Database Auto-discovery

The Auto-Discovery application scans and probes your servers for open ports to prevent unknown or unwanted connections to your network. You can run auto-discovery processes on demand, or schedule the processes on a periodic basis.

Database Auto-discovery Overview

There are many scenarios where databases can exist undetected on your network and expose your network to potential risk. Old databases might be forgotten and unmonitored, or a new database might be added as part of an application package. A rogue DBA might also create a new instance of a database to conduct malicious activity outside of the monitored databases.

Auto-discovery uses scan and probe jobs to ensure that no database goes undetected in your environment.
  • A scan job scans each specified host (or the hosts in a specified subnet), and compiles a list of the ports specified for that host that are open.
  • A probe job uses the results of the scan to determine whether there are database services that are running on the open ports. A probe job cannot be completed without first running a scan. View the results of this job in the Databases Discovered predefined report.
Follow these steps to use the Auto-discovery application:
  1. Create an Auto-discovery process to search specific IP addresses or subnets for open ports.
  2. Run the Auto-discovery process on demand or on a scheduled basis.
  3. View the results of the process with Auto-discovery reports, or create custom reports.

Auto-discovery has its own processes that are independent of audit processes, but they work exactly the same way as audit processes.

When you set up a scan, you can enter only IP addresses; you cannot enter host names. However, Guardium does detect host names as part of the report. Guardium does not truncate host names, but it may be necessary to configure the report to have wider columns.

Guardium auto-discovery does not guess about databases that appear during a probe. If Guardium auto-discovery says it has found a database, then it is 100% certain what the database is.

Attention: Database auto-discovery works with the following databases:
  • Db2
  • Informix
  • MongoDB
  • Microsoft SQL Server
  • MySQL
  • Netezza
  • Oracle
  • PostgreSQL
  • SAP HANA
  • Sybase
  • Teradata
Auto-discovery only finds running databases. Databases need to be started if discovery is to be used during the installation. Due to how the AIX KTAP interception works, the databases need to be restarted after the first time S-TAP runs. If the databases are not restarted, some interception does not work.

Create an Auto-discovery Process

Specify which host and ports the Auto-discovery process scans.
  1. Configure Auto-discovery by clicking Discover > Database Discovery > Auto-discovery Configuration.
  2. Click New to create a new process and open the Auto-discovery Process Builder.
  3. Enter a Process name that is unique on your Guardium® system.
  4. To run a probe job immediately after the scan job completes, check the Run probe after scan check box.
  5. To scan for open ports on hosts where discovery is blocked, check the Skip host discovery check box.
    Note: Host discovery requires ports 80 and 443. If those ports are blocked, using Skip host discovery forces scanning for open ports on those hosts. This is equivalent to nmap -Pn.
  6. For each host or subnet to be scanned, enter the host and port, and click Add scan. Each time that you add a scan, it is added to the task list.
    Note:
    • Wildcard characters are enabled. For example: to select all addresses beginning with 192.168.2, use 192.168.2.*.
    • Specify a range of ports by putting a dash between the first and last port numbers in the range. For example: 4100-4102.
    • After you add a scan, modify the host or port by typing over it. Click Apply to save the modification.
    • If you have a dual stack configuration, you need to set up a scan for both the IPv4 and the IPv6 addresses.
    • To remove a scan, click the Delete this task icon for the scan. If a task has scan results dependent upon it, the scan cannot be deleted.
  7. When finished adding scans, click Apply, and run the job or schedule the job in the future.
See Scheduling if you need help defining a schedule.
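
The host and port notes in step 6 can be checked before a process is saved. The following is an added example, not Guardium code: it models the scan task list (wildcard octets, port ranges, IP addresses only) and reports which database endpoints you already know about would fall outside the scan scope. The function names and sample values are constructed, and wildcard matching is modelled for IPv4 only as an assumption.

```python
import ipaddress

def parse_ports(spec):
    """Parse '1521' or '4100-4102' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high

def host_matches(pattern, ip):
    """True if a scan host entry (exact IP or '*' octets) covers the address."""
    addr = ipaddress.ip_address(ip)
    if "*" not in pattern:
        # Scan entries take IP addresses only, so a host name raises ValueError.
        return ipaddress.ip_address(pattern) == addr
    if addr.version != 4:
        return False  # assumption: wildcard octets are modelled for IPv4 only
    p_octets, a_octets = pattern.split("."), str(addr).split(".")
    return len(p_octets) == 4 and all(
        p in ("*", a) for p, a in zip(p_octets, a_octets))

def uncovered(scan_tasks, endpoints):
    """Return the (ip, port) endpoints that no scan task would reach."""
    parsed = [(host, parse_ports(ports)) for host, ports in scan_tasks]
    return [(ip, port) for ip, port in endpoints
            if not any(host_matches(host, ip) and lo <= port <= hi
                       for host, (lo, hi) in parsed)]

# Constructed scan task list, in the host/port form described in step 6.
SCAN_TASKS = [("192.168.2.*", "4100-4102"), ("10.0.5.17", "1521")]

# Constructed endpoints that are expected to be in scope.
ENDPOINTS = [
    ("192.168.2.40", 4101),   # inside the wildcard and the port range
    ("192.168.2.40", 5432),   # host covered, port outside 4100-4102
    ("10.0.5.17", 1521),      # exact IPv4 entry
    ("2001:db8::17", 1521),   # same dual-stack host, IPv6 side not listed
]

if __name__ == "__main__":
    for ip, port in uncovered(SCAN_TASKS, ENDPOINTS):
        print(f"not in scan scope: {ip} port {port}")
```

The IPv6 endpoint is reported because the dual stack host has a scan entry only for its IPv4 address.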

Run or Schedule an Auto-discovery Process

Run or schedule scan and probe jobs as part of the Auto-discovery process.
  1. Click Discover > Database Discovery > Auto-discovery Configuration.
  2. Select the process to be run from the Auto-discover Process Selector list and do one of the following:
    • To run a job immediately, click Run Once Now.
    • To schedule a job in the future, click Modify Schedule (see Scheduling if you need help defining a schedule).
      Note: A probe job cannot run without the results of the scan job. You can schedule the two jobs to run individually, or you can configure the probe job to run after the scan job by modifying a process and checking the Run probe after scan check box.
  3. After you start or schedule a job, you can click Progress Summary to display the status of this process.

Auto-discovery Reports

Open the Auto-discovery reports by clicking Discover > Reports and selecting from the available reports.

You can create custom reports with the Auto-discovery Query Builder. Open the Auto-discovery Query Builder by clicking Discover > Database Discovery > Auto-discovery Query Builder.

Databases Discovered Report

Open the Databases Discovered report by clicking Discover > Reports > Databases Discovered.

The main entity for this report is the Discovered Port. Each individual port that is discovered has its own row in the report. The columns that are listed are: Time Probed, Server IP address, Server Host Name, DB Type, Port, Port Type (usually TCP), and a count of occurrences.

There are no special runtime parameters for this report, but it excludes any discovered ports with a database type of Unknown.

When an auto-discovery process definition changes, the statistics for that process are reset.
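
One way to act on this report is to reconcile it against the list of databases you already monitor, so that forgotten or unsanctioned instances stand out. The following is an added example, not Guardium code: the column names follow the report columns listed above, while the CSV export layout, the DB Type spellings, the inventory and all sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample export of the Databases Discovered report.
REPORT_CSV = """\
Time Probed,Server IP address,Server Host Name,DB Type,Port,Port Type,Count
2024-01-10 02:00:11,192.168.2.40,erp-db01,ORACLE,1521,TCP,1
2024-01-10 02:00:14,192.168.2.57,build-agent7,MYSQL,3306,TCP,1
2024-01-10 02:00:19,192.168.2.40,erp-db01,POSTGRESQL,5432,TCP,1
"""

# Constructed inventory of (ip, port) endpoints that are already monitored.
INVENTORY = {("192.168.2.40", 1521), ("192.168.2.61", 50000)}

def reconcile(report_text, inventory):
    """Compare discovered databases with the monitored inventory.

    Returns (unmonitored, not_seen):
      unmonitored: discovered databases that are missing from the inventory
      not_seen:    inventoried endpoints the report does not list, for example
                   because the database was stopped or outside the scan scope
    """
    seen = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        key = (row["Server IP address"].strip(), int(row["Port"]))
        seen[key] = (row["DB Type"].strip(), row["Server Host Name"].strip())
    unmonitored = sorted((ip, port, *seen[(ip, port)])
                         for ip, port in seen if (ip, port) not in inventory)
    not_seen = sorted(set(inventory) - set(seen))
    return unmonitored, not_seen

if __name__ == "__main__":
    unmonitored, not_seen = reconcile(REPORT_CSV, INVENTORY)
    for ip, port, db_type, host in unmonitored:
        print(f"unmonitored {db_type} on {host} ({ip}:{port})")
    for ip, port in not_seen:
        print(f"inventoried but not discovered: {ip}:{port}")
```

Because the report excludes ports with a database type of Unknown, this comparison covers identified databases only.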

Auto-discovery Tracking Domain

The Auto-discovery Tracking domain contains all of the data reported by Auto-discovery processes. Click any entity name to display its attributes.

Auto-discovery Tracking Domain Entities
  • Auto-discovery Scan provides a time stamp for each scan operation.
  • Discovered Host provides the IP address and host name for each discovered host.
  • Discovered Port provides a time stamp, identifies the port, and provides the database type for each port discovered open.