Database Auto-discovery
The Auto-Discovery application scans and probes your servers for open ports to prevent unknown or unwanted connections to your network. You can run auto-discovery processes on demand, or schedule the processes on a periodic basis.
Database Auto-discovery Overview
There are many scenarios where databases can exist undetected on your network and expose your network to potential risk. Old databases might be forgotten and unmonitored, or a new database might be added as part of an application package. A rogue DBA might also create a new instance of a database to conduct malicious activity outside of the monitored databases.
- A scan job scans each specified host (or hosts in a specified subnet), and compiles a list of open ports that are specified for that host.
- A probe job uses the results of the scan to determine whether there are database services that are running on the open ports. A probe job cannot be completed without first running a scan. View the results of this job in the Databases Discovered predefined report.
- Create an Auto-discovery process to search specific IP addresses or subnets for open ports.
- Run the Auto-discovery process on demand or on a scheduled basis.
- View the results of the process with Auto-discovery reports, or create custom reports.
Auto-discovery has its own processes that are independent of audit processes, but they work exactly the same way as audit processes.
You can enter only IP addresses when you define a scan; you cannot enter host names. However, Guardium does detect host names as part of the report. Guardium does not truncate host names in the Guardium product. However, it may be necessary to configure the report to have wider columns.
Guardium auto-discovery does not guess about databases that appear during a probe. If Guardium auto-discovery says it has found a database, then it is 100% certain what the database is.
- Db2
- Informix
- MongoDB
- Microsoft SQL Server
- MySQL
- Netezza
- Oracle
- PostgreSQL
- SAP HANA
- Sybase
- Teradata
Create an Auto-discovery Process
- Configure Auto-discovery by clicking .
- Click New to create a new process and open the Auto-discovery Process Builder.
- Enter a Process name that is unique on your Guardium® system.
- To run a probe job immediately after the scan job completes, check the Run probe after scan check box.
- To scan for open ports on hosts where discovery is blocked, check the Skip host discovery check box. Note: Host discovery requires ports 80 and 443. If those ports are blocked, using Skip host discovery forces scanning for open ports on those hosts. This is equivalent to nmap -Pn.
- For each host or subnet to be scanned, enter the host and port, and click Add scan. Each time that you add a scan, it is added to the task list. Note:
- Wildcard characters are enabled. For example: to select all addresses beginning with 192.168.2, use 192.168.2.*.
- Specify a range of ports by putting a dash between the first and last port numbers in the range. For example: 4100-4102.
- After you add a scan, modify the host or port by typing over it. Click Apply to save the modification.
- If you have a dual-stack configuration, you need to set up a scan for both the IPv4 and the IPv6 addresses.
- To remove a scan, click the Delete this task icon for the scan. If a task has scan results dependent upon it, the scan cannot be deleted.
- When finished adding scans, click Apply, and run the job or schedule the job in the future.
Run or Schedule an Auto-discovery Process
- Click .
- Select the process to be run from the Auto-discover Process Selector list and do one of the following:
- To run a job immediately, click Run Once Now.
- To schedule a job in the future, click Modify Schedule (see Scheduling if you need help defining a schedule). Note: A probe job cannot run without the results of the scan job. You can schedule the two jobs to run individually, or you can configure the probe job to run after the scan job by modifying a process and checking the Run probe after scan check box.
- After you start or schedule a job, you can click Progress Summary to display the status of this process.
Auto-discovery Reports
Open the Auto-discovery reports by clicking
and selecting from the available reports. You can create custom reports with the Auto-discovery Query Builder. Open the Auto-discovery Query Builder by clicking .
Databases Discovered Report
Open the Databases Discovered report by clicking .
The main entity for this report is the Discovered Port. Each individual port that is discovered has its own row in the report. The columns that are listed are: Time Probed, Server IP address, Server Host Name, DB Type, Port, Port Type (usually TCP), and a count of occurrences.
There are no special runtime parameters for this report, but it excludes any discovered ports with a database type of Unknown.
When an auto-discovery process definition changes, the statistics for that process are reset.
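The Databases Discovered report is most useful when it is compared with the list of databases you already know about and monitor. The following Python code is an added example, not IBM or Guardium code: it assumes the report has been exported as CSV with the column names listed above, and the sample rows, the inventory, and the function name reconcile are constructed for illustration.

```python
import csv
import io

# Constructed sample: a CSV export of the Databases Discovered report.
# Column names follow the report description; the export layout is an assumption.
REPORT_CSV = """Time Probed,Server IP address,Server Host Name,DB Type,Port,Port Type,Count
2024-05-01 02:00:11,192.168.2.10,dbprod01,Oracle,1521,TCP,1
2024-05-01 02:00:14,192.168.2.10,dbprod01,MySQL,3306,TCP,1
2024-05-01 02:00:20,192.168.2.57,appsrv07,PostgreSQL,5432,TCP,1
2024-05-01 02:00:31,192.168.2.80,legacy03,Db2,50000,TCP,1
"""

# Constructed inventory of known, monitored databases:
# (server IP, port) -> expected DB type.
INVENTORY = {
    ("192.168.2.10", 1521): "Oracle",
    ("192.168.2.80", 50000): "Informix",
    ("192.168.2.90", 1433): "Microsoft SQL Server",
}


def reconcile(report_csv, inventory):
    """Compare discovered database ports with the approved inventory."""
    findings = {"unknown": [], "type_mismatch": [], "not_seen": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        key = (row["Server IP address"].strip(), int(row["Port"]))
        db_type = row["DB Type"].strip()
        seen.add(key)
        if key not in inventory:
            # A database service nobody registered: forgotten, bundled, or rogue.
            findings["unknown"].append((*key, db_type, row["Server Host Name"]))
        elif inventory[key].lower() != db_type.lower():
            # Registered endpoint, but the probe identified a different product.
            findings["type_mismatch"].append((*key, inventory[key], db_type))
    # Inventory entries missing from the report: decommissioned, filtered, or
    # outside the scanned hosts and ports. Review these; they are not alerts.
    findings["not_seen"] = sorted(k for k in inventory if k not in seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(REPORT_CSV, INVENTORY).items():
        for item in items:
            print(kind, *item)
```

Because the report excludes ports with a database type of Unknown, an inventory entry that appears under not_seen may still have an open port that the probe could not identify.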
Auto-discovery Tracking Domain
The Auto-discovery Tracking domain contains all of the data reported by Auto-discovery processes. Click any entity name to display its attributes.
- Auto-discovery Scan provides a time stamp for each scan operation.
- Discovered Host provides the IP address and host name for each discovered host.
- Discovered Port provides a time stamp, identifies the port, and provides the database type for each port discovered open.