Guardium provides a set of scripts to simplify the creation of groups
or roles with minimum privileges required for running vulnerability assessments.
Before you begin
This task requires downloading scripts from a Guardium system and running those scripts on a
database server. You will need to identify the IP address of the machine used to access the Guardium
system. This could be the IP address of an individual workstation where you will download the
scripts before transferring them to a database server, or it could be the IP address of the database
server itself.
About this task
Running Guardium vulnerability assessments and using the Guardium classifier requires access to
the database and specific database privileges. Guardium provides a set of scripts to simplify the creation of groups
or roles with minimum privileges required for running vulnerability assessments. Once created,
these groups or roles can be assigned to any database user who needs to run an assessment. You will
create a Guardium datasource with this user to perform the VA scan.
Scripts are provided to support most database types and are designed to be run in the database
tool itself. Each script includes detailed instructions in the script header. The privileges granted
for each database type can be seen by reviewing the GRANT statements in the corresponding script.
Important: Before running any scripts, database administrators should read the instructions
in the script headers and review the database actions that will be taken by the
script.
Procedure
- On a Guardium system, enable the file server using the fileserver CLI
command. For example, to enable the file server for one hour and download the scripts to a system
with IP address 10.0.0.1, use the following command:
fileserver 10.0.0.1 3600
When successfully initiated, the file server should display output similar to the
following:
Starting the file server...
The file server is ready at https://guardium.host.com:8445
The timeout has been set to 3600 seconds and it may timeout during the uploading.
The upload will only be accessible from the IP you are logged in from: 10.0.0.1
Press ENTER to stop the file server.
- On the machine where you will download the scripts, use a web browser to access the file
server. For example, for a Guardium system running at
https://guardium.host.com:8445, access the scripts for vulnerability assessment and
classification at the following URLs:
https://guardium.host.com:8445/log/debug-logs/gdmmonitor_scripts/
https://guardium.host.com:8445/log/debug-logs/classification_role/
Important: Discovery processes of the Guardium classifier require a higher level of
database access than is required for vulnerability assessment tests. It is recommended to use the
scripts in gdmmonitor_scripts for vulnerability assessment and the scripts in
classification_role for the classifier. Before running any scripts, database
administrators should read the instructions in the script headers and review the database actions
that will be taken by the script.
- Download the required scripts using the web browser's save or download function. Review the README.txt files to identify the correct scripts to use for
specific database types.
Tip: The following scripts are for Microsoft SQL Server:
- gdmmonitor-mss2000-only.sql is for Microsoft SQL Server 2000
- gdmmonitor-mss.sql is for Microsoft SQL Server 2005 and newer
- gdmmonitor-mss-SA.sql provides administrative privileges required for six of the Microsoft SQL Server vulnerability assessment tests. If you do not allow these privileges, the tests will return errors indicating inadequate privileges. These six tests represent no more than 5% of the available tests.
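As an added example (not part of the Guardium documentation or of the gdmmonitor scripts themselves), the following shell helpers support the pre-run review the page asks for: they print a downloaded script's header comment block and every privilege-changing statement so a DBA can see what will be granted before executing it. The sample script content is constructed here for illustration and is not a real Guardium script.

```shell
#!/bin/sh
# Added example: pre-run review helper for a downloaded privilege script.
# Prints the leading "--" comment header and every GRANT/REVOKE/DENY or
# sp_addrolemember statement so a DBA can review the actions before running
# the script. The script body produced by make_sample_script is CONSTRUCTED
# for illustration only; real gdmmonitor scripts differ.

# Print the comment header at the top of a .sql file (stops at first
# non-comment line).
script_header() {
    awk '/^--/ { print; next } { exit }' "$1"
}

# List statements that change privileges (case-insensitive match).
script_grants() {
    grep -i -E '^[[:space:]]*(GRANT|REVOKE|DENY|EXEC[[:space:]]+sp_addrolemember)' "$1"
}

# Count privilege-changing statements; prints the count on stdout.
count_grants() {
    script_grants "$1" | wc -l | tr -d ' '
}

# Print header followed by the privilege statements, for a quick review.
review_script() {
    echo "== Header: $1 =="
    script_header "$1"
    echo "== Privilege statements ($(count_grants "$1")) =="
    script_grants "$1"
}

# Write a constructed sample standing in for a downloaded script to path $1.
make_sample_script() {
    cat > "$1" <<'EOF'
-- CONSTRUCTED SAMPLE: not a Guardium script.
-- Creates a low-privilege role for assessment scans.
-- Review every GRANT below before running.
CREATE ROLE va_reader;
GRANT VIEW SERVER STATE TO va_reader;
GRANT VIEW ANY DEFINITION TO va_reader;
EXEC sp_addrolemember 'va_reader', 'scan_user';
EOF
}
```

Run `review_script /path/to/gdmmonitor-mss.sql` against a downloaded script to see its header and grants at a glance; the sample writer exists only so the helpers can be tried offline.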
What to do next
Once you have downloaded the scripts required for your database servers, closely review and
follow the instructions in the script headers.