
DbProtect 2009.1
Installation Guide
Last Modified February 5, 2009
Application Security, Inc.
www.AppSecInc.com
info@appsecinc.com
1-866-9APPSEC
Contents
Chapter 1 - Introduction
Product, Guide, and Documentation Suite Overview
Intended Audience
DbProtect Components
Chapter 2 - Planning Your DbProtect Installation
Network Pre-Installation Considerations
DbProtect Installation Checklist
Chapter 3 - Minimum System Requirements
Console - Minimum System Requirements
Sensors - Minimum System Requirements
Scan Engines - Minimum System Requirements
Chapter 4 - Licensing
Chapter 5 - Installing the DbProtect Components and Logging Into the Console
Installing the DbProtect Suite Management Components
Installing and Starting/Stopping the Sensors
Installing Scan Engines
Logging Into the Console
Chapter 6 - Uninstalling the DbProtect Components
Uninstalling the Console
Uninstalling and Unregistering a Sensor
Uninstalling a Scan Engine
Chapter 7 - Installation Troubleshooting
Appendices
Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster
Appendix B: What Are the MSDE Lockdown Scripts Doing During the Installation of DbProtect?
Appendix C: Modifying the Sensor Listener Port Number
Appendix D: Network Ports Used by DbProtect
Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers
Appendix F: Modifying the "Log On As" User for the AppRadar Sensor and DbProtect Message Collector Services
Appendix G: DB2 Administrative Client Driver Installation
Appendix H: DbProtect Log Files
Appendix I: Using App DSN, the Repair ODBC Utility
Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins
Appendix K: Required Client Drivers for Audits
Appendix L: Required Audit Privileges
Appendix M: Auditing SQL Server (Using Windows Authentication) Against a Machine on a Different or Untrusted Domain
Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and Greater
Appendix O: Determining Your NetBIOS Name and Your Fully Qualified Domain Name
Appendix P: Monitoring Multiple Instances on a DB2 Server
Appendix Q: Clearing Your Java Cache
Chapter 1 - Introduction
This chapter explains what’s in the DbProtect Installation Guide, the intended
audience, and the components of DbProtect.
What you will find in this chapter:
• Product, Guide, and Documentation Suite Overview
• Intended Audience
• DbProtect Components.
Product, Guide, and Documentation Suite Overview
This section includes an overview, an explanation of conventions used, and a listing of
other DbProtect guides available for customers.
What you will find in this section:
• About DbProtect
• What you will find in this guide
• If you need more help.
About DbProtect
The Industry’s Only Complete Database Security Solution
A centrally-managed enterprise solution for comprehensive database security,
DbProtect combines Discovery, vulnerability scanning, real-time activity monitoring,
and Auditing to help organizations reduce risk and enhance compliance. The
integrated suite is comprised of the company’s flagship solutions for database
vulnerability assessment and real-time database activity monitoring which protect
enterprise organizations around the world from all internal and external threats, while
also ensuring that those organizations meet or exceed regulatory compliance
requirements.
Applying the proven security industry best practices of vulnerability assessment,
structured risk mitigation, and real-time intrusion monitoring, coupled with extensive
enterprise features (including fine-grained access controls, and centralized
management and reporting), DbProtect delivers comprehensive security and auditing
capabilities to complex, diverse enterprise database environments.
Address Database Threats and Provide Protection with Proven Technology
• Tamper Evident Privileged Activity Monitoring defends against misuse, fraud
and abuse from internal and external users.
• Comprehensive Vulnerability Assessment identifies and reduces risk.
• Real-Time Monitoring and Intrusion Detection immediately identifies database
attacks or misuse.
• Compensating Controls, including Patch Gap management, assists with
prioritizing of database security patches and defending against attack.
• Improved Integration enables reporting on security patch progress, risk
mitigation impact, and overall compliance status.
• Application Awareness provides critical insight into IT infrastructure enabling
organizations to better understand their database inventory, and thereby
mitigate compliance risk factors, as well as addressing database security needs.
• Industry-leading Knowledgebase utilizes the most comprehensive catalog of
database-specific threats, many discovered by Team SHATTER, our own
research and development team.
• DbProtect’s ASAP Update mechanism ensures protection remains up to date.
This allows users to immediately identify and detect worms, buffer overflows,
and privilege escalation exposures and attacks enabling a timely, informed, and
fast response.
Enhance Regulatory Compliance Efforts
DbProtect enables enterprises to ground compliance efforts in the database
applications that house regulated data – be it material financial transactions, critical
intellectual property, or sensitive personal information. The solution also supports
forensic investigations and analysis. This approach to database security includes:
• Robust access and authentication controls
• Privileged and non-privileged user monitoring
• Vulnerability and threat management
• Suspicious activity monitoring with proactive real-time alerts
• Defined security policies to guide user activity.
These security components collectively facilitate regulatory compliance and create
active and intelligent protection mechanisms for databases. By grounding efforts in
the databases where sensitive data spends the bulk of its existence, the suite helps
customers comply with a variety of business and regulatory requirements including the
PCI Data Security Standard, HIPAA, GLBA, California Security Breach Information Act
(SB 1386), Sarbanes-Oxley Act, Basel II, ISO 27001/17799, DISA-STIG, FISMA, NIST
800-53, PIPEDA, Canada’s Bill 198, and MITS.
What you will find in this guide
This guide consists of the following chapters:
• Chapter 2 - Planning Your DbProtect Installation
• Chapter 3 - Minimum System Requirements
• Chapter 4 - Licensing
• Chapter 5 - Installing the DbProtect Components and Logging Into the Console
• Chapter 6 - Uninstalling the DbProtect Components
• Chapter 7 - Installation Troubleshooting
• Appendices.
If you need more help
You can contact Application Security, Inc. Customer Support any time by emailing
support@appsecinc.com, or by calling 1-866-9APPSEC or 1-212-912-4100.
Intended Audience
This guide is intended for persons responsible for installing the core components of
DbProtect (i.e., the Console, Scan Engines, and Sensors). Typically, those responsible for
installing DbProtect have the following (sometimes overlapping) job roles:
• system administrators; for more information, see System administrators
• network administrators; for more information, see Network administrators
• database administrators; for more information, see Database administrators.
System administrators
The system administrator maintains and operates a computer system and/or network.
System administrators are often members of an Information Technology (IT)
department. Their duties are wide-ranging, and vary from one organization to another.
System administrators are usually charged with installing, supporting, and maintaining
servers or other computer systems, and planning for and responding to service
outages and other problems. Other duties may include scripting or light
programming, project management for systems-related projects, supervising or
training computer operators, and being the consultant for computer problems beyond
the knowledge of technical support staff.
Network administrators
The network administrator is a professional responsible for the maintenance of
computer hardware and software that comprises a computer network. This normally
includes the deployment, configuration, maintenance and monitoring of active
network equipment.
Network administration commonly includes activities and tasks such as network
address assignment, assignment of routing protocols and routing table configuration,
as well as configuration of authentication and authorization-directory services. A
network administrator’s duties often also include maintenance of network facilities in
individual machines, such as drivers and settings of personal computers, as well as
printers and so on.
Network administration also sometimes entails maintenance of certain network
servers, e.g., file servers, VPN gateways, intrusion detection systems, etc. Network
specialists and analysts concentrate on the network design and security, particularly
troubleshooting and/or debugging network-related problems. Their work can also
include the maintenance of the network's authorization infrastructure, as well as
network backup systems.
In addition, the network administrator is responsible for the security of the network
and for assigning IP addresses to the devices connected to the networks. Assigning IP
addresses gives the subnet administrator some control over the professional who
connects to the subnet. It also helps to ensure that the administrator knows each
system that is connected and who personally is responsible for the system. When
network administrators give a system an IP address, they also delegate certain security
responsibilities to the system administrator.
Database administrators
A database administrator (DBA) is responsible for the environmental aspects of a
database. In general, these include:
• Recoverability. Creating and testing backups.
• Integrity. Verifying or helping to verify data integrity.
• Security. Defining and/or implementing access controls to the data.
• Availability. Ensuring maximum uptime.
• Performance. Ensuring maximum performance.
• Development and testing support. Helping programmers and engineers to
efficiently utilize the database.
The role of a DBA has changed according to the technology of database management
systems (DBMSs), as well as the needs of the database owners.
DbProtect Components
This section provides a comprehensive overview of the DbProtect components.
What you will find in this section:
• Conceptual diagram
• Console
• Sensors
• Scan Engines.
Conceptual diagram
The following conceptual diagram illustrates how the DbProtect components interact,
and indicates which standard listen ports must be open in order for DbProtect to work.
Console
The Console is the web browser-based, graphical component of DbProtect that allows
you to navigate to the various features of the two DbProtect products: DbProtect
AppRadar and DbProtect AppDetective. For more information on navigating the
Console and using DbProtect, see the DbProtect User’s Guide.
Sensors
Sensors monitor your database for a variety of events, such as intrusion attempts or
auditing of normal usage.
There are two types of Sensors available:
• Host-based Sensors, which monitor SQL Server, Oracle, or DB2 databases on
the host server
• Network-based Sensors, which monitor your Oracle, DB2 or Sybase databases
on the network.
Sensors fire Alerts when they detect a violation of rules, and a monitored event occurs.
For more information on Alerts, see the DbProtect User’s Guide.
HOST-BASED SENSORS
Host-based Sensors allow you to monitor the following databases on a host server:
• SQL Server on Windows
• Oracle on Solaris, AIX, HP-UX, Red Hat Enterprise Linux, and Windows
• DB2 on Solaris, AIX, Red Hat Enterprise Linux, and Windows.
The table below lists all supported host-based database/OS combinations, and links
you to the installation steps.
DB | OS | For minimum system requirements, see: | For installation instructions, see:
SQL SERVER | WINDOWS | Host-based Sensor for SQL Server (on Windows) - minimum system requirements | Host-based Sensor for SQL Server (on Windows) - installation steps
DB2 | RED HAT ENTERPRISE LINUX | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps
DB2 | SOLARIS | Host-based Sensor for DB2 (on Solaris) - minimum system requirements | Host-based Sensor for DB2 (on Solaris) - installation steps
DB2 | AIX | Host-based Sensor for DB2 (on AIX) - minimum system requirements | Host-based Sensor for DB2 (on AIX) - installation steps
DB2 | WINDOWS | Host-based Sensor for DB2 (on Windows) - minimum system requirements | Host-based Sensor for DB2 (on Windows) - installation steps
ORACLE | SOLARIS | Host-based Sensor for Oracle (on Solaris) - minimum system requirements | Host-based Sensor for Oracle (on Solaris) - installation steps
ORACLE | AIX | Host-based Sensor for Oracle (on AIX) - minimum system requirements | Host-based Sensor for Oracle (on AIX) - installation steps
ORACLE | HP-UX | Host-based Sensor for Oracle (on HP-UX) - minimum system requirements | Host-based Sensor for Oracle (on HP-UX) - installation steps
ORACLE | RED HAT ENTERPRISE LINUX | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps
ORACLE | WINDOWS | Host-based Sensor for Oracle (on Windows) - minimum system requirements | Host-based Sensor for Oracle (on Windows) - installation steps
NETWORK-BASED SENSORS
Network-based Sensors allow you to monitor Windows-based Sybase, Oracle, and
DB2 on the network. If you want to install a network-based Sensor, the table below lists
supported database/OS combinations, and links you to the installation steps.
Note: The network-based Sensor only runs on the Windows OS, but the
databases it monitors do not need to be running on Windows.
DB | For minimum system requirements, see: | For installation instructions, see:
DB2 | Network-based Sensor for DB2 - minimum system requirements | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps
SYBASE | Network-based Sensor for Sybase - minimum system requirements | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps
ORACLE | Network-based Sensor for Oracle - minimum system requirements | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps
Scan Engines
DbProtect’s network-based, vulnerability assessment Scan Engines discover database
applications within your infrastructure and assess their security strength. Backed by a
proven security methodology and extensive knowledge of application-level
vulnerabilities, DbProtect locates, examines, reports, and fixes security holes and
misconfigurations. Scan Engines scan your databases for vulnerabilities, and allow you
to perform Penetration (Pen) Tests and Audits against them.
Target databases (on Windows) include:
• Oracle
• Oracle Application Server
• SQL Server
• Lotus Notes/Domino
• Sybase
• DB2
• DB2 on the Mainframe
• MySQL.
For more information on Scan Engine:
• minimum system requirements, see Scan Engines - Minimum System
Requirements
• installation instructions, see Installing Scan Engines.
Chapter 2 - Planning Your DbProtect Installation
This chapter explains how to plan your DbProtect installation.
What you will find in this chapter:
• Network Pre-Installation Considerations
• DbProtect Installation Checklist.
Network Pre-Installation Considerations
This section provides a comprehensive overview of the DbProtect technical
components, and lists
What you will find in this section:
• Network connectivity
• Ports and firewalls.
Network connectivity
The Console must have network connectivity to the following:
• all applications you want to monitor
• all installed Sensors
• all installed Scan Engines
• SNMP and Syslog systems (optional).
You should install the Console on a machine connected to the network continuously, if
you want to receive real-time Alerts from the Sensors.
DbProtect has its own method of authentication and using a firewall is not required to
restrict access. The Message Collector component of DbProtect listens for HTTPS
traffic on port 20081 (unless you configure it differently during the Console installation)
which the Sensor uses to send Alerts to the Console. Application Security, Inc.
recommends you disallow all traffic to that port except from the Sensors.
Ports and firewalls
Every Sensor installation requires its own dedicated port for communication. Specify
which port number the Sensor should use to receive commands from the Console. The
Sensor cannot share the same port with any other program. This does not mean each
Sensor requires a different port number on each separate host server. For example,
you can use the same port number for each Sensor you install on each individual host
machine (e.g., port 20000). Or you can specify a different port number for each Sensor
on each host machine. For more information, see Installing and Starting/Stopping the
Sensors.
The Console uses port 20080 (by default) to send data to, and receive data from, the
Sensors. The Sensors, by comparison, send data to, and receive data from, the
Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via
port 20000) to the Console's Message Collector component, the Message Collector
receives these Alerts on port 20081 (by default). For more information, see DbProtect
suite management components - installation steps.
Note: If you maintain a firewall with “hardened” security, the traffic on both ports
is SSL.
If you are installing a Sensor on the same host server where the Console is installed, do
not specify ports 20080 or 20081 (unless you’re certain these ports are available).
If you are installing a host-based Sensor on any *nix platform, you can, at any time,
change the port number in the sensor.xml and sensor_original.xml files; for more
information, see Appendix C: Modifying the Sensor Listener Port Number.
Note: No other machines should be permitted to connect to the Sensors.
Components of DbProtect communicate via Internet Protocol (IP) connections. To help
you configure your firewall properly, the table in Appendix D: Network Ports Used by
DbProtect lists each component and describes how they each use the network.
DbProtect Installation Checklist
Below is a checklist for a typical DbProtect installation scenario:
Action
1. REVIEW THE MINIMUM SYSTEM REQUIREMENTS.
Before you install any software, carefully read the minimum system requirements,
prerequisites, and recommendations for:
• the Console
• Sensors (host-based or network-based)
• Scan Engines.
For more information, see Chapter 3 - Minimum System Requirements.
2. OBTAIN THE LICENSE FILES.
For more information, see Chapter 4 - Licensing.
3. INSTALL THE DBPROTECT COMPONENTS.
Application Security, Inc. provides you with the installation files for:
• the DbProtect management bundle
• Sensors (host-based or network-based)
• Scan Engines.
Note: The Console and the Scan Engines run on Windows. The host- and network-based Sensors, however, can run on a variety of database/OS combinations.
For more information, see Chapter 5 - Installing the DbProtect Components and
Logging Into the Console.
Chapter 3 - Minimum System Requirements
This chapter provides minimum system requirements for the following DbProtect
components: the Console, the Sensors, and the Scan Engines.
What you will find in this chapter:
• Console - Minimum System Requirements
• Sensors - Minimum System Requirements
• Scan Engines - Minimum System Requirements.
Console - Minimum System Requirements
This section provides detailed minimum system requirements for the Console
component of DbProtect.
What you will find in this section:
• Hardware
• Operating system
• Required installation and runtime user account rights and privileges (for the
Console and Data Repository)
• Browser
• Networking and firewall considerations
• Data Repository
• Additional Console assumptions, prerequisites, and recommendations.
Hardware
• Processor. 1.5 GHz processor minimum; 2+ GHz processors recommended.
Dual processors recommended for larger installations. Dual processors
recommended if you are running the Console and a network-based Sensor on
the same machine.
• RAM. 2 GB minimum; 3 GB recommended. 4 GB recommended especially if
you are running both the Console and a network-based Sensor on the same
machine.
• Hard drive space. 150 MB for program files. 3 GB minimum for the Data
Repository; 20 GB or more recommended (may vary).
When you upgrade the DbProtect Console from a version lower than 3.10, the
upgrade creates a backup of all files. This means space requirements are
temporarily doubled for the period of the upgrade. The upgrade creates backups
of the DbProtect and AppDetective folders (DbProtectBackup and
AppDetectiveBackup, respectively). You can safely delete these backup files after
your upgrade is complete, but only after you have logged into the DbProtect
Console to make sure your upgrade was successful, and you can log into the
DbProtect Console (for more information on logging into the DbProtect Console,
see Logging Into the Console).
You must have a minimum of 1 GB of disk space on your C:\ drive -- even if you
are installing the Console on an alternate drive -- because the installer is
uncompressed to the default Windows temp directory on C:\. The operating
system uses this space for unpacking installer files. This additional space is
required only for users installing the product for the first time, as well as those
upgrading from previous versions of DbProtect Console.
However, if you don't have enough space on your C:\ drive, there is a
workaround:
1. Right click My Computer and select Properties to display the System Properties
dialog box.
2. Click the Environment Variables button to display the Environment Variables
dialog box.
3. Edit the system environment variables TEMP and TMP to point to another drive
that has enough space (e.g., E:\systmp).
Operating system
The Console runs on Windows. The following versions are supported:
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows Server 2003.
The Console also runs on Windows XP Professional Service Pack 1 or greater for
evaluation purposes only.
Note: For DbProtect AppRadar, the Console uses local Microsoft Windows
groups for authentication. Consequently, you cannot also use the Console
machine as a domain controller. For DbProtect AppDetective, the Console
authenticates through Active Directory.
You must also have Microsoft .NET Framework 2.0 SP1 (x86) installed in order to install
the Console. If the DbProtect installer does not detect Microsoft .NET Framework 2.0
SP1 (x86) installed on your host server, the installer will prompt you to install it. For
more information, see DbProtect suite management components - installation steps.
Required installation and runtime user account rights and privileges (for the Console and Data Repository)
Note: Your Console server and Data Repository database server (if remote) must
have a trusted relationship with one another, or be in the same domain/workgroup.
The Console requires certain privileges on the host where it is installed, as well as on
the associated Data Repository. The following table explains the account privileges
required for various aspects of installation and runtime operation of the Console.
Account: Setup User
Purpose: Account used when installing the software for the first time or when upgrading the system.
Used by: Person installing
Requirements:
• Member of Windows group Administrators on the DbProtect server host.
  Note: This user must have privileges on the target database for upgrades.
• Needs access to SQL Server database master and have SQL Server role Database Creator (dbcreator) or equivalent permissions on the SQL Server to be used for the Data Repository.
  Note: SQL Server rights are not required if you intend to use SQL authentication credentials when the DbProtect installer prompts you for database installer information.
• For all operating systems, the Setup User must also have the “Logon as a service” privilege, and must belong to the local Administrators group.
• Windows 2000 users must also have the “Act as part of the operating system” privilege.

Account: Runtime User
Purpose: Account used to run all of the services in the DbProtect system. Allows DbProtect to read, write and modify data in its backend database.
Used by: The DbProtect Console and DbProtect Message Collector services.
Requirements:
• “Log on as a service” Windows user right.
• Read, write, and change rights to the area of the filesystem where the DbProtect software is installed (the default location is C:\Program Files\AppSecInc).
• Needs access to the SQL Server database AppDetective and must have the database roles db_datareader and db_datawriter.
  Note: It is possible to configure the system to use SQL authentication to access the database. In this case, the Runtime User does not need SQL Server access.
• Windows 2000 users must also have the “Act as part of the operating system” privilege.

Account: Database User
Purpose: Allows DbProtect to read, write and modify data in its Data Repository using SQL authentication.
  Note: This account is optional.
Used by: DbProtect Console and DbProtect Message Collector services.
Requirements:
Needs access to the SQL Server database AppDetective and have the database roles db_datareader and db_datawriter.

Account: Database Installer
Purpose: Account used during the setup process to create and configure the Data Repository.
Used by: Setup program
Requirements:
Needs access to SQL Server database master and have SQL Server role Database Creator (dbcreator) or equivalent permissions on the SQL Server to be used for DbProtect's Data Repository.
  Note: The user has the option to use the credentials of the Setup User as long as that user has appropriate SQL Server permissions as described above.
Browser
Internet Explorer 6 or greater with JavaScript enabled. The minimum screen resolution
is 1024x768.
Networking and firewall considerations
What you will find in this help topic:
• Networking
• Firewall Considerations.
NETWORKING
Network connectivity is required for the Console to communicate with the Sensors.
You should install the Console on a machine connected to the network continuously, if
you want to collect real-time Alerts from the Sensors continuously.
Every Sensor installation requires its own dedicated port for communication. Specify
which port number the Sensor should use to receive commands from the Console. The
Sensor cannot share the same port with any other program. This does not mean each
Sensor requires a different port number on each separate host server. For example,
you can use the same port number for each Sensor you install on each individual host
machine (e.g., port 20000). Or you can specify a different port number for each Sensor
on each host machine. For more information, see Installing and Starting/Stopping the
Sensors.
The Console uses port 20080 (by default) to send data to, and receive data from, the
Sensors. The Sensors, by comparison, send data to, and receive data from, the
Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via
port 20000) to the Console's Message Collector component, the Message Collector
receives these Alerts on port 20081 (by default). For more information, see DbProtect
suite management components - installation steps.
If you are installing a Sensor on the same host server where the Console is installed, do
not specify ports 20080 or 20081 (unless you’re certain these ports are available).
If you are installing a host-based Sensor on any *nix platform, you can, at any time,
change the port number in the sensor.xml and sensor_original.xml files; for more
information, see Appendix C: Modifying the Sensor Listener Port Number.
FIREWALL CONSIDERATIONS
The Console is accessible via HTTPS on default port 20080. You can allow all machines,
certain machines, or no machines to have access from outside your firewall. In the
latter case, only machines inside the firewall can access the Console. This is completely
at your discretion, but for convenience Application Security, Inc. recommends you at
least allow users to connect from their desktop machines.
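The port guidance in Network Pre-Installation Considerations (Chapter 2) and in the Networking and Firewall Considerations topics above can be checked against firewall or flow records. The following is an added example, not part of the DbProtect documentation or product: the host addresses, the "src,dst,dport" record format, and the names Inventory, parse_line, check and audit are assumptions, and only the default port numbers come from this guide.

```python
"""Audit connection records against the DbProtect port guidance.

Added illustration, not vendor code. Addresses and the "src,dst,dport" record
format are constructed; only the default port numbers come from the guide.
"""
import ipaddress
from dataclasses import dataclass

CONSOLE_PORT = 20080            # Console, HTTPS (default)
MESSAGE_COLLECTOR_PORT = 20081  # Message Collector, HTTPS (default)


@dataclass(frozen=True)
class Inventory:
    console: str                 # host running the Console and Message Collector
    sensors: dict                # Sensor host -> its listener port (default 20000)
    console_clients: tuple = ()  # networks allowed to browse to the Console;
                                 # empty means the site allows all machines


def parse_line(line):
    """Parse one 'src,dst,dport' record; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, dport = (part.strip() for part in line.split(","))
    # Normalise addresses so textual variants compare equal; bad input raises.
    return (str(ipaddress.ip_address(src)),
            str(ipaddress.ip_address(dst)),
            int(dport))


def check(conn, inv):
    """Return a reason string if conn breaks the guidance, else None."""
    src, dst, dport = conn
    # Message Collector: the guide recommends disallowing all but the Sensors.
    if dst == inv.console and dport == MESSAGE_COLLECTOR_PORT:
        if src not in inv.sensors:
            return "non-Sensor host connected to the Message Collector"
        return None
    # Sensor listener: no machine other than the Console should connect.
    if inv.sensors.get(dst) == dport:
        if src != inv.console:
            return "non-Console host connected to a Sensor listener"
        return None
    # Console: the site decides which machines may connect.
    if dst == inv.console and dport == CONSOLE_PORT:
        if src in inv.sensors or not inv.console_clients:
            return None
        addr = ipaddress.ip_address(src)
        if any(addr in ipaddress.ip_network(n) for n in inv.console_clients):
            return None
        return "Console reached from outside the permitted networks"
    return None  # not DbProtect management traffic


def audit(lines, inv):
    """Return [(connection, reason), ...] for every record that violates policy."""
    findings = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        reason = check(conn, inv)
        if reason:
            findings.append((conn, reason))
    return findings


# Constructed inventory: one Console, two Sensors (one on a non-default port),
# and an administrator desktop network allowed to reach the Console.
SAMPLE_INVENTORY = Inventory(
    console="10.0.5.10",
    sensors={"10.0.7.21": 20000, "10.0.7.22": 20001},
    console_clients=("10.0.9.0/24",),
)

# Constructed connection records (src,dst,dport).
SAMPLE_LOG = """\
# expected traffic
10.0.7.21,10.0.5.10,20081
10.0.5.10,10.0.7.21,20000
10.0.9.44,10.0.5.10,20080
# traffic the guidance says to block
10.0.9.44,10.0.5.10,20081
10.0.9.44,10.0.7.22,20001
192.0.2.77,10.0.5.10,20080
# unrelated database traffic
10.0.9.44,10.0.7.21,1521
"""

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_LOG.splitlines(), SAMPLE_INVENTORY):
        print("%s -> %s:%d  %s" % (conn[0], conn[1], conn[2], reason))
```

Leaving console_clients empty models the "allow all machines" choice for the Console port; the Message Collector and Sensor listener checks apply regardless.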
Data Repository
DbProtect requires a SQL Server 2000 or SQL Server 2005 Data Repository to operate.
This Data Repository stores all Alerts and audit data, as well as its system configuration
information.
You can install a database, or choose an existing database instance. During setup, the
installation wizard prompts you to either:
• install SQL Server Desktop Engine 2000 (MSDE 2000), a free version of
Microsoft SQL Server designed for client applications (like DbProtect) that
require a Data Repository
• specify the SQL Server 2000 or SQL Server 2005 instance where you want to
install the Data Repository.
Note: Remote vs. local installation options are related to whether you install
MSDE 2000 or SQL Server as your Data Repository; for more information,
see Local vs. remote installation considerations.
If you choose to install MSDE 2000 as your Data Repository, a correct installation is
essential for DbProtect to function properly. Also note, older versions of MSDE 2000
are not automatically upgraded.
Note: MSDE 2000 runs much slower than SQL Server, and has a data capacity
limitation of 2 GB. If processing speed is an issue, and/or if you plan to
audit a large volume of data, Application Security, Inc. recommends you
use a SQL Server database. For more information, see Warning about the
possible effects of installing MSDE 2000 on the Alert Manager.
What you will find in this help topic:
• Requirement: administrative privileges on SQL Server 2000
• Requirement: server-level login on SQL Server (with sysadmin privileges)
• Requirement: deleting your existing DbProtect Data Repository
• Requirement: Administrators group membership for Windows login
• Acceptable Data Repository software
• Local vs. remote installation considerations
• Warning about Enterprise Manager/Query Analyzer corruption
• Warning about the possible effects of installing MSDE 2000 on the Alert
Manager.
REQUIREMENT: ADMINISTRATIVE PRIVILEGES ON SQL SERVER 2000
If you choose not to install MSDE (bundled with the Console), and choose instead to
use your own instance of SQL Server 2000 (SP4 or higher), then you must have
administrative privileges on that instance.
REQUIREMENT: SERVER-LEVEL LOGIN ON SQL SERVER
(WITH SYSADMIN PRIVILEGES)
In Chapter 5 - Installing the DbProtect Components and Logging Into the Console,
you will be prompted to choose an authentication type: Windows Authentication or
SQL Authentication. Regardless of which authentication type you choose, you must
first create the specified account as a server-level login on SQL Server before you
install DbProtect. The account must have sysadmin privileges.
REQUIREMENT: DELETING YOUR EXISTING DBPROTECT
DATA REPOSITORY
If a Data Repository and account already exist on your SQL Server or MSDE database,
you must delete them.
REQUIREMENT: ADMINISTRATORS GROUP MEMBERSHIP
FOR WINDOWS LOGIN
You must log on with a Windows account in the Administrators group. This is required
to install the Windows service. The service name is DbProtect. For more information
on starting and stopping DbProtect services, see the DbProtect Administrator’s Guide.
ACCEPTABLE DATA REPOSITORY SOFTWARE
Your Data Repository can be:
• SQL Server 2000 instance (SP4 or higher)
• SQL Server 2005
• SQL Server Desktop Engine (MSDE 2000).
You can install a new instance, or choose an existing instance, for your Data Repository.
During setup, the Console installation wizard prompts you to either:
• specify the instance where you want to install the Data Repository
• install SQL Server Desktop Engine (MSDE 2000), a free version of SQL Server
designed for client applications (like DbProtect) that require an embedded
database.
Note:
Due to performance and space limitations inherent to MSDE 2000,
Application Security, Inc. recommends you install a full SQL Server
instance, not MSDE 2000.
LOCAL VS. REMOTE INSTALLATION CONSIDERATIONS
If you choose to:
• install MSDE 2000 as your Data Repository, it is installed locally, i.e., on the same
physical host where the Console is installed
• use SQL Server as your Data Repository, you can install it locally or remotely,
i.e., on a physical box separate from where the Console is installed.
Note:
If you supply your own SQL Server instance as the back-end of your
Console installation, you must patch the instance to SP4 or later.
WARNING ABOUT ENTERPRISE MANAGER/QUERY ANALYZER
CORRUPTION
On a computer that has SQL Server 2000 with Service Pack (SP) 1 or SP2 installed, the
installation of MSDE 2000 might corrupt your Enterprise Manager/Query Analyzer
settings. You can upgrade your SQL Server database to the latest service pack levels
recommended by Microsoft, then start the installation.
WARNING ABOUT THE POSSIBLE EFFECTS OF INSTALLING
MSDE 2000 ON THE ALERT MANAGER
MSDE 2000 runs significantly slower than SQL Server, and has a data capacity
limitation of 2GB. If processing speed is an issue, and/or if you plan to audit a large
volume of data, Application Security, Inc. recommends you use a SQL Server
database.
The 2GB limitation with MSDE 2000 can also cause problems when you use the Alert
Manager. Specifically, when you reach the 2GB capacity:
• the Current Alerts portion of the Alert Manager stops displaying new Alerts
(regardless of whether it is manually or automatically refreshed)
• current Alerts can no longer be Archived -- hence, there is no way to delete the
Archived Alerts through the UI in order to reclaim space for the database.
• If processing speed is an issue, and/or if you plan to audit a large volume of
data, Application Security, Inc. recommends you use a SQL Server database.
Additional Console assumptions, prerequisites, and recommendations
Additional Console assumptions, prerequisites, and recommendations follow:
• The Console installation process assumes a clean installation of DbProtect
using an Application Security, Inc.-provided CD, or via download from the
Application Security, Inc. FTP site or website.
• SQL Server 2000 Prerequisite. Patch your SQL Server 2000 Data Repository to at
least Service Pack 4 (SP4) before installing the Console. For more information,
see Data Repository.
• Administrators Group Prerequisite. You must log on with a Windows account in
the Administrators group. This is required to install the Windows service. The
service name is DbProtect. For more information on starting/stopping services,
see the DbProtect Administrator’s Guide.
• Server-Level Login on SQL Server (with sysadmin Privileges) Prerequisite.
Regardless of which authentication type (i.e., Windows Authentication or SQL
Authentication) you choose when you are installing the Console, you must first
create the specified account as a server-level login on your SQL Server before
you begin installing the Console. The specified account must have sysadmin
privileges.
In addition, your Console server and Data Repository server (if remote) must
have a trusted relationship with one another. For example, they must be in the
same domain or workgroup. Otherwise you will receive the following error
message:
"Login failed for user '(null)'. Reason: Not associated with
trusted SQL Server Connection."
Also, your database server must have a valid Microsoft SQL Server account for
the Console server to access.
If you want to use:
- Microsoft SQL Server authentication, you can create a new username/password, add
the necessary privileges, and install the Console with that username/password.
- Windows authentication, you can do the following:
By default Microsoft SQL Server 2000 adds the "Builtin\Administrators"
group. This means users can add any domain user to the Administrators group in
Windows and install the Console using that domain user.
Or, you can create a new user from the Enterprise Manager with the name
"domainname\username", then select Windows Authentication, then enter
"domainname". You can now use that domain user to install the Console.
• SQL Server 2005 browser service requirement. The SQL Server 2005 browser
service must be on if you:
- have a SQL Server 2005 Data Repository installed on a non-default instance, in order
for the Console to function correctly
- are upgrading from DbProtect 2007.0 or later with a SQL Server 2005 Data Repository
(i.e., the SQL Server 2005 browser service must be running at the time of the upgrade)
- plan to specify (or specified) an instance name (not a port) during installation of the
Database Component; for more information, see DbProtect suite management
components - installation steps.
• Warning to SQL Server Administrators. On a computer that has SQL Server
2000 with Service Pack (SP) 1 or SP2 installed, the installation of MSDE 2000
might corrupt your Enterprise Manager/Query Analyzer settings. You can
upgrade your SQL Server database to the latest service pack levels
recommended by Microsoft, then start the installation.
• Warning About the Possible Effects on the Alert Manager of an MSDE 2000
Installation. MSDE 2000 runs much slower than SQL Server, and has a data
capacity limitation of 2GB. If processing speed is an issue, and/or if you plan to
audit a large volume of data, Application Security, Inc. recommends you use a
SQL Server database.
The 2GB limitation with MSDE 2000 can also cause problems when you use the
Alert Manager. Specifically, when you reach the 2GB capacity:
- the Current Alerts portion of the Alert Manager stops displaying new Alerts
(regardless of whether it is manually or automatically refreshed)
- current Alerts can no longer be Archived -- hence, there is no way to delete the
Archived Alerts through the Console in order to reclaim space for the database.
Note:
If processing speed is an issue, and/or if you plan to audit a large volume
of data, Application Security, Inc. recommends you use a SQL Server
database.
• Windows Installer 3.1. If you do not have Windows Installer 3.1 installed on any
supported version of Windows before you run the DbProtect installer, a dialog
box informs you that you must install it. You can download Windows Installer
3.1 from here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en.
For more information on DbProtect
installation, see Installing the DbProtect Suite Management Components.
• Security Update for Windows 2000 (KB835732). If you do not have the Security
Update for Windows 2000 (KB835732) installed before running the DbProtect
installer on a Windows 2000 machine, then you may encounter an error
message indicating the prerequisite for Microsoft .NET Framework 2.0 SP1 has
not installed correctly. There could be other reasons you could receive this error
message. Application Security, Inc. recommends you verify you have the
Windows security update installed, then re-try the DbProtect installation. If the
installation still fails, you should install the .NET Framework 2.0 SP1 manually by
downloading it from the Microsoft website here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=029196ED-04EB-471E-8A99-3C61D19A4C5A&displaylang=en
• Application Security, Inc. recommends you clear your Java cache after an
upgrade. The Java cache does not get automatically cleared following a
reboot. For more information, see Appendix Q: Clearing Your Java Cache.
Sensors - Minimum System
Requirements
This section provides detailed minimum system requirements for the Sensor
components of DbProtect. There are two types of Sensors available: host-based and
network-based.
What you will find in this section:
• Host-based Sensor - minimum system requirements at-a-glance
• Network-based Sensor - minimum system requirements at-a-glance
• Host-based Sensor for SQL Server (on Windows) - minimum system requirements
• Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements
• Host-based Sensor for DB2 (on Solaris) - minimum system requirements
• Host-based Sensor for DB2 (on AIX) - minimum system requirements
• Host-based Sensor for DB2 (on Windows) - minimum system requirements
• Host-based Sensor for Oracle (on Solaris) - minimum system requirements
• Host-based Sensor for Oracle (on AIX) - minimum system requirements
• Host-based Sensor for Oracle (on HP-UX) - minimum system requirements
• Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements
• Host-based Sensor for Oracle (on Windows) - minimum system requirements
• Network-based Sensor for Sybase - minimum system requirements
• Network-based Sensor for Oracle - minimum system requirements
• Network-based Sensor for DB2 - minimum system requirements.
Host-based Sensor - minimum system requirements at-a-glance
Host-based Sensors allow you to monitor the following databases on a host server:
• SQL Server on Windows
• Oracle on Solaris, AIX, HP-UX, Red Hat Enterprise Linux, and Windows
• DB2 on Red Hat Enterprise Linux, Solaris, AIX, and Windows.
If you want to install a host-based Sensor, the table below lists supported database/OS
combinations, and links you to the minimum system requirements.

| DB | OS | Go to: |
|---|---|---|
| SQL SERVER | WINDOWS | Host-based Sensor for SQL Server (on Windows) - minimum system requirements |
| DB2 | RED HAT ENTERPRISE LINUX | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements |
| DB2 | SOLARIS | Host-based Sensor for DB2 (on Solaris) - minimum system requirements |
| DB2 | AIX | Host-based Sensor for DB2 (on AIX) - minimum system requirements |
| DB2 | WINDOWS | Host-based Sensor for DB2 (on Windows) - minimum system requirements |
| ORACLE | SOLARIS | Host-based Sensor for Oracle (on Solaris) - minimum system requirements |
| ORACLE | AIX | Host-based Sensor for Oracle (on AIX) - minimum system requirements |
| ORACLE | HP-UX | Host-based Sensor for Oracle (on HP-UX) - minimum system requirements |
| ORACLE | RED HAT ENTERPRISE LINUX | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements |
| ORACLE | WINDOWS | Host-based Sensor for Oracle (on Windows) - minimum system requirements |

A host-based Sensor must reside on the same machine as the SQL Server instance(s),
Oracle SID(s), or DB2 UDB instance it is monitoring.
Note:
Although it is possible to install a host-based Sensor and the Console on
the same host, Application Security, Inc. recommends that for host-based
Sensors on production databases you install the Console and Data
Repository on different hosts. For more information, see Console -
Minimum System Requirements.
Network-based Sensor - minimum system requirements at-a-glance
Network-based Sensors allow you to monitor Windows-based Sybase, Oracle, and
DB2 on the network. If you want to install a network-based Sensor, the table below lists
supported database/OS combinations, and links you to the minimum system
requirements.
Note:
The network-based Sensor only runs on the Windows OS, but the
databases it monitors do not need to be running on Windows.

| DB | Go to: |
|---|---|
| SYBASE | Network-based Sensor for Sybase - minimum system requirements |
| ORACLE | Network-based Sensor for Oracle - minimum system requirements |
| DB2 | Network-based Sensor for DB2 - minimum system requirements |

Host-based Sensor for SQL Server (on Windows) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for SQL Server (on Windows).
What you will find in this help topic:
• Supported SQL Server versions
• Supported Windows versions
• Rights and privileges
• Hardware
• Network connectivity
• Important server and instance information
• SQL Server Cluster support.
SUPPORTED SQL SERVER VERSIONS
• SQL Server 2000 (all x86 and x64 editions)
• SQL Server 2005 (all x86 and x64 editions).
SUPPORTED WINDOWS VERSIONS
• Windows 2000 Server (including Advanced Server), 32-bit and 64-bit (excluding
Itanium)
• Windows Server 2003 (including Enterprise Edition), 32-bit and 64-bit
(excluding Itanium).
RIGHTS AND PRIVILEGES
Installation Rights and Privileges:
You need the following rights and privileges to install a host-based Sensor for SQL
Server (on Windows):
• To install a host-based Sensor for SQL Server, you must be a Windows user with
administrative rights on both the host server and SQL Server. You must also
have domain administrator rights to install a host-based Sensor for SQL Server
in a cluster.
• To run the host-based Sensor for SQL Server, you must have "run as a service"
rights on Windows, and administrative rights on SQL Server at runtime.
SQL Server 2005 Windows User Requirement:
SQL Server 2005 does not create a login for the Windows user “Local System” by
default. You must run the host-based Sensor for SQL Server (on Windows) as a
Windows user that exists in your SQL Server instance.
Service Account Requirement:
In addition, the service account (i.e., the user running the AppRadar Sensor service)
requires, at a minimum:
• to be in the sysadmin role (SQL Server 2000 only)
• to have ALTER TRACE permission (SQL Server 2005 only)
• to have permission to execute the following stored procedures:
- sp_trace_create
- sp_trace_setevent
- sp_trace_setfilter
- sp_trace_getdata
- sp_trace_setstatus
To use the Audit Filter Wizard (for more information, see the DbProtect User’s Guide),
the service account must also be able to query the sysobjects table within all
databases.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required in order for the Sensor to communicate with the
Console and, optionally, with SNMP and Syslog systems.
IMPORTANT SERVER AND INSTANCE INFORMATION
• Each machine should have only one Sensor.
• Every Sensor requires its own dedicated port for communication.
• One host-based Sensor can monitor multiple instances on a single machine.
• You can monitor as many SQL Server instances as your license allows; for more
information, see Chapter 4 - Licensing.
SQL SERVER CLUSTER SUPPORT
If you want to install a host-based Sensor on a single instance, or multiple instances, of
a SQL Server Cluster, then you must read Appendix A: Installing/Uninstalling
DbProtect in a SQL Server Cluster.
Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for DB2 (on Red Hat Enterprise Linux).
What you will find in this help topic:
• Supported DB2 versions
• Supported Red Hat Enterprise Linux versions
• Rights and privileges
• Required Red Hat Enterprise Linux 32- and 64-bit minimum kernel release
• MON_HEAP_SZ database configuration parameter
• Hardware
• Network connectivity
• Single instance monitoring limitation
• User group requirement
• DB2 auditing usage for failed logins.
SUPPORTED DB2 VERSIONS
DB2 versions 8 and 9.
SUPPORTED RED HAT ENTERPRISE LINUX VERSIONS
Red Hat Enterprise Linux 3, 4, or 5 (32-bit x86 and 64-bit x64).
Caution! The host-based Sensor installer may display a warning message
if you run it on Red Hat Enterprise Linux 3 to inform you DB2 is
not supported on version 3. You may safely ignore this warning.
RIGHTS AND PRIVILEGES
The DB2 administrator must grant the following privileges to the appradar user for
every DB2 database in the instance the user wants to monitor. These privileges are:
• SYSADM if the user wants to monitor failed logins
• DBADM if the user does not want to monitor failed logins.
REQUIRED RED HAT ENTERPRISE LINUX 32- AND 64-BIT
MINIMUM KERNEL RELEASE
Host-based Sensors for DB2 on Red Hat Enterprise Linux 32- and 64-bit require a
minimum Red Hat Enterprise Linux kernel release of version 2.6. Otherwise, install a
kernel patch that supports asynchronous I/O.
MON_HEAP_SZ DATABASE CONFIGURATION PARAMETER
The host-based Sensor for DB2 (on Red Hat Enterprise Linux) uses DB2 internal feature
monitoring. The MON_HEAP_SZ database configuration parameter specifies the number
of 4KB blocks of memory available to the monitoring facility. If this parameter is set too
low, monitoring won’t turn on and, consequently, the host-based Sensor for DB2 won’t
be able to monitor your DB2 database.
Application Security, Inc. recommends a value of 1024 for the MON_HEAP_SZ
configuration parameter, but you should use the formula provided by IBM to
determine your exact monitoring memory requirements. For more information, see
http://publib.boulder.ibm.com/infocenter/db2luw/v8/topic/com.ibm.db2.udb.doc/admin/c0005995.htm
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
You can specify a different port number during installation, or you can change the port
number in the sensor.xml and sensor_original.xml files; for more information, see
Appendix C: Modifying the Sensor Listener Port Number.
SINGLE INSTANCE MONITORING LIMITATION
A host-based Sensor for DB2 can only monitor one DB2 instance. The host-based
Sensor for DB2 uses an IBM-provided API that caches the value of the DB2INSTANCE
environment variable. Consequently, even if the environment variable’s value changes,
the API will not switch to the other instance. This prevents the host-based Sensor for
DB2 process from monitoring more than one instance at a time, and it prevents it from
switching from one instance to another (unless you re-start the Sensor).
There is a workaround, however, that allows you to monitor multiple instances on a
DB2 server. For more information, see Appendix P: Monitoring Multiple Instances on a
DB2 Server.
USER GROUP REQUIREMENT
The account running the DB2 instance must be a member of the AppRadar group, and
the account running the Sensor must be a member of the DB2 group.
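As an added example (not part of the DbProtect guide or product), the shell functions below check three requirements from this section: the 2.6 kernel minimum, the recommended MON_HEAP_SZ value of 1024 as reported by `db2 get dbm cfg`, and the two group memberships. The group names `appradar` and `db2grp1`, the account name `db2inst1`, and the sample configuration text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not DbProtect code): preflight checks for the host-based
# Sensor for DB2 on Red Hat Enterprise Linux.

# Constructed sample of `db2 get dbm cfg` output (two lines only).
SAMPLE_DBM_CFG=' Database system monitor heap size (4KB)       (MON_HEAP_SZ) = 90
 Java Virtual Machine heap size (4KB)         (JAVA_HEAP_SZ) = 2048'

# kernel_ok RELEASE -> succeeds if the kernel release (uname -r) is 2.6 or later.
kernel_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -ge 6 ]; }
}

# mon_heap_sz -> prints the MON_HEAP_SZ value found in `db2 get dbm cfg`
# output read from stdin (digits only, so "AUTOMATIC(90)" yields 90).
mon_heap_sz() {
    awk -F= '/\(MON_HEAP_SZ\)/ { v = $2; gsub(/[^0-9]/, "", v); print v; exit }'
}

# mon_heap_ok [MINIMUM] -> succeeds if MON_HEAP_SZ on stdin is at least
# MINIMUM 4KB blocks (default 1024, the value the guide recommends).
mon_heap_ok() {
    value=$(mon_heap_sz)
    [ -n "$value" ] && [ "$value" -ge "${1:-1024}" ]
}

# has_group "GROUP LIST" GROUP -> succeeds if GROUP appears in the
# space-separated list, e.g. the output of `id -Gn ACCOUNT`.
has_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# db2_sensor_preflight KERNEL DBM_CFG INSTANCE_GROUPS SENSOR_GROUPS APPRADAR_GRP DB2_GRP
# Prints one line per unmet requirement; returns non-zero if any is unmet.
db2_sensor_preflight() {
    failed=0
    kernel_ok "$1" || {
        echo "kernel $1 is older than 2.6: asynchronous I/O kernel patch needed"
        failed=1
    }
    printf '%s\n' "$2" | mon_heap_ok || {
        echo "MON_HEAP_SZ is below 1024 or not found"
        failed=1
    }
    has_group "$3" "$5" || {
        echo "DB2 instance account is not in group $5"
        failed=1
    }
    has_group "$4" "$6" || {
        echo "Sensor account is not in group $6"
        failed=1
    }
    return "$failed"
}

# On a real host (account and group names are assumptions):
#   db2_sensor_preflight "$(uname -r)" "$(db2 get dbm cfg)" \
#       "$(id -Gn db2inst1)" "$(id -Gn appradar)" appradar db2grp1
# Demonstration on constructed values:
db2_sensor_preflight "2.6.18-92.el5" "$SAMPLE_DBM_CFG" \
    "db2grp1 appradar" "appradar" appradar db2grp1 || true
```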
DB2 AUDITING USAGE FOR FAILED LOGINS
"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based
Sensors for DB2, since all other types of host-based Sensor utilize "event monitoring."
The host-based Sensors for DB2 automatically turn on DB2 auditing if you enable any
Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or
"Scripted Password Attack"). The host-based Sensors for DB2 monitor all other types
of events using the DB2 "event monitoring" facility.
For more information on how the host-based Sensors for DB2 use auditing to monitor
failed logins and how to manually manage the resulting audit files, see the DbProtect
Administrator’s Guide.
Caution! Host-based Sensors for DB2 fully control DB2 "auditing" if user
authentication (failed login) events are enabled in a Policy
(specifically, "Failed Login", "Password Guessing", or "Scripted
Password Attack"). In other words, the host-based Sensor for
DB2 turns "auditing" on, sets it, and turns it off. If you are using
DB2 "auditing" on other applications, the host-based Sensors for
DB2 can potentially override (and effectively disable) DB2
"auditing" on these other applications. The host-based Sensors
for DB2 monitor all other types of events using the DB2 "event
monitoring" facility.
Host-based Sensor for DB2 (on Solaris) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for DB2 (on Solaris).
What you will find in this help topic:
• Supported DB2 versions
• Supported Solaris versions
• Rights and privileges
• Required Solaris patches
• Hardware
• Network connectivity
• Single instance monitoring limitation
• User group requirement
• DB2 auditing usage for failed logins.
SUPPORTED DB2 VERSIONS
DB2 versions 8 and 9.
SUPPORTED SOLARIS VERSIONS
Solaris 8, 9, and 10 (64-bit SPARC).
RIGHTS AND PRIVILEGES
The DB2 administrator must grant the following privileges to the appradar user for
every DB2 database in the instance the user wants to monitor. These privileges are:
• SYSADM if the user wants to monitor failed logins
• DBADM if the user does not want to monitor failed logins.
REQUIRED SOLARIS PATCHES
The following table lists OS patches required for Solaris versions 8 and 9.

| Solaris version | Patch Id | Summary | Date |
|---|---|---|---|
| Solaris 8 | 108434-22 | SunOS 5.8: 32-bit shared library patch for C++ (108435-22 is the corresponding 64-bit patch) | Aug/01/2006 |
| Solaris 8 | 111721-04 | SunOS 5.8: Math Library (libm) patch | May/08/2003 |
| Solaris 8 | 117350-39 | SunOS 5.8: kernel patch | Jul/20/2006 |
| Solaris 9 | 111711-15 / 111712-16 | SunOS 5.9: 32-bit shared library patch for C++ (111712-16 is the corresponding 64-bit patch) | Aug/07/2006 |
| Solaris 9 | 111722-04 | SunOS 5.9: Math Library (libm) patch | May/08/2003 |
| Solaris 9 | 118558-25 (or better) | SunOS 5.9: Kernel Patch | Apr/25/2006 |

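The following is an added example (not part of the DbProtect guide or product) that checks `showrev -p` output from a Solaris host against the patch IDs in the table above. It assumes that a higher revision of the same patch satisfies the requirement and that the 64-bit patch IDs apply to the host; the sample `showrev -p` lines are constructed.

```shell
#!/bin/sh
# Added example (not DbProtect code): compare installed Solaris patches with
# the required patches listed in the table above.

# Required patches as "base-minimum_revision". The 64-bit IDs named in the
# table are included (assumption: the host runs 64-bit SPARC).
REQUIRED_SOLARIS_8="108434-22 108435-22 111721-04 117350-39"
REQUIRED_SOLARIS_9="111711-15 111712-16 111722-04 118558-25"

# Constructed sample of `showrev -p` output, so the check can run offline.
# 111721 is one revision too low; 117350 appears twice (highest one counts).
SAMPLE_SHOWREV='Patch: 108434-22 Obsoletes: Requires: Incompatibles: Packages: SUNWlibC
Patch: 108435-22 Obsoletes: Requires: Incompatibles: Packages: SUNWlibCx
Patch: 111721-03 Obsoletes: Requires: Incompatibles: Packages: SUNWlibms
Patch: 117350-38 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 117350-47 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu'

# missing_patches REQUIRED_LIST
# Reads `showrev -p` output on stdin and prints one line for each required
# patch that is absent or installed only at a lower revision.
missing_patches() {
    awk -v required="$1" '
        $1 == "Patch:" {
            # Keep the highest installed revision seen for each base ID.
            split($2, p, "-")
            if (!(p[1] in have) || p[2] + 0 > have[p[1]])
                have[p[1]] = p[2] + 0
        }
        END {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++) {
                split(req[i], r, "-")
                if (!(r[1] in have))
                    printf "%s (not installed)\n", req[i]
                else if (have[r[1]] < r[2] + 0)
                    printf "%s (installed revision %02d)\n", req[i], have[r[1]]
            }
        }'
}

# patches_ok REQUIRED_LIST -> succeeds only if nothing is missing.
patches_ok() {
    [ -z "$(missing_patches "$1")" ]
}

# On a Solaris 8 host: showrev -p | missing_patches "$REQUIRED_SOLARIS_8"
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SHOWREV" | missing_patches "$REQUIRED_SOLARIS_8"
```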
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
You can specify a different port number during installation, or you can change the port
number in the sensor.xml and sensor_original.xml files; for more information, see
Appendix C: Modifying the Sensor Listener Port Number.
SINGLE INSTANCE MONITORING LIMITATION
A host-based Sensor for DB2 can only monitor one DB2 instance. The host-based
Sensor for DB2 uses an IBM-provided API that caches the value of the DB2INSTANCE
environment variable. Consequently, even if the environment variable’s value changes,
the API will not switch to the other instance. This prevents the host-based Sensor for
DB2 process from monitoring more than one instance at a time, and it prevents it from
switching from one instance to another (unless you re-start the Sensor).
There is a workaround, however, that allows you to monitor multiple instances on a
DB2 server. For more information, see Appendix P: Monitoring Multiple Instances on a
DB2 Server.
USER GROUP REQUIREMENT
The account running the DB2 instance must be a member of the AppRadar group, and
the account running the Sensor must be a member of the DB2 group.
DB2 AUDITING USAGE FOR FAILED LOGINS
"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based
Sensors for DB2, since all other types of host-based Sensor utilize "event monitoring."
The host-based Sensors for DB2 automatically turn on DB2 auditing if you enable any
Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or
"Scripted Password Attack"). The host-based Sensors for DB2 monitor all other types
of events using the DB2 "event monitoring" facility.
For more information on how the host-based Sensors for DB2 use auditing to monitor
failed logins and how to manually manage the resulting audit files, see the DbProtect
Administrator’s Guide.
Caution! Host-based Sensors for DB2 fully control DB2 "auditing" if user
authentication (failed login) events are enabled in a Policy
(specifically, "Failed Login", "Password Guessing", or "Scripted
Password Attack"). In other words, the host-based Sensor for
DB2 turns "auditing" on, sets it, and turns it off. If you are using
DB2 "auditing" on other applications, the host-based Sensors for
DB2 can potentially override (and effectively disable) DB2
"auditing" on these other applications. The host-based Sensors
for DB2 monitor all other types of events using the DB2 "event
monitoring" facility.
Host-based Sensor for DB2 (on AIX) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for DB2 (on AIX).
What you will find in this help topic:
• Supported DB2 versions
• Supported AIX versions
• Rights and Privileges
• Hardware
• Network connectivity
• Single instance monitoring limitation
• User group requirement
• DB2 auditing usage for failed logins.
SUPPORTED DB2 VERSIONS
DB2 versions 8 and 9.
SUPPORTED AIX VERSIONS
AIX 5.2 Technology Level 5 and greater (32-bit and 64-bit).
RIGHTS AND PRIVILEGES
The DB2 administrator must grant the following privileges to the appradar user for
every DB2 database in the instance the user wants to monitor. These privileges are:
• SYSADM if the user wants to monitor failed logins
• DBADM if the user does not want to monitor failed logins.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
SINGLE INSTANCE MONITORING LIMITATION
A host-based Sensor for DB2 can only monitor one DB2 instance. The host-based
Sensor for DB2 uses an IBM-provided API that caches the value of the DB2INSTANCE
environment variable. Consequently, even if the environment variable’s value changes,
the API will not switch to the other instance. This prevents the host-based Sensor for
DB2 process from monitoring more than one instance at a time, and it prevents it from
switching from one instance to another (unless you re-start the Sensor).
There is a workaround, however, that allows you to monitor multiple instances on a
DB2 server. For more information, see Appendix P: Monitoring Multiple Instances on a
DB2 Server.
USER GROUP REQUIREMENT
The account running the DB2 instance must be a member of the AppRadar group, and
the account running the Sensor must be a member of the DB2 group.
DB2 AUDITING USAGE FOR FAILED LOGINS
"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based
Sensors for DB2, since all other types of host-based Sensor utilize "event monitoring."
The host-based Sensors for DB2 automatically turn on DB2 auditing if you enable any
Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or
"Scripted Password Attack"). The host-based Sensors for DB2 monitor all other types
of events using the DB2 "event monitoring" facility.
For more information on how the host-based Sensors for DB2 use auditing to monitor
failed logins and how to manually manage the resulting audit files, see the DbProtect
Administrator’s Guide.
Caution! Host-based Sensors for DB2 fully control DB2 "auditing" if user
authentication (failed login) events are enabled in a Policy
(specifically, "Failed Login", "Password Guessing", or "Scripted
Password Attack"). In other words, the host-based Sensor for
DB2 turns "auditing" on, sets it, and turns it off. If you are using
DB2 "auditing" on other applications, the host-based Sensors for
DB2 can potentially override (and effectively disable) DB2
"auditing" on these other applications. The host-based Sensors
for DB2 monitor all other types of events using the DB2 "event
monitoring" facility.
Host-based Sensor for DB2 (on Windows) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for DB2 (on Windows).
What you will find in this help topic:
• Supported DB2 versions
• Supported Windows versions
• Rights and privileges
• Hardware
• Network connectivity
• User group requirement
SUPPORTED DB2 VERSIONS
DB2 versions 8 and 9.
SUPPORTED WINDOWS VERSIONS
• Windows 2000 Server (including Advanced Server), 32-bit
• Windows Server 2003 (including Enterprise Edition), 32-bit.
RIGHTS AND PRIVILEGES
The DB2 administrator must grant the following privileges to the appradar user for
every DB2 database in the instance the user wants to monitor. These privileges are:
• SYSADM if the user wants to monitor failed logins
• DBADM if the user does not want to monitor failed logins.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
USER GROUP REQUIREMENT
The account running the DB2 instance must be a member of the AppRadar group, and
the account running the Sensor must be a member of the DB2 group.
Host-based Sensor for Oracle (on Solaris) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for Oracle (on Solaris).
What you will find in this help topic:
• Supported Oracle versions
• Supported Solaris versions
• Rights and privileges
• Required Solaris patches
• Hardware
• Network connectivity
• Important port information
• Important server and instance information
• Oracle Word size prerequisite
• Firewall considerations
• Creating the appradar Runtime User Account and working with Oracle (on
Solaris) SGA shared memory permissions
• Java Oracle Packages (requirement for monitoring DDL statements)
• Sensor re-start requirement (for DDL trigger removals/re-adds) - on Solaris.
SUPPORTED ORACLE VERSIONS
Oracle 9iR2, 10g, and 10gR2.
SUPPORTED SOLARIS VERSIONS
Solaris 8, 9, and 10 (32- and 64-bit SPARC).
RIGHTS AND PRIVILEGES
Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX,
and Red Hat Enterprise Linux) require the following rights and privileges:
• To install the host-based Sensor for Oracle package, you must have
administrative (root) privileges on the host. If this is not possible, a tar
distribution of the host-based Sensor for Oracle is also available.
• To run the host-based Sensor for Oracle, you must use a user that is a member
of the same “dba” group as oracle on the host.
The appradar account must belong to the Oracle DBA group or to the database, and
it must allow for login by a system account.
REQUIRED SOLARIS PATCHES
The following table lists OS patches required for Solaris versions 8 and 9.
Solaris version   Required patch
Solaris 8         Patch Id: 108434-22
                  Summary: SunOS 5.8: 32-bit shared library patch for C++
                  108435-22 is the corresponding 64-bit patch.
                  Date: Aug/01/2006

                  Patch Id: 111721-04
                  Summary: SunOS 5.8: Math Library (libm) patch
                  Date: May/08/2003

                  Patch Id: 117350-39
                  Summary: SunOS 5.8: kernel patch
                  Date: Jul/20/2006

Solaris 9         Patch Id: 111711-15 / 111712-16
                  Summary: SunOS 5.9: 32-bit shared library patch for C++
                  111712-16 is the corresponding 64-bit patch.
                  Date: Aug/07/2006

                  Patch Id: 111722-04
                  Summary: SunOS 5.9: Math Library (libm) patch
                  Date: May/08/2003

                  Patch Id: 118558-25 (or better)
                  Summary: SunOS 5.9: Kernel Patch
                  Date: Apr/25/2006
To determine your Solaris patch level:
Step 1. Execute the following command:
uname -a; showrev -p | egrep -e '^Patch: 117350|^Patch: 111721|^Patch: 108434' | cut -d" " -f1,2
Note: Any user can execute this command.
Result: The output displays your OS and patches; for example:
SunOS sunny14 5.8 Generic_117350-38 sun4u sparc SUNW,Ultra-80
Patch: 117350-38
Patch: 111721-04
Patch: 108434-21
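As an added example (not part of the original guide), the following script compares showrev -p output against the patch revisions in the table above. It treats each listed revision as a minimum, which the guide states only for 118558-25 ("or better") and which is an assumption for the others. The function and variable names are hypothetical, and the sample input is the guide's own example output.

```shell
#!/bin/sh
# Added example, not DbProtect code: check Solaris patch revisions against
# the minimums listed in the guide's "Required Solaris patches" table.

# Required revisions from the table (32-bit C++ library patch shown; the
# 64-bit counterparts are 108435-22 and 111712-16).
REQUIRED_SOLARIS8="108434-22 111721-04 117350-39"
REQUIRED_SOLARIS9="111711-15 111722-04 118558-25"

# Sample input: the example output printed in the guide (patch lines only).
SAMPLE_SHOWREV='Patch: 117350-38
Patch: 111721-04
Patch: 108434-21'

# check_patches REQUIRED_LIST   (reads "showrev -p" output on stdin)
# Prints one line per required patch: OK, LOW or MISSING.
# Returns 0 only when every required patch is at or above its revision.
# Assumption: a higher revision of the same patch base satisfies the
# requirement.
check_patches() {
    awk -v required="$1" '
        # Lines look like "Patch: 117350-38" (optionally followed by
        # "Obsoletes: ..." when cut is not applied).
        $1 == "Patch:" {
            split($2, p, "-")
            rev = p[2] + 0
            # Keep the highest installed revision for each patch base.
            if (!(p[1] in have) || rev > have[p[1]]) have[p[1]] = rev
        }
        END {
            n = split(required, req, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                split(req[i], r, "-")
                base = r[1]
                min = r[2] + 0
                if (!(base in have)) {
                    printf "MISSING %s (need -%02d)\n", base, min
                    bad++
                } else if (have[base] < min) {
                    printf "LOW %s-%02d (need -%02d)\n", base, have[base], min
                    bad++
                } else {
                    printf "OK %s-%02d\n", base, have[base]
                }
            }
            exit (bad > 0)
        }'
}

# On a Solaris 8 host:  showrev -p | check_patches "$REQUIRED_SOLARIS8"
# Offline demonstration with the guide's sample output:
printf '%s\n' "$SAMPLE_SHOWREV" | check_patches "$REQUIRED_SOLARIS8" ||
    echo "One or more patches are below the listed revision."
```

Run against the guide's sample output, the script reports 108434 and 117350 as one revision below the table's values.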
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
IMPORTANT PORT INFORMATION
Every Sensor requires its own dedicated port. During installation, you must specify
which port number the Sensor will use to receive commands from the Console. The
Sensor can not share the same port with any other program. This does not mean each
Sensor requires a different port number on each separate host. For example, you can
use the same port number for each Sensor you install on each individual host machine
(e.g., port 20000). Or you can specify a different port number for each Sensor on each
host.
On the host where the Console is installed, Sensors listen on port 20080 (by default)
for commands from the Console. The next consecutive port number (i.e., 20081 if you
use the default) must be open in order for the Console to receive Alerts.
If you are installing the Sensor on the same host server where the Console is installed,
do not specify ports 20080 or 20081 (unless you’re certain these ports are available).
For more information on Console installation, see DbProtect suite management
components - installation steps.
Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the
Console (e.g., reconfiguration or status requests) unless you configure them differently
during installation.
Note:
No other machines should be permitted to connect to the Sensors.
IMPORTANT SERVER AND INSTANCE INFORMATION
• Each machine should have only one Sensor.
• One Sensor can monitor multiple Oracle SIDs on a single machine.
• You can monitor as many Oracle SIDs as your license allows; for more
information, see Chapter 4 - Licensing.
ORACLE WORD SIZE PREREQUISITE
You must install a host-based Sensor for Oracle corresponding to the word-size Oracle
uses, not the operating system. For example, if Oracle is 32-bit but the operating
system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for
host-based Sensor for Oracle installations, and it’s true for all Unix operating systems
on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).
FIREWALL CONSIDERATIONS
You must allow DbProtect traffic through firewalls.
The Console is accessible via HTTPS on port 20080. You can allow all machines, certain
machines, or no machines to have access from outside your firewall. In the latter case,
only machines inside the firewall can access DbProtect. This is completely at your
discretion, but for convenience Application Security, Inc. recommends you at least
allow users to connect from their desktop machines.
DbProtect has its own method of authentication and using a firewall is not required to
restrict access. The Message Collector component of DbProtect listens for HTTPS
traffic on port 20081 (unless you configure it differently during the Console installation)
which the Sensor uses to send Alerts to the Console. Application Security, Inc.
recommends you disallow all traffic to that port except from the Sensors.
Components of DbProtect communicate via Internet Protocol (IP) connections. To help
you configure your firewall properly, the table in Appendix D: Network Ports Used by
DbProtect lists each component and describes how they each use the network.
CREATING THE APPRADAR RUNTIME USER ACCOUNT AND
WORKING WITH ORACLE (ON SOLARIS) SGA SHARED
MEMORY PERMISSIONS
Creating the appradar Runtime User Account:
Application Security, Inc. strongly recommends you create a unique DbProtect user
called appradar, and use this account for host-based Sensor for Oracle installation.
While creating this user is not mandatory, it will ensure that other database
administrators can’t turn off your host-based Oracle Sensors.
The appradar user must belong to the primary group of the Oracle user. In many cases
oracle is the default Oracle user name, while the default group name is typically
either oracle or dba. The user (i.e., appradar) must be a member of the same dba
group as oracle on the host.
To determine your Oracle group name, enter the following command: id oracle. Your
Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle)
gid=503(dba)
Note:
To ensure proper permissioning, verify group ownership of the Oracle
process memory segments by executing ipcs -m. This command displays
current user and group memberships of the Oracle segment. Confirm the
appradar user has the same primary group as the group ownership of the
shared memory, and that this user is also in the dba group.
To create the runtime user account:
Step 1. Use an administrative account to create a runtime user account called appradar
(suggested name).
Step 2. Set the proper Oracle permissions for this user; see above.
Working with Oracle SGA Shared Memory Permissions:
The Oracle System Global Area (SGA) is a group of shared memory areas that are
dedicated to an Oracle instance. Oracle processes use SGA to store and communicate
information. Among other things, SGA allows processes (such as the host-based
Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute.
SGA properties are similar to those of a file, i.e., owner, group, and mode. The
permission to attach, read, and/or write depends on the SGA mode. The mode for
shared memory and a file both depend on the umask setting of the OS session that
creates the shared memory or file.
When you start an Oracle instance, Oracle creates SGA. The SGA mode depends on
the umask setting of the OS session which starts the Oracle instance. If the umask
setting of the OS session masks the bit "read for group", the SGA's modes will not
have permission for the group to read. Consequently, your host-based Sensor for
Oracle on any *nix platform -- which is in the same group as Oracle OS user -- can not
read information from the SGA. As a result, your host-based Sensor for Oracle on a
*nix platform will not fire Alerts.
Solution: Use the umask command to change the user mask of the session to make
sure the group read bit is not masked off. (An example of a correct setting is: umask
026.) You should place this command in the appropriate shell startup file for the Oracle
database user ID. After you change the umask value, restart Oracle. After Oracle starts
up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments
include group read, which grants other users in this group permission to read the
segment. This allows the appradar runtime user (who is part of the same group) to
read the SGA and monitor activity.
JAVA ORACLE PACKAGES (REQUIREMENT FOR MONITORING
DDL STATEMENTS)
If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE)
on an Oracle instance, you must install Oracle Java Packages. For more information,
see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.
SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER
REMOVALS/RE-ADDS) - ON SOLARIS
If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor
afterwards. Most DDL rules will not fire until this is done.
Host-based Sensor for Oracle (on AIX) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for Oracle (on AIX).
What you will find in this help topic:
• Supported Oracle versions
• Supported AIX versions
• Rights and privileges
• Oracle Java Packages requirement for monitoring DDL statements on an
Oracle instance
• Minimum AIX bos.rte fileset level
• Hardware
• Network connectivity
• Important port information
• Important server and instance information
• Oracle Word size prerequisite
• Creating the appradar Runtime User Account and working with Oracle (on AIX)
SGA shared memory permissions
• Sensor re-start requirement (for DDL trigger removals/re-adds) - on AIX.
SUPPORTED ORACLE VERSIONS
Oracle 9iR2, 10g, and 10gR2.
SUPPORTED AIX VERSIONS
AIX 5.2 Technology Level 5 and greater.
RIGHTS AND PRIVILEGES
Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX,
and Red Hat Enterprise Linux) require the following rights and privileges:
• To install the host-based Sensor for Oracle package, you must have
administrative (root) privileges on the host. If this is not possible, a tar
distribution of the host-based Sensor for Oracle is also available.
• To run the host-based Sensor for Oracle, you must use a user that is a member
of the same “dba” group as oracle on the host.
ORACLE JAVA PACKAGES REQUIREMENT FOR MONITORING
DDL STATEMENTS ON AN ORACLE INSTANCE
If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE)
on an Oracle instance, you must install Oracle Java Packages. For more information,
see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.
MINIMUM AIX BOS.RTE FILESET LEVEL
Host-based Sensors for Oracle installations on AIX require the bos.rte fileset to be at
(or above) maintenance level 5.2.0.50.
• Fileset: bos.rte ("Base Operating System Runtime")
• Maintenance Level: 5.2.0.50
• Date: January 2005
To determine your AIX patch level:
Step 1. Execute the following command:
lslpp -l bos.rte
Note: Any user can execute this command.
Result: The output displays your maintenance level for the bos.rte fileset; for
example:
Fileset Level State Description
-----------------------------------------------------------
Path: /usr/lib/objrepos
bos.rte 5.2.0.50 COMMITTED Base Operating System Runtime
Path: /etc/objrepos
bos.rte 5.2.0.50 COMMITTED Base Operating System Runtime
Step 2. Change the shmmax parameter to 3 in /etc/sysctl.conf on Red Hat Enterprise
Linux, and go to Step 2.
Or, if you do not want to reboot your Red Hat Enterprise Linux host server, you can
change the shmmax parameter to 3 in /proc/sys/kernel/shmmax, and go to
Step 3.
Step 3. Reboot your host server.
Step 4. Re-start Oracle.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
IMPORTANT PORT INFORMATION
Every Sensor requires its own dedicated port. During installation, you must specify
which port number the Sensor will use to receive commands from the Console. The
Sensor can not share the same port with any other program. This does not mean each
Sensor requires a different port number on each separate host. For example, you can
use the same port number for each Sensor you install on each individual host machine
(e.g., port 20000). Or you can specify a different port number for each Sensor on each
host.
On the host where the Console is installed, Sensors listen on port 20080 (by default)
for commands from the Console. The next consecutive port number (i.e., 20081 if you
use the default) must be open in order for the Console to receive Alerts.
If you are installing the Sensor on the same host server where the Console is installed,
do not specify ports 20080 or 20081 (unless you’re certain these ports are available).
For more information on Console installation, see DbProtect suite management
components - installation steps.
Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the
Console (e.g., reconfiguration or status requests) unless you configure them differently
during installation.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
Note:
No other machines should be permitted to connect to the Sensors.
IMPORTANT SERVER AND INSTANCE INFORMATION
• Each machine should have only one Sensor.
• One Sensor can monitor multiple Oracle SIDs on a single machine.
• You can monitor as many Oracle SIDs as your license allows; for more
information, see Chapter 4 - Licensing.
ORACLE WORD SIZE PREREQUISITE
You must install a host-based Sensor for Oracle corresponding to the word-size Oracle
uses, not the operating system. For example, if Oracle is 32-bit but the operating
system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for
host-based Sensor for Oracle installations, and it’s true for all Unix operating systems
on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).
CREATING THE APPRADAR RUNTIME USER ACCOUNT AND
WORKING WITH ORACLE (ON AIX) SGA SHARED MEMORY
PERMISSIONS
Creating the appradar Runtime User Account:
Application Security, Inc. strongly recommends you create a unique DbProtect user
called appradar, and use this account for host-based Sensor for Oracle installation.
While creating this user is not mandatory, it will ensure that other database
administrators can’t turn off your host-based Oracle Sensors.
The appradar user must belong to the primary group of the Oracle user. In many cases
oracle is the default Oracle user name, while the default group name is typically
either oracle or dba. The user (i.e., appradar) must be a member of the same dba
group as oracle on the host.
To determine your Oracle group name, enter the following command: id oracle. Your
Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle)
gid=503(dba)
Note:
To ensure proper permissioning, verify group ownership of the Oracle
process memory segments by executing ipcs -m. This command displays
current user and group memberships of the Oracle segment. Confirm the
appradar user has the same primary group as the group ownership of the
shared memory, and that this user is also in the dba group.
To create the runtime user account:
Step 1. Use an administrative account to create a runtime user account called appradar
(suggested name).
Step 2. Set the proper Oracle permissions for this user; see above.
Working with Oracle SGA Shared Memory Permissions:
The Oracle System Global Area (SGA) is a group of shared memory areas that are
dedicated to an Oracle instance. Oracle processes use SGA to store and communicate
information. Among other things, SGA allows processes (such as the host-based
Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute.
SGA properties are similar to those of a file, i.e., owner, group, and mode. The
permission to attach, read, and/or write depends on the SGA mode. The mode for
shared memory and a file both depend on the umask setting of the OS session that
creates the shared memory or file.
When you start an Oracle instance, Oracle creates SGA. The SGA mode depends on
the umask setting of the OS session which starts the Oracle instance. If the umask
setting of the OS session masks the bit "read for group", the SGA's modes will not
have permission for the group to read. Consequently, your host-based Sensor for
Oracle on any *nix platform -- which is in the same group as Oracle OS user -- can not
read information from the SGA. As a result, your host-based Sensor for Oracle on a
*nix platform will not fire Alerts.
Solution: Use the umask command to change the user mask of the session to make
sure the group read bit is not masked off. (An example of a correct setting is: umask
026.) You should place this command in the appropriate shell startup file for the Oracle
database user ID. After you change the umask value, restart Oracle. After Oracle starts
up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments
include group read, which grants other users in this group permission to read the
segment. This allows the appradar runtime user (who is part of the same group) to
read the SGA and monitor activity.
SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER
REMOVALS/RE-ADDS) - ON AIX
If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor
afterwards. Most DDL rules will not fire until this is done.
Host-based Sensor for Oracle (on HP-UX) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for Oracle (on HP-UX).
What you will find in this help topic:
• Supported Oracle versions
• Supported HP-UX versions
• Rights and privileges
• Oracle Java Packages requirement for monitoring DDL statements on an
Oracle instance
• Hardware
• Network connectivity
• Important port information
• Important server and instance information
• Oracle Word size prerequisite
• Shared memory maximum size requirement on your HP-UX host server (for
host-based Sensors prior to 3.3 only)
• Creating the appradar Runtime User Account and working with Oracle (on
HP-UX) SGA shared memory permissions
• Sensor re-start requirement (for DDL trigger removals/re-adds) - on HP-UX.
SUPPORTED ORACLE VERSIONS
Oracle 9iR2, 10g, and 10gR2.
SUPPORTED HP-UX VERSIONS
HP-UX 11i v1 or later on the PA-RISC processor and HP-UX 11i v2 or later on the
Itanium (IA64) processor.
RIGHTS AND PRIVILEGES
Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX,
and Red Hat Enterprise Linux) require the following rights and privileges:
• To install the host-based Sensor for Oracle package, you must have
administrative (root) privileges on the host. If this is not possible, a tar
distribution of the host-based Sensor for Oracle is also available.
• To run the host-based Sensor for Oracle, you must use a user that is a member
of the same “dba” group as oracle on the host.
ORACLE JAVA PACKAGES REQUIREMENT FOR MONITORING
DDL STATEMENTS ON AN ORACLE INSTANCE
If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE)
on an Oracle instance, you must install Oracle Java Packages. For more information,
see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
IMPORTANT PORT INFORMATION
Every Sensor requires its own dedicated port. During installation, you must specify
which port number the Sensor will use to receive commands from the Console. The
Sensor can not share the same port with any other program. This does not mean each
Sensor requires a different port number on each separate host. For example, you can
use the same port number for each Sensor you install on each individual host machine
(e.g., port 20000). Or you can specify a different port number for each Sensor on each
host.
On the host where the Console is installed, Sensors listen on port 20080 (by default)
for commands from the Console. The next consecutive port number (i.e., 20081 if you
use the default) must be open in order for the Console to receive Alerts.
If you are installing the Sensor on the same host server where the Console is installed,
do not specify ports 20080 or 20081 (unless you’re certain these ports are available).
For more information on Console installation, see DbProtect suite management
components - installation steps.
Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the
Console (e.g., reconfiguration or status requests) unless you configure them differently
during installation.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
Note:
No other machines should be permitted to connect to the Sensors.
IMPORTANT SERVER AND INSTANCE INFORMATION
• Each machine should have only one Sensor.
• One Sensor can monitor multiple Oracle SIDs on a single machine.
• You can monitor as many Oracle SIDs as your license allows; for more
information, see Chapter 4 - Licensing.
ORACLE WORD SIZE PREREQUISITE
You must install a host-based Sensor for Oracle corresponding to the word-size Oracle
uses, not the operating system. For example, if Oracle is 32-bit but the operating
system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for
host-based Sensor for Oracle installations, and it’s true for all Unix operating systems
on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).
SHARED MEMORY MAXIMUM SIZE REQUIREMENT ON YOUR
HP-UX HOST SERVER (FOR HOST-BASED SENSORS PRIOR TO
3.3 ONLY)
The host-based Sensor for Oracle (on an HP-UX host only, for host-based Sensors prior
to version 3.3 only) required Oracle's SGA to reside in a single shared memory
segment.
CREATING THE APPRADAR RUNTIME USER ACCOUNT AND
WORKING WITH ORACLE (ON HP-UX) SGA SHARED MEMORY
PERMISSIONS
Creating the appradar Runtime User Account:
Application Security, Inc. strongly recommends you create a unique DbProtect user
called appradar, and use this account for host-based Sensor for Oracle installation.
While creating this user is not mandatory, it will ensure that other database
administrators can’t turn off your host-based Oracle Sensors.
The appradar user must belong to the primary group of the Oracle user. In many cases
oracle is the default Oracle user name, while the default group name is typically
either oracle or dba. The user (i.e., appradar) must be a member of the same dba
group as oracle on the host.
To determine your Oracle group name, enter the following command: id oracle. Your
Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle)
gid=503(dba)
Note:
To ensure proper permissioning, verify group ownership of the Oracle
process memory segments by executing ipcs -m. This command displays
current user and group memberships of the Oracle segment. Confirm the
appradar user has the same primary group as the group ownership of the
shared memory, and that this user is also in the dba group.
To create the runtime user account:
Step 1. Use an administrative account to create a runtime user account called appradar
(suggested name).
Step 2. Set the proper Oracle permissions for this user; see above.
Working with Oracle SGA Shared Memory Permissions:
The Oracle System Global Area (SGA) is a group of shared memory areas that are
dedicated to an Oracle instance. Oracle processes use SGA to store and communicate
information. Among other things, SGA allows processes (such as the host-based
Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute.
SGA properties are similar to those of a file, i.e., owner, group, and mode. The
permission to attach, read, and/or write depends on the SGA mode. The mode for
shared memory and a file both depend on the umask setting of the OS session that
creates the shared memory or file.
When you start an Oracle instance, Oracle creates SGA. The SGA mode depends on
the umask setting of the OS session which starts the Oracle instance. If the umask
setting of the OS session masks the bit "read for group", the SGA's modes will not
have permission for the group to read. Consequently, your host-based Sensor for
Oracle on any *nix platform -- which is in the same group as Oracle OS user -- can not
read information from the SGA. As a result, your host-based Sensor for Oracle on a
*nix platform will not fire Alerts.
Solution: Use the umask command to change the user mask of the session to make
sure the group read bit is not masked off. (An example of a correct setting is: umask
026.) You should place this command in the appropriate shell startup file for the Oracle
database user ID. After you change the umask value, restart Oracle. After Oracle starts
up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments
include group read, which grants other users in this group permission to read the
segment. This allows the appradar runtime user (who is part of the same group) to
read the SGA and monitor activity.
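The umask and ipcs -m checks described in the SGA shared memory sections for Solaris, AIX and HP-UX, as an added example that is not part of the original guide. It assumes the ipcs -m column layout "T ID KEY MODE OWNER GROUP" with an 11-character symbolic MODE; the function names are hypothetical and the sample ipcs output is constructed.

```shell
#!/bin/sh
# Added example, not DbProtect code: verify that the Oracle SGA segments
# are group-readable so the appradar runtime user can read them.

# Constructed sample of "ipcs -m" output (not captured from a real host).
SAMPLE_IPCS='IPC status from <running system> as of Thu Feb  5 10:00:00 EST 2009
T         ID      KEY        MODE        OWNER    GROUP
Shared Memory:
m          0   0x50000333 --rw-r--r--     root     root
m       1025   0x0c6629c9 --rw-r-----   oracle      dba
m       1026   0x0c6629ca --rw-------   oracle      dba'

# umask_allows_group_read MASK
# Returns 0 when the octal umask leaves the group-read bit (040) unmasked,
# 1 when it masks it, 2 when MASK is not an octal number.
umask_allows_group_read() {
    case "$1" in
        ''|*[!0-7]*) echo "not an octal umask: $1" >&2; return 2 ;;
    esac
    [ $(( 0$1 & 040 )) -eq 0 ]
}

# sga_group_read_report OWNER GROUP   (reads "ipcs -m" output on stdin)
# For every shared memory segment owned by OWNER, prints:
#   OK id mode             group matches and group read is set
#   NO_GROUP_READ id mode  group read bit is missing
#   WRONG_GROUP id group   segment belongs to a different group
# Returns 0 if all segments are OK, 1 if any is not, 2 if none were found.
sga_group_read_report() {
    awk -v owner="$1" -v grp="$2" '
        $1 == "m" && $5 == owner {
            seen++
            # MODE: 2 status flags, then rwx for owner, group and other,
            # so the group-read flag is the 6th character.
            gread = substr($4, 6, 1)
            if ($6 != grp) {
                printf "WRONG_GROUP %s %s\n", $2, $6
                bad++
            } else if (gread != "r") {
                printf "NO_GROUP_READ %s %s\n", $2, $4
                bad++
            } else {
                printf "OK %s %s\n", $2, $4
            }
        }
        END {
            if (!seen) { print "NO_SEGMENTS " owner; exit 2 }
            exit (bad > 0)
        }'
}

# On a live host, as any user:
#   ipcs -m | sga_group_read_report oracle "$(id -gn appradar)"
# and, in the Oracle account's session:
#   umask_allows_group_read "$(umask)"
# Offline demonstration with the constructed sample:
umask_allows_group_read 026 && echo "umask 026 keeps group read"
printf '%s\n' "$SAMPLE_IPCS" | sga_group_read_report oracle dba ||
    echo "At least one Oracle segment is not readable by group dba."
```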
SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER
REMOVALS/RE-ADDS) - ON HP-UX
If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor
afterwards. Most DDL rules will not fire until this is done.
Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for Oracle (on Red Hat Enterprise Linux).
What you will find in this help topic:
• Supported Oracle versions
• Supported Red Hat Enterprise Linux versions
• Rights and privileges
• Oracle Java Packages requirement for monitoring DDL statements on an
Oracle instance
• Hardware
• Network connectivity
• Important port information
• Important server and instance information
• Oracle Word size prerequisite
• Creating the appradar Runtime User Account and working with Oracle (on Red
Hat Enterprise Linux) SGA shared memory permissions
• Sensor re-start requirement (for DDL trigger removals/re-adds) - on Red Hat
Enterprise Linux.
SUPPORTED ORACLE VERSIONS
Oracle 9iR2, 10g, and 10gR2.
SUPPORTED RED HAT ENTERPRISE LINUX VERSIONS
Red Hat Enterprise Linux 3, 4, and 5 (32-bit x86 and 64-bit x64).
RIGHTS AND PRIVILEGES
Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX,
and Red Hat Enterprise Linux) require the following rights and privileges:
• To install the host-based Sensor for Oracle package, you must have
administrative (root) privileges on the host. If this is not possible, a tar
distribution of the host-based Sensor for Oracle is also available.
• To run the host-based Sensor for Oracle, you must use a user that is a member
of the same “dba” group as oracle on the host.
ORACLE JAVA PACKAGES REQUIREMENT FOR MONITORING
DDL STATEMENTS ON AN ORACLE INSTANCE
If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE)
on an Oracle instance, you must install Oracle Java Packages. For more information,
see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required for communication with the Console and, optionally,
with SNMP and Syslog systems.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
IMPORTANT PORT INFORMATION
Every Sensor requires its own dedicated port. During installation, you must specify
which port number the Sensor will use to receive commands from the Console. The
Sensor cannot share the same port with any other program. This does not mean each
Sensor requires a different port number on each separate host. For example, you can
use the same port number for each Sensor you install on each individual host machine
(e.g., port 20000). Or you can specify a different port number for each Sensor on each
host.
On the host where the Console is installed, Sensors listen on port 20080 (by default)
for commands from the Console. The next consecutive port number (i.e., 20081 if you
use the default) must be open in order for the Console to receive Alerts.
If you are installing the Sensor on the same host server where the Console is installed,
do not specify ports 20080 or 20081 (unless you’re certain these ports are available).
For more information on Console installation, see DbProtect suite management
components - installation steps.
Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the
Console (e.g., reconfiguration or status requests) unless you configure them differently
during installation.
If you are installing a host-based Sensor on a *nix platform, you can, at any time,
specify a different port number in the sensor.xml and sensor_original.xml files; for
more information, see Appendix C: Modifying the Sensor Listener Port Number.
Note:
No other machines should be permitted to connect to the Sensors.
IMPORTANT SERVER AND INSTANCE INFORMATION
• Each machine should have only one Sensor.
• One Sensor can monitor multiple Oracle SIDs on a single machine.
• You can monitor as many Oracle SIDs as your license allows; for more
information, see Chapter 4 - Licensing.
ORACLE WORD SIZE PREREQUISITE
You must install a host-based Sensor for Oracle corresponding to the word-size Oracle
uses, not the operating system. For example, if Oracle is 32-bit but the operating
system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for
host-based Sensor for Oracle installations, and it’s true for all Unix operating systems
on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).
CREATING THE APPRADAR RUNTIME USER ACCOUNT AND WORKING WITH ORACLE (ON RED HAT ENTERPRISE LINUX) SGA SHARED MEMORY PERMISSIONS
Creating the appradar Runtime User Account:
Application Security, Inc. strongly recommends you create a unique DbProtect user
called appradar, and use this account for host-based Sensor for Oracle installation.
While creating this user is not mandatory, it will ensure that other database
administrators can’t turn off your host-based Oracle Sensors.
The appradar user must belong to the primary group of the Oracle user. In many cases
oracle is the default Oracle user name, while the default group name is typically
either oracle or dba. The user (i.e., appradar) must be a member of the same dba
group as oracle on the host.
To determine your Oracle group name, enter the following command: id oracle. Your
Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle) gid=503(dba).
Note:
To ensure proper permissioning, verify group ownership of the Oracle
process memory segments by executing ipcs -m. This command displays
current user and group memberships of the Oracle segment. Confirm the
appradar user has the same primary group as the group ownership of the
shared memory, and that this user is also in the dba group.
To create the runtime user account:
Step  Action
1     Use an administrative account to create a runtime user account called appradar (suggested name).
2     Set the proper Oracle permissions for this user; see above.
Working with Oracle SGA Shared Memory Permissions:
The Oracle System Global Area (SGA) is a group of shared memory areas that are
dedicated to an Oracle instance. Oracle processes use SGA to store and communicate
information. Among other things, SGA allows processes (such as the host-based
Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute.
SGA properties are similar to those of a file, i.e., owner, group, and mode. The
permission to attach, read, and/or write depends on the SGA mode. The mode for
shared memory and a file both depend on the umask setting of the OS session that
creates the shared memory or file.
When you start an Oracle instance, Oracle creates the SGA. The SGA mode depends on
the umask setting of the OS session that starts the Oracle instance. If the umask
setting of the OS session masks the "read for group" bit, the SGA's mode will not
give the group permission to read. Consequently, your host-based Sensor for
Oracle on any *nix platform -- which is in the same group as the Oracle OS user -- cannot
read information from the SGA. As a result, your host-based Sensor for Oracle on a
*nix platform will not fire Alerts.
Solution: Use the umask command to change the user mask of the session to make
sure the group read bit is not masked off. (An example of a correct setting is: umask
026.) You should place this command in the appropriate shell startup file for the Oracle
database user ID. After you change the umask value, restart Oracle. After Oracle starts
up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments
include group read, which grants other users in this group permission to read the
segment. This allows the appradar runtime user (who is part of the same group) to
read the SGA and monitor activity.
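The checks described above (the id oracle lookup, the umask setting, and the ipcs verification of the SGA segments), as an added example that is not part of the original guide and is not Application Security, Inc. code. It assumes the Linux util-linux ipcs, whose -c option adds the owning group to the -m listing; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that Oracle SGA segments are group-readable, so a
# runtime user in the Oracle group (e.g. appradar) can read them.
# All function names below are hypothetical helpers, not DbProtect tooling.

# Succeeds (exit 0) when the given umask leaves the group-read bit (040) unmasked.
umask_keeps_group_read() {
    [ $(( 0$1 & 040 )) -eq 0 ]
}

# Extract the primary group name from `id <user>` output,
# e.g. "uid=1001(oracle) gid=503(dba)" -> "dba".
primary_group_from_id() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Read `ipcs -m -c` output on stdin (assumed util-linux column layout:
# shmid perms cuid cgid uid gid) and print one line per segment owned by
# user $1 that members of group $2 cannot read.
sga_group_read_problems() {
    awk -v owner="$1" -v group="$2" '
        $1 ~ /^[0-9]+$/ && NF >= 6 && $5 == owner {
            gdigit = substr($2, length($2) - 1, 1) + 0   # group digit of the octal mode
            if ($6 != group)      print $1, $2, "wrong-group:" $6
            else if (gdigit < 4)  print $1, $2, "no-group-read"
        }'
}

# Constructed sample of `ipcs -m -c` output; not captured from a real host.
sample_ipcs() {
    cat <<'EOF'

------ Shared Memory Segment Creators/Owners --------
shmid      perms      cuid       cgid       uid        gid
32768      640        oracle     dba        oracle     dba
65537      600        oracle     dba        oracle     dba
98306      660        oracle     oinstall   oracle     oinstall
131075     600        root       root       root       root
EOF
}

# Demo on the constructed data. On a live host the equivalent call would be:
#   ipcs -m -c | sga_group_read_problems oracle "$(id -gn appradar)"
oracle_group=$(primary_group_from_id "uid=1001(oracle) gid=503(dba)")
for mask in 026 027 077; do
    if umask_keeps_group_read "$mask"; then
        echo "umask $mask: group read kept"
    else
        echo "umask $mask: group read masked, Sensor cannot read the SGA"
    fi
done
sample_ipcs | sga_group_read_problems oracle "$oracle_group"
```

An empty result from sga_group_read_problems means every segment owned by the Oracle user is readable by the expected group; any line printed identifies a segment to recheck after correcting the umask and restarting Oracle.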
SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER REMOVALS/RE-ADDS) - ON RED HAT ENTERPRISE LINUX
If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor
afterwards. Most DDL rules will not fire until this is done.
Host-based Sensor for Oracle (on Windows) - minimum system requirements
This help topic provides detailed minimum system requirements for the host-based
Sensor for Oracle (on Windows).
What you will find in this help topic:
• Supported Oracle versions
• Supported Windows versions
• Hardware
• Network connectivity.
SUPPORTED ORACLE VERSIONS
Oracle 9iR2, 10g, and 10gR2.
SUPPORTED WINDOWS VERSIONS
• Windows 2000 Server (including Advanced Server), 32-bit
• Windows Server 2003 (including Enterprise Edition), 32-bit.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
Network connectivity is required in order for the Sensor to communicate with the
Console and, optionally, with SNMP and Syslog systems.
Network-based Sensor for Sybase - minimum system requirements
This help topic provides detailed minimum system requirements for the network-based Sensor for Sybase.
What you will find in this help topic:
• Supported Sybase versions
• Supported Windows versions
• Rights and privileges
• Hardware
• Network connectivity.
SUPPORTED SYBASE VERSIONS
Sybase 11.x-15.
SUPPORTED WINDOWS VERSIONS
• Windows 2000 Server (including Advanced Server), 32-bit only (64-bit not
currently supported)
• Windows Server 2003 (including Enterprise Edition), 32-bit only (64-bit not
currently supported).
Note:
The network-based Sensor only runs on the Windows OS, but the
databases it monitors do not need to be running on Windows.
RIGHTS AND PRIVILEGES
• To install the network-based Sensor, you must have administrative privileges on
Windows.
• To run the network-based Sensor, you must have administrative and “run as a
service” privileges on Windows.
• To create a custom Filter for Sybase, you require read access to the following
tables: master..sysdatabases and the sysobjects, sysusers, and
syscolumns tables in the target databases being audited.
For more information on Filters, see the DbProtect Administrator’s Guide and the
DbProtect User’s Guide.
HARDWARE
• Dedicated hardware recommendation. Application Security, Inc. recommends
you install the network-based Sensor on dedicated hardware, because it
improves performance and it’s easier to support. However, you can install the
network-based Sensor and the Console on the same machine.
Note:
Generally, to facilitate the networking requirements listed below, your
network administrator will install the network-based Sensor on a machine
in the same data center as the database(s) it will be monitoring.
• RAM. At least 512 MB. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
NETWORK CONNECTIVITY
• Network connectivity is required for communication with the Console and,
optionally, with SNMP and Syslog systems.
• During installation you must enter a port where the Sensor listens for
commands from the Console (default port 20000).
• The Sensor machine must be on the same Local Area Network (LAN) as the
database machine(s) that it is monitoring, or otherwise have access to network
traffic going to/coming from each database machine being monitored. You can
accomplish this using a variety of methods, including a Switched Port Analyzer
(SPAN) port on a Cisco switch, a mirror port, Network Tap, a Data Aggregator
device, or re-direction using VLANs.
• Two network interface cards (NICs) are required, i.e., one for communication
from the network-based Sensor to the Console, and one to capture database
traffic.
• The network environment must be standard Ethernet (10MB, 100MB, or 1GB - whatever standard Ethernet card the machine supports). Older drivers may not
work. Other environments currently not supported: ATM, Token Ring, FDDI.
Note:
Application Security, Inc. recommends you use two network interface
cards: one for “listening” to database traffic, and one to communicate
with the Console, if data volume is high.
Network-based Sensor for Oracle - minimum system requirements
This help topic provides detailed minimum system requirements for the network-based Sensor for Oracle.
What you will find in this help topic:
• Supported Oracle versions
• Supported Windows versions
• Rights and privileges
• Hardware
• Network connectivity.
SUPPORTED ORACLE VERSIONS
Oracle 7.x; Oracle 8, 8i, 9i, 9iR2, 10g, 10gR2.
SUPPORTED WINDOWS VERSIONS
• Windows 2000 Server (including Advanced Server), 32-bit only (64-bit not
currently supported)
• Windows Server 2003 (including Enterprise Edition), 32-bit only (64-bit not
currently supported).
Note:
The network-based Sensor only runs on the Windows OS, but the
databases it monitors do not need to be running on Windows.
RIGHTS AND PRIVILEGES
• To install the network-based Sensor, you must have administrative privileges on
Windows.
• To run the network-based Sensor, you must have administrative and “run as a
service” privileges on Windows.
• To create a custom Filter for Oracle, you must have the following privileges:
all_users, all_tables, all_tab_columns, and all_objects.
For more information on Filters, see the DbProtect Administrator’s Guide and the
DbProtect User’s Guide.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
• Dedicated hardware recommendation. Application Security, Inc. recommends
you install the network-based Sensor on dedicated hardware, because it
improves performance and it’s easier to support. However, you can install the
network-based Sensor and the Console on the same machine.
Note:
Generally, to facilitate the networking requirements listed below, your
network administrator will install the network-based Sensor on a machine
in the same data center as the database(s) it will be monitoring.
NETWORK CONNECTIVITY
• Network connectivity is required for communication with the Console and,
optionally, with SNMP and Syslog systems.
• During installation you must enter a port where the Sensor listens for
commands from the Console (default port 20000).
• The Sensor machine must be on the same Local Area Network (LAN) as the
database machine(s) that it is monitoring, or otherwise have access to network
traffic going to/coming from each database machine being monitored. You can
accomplish this using a variety of methods, including a Switched Port Analyzer
(SPAN) port on a Cisco switch, a mirror port, Network Tap, a Data Aggregator
device, or re-direction using VLANs.
• Two network interface cards (NICs) are required, i.e., one for communication
from the network-based Sensor to the Console, and one to capture database
traffic.
• The network environment must be standard Ethernet (10MB, 100MB, or 1GB - whatever standard Ethernet card the machine supports). Older drivers may not
work. Other environments currently not supported: ATM, Token Ring, FDDI.
Note:
Application Security, Inc. recommends you use two network interface
cards: one for “listening” to database traffic, and one to communicate
with the Console, if data volume is high.
Network-based Sensor for DB2 - minimum system requirements
This help topic provides detailed minimum system requirements for the network-based Sensor for DB2.
What you will find in this help topic:
• Supported DB2 versions
• Supported Windows versions
• Rights and privileges
• Hardware
• Network connectivity.
SUPPORTED DB2 VERSIONS
DB2 UDB versions 8 and 9; DB2 for zSeries v8, v7 (DRDA) (TCP/IP).
SUPPORTED WINDOWS VERSIONS
• Windows 2000 Server (including Advanced Server), 32-bit only (64-bit not
currently supported)
• Windows Server 2003 (including Enterprise Edition), 32-bit only (64-bit not
currently supported).
Note:
The network-based Sensor only runs on the Windows OS, but the
databases it monitors do not need to be running on Windows.
RIGHTS AND PRIVILEGES
• To install the network-based Sensor, you must have administrative privileges on
Windows.
• To run the network-based Sensor, you must have administrative and “run as a
service” privileges on Windows.
• To create a custom Filter for DB2, you must install the appropriate DB2
administrative client drivers (for more information, see Appendix G: DB2
Administrative Client Driver Installation), and configure it to recognize the
monitored database (either through Discovery or reference). Creating a custom
Filter for DB2 also requires access to read the following tables:
- sysibm.systables
- sysibm.syscolumns
- sysibm.sysroutines
For more information on Filters, see the DbProtect Administrator’s Guide and the
DbProtect User’s Guide.
HARDWARE
• RAM. 2GB, or at least 512 MB in addition to operating system and database
memory requirements. Application Security, Inc. recommends adding more
memory if your data volume is high.
• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is
required if you configure the Sensor to log to a local file.
• Dedicated hardware recommendation. Application Security, Inc. recommends
you install the network-based Sensor on dedicated hardware, because it
improves performance and it’s easier to support. However, you can install the
network-based Sensor and the Console on the same machine.
Note:
Generally, to facilitate the networking requirements listed below, your
network administrator will install the network-based Sensor on a machine
in the same data center as the database(s) it will be monitoring.
NETWORK CONNECTIVITY
• Network connectivity is required for communication with the Console and,
optionally, with SNMP and Syslog systems.
• During installation you must enter a port where the Sensor listens for
commands from the Console (default port 20000).
• The Sensor machine must be on the same Local Area Network (LAN) as the
database machine(s) that it is monitoring, or otherwise have access to network
traffic going to/coming from each database machine being monitored. You can
accomplish this using a variety of methods, including a Switched Port Analyzer
(SPAN) port on a Cisco switch, a mirror port, Network Tap, a Data Aggregator
device, or re-direction using VLANs.
• Two network interface cards (NICs) are required, i.e., one for communication
from the network-based Sensor to the Console, and one to capture database
traffic.
• The network environment must be standard Ethernet (10MB, 100MB, or 1GB - whatever standard Ethernet card the machine supports). Older drivers may not
work. Other environments currently not supported: ATM, Token Ring, FDDI.
Note:
Application Security, Inc. recommends you use two network interface
cards: one for “listening” to database traffic, and one to communicate
with the Console, if data volume is high.
Scan Engines - Minimum System Requirements
DbProtect’s network-based, vulnerability assessment Scan Engines discover database
applications within your infrastructure and assess their security strength. Backed by a
proven security methodology and extensive knowledge of application-level
vulnerabilities, DbProtect locates, examines, reports, and fixes security holes and
misconfigurations. Scan Engines scan your databases for vulnerabilities, and allow you
to perform Penetration (Pen) Tests and Audits against them.
Target databases (on Windows) include:
• Oracle
• Oracle Application Server
• SQL Server
• Lotus Notes/Domino
• Sybase
• DB2
• DB2 on the Mainframe
• MySQL.
What you will find in this section:
• Supported versions of target databases
• Supported Windows versions (on your Scan Engine host server)
• Rights and privileges
• Hardware
• Operating system
• Network connectivity
• Lotus/Domino requirements
• Sybase requirements
• DB2 requirements
• Required third-party software.
Supported versions of target databases
The following table lists the databases that are licensable and scannable by the Scan
Engines, and the supported version(s) of each database type.
Target database: Supported versions
ORACLE DATABASE SERVERS: Oracle 11g, Oracle 10g, Oracle9i, Oracle8i, Oracle8, and Oracle7.
Note: Audit does not work for Oracle versions prior to 8.1.7.4, because the client drivers are now shipped with the Scan Engine.
ORACLE APPLICATION SERVERS: Oracle Application Server 9i, 9i Release 2.
SQL SERVER: SQL Server Versions 6.x, 7.0; SQL Server 2000 and 2005 Express Edition; MSDE 1.0, 2000.
LOTUS NOTES/DOMINO: Lotus Notes/Domino v4.5 through 7.0.
Note: DbProtect AppDetective performs Audits (but not Penetration Tests) against Domino Groupware (Notes). DbProtect AppDetective performs Penetration Tests (but not Audits) against Domino Web.
SYBASE DATABASE SERVERS: Sybase 11.0, 11.5, 11.9.2, 12.0, 12.5, 15.
DB2 UDB (LUW): DB2 Version 8.2, DB2 Version 8.1, DB2 Version 7.2, DB2 Version 7.1, DB2 Version 6.1.
Note: For DB2 Version 7, DbProtect only supports a 32-bit instance for Penetration Test and Audits.
DB2 Z SERIES: DB2 Version 7 (z/OS and OS/390) and 8 (z/OS).
Note: Additional requirement: DB2 Connect installed.
MYSQL SERVERS: MySQL 3.20, 3.21, 3.22, 3.23, 3.20, 4.0, 4.1, 5.0.
Supported Windows versions (on your Scan Engine host server)
Windows 2000 Professional Service Pack (SP) 4, Windows XP Professional SP 1,
Windows 2003 Server SP 2 or greater, Windows 2000 Advanced Server SP 4, MDAC 2.8
SP1.
Rights and privileges
Required rights and privileges follow:
• To install a Scan Engine, you must have administrative privileges on Windows.
• Since the Scan Engine installs and runs as a service, the service account must
have the “logon as a service” privilege enabled.
• The minimum privileges required on the Data Repository are the database roles
(db_datawriter and db_datareader) and server role (dbcreator).
Note:
Contact Application Security, Inc. Support at support@appsecinc.com if
you plan to install Scan Engines across multiple Active Directory Domains.
• In order to run DbProtect with a Scan Engine installed, you must have the
permission Full Control on the following items:
- The directory where you installed DbProtect.
- The SYSTEM32 directory.
- The registry key HKEY_LOCAL_MACHINE\SOFTWARE\ASI and all subkeys underneath.
- The registry key HKEY_LOCAL_MACHINE\SOFTWARE\ODBC and all subkeys underneath.
• If you plan to run DbProtect on Windows 2000, the operating system account
that DbProtect runs under must have the “act as part of the operating system”
privilege enabled.
Hardware
• RAM. 512 MB recommended, in addition to operating system memory
requirements.
• Hard drive space. 80 MB of free disk space with additional space required to
store vulnerability information.
• Processor. 750 MHz or larger.
Operating system
Windows 2000 Professional Service Pack (SP) 4, Windows XP Professional SP 1,
Windows 2003 Server, Windows 2000 Advanced Server SP 4, MDAC 2.8 SP 1.
Network connectivity
Network connection to scanned application and to the Console.
Lotus/Domino requirements
In order to run Lotus Domino features, you must have the Lotus Notes Client installed
on your system. DbProtect requires a valid .id file and password to function properly.
If you are already a Lotus Notes user, you do not need to reload your Lotus Notes
client. For more information, see Lotus Notes client driver installation.
Note:
DbProtect does not perform Audits on Lotus Notes/Domino applications.
Sybase requirements
To run an Audit on a Sybase SQL Server/Adaptive Server Enterprise application, your
workstation requires the appropriate client drivers installed. For more information, see
Sybase client driver installation.
You must have Full Control on the registry key: HKEY_LOCAL_MACHINE\SYBASE\Setup.
If you are using ODBC driver versions earlier than 3.7, you must also have read/write
permissions on the following local system file on the client machine:
${SYBASE_ROOT}\ini\sql.ini.
DB2 requirements
To run an Audit on DB2, your workstation requires the appropriate client drivers
installed. For more information, see Appendix G: DB2 Administrative Client Driver
Installation.
Required third-party software
You must have SQL Server 2000 or SQL Server 2005 installed in an accessible location
on the network. This is the Data Repository for the Console, which the Sensor and
Scan Engines components must access. For more information, see Conceptual
diagram and Data Repository.
Chapter 4 - Licensing
This chapter explains DbProtect licensing.
What you will find in this chapter:
• DbProtect licensing overview
• How are licenses consumed?
• The mechanics of DbProtect licensing
• Viewing your “node locked” Scan Engine licensing information.
DbProtect licensing overview
DbProtect licensing is enforced and controlled by information obtained from an
Application Security, Inc.-provided set of license files.
If a license is not installed, you will not be able to log into DbProtect. If you have
subscribed to software updates, the license file also determines when the DbProtect
maintenance subscription is scheduled to expire.
DbProtect license files are “node locked”. In order to receive a license for your
product implementation, you will need to provide some specific details about your
server(s) to Application Security, Inc.
How are licenses consumed?
Each database/application on your network requires a license to be Penetration
Tested or Audited (by a Scan Engine) or monitored (by a Sensor). Discovery results are
not metered.
• Vulnerability Assessment license consumption. When you run a test against a
database/application for the first time, one license of the appropriate type (i.e.,
Penetration Test or Audit) is consumed from the available set of licenses for that
particular database/application type. The consumed license is then “node
locked” to the IP address of the Penetration Tested or Audited database/
application. You can re-test these applications any time without consuming
another license. For more information on viewing your number of available
licenses, see Viewing your “node locked” Scan Engine licensing information.
• Activity Monitoring license consumption. When you enumerate a database
asset to monitor with the appropriate type of Sensor, the Sensor registration
process is what consumes a Sensor license. The license remains “node locked”
for a given database as long as it is registered via the Sensor Manager in the
DbProtect AppRadar Console (for more information, see Registering a Sensor
in the DbProtect User’s Guide).
The mechanics of DbProtect licensing
To use DbProtect, you must install at least two license files, i.e., one for DbProtect, and
one for each registered/installed Scan Engine.
What you will find in this help topic:
• What you will need
• Licensing artifacts
• Deploying your license files
• Viewing your “node locked” Scan Engine licensing information.
WHAT YOU WILL NEED
Contact Application Security, Inc. Customer Support (support@appsecinc.com) and
provide the following information:
• For each host where a Console and a Scan Engine is installed, provide
Application Security, Inc. Customer Support with the VolumeID, and specify the
number of Penetration Test and Audit licenses you require for each database
type.
Note:
To obtain the VolumeID, run asiidentify.exe at the command line. By
default, asiidentify.exe is usually located in the following folder:
C:\<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\bin
• Application Security, Inc. Customer Support or your sales representative will
email your license files and installation instructions.
LICENSING ARTIFACTS
Application Security, Inc. Customer Support will email you a set of license files
(ADnnnnnnnnn.lic and ARnnnnnnnnn.lic).
You must copy the:
• ADnnnnnnnnn.lic and ARnnnnnnnnn.lic license files on your DbProtect host, so you can monitor database activity and assess database vulnerabilities via the Console
• ADnnnnnnnnn.lic on each host running a Scan Engine (to activate vulnerability assessment).
The following sub-topic (Deploying your license files) explains specifically where you
should deploy your license (.lic) files.
DEPLOYING YOUR LICENSE FILES
The following table explains specifically where you should deploy your license (.lic)
files.
On your DbProtect host:
Install each ADnnnnnnnnn.lic file in the following folders:
• c:\<DbProtect Installation Folder>\AppSecInc\AppDetective\licenses
• c:\<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\licenses
Install each ARnnnnnnnnn.lic file in the following folder:
c:\<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\licenses
On each Scan Engine host:
Install each ADnnnnnnnnn.lic file in the following folders:
• c:\<DbProtect Installation Folder>\AppSecInc\AppDetective\licenses
• c:\<DbProtect Installation Folder>\AppSecInc\licenses
If you are adding or changing any licenses, then you must manually restart the
following services (as applicable to the host):
• DbProtect Console
• DbProtect Scan Engine.
Viewing your “node locked” Scan Engine licensing information
On any Scan Engine host, you can open the License Viewer. It shows where your Scan
Engine license file is located, how many licenses you have, how many Penetration Test
and Audit licenses you’ve used (and on which platforms), etc.
To view your Scan Engine licensing info:
Step  Action
1     Choose Start > Programs > AppSecInc > AppDetective ScanEngine > LicenseViewer.exe.
      Result: The License Viewer displays.
2     The License Viewer provides:
      • the license file location in the License File: field (stored by default in the c:\<DbProtect Installation Folder>\AppSecInc\Adscanengine\adse\licenses folder)
      • your basic license file information, including:
        - Customer Name
        - License Type
        - Product Version
        - Expiration Date
        - ASAP Expiration
        - Machine ID#
3     The AppDetective - Licensing Info dialog box allows you to:
      • view how many licenses you purchased (see the Licenses Purchased: field, which is below the Penetration Tests and Security Audits tabs)
      • click the Penetration Tests and Security Audits tabs, respectively, to see how many Penetration Test and Audit licenses you’ve used to-date
      • use the Application Type: drop-down to filter your used license data by platform (e.g., Oracle, My SQL, Sybase, Web Applications, etc.).
      You can also click the:
      • Get Machine ID # button to display the AppDetective - Machine ID Number pop up, which displays your machine ID
        Hint: Click the Copy to clipboard button to copy your machine ID to your computer’s clipboard, whereupon you can paste the number into a field, document, etc.
      • Select License File button to display an Open dialog box, which allows you to open your .lic file.
Chapter 5 - Installing the DbProtect Components and Logging Into the Console
This chapter explains how to install the following DbProtect components: the Console,
the Sensors, and the Scan Engines. It also explains how to log into the Console for the
first time.
Note:
First make sure you have carefully read the minimum system requirements
for the DbProtect components. For more information, see Chapter 3 - Minimum System Requirements.
What you will find in this chapter:
• Installing the DbProtect Suite Management Components
• Installing and Starting/Stopping the Sensors
• Installing Scan Engines
• Logging Into the Console.
Installing the DbProtect Suite Management Components
The DbProtect suite is comprised of a management bundle, which consists of the
following components: Console, Message Collector, and the Database Component. In
addition, the suite employs data collection agents: a Scan Engine (for vulnerability
assessment), and Sensors (for activity monitoring).
The DbProtect management bundle is deployed as one distribution, which detects/
installs prerequisites, and installs the Console, Message Collector component, and the
Database Component.
Note:
First make sure you have carefully read the minimum system requirements
for the Console and Data Repository. For more information, see Console - Minimum System Requirements.
What you will find in this section:
• Installing files to a drive other than the default C drive
• MSDE lockdown scripts “behind the scenes”
• Post-upgrade recommendation: clear your Java cache
• DbProtect suite management components - installation steps.
Installing files to a drive other than the default C drive
DbProtect places the ASAP Updater and the license files into a common area: the
Windows Program Files directory default (C:\Program Files). If you want to install
these files on a different drive, refer to http://support.microsoft.com/kb/933700,
which has instructions on (and warnings about) changing the default Program Files
location.
MSDE lockdown scripts “behind the scenes”
If you want to know what the MSDE lockdown scripts are doing “behind the scenes”
during the installation of the Console, see Appendix B: What Are the MSDE Lockdown
Scripts Doing During the Installation of DbProtect?
Post-upgrade recommendation: clear your Java cache
Application Security, Inc. recommends you clear your Java cache after an upgrade.
The Java cache does not get automatically cleared following a reboot. For more
information, see Appendix Q: Clearing Your Java Cache.
DbProtect suite management components - installation steps
This topic explains how to install the DbProtect suite management components (i.e.,
Console, Message Collector, and Database Component). All components are
deployed as one distribution.
To install the DbProtect management suite:
Step
Action
1
Locate the DbProtect setup file on the Application Security, Inc.-provided CD, or
download it from the Application Security, Inc. FTP site. If downloading, save the file
to a convenient location (e.g., c:\temp).
2
The installer detects/installs prerequisites.
• Double-click the DbProtect executable (.exe) file to begin installing the DbProtect
prerequisites and components.
The first screen of the DbProtect installer checks your host machine for
prerequisites and components, and displays which (if any) missing prerequisites
and components it will install for you. For more information, see Console - Minimum System Requirements.
FIGURE: DbProtect installer
• Click the Install button to begin the installation of the prerequisites (if any are
listed), and the components in the order in which they are displayed.
3
FIGURE: Progress screen (installing Microsoft .NET Framework 2.0 prerequisite)
• The installation begins. The DbProtect installer installs any missing prerequisites
and components detected in Step 2.
Note: Depending on which prerequisites and components are missing, this part of the
installation could take some time (for example, if your host server is missing
Microsoft .NET Framework 2.0 SP1 (x86)).
• Next, the Database Component Setup Wizard welcome screen displays.
4
The Database Component Setup welcome screen is shown below.
FIGURE: Database Component Setup (welcome screen)
• Click the Next button to display the End-User License Agreement screen.
5
The End-User License Agreement screen is shown below.
FIGURE: Database Component Setup (End-User License Agreement screen)
• Read the License Agreement. If you accept the terms of the License Agreement,
check I accept the terms of the license agreement to illuminate the Next button.
• Click the Next button to display the Destination Folder screen.
6
The Destination Folder screen is shown below.
FIGURE: Database Component Setup (Destination Folder screen)
• By default, the DbProtect installer installs the Database Component in the
\Database sub-folder located under C:\Program Files\AppSecInc. You
can click the Change... button to specify a different installation path for the
Database Component.
• Click the Next button to display the Database Component Repository screen.
7
The Database Component Repository screen is shown below.
FIGURE: Database Component Setup (Database Component Repository screen)
• The DbProtect suite requires a Microsoft SQL Server data repository. This
screen allows you to specify the location of the Microsoft SQL Server instance,
which can be local or remote. You can use the Database Instance drop-down to
select an available instance for the Database Component Repository. Or you can
manually enter an instance name (in the editable Database Instance drop-down
field) using the syntax hostname\instance (e.g., myserver\myinstance)
or hostname:port (e.g., myserver:1883).
Note: If you enter hostname:port, you do not need to have the SQL Server
browser service turned on; for more information, see Additional Console
assumptions, prerequisites, and recommendations.
You can manually change the connection string by modifying the following XML
files: appradar.xml, appdetective.xml, messagecollector.xml, and
appradarsoap.xml. For more information, see Appendix G: Moving or
Changing Your DbProtect Back-End Database in the DbProtect Administrator’s
Guide.
If you select an instance name and the SQL Server browser service is down at the
time of installation, an error message displays informing you the installer was
unable to establish a connection to the specified instance. However, if you select
an instance name and SQL Server browser service is up at the time of installation
-- but then is subsequently turned off -- DbProtect will not be able to function
until you turn the SQL Server browser service back on, or change the connection
string to a valid port number instead of an instance name.
Hint: You can also click the Browse... button to locate a different instance on your
network. The Select Computer pop-up displays, allowing you to search for a
database host.
Click the Next button to display the Database Installation Credentials screen.
8
The Database Installation Credentials screen is shown below (with the default
Windows Authentication database authentication type selected).
FIGURE: Database Component Setup (Database Installation Credentials screen - default Windows Authentication database authentication type selected)
The Database User Credentials screen allows you to select the authentication type
to use to connect to the database. DbProtect will use this user to create/modify
tables, views, and other objects in the database.
Note: The DbProtect installer automatically creates the database.
Select one of the following authentication types for the database user:
• Windows Authentication (default), and go to Step 9
• SQL Authentication, and go to Step 10.
Note: If you're not sure which authentication type to select, see your database
administrator.
9
If you selected the default Windows Authentication database authentication type in
Step 8, the Database Installation Credentials screen looks like this:
FIGURE: Database Component Setup (Database Installation Credentials screen - default Windows Authentication database authentication type selected)
• The default Windows Authentication (a/k/a <domain\user>) database
authentication type uses the Windows credentials from the account with which
you are currently logged in (for fresh installations).
• You must click the Test Connection button to test the database user credentials.
If the connection is successful, a green checkmark icon displays, and the Next
button is illuminated.
• You can click either one of the following buttons:
- Modify Database Properties button to display the Database Properties
dialog box, which allows you to modify your database data file and log
file location. Go to Step 11.
- Next button to display the Ready to Install Database Component screen
and go to Step 12.
Note: These credentials are used only for first-time installations in order to create
the database. When you upgrade, the DbProtect installer will attempt to use
Windows Authentication (if possible). If Windows Authentication fails, this
screen displays during the upgrade.
10
If you selected the SQL Authentication database authentication type in Step 8,
the Database Installation Credentials screen looks like this:
FIGURE: Database Component Setup (Database Installation Credentials screen - SQL Authentication database authentication type selected)
Important: Make sure you have enabled SQL authentication on the database.
• Enter a valid Login: and Password: combination.
• You must click the Test Connection button to test the database user credentials.
If the connection is successful, a green checkmark icon displays, and the Next
button is illuminated.
Hint: You can check the Remember the database credentials for upgrades
checkbox (unchecked by default) if you want to store this SQL authentication
login/password combination to use when you upgrade to a newer version of
DbProtect in the future. This checkbox only displays if you select the SQL
Authentication database authentication type.
• You can click either one of the following buttons:
- Modify Database Properties button to display the Database Properties
dialog box, which allows you to modify your database data file and log
file location. Go to Step 11.
- Next button to display the Ready to Install Database Component screen
and go to Step 12.
Note: DbProtect does not store the credentials provided in this step unless you
check the Remember the database credentials for upgrades checkbox. These
credentials are used only for first-time installations in order to create the
database.
11
If you click the Modify Database Properties button in Step 9 or Step 10, the
Database Properties dialog box displays, which allows you to modify your database
data file and log file location.
FIGURE: Database Component Setup Wizard (Database Properties screen)
Important: This is an advanced option, and if you have no reason to force locations,
Application Security, Inc. recommends you leave these fields blank.
Do the following:
• Specify the:
- Database data file path
- Database log file path.
Hint: You can click the Recommend Path button to have the Database Component
Setup Wizard populate the fields automatically.
• Click the:
- OK button to apply any changes you made to the database data file and/
or log file locations.
- Cancel button to cancel any changes.
• Go back to the Database Installation Credentials screen displayed in Step 9 (if
you selected Windows Authentication in Step 8), or the Database Installation
Credentials screen displayed in Step 10 (if you selected SQL Authentication in
Step 8).
12
The Ready to install Database Component screen is shown below.
FIGURE: Database Component Setup Wizard (Ready to install Database Component screen)
Do the following:
• Click the Install button to install the database component.
FIGURE: Database Component Setup Wizard (Installing Database Component screen)
When the installation is complete, the Completed the Database Component Setup
Wizard screen displays.
13
The Completed the Database Component Setup Wizard screen is shown below.
FIGURE: Database Component Setup Wizard (Completed the Database Component Setup Wizard screen)
• Click the Finish button to complete the Database Component installation. Next,
the Console Management Server Setup wizard welcome screen displays.
14
The Console Management Server Setup wizard welcome screen is shown below.
FIGURE: Console Management Server Setup wizard (welcome screen)
Note: Application Security, Inc. strongly recommends you close all other
applications before continuing the installation.
• Click the Next button to display the Destination Folder screen.
15
The Destination Folder screen is shown below.
FIGURE: Console Management Server Setup wizard (Destination Folder screen)
• By default, the DbProtect installer installs the Console under C:\Program
Files\AppSecInc. You can click the Change... button to specify a different
installation path for the Console.
• Click the Next button to display the DbProtect Server Port screen.
16
The DbProtect Server Port screen is shown below.
FIGURE: Console Management Server Setup wizard (DbProtect Server Port screen)
The Console Management Server is DbProtect’s web application management
interface. You access it via a web browser. This screen allows you to select the server
port the web service runs on. DbProtect users connect to the Console via secure
HTTPS connection to the specified server port.
Do the following:
• Specify the Console server port. The default port (20080) is recommended for
most configurations. If necessary, enter a different port number (1-65535).
Consult your network administrator to determine which network port is
acceptable. For more information on required open listen ports, see Conceptual
diagram.
• Click the Test Port button to test the availability of the specified server port. If
the port is available, a checkmark icon displays, and the Next button is
illuminated.
• Click the Next button to display the Service Log On Credentials screen.
17
The Service Log On Credentials screen is shown below.
FIGURE: Console Management Server Setup wizard (Service Log On Credentials screen)
This step allows you to specify the user DbProtect will use to:
• run the DbProtect Console and DbProtect Message Collector services
• browse the Windows Active Directory or NT 4 domains.
Note: For all operating systems, this user must have the “Logon as a service”
privilege, and must belong to the local Administrators group. Windows 2000
Super Users must also have the “Act as part of the operating system”
privilege.
• You can select:
- Run service as LocalSystem to run the DbProtect Console service as
the current logged-in user.
- Select Run service as:, then manually enter (or click the Browse... button
to select) the Windows account domain path and user name in the
Account: field (e.g., Domain1\Account1), then enter the Windows
account password in the Password: field.
• Click the Test Credentials button to test the Run service as: credentials
provided. If the credentials are valid, a checkmark icon displays, and the Next
button is illuminated.
• Click the Next button to display the Database Run Time Credentials screen.
18
The Database Run Time Credentials screen is shown below.
FIGURE: Console Management Server Setup wizard (Database Run Time Credentials screen)
This service connects to the Database Component using either Windows
Authentication (using the Local System Windows Service account) or SQL
Authentication.
• You can select:
- Windows Authentication. If you select this option, DbProtect uses the
service credentials that you specified in Step 17 to connect to the
database at run-time.
- SQL Authentication (make sure you have enabled SQL authentication). If
you select this option, you must also enter a valid Login: and Password:
combination.
Caution! SQL Server authentication information is stored in clear text in the
following configuration files: appradar.xml, appdetective.xml,
messagecollector.xml, and appradarsoap.xml. These files
contain two parameters: username and password. In their
corresponding <value> fields, you will find the SQL Server
authentication values filled in by default. For more information, see the
DbProtect Administrator’s Guide.
Regardless of your selection, the Console uses these credentials to read and
write data. Only the db_datareader and db_datawriter roles are required
for these credentials.
• Click the Test Connection button to test the database run time credentials. If the
connection is successful, a green checkmark icon displays, and the Next button
is illuminated.
• Click the Next button to display the Ready to Install Console Management
Server screen.
19
The Ready to Install Console Management Server screen is shown below.
FIGURE: Console Management Server Setup wizard (Ready to Install Console Management Server screen)
• Click the Install button to begin the Console installation. When the Console
installation completes, a success message displays and the Finish button is
illuminated.
20
The Completed the Console Management Server Setup screen is shown below.
FIGURE: Console Management Server Setup wizard (Completed the Console Management Server Setup screen)
• Click the Finish button to complete the Console installation. Next, the Message
Collector Setup wizard welcome screen displays.
21
The Message Collector Setup wizard welcome screen is shown below.
FIGURE: Message Collector Setup wizard (welcome screen)
Note: Application Security, Inc. recommends you close all other applications before
continuing the installation.
• Click the Next button to display the Service Log On Credentials screen.
22
The Service Log On Credentials screen is shown below.
FIGURE: Message Collector Setup wizard (Service Log On Credentials screen)
This service runs using either Windows Authentication (using the Local System
Windows Service account) or SQL Authentication.
• If you selected:
- Windows Authentication in Step 18, the Message Collector will use the
service credentials to connect to the database at run-time.
- SQL Authentication in Step 18, the Message Collector will use the SQL
credentials you entered in Step 18 to connect to the database at runtime.
• Click the Test Connection button to test the database run time credentials. If the
connection is successful, a green checkmark icon displays, and the Next button
is illuminated.
• Click the Next button to display the Ready to Install Console Management
Server screen.
23
The Ready to Install Message Collector screen is shown below.
FIGURE: Message Collector Setup wizard (Ready to Install Message Collector screen)
• Click the Install button to begin the Message Collector installation. When the
Message Collector installation completes, the Completed the Message
Collector Setup Wizard screen displays and the Finish button is illuminated.
24
The Completed the Message Collector Setup Wizard screen is shown below.
FIGURE: Message Collector Setup wizard (Completed the Message Collector Setup Wizard screen)
• Click the Finish button to complete the Message Collector (and DbProtect
management bundle) installation. A “Congratulations” pop up displays after
you successfully complete the installation.
25
FIGURE: “Congratulations” pop up
• Click the OK button to close the pop up.
DbProtect begins running as a Windows service on your computer. This service
automatically starts when you start your computer.
26
Obtain and install your Application Security, Inc.-issued DbProtect licenses. You will
need:
• ADnnnnnnnnn.lic and ARnnnnnnnnn.lic license files on your DbProtect
host, so you can monitor database activity and assess database vulnerabilities via
the Console
• an individual ADnnnnnnnnn.lic license file on each host running a Scan
Engine (to activate vulnerability assessment).
For specific details, see Chapter 4 - Licensing.
27
Restart the DbProtect Console and DbProtect Message Collector services
after you copy the license files. Wait 20 seconds for the license to initialize.
All DbProtect services start automatically every time you start your computer. If you
need to start or stop any DbProtect services for any reason, see the DbProtect
Administrator’s Guide.
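The Caution in Step 18 states that, with SQL Authentication, the run-time login and password are stored in clear text in appradar.xml, appdetective.xml, messagecollector.xml, and appradarsoap.xml. The audit script below is an added example and not part of the DbProtect distribution; it reports which of those files hold populated credentials without ever printing the values. The XML element and attribute layout in the constructed samples is an assumption, because this guide names the parameters and their <value> fields but does not show the file format.

```python
"""Audit DbProtect configuration files for clear-text SQL Server credentials."""
import os
import sys
import xml.etree.ElementTree as ET

# File names are taken from the Step 18 Caution. Their directory depends on
# the destination folder chosen during installation, so it is an argument.
CONFIG_FILES = ("appradar.xml", "appdetective.xml",
                "messagecollector.xml", "appradarsoap.xml")
CREDENTIAL_PARAMS = ("username", "password")

# Constructed samples. The guide only says each file has "username" and
# "password" parameters with corresponding <value> fields; the element and
# attribute names used here are assumptions made for the demonstration.
SAMPLE_SQL_AUTH = """<configuration>
  <parameter name="username"><value>dbp_runtime</value></parameter>
  <parameter name="password"><value>Constructed-Example-1</value></parameter>
  <parameter name="timeout"><value>30</value></parameter>
</configuration>"""

SAMPLE_WINDOWS_AUTH = """<configuration>
  <parameter name="username"><value></value></parameter>
  <parameter name="password"><value/></parameter>
</configuration>"""


def _local_name(tag):
    """Strip an XML namespace such as '{urn:x}value' and lowercase the rest."""
    return tag.rsplit("}", 1)[-1].lower()


def find_cleartext_credentials(xml_data):
    """Return the sorted credential parameter names that carry a non-empty <value>.

    An element is matched by its name attribute (<parameter name="password">)
    or, failing that, by its tag (<password>). The values themselves are never
    returned, so the report can be logged or mailed safely.
    """
    root = ET.fromstring(xml_data)
    populated = set()
    for elem in root.iter():
        label = (elem.get("name") or _local_name(elem.tag)).lower()
        if label not in CREDENTIAL_PARAMS:
            continue
        for node in elem.iter():
            if _local_name(node.tag) == "value" and (node.text or "").strip():
                populated.add(label)
    return sorted(populated)


def audit_directory(directory):
    """Map each DbProtect config file found in `directory` to its finding.

    A finding is the list of populated credential parameters (empty when the
    file stores none) or the string "unreadable" when the file cannot be
    opened or parsed. Files that are absent are skipped.
    """
    report = {}
    for name in CONFIG_FILES:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as handle:
                report[name] = find_cleartext_credentials(handle.read())
        except (ET.ParseError, OSError):
            report[name] = "unreadable"
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = audit_directory(target)
    for name, found in sorted(findings.items()):
        if found == "unreadable":
            print(f"{name}: could not be parsed, inspect manually")
        elif found:
            print(f"{name}: clear-text {', '.join(found)} present; restrict "
                  "the file ACL to the service account and administrators")
        else:
            print(f"{name}: no stored SQL credentials")
    # Non-zero exit when any file needs attention, for use in scheduled checks.
    sys.exit(1 if any(findings.values()) else 0)
```

Because Step 18 notes that only the db_datareader and db_datawriter roles are required for these credentials, a file flagged here should hold a login limited to those roles.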
Installing and Starting/Stopping the Sensors
This section provides detailed installation steps for the Sensor components of
DbProtect. There are two types of Sensors available: host-based and network-based.
This section also explains how to start and stop the Sensors (on Windows and *nix
platforms).
Note:
First make sure you have carefully read the minimum system requirements
for the Sensors. For more information, see Sensors - Minimum System
Requirements.
What you will find in this section:
• Host-based Sensors (supported databases and platforms)
• Network-based Sensors (supported databases and platforms)
• Host-based Sensor for SQL Server (on Windows) - installation steps
• Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps
• Host-based Sensor for DB2 (on Solaris) - installation steps
• Host-based Sensor for DB2 (on AIX) - installation steps
• Host-based Sensor for DB2 (on Windows) - installation steps
• Host-based Sensor for Oracle (on Solaris) - installation steps
• Host-based Sensor for Oracle (on AIX) - installation steps
• Host-based Sensor for Oracle (on HP-UX) - installation steps
• Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps
• Host-based Sensor for Oracle (on Windows) - installation steps
• Network-based Sensor for Sybase, Oracle, and DB2 - installation steps
• Starting and stopping the Sensors.
Host-based Sensors (supported databases and platforms)
Host-based Sensors allow you to monitor the following databases on a host server:
• SQL Server on Windows
• DB2 on Solaris, AIX, Red Hat Enterprise Linux, and Windows
• Oracle on Solaris, AIX, HP-UX, Red Hat Enterprise Linux, and Windows.
If you want to install a host-based Sensor, the table below lists supported database/OS
combinations, and links you to the installation steps.
DB | OS | Go to:
SQL SERVER | WINDOWS | Host-based Sensor for SQL Server (on Windows) - installation steps
DB2 | RED HAT ENTERPRISE LINUX | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps
DB2 | SOLARIS | Host-based Sensor for DB2 (on Solaris) - installation steps
DB2 | AIX | Host-based Sensor for DB2 (on AIX) - installation steps
DB2 | WINDOWS | Host-based Sensor for DB2 (on Windows) - installation steps
ORACLE | SOLARIS | Host-based Sensor for Oracle (on Solaris) - installation steps
ORACLE | AIX | Host-based Sensor for Oracle (on AIX) - installation steps
ORACLE | HP-UX | Host-based Sensor for Oracle (on HP-UX) - installation steps
ORACLE | RED HAT ENTERPRISE LINUX | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps
ORACLE | WINDOWS | Host-based Sensor for Oracle (on Windows) - installation steps
Network-based Sensors (supported databases and platforms)
Network-based Sensors allow you to monitor Sybase, Oracle, and DB2 on the network.
If you want to install a network-based Sensor, the table below lists supported
database/OS combinations, and links you to the installation steps.
Note:
The network-based Sensor only runs on the Windows OS, but the
databases it monitors do not need to be running on Windows.
DB | OS | Go to:
DB2, SYBASE, ORACLE | WINDOWS | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps
Host-based Sensor for SQL Server (on Windows) - installation steps
To install the host-based Sensor for SQL Server on Windows:
Step
Action
1
Locate the setup file on the Application Security, Inc.-provided CD, or download it
from the Application Security, Inc. FTP site or website.
2
Save the file to a convenient location (e.g., c:\temp).
3
• Double-click the executable file to display the installation wizard (Welcome
page) and begin the Sensor installation.
FIGURE: Welcome page
• Click the Next button to display the License Agreement page.
4
FIGURE: License Agreement page
• Read the License Agreement.
• If you accept the terms of the License Agreement, select I accept the terms of
the license agreement.
• Click the Next button to display the Choose Destination Location page.
5
FIGURE: Choose Destination Location page
• Choose the location of the Sensor installation directory. You can click the:
- Change button to choose a directory manually
- Next button to choose the default location. (The default location is:
c:\Program Files\AppSecInc\AppRadar Sensor\).
• Click the Next button to display the Ready to Install the Program page.
6
FIGURE: Ready to Install page
Click the Install button. When the installation finishes, the Complete page displays.
7
FIGURE: Complete page
Click the Finish button to display the Sensor Initialization Utility.
8
FIGURE: Sensor Initialization Utility
Click the Host-Based Sensor for Microsoft SQL Server, DB2 and Oracle button to
display the Sensor Communication Port Information page.
9
FIGURE: Sensor Communication Port Information page
• Specify which port number the Sensor should use to receive commands from the
Console. The default port (20000) is recommended for most configurations. If
necessary, enter a different port number (1-65535). Consult your network
administrator to determine which network port is acceptable. For more
information on required open listen ports, see Conceptual diagram.
Note: Every Sensor installation requires its own dedicated port for communication.
Specify which port number the Sensor should use to receive commands from
the Console. The Sensor cannot share the same port with any other program.
This does not mean each Sensor requires a different port number on each
separate host server. For example, you can use the same port number for
each Sensor you install on each individual host machine (e.g., port 20000). Or
you can specify a different port number for each Sensor on each host
machine.
The Console uses port 20080 (by default) to send data to, and receive data
from, the Sensors. The Sensors, by comparison, send data to, and receive
data from, the Console on port 20000 (by default). Additionally, when the
Sensor sends Alerts (via port 20000) to the Console's Message Collector
component, the Message Collector receives these Alerts on port 20081 (by
default).
If you are installing a Sensor on the same host server where the Console is
installed, do not specify ports 20080 or 20081 (unless you’re certain these
ports are available).
• Click the Next button to display the Sensor Service Logon Details page.
10
FIGURE: Sensor Service Logon Details page
• Specify a database user login and password.
Important: If you want to specify a non-local user username and password for the
Sensor to run under, you must do so in this step.
You can select:
- Use "Local System" Account, if you want to use the "local system"
account, which has full access rights and privileges on the host computer.
- Existing domain user having the "log on as service" privilege. This
selection allows you to specify a domain user login and password in the
bottom half of the screen.
Important: The Sensor logs in to the monitored database, and the Sensor service
runs, under this user profile. This profile must be a Windows user with
administrator rights. Also, the account name specified must have the
"log on as service" permission set in the Local Security Policy of the
server (for more information, see your Windows help). If you select
Existing domain user having the "log on as service" privilege, then in
the bottom half of the screen you must enter the: a.) domain name\user
name, or click the Find User button to display the Select Users pop-up
and locate a valid user, and b.) password for the specified user. Also, the
domain user must be a Windows user with administrative rights on both
the host server and SQL Server, and must have domain administrator
rights to install a host-based Sensor for SQL Server in a cluster.
Caution! When using the Sensor Initialization Utility, you may encounter issues
when implementing the Windows Control that displays when you click the
Find User button. Depending on your OS version, it may not be possible
to select a user from a list. Subsequently, you may have to enter a valid
domain name\user name manually. Additionally, on operating systems
where this control does work, picking the user name from the Find User
list may not display it in the required format (domain name\user name) if
you select a local user rather than a domain user.
• Click the Next button to display the Summary page.
11
FIGURE: Summary page
• Verify the installation details. If you want to review or change any settings you can
click the Back button.
• Click the Initialize Sensor button. When the initialization finishes, the Results
page displays.
12
FIGURE: Results page
• Review the installation details at the bottom of the page.
• Click the Finish button.
Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps
HOST-BASED DB2 (ON RED HAT ENTERPRISE LINUX) SENSOR INSTALLATION
To install a host-based Sensor for DB2 on Red Hat Enterprise Linux 3, 4, or 5 (32-bit x86
and 64-bit x64):
Step
Action
1
The Unix administrator (root) creates the appradar user and group.
2
The Unix administrator (root) puts the instance (db2inst1) default user account
(or the account of whomever runs the DB2 user process) into the appradar group.
The DB2 user (db2inst1) must be in the appradar group, and the appradar
user must be in the same group as the DB2 user (db2grp1). Both actions must be
taken in order for the host-based DB2 Sensor to work properly.
Caution! A host-based Sensor for DB2 can only monitor one DB2 instance. If you
want to monitor multiple instances on a DB2 server, see Appendix C:
Modifying the Sensor Listener Port Number and Appendix P: Monitoring
Multiple Instances on a DB2 Server.
3
The DB2 administrator must grant the following privileges to the appradar user for
every DB2 database in the instance you want to monitor:
• SYSADM if you want to monitor unsuccessful authentication attempts
• DBADM if you do not want to monitor unsuccessful authentication attempts.
4
The person installing the host-based DB2 Sensor logs in as the user who will run the
host-based DB2 Sensor, i.e., appradar, or the user created by the Unix
administrator (root) in Step 1.
Caution! The account running the DB2 database must be in the same user group as
the account running the host-based Sensor for DB2 installation script.
5
Download or copy the host-based Sensor file to your target database host. The file
names are:
• AppRadar Sensor_<version number>_Linux32.tgz.sh for Red Hat
Enterprise Linux (32-bit x86)
• AppRadar Sensor_<version number>_Linux64.tgz.sh for Red Hat
Enterprise Linux (64-bit x64).
6
Install the host-based Sensor file as follows:
• sh "./AppRadar Sensor_<version number>_Linux32.tgz.sh" install <installation_dir>
for Red Hat Enterprise Linux (32-bit x86), where <installation_dir> is the
directory where you want to install the Sensor, e.g. /opt.
• sh "./AppRadar Sensor_<version number>_Linux64.tgz.sh" install <installation_dir>
for Red Hat Enterprise Linux (64-bit x64), where <installation_dir> is the
directory where you want to install the Sensor, e.g. /opt.
Note: If the filename contains spaces, then don't forget to quote these spaces in the
command.
The host-based Sensor is installed in the "<installation_dir>/
ASIappradar/" directory.
7
Application Security, Inc.
Start your Sensor; for more information, see Starting and stopping the Sensors.
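
Steps 1 and 2 require group membership in both directions, and the same requirement is repeated in the Solaris and AIX procedures for DB2. The script below is an added example, not part of DbProtect or of this guide: its function names and the sample passwd/group entries are constructed, and it assumes the account and group names used in the steps (appradar, db2inst1, db2grp1).

```shell
#!/bin/sh
# Added example: checks the two-way group requirement for the DB2 host-based
# Sensor against passwd(5)- and group(5)-format files. Function names and the
# sample entries in demo() are constructed for illustration.

# primary_gid USER PASSWD_FILE -> prints the user's primary GID (empty if no such user)
primary_gid() {
    awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2"
}

# groups_of USER PASSWD_FILE GROUP_FILE -> one group name per line, covering the
# primary group (GID field in passwd) and supplementary groups (member lists).
groups_of() (
    gid=$(primary_gid "$1" "$2")
    [ -n "$gid" ] || exit 1            # unknown user: no groups
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) { print $1; break }
        }
    ' "$3" | sort -u
)

# in_group USER GROUP PASSWD_FILE GROUP_FILE -> exit status 0 if USER is a member
in_group() {
    groups_of "$1" "$3" "$4" | grep -Fqx -- "$2"
}

# check_sensor_groups SENSOR_USER SENSOR_GROUP DB2_USER DB2_GROUP PASSWD_FILE GROUP_FILE
# Prints one line per failed requirement; exit status is the number of failures.
check_sensor_groups() (
    sensor_user=$1; sensor_group=$2; db2_user=$3; db2_group=$4; pw=$5; gr=$6
    failures=0
    for u in "$sensor_user" "$db2_user"; do
        if [ -z "$(primary_gid "$u" "$pw")" ]; then
            echo "FAIL: user '$u' does not exist"
            failures=$((failures + 1))
        fi
    done
    # Direction 1: the DB2 instance owner must be in the Sensor's group.
    if ! in_group "$db2_user" "$sensor_group" "$pw" "$gr"; then
        echo "FAIL: '$db2_user' is not in group '$sensor_group'"
        failures=$((failures + 1))
    fi
    # Direction 2: the Sensor user must be in the DB2 instance owner's group.
    if ! in_group "$sensor_user" "$db2_group" "$pw" "$gr"; then
        echo "FAIL: '$sensor_user' is not in group '$db2_group'"
        failures=$((failures + 1))
    fi
    if [ "$failures" -eq 0 ]; then
        echo "OK: '$db2_user' and '$sensor_user' share groups in both directions"
    fi
    exit "$failures"
)

# Demonstration on constructed data: only one direction has been configured.
demo() (
    dir=$(mktemp -d) || exit 1
    cat > "$dir/passwd" <<'EOF'
db2inst1:x:1001:1001::/home/db2inst1:/bin/sh
appradar:x:1002:1002::/home/appradar:/bin/sh
EOF
    cat > "$dir/group" <<'EOF'
db2grp1:x:1001:
appradar:x:1002:db2inst1
EOF
    status=0
    check_sensor_groups appradar appradar db2inst1 db2grp1 \
        "$dir/passwd" "$dir/group" || status=$?
    echo "failed checks: $status"
    rm -rf "$dir"
)

demo
```

On a live host, pass /etc/passwd and /etc/group as the two file arguments. Accounts served from a directory service such as LDAP or NIS do not appear in those files, so confirm them with id instead.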

Host-based Sensor for DB2 (on Solaris) - installation steps

To install a host-based Sensor for DB2 on Solaris 8, 9, and 10 (64-bit SPARC):
1. The Unix administrator (root) creates the appradar user and group.
2. The Unix administrator (root) puts the instance (db2inst1) default user account
   (or the account of whoever runs the DB2 user process) into the appradar group.
   The DB2 user (db2inst1) must be in the appradar group, and the appradar
   user must be in the same group as the DB2 user (db2grp1). Both actions must be
   taken in order for the host-based DB2 Sensor to work properly.
   Caution! A host-based Sensor for DB2 can only monitor one DB2 instance. If you
   want to monitor multiple instances on a DB2 server, see Appendix C:
   Modifying the Sensor Listener Port Number and Appendix P: Monitoring
   Multiple Instances on a DB2 Server.
3. The DB2 administrator must grant the following privileges to the appradar user for
   every DB2 database in the instance you want to monitor:
   • SYSADM if you want to monitor unsuccessful authentication attempts
   • DBADM if you do not want to monitor unsuccessful authentication attempts.
4. The person installing the host-based DB2 Sensor logs in as the user who will run the
   host-based DB2 Sensor, i.e., appradar, or the user created by the Unix
   administrator (root) in Step 1.
   Caution! The account running the DB2 database must be in the same user group as
   the account running the host-based Sensor for DB2 installation script.
5. Download or copy the host-based Sensor installation file to your target database
   host. The file is: AppRadar Sensor_<version number>__Solaris64.tgz.sh
6. Install the host-based Sensor file as follows:
       sh "./AppRadar Sensor_<version number>__Solaris64.tgz.sh" install <installation_dir>
   where <installation_dir> is the directory where you want to install the Sensor,
   e.g. /opt.
   Note: If the filename contains spaces, then don't forget to quote these spaces in the
   command.
   The host-based Sensor is installed in the "<installation_dir>/ASIappradar/"
   directory.
7. Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for DB2 (on AIX) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for
DB2 on a Unix or Red Hat Enterprise Linux host, see the DbProtect
Administrator’s Guide.
To install a host-based Sensor for DB2 on a Unix host running AIX 5.2 Technology Level
5 and up:
1. The Unix administrator (root) creates the appradar user and group.
2. The Unix administrator (root) puts the instance (db2inst1) default user account
   (or the account of whoever runs the DB2 user process) into the appradar group.
   The DB2 user (db2inst1) must be in the appradar group, and the appradar
   user must be in the same group as the DB2 user (db2grp1). Both actions must be
   taken in order for the host-based DB2 Sensor to work properly.
   Caution! A host-based Sensor for DB2 can only monitor one DB2 instance. If you
   want to monitor multiple instances on a DB2 server, see Appendix C:
   Modifying the Sensor Listener Port Number and Appendix P: Monitoring
   Multiple Instances on a DB2 Server.
3. The DB2 administrator must grant the following privileges to the appradar user for
   every DB2 database in the instance you want to monitor:
   • SYSADM if you want to monitor unsuccessful authentication attempts
   • DBADM if you do not want to monitor unsuccessful authentication attempts.
4. The person installing the host-based DB2 Sensor logs in as the user who will run the
   host-based DB2 Sensor, i.e., appradar, or the user created by the Unix
   administrator (root) in Step 1.
   Caution! The account running the DB2 database must be in the same user group as
   the account running the host-based Sensor for DB2 installation script.
5. Download or copy the host-based Sensor file to your target database host. The file
   names are:
   • AppRadar Sensor_<version number>_aix-ppc-32.tgz.sh for AIX (32-bit)
   • AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh for AIX (64-bit).
6. Install the host-based Sensor file as follows:
   • sh "./AppRadar Sensor_<version number>_aix-ppc-32.tgz.sh" install <installation_dir>
     for AIX (32-bit), where <installation_dir> is the directory where you want
     to install the Sensor, e.g. /opt.
   • sh "./AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh" install <installation_dir>
     for AIX (64-bit), where <installation_dir> is the directory where you want
     to install the Sensor, e.g. /opt.
   Note: If the filename contains spaces, then don't forget to quote these spaces in the
   command.
   The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.
7. Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for DB2 (on Windows) - installation steps

To install a host-based Sensor for DB2 on Windows:
1. Locate the setup file on the Application Security, Inc.-provided CD, or download it
   from the Application Security, Inc. FTP site or website.
2. Save the file to a convenient location (e.g., c:\temp).
3. • Double click the executable file to display the installation wizard (Welcome
     page) and begin the Sensor installation.
   FIGURE: Welcome page
   • Click the Next button to display the License Agreement page.
4. FIGURE: License Agreement page
   • Read the License Agreement.
   • If you accept the terms of the License Agreement, select I accept the terms of
     the license agreement.
   • Click the Next button to display the Choose Destination Location page.
5. FIGURE: Choose Destination Location page
   • Choose the location of the Sensor installation directory. You can click the:
     - Change button to choose a directory manually
     - Next button to choose the default location. (The default location is:
       c:\Program Files\AppSecInc\AppRadar Sensor\).
   • Click the Next button to display the Ready to Install the Program page.
6. FIGURE: Ready to Install the Program page
   Click the Install button. When the installation finishes, the Complete page displays.
7. FIGURE: Complete page
   Click the Finish button to display the Sensor Initialization Utility.
8. FIGURE: Sensor Initialization Utility
   Click the Host-Based Sensor for Microsoft SQL Server, DB2 and Oracle button to
   display the Sensor Communication Port Information page.
9. FIGURE: Sensor Communication Port Information page
   • Specify which port number the Sensor should use to receive commands from the
     Console. The default port (20000) is recommended for most configurations. If
     necessary, enter a different port number (1-65535). Consult your network
     administrator to determine which network port is acceptable. For more
     information on required open listen ports, see Conceptual diagram.
     Note: Every Sensor installation requires its own dedicated port for communication.
     Specify which port number the Sensor should use to receive commands from
     the Console. The Sensor cannot share the same port with any other program.
     This does not mean each Sensor requires a different port number on each
     separate host server. For example, you can use the same port number for
     each Sensor you install on each individual host machine (e.g., port 20000). Or
     you can specify a different port number for each Sensor on each host
     machine.
     The Console uses port 20080 (by default) to send data to, and receive data
     from, the Sensors. The Sensors, by comparison, send data to, and receive
     data from, the Console on port 20000 (by default). Additionally, when the
     Sensor sends Alerts (via port 20000) to the Console's Message Collector
     component, the Message Collector receives these Alerts on port 20081 (by
     default).
     If you are installing a Sensor on the same host server where the Console is
     installed, do not specify ports 20080 or 20081 (unless you’re certain these
     ports are available).
   • Click the Next button to display the Sensor Service Logon Details page.
10. FIGURE: Sensor Service Logon Details page
    • Specify a database user login and password.
      Important: If you want to specify a non-local user username and password for the
      Sensor to run under, you must do so in this step.
      You can select:
      - Use "Local System" Account, if you want to use the "local system"
        account, which has full access rights and privileges on the host computer.
      - Existing domain user having the "log on as service" privilege. This
        selection allows you to specify a domain user login and password in the
        bottom half of the screen.
      Important: The Sensor logs in to the monitored database, and the Sensor service
      runs, under this user profile. This profile must be a Windows user with
      administrator rights. Also, the account name specified must have the
      "log on as service" permission set in the Local Security Policy of the
      server (for more information, see your Windows help). If you select
      Existing domain user having the "log on as service" privilege, then in
      the bottom half of the screen you must enter the: a.) domain name\user
      name, or click the Find User button to display the Select Users pop-up
      and locate a valid user, and b.) password for the specified user.
      Caution! When using the Sensor Initialization Utility, you may encounter issues
      with the Windows control that displays when you click the Find
      User button. Depending on your OS version, it may not be possible to
      select a user from a list. Consequently, you may have to enter a valid
      domain name\user name manually. Additionally, on operating systems
      where this control does work, picking the user name from the Find User
      list may not display it in the required format (domain name\user name) if
      you select a local user rather than a domain user.
    • Click the Next button to display the Summary page.
11. FIGURE: Summary page
    • Verify the installation details. If you want to review or change any settings, you
      can click the Back button.
    • Click the Initialize Sensor button. When the initialization finishes, the Results
      page displays.
12. FIGURE: Results page
    • Review the installation details at the bottom of the page.
    • Click the Finish button.
13. Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for Oracle (on Solaris) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for
Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect
Administrator’s Guide.
To install a host-based Sensor for Oracle on a Unix host running Solaris 8, 9, 10 (32- and 64-bit SPARC):
1. Log in as a user that will run the Sensor, i.e., appradar.
   Caution! Do not log in as root.
   Note: The user (i.e., appradar) must be a member of the same “dba” group as
   oracle on the host.
2. Download or copy the host-based Sensor file to your target database host. The file
   names are:
   • AppRadar Sensor_<version number>_Solaris32.tgz.sh for Solaris (32-bit SPARC)
   • AppRadar Sensor_<version number>_Solaris64.tgz.sh for Solaris (64-bit SPARC).
3. Install the host-based Sensor file as follows:
   • sh "./AppRadar Sensor_<version number>_Solaris32.tgz.sh" install <installation_dir>
     for Solaris (32-bit SPARC), where <installation_dir> is the directory where
     you want to install the Sensor, e.g. /opt.
   • sh "./AppRadar Sensor_<version number>_Solaris64.tgz.sh" install <installation_dir>
     for Solaris (64-bit SPARC), where <installation_dir> is the directory where
     you want to install the Sensor, e.g. /opt.
   Note: If the filename contains spaces, then don't forget to quote these spaces in the
   command.
   The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.
4. Finally, you must configure your host-based Sensor for Oracle DDL triggers, and
   configure your host-based Sensor for Oracle audit trail to monitor failed logins. For
   more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle
   DDL Triggers and Appendix J: Configuring Your Oracle Audit Trail in Order to
   Monitor Logins, respectively.
   Note: If you remove and re-add a DDL trigger for any reason, you must restart the
   Sensor afterwards. Most DDL rules will not fire until this is done.
5. Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for Oracle (on AIX) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for
Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect
Administrator’s Guide.
To install a host-based Sensor for DB2 on a Unix host running AIX 5.2 (64-bit)
Technology Level 5 and up (or AIX 5.3 Technology Level 5 for Sensors prior to version
3.3):
1. Log in as a user that will run the Sensor, i.e., appradar.
   Caution! Do not log in as root.
   Note: The user (i.e., appradar) must be a member of the same “dba” group as
   oracle on the host.
2. Download or copy the host-based Sensor file to your target database host. The file
   name is: AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh for 64-bit AIX.
3. Install the host-based Sensor file as follows:
       sh "./AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh" install <installation_dir>
   for AIX 5.2 (64-bit), where <installation_dir> is the directory where you want
   to install the Sensor, e.g. /opt.
   Note: If the filename contains spaces, then don't forget to quote these spaces in the
   command.
   Result: The host-based Sensor is installed in the "<installation_dir>/ASIappradar/"
   directory.
4. Finally, you must configure your host-based Sensor for Oracle DDL triggers, and
   configure your host-based Sensor for Oracle audit trail to monitor failed logins. For
   more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle
   DDL Triggers and Appendix J: Configuring Your Oracle Audit Trail in Order to
   Monitor Logins, respectively.
   Note: If you remove and re-add a DDL trigger for any reason, you must restart the
   Sensor afterwards. Most DDL rules will not fire until this is done.
5. Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for Oracle (on HP-UX) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for
Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect
Administrator’s Guide.
To install a host-based Sensor for Oracle on a Unix host running HP-UX 11i v1 (11.11)
and greater on the PA-RISC processor and HP-UX 11i v2 (11.23) and greater on the
Itanium (IA64) processor:
1. Log in as a user that will run the Sensor, i.e., appradar.
   Caution! Do not log in as root.
   Note: The user (i.e., appradar) must be a member of the same “dba” group as
   oracle on the host.
2. Download or copy the host-based Sensor file to your target database host. If you
   are installing a host-based Sensor on a Unix host running:
   • HP-UX 11i v1 (11.11) and greater on the PA-RISC processor, the name of the file
     is: AppRadar Sensor_<version number>_hpux-hppa-64.tgz.sh
   • HP-UX 11i v2 (11.23) and greater on the Itanium (IA64) processor, the name of the
     file is: AppRadar Sensor_<version number>_hpux-ia64-64.tgz.sh
3. Install the host-based Sensor file as follows:
   • sh "./AppRadar Sensor_<version number>_hpux-hppa-64.tgz.sh" install <installation_dir>
     for HP-UX 11i v1 (11.11) and greater on the PA-RISC processor, where
     <installation_dir> is the directory where you want to install the Sensor,
     e.g. /opt.
   • sh "./AppRadar Sensor_<version number>_hpux-ia64-64.tgz.sh" install <installation_dir>
     for HP-UX 11i v2 (11.23) and greater on the Itanium (IA64) processor, where
     <installation_dir> is the directory where you want to install the Sensor,
     e.g. /opt.
   Note: If the filename contains spaces, then don't forget to quote these spaces in the
   command.
   The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.
4. Finally, you must configure your host-based Sensor for Oracle DDL triggers, and
   configure your host-based Sensor for Oracle audit trail to monitor failed logins. For
   more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle
   DDL Triggers.
   Note: If you remove and re-add a DDL trigger for any reason, you must restart the
   Sensor afterwards. Most DDL rules will not fire until this is done.
5. Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for
Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect
Administrator’s Guide.
Caution! The host-based Sensor installer may display a warning message
if you run it on Red Hat Enterprise Linux 3 to inform you DB2 is
not supported on version 3. You may safely ignore this warning.
To install a host-based Sensor for Oracle on a host running Red Hat Enterprise Linux 3,
4, or 5 (32-bit x86 and 64-bit x64):
1. Log in as a user that will run the Sensor, i.e., appradar.
   Caution! Do not log in as root.
   Note: The user (i.e., appradar) must be a member of the same “dba” group as
   oracle on the host.
2. Download or copy the host-based Sensor file to your target database host. The file
   names are:
   • AppRadar Sensor_<version number>_Linux32.tgz.sh for Red Hat
     Enterprise Linux (32-bit x86)
   • AppRadar Sensor_<version number>_Linux64.tgz.sh for Red Hat
     Enterprise Linux (64-bit x64).
3. Install the host-based Sensor file as follows:
   • sh "./AppRadar Sensor_<version number>_Linux32.tgz.sh" install <installation_dir>
     for Red Hat Enterprise Linux (32-bit x86), where <installation_dir> is the
     directory where you want to install the Sensor, e.g. /opt.
   • sh "./AppRadar Sensor_<version number>_Linux64.tgz.sh" install <installation_dir>
     for Red Hat Enterprise Linux (64-bit x64), where <installation_dir> is the
     directory where you want to install the Sensor, e.g. /opt.
   Note: If the filename contains spaces, then don't forget to quote these spaces in the
   command.
   Result: The host-based Sensor is installed in the "<installation_dir>/ASIappradar/"
   directory.
4. Finally, you must configure your host-based Sensor for Oracle DDL triggers, and
   configure your host-based Sensor for Oracle audit trail to monitor failed logins. For
   more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle
   DDL Triggers.
   Note: If you remove and re-add a DDL trigger for any reason, you must restart the
   Sensor afterwards. Most DDL rules will not fire until this is done.
5. Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for Oracle (on Windows) - installation steps

To install a host-based Sensor for Oracle on Windows:
1. Locate the setup file on the Application Security, Inc.-provided CD, or download it
   from the Application Security, Inc. FTP site or website.
2. Save the file to a convenient location (e.g., c:\temp).
3. • Double click the executable file to display the installation wizard (Welcome
     page) and begin the Sensor installation.
   FIGURE: Welcome page
   • Click the Next button to display the License Agreement page.
4. FIGURE: License Agreement page
   • Read the License Agreement.
   • If you accept the terms of the License Agreement, select I accept the terms of
     the license agreement.
   • Click the Next button to display the Choose Destination Location page.
5. FIGURE: Choose Destination Location page
   • Choose the location of the Sensor installation directory. You can click the:
     - Change button to choose a directory manually
     - Next button to choose the default location. (The default location is:
       c:\Program Files\AppSecInc\AppRadar Sensor\).
   • Click the Next button.
6. FIGURE: Ready to Install the Program page
   Click the Install button. When the installation finishes, the Complete page displays.
7. FIGURE: Complete page
   Click the Finish button to display the Sensor Initialization Utility.
8. FIGURE: Sensor Initialization Utility
   Click the Host-Based Sensor for Microsoft SQL Server, DB2 and Oracle button to
   display the Sensor Communication Port page.
9. FIGURE: Sensor Communication Port page
   • Specify which port number the Sensor should use to receive commands from the
     Console. The default port (20000) is recommended for most configurations. If
     necessary, enter a different port number (1-65535). Consult your network
     administrator to determine which network port is acceptable. For more
     information on required open listen ports, see Conceptual diagram.
     Note: Every Sensor installation requires its own dedicated port for communication.
     Specify which port number the Sensor should use to receive commands from
     the Console. The Sensor cannot share the same port with any other program.
     This does not mean each Sensor requires a different port number on each
     separate host server. For example, you can use the same port number for
     each Sensor you install on each individual host machine (e.g., port 20000). Or
     you can specify a different port number for each Sensor on each host
     machine.
     The Console uses port 20080 (by default) to send data to, and receive data
     from, the Sensors. The Sensors, by comparison, send data to, and receive
     data from, the Console on port 20000 (by default). Additionally, when the
     Sensor sends Alerts (via port 20000) to the Console's Message Collector
     component, the Message Collector receives these Alerts on port 20081 (by
     default).
     If you are installing a Sensor on the same host server where the Console is
     installed, do not specify ports 20080 or 20081 (unless you’re certain these
     ports are available).
   • Click the Next button to display the Sensor Service Logon Details page.
10. FIGURE: Sensor Service Logon Details page
    • Specify a database user login and password.
      Important: If you want to specify a non-local user username and password for the
      Sensor to run under, you must do so in this step.
      You can select:
      - Use "Local System" Account, if you want to use the "local system"
        account, which has full access rights and privileges on the host computer.
      - Existing domain user having the "log on as service" privilege. This
        selection allows you to specify a domain user login and password in the
        bottom half of the screen.
      Important: The Sensor logs in to the monitored database, and the Sensor service
      runs, under this user profile. This profile must be a Windows user with
      administrator rights. Also, the account name specified must have the
      "log on as service" permission set in the Local Security Policy of the
      server (for more information, see your Windows help). If you select
      Existing domain user having the "log on as service" privilege, then in
      the bottom half of the screen you must enter the: a.) domain name\user
      name, or click the Find User button to display the Select Users pop-up
      and locate a valid user, and b.) password for the specified user.
      Caution! When using the Sensor Initialization Utility, you may encounter issues
      with the Windows control that displays when you click the Find
      User button. Depending on your OS version, it may not be possible to
      select a user from a list. Consequently, you may have to enter a valid
      domain name\user name manually. Additionally, on operating systems
      where this control does work, picking the user name from the Find User
      list may not display it in the required format (domain name\user name) if
      you select a local user rather than a domain user.
    • Click the Next button to display the Summary page.
11. FIGURE: Summary page
    • Verify the installation details. If you want to review or change any settings, you
      can click the Back button.
    • Click the Initialize Sensor button. When the initialization finishes, the Results
      page displays.
12. FIGURE: Results page
    • Review the installation details at the bottom of the page.
    • Click the Finish button.
13. Start your Sensor; for more information, see Starting and stopping the Sensors.

Network-based Sensor for Sybase, Oracle, and DB2 - installation steps

Note: The network-based Sensor only runs on the Windows OS, but the
databases it monitors do not need to be running on Windows.
To install a network-based Sensor for DB2, Oracle, or Sybase:
1. Locate the setup file on the Application Security, Inc.-provided CD, or download it
   from the Application Security, Inc. FTP site or website.
2. Save the file to a convenient location (e.g., c:\temp).
3. Double click the executable file to start the Sensor installation.
   Result: The Welcome page of the installation wizard displays, and the Sensor
   installation begins.
   FIGURE: Installation wizard (Welcome page)
   Click the Next button.
4. FIGURE: Installation wizard (License Agreement page)
   • Read the License Agreement.
   • If you accept the terms of the License Agreement, select I accept the terms of
     the license agreement.
   • Click the Next button.
5. FIGURE: Choose Destination Location page
   • Choose the location of the Sensor installation directory. You can click the:
     - Change button to choose a directory manually
     - Next button to choose the default location. (The default location is:
       c:\Program Files\AppSecInc\AppRadar Sensor\).
   • Click the Next button.
6. FIGURE: Installation wizard (Ready to Install the Program page)
   Click the Install button. When the installation finishes, the Complete page displays.
7. FIGURE: Complete page
   Click the Finish button to display the Sensor Initialization Utility.
8. FIGURE: Sensor Initialization Utility
   From the Sensor Initialization Utility page, click the Network-Based Sensor for DB2,
   Oracle & Sybase button.
9. FIGURE: Sensor Communication Port Information page
   • Specify which port number the Sensor should use to receive commands from the
     Console. The default port (20000) is recommended for most configurations. If
     necessary, enter a different port number (1-65535). Consult your network
     administrator to determine which network port is acceptable. For more
     information on required open listen ports, see Conceptual diagram.
     Note: Every Sensor installation requires its own dedicated port for communication.
     Specify which port number the Sensor should use to receive commands from
     the Console. The Sensor cannot share the same port with any other program.
     This does not mean each Sensor requires a different port number on each
     separate host server. For example, you can use the same port number for
     each Sensor you install on each individual host machine (e.g., port 20000). Or
     you can specify a different port number for each Sensor on each host
     machine.
     The Console uses port 20080 (by default) to send data to, and receive data
     from, the Sensors. The Sensors, by comparison, send data to, and receive
     data from, the Console on port 20000 (by default). Additionally, when the
     Sensor sends Alerts (via port 20000) to the Console's Message Collector
     component, the Message Collector receives these Alerts on port 20081 (by
     default).
     If you are installing a Sensor on the same host server where the Console is
     installed, do not specify ports 20080 or 20081 (unless you’re certain these
     ports are available).
   • Click the Next button to display the Sensor Service Logon Details page.
10. FIGURE: Sensor Service Logon Details page
    • Specify a database user login and password.
      Important: If you want to specify a non-local user username and password for the
      Sensor to run under, you must do so in this step.
      You can select:
      - Use "Local System" Account, if you want to use the "local system"
        account, which has full access rights and privileges on the host computer.
      - Existing domain user having the "log on as service" privilege. This
        selection allows you to specify a domain user login and password in the
        bottom half of the screen.
      Important: The Sensor logs in to the monitored database, and the Sensor service
      runs, under this user profile. This profile must be a Windows user with
      administrator rights. Also, the account name specified must have the
      "log on as service" permission set in the Local Security Policy of the
      server (for more information, see your Windows help). If you select
      Existing domain user having the "log on as service" privilege, then in
      the bottom half of the screen you must enter the: a.) domain name\user
      name, or click the Find User button to display the Select Users pop-up
      and locate a valid user, and b.) password for the specified user.
      Caution! When using the Sensor Initialization Utility, you may encounter issues
      with the Windows control that displays when you click the Find
      User button. Depending on your OS version, it may not be possible to
      select a user from a list. Consequently, you may have to enter a valid
      domain name\user name manually. Additionally, on operating systems
      where this control does work, picking the user name from the Find User
      list may not display it in the required format (domain name\user name) if
      you select a local user rather than a domain user.
    • Click the Next button to display the Summary page.
11. FIGURE: Summary page
    • Verify the installation details. If you want to review or change any settings, you
      can click the Back button.
    • Click the Initialize Sensor button. When the initialization finishes, the Results
      page displays.
12. FIGURE: Results page
    Click the Finish button.
13. Start your Sensor; for more information, see Starting and stopping the Sensors.

Starting and stopping the Sensors

What you will find in this help topic:
• Starting and stopping the Sensors on Windows
• Starting and stopping the Sensors on *nix platforms.
STARTING AND STOPPING THE SENSORS ON WINDOWS
There are four DbProtect services:
• DbProtect
• One of the following:
-MSSQL$(YourInstanceName)
-MSSQLSERVER (default instance)
• DbProtect Message Collector
• AppRadar Sensor
You only need to start the AppRadar Sensor service in order for DbProtect to collect
data from Sensors, and for you to connect to DbProtect. These services are configured
to start whenever Windows starts.
There are several ways to start and stop the services on Windows.
Starting a Sensor from the command line
To start a Sensor from the command line:
Step 1: Choose Start > Run to display the Run dialog box.
Step 2: Enter cmd.exe in the Open field.
Step 3: Click the OK button to display a command window.
Step 4: Enter the following to start the service:
C:\> net start ServiceName
where ServiceName is one of the following:
• DbProtect
• MSSQL$(YourInstanceName) or MSSQLSERVER
• DbProtect Message Collector
• AppRadar Sensor
The following messages display:
The ServiceName service is starting.
The ServiceName service was started successfully.
Stopping a Sensor from the command line
To stop a Sensor from the command line:
Step 1: Choose Start > Run to display the Run dialog box.
Step 2: Enter cmd.exe in the Open field.
Step 3: Click the OK button to display a command window.
Step 4: Enter the following to stop the service:
C:\> net stop ServiceName
where ServiceName is one of the following:
• DbProtect
• MSSQL$(YourInstanceName) or MSSQLSERVER
• DbProtect Message Collector
• AppRadar Sensor
The following messages display:
The ServiceName service is stopping.
The ServiceName service was stopped successfully.
Starting a Sensor from the Control Panel
To start a Sensor from the Control Panel:
Step 1: Choose Start > Control Panel to display the Control Panel dialog box.
Step 2: Double click the Administrative Tools icon to display the Administrative Tools dialog
box.
Step 3: Double click the Services icon to display the Services dialog box.
Step 4: Highlight any of the following services:
• DbProtect
• MSSQL$(YourInstanceName) or MSSQLSERVER
• DbProtect Message Collector
• AppRadar Sensor
Step 5: Click the Start link to display the Service Control pop-up. The service starts. The
Status column in the Services dialog box should read Started.
Stopping a Sensor from the Control Panel
To stop a Sensor from the Control Panel:
Step 1: Choose Start > Control Panel to display the Control Panel dialog box.
Step 2: Double click the Administrative Tools icon to display the Administrative Tools dialog
box.
Step 3: Double click the Services icon to display the Services dialog box.
Step 4: Highlight any of the following services:
• DbProtect
• MSSQL$(YourInstanceName) or MSSQLSERVER
• DbProtect Message Collector
• AppRadar Sensor
Step 5: Click the Stop link to display the Service Control pop-up. The service stops. The
Status column in the Services dialog box should be blank.
STARTING AND STOPPING THE SENSORS ON *NIX PLATFORMS
To start and stop the Sensors on a *nix platform:
Step 1: To start a host-based Sensor on a *nix platform, do the following:
• Log in as the user you created during the installation process (appradar, for
example).
• Once you are successfully authenticated as this user, go to the /util directory
where you installed the host-based Sensor (for example:
/opt/ASIappradar/sensor/util).
• Run the command: ./appradar_start
Step 2: To stop a host-based Sensor on a *nix platform, do the following:
• Log in as the user you created during the installation process (appradar, for
example).
• Once you are successfully authenticated as this user, go to the /util directory
where you installed the host-based Sensor (for example:
/opt/ASIappradar/sensor/util).
• Run the command: ./appradar_stop
Installing Scan Engines
This section provides detailed installation steps for the Scan Engine component of
DbProtect.
Note:
First make sure you have carefully read the minimum system requirements
for the Console and Data Repository. For more information, see Scan
Engines - Minimum System Requirements.
What you will find in this section:
• Scan Engine - installation steps.
Scan Engine installation steps
To install a Scan Engine:
Step 1: Download the Scan Engine setup file from the Application Security, Inc. website
(contact Customer Support at support@appsecinc.com if you need the exact
URL).
Step 2: Double click the Scan Engine executable (.exe) file to start the DbProtect Scan
Engine installation.
FIGURE: Scan Engine installation wizard
Click the Next button to display the License Agreement page.
Step 3: FIGURE: License Agreement page
• Read the License Agreement.
• If you accept the terms of the License Agreement, select I accept the terms of
the license agreement.
• Click the Next button to display the Destination Folder page.
Step 4: FIGURE: Destination Folder page
• Click the Change... button to select the folder where the installation wizard will
install files.
• Click the Next button to display the Setup Type page.
Step 5: FIGURE: Setup Type page
Select a setup type. If you select:
• Custom to install only certain features (and specify where to install them), and
click the Next button, then the Custom Setup page displays (go to Step 6).
• Complete to install all features (recommended), and click the Next button, then
the Scan Engine Configuration page displays (go to Step 7).
Step 6: The Custom Setup page displays if you select Custom in Step 5. This page allows
you to install only certain features (and specify where to install them).
Click the + icon to display the following Scan Engine installation components:
• Core Functionality
• AppDetective
• SQL-DMO
• Visual Basic Runtime
FIGURE: Custom Setup page
• You must install the Core Functionality and Visual Basic Runtime components.
• Click the Change... button to specify a folder where you want to install files for
the selected components.
• Click the Next button to display the Scan Engine Configuration page and go to
Step 7.
Step 7: FIGURE: Scan Engine Configuration page
• On the Scan Engine Configuration page, do the following:
In the installation information portion:
-Enter the HOSTNAME of the machine where you installed DbProtect; for
more information, see DbProtect suite management components - installation steps.
-Enter which HTTP port DbProtect AppDetective uses (1-65535). (For
more information on required open listen ports, see Conceptual
diagram.)
-If you do not know the DbProtect AppDetective port number, do the
following:
a.) Open the server.xml file (stored under \<DbProtect
Installation Folder>\AppSecInc\gui\tomcat\conf).
b.) Locate the following line: <Connector
className="org.apache.coyote.tomcat4.CoyoteConnector"
port = "<port number used>".
c.) Use this port number.
• Click the Next button to display the Initialization Parameters page.
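The lookup in a.) through c.) of Step 7 can be scripted. The following is an added example, not part of the DbProtect product or its documentation: it lists every Connector in a server.xml whose className matches the one quoted in b.) and rejects any port outside the 1-65535 range. The sample XML, its port values, and the use of the scheme attribute (with "http" assumed when it is absent) are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# className quoted in step b.) of the guide.
COYOTE_CLASS = "org.apache.coyote.tomcat4.CoyoteConnector"

# Constructed sample, not a real DbProtect server.xml. Two Connector elements
# carry the same className, so searching for the "line" by hand can hit either.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Sample">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port = "20080" scheme="https" secure="true"/>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8081"/>
    <Connector className="example.OtherConnector" port="9009"/>
  </Service>
</Server>
"""


def coyote_connector_ports(xml_text):
    """Return [(port, scheme), ...] for every matching Connector element.

    xml_text may be str or bytes. All matches are returned so the operator can
    pick the connector the Console actually serves; the scheme attribute is
    reported to help tell them apart ("http" is assumed when it is missing).
    """
    root = ET.fromstring(xml_text)
    matches = []
    for conn in root.iter("Connector"):
        if conn.get("className") != COYOTE_CLASS:
            continue
        raw = (conn.get("port") or "").strip()
        # The installer accepts 1-65535; anything else is a broken config
        # (for example an unfilled "<port number used>" placeholder).
        if not (raw.isascii() and raw.isdigit()) or not 1 <= int(raw) <= 65535:
            raise ValueError("Connector has an unusable port value: %r" % raw)
        matches.append((int(raw), conn.get("scheme", "http")))
    return matches


if __name__ == "__main__":
    # Pass the path to server.xml, or run without arguments to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            text = handle.read()
    else:
        text = SAMPLE_SERVER_XML
    for port, scheme in coyote_connector_ports(text):
        print("%s connector on port %d" % (scheme, port))
```

If more than one connector is listed, enter the port of the one you actually use to reach the Console.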
Step 8: FIGURE: Initialization Parameters page
If you:
• installed your Scan Engine and Console on different hosts, you must copy the
cacert.pem file located in:
<DbProtect AppDetective Installation Folder>\GUI\repository\cacert.pem
to:
<Scan Engine Installation Folder>\adse\certs\cacert.pem
Note: If this file already exists, you must overwrite it.
• need to synch the database where your Scan Engine results are stored with the
Data Repository (required), you can run the AppDSN utility on the Scan Engine
server; for more information, see Appendix I: Using App DSN, the Repair ODBC
Utility.
Logging Into the Console
Caution! Some older versions of Google Desktop (5.1 and earlier) may
cause problems when loading the Console applet in Internet
Explorer. You should turn off Google Desktop, or re-install a
newer (5.2 or greater) version.
To log into the Console:
Step 1: Do one of the following:
• Choose Start > All Programs > AppSecInc > DbProtect.
• Open Internet Explorer 6.0 or greater with JavaScript enabled, and the screen
resolution set to a minimum of 1024x768.
• Enter https://YourMachineName:InstallPort in the Address line,
where:
-YourMachineName is the computer name of your Console machine
-InstallPort is the port number entered during installation.
A Security Alert pop-up displays, prompting you to accept a security certificate from
Application Security, Inc. DbProtect uses this certificate to communicate with users
over a secure channel.
Note: If you experience difficulty logging into DbProtect and connecting to
DbProtect, you may need to troubleshoot the Java Runtime Environment
(JRE) security settings on your Internet Explorer 6 or greater web browser. For
more information on a workaround, see Appendix N: Troubleshooting the
Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and
Greater.
Another possible solution is to clear your Java cache. For more information,
see Appendix Q: Clearing Your Java Cache.
Step 2: Click the OK button.
FIGURE: Console login page
Do the following:
• In the Username: field, enter your DbProtect user name.
• In the Password: field, enter your DbProtect password.
• Use the Domain: drop-down to select your domain, or manually enter a domain
in the Domain: field.
Caution! If you cannot log in, it may be because you have not entered your
full-qualified domain name in the Domain: field. If you need help determining
your full-qualified domain name, see Appendix O: Determining Your
NetBIOS Name and Your Full-Qualified Domain Name.
Note: DbProtect is designed to use only Secure Sockets Layer (SSL) communication,
which encrypts your user name and credentials prior to transmission to
DbProtect. DbProtect then uses the Windows Authentication subsystem to
verify the credentials.
Use the Log into: drop-down to log into:
• DbProtect AppRadar and display the AppRadar Console (i.e., the DbProtect
AppRadar-specific part of the Console)
• DbProtect AppDetective to display the AppDetective Console (i.e., the
DbProtect AppDetective-specific part of the Console).
For more information on using DbProtect AppDetective and DbProtect AppRadar,
see the DbProtect User’s Guide.
Chapter 6 - Uninstalling the DbProtect Components
This chapter explains how to uninstall the following DbProtect components: the
Console, Sensors, and Scan Engines.
What you will find in this chapter:
• Uninstalling the Console
• Uninstalling and Unregistering a Sensor
• Uninstalling a Scan Engine.
Uninstalling the Console
This section provides uninstallation steps for the Console.
What you will find in this section:
• Important back-end database deletion considerations
• ASAP Updater uninstallation considerations
• Uninstalling the Console.
Important back-end database deletion considerations
If you originally installed the Console with the option of using MSDE as your back-end
database (for more information, see DbProtect suite management components -
installation steps), then your MSDE instance is automatically removed during the
uninstallation of the Console.
However, if you originally installed the Console with the option of using SQL Server as
your back-end database (for more information, see DbProtect suite management
components - installation steps), then the uninstallation wizard will prompt you to
delete the DbProtect AppRadar database from the instance. In this case, you should
delete the database only if you no longer need the data it contains.
If you are uninstalling the Console with the intention of re-installing it later on a
different server, you should back-up your SQL Server back-end database before you
begin un-installing the Console. Then you can restore the SQL Server back-end
database to whichever instance you select after you re-install the Console elsewhere.
For more information, see the DbProtect Administrator’s Guide.
ASAP Updater uninstallation considerations
In addition to uninstalling the Console, the uninstallation process also automatically
uninstalls the ASAP Updater utility unless there is at least one other Application
Security, Inc.-registered product also installed on the server (for example,
AppDetectivePro).
Uninstalling the Console
You can uninstall the Console from the Start Menu or from the Control Panel. This
topic consists of the following sub-topics:
• Before you uninstall the Console
• Uninstalling the Console from the Start Menu
• Uninstalling the Console from the Control Panel.
BEFORE YOU UNINSTALL THE CONSOLE
Before you uninstall the Console, do the following:
Step 1: Unregister all Sensors from within DbProtect before uninstalling the Console.
Unregistering a Sensor brings the Sensor back to its original install state, allowing
you to register the Sensor again with the Console. For more information, see
Uninstalling and Unregistering a Sensor.
Step 2: If you have registered a Sensor to monitor the APPSECINCCONSOLE instance,
uninstall the Sensor before uninstalling the Console.
Caution! Failure to uninstall the Sensor before uninstalling the Console can result in
the inability to reinstall the Console later, because the
APPSECINCCONSOLE instance may be running at that time.
Step 3: If you are uninstalling the Console with the intention of re-installing it later on a
different server, you should back-up your SQL Server back-end database before you
begin un-installing the Console. Then you can restore the SQL Server back-end
database to whichever instance you select after you re-install the Console
elsewhere. For more information on backing up your back-end database, see the
DbProtect Administrator’s Guide.
UNINSTALLING THE CONSOLE FROM THE START MENU
To uninstall the Console from the Start Menu:
Step 1: Choose Start > AppSecInc > DbProtect > Uninstall DbProtect to display the
uninstallation wizard.
Step 2: Follow the prompts.
Note: If you encountered an MSDE error message during installation -- and you
chose to continue the installation -- a message may display during
uninstallation informing you a package was not found. Click the OK button
and disregard the message.
Caution! If you originally installed the Console with the option of using SQL Server
as your back-end database, then the uninstallation wizard prompts you to
delete the Console database from the instance. In this case, you should
delete the database only if you no longer need the data it contains. For
more information, see the DbProtect Administrator’s Guide.
Step 3: A message informs you when the uninstallation is complete. Click the Finish button.
UNINSTALLING THE CONSOLE FROM THE CONTROL PANEL
To uninstall the Console from the Control Panel:
Step 1: Choose Start > Control Panel to display the Control Panel.
Step 2: Double click the Add or Remove Programs icon.
Step 3: Select DbProtect.
Step 4: Click the Change/Remove button.
Step 5: Follow the prompts.
Caution! If you originally installed the Console with the option of using SQL Server
as your back-end database, then the uninstallation wizard prompts you to
delete the Console database from the instance. In this case, you should
delete the database only if you no longer need the data it contains. For
more information, see the DbProtect Administrator’s Guide.
Note: If you encountered an MSDE error message during installation -- and you
chose to continue the installation -- a message may display during
uninstallation informing you a package was not found. Click the OK button
and disregard the message.
Step 6: A message informs you when the uninstallation is complete. Click the Finish button.
Uninstalling and Unregistering a Sensor
This section provides uninstallation and unregistration (including forced
unregistration) steps for a Sensor.
What you will find in this section:
• Uninstallation vs. unregistration
• Uninstalling a Sensor (on Windows)
• Uninstalling a Host-Based Sensor for Oracle (on a *nix platform)
• Uninstalling a Host-Based Sensor for DB2 (on a *nix platform)
• Unregistering a Sensor.
Uninstallation vs. unregistration
DbProtect AppRadar allows you to uninstall and/or unregister your Sensors. The key
differences between uninstallation and unregistration follow:
• Unregistration removes the Sensor from the Console, but does not remove the
Sensor from the host where it is installed.
• Uninstallation removes the Sensor from the server where it is installed, but does
not remove the Sensor from the Console where it may have been registered
(assuming the Sensor was not unregistered before it was uninstalled).
Uninstalling a Sensor (on Windows)
Note: Unregister all Sensors from within DbProtect before uninstalling the
Console or Sensors. Unregistering a Sensor brings the Sensor back to its
original install state, allowing you to register the Sensor again with
DbProtect. For more information, see Unregistering a Sensor.
You can uninstall any host-based or network-based Sensor (installed on Windows) from
the Start Menu or the Control Panel.
What you will find in this help topic:
• Uninstalling a Sensor (on Windows) from the Start Menu
• Uninstalling a Sensor (on Windows) from the Control Panel.
UNINSTALLING A SENSOR (ON WINDOWS) FROM THE START MENU
To uninstall a Sensor (on Windows) from the Start Menu:
Step 1: Choose Start > AppSecInc > DbProtect AppRadar > Uninstall AppRadar Sensor to
display the uninstallation wizard.
Step 2: Follow the prompts.
Step 3: A message informs you when the uninstallation is complete. Click the Finish button.
UNINSTALLING A SENSOR (ON WINDOWS) FROM THE CONTROL PANEL
To uninstall a Sensor (on Windows) from the Control Panel:
Step 1: Choose Start > Control Panel to display the Control Panel.
Step 2: Double click the Add or Remove Programs icon.
Step 3: Select AppRadar Sensor.
Step 4: Click the Change/Remove button.
Step 5: Follow the prompts.
Step 6: A message informs you when the uninstallation is complete. Click the Finish button.
Uninstalling a Host-Based Sensor for Oracle (on a *nix platform)
To uninstall a host-based Sensor for Oracle (on a *nix platform):
Step 1: If you installed a DDL trigger, use remove.sql (located in <Sensor Install
Directory>/ASIappradar/sensor/java) to remove it.
Step 2: If you turned on native auditing for failed logins, do the following (if necessary):
• Modify the audit_trail value in the pfile init.ora file
• Truncate the dba_audit_session table.
Step 3: Unregister the host-based Sensor for Oracle; for more information, see Uninstalling
and Unregistering a Sensor.
Step 4: Stop the host-based Sensor for Oracle; for more information, see Starting and
stopping the Sensors in the DbProtect User’s Guide or DbProtect Administrator’s
Guide.
Step 5: Delete the installation directory of the host-based Sensor for Oracle.
Uninstalling a Host-Based Sensor for DB2 (on a *nix platform)
To uninstall a host-based Sensor for DB2 (on a *nix platform):
Step 1: Unregister the host-based Sensor for DB2; for more information, see Uninstalling
and Unregistering a Sensor.
Step 2: Stop the host-based Sensor for Oracle; for more information, see Starting and
stopping the Sensors in the DbProtect User’s Guide or DbProtect Administrator’s
Guide.
Step 3: Delete the installation directory of the host-based Sensor for DB2.
Unregistering a Sensor
When you unregister a Sensor via the Sensor Manager, the Sensor stops sending
messages and Alerts. Unregistration returns the Sensor to its original, unconfigured
installation state -- but it is not removed.
Note: An unregistered Sensor continues to log events to a notification file
(appradar_app.txt located in the Sensor’s log directory), but only
whether the Sensor is “up” or “down”.
You can forcibly unregister a Sensor in the rare event it does not respond to an
unregistration request via the Sensor Manager.
What you will find in this help topic:
• Unregistering a Sensor via the Sensor Manager
• Forcibly unregistering a Sensor (if unregistration via the Sensor Manager fails).
UNREGISTERING A SENSOR VIA THE SENSOR MANAGER
To unregister a Sensor via the Sensor Manager:
Step 1: Log into the Console and select AppRadar.
Step 2: Do one of the following to display the Sensor Manager:
• Click the Sensors - Manage Sensor workflow link on the Home page.
• Click the Sensors tab from anywhere on the page.
FIGURE: Sensor Manager
Highlight a registered Sensor, and click the Unregister button. An unregistration
confirmation pop-up displays.
Step 3: FIGURE: Unregistration confirmation pop-up
Click the Yes button. DbProtect unregisters your Sensor.
Note: If unregistration is unsuccessful, DbProtect prompts you to let it attempt a
forced unregistration; for more information, see Forcibly unregistering a
Sensor (if unregistration via the Sensor Manager fails).
FORCIBLY UNREGISTERING A SENSOR (IF UNREGISTRATION VIA THE SENSOR MANAGER FAILS)
You can forcibly unregister a Sensor in the rare event it does not respond to an
unregistration request via the Sensor Manager.
To forcibly unregister a Sensor:
Step 1: Do the following (in any order):
• On the Sensor Manager, click the Yes button when you are prompted to forcibly
unregister a Sensor.
• Run force_unregister.bat (on Windows) or force_unregister (on *nix
platforms) on the Sensor's host, located by default in the following directories:
-On Windows installations: <Sensor Install
Directory>\AppSecInc\AppRadar Sensor\utils
-On *nix installations: <Sensor Install Directory>/
ASIappradar/sensor/util
Your Sensor is forcibly unregistered.
Note: You can register the Sensor again, if necessary; for more information, see the
DbProtect User’s Guide.
Uninstalling a Scan Engine
This section provides uninstallation steps for a Scan Engine.
What you will find in this section:
• Unregistering a Scan Engine
• Uninstalling a Scan Engine.
Unregistering a Scan Engine
When you unregister a Scan Engine, you return the Scan Engine to its original,
unconfigured installation state -- but it is not removed.
Note: You should unregister your Scan Engine before you uninstall it.
To unregister a Scan Engine:
Step 1: Log into DbProtect and select AppDetective.
Step 2: Click the Scan Engines button on the toolbar.
Step 3: Do one of the following to unregister a Scan Engine:
• Choose Scan Engines > Unregister from the menu.
• Right click a Scan Engine in the Scan Engines portion of the Scan Engines page,
and choose Unregister.
Step 4: The Confirm Unregister pop up prompts you to confirm the unregistration. Click the
Yes button.
Step 5: DbProtect unregisters your Scan Engine.
Uninstalling a Scan Engine
You can uninstall a Scan Engine from the Control Panel.
Note: You should unregister a Scan Engine before you uninstall it; for more
information, see Unregistering a Scan Engine.
To uninstall a Scan Engine:
Step 1: Choose Start > Control Panel to display the Control Panel.
Step 2: Double click the Add or Remove Programs icon.
Step 3: Select AppDetective Scan Engine.
Step 4: Click the Change/Remove button.
Step 5: Follow the prompts.
Step 6: A message informs you when the uninstallation is complete. Click the Finish button.
Chapter 7 - Installation Troubleshooting
This chapter provides answers to some troubleshooting questions.
What you will find in this chapter:
• How do I contact Customer Support?
• How can I watch (or "tail") my log files?
• What happens if I uninstall the SQL Server instance a Sensor is monitoring?
• I uninstalled DbProtect without unregistering my Sensors. What can I do so I
can register my Sensors again without reinstalling them?
• How can I find out my SQL Server virtual server name?
• How can I review the audit events in a log file?
• The DbProtect or Sensor service failed to start, and when I look at the
DbProtect or Sensor log file located in the log directory, they indicate a "bind
to port" error. What should I do?
• My Sensor is using a Policy with only the Select from User Table Rule enabled. I
executed a SQL DELETE statement against my database, and the Select from
User Table Rule fired. Why?
• Are there any firewall issues I should consider?
• Do I require domain administrator rights after I install a Sensor on a Cluster?
• Is a Windows account created when I install a Sensor on SQL Server?
• Are any accounts created within SQL Server?
• I see my Sensor listed as timed out in the Sensor Manager. What can I do to
reactivate my Sensor?
• What should I do if the following error message displays: “Error Occurred. The
DbProtect database is not available at the moment. Please retry your request
later.”?
• What should I do if I’m not receiving any Alerts?
• Why am I displaying a blank page on the UI?
• How do I change my IPC port number?
How do I contact Customer Support?
A: Email support@appsecinc.com; for more information, see What should I do if I’m
not receiving any Alerts?.
How can I watch (or "tail") my log files?
A: DbProtect provides a tail program if you wish to watch the Sensor and DbProtect
log files. To watch the:
• Sensor log file, execute the tailSensor.bat file, stored in C:\<DbProtect
Installation Folder>\AppSecInc\AppRadar Sensor\utils
• DbProtect log file, execute the tailconsole.bat file, stored in C:\<DbProtect
Installation Folder>\AppSecInc\DbProtect\GUI\util.
What happens if I uninstall the SQL Server instance a Sensor is monitoring?
A: The Sensor will not receive any new Alerts. You should unregister the Sensor first,
then uninstall it. For more information on unregistering a Sensor, see the DbProtect
User’s Guide. For more information on uninstalling a Sensor, see Uninstalling and
Unregistering a Sensor.
Alternately, you can reconfigure your Sensor to monitor another database instance.
For more information on reconfiguring a Sensor, see the DbProtect User’s Guide.
I uninstalled DbProtect without unregistering my Sensors. What can I do so I can
register my Sensors again without reinstalling them?
A: Application Security, Inc. provides a Sensor reset batch file
(force_unregister.bat on Windows and force_unregister on Unix) with each
Sensor installation. The file is located in the utils folder of the Sensor installation
directory (c:\<DbProtect Installation Folder>\AppSecInc\AppRadar
Sensor\utils\force_unregister.bat). When you execute the batch file, it resets
the Sensor to its original settings. You can then register the Sensor again.
How can I find out my SQL Server virtual server name?
A: You can find the SQL_virtual_server_name in the Cluster Administrator, located
in the cluster's Resources folder. To display: right click the SQL Network Name
Resource, and select Properties. In the dialog box that displays, click the Parameters
tab. Your SQL_virtual_server_name displays in the Name field.
How can I review the audit events in a log file?
A: The log file (appradar_notifications.txt) is stored in c:\<DbProtect
Installation Folder>\AppSecInc\AppRadar Sensor\logs. Optionally, you can
specify a different target location on this page. Audit logs, when configured to go to a
file, are in the \logs sub-folder in the Sensor installation directory; for more
information, see Installing and Starting/Stopping the Sensors.
The DbProtect or Sensor service failed to start, and when I look at the DbProtect or
Sensor log file located in the log directory, they indicate a "bind to port" error. What
should I do?
A: Make sure no other application is using the ports you specified during installation
of the Sensor and DbProtect. Restart the service after you’ve shut down any software
that is using or blocking the ports.
My Sensor is using a Policy with only the Select from User Table Rule enabled. I
executed a SQL DELETE statement against my database, and the Select from User
Table Rule fired. Why?
A: When SQL Server executes a DELETE statement, its underlying engine first does a
SELECT statement on the target table before proceeding with the deletion.
Are there any firewall issues I should consider?
A: The Console UI is accessible via HTTPS on port 20080. You can allow all machines,
certain machines, or no machines to have access from outside your firewall. In the
latter case, only machines inside the firewall can access the Console UI. This is
completely at your discretion, but for convenience Application Security, Inc.
recommends you at least allow users to connect from their desktop machines.
DbProtect has its own method of authentication and using a firewall is not required to
restrict access.
The Message Collector component of DbProtect “listens” for HTTPS traffic on port
20081, which the Sensor uses to send Alerts. Application Security, Inc. recommends
you disallow all traffic to that port except from the Sensors.
Sensors listen on port 20000 for HTTPS traffic from DbProtect unless you configure
them differently during installation, or you change the port number in the sensor.xml
and sensor_original.xml files; for more information, see Installing and Starting/
Stopping the Sensors.
No other machines should be permitted to connect to the Sensors.
Do I require domain administrator rights after I install a Sensor on a Cluster?
A: No. For more information on installing Sensors on a SQL Server Cluster, see
Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster.
Is a Windows account created when I install a Sensor on SQL Server?
A: No.
Are any accounts created within SQL Server?
A: No.
I see my Sensor listed as timed out in the Sensor Manager. What can I do to
reactivate my Sensor?
A: When a Sensor times out, it means DbProtect is unable to communicate with it.
Do the following:
• The Sensor may be under heavy load. Wait two minutes and check again.
• Determine if the IP address of either DbProtect or the Sensor has changed
since you registered the Sensor. If either one has, change the IP address back to
its original value, or, if that’s not possible, unregister and register the Sensor.
For more information on unregistering a Sensor, see the DbProtect
Administrator’s Guide. For more information on manually removing a Sensor, if
necessary, see Uninstalling and Unregistering a Sensor.
• Use your ping utility to verify your DbProtect machine can communicate with
your Sensor machine.
• On the Sensor machine, ensure the AppRadar Sensor service is running. If the
service was stopped, try starting it again; for more information on starting and
stopping DbProtect services, see the DbProtect Administrator’s Guide.
• Verify that you have correctly configured any firewalls between DbProtect and
the Sensor; for more information, see Are there any firewall issues I should
consider?.
• Make sure the following services are running:
-DbProtect Console
-Message Collector
-The database instance that DbProtect uses, i.e., MSSQL$APPSECINCCONSOLE (if you
are using an MSDE 2000 database), MSSQL$(YourInstanceName), or MSSQL
(default instance).
For more information on starting and stopping DbProtect services, see the
DbProtect Administrator’s Guide.
• Check the dbprotect.log file for errors; for more information, see Appendix
H: DbProtect Log Files.
• Email support@appsecinc.com; for more information, see What should I do if
I’m not receiving any Alerts?
What should I do if the following error message displays: “Error Occurred. The
DbProtect database is not available at the moment. Please retry your request later.”?
A:
• Make sure the database instance that DbProtect uses (i.e.,
MSSQL$APPSECINCCONSOLE) is running, and make sure the database credentials
you specified during installation are correct. For more information on starting
and stopping DbProtect services, see the DbProtect Administrator’s Guide. For
more information on DbProtect component installation, see Chapter 5 - Installing
the DbProtect Components and Logging Into the Console.
• Email support@appsecinc.com; for more information, see What should I do if
I’m not receiving any Alerts?.
What should I do if I’m not receiving any Alerts?
A: If you’re not receiving any Alerts, make sure you have:
• met all of the minimum system requirements, including required patches and
permissions; for more information, see Chapter 3 - Minimum System
Requirements.
• properly installed your Sensor; for more information, see Installing and Starting/
Stopping the Sensors.
• properly connected to the Console; for more information, see the DbProtect
User’s Guide.
• no firewall issues that may be blocking communication between DbProtect and
your Sensors; for more information, see Are there any firewall issues I should
consider?
A: If you are still not receiving any Alerts, here are some Alert considerations:
• A security Alert is a notification of a monitored security event on the database
host or network. DbProtect fires an Alert when the criteria for the Rule in the
associated Policy are met (unless an exception or Filter prevents the Alert from
firing). The level of a security Alert is either High, Medium, or Low. For more
information on Policies, see the DbProtect User’s Guide.
• An Informational Alert (also known as an audit) is a record of standard database
activity. The level of an Informational Alert can be Info-1, Info-2, Info-3, or Info-4.
Note: The Alert Manager only displays security Alerts. It does not display
Informational Alerts. For more information, see the DbProtect User’s Guide.
If you want to view your Informational Alerts, you must run the Auditing Event
Summary Report or create a new report template that includes the Informational
risk level. For more information, see the DbProtect User’s Guide.
Note: The default settings for new report templates do not include Informational
Alerts.
• Alternately, you can view your most recent Informational Alerts via the
Dashboard; for more information, see the DbProtect User’s Guide.
• Informational Alerts may only show up every 15 minutes depending on the
configuration.
A: If you are still not receiving any Alerts, here are some Sensor considerations:
For network-based Sensors:
• Make sure you have properly configured your SPAN port; for more information,
see Network-based Sensor for Sybase, Oracle, and DB2 - installation steps.
• Ensure that your SPAN port is detecting network traffic. Do the following:
-On your Sensor machine, double click c:\<DbProtect Installation
Folder>\AppSecInc\AppRadar Sensor\utils\net_cfg_test.exe to display
the Network Configuration Test Tool.
-Use the drop-down to select the network card that is connected to your SPAN port.
The tool should display a list of servers which are either sending or receiving network
traffic.
-If this list does not include your database server, confirm you have correctly configured
the SPAN port.
• If your SPAN port is detecting network activity, verify you have properly
configured your network-based Sensor. Specifically, did you configure the
network-based Sensor with the correct IP address(es) and port(s)?
• For Oracle, is the network-based Sensor configured with the correct SID and
service name?
For more information, see the DbProtect User’s Guide.
For host-based Sensors:
• Is the host-based Sensor pointing to the correct database?
• Is the database active right now?
For more information, see the DbProtect User’s Guide.
• Are you specifically not receiving DDL Alerts? Open the appsensor.log. See if
it contains the following error message.
[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open
] Error opening port ( LINE 49, FILE ipc_server.cpp )
If so, this means the IPC port is already in use. As a workaround, you must
change the IPC port. For more information, see How do I change my IPC port
number?.
A: If you are still not receiving any Alerts, here are some Policy considerations:
• What Policy did you deploy?
• Will the deployed Policy fire Alerts based on the database events you want to
monitor?
• Edit the deployed Policy. Change a rule to display a common, Informational
Alert event (i.e., Info-1, Info-2, Info-3, or Info-4) as a Low event, i.e., an event
that will trigger a Low security Alert and display in the Alert Manager; for more
information, see the DbProtect User’s Guide.
Then, go to the Alert Manager to see if a Low security Alert displays; for more
information, see the DbProtect User’s Guide.
A: If you are still not receiving any Alerts, here are some SSL-related considerations:
• Is the time the same on the DbProtect and the Sensor machines? Time zone
differences are acceptable as long as both machines represent the same point
in time (within a few minutes).
• Has the IP address or hostname of the DbProtect or the Sensor machine
changed recently? If so, un-register and re-register the Sensor. You may need to
forcibly unregister the Sensor.
A: Finally, if you are still not receiving any Alerts, contact Application Security, Inc.
Customer Support.
Execute the collectinfo.bat files on both your DbProtect and Sensor machines.
On your DbProtect machine, you must execute two, separate collectinfo.bat files
(one for the MessageCollector service, and one for the GUI). These collectinfo.bat
files are located in the following folders:
• c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\utils
• c:\<DbProtect Installation Folder>\DbProtect\MessageCollector\util.
Executing these .bat files creates a .zip file in each folder, i.e., one for the
MessageCollector service, and one for the GUI.
Caution! The GUI and MessageCollector.zip files are both named
AppsecIncConsole.zip. Re-name one before sending to
Application Security, Inc. Customer support.
On your Sensor machine, execute the collectinfo.bat files located here:
C:\<DbProtect Installation Folder>\DbProtect\GUI\util. Executing this .bat
file creates a .zip file (one for each Sensor). This .zip file contains configuration and
log files which allow Application Security, Inc. Customer Support to troubleshoot your
issue.
Attach all three generated .zip files (i.e., two from your DbProtect machine and one
from your Sensor server) to an email, and send to support@appsecinc.com for
analysis.
Why am I displaying a blank page on the UI?
A: You must enable Javascript on your web browser.
How do I change my IPC port number?
A: Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers
explains how to configure DDL triggers in the host-based Sensor for Oracle. After you
start the host-based Sensor for Oracle you may notice you are not receiving any DDL
Alerts. Open the appsensor.log. See if it contains the following error message.
[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open ] Error opening port ( LINE 49, FILE ipc_server.cpp )
If so, this means the IPC port is already in use. As a workaround, you must change the
IPC port. Complete the following steps:
Step  Action
1  Open the sensor.xml and sensor_original.xml files located in
   <installation dir>/ASIappradar/sensor/conf.
2  Change the following line to a different port number:
   <ipc port="7777"></ipc>
3  Re-start the host-based Sensor for Oracle; for more information, see the DbProtect
   Administrator’s Guide.
   Note: If the host-based Oracle Sensor was already registered, you must unregister it
   and re-register it. For more information, see Uninstalling and Unregistering a
   Sensor (in this guide) and Registering a Sensor in the DbProtect User’s Guide.
   You may also need to re-configure and re-deploy your host-based Sensor for
   Oracle. If it’s already configured, you should note the current configuration
   setup in order to re-configure your re-registered host-based Sensor for Oracle
   to match the original configuration. For more information, see the DbProtect
   User’s Guide.
4  Edit <installation dir>/ASIappradar/sensor/add.sql to change the
   port. Specifically, edit the second parameter on the line, which should look like this:
   sys.asi_writeEvent(100079, 7777, ...
   If you:
   • already ran add.sql, first run remove.sql in that same directory, then run
     add.sql
   • haven't already run add.sql, do so now.
Appendices
What you will find in this chapter:
• Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster
• Appendix B: What Are the MSDE Lockdown Scripts Doing During the
Installation of DbProtect?
• Appendix C: Modifying the Sensor Listener Port Number
• Appendix D: Network Ports Used by DbProtect
• Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers
• Appendix F: Modifying the "Log On As" User for the AppRadar Sensor and
DbProtect Message Collector Services
• Appendix G: DB2 Administrative Client Driver Installation
• Appendix H: DbProtect Log Files
• Appendix I: Using App DSN, the Repair ODBC Utility
• Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins
• Appendix K: Required Client Drivers for Audits
• Appendix L: Required Audit Privileges
• Appendix M: Auditing SQL Server (Using Windows Authentication) Against a
Machine on a Different or Untrusted Domain
• Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security
Settings on Internet Explorer 6 and Greater
• Appendix O: Determining Your NetBIOS Name and Your Full-Qualified Domain
Name
• Appendix P: Monitoring Multiple Instances on a DB2 Server
• Appendix Q: Clearing Your Java Cache.
Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster
This appendix explains how to configure DbProtect in a Clustered environment.
Note: DbProtect allows you to build one (or multiple) database instances within
one (or multiple) virtual servers. For more information, see Installing
DbProtect in a SQL Server Cluster (single instance) and Installing
DbProtect in a SQL Server Cluster (multiple instances), respectively.
In this appendix:
• Assumptions
• Working with a SQL Server Cluster (DbProtect installed on a single instance)
• Working with a SQL Server Cluster (DbProtect installed on multiple instances).
Assumptions
This appendix assumes you:
• have a strong working knowledge of implementation and administration of
Windows and SQL Server Clustering
• have a Windows Cluster configured with SQL Server in a Cluster Group
• are logged in as a user with both domain and SQL Server administrative
privileges
• your shared drive (referred to as X:, in this paper) is currently located in the
same Resource Group as the Virtual SQL Server instance your Sensor will
monitor (applies to single instance installations only)
• all necessary Cluster resources are currently online, and you have identified the
Cluster’s Active Node (applies to single instance installations only)
• are working with multiple virtual servers, each one containing at least one
database instance (applies to multiple instance installations only).
Working with a SQL Server Cluster (DbProtect installed on a single instance)
This topic explains how to install/uninstall DbProtect on a single instance of a SQL
Server Cluster.
What you will find in this help topic:
• SQL Server Cluster diagram (single instance)
• Installing DbProtect in a SQL Server Cluster (single instance)
• Upgrading DbProtect in a SQL Server Cluster (single instance)
• Uninstalling DbProtect in a SQL Server Cluster (single instance).
SQL SERVER CLUSTER DIAGRAM (SINGLE INSTANCE)
The following diagram displays a SQL Server Cluster setup, where the Sensor files are
installed on a shared drive. The AppRadar Sensor service is installed on each Node.
FIGURE: SQL Server Cluster diagram (single instance)
INSTALLING DBPROTECT IN A SQL SERVER CLUSTER
(SINGLE INSTANCE)
To install a single instance of DbProtect in a SQL Server Cluster:
Step  Action
1  Open the Cluster Administrator and determine which Node is Active, i.e., the owner
   of the SQL Server Cluster Resource.
2  Log in to the Active Node.
3  Install a Sensor on the shared drive (X:); for more information, see Installing and
   Starting/Stopping the Sensors.
   Note: When installing a host-based Sensor for SQL Server, you must install the
   Sensor on your shared drive, not in the default location.
   Also, when initializing a host-based Sensor for SQL Server, note whether you
   select Existing domain user or the “Local System” Account. You will need this
   information in Step 7, below.
   Result: The Sensor files are copied to your shared drive (X:), and a service called
   AppRadar Sensor is created, pointing to the DbProtect .exe file on your shared
   drive (X:).
4  Since the AppRadar Sensor service is only installed on the Active Node (Node A) at
   this point, you must also install the service on the other Node (Node B) in your
   Cluster.
   Use the Cluster Administrator to change ownership to the Node where you need to
   install the AppRadar Sensor service (i.e., Node B).
5  Log in to the new Active Node (e.g., Node B), i.e., the owner of the resources. Make
   sure it has access to the shared drive (X:).
6  Open a command prompt and go to the bin directory where you installed the
   Sensor in Step 3, e.g., c:\<DbProtect Installation
   Folder>\AppSecInc\AppRadar Sensor\bin.
7  Run the following command:
   appradar_sensor -i 3 -S "user" -P "password"
   where "user" and "password" specify the logon account used to run the service.
   Note: The local system account does not require a password.
   Examples:
   appradar_sensor -i 3 -S ".\LocalSystem"
   or
   appradar_sensor -i 3 -S "DomainName\DomainUser" -P "password"
8  Repeat Steps 4-7 for other Nodes in the Cluster.
9  From the Active Node, open the Cluster Administrator and locate the Group with
   the shared drive and SQL Server resources.
10 Choose File > New > Resource to display the New Resource dialog box.
11 Add a new Resource to the same Group to which the shared drive (X:) belongs.
   • Enter a name in the Name field, e.g., DbProtect
   • Under Resource Type, select Generic Service.
   • Select a Group type from the drop-down.
   Note: The correct Group may (or may not) already display in the Group field as the
   default selection; it depends how you configured the Cluster and where you
   installed the Sensor. Regardless, you must select the Group that contains the
   shared drive (X:)
   • Optionally, you can enter a Description.
   • Do not check Run this Resource in a separate Resource monitor.
   • Click the Next button.
   Result: The Possible Owners dialog box displays.
12 • Verify all your Nodes in the Cluster display in the Possible owners: box. All your
     Nodes must display in this list. If necessary, add a possible owner from the
     Available Nodes list.
   • Click the Next button to display the Dependencies dialog box.
13 • Move the shared drive (X:), the SQL Server, and the virtual IP address from the
     Available resources: box to the Resource dependencies: box.
   • Click the Next button to display the Generic Service Parameters dialog box.
14 Specify the following parameters:
   • In the Service name: field enter AppSecInc_AppSensor
   • Leave the Start parameters: field blank.
   • Do not check Use Network Name for computer name.
   • Click the Next button to display the Registry Replication dialog box.
15 Click the Finish button. The Resource (DbProtect, which you named in Step 11,
   above) displays in the Resource Group in the Cluster Administrator. The Resource is
   initially Offline (in the State column).
16 Right click your new Resource (DbProtect) and select Bring Online to bring your
   new Resource online.
17 Prevent the DbProtect Resource from causing an entire group to failover.
   • Do the following:
     - Open the Cluster Administrator.
     - Right click the Resource.
     - Select Properties.
   • Select the Advanced tab.
   • Uncheck Affect The Group.
   When the DbProtect Resource fails over, it does not impact the other resources in
   that group. On the other hand, when other resources in the group failover (e.g., the
   disk or SQL Server), the DbProtect Resource also fails over because other
   Resources in the group still have the Affect The Group option enabled.
Note:
For more information on how to register a Sensor, and on how to configure
and deploy a Sensor, see the DbProtect User’s Guide.
UPGRADING DBPROTECT IN A SQL SERVER CLUSTER
(SINGLE INSTANCE)
Note:
This topic only applies to single instance SQL Server Cluster installations.
For multiple instance installations, see the DbProtect Administrator’s
Guide.
To upgrade DbProtect in a Cluster:
Step  Action
1  Go to the Node where you initially ran the installer in Installing DbProtect in a SQL
   Server Cluster (single instance), and ensure this is the Active Node (i.e., Node A).
2  Take the DbProtect Resource offline. You can:
   • Open the Cluster Administrator.
   • Right click the DbProtect Resource.
   • Select Take Offline.
   Or, you can:
   • Open the Cluster Administrator.
   • Highlight the DbProtect Resource.
   • Choose File > Take Offline.
3  Run the Sensor installer from Node A (it should automatically detect that it needs to
   perform an upgrade install rather than a new install). You can also perform an ASAP
   Update from Node A; for more information on ASAP Updates, see the DbProtect
   Administration Guide.
4  Bring the DbProtect Resource back online. You can:
   • Open the Cluster Administrator.
   • Right click the DbProtect Resource.
   • Select Bring Online.
   Or, you can:
   • Open the Cluster Administrator.
   • Highlight the DbProtect Resource.
   • Choose File > Bring Online.
UNINSTALLING DBPROTECT IN A SQL SERVER CLUSTER
(SINGLE INSTANCE)
Note:
For multiple instance installations, you must uninstall the Sensor on each
Node. For more information, see Chapter 6 - Uninstalling the DbProtect
Components.
Uninstalling DbProtect in a SQL Server Cluster is somewhat more complex than a
standard DbProtect uninstallation.
Note:
You must perform the uninstallation steps in the order specified, or you will
not have a “clean slate”.
There are two prerequisites:
• Node B must start out as the Active Node; if it is not already the Active Node,
simulate a failover to create this condition.
• If you registered/configured the clustered Sensor via the UI, you should first
unregister it via the UI prior to uninstallation; for more information, see the
DbProtect User’s Guide.
To uninstall DbProtect in a SQL Server Cluster:
Step  Action
1  Take the DbProtect Resource offline.
   Steps 9-16 in Installing DbProtect in a SQL Server Cluster (single instance) explain
   how to create a Resource. You must take this Resource offline prior to uninstallation.
   To take the Resource offline:
   • Open the Cluster Administrator.
   • Right click the Resource.
   • Select Take Offline.
   Or, you can:
   • Open the Cluster Administrator.
   • Highlight the Resource.
   • Choose File > Take Offline.
2  With the secondary Node (i.e., Node B) the Active Node, delete the AppRadar
   Sensor service from this Node.
   • Open a command prompt on the Node where you installed the Sensor manually
     (i.e., Node B).
   • Go to the bin directory of the shared drive where you installed the Sensor in
     Step 3 of Installing DbProtect in a SQL Server Cluster (single instance), e.g.,
     c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\bin.
   • Run the following command: appradar_sensor -u.
   • Press <ENTER>.
   The AppRadar Sensor service is uninstalled on the secondary Node.
3  Delete the DbProtect Resource via the Cluster Administrator.
   To delete the DbProtect Resource:
   • Open the Cluster Administrator.
   • Right click the Resource.
   • Select Delete.
   Or, you can:
   • Open the Cluster Administrator.
   • Highlight the Resource.
   • Choose File > Delete.
4  Make Node A your Active Node.
   • Open the Cluster Administrator.
   • Right click the SQL Server Resource.
   • Select Initiate Failure.
   Or, you can:
   • Open the Cluster Administrator.
   • Highlight the Resource.
   • Choose File > Initiate Failure.
   Note: You must perform these steps four times before the simulated failover actually
   occurs.
5  Uninstall the Sensor from Node A.
   • Go to the Node where you installed the Sensor (i.e., Node A, which is now the
     Active Node).
   • Uninstall the Sensor; for more information, see Chapter 6 - Uninstalling the
     DbProtect Components.
6  At this point, the AppRadar Sensor service should no longer be running or present,
   and the SQL Server Cluster should be both online and functioning normally.
Working with a SQL Server Cluster (DbProtect installed on multiple instances)
This topic explains how to install/uninstall DbProtect on a Cluster consisting of
multiple virtual servers, each with at least one instance of SQL Server. It consists of the
following sub-topics:
• SQL Server Cluster diagram (multiple instances)
• Installing DbProtect in a SQL Server Cluster (multiple instances)
• Upgrading DbProtect in a SQL Server Cluster (single instance)
• Uninstalling DbProtect in a SQL Server Cluster (multiple instances).
SQL SERVER CLUSTER DIAGRAM (MULTIPLE INSTANCES)
The following diagram displays a SQL Server Cluster setup, where the Sensor is
installed on multiple Cluster Nodes.
FIGURE: SQL Server Cluster diagram (multiple instances)
INSTALLING DBPROTECT IN A SQL SERVER CLUSTER
(MULTIPLE INSTANCES)
DbProtect allows you to build multiple database instances within one (or multiple)
virtual servers.
To install DbProtect on a Cluster consisting of multiple virtual servers, each with at
least one instance of SQL Server:
Step  Action
1  Install a Sensor on each Node in your SQL Server Cluster. For more information, see
   the Installing and Starting/Stopping the Sensors.
2  In a multiple instance installation, you must register each Sensor using the Node's
   hostname or IP address, not the virtual host or IP address.
   Example: Using the diagram in SQL Server Cluster diagram (single instance) as an
   example, register one Sensor as IP address 192.168.0.1 (Node A), and the other
   Sensor as IP address 192.168.0.2 (Node B).
   For more information on registering a Sensor, see Registering a Sensor in the
   DbProtect User’s Guide.
3  When you install multiple instances of DbProtect in a SQL Server Cluster, you must
   configure and deploy each Sensor.
   Note: For more information on configuring a Sensor, see Configuring an AppRadar
   Sensor and Deploying the Configuration Information.
   DbProtect does not allow you to use the same database instance alias twice, so you
   must use aliases like:
   • MySQLServerInstance1_Node1 and MySQLServerInstance2_Node1 on
     the first Sensor
   • MySQLServerInstance1_Node2 and MySQLServerInstance2_Node2 on
     the second Sensor
   • And so on.
   Note: Alerts will appear as if they come from a different database instance if your
   primary Node fails over to the secondary Node.
UPGRADING DBPROTECT IN A CLUSTER (MULTIPLE
INSTANCES)
For more information on multiple instance upgrades, see the DbProtect
Administrator’s Guide.
UNINSTALLING DBPROTECT IN A SQL SERVER CLUSTER
(MULTIPLE INSTANCES)
For multiple instance installations, you must uninstall the Sensor on each Node. For
more information, see Uninstalling and Unregistering a Sensor.
Appendix B: What Are the MSDE Lockdown Scripts Doing During the Installation
of DbProtect?
The MSDE lockdown scripts protect the MSDE instance from known security
vulnerabilities. The MSDE lockdown scripts only run if you select MSDE as an
installation option when you install the Console; for more information, see DbProtect
suite management components - installation steps.
So what are the MSDE lockdown scripts doing ‘behind the scenes’ during the
installation of DbProtect? This appendix explains.
#   During installation of DbProtect, the lockdown scripts:
1   Tighten jobs procedures in case the SQL Agent service is activated. This prevents
    low-privileged users from submitting or managing jobs.
    REVOKE execute on msdb..sp_add_job FROM public
    REVOKE execute on msdb..sp_add_'jobs' FROM public
    REVOKE execute on msdb..sp_add_jobserver FROM public
    REVOKE execute on msdb..sp_start_job FROM public
2   Revoke the DTS package procedure from public.
    REVOKE execute on dbo.sp_enum_dtspackages FROM public
    REVOKE execute on dbo.sp_get_dtspackage FROM public
3   Tighten permissions on the web tasks table to prevent malicious users from creating
    or altering tasks.
    REVOKE ALL on msdb..mswebtasks FROM public
4   Tighten permissions on extended procedures that require heavy use but should not
    be allowed public access.
    REVOKE execute on sp_runwebtask FROM public
    REVOKE execute on sp_readwebtask FROM public
    REVOKE execute on sp_MSSetServerProperties FROM public
    REVOKE execute on sp_MScopyscriptfile FROM public
    REVOKE execute on sp_MSsetalertinfo FROM public
    REVOKE execute on xp_regread FROM public
    REVOKE execute on xp_instance_regread FROM public
5   Revoke guest access to msdb in order to keep any non-system administrators from
    accessing the database without explicit permissions.
    EXECUTE msdb..sp_revokedbaccess guest
6   Turn off the ability to allow remote access in order to prevent other SQL Servers
    from connecting to this server via RPC.
    EXECUTE sp_configure 'remote access', '0'
    RECONFIGURE WITH OVERRIDE
7   Increase the SQL Server log history threshold in order to maintain logs for a longer
    amount of time (defaulted to 365 days).
8   Remove any residual setup files (\sqldir\setup.iss - \winnt\setup.iss -
    \winnt\sqlstp.log) that may be lingering on the file system.
9   Revoke permission to select from syslogins from public. Only members of the
    sysadmin role should have permissions to perform any action on the syslogins table.
    REVOKE SELECT ON master.dbo.syslogins FROM public
10  Remove xp_cmdshell
    execute sp_dropextendedproc @functname='xp_cmdshell'
Appendix C: Modifying the Sensor Listener Port Number
Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from
DbProtect (e.g., reconfiguration or status requests) unless you configure them
differently during installation, or you change the port number in the sensor.xml and
sensor_original.xml files.
Note: While, technically speaking, you can follow the steps in this appendix to
modify the listen port number for any Sensor on any operating system,
these steps are only recommended for modifying the listen port number
for host-based Sensors for Oracle (running on *nix platform) and host-based
Sensors for DB2 (running on *nix platform). For all other host- and
network-based Sensors running on Windows, Application Security, Inc.
recommends you specify the listen port number during Sensor installation;
for more information, see Installing and Starting/Stopping the Sensors.
As explained in Appendix P: Monitoring Multiple Instances on a DB2 Server, one
reason you may want to modify the port number in the sensor.xml and
sensor_original.xml files is because you want to monitor multiple instances on a
DB2 server. To do so, you must install one host-based Sensor for DB2 for each instance
you want to monitor. You must then modify the XML files for each host-based Sensor
for DB2 installation and assign a unique port number to each host-based Sensor for
DB2.
To modify a Sensor listen port number:
Step  Action
1  Make sure the Sensor is unregistered; for more information, see the DbProtect
   User’s Guide.
   Note: You may also need to re-configure and re-deploy your Sensor. If it’s already
   configured, you should note the current configuration setup in order to
   re-configure your re-registered Sensor to match the original configuration. For
   more information, see the DbProtect User’s Guide.
2  Open the sensor.xml and sensor_original.xml files located in
   <installation dir>/ASIappradar/sensor/conf.
3  Locate the following line:
   <appSensorRoot sensorType="host-based" displayName="AppRadar
   Sensor" id="55555" ip="127.0.0.1" port="20000"> and change
   port="20000" to a new value.
   20000 is the default value; your port number may be different.
4  Re-start the Sensor.
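The listener-port steps above and the IPC-port steps in How do I change my IPC port number? both rely on hand edits to sensor.xml, sensor_original.xml and (for the IPC port) add.sql, so a consistency check before re-starting the Sensor catches a forgotten file. The script below is an added example, not part of DbProtect: the function names are hypothetical, it assumes both XML files are meant to carry the same port values, and the sample files it builds are constructed from the lines this guide quotes.

```shell
#!/bin/sh
# Added example, not part of the DbProtect distribution. File names, the two XML
# lines and the add.sql call come from this guide; function names are hypothetical.

# Listener port: port="N" inside the <appSensorRoot ...> tag. The tag may wrap
# across lines, so the file is joined into one line before matching.
listener_port() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*<appSensorRoot[^>]*[[:space:]]port="\([0-9][0-9]*\)".*/\1/p'
}

# IPC port: port="N" inside the <ipc ...> tag.
ipc_port() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*<ipc[^>]*[[:space:]]port="\([0-9][0-9]*\)".*/\1/p'
}

# Second parameter of the sys.asi_writeEvent(...) call in add.sql.
addsql_port() {
    sed -n 's/.*sys\.asi_writeEvent([[:space:]]*[0-9][0-9]*[[:space:]]*,[[:space:]]*\([0-9][0-9]*\)[[:space:]]*,.*/\1/p' "$1" |
        head -n 1
}

# Succeeds when appsensor.log holds the "Error opening port ... ipc_server.cpp" entry.
ipc_bind_failed() {
    tr '\n' ' ' < "$1" | grep -q 'Error opening port (.*FILE ipc_server\.cpp'
}

# Compare the values across the three files. Returns 0 when they agree, 1 otherwise.
# Assumption: sensor.xml and sensor_original.xml should hold identical ports.
check_sensor_ports() {
    conf_dir=$1
    add_sql=$2
    status=0
    for getter in listener_port ipc_port; do
        a=$($getter "$conf_dir/sensor.xml")
        b=$($getter "$conf_dir/sensor_original.xml")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo "MISMATCH $getter: sensor.xml='$a' sensor_original.xml='$b'"
            status=1
        fi
    done
    ipc=$(ipc_port "$conf_dir/sensor.xml")
    sqlp=$(addsql_port "$add_sql")
    if [ "$ipc" != "$sqlp" ]; then
        echo "MISMATCH ipc port: sensor.xml='$ipc' add.sql='$sqlp'"
        status=1
    fi
    return $status
}

# Constructed sample: the IPC port was changed to 7778 in both XML files, but
# add.sql still passes 7777 (step 4 of the IPC procedure was skipped).
write_constructed_sample() {
    mkdir -p "$1/conf"
    for f in sensor.xml sensor_original.xml; do
        printf '%s\n' \
            '<appSensorRoot sensorType="host-based" displayName="AppRadar' \
            'Sensor" id="55555" ip="127.0.0.1" port="20000">' \
            '<ipc port="7778"></ipc>' > "$1/conf/$f"
    done
    printf '%s\n' 'sys.asi_writeEvent(100079, 7777, ...' > "$1/add.sql"
    printf '%s\n' \
        '[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open' \
        '] Error opening port ( LINE 49, FILE ipc_server.cpp )' > "$1/appsensor.log"
}

# Usage: sh check_ports.sh <conf dir> <path to add.sql>
# With no arguments the script runs against the constructed sample.
if [ "$#" -eq 2 ]; then
    check_sensor_ports "$1" "$2"
else
    demo=$(mktemp -d)
    write_constructed_sample "$demo"
    check_sensor_ports "$demo/conf" "$demo/add.sql" ||
        echo "Fix the files listed above before re-starting the Sensor."
    ipc_bind_failed "$demo/appsensor.log" &&
        echo "appsensor.log contains the IPC port error."
    rm -rf "$demo"
fi
```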
Appendix D: Network Ports Used by DbProtect
Components of DbProtect communicate via Internet Protocol (IP) connections. To help
you configure your firewall properly, the following table lists each component and
describes how they each use the network.
Application | Application Protocol | Type | Port | Encrypted | User (GUI) Configurable? | Direction
Sensors
All Sensors | SOAP | TCP | 20000 | Over SSL | Yes | Inbound/Listen
Host-based Oracle with DDL Triggers Installed | Internal | UDP | 7777 | No | | Inbound/Listen (local connections only)
Scan Engines
All Scan Engines | SOAP | TCP | 20001 | Over SSL | At install time | Inbound/Listen
 | SQL | | 1433 | No | No | Inbound/Listen (local connections only)
Console
All Consoles | HTTP | TCP | 20080 | | Yes | Inbound/Listen
 | Tomcat / Java | | 32XXX / 30005 | | No | Inbound/Listen (local connections only)
 | SQL | | 1433 | No | | Outbound/Console back-end database
Message Collector
All Message Collectors | HTTP | TCP | 20081 | Over SSL | No, ARC + 1 | Inbound/Listen
 | Tomcat / Java | | 32XXX / 30006 | No | No | Inbound/Listen (local connections only)
Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers
This appendix consists of the following topics:
• Configuring your host-based Sensor for Oracle DDL triggers
• Determining whether Oracle Java Packages are installed on your Oracle
instance.
Configuring your
host-based Sensor
for Oracle DDL
triggers
DbProtect relies on the use of DDL triggers to capture traffic that does not pass
through Oracle’s SGA memory structures.
Note:
Because this step is optional, you only need to complete these steps for
SIDs that you want to monitor for DDL activity. You should complete these
steps for each SID that resides on a server, assuming the host-based
Sensor is going to monitor these SIDs.
Optionally, you can complete the following steps for each Oracle database instance
that your host-based Sensor for Oracle is configured to monitor (assuming you want to
monitor DDL-related Alerts).
Caution! You must have Oracle Java Packages installed on your Oracle
instances. To determine whether you have Oracle Java Packages
installed, see Determining whether Oracle Java Packages
are installed on your Oracle instance.
To configure your host-based Sensor for Oracle for DDL triggers:
1. Find the Sensor installation subdirectory java. (Typically <installation_directory>/ASIappradar/sensor/java.)
2. If your installation path differs from the default one, you need to edit the first line in the file add.sql, and replace it with the actual path. For example:
CREATE OR REPLACE DIRECTORY sensor_dir AS '/<installation_directory>/ASIappradar/sensor/java';
3. Run sqlplus from this location and log in as sysdba. Remember to set the appropriate ORACLE_HOME and ORACLE_SID values for the environment of the Sensor's runtime account (e.g., appradar).
Note: You must grant read permissions to the Oracle process on the DLL.class file in the host-based Sensor for Oracle’s directory in order to successfully execute the add.sql script. Failure to configure the Oracle process correctly triggers add.sql script error messages when it runs.
Caution! If you encounter the following error message in the appsensor.log when you start the host-based Sensor for Oracle, it means the IPC port is already in use:
[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open ] Error opening port ( LINE 49, FILE ipc_server.cpp )
Workaround: change the IPC port number. For more information, see How do I change my IPC port number?.
4. Run the @add command to load the DDL triggers.
Caution! If you execute the script to add triggers more than once (i.e., you remove the triggers, then re-add them), then the next statement executed on any active Oracle session will encounter the following error once:
"ORA-29549: class string.string has changed, Java session state cleared".
This occurs because Oracle, internally, forces a reload of the underlying Java class used by the DbProtect trigger. Subsequent statements will function normally, and DbProtect will process them as expected.
Notes:
• Use the command @remove to remove triggers at a later date, or to reinstall them.
• If the Sensor is already running, you need to restart it; for more information, see the DbProtect Administrator’s Guide.
Determining whether Oracle Java Packages are installed on your Oracle instance
To determine if Oracle Java Packages are installed on your Oracle instance:
1. Execute the following command:
select banner from all_registry_banners;
Note: Any user can execute this command.
The output displays information about any Oracle Java Packages installed on your Oracle instance; for example:
Oracle9i Catalog Views Release 9.2.0.4.0 - Production
JServer JAVA Virtual Machine Release 9.2.0.4.0 - Production
Oracle XDK for Java Release 9.2.0.6.0 - Production
Oracle9i Java Packages Release 9.2.0.4.0 - Production
Caution! If executing this command yields no results -- i.e., Oracle Java Packages are not installed on your Oracle instance, and you intend to use a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE) -- then you must manually install Oracle Java Packages on your Oracle instance.
Appendix F: Modifying the "Log On As" User for the AppRadar Sensor and DbProtect Message Collector Services
In this appendix:
• What is the "Log On As" user?
• Modifying the Windows Authentication LocalSystem account.
What is the "Log On As" user?
When you install DbProtect (see Chapter 5 - Installing the DbProtect Components and
Logging Into the Console), the Database Runtime Configuration page allows you to
configure your DbProtect runtime user account. This is the "log on as" user, i.e., the
user whose privileges are used to log into and use DbProtect.
You can connect to your custom SQL Server instance using SQL Authentication or
Windows Authentication. The latter uses the LocalSystem account as the run-as user
for the services installed (i.e., DbProtect and DbProtect Message Collector).
This chapter explains how to modify the Windows Authentication LocalSystem
account if you want.
Modifying the Windows Authentication LocalSystem account
To modify the Windows Authentication LocalSystem account:
1. Choose Start > Control Panel to display the Control Panel.
2. Double click the Administrative Tools icon.
3. Double click the Services icon to display the Services dialog box.
4. Highlight a service (e.g., DbProtect Message Collector) to display the DbProtect Message Collector Properties pop-up.
5. Click the Log On tab to display the Log on as: portion of the DbProtect Message Collector Properties pop-up.
6. Select This account: and enter the:
• new "log on as" user’s domain name\user name (or click the Browse button to display the Select User pop-up and locate a valid user)
• password for the specified user.
7. Click the Apply button.
A message informs you the revised "log on as" account change will not take effect until you reboot your computer. Click the OK button.
Appendix G: DB2 Administrative Client Driver Installation
To download and install DB2 client drivers:
1. Do one of the following to download and install a DB2 client driver:
• Contact your system administrator, who can provide the DB2 installation CD containing the client drivers.
• Visit the IBM website (http://www.ibm.com/support/all_download_drivers.html) and search for an appropriate driver.
• As a final alternative, you can download an evaluation version of DB2 from the IBM website, and install the client drivers which come with the installation package. For more information, see http://www.ibm.com/software/data/db2/.
2. Locate the downloaded client driver on your hard drive (a .zip file), and install using the wizard.
Appendix H: DbProtect Log Files
In this appendix:
• DbProtect log files
• Sensor log files.
DbProtect log files
Normal operations Console log files:
Log file: dbprotect.log
Description: This is the main application log that is written to during system usage. Log entries are in the following format:
Sat 01 Jan 23:59:59 [ThreadIdentifer] LEVEL Component – Log Message
where the date and time are presented first, followed by the DbProtect thread identifier, the level of the log message (which will be either INFO, WARN or ERROR), the DbProtect component and then the log message. Each log message entry can span multiple lines.
Location: \<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\logs\
Log file: gui_wrapper.log
Description: Log for the component that manages the service life cycle of the DbProtect service.
Log file: catalina*.log
Description: Application logs for the Tomcat engine used by DbProtect.
Location: \<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\tomcat\logs\ and \<DbProtect Installation Folder>\AppSecInc\DbProtect\Message Collector\tomcat\logs\
Log file: messagecollector_wrapper.log
Description: Log for the component that manages the service life cycle of the Message Collector service.
Log file: messagecollector.log
Description: This is a log file for DbProtect. It tracks the error entries for the Alert-collecting component of DbProtect.
Location: \<DbProtect Installation Folder>\AppSecInc\DbProtect\Message Collector\logs\
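Because a dbprotect.log entry can span several lines, line-by-line filtering loses stack traces and other continuation text. The following added example (not DbProtect code) groups lines into entries using the format described above; the sample log, its thread and component names are constructed, and accepting a plain hyphen as well as the en dash before the message is an assumption.

```python
import re
from collections import Counter

# Entry header: date and time, [thread identifier], level, component, message.
# The timestamp has no year, so it is kept as text rather than parsed to a date.
HEADER = re.compile(
    r"^(?P<timestamp>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \d{2} "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<thread>[^\]]+)\]\s+(?P<level>INFO|WARN|ERROR)\s+"
    r"(?P<component>.+?)\s+[–-]\s+(?P<message>.*)$"
)

# Constructed sample. The first line is a continuation whose header was lost,
# as happens when a file starts in the middle of an entry.
SAMPLE_LOG = """\
    at ExampleClass.run(ExampleClass.java:7)
Sat 01 Jan 23:59:58 [main] INFO Startup – Console service started
Sat 01 Jan 23:59:59 [http-20080-1] ERROR SensorManager – Unable to reach Sensor
java.net.ConnectException: Connection refused
    at ExampleClass.connect(ExampleClass.java:42)
Sun 02 Jan 00:00:03 [http-20080-1] WARN SensorManager - Retrying in 30 seconds
Sun 02 Jan 00:00:33 [http-20080-2] INFO PolicyLoader – Loaded policies
"""


def parse_dbprotect_log(text):
    """Return (entries, orphans): entries are dicts, orphans are headerless lines."""
    entries, orphans = [], []
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            entries.append(match.groupdict())
        elif entries:
            # Continuation line: belongs to the most recent entry.
            entries[-1]["message"] += "\n" + line
        elif line.strip():
            orphans.append(line)
    return entries, orphans


def problems_by_component(entries):
    """Count WARN and ERROR entries per (component, level)."""
    return Counter(
        (entry["component"], entry["level"])
        for entry in entries
        if entry["level"] in ("WARN", "ERROR")
    )


if __name__ == "__main__":
    parsed, leftover = parse_dbprotect_log(SAMPLE_LOG)
    for (component, level), count in problems_by_component(parsed).items():
        print(f"{component}: {count} {level}")
    print(f"{len(leftover)} line(s) with no entry header")
```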
DbProtect installation and upgrade log files:
The following DbProtect log files are related to installation and upgrade. Once
installation is completed, you can ignore these files (or you can safely remove them).
• appradar_load_data.log
• appradar_load_policies.log
• appradar_load_reports.log
• appradar_load_rules.log
• appradargroup_install.log
• createlocalenv_install.log
• dbbuild_install.log
• keyutil_install.log
• testappradarconn.log.
Sensor log files
This section of the appendix explains:
• Archiving
• Normal operations Sensor log files
• Replay log files
• Sensor installation and upgrade log file.
ARCHIVING
Log files automatically archive themselves when they reach a certain size, e.g. 100 MB.
For example, when a log file named AppRadar Sensor.log reaches its limit, the file is
renamed AppRadar Sensor.log.1 and a new AppRadar Sensor.log file is started.
When AppRadar Sensor.log again reaches its limit, appsensor.log.1 is renamed
appsensor.log.2, appsensor.log is renamed appsensor.log.1, a new
appsensor.log is started, and so on. Each type of log listed below has a different file
size limit at which archiving occurs, and each has a different maximum number of
archives.
NORMAL OPERATIONS SENSOR LOG FILES
Log file: appsensor.log
Description: Sensor application log (created during normal operations).
This file generally contains warnings and errors, and at the default Warning level the file size grows slowly. However, you can configure this file to also include debug messages for troubleshooting, if the Application Security, Inc. Support Team asks you to set the level to Debug or Development. In this case, the file size grows rapidly.
Note: This file “rolls over” at 100MB and does so a maximum of three times.
"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based Sensors for DB2, since all other types of host-based Sensors utilize "event monitoring."
The host-based Sensors for DB2 automatically turn on DB2 auditing. If you enable any Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"), then the host-based Sensors for DB2 write errors to the appsensor.log file(s).
For more information on how the host-based Sensors for DB2 use auditing to monitor failed logins and how to manually manage the resulting audit files, see the DbProtect Administrator’s Guide.
Location: \<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\logs\
REPLAY LOG FILES
Also in the logs directory are Sensor log files related to “store-&-forward”, i.e.,
Application Security, Inc.’s method of storing Alerts temporarily in case DbProtect
becomes unavailable. These are more commonly known as the replay log files. They
come in two forms:
• *.replay.log, which contains Alerts to be forwarded to DbProtect when it becomes available
• *.replay.log.bookmark, which is a bookmark pointing to the replay log indicating where forwarding left off the last time it ran.
If DbProtect becomes unavailable, these files ensure your Alerts will continue to be
logged. They store Alerts in binary form which are “replayed” to DbProtect when it is
back online.
The growth rate of the Alert log files depends on Alert rate and size. An average replay
log grows at a rate of approximately 2k/second -- but only when the Sensor cannot
communicate with DbProtect.
The number of and size of Alert log files depends on how many Alerts per second are
being fired and how long the Message Collector component of DbProtect has been
down. Once it’s back online, the replay logs will not shrink in size, but rather they will
disappear one file at a time.
Replay logs “roll over” at 500MB and continue to do so every 500MB until DbProtect
becomes available.
SENSOR INSTALLATION AND UPGRADE LOG FILE
The Sensor configuration.log file is related to installation and upgrade. Once
installation is completed, you can ignore these files (or you can remove them safely).
Appendix I: Using App DSN, the Repair ODBC Utility
App DSN is a built-in Repair ODBC (Open Database Connectivity) utility that allows
you to synch the database where your Scan Engine results are stored with the
DbProtect Data Repository component.
App DSN also allows you to change the type of authentication DbProtect
AppDetective uses to authenticate to the database server (i.e., from Windows
authentication to SQL Server authentication -- or vice-versa).
To use App DSN:
1. Choose Start > Programs > AppSecInc > AppDetective Scan Engine > AppDSN to display the App DSN utility.
FIGURE: App DSN utility
2. Use the Server drop-down to select the SQL Server 2005 instance where the Scan Engine stores its results, or enter the SQL Server 2005 instance name.
Important: This must be the same database DbProtect AppDetective uses.
Hint: Click the Locate instances... button to search for/display all SQL Server instances on your network.
3. Select to authenticate to the database server using: Windows Authentication (strongly recommended) or SQL Server Authentication.
If you select:
• Windows Authentication, then the AppDetective Scan Engine service uses the login/password credentials supplied in the Sensor installation section of the DbProtect Installation Guide. If you want to change or verify these values, you must run services.msc.
• SQL Server Authentication, then you must enter a SQL Server authentication Login Name: and Password:.
4. Click the OK button.
The Repair ODBC utility changes the database server the Scan Engine uses to store its results, and/or changes the type of authentication DbProtect AppDetective uses to authenticate to the database server.
Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins
You can configure your Oracle audit trail settings in order for your host-based Sensor
for Oracle to monitor logins. Specifically, the following DbProtect Rules can monitor
failed and successful logins:
• “Login attempt – successful”
• “Failed Login”
• “Password guessing”
• “Password scripted attack”.
To configure your Oracle audit trail settings so your host-based Sensor for Oracle can
monitor logins, you must set the Oracle audit trail of the database to db so that it logs
the logins (failed and successful) to the dba_audit_session table.
Note:
Because this step is optional, you only need to complete these steps for
SIDs that you want to monitor for logins. You should complete these steps
for each SID that resides on a server, assuming the host-based Sensor is
going to monitor these SIDs.
You can complete the following steps for each Oracle database instance that your
host-based Sensor for Oracle is configured to monitor (assuming you want to monitor
logins).
To configure your Oracle audit trail to enable your host-based Sensor for Oracle
to monitor logins:
1. Using an Oracle client such as sqlplus, set the audit trail to db:
alter system set audit_trail='db' scope=spfile;
shutdown
startup
2. Enable session auditing:
audit session;
Note: If your host-based Sensor for Oracle is already running, you need to re-start it;
for more information, see the DbProtect Administrator’s Guide.
Appendix K: Required Client Drivers for Audits
In this appendix:
• DB2 client driver installation
• Lotus Notes client driver installation
• Sybase client driver installation
• DB2 Connect installation.
DB2 client driver installation
To perform an Audit on a DB2 server, you must install the DB2 administrative client. If
you do not have these drivers and privileges, DbProtect AppDetective cannot access
tables that are critical for information gathering.
If you are already a DB2 user, and you have the administrative client installed, you do
not need to reinstall the client drivers. You only need your login name and password.
In this help topic:
• Supported and non-supported client configurations
• Downloading and installing the DB2 client drivers.
SUPPORTED AND NON-SUPPORTED CLIENT CONFIGURATIONS
DB2 version 7 client local connections to a DB2 version 8 server are not supported. For
example, you cannot use a DB2 version 7 client to catalog a DB2 version 8 instance on
the same machine as a local node.
A detailed matrix on the DB2 website describes the standard and gateway
configuration support for DB2 clients. For more information, see the following:
http://publib.boulder.ibm.com/infocenter/db2help/index.jsp?topic=/com.ibm.db2.udb.doc/start/r0009731.htm.
DOWNLOADING AND INSTALLING THE DB2 CLIENT DRIVERS
To download and install DB2 client drivers:
1. The client drivers needed are Administration. Do one of the following:
• Contact your system administrator, who can provide the DB2 installation CD containing the client drivers.
• For DB2 Version 7, download the appropriate driver from the IBM website (http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html)
• For DB2 Version 8, download the appropriate driver from the IBM website (http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html)
• Visit the IBM website (http://www-1.ibm.com/support/all_download_drivers.html) and search for an appropriate driver.
• As a final alternative, you can download an evaluation version of DB2 from the IBM website, and install the client drivers which come with the installation package. For more information, see http://www-3.ibm.com/software/data/db2/.
2. Locate the downloaded client driver on your hard drive (a .zip file).
3. Use a utility like Winzip to unzip the contents into a temporary install directory.
4. Once the files are extracted into the temporary install directory, double click the setup file (setup.exe) to begin the installation process.
5. Click the Next button to choose the DB2 Administration client.
6. Choose Typical.
7. Click the Next button.
8. Choose to install the client in the default location.
9. Click the Next button. A dialog box informs you if there is enough information to complete the installation.
10. Click the Next button.
11. Click the Finish button.
12. Reboot your system.
Result: The DB2 client drivers are now installed. You can now perform Audits on a DB2 server.
Lotus Notes client driver installation
To perform an Audit of a Lotus Notes-based Domino Mail Server, you must install the
Lotus Notes client drivers. If you are already a Lotus Notes user, you do not need to reinstall the client drivers. You only need to find your .id file, typically located in your
C:\Lotus\Notes\Data folder. You must also know your password.
In this help topic:
• Downloading and installing Lotus Notes client software
• Starting Lotus Notes for the first time.
DOWNLOADING AND INSTALLING LOTUS NOTES CLIENT SOFTWARE
To download and install Lotus Notes client software:
1. Open http://www.lotus.com in your browser.
2. Click the Downloads link.
3. Click the most appropriate Lotus Notes client software download link.
Note: You must register to access the download site.
4. Download the Lotus Notes client software setup file to a convenient location (e.g., C:\temp).
5. Double click the setup file you downloaded from the Lotus website to display the welcome dialog box.
6. Click the Next button to display the license dialog box.
7. Read the License Agreement.
8. If you consent to the License Agreement, press the Yes button to display the name and company dialog box.
9. Enter your name and company name.
10. Click the Next button to display the default installation directory dialog box.
11. Do not change the default installation directories.
12. Click the Next button to display the setup dialog box.
13. Select Typical Setup.
14. Click the Next button to display the Lotus Notes program icons dialog box.
15. Specify the folder where you want to install the Lotus Notes program icons.
16. Lotus Notes is installed.
STARTING LOTUS NOTES FOR THE FIRST TIME
Your Domino administrator must set up a valid Lotus Notes account for you. He/she
can provide you with a password as well as an .id file which you must copy to your
C:\Lotus\Notes\Data folder. Contact your Domino administrator if you are unsure
about the proper responses to give in the following procedure.
To start Lotus Notes for the first time:
1. Choose Start > Lotus Applications > Lotus Notes to display the set up connections dialog box.
2. Click the Next button to display the Connect to Domino Server dialog box.
3. Click the Next button.
4. Choose your desired method of connecting to the server. If you are in an office, select Connect through a LAN.
5. Click the Next button to display the Server dialog box.
6. Enter your server name. (Ask your Domino administrator if you are unsure.)
7. Click the Next button to display the Browse for Your ID File/Lotus Notes Name dialog box.
8. Browse for your .id file, or use your Lotus Notes name. (Ask your Domino administrator if you are unsure.)
9. Click the Next button.
10. Setup is complete.
Note: You may or may not want to set up your email, news, directory server, and proxy servers. This is usually done by your Domino administrator. At this point, you have provided enough information to run AppDetective for Lotus Domino.
Sybase client driver installation
To perform an Audit on a Sybase ASE dataserver, you must have the Sybase ASE
ODBC driver installed on your workstation. The Sybase ASE ODBC driver is packaged
with the Sybase ASE Client driver. DbProtect uses the Sybase ASE ODBC driver to
access your Sybase dataserver.
Specifically, DbProtect supports the following Sybase ASE ODBC drivers:
• Sybase ASE ODBC driver (packaged in the 12.5.2 client driver)
• Adaptive Server Enterprise ODBC driver (packaged in the 15.x client driver or
Software Development Kit).
In this help topic:
• Checking if you have the proper Sybase ASE ODBC drivers installed
• Downloading and installing Sybase ASE ODBC drivers.
CHECKING IF YOU HAVE THE PROPER SYBASE ASE ODBC DRIVERS INSTALLED
To check if you have the proper Sybase ASE ODBC driver installed:
1. Choose Start > Settings > Control Panel.
2. Double click the Administrative Tools icon.
3. Double click the Data Sources (ODBC) icon.
4. Click the Drivers tab.
5. Scroll down and check if you have either the Sybase ASE ODBC Driver or the Adaptive Server Enterprise ODBC Driver installed (in the Name column).
6. If you:
• have the drivers on your machine, you are ready to use DbProtect’s security Audit feature
• do not have the driver installed, go to Downloading and installing Sybase ASE ODBC drivers.
DOWNLOADING AND INSTALLING SYBASE ASE ODBC DRIVERS
To download and install Sybase ASE ODBC drivers:
1. Refer to the Sybase installation CDs shipped with your database installation to obtain the correct Sybase ASE ODBC drivers, or download them from http://download.sybase.com/eval/ASE_1252_DE/pcclient_1252.zip
Note: The Adaptive Server Enterprise ODBC Driver version 15.x is not a free download. Refer to the Sybase installation CDs shipped with your database installation to obtain it. If you do not have this, you can obtain the Adaptive Server Enterprise ODBC driver in the Software Developer kit as a licensed contact, or for purchase. Alternately, you can try to download a free Developer’s Edition copy of ASE 15.x from Sybase. However, Application Security, Inc. is not responsible for the time frame in which Sybase is making this available.
DB2 Connect installation
To run an Audit on DB2 on the Mainframe, you must install DB2 Connect (Enterprise
Edition) software on your scanning machine.
To download and install DB2 Connect (Enterprise Edition):
1. Go to the IBM website, click the How to buy link, follow the download and installation instructions.
Appendix L: Required Audit Privileges
This appendix consists of the following topics:
• DB2 Audit privileges
• DB2 z/OS Audit privileges
• Lotus Domino Groupware Audit privileges
• SQL Server Audit privileges
• MySQL Audit Privileges
• Oracle Audit privileges
• Sybase Audit privileges
• Operating system considerations.
DB2 Audit privileges
Note: For more information on DB2 OS check requirements, see Operating system considerations.
To conduct a full DB2 Audit, you need the following privileges. Make sure the account
you are using has rights to use the following tables and views:
• CONNECT
• GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY
• Service Info (Windows ONLY)
• SYSIBM.SYSCOLAUTH
• SYSIBM.SYSINDEXAUTH
• SYSIBM.SYSPASSTHRUAUTH
• SYSIBM.SCHEMAAUTH
• SYSIBM.SYSDBAUTH
• SYSIBM.SYSTABAUTH
• SYSIBM.SYSFUNCTIONS
• SYSIBM.SYSPROCEDURES
• SYSIBM.SYSVERSIONS
Below is a list of checks within DbProtect AppDetective for a DB2 Audit, and the
tables and views they need permission to access in order to function properly:
• CLIENT authentication: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY
• SERVER authentication: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY
• DCS authentication: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY
• Trust All Client: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY
• Authentication type: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY
• Service runs as LocalSystem: Service Info (Windows ONLY)
• Permissions granted to user: SYSIBM.SYSCOLAUTH, SYSIBM.SYSINDEXAUTH, SYSIBM.SYSPASSTHRUAUTH, SYSIBM.SCHEMAAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH
• Permissions grantable: SYSIBM.SYSCOLAUTH, SYSIBM.SYSINDEXAUTH, SYSIBM.SYSPASSTHRUAUTH, SYSIBM.SCHEMAAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH
• Permissions on system catalog: SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH
• Permissions to list users: SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH
• Permissions granted to PUBLIC: SYSIBM.SYSCOLAUTH, SYSIBM.SYSINDEXAUTH, SYSIBM.SYSPASSTHRUAUTH, SYSIBM.SCHEMAAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH
• db2ckpwd buffer overflow (Version verify): SYSIBM.SYSVERSIONS
• Query Compiler DoS (Verify version): SYSIBM.SYSVERSIONS
• Date/Varchar DoS (Verify version): SYSIBM.SYSVERSIONS
• Latest FixPak not installed: SYSIBM.SYSVERSIONS
• Control Center buffer overflow (Verify version): SYSIBM.SYSVERSIONS
Some DB2 Audit checks need to differentiate between fixpaks such as 4/4a, 6/6a, etc.
These checks require specific permissions. Specifically, the checks affected are:
• Arbitrary code execution in a federated system (Verify version)
• Arbitrary code execution when processing connection messages (Verify version)
• Arbitrary file creation in XML Extender functions (Verify version)
• Buffer overflow in CALL statement (Verify version)
• Buffer overflow in db2fmp (Verify version)
• Buffer overflow in generate_distfile procedure (Verify version)
• Buffer overflow in REC2XML function (Verify version)
• Buffer overflow in SATADMIN.SATENCRYPT function (Verify version)
• Buffer overflow in the JDBC listener (Verify version)
• Buffer overflows in XML Extender functions (Verify version)
• DoS in string formatting functions (Verify version)
• Latest FixPak not installed
• Multiple Buffer overflows in libdb2.so.1 library (Verify version)
• Multiple critical vulnerabilities in IBM DB2 (Verify version)
• Multiple DoS vulnerabilities in SQLJRA protocol
• SELECT privilege escalation
In order for DbProtect AppDetective to work properly with any of these checks, you
must set special permissions, depending on what version of DB2 is running on your
server. The following table explains which permissions are required for which versions
of DB2:

| If your server is running DB2 version: | Requirements: |
|---|---|
| 9.10 or later | SELECT or CONTROL privilege on the ENV_INST_INFO administrative view. OR EXECUTE privilege on the ENV_GET_INST_INFO table function. OR SYSADM and/or ATTACH privileges. |
| 8.2.2 or later | EXECUTE privilege on the ENV_GET_INST_INFO table function. |
| 8.1.0 or later | SYSADM or ATTACH privileges. |
| 7 | Registry access or OS access. |

DB2 z/OS Audit privileges
You must have at least SELECT privilege on the following system catalog tables (which
SYSADM has by default):
• SYSIBM.SYSCOLAUTH
• SYSIBM.SYSDBAUTH
• SYSIBM.SYSPACKAUTH
• SYSIBM.SYSPLANAUTH
• SYSIBM.SYSROUTINEAUTH
• SYSIBM.SYSSCHEMAAUTH
• SYSIBM.SYSTABAUTH
• SYSIBM.SYSUSERAUTH
Lotus Domino Groupware Audit privileges
Note: For more information on Lotus Domino OS check requirements, see Operating system considerations.
To conduct a full Lotus Domino Groupware Audit, you need the following privileges.
Make sure the account you are using has rights to use the following tables and views:
• Read all databases
• Read decsadm.nsf and all of its documents
• Read names.nsf and all of its documents
• Execute commands on the server
• Read all user documents
Below is a list of checks within the Scan Engine for a Lotus Domino Audit, and the
tables and views they need permission to access in order to function properly:
Application Security, Inc.
•
•
•
•
•
•
•
Anonymous can create documents:
Read all databases
•
Anonymous ACL missing:
of its documents
•
Access server unrestricted:
documents
•
All people can use monitors:
documents
•
All users can run personal agents:
documents
•
Anonymous access via HTTPS:
documents
•
Anonymous access via Notes RPC: Read names.nsf and all of its
documents
•
Bindsock arbitrary file creation:
documents
•
•
CGI directory leak:
•
Create databases unrestricted:
documents
•
•
Enumerate groups:
Anonymous granted Designer or higher access:
Anonymous user in Authors field:
Read all databases
Read all databases
Default has Editor or higher access:
Encrypted field full-text indexed:
Read all databases
Read all databases
Unspecified user type in ACL: Read all databases
DECS password unencrypted:
documents
Read decsadm.nsf and all of its
Read all databases, Read names.nsf and all
Read names.nsf and all of its
Read names.nsf and all of its
Read names.nsf and all of its
Read names.nsf and all of its
Read names.nsf and all of its
Read names.nsf and all of its documents
Check passwords on Notes IDs:
documents
Read names.nsf and all of its
Read names.nsf and all of its
Read names.nsf and all of its documents
Failed access control on file attachments:
of its documents
Read names.nsf and all
210
DbProtect 2009.1
Application Security, Inc.
Installation Guide
• iNotes client ActiveX control buffer overflow: Read names.nsf and
all of its documents
• iNotes s_ViewName buffer overflow: Read names.nsf and all of its
documents
• Latest maintenance release not applied: Read names.nsf and all of
its documents
• Long POST request DoS: Read names.nsf and all of its documents
• Maximum number of request headers: Read names.nsf and all of its
documents
• Maximum size of request contents: Read names.nsf and all of its
documents
• Maximum size of request headers: Read names.nsf and all of its
documents
• Maximum URL length: Read names.nsf and all of its documents
• Maximum URL path segments: Read names.nsf and all of its documents
• Non-admins can use monitors: Read names.nsf and all of its documents
• Notes RPC buffer overflow: Read names.nsf and all of its documents
• Notes_ExecDirectory buffer overflow: Read names.nsf and all of
its documents
• Password change interval for user: Read names.nsf and all of its
documents
• PATH buffer overflow: Read names.nsf and all of its documents
• Public keys compared to directory: Read names.nsf and all of its
documents
• Restricted agents runlist: Read names.nsf and all of its documents
• Restricted Java/COM runlist: Read names.nsf and all of its documents
• Saved email not encrypted: Read names.nsf and all of its documents
• Servlets disabled: Read names.nsf and all of its documents
• Unrestricted agents runlist: Read names.nsf and all of its documents
• Unrestricted Java/COM runlist: Read names.nsf and all of its
documents
• User can create new databases: Read names.nsf and all of its
documents
• Administration over HTTP: Read names.nsf and all of its
documents, Execute a command on the server
• Anonymous access via HTTP: Read names.nsf and all of its
documents, Execute a command on the server
• Anonymous access via IIOP: Read names.nsf and all of its
documents, Execute a command on the server
• Anonymous access via IIOPS: Read names.nsf and all of its
documents, Execute a command on the server
• Anonymous access via LDAP: Read names.nsf and all of its
documents, Execute a command on the server
• Anonymous access via LDAPS: Read names.nsf and all of its
documents, Execute a command on the server
• ESMTP buffer overflow: Read names.nsf and all of its documents,
Execute a command on the server
• Expired certificates allowed: Read names.nsf and all of its
documents, Execute a command on the server
• HTTP authenticate buffer overflow: Read names.nsf and all of its
documents, Execute a command on the server
• HTTP database browsing: Read names.nsf and all of its documents,
Execute a command on the server
• HTTP logging not enabled: Read names.nsf and all of its
documents, Execute a command on the server
• HTTP methods excluded from logging: Read names.nsf and all of its
documents, Execute a command on the server
• HTTP MIME types excluded from logging: Read names.nsf and all of
its documents, Execute a command on the server
• HTTP return codes excluded from logging: Read names.nsf and all
of its documents, Execute a command on the server
• HTTP user agents excluded from logging: Read names.nsf and all of
its documents, Execute a command on the server
• HTTPS allows anonymous access: Read names.nsf and all of its
documents, Execute a command on the server
• Inadequate amgr process logging: Read names.nsf and all of its
documents, Execute a command on the server
• Incomplete POST DoS: Read names.nsf and all of its documents,
Execute a command on the server
• Interface address leak in banner: Read names.nsf and all of its
documents, Execute a command on the server
• LDAP buffer overflow: Read names.nsf and all of its documents,
Execute a command on the server
• LDAP format string: Read names.nsf and all of its documents,
Execute a command on the server
• MS-DOS device web path leak: Read names.nsf and all of its
documents, Execute a command on the server
• Personal agents runlist: Read names.nsf and all of its documents,
Execute a command on the server
• Redirected host/location buffer overflow: Read names.nsf and all
of its documents, Execute a command on the server
• Routing loop DoS (Verify version): Read names.nsf and all of its
documents, Execute a command on the server
• SMTP buffer overflow: Read names.nsf and all of its documents,
Execute a command on the server
• Unencrypted HTTP: Read names.nsf and all of its documents,
Execute a command on the server
• Unencrypted IIOP: Read names.nsf and all of its documents,
Execute a command on the server
• Unencrypted IMAP: Read names.nsf and all of its documents,
Execute a command on the server
• Unencrypted LDAP: Read names.nsf and all of its documents,
Execute a command on the server
• Unencrypted NNTP: Read names.nsf and all of its documents,
Execute a command on the server
• Unencrypted POP3: Read names.nsf and all of its documents,
Execute a command on the server
• Web retriever HTTP status buffer overflow: Read names.nsf and all
of its documents, Execute a command on the server
• Web Retriever logging: Read names.nsf and all of its documents,
Execute a command on the server
• Easily-guessed Internet password: Read all user documents
• Easily-guessed Notes password: Read all user documents
• Agent manager debugging not enabled: Execute a command on the
server
• Ambiguous webnames allowed: Execute a command on the server
• Console password not set: Execute a command on the server
• Inadequate console logging: Execute a command on the server
• NDS password present: Execute a command on the server
• NDS userid present: Execute a command on the server
• Phone line logging not enabled: Execute a command on the server
SQL Server Audit privileges
Note:
For more information on SQL Server OS check requirements, see
Operating system considerations.
This topic consists of the following sub-topics:
• SQL Server 7, SQL Server 2000, and MSDE Audit Privileges
• SQL Server 2005 Audit Privileges
• Credentials for SQL Server Audits.
SQL SERVER 7, SQL SERVER 2000, AND MSDE AUDIT PRIVILEGES
To conduct a full SQL Server Audit, you need the following privileges. Make sure the
account you are using has rights to use the following tables and views:
Check                                   Privileges required
master.dbo.xp_loginconfig               EXECUTE
master.dbo.xp_regread                   EXECUTE
exec <db name>.dbo.sp_helprotect        EXECUTE
msdb.dbo.sp_get_sqlagent_properties     EXECUTE
master.dbo.xp_cmdshell                  EXECUTE
@@VERSION                               SELECT
master.dbo.syslogins (MSSQLSysLogins)   SELECT
master.dbo.sysxlogins                   SELECT
master.dbo.sysdatabases                 SELECT
master.dbo.sysconfigures                SELECT
master.dbo.syscurconfigs                SELECT
master.dbo.syscharsets                  SELECT
<db name>.dbo.sysusers                  SELECT
<db name>.dbo.sysobjects                SELECT
<db name>.dbo.syscomments               SELECT
Below is a list of checks within the Scan Engine for a SQL Server Audit, and the tables
and views they need permission to access in order to function properly:
• Agent jobs privilege escalation: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• Auditing of failed logins: master.dbo.xp_loginconfig
• Auditing of successful logins: master.dbo.xp_loginconfig
• Blank password: master.dbo.sysxlogins
• Blank password for sa: master.dbo.sysxlogins
• Blank password for well-known login: master.dbo.sysxlogins
• BULK INSERT buffer overflow: @@VERSION
• C2 Audit Mode: @@VERSION, master.dbo.sysconfigures,
master.dbo.syscurconfigs
• Case-insensitive sort order: master.dbo.syscharsets,
master.dbo.sysconfigures, master.dbo.syscurconfigs
• Changing mode may leave sa password blank: @@VERSION
• Cleartext password written by installation: @@VERSION,
master.dbo.xp_cmdshell
• Computed Column UDF DoS: @@version
• Database ownership chaining not disabled: sysconfigures, syscurconfigs
• DBCC addextendedproc buffer overflow: @@VERSION
• DBCC BUFFER buffer overflow: @@VERSION
• DBCC CHECKCONSTRAINTS buffer overflow: @@VERSION
• DBCC CLEANTABLE buffer overflow: @@VERSION
• DBCC INDEXDEFRAG buffer overflow: @@VERSION
• DBCC PROCBUF buffer overflow: @@VERSION
• DBCC SHOWCONTIG buffer overflow: @@VERSION
• DBCC SHOWTABLEAFFINITY buffer overflow: @@VERSION
• DBCC UPDATEUSAGE buffer overflow: @@VERSION
• Default login enabled: @@VERSION, master.dbo.syslogins,
master.dbo.xp_loginconfig
• Direct updates on data dictionary: master.dbo.sysconfigures,
master.dbo.syscurconfigs
• DTS package procedures granted to public: sp_helprotect
• DTS password exposed in properties dialog: @@VERSION
• DTS passwords publicly viewable: <db name>.dbo.sysusers, exec <db
name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Easily-guessed password: @@VERSION
• Easily-guessed password for sa: @@VERSION
• Easily-guessed password for well-known login: @@VERSION
• Encoded password written by installation: @@VERSION,
master.dbo.xp_cmdshell
• Enterprise Manager improperly revokes proxy account: @@VERSION
• Error logs can be overwritten: <db name>.dbo.sysobjects,
@@VERSION, master.dbo.sysdatabases
• Escalated privileges in heterogeneous joins: @@VERSION
• Extended stored proc privilege upgrade: exec <db
name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Fixed server role granted: master.dbo.syslogins
• Format string in C runtime DoS: @@VERSION
• Format string vuln in xp_sprintf: @@VERSION
• FORMATMESSAGE buffer overflow: @@VERSION
• Global temporary stored proc exists: sysobjects, sysusers
• Guest user exists in database: <db name>.dbo.sysusers,
master.dbo.sysdatabases
• Hello buffer overflow: @@VERSION
• Infected with Spida worm: <db name>.dbo.sysobjects,
master.dbo.sysdatabases, master.dbo.xp_cmdshell
• Jet running in sandbox Mode: <db name>.dbo.sysobjects, @@VERSION,
master.dbo.sysdatabases
• Job output file handling: @@VERSION
• Latest service pack applied: @@VERSION
• Lumigent Log Explorer buffer overflow: <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• Malformed RPC request DoS: @@VERSION
• Malformed TDS packet header DoS: @@VERSION
• MDX Query buffer overflow: @@VERSION
• Objects not owned by dbo: <db name>.dbo.sysobjects,
master.dbo.sysdatabases, <db name>.dbo.sysusers
• OLEDB ad hoc queries allowed: @@VERSION, <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• Orphaned user: @@VERSION, <db name>.dbo.sysusers,
master.dbo.sysdatabases, master.dbo.syslogins
• Password same as login name: @@VERSION
• Permission grantable: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• Permission on mswebtasks: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• Permissions granted to public: <db name>.dbo.sp_helprotect
• Permission on registry extended proc: exec <db
name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permission on sp_MSsetalertinfo: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• Permission on sp_MSSetServerProperties: exec <db
name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permission on sp_readwebtask: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• Permission on sp_runwebtask: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• Permission on xp_readerrorlog: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• Permission to select from syslogins: exec <db
name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permission to select from system table: <db name>.dbo.sysobjects,
exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permissions granted on xp_cmdshell: @@VERSION, exec <db
name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permissions granted to user: <db name>.dbo.sysusers, exec <db
name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Public can create Agent jobs: exec <db name>.dbo.sp_helprotect,
master.dbo.sysdatabases
• pwdencrypt buffer overflow: @@VERSION
• RAISERROR buffer overflow: @@VERSION
• Registry extended proc not removed: <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• Remote access allowed: master.dbo.sysconfigures,
master.dbo.syscurconfigs
• Remote data source function unchecked buffer: @@VERSION
• Replication password publicly viewable: xp_regread, sysobjects,
@@version, sp_helprotect
• Resolution service DoS: @@VERSION
• Resolution service heap overflow: @@VERSION
• Resolution service stack overflow: @@VERSION
• Reusable cached administrator connection: @@VERSION
• sp_attachsubscription command injection: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• sp_MScopyscriptfile command injection: <db name>.dbo.sysobjects,
master.dbo.sysdatabases, @@VERSION
• SQL Agent password publicly viewable: @@version,
msdb.dbo.sp_get_sqlagent_properties, sp_helprotect
• SQL Agent procedures granted to public: sp_helprotect
• SQLServerAgent password in registry: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• srv_paraminfo buffer overflow in sp_OACreate: @@VERSION
• srv_paraminfo buffer overflow in sp_OADestroy: @@VERSION
• srv_paraminfo buffer overflow in sp_OAGetProperty: @@VERSION
• srv_paraminfo buffer overflow in sp_OAMethod: @@VERSION
• srv_paraminfo buffer overflow in sp_OASetProperty: @@VERSION
• srv_paraminfo buffer overflow in xp_displayparamstmt: @@VERSION
• srv_paraminfo buffer overflow in xp_execresultset: @@VERSION
• srv_paraminfo buffer overflow in xp_peekqueue: @@VERSION
• srv_paraminfo buffer overflow in xp_printstatements: @@VERSION
• srv_paraminfo buffer overflow in xp_proxiedmetadata: @@VERSION
• srv_paraminfo buffer overflow in xp_SetSQLSecurity: @@VERSION
• srv_paraminfo buffer overflow in xp_showcolv: @@VERSION
• srv_paraminfo buffer overflow in xp_sqlagent_monitor: @@VERSION
• srv_paraminfo buffer overflow in xp_sqlinventory: @@VERSION
• srv_paraminfo buffer overflow in xp_updatecolvbm: @@VERSION
• Standard SQL Server authentication allowed: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases,
master.dbo.xp_loginconfig
• Statement permission granted: master.dbo.sysdatabases, exec <db
name>.dbo.sp_helprotect
• SysAdmin only for CmdExec job steps: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• sysadmin role granted: master.dbo.syslogins
• Table to store DTS passwords publicly viewable: <db
name>.dbo.sysusers, master.dbo.sysdatabases, exec <db
name>.dbo.sp_helprotect
• Temporary stored procedures bypass permissions: @@VERSION
• UDB broadcast buffer overflow: master.dbo.xp_cmdshell
• Windows account name shown as hostname: @@VERSION,
master.dbo.xp_loginconfig
• XMLHTTP control allows local file access: <db
name>.dbo.sysobjects, master.dbo.sysdatabases, @@VERSION
• xp_cmdshell not removed: <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• xp_controlqueueservice buffer overflow: <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• xp_createprivatequeue buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_createqueue buffer overflow: @@VERSION,
master.dbo.sysdatabases, <db name>.dbo.sysobjects
• xp_decodequeuecmd buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_deleteprivatequeue buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_deletequeue buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_dirtree buffer overflow: @@VERSION, <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• xp_displayqueuemesgs buffer overflow: @@VERSION,
master.dbo.sysdatabases, <db name>.dbo.sysobjects
• xp_dsninfo buffer overflow: <db name>.dbo.sysobjects, @@VERSION,
master.dbo.sysdatabases
• xp_mergelineages buffer overflow: @@VERSION,
master.dbo.sysdatabases, <db name>.dbo.sysobjects
• xp_oledbinfo buffer overflow: @@VERSION, <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• xp_proxiedmetadata buffer overflow: master.dbo.sysdatabases, <db
name>.dbo.sysobjects, @@VERSION
• xp_readpkfromqueue buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_readpkfromvarbin buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_repl_encrypt buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_resetqueue buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_sprintf buffer overflow: @@VERSION
• xp_sqlagent_param buffer overflow: @@VERSION, <db
name>.dbo.sysobjects, master.dbo.sysdatabases
• xp_sqlinventory buffer overflow: @@VERSION,
master.dbo.sysdatabases, <db name>.dbo.sysobjects
• xp_unpackcab buffer overflow: @@VERSION, <db name>.dbo.sysobjects,
master.dbo.sysdatabases
• xstatus backdoor: @@VERSION, master.dbo.sysxlogins
SQL SERVER 2005 AUDIT PRIVILEGES
Any Audit check for SQL Server 2005 queries the following views:
• sys.databases
• sys.configurations
• sys.server_principals
• sys.server_role_members
In SQL Server 2005, the public group can select from these views, but because of
metadata visibility, not all records may be returned.
This is why some checks require the VIEW DEFINITION, VIEW ANY DEFINITION, or even
CONTROL SERVER permission to get data.
• Auditing of failed/successful logins: execute xp_loginconfig.
• Blank password checks: select password_hash column of
sys.sql_logins for all sql logins, which implies CONTROL SERVER
permission.
• BUILTIN\Administrators not removed: select all rows from
sys.server_principals view, which implies VIEW ANY DEFINITION
permission.
• C2 Audit Mode: select from sys.configurations view.
• Database ownership chaining not disabled: select from
sys.configurations view.
• Default password for well-known login: makes connection attempts.
• DTS package procedures granted to public: select from
msdb.sys.database_permissions view.
• Easily-guessed password checks: select password_hash column of
sys.sql_logins for all sql logins, which implies CONTROL SERVER
permission.
• Error logs can be overwritten: execute xp_instance_regread.
• Fixed server role granted: select all rows from
sys.server_principals, sys.server_role_members views, which
implies VIEW ANY DEFINITION permission.
• Global temporary stored proc exists: select from
tempdb.sys.all_objects.
• Guest user exists in database: select all rows from sys.databases
and <dbname>.sys.database_principals, and
<dbname>.sys.database_permissions views.
• Latest service pack/hot fix not applied: uses @@version - requires
no privileges.
• Lumigent Log Explorer buffer overflow: select all rows from
master.sys.objects view, which implies VIEW DEFINITION on master
database permission.
• Not using NTFS partition: execute xp_instance_regread.
• OLEDB ad hoc queries allowed: select from sys.configurations view,
execute xp_instance_regenumkeys.
• Password same as login name: select password_hash column of
sys.sql_logins view for all sql logins, which implies CONTROL
SERVER permission.
• Permission grantable: select all rows from sys.databases,
<dbname>.sys.database_permissions views, which implies VIEW
DEFINITION on database scope permission.
• Permission on OLE automation procs: select all rows from
master.sys.database_permissions view, which implies VIEW DEFINITION
on database scope permission.
• Permission on registry extended proc: select all rows from
master.sys.database_permissions view, which implies VIEW DEFINITION
on database scope permission.
• Permission to select from system table: select all rows from
master.sys.database_permissions view, which implies VIEW DEFINITION
on database scope permission.
• Permissions granted on xp_cmdshell: select all rows from
master.sys.database_permissions view, which implies VIEW DEFINITION
on database scope permission.
• Permissions granted to PUBLIC: select all rows from sys.databases,
<dbname>.sys.database_permissions views.
• Permissions granted to user: select all rows from sys.databases,
<dbname>.sys.database_permissions views, which implies VIEW
DEFINITION on database scope permission.
• Permissions on files: execute xp_instance_regread.
• Registry extended proc not removed: select from
master.sys.system_objects view.
• Registry permissions: execute xp_instance_regread.
• Remote access allowed: select from sys.configurations view.
• Sample database not removed: select all rows from sys.databases
view.
• Service runs as LocalSystem: execute xp_instance_regread.
• Standard SQL Server authentication allowed: execute
xp_instance_regread.
• Statement permission granted: select all rows from sys.databases,
<dbname>.sys.database_permissions views, which implies VIEW
DEFINITION on database scope permission.
• sysadmin role granted: select all rows from sys.server_principals,
sys.server_role_members views, which implies VIEW ANY DEFINITION
permission.
• xp_cmdshell not removed/not disabled: select from
sys.configurations view.
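One way to provision a SQL Server 2005 audit login against the permissions listed above and confirm what it can see before a scan. This is an added example, not part of the DbProtect guide; the login name dbprotect_audit and the password placeholder are assumptions.

```sql
-- Added example; not part of the DbProtect guide.
-- Assumptions: the login name dbprotect_audit and the password placeholder
-- are hypothetical. Run from sqlcmd or Management Studio as a sysadmin.
USE master;
GO
CREATE LOGIN dbprotect_audit WITH PASSWORD = '<REPLACE_WITH_STRONG_PASSWORD>';
GO

-- Tier 1: server-wide metadata visibility. Covers the checks listed as
-- needing all rows of sys.server_principals and sys.server_role_members
-- (for example "sysadmin role granted" and "Fixed server role granted").
GRANT VIEW ANY DEFINITION TO dbprotect_audit;
GO

-- Tier 2 (optional): the blank, easily-guessed and same-as-login password
-- checks read sys.sql_logins.password_hash, which the guide says implies
-- CONTROL SERVER. That permission is close to sysadmin in effect, so grant
-- it only for the duration of a password audit and revoke it afterwards.
-- GRANT CONTROL SERVER TO dbprotect_audit;
-- REVOKE CONTROL SERVER FROM dbprotect_audit;

-- Verify, as the audit login, what a scan will actually be able to read.
EXECUTE AS LOGIN = 'dbprotect_audit';

SELECT
    HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DEFINITION')       AS has_view_any_definition,
    HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')            AS has_control_server,
    HAS_PERMS_BY_NAME('master', 'DATABASE', 'VIEW DEFINITION') AS has_view_definition_master;

-- Metadata visibility in practice: a login without enough permission gets
-- fewer rows (or NULL password_hash values), not an error, so compare these
-- counts with the same queries run as a sysadmin.
SELECT COUNT(*) AS visible_server_principals
FROM sys.server_principals;

SELECT COUNT(*)             AS visible_sql_logins,
       COUNT(password_hash) AS readable_password_hashes
FROM sys.sql_logins;

REVERT;
GO
```

If readable_password_hashes is lower than visible_sql_logins, the password checks will silently miss logins rather than fail.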
CREDENTIALS FOR SQL SERVER AUDITS
If you are unable to audit a SQL Server database using Windows Authentication, you
may be using an account that lacks the proper credentials. There are a number of
different ways to supply the proper credentials for SQL Server. The appropriate
method depends on your circumstances.
The following table explains how to change your credentials under different scenarios
when you attempt to perform an Audit on the SQL Server TARGET machine from
another machine (HOST). Once you have valid credentials on the target HOST, you
should be able to perform your Audit.
Part 1
If:
TARGET and HOST are in the same or trusted domain.
Then:
• If you are logged in to HOST as a user that has Administrative access to
TARGET, you do not need to supply additional credentials.
Or...
• If you are logged in as user without Administrative access, you will need to
supply TARGET’s sa credentials.

Part 2
If:
TARGET is in WORKGROUP_X and HOST is in DOMAIN_A
Or...
TARGET is in WORKGROUP_X and HOST is in WORKGROUP_Y
Or...
TARGET is in WORKGROUP_X and HOST is in WORKGROUP_X
Then:
• You can supply sa credentials in the Scan Engine.
Or...
• You can create a local user on TARGET and a local user on HOST with matching
user names and passwords.
Note: You cannot use Domain names here.
Or...
• Select the Properties branch option Connect to Microsoft SQL Servers via
Named Pipes in the Console Properties branch (in the DbProtect AppDetective
application), then use the Net Use technique to establish credentials on
TARGET. You must select this option to force the Scan Engine to use named
pipes. You must check this option if you want to Audit a SQL Server database
(using Windows Authentication) against a machine on a different or untrusted
domain. Additional steps are required. For more information, see Appendix M:
Auditing SQL Server (Using Windows Authentication) Against a Machine on a
Different or Untrusted Domain.
To use the Net Use technique:
- Open a command prompt.
- Enter the net use command to log in to the target server with valid
credentials.
- The command should adhere to the following format:
net use \\computerIP /user:[domainname\]username
- You are prompted for a valid password on the target.
- Verify access by re-entering net use

Part 3
If:
TARGET is in DOMAIN_A and HOST is either in an untrusted DOMAIN_B or in
WORKGROUP_X
Then:
• You can use any of the methods listed in Part 2, above.
Or...
• You can add HOST to DOMAIN_A.
MySQL Audit Privileges
Note:
For more information on MySQL Server OS check requirements, see
Operating system considerations.
To conduct a full MySQL Audit, you need the following privileges. Make sure the
account you are using has rights to use the following tables and views:
• Anonymous user exists: SELECT on user table
• Blank account passwords: SELECT on user table
• Blank root password: SELECT on user table
• Default passwords for test accounts: SELECT on user table
• Easily-guessed account passwords: SELECT on user table
• Easily-guessed root password: SELECT on user table
• FILE privileges granted: SELECT on user table
• General log file not enabled: execute SHOW VARIABLES
• Password for user same as username: SELECT on user table
• Permissions grantable: SELECT on db table, SELECT on host table,
SELECT on user table
• Permissions on GRANT tables: SELECT on db table, SELECT on host
table, SELECT on user table, SELECT on columns_priv table, SELECT
on tables_priv table
• Permissions on user table: SELECT on user table
• PROCESS privileges granted: SELECT on user table
• Sample database not removed: execute SHOW DATABASES
• SSL encryption not enabled: execute SHOW VARIABLES
MYSQL CHECKS
MySQL Audit
• Easily-guessed root password
• Easily-guessed passwords
• Blank password
• Blank root password
• Universal access
• SSL is enabled
• Grant tables privileges
• Ensure sample databases have been removed
• Permissions on [User] table
• Permissions granted directly to user
• Logging not enabled
• MySQL mysqld Privilege Escalation Vulnerability
• MySQL libmysqlclient Library Read_One_Row Buffer Overflow
Vulnerability
• MySQL Null Root Password Weak Default Configuration Vulnerability
• MySQL Double Free Heap Corruption Vulnerability
• MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
• MySQL libmysqlclient Library Read_Rows Buffer Overflow
Vulnerability
• MySQL COM_CHANGE_USER Password Length Account Compromise
Vulnerability
• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
• MySQL Bind Address Not Enabled Weak Default Configuration
Vulnerability
• WinMySQLadmin Plain Text Password Storage Vulnerability
• MySQL Root Operation Symbolic Link File Overwriting Vulnerability
• MySQL SHOW GRANTS Password Hash Disclosure Vulnerability
• MySQL Local Buffer Overflow Vulnerability
• MySQL Authentication Algorithm Vulnerability
• MySQL GRANT Global Password Changing Vulnerability
• MySQL Unauthenticated Remote Access Vulnerability
MySQL Penetration Test
• Easily-guessed root password
• Easily-guessed password
• Blank password
• Blank root password
• MySQL mysqld Privilege Escalation Vulnerability
• MySQL libmysqlclient Library Read_One_Row Buffer Overflow
Vulnerability
• MySQL Null Root Password Weak Default Configuration Vulnerability
• MySQL Double Free Heap Corruption Vulnerability
• MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
• MySQL libmysqlclient Library Read_Rows Buffer Overflow
Vulnerability
• MySQL COM_CHANGE_USER Password Length Account Compromise
Vulnerability
• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
• MySQL Bind Address Not Enabled Weak Default Configuration
Vulnerability
• WinMySQLadmin Plain Text Password Storage Vulnerability
• MySQL Root Operation Symbolic Link File Overwriting Vulnerability
• MySQL SHOW GRANTS Password Hash Disclosure Vulnerability
• MySQL Local Buffer Overflow Vulnerability
• MySQL Authentication Algorithm Vulnerability
• MySQL GRANT Global Password Changing Vulnerability
• MySQL Unauthenticated Remote Access Vulnerability
Oracle Audit privileges
Note:
For more information on Oracle OS check requirements, see Operating
system considerations and/or “Appendix O: Oracle Critical Patch Update
Detection” in the AppDetectivePro User’s Guide.
To conduct a full Oracle Audit, you need the following privileges. Make sure the
account you are using has rights to use the following tables and views:
• DBA_PROFILES
• DBA_ROLES
• DBA_ROLE_PRIVS
• DBA_STMT_AUDIT_OPTS
• DBA_SYS_PRIVS
• DBA_TABLES
• DBA_TAB_PRIVS
• DBA_USERS
• PRODUCT_COMPONENT_VERSION
• SYS.LINK$
• SYS.USER$
• V_$PARAMETER (the Scan Engine selects from V$PARAMETER but you must grant
SELECT on V_$PARAMETER)
• SYS.DBA_SOURCE
• DBA_OBJECTS
• V$LOG
Note:
The account must also have the CREATE SESSION privilege.
The following script creates an account with the minimum privileges necessary to
perform a Security Audit on an Oracle SID. Be sure that whatever account is used to
conduct your Audit has at least the SELECT privileges listed below:
-- Create the audit account. Replace APPDETECTIVE_AUDITOR_PASSWORD with a
-- strong password of your own.
CREATE USER APPDETECTIVE_AUDITOR IDENTIFIED BY APPDETECTIVE_AUDITOR_PASSWORD;
-- Read-only access to the tables and views the Scan Engine queries.
GRANT SELECT ON DBA_PROFILES TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_ROLES TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_ROLE_PRIVS TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_SYS_PRIVS TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_TABLES TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_TAB_PRIVS TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_USERS TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON PRODUCT_COMPONENT_VERSION TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON SYS.LINK$ TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON SYS.USER$ TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON V_$PARAMETER TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON SYS.DBA_SOURCE TO APPDETECTIVE_AUDITOR;
-- Allow the account to log in.
GRANT CREATE SESSION TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON DBA_OBJECTS TO APPDETECTIVE_AUDITOR;
GRANT SELECT ON SYS.V_$LOG TO APPDETECTIVE_AUDITOR;
The following is a list of checks within the Scan Engine for an Oracle Security Audit,
and the tables and views they need permission to access in order to function properly:
•
•
•
•
•
•
Account associated with DEFAULT profile:
DBA_USERS
•
•
•
•
ANY system privilege applies to data dictionary:
•
•
•
•
Brute-force database password:
•
Database link buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION
•
Database user allows remote authentication:
V$PARAMETER
•
•
•
DBLINK_ENCRYPT_LOGIN not enabled:
Account granted the predefined role CONNECT: DBA_ROLE_PRIVS
Account granted the predefined role DBA:
DBA_ROLE_PRIVS
Account granted the predefined role RESOURCE:
Accounts with SYSTEM as default tablespace:
DBA_ROLE_PRIVS
DBA_USERS
ANSI join syntax bypasses object privileges:
PRODUCT_COMPONENT_VERSION
Auditing Not Enabled:
V$PARAMETER
V$PARAMETER
Auditing of CREATE SESSION not enabled:
DBA_STMT_AUDIT_OPTS
BFILENAME buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION
Brute-force role password:
DBA_USERS
SYS.USER$
Cleartext password stored with database link:
Create library privilege:
PRODUCT_COMPONENT_VERSION
Default database password:
SYS.LINK$
DBA_SYS_PRIVS,
DBA_USERS,
SYS.LINK$, V$PARAMETER
DBA_USERS
Easily-guessed database password:
DBA_USERS
•
•
•
•
Easily-guessed role password:
•
•
Label Security SQL predicates bypassed:
•
•
Listener debug DoS (Verify version):
•
•
•
•
•
Locked account:
•
NSPTCN data offset DoS (Verify version):
PRODUCT_COMPONENT_VERSION
•
•
•
•
•
•
•
•
Object privilege grantable:
•
•
•
•
•
•
•
Privilege on audit trail table:
•
Profile settings - Password Grace Time:
PRODUCT_COMPONENT_VERSION
•
Profile settings - Password Life Time:
PRODUCT_COMPONENT_VERSION
Expired password:
SYS.USER$
DBA_USERS, PRODUCT_COMPONENT_VERSION
Kick Listener DoS (Verify version):
PRODUCT_COMPONENT_VERSION
Label Security row label improperly assigned:
PRODUCT_COMPONENT_VERSION
PRODUCT_COMPONENT_VERSION
Label Security unauthorized higher level read:
PRODUCT_COMPONENT_VERSION
PRODUCT_COMPONENT_VERSION
Listener format string buffer overflow (Verify version):
PRODUCT_COMPONENT_VERSION
DBA_USERS, PRODUCT_COMPONENT_VERSION
MTDS DoS (Verify version):
PRODUCT_COMPONENT_VERSION
NERP DoS (Verify version):
PRODUCT_COMPONENT_VERSION
Non-standard account with DBA role:
DBA_ROLE_PRIVS
NSPTCN buffer overflow (Verify version):
PRODUCT_COMPONENT_VERSION
DBA_TAB_PRIVS
Object privilege granted to account:
Object privilege granted to PUBLIC:
Oracle file overwrite:
DBA_TAB_PRIVS
PRODUCT_COMPONENT_VERSION
OS authentication prefix:
Overdue password change:
DBA_TAB_PRIVS, DBA_USERS
V$PARAMETER
sys.user$
Password for database user same as username:
DBA_USERS
Privilege granted to SELECT from data dictionary:
DBA_TAB_PRIVS
Privilege on database link table:
DBA_TABLES,
DBA_TAB_PRIVS
DBA_TAB_PRIVS, DBA_USERS
Privilege to execute UTL_FILE granted to PUBLIC:
DBA_TAB_PRIVS
Privilege to execute UTL_HTTP granted to PUBLIC:
DBA_TAB_PRIVS
Privilege to execute UTL_SMTP granted to PUBLIC:
DBA_TAB_PRIVS
Privilege to execute UTL_TCP granted to PUBLIC:
Profile settings - Failed Login Attempts:
PRODUCT_COMPONENT_VERSION
DBA_TAB_PRIVS
DBA_PROFILES,
DBA_PROFILES,
DBA_PROFILES,
Profile settings - Password Lock Time:
PRODUCT_COMPONENT_VERSION
Profile settings - Password Reuse Maximum:
PRODUCT_COMPONENT_VERSION
Profile settings - Password Reuse Time: DBA_PROFILES,
PRODUCT_COMPONENT_VERSION
Profile settings - Password Verify Function:
PRODUCT_COMPONENT_VERSION
Remote login password file not disabled:
SNMP DoS (Verify version):
TZ_OFFSET buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION
Trace reporting buffer overflow:
Remote OS Authentication enabled:
Remote OS Roles enabled:
DBA_PROFILES,
DBA_PROFILES,
DBA_PROFILES,
V$PARAMETER
V$PARAMETER
V$PARAMETER
Requestor version DoS (Verify version): PRODUCT_COMPONENT_VERSION
Role without password:
DBA_ROLES
Roles granted WITH ADMIN OPTION:
DBA_ROLE_PRIVS
SERVICE_CURLOAD DoS (Verify version):
PRODUCT_COMPONENT_VERSION
SERVICE_NAME buffer overflow (Verify version):
PRODUCT_COMPONENT_VERSION
PRODUCT_COMPONENT_VERSION
SQL92_SECURITY parameter not enabled:
SYSDBA auditing bug:
V$PARAMETER
PRODUCT_COMPONENT_VERSION
System privilege granted to account:
System privilege granted to PUBLIC:
DBA_SYS_PRIVS, DBA_USERS
DBA_SYS_PRIVS
System privilege granted WITH ADMIN OPTION:
System privilege with ANY clause:
DBA_SYS_PRIVS
DBA_SYS_PRIVS
TCL debugger installs with setUID root:
DBA_SYS_PRIVS
TCL debugger installs with setUID root:
PRODUCT_COMPONENT_VERSION
TO_TIMESTAMP_TZ buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION
UTL_FILE_DIR unrestricted:
PRODUCT_COMPONENT_VERSION
V$PARAMETER
XSQL Servlet stylesheet as URL parameter:
PRODUCT_COMPONENT_VERSION
Sybase Audit privileges
To conduct a full Sybase Audit, you need the following privileges. Make sure the
account you are using has rights to use the following tables and views:
• SELECT @@VERSION
• master.dbo.syslogins
• master.dbo.syssrvroles
• master.dbo.sysdatabases
• master.dbo.sysconfigures
• master.dbo.syscurconfigs
• master.dbo.sysroles
• master.dbo.sysloginroles
• master.dbo.sysattributes
• master.dbo.sysservers
• exec sp_loginconfig
• exec sp_displayaudit (if it's >= 11.5)
• sp_auditoption (if it's < 11.5 and >= 11.0)
• master.dbo.syblicenseslog
• master.dbo.syscharsets
• <db name>.dbo.sysusers
• <db name>.dbo.sysobjects
• <db name>.dbo.syscomments
• exec <db name>.dbo.sp_help_resource_limit (if it's >= 11.5)
The following is a list of checks within the Scan Engine for Sybase Security Audit, and
the tables and views which they need permission to in order to function properly:
• Absolute value of numeric DoS (Verify version): SELECT @@VERSION
• Allow resource limit: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Allow sendmsg: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Audit logout not set (if >= 11.5): master.dbo.sysconfigures, master.dbo.syscurconfigs, exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0)
• Audit queue size: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Audit subsystem not installed: master.dbo.sysdatabases
• Auditing disabled: exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0), master.dbo.sysconfigures, master.dbo.syscurconfigs
• Auditing of failed logins not enabled: (if it's >= 11.5) master.dbo.sysconfigures, master.dbo.syscurconfigs, exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0)
• Auditing of successful logins not enabled: (if >= 11.5) master.dbo.sysconfigures, master.dbo.syscurconfigs, exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0)
• Blank password for sa: master.dbo.syslogins
• Buffer Overflow in DBCC CHECKVERIFY: SELECT @@VERSION
• Buffer Overflow in DROP DATABASE: SELECT @@VERSION
• Buffer Overflow in xp_freedll: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, SELECT @@VERSION
• Check password for digit: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Current Audit Table: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Default login exists: exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0), SELECT @@VERSION
• Default password for entldbdbo: master.dbo.syslogins
• Default password for entldbreader: master.dbo.syslogins
• Default password for pkiuser: master.dbo.syslogins
• Default password for PortalAdmin: master.dbo.syslogins
• Default password for pso: master.dbo.syslogins
• Easily-guessed password: master.dbo.syslogins
• Easily-guessed sa password: master.dbo.syslogins
• Event log computer name: master.dbo.sysconfigures, master.dbo.syscurconfigs, SELECT @@VERSION
• Event logging: master.dbo.sysconfigures, master.dbo.syscurconfigs, SELECT @@VERSION
• Exceeded licensing limitations: master.dbo.syblicenseslog
• Expired logins: master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.syslogins
• Guest user exists in database: <db name>.dbo.sysusers, master.dbo.sysdatabases
• Guest user exists in sybsecurity: <db name>.dbo.sysusers, master.dbo.sysdatabases
• List resource limits: exec <db name>.dbo.sp_help_resource_limit (if it's >= 11.5), master.dbo.sysdatabases
• Locked logins: master.dbo.syslogins
• Log audit logon failure: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Log audit logon success: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Login attributes less restrictive: master.dbo.sysattributes, master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.syslogins
• Login granted sa_role: <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.sysloginroles, master.dbo.syslogins, master.dbo.sysroles
• Login granted sso_role: <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.sysloginroles, master.dbo.syslogins, master.dbo.sysroles
• Login mode: exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0), SELECT @@VERSION
• Maximum failed logins: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Minimum password length: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Objects not owned by dbo: <db name>.dbo.sysobjects, <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.sysdatabases
• Orphaned user: <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.syslogins, master.dbo.sysroles
• Password same as login name: master.dbo.syslogins
• Permission granted in sybsecurity: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permission granted on system table: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, master.dbo.sysdatabases
• Permission granted on xp_cmdshell: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, master.dbo.sysdatabases
• Permission to select from syslogins: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permissions granted to public: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Permissions granted to user: <db name>.dbo.sysusers, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, master.dbo.sysroles
• Remote access allowed: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Require message confidentiality with encryption: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Require message integrity: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Roles revoked from the sa login: master.dbo.sysloginroles, master.dbo.syslogins, master.dbo.syslogins, master.dbo.syssrvroles
• Roles without passwords: master.dbo.syssrvroles
• Secure default login exists: master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.syslogins
• Select all DoS (Verify version): SELECT @@VERSION
• Select/Into DoS (Verify version): SELECT @@VERSION
• Server configured with remote server: master.dbo.sysservers
• SSL Enabled: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Start mail session: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Statement permission granted: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases
• Suspend audit when full disabled: master.dbo.sysconfigures, master.dbo.syscurconfigs
• System-wide password expiration: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Unified login required: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Unlocked sa login: master.dbo.syslogins
• Unrestricted access to syscomments: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Updates allowed to system tables: master.dbo.sysconfigures, master.dbo.syscurconfigs
• Use security services: master.dbo.sysconfigures, master.dbo.syscurconfigs
• With Grant Option: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases
• xp_cmdshell context: <db name>.dbo.sysobjects, master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.sysdatabases
• xp_cmdshell not removed: <db name>.dbo.sysobjects, master.dbo.sysdatabases
Operating system considerations
Some Audit checks require more than just a valid database account to perform
correctly. They have different requirements depending upon whether the operating
system (OS) is Windows or UNIX. (The checks are listed in the Audit category OS
Integrity.) They only run if the target database has the appropriate OS.
This topic consists of the following sub-topics:
• Windows OS Audit Check Requirements
• UNIX OS Audit Check Requirements.
WINDOWS OS AUDIT CHECK REQUIREMENTS
The Scan Engine performs Windows OS checks via Windows authentication. Make
sure the account and computer you are running the Scan Engine from have the
appropriate permissions for the corresponding checks:
• Not Using NTFS Partition. Permission to read the installation disk type.
• Registry Permissions. Remote registry access.
• Service Runs as Local System. Permission to list the system services.
• Permissions on Files. Permission to read files in the installation directory of the
database.
UNIX OS AUDIT CHECK REQUIREMENTS
The Scan Engine performs Unix OS checks via a Telnet or SSH account. Your account
must have the appropriate read and directory listing permissions activated on the
database installation and running directories.
If you run the following checks:
• Permissions on Files
• Setgid Bit Enabled
• Setuid Bit Enabled
Then you must have permission to:
• List files in the installation directories of the database.
Properly-Configured Environment Variables
The Scan Engine can Audit platforms that use system variables to specify the location
of the database instances. In UNIX, you must set the environment variables correctly in
order to use SSH or Telnet to access the accounts. Specific requirements follow.
If you want to Audit the following platform / Then you must have permission to:
• Oracle: Make sure the $ORACLE_HOME variable is correct.
• Sybase: Make sure the $SYBASE variable is correct.
• MySQL: Define a datadir or basedir variable to point to the database root.
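A pre-flight check for the UNIX requirements above, meant to be run as the Telnet/SSH account the Scan Engine will use. It is an added example, not DbProtect code: the function names are hypothetical, and reading MySQL's datadir/basedir from environment variables is an assumption based on the wording of the table.

```shell
#!/bin/sh
# Pre-flight check for the UNIX OS audit checks (added example, not DbProtect code).
# Run as the Telnet/SSH account the Scan Engine will log in with.

# Map a platform to the variable(s) the guide says must be set.
# Assumption: for MySQL, datadir/basedir are read as environment variables.
platform_vars() {
    case "$1" in
        oracle) echo "ORACLE_HOME" ;;
        sybase) echo "SYBASE" ;;
        mysql)  echo "datadir basedir" ;;
        *)      return 1 ;;
    esac
}

# Print the first configured root directory for a platform.
# Exit status: 0 found, 1 nothing set, 2 unknown platform.
resolve_root() {
    vars=$(platform_vars "$1") || return 2
    for name in $vars; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# Count entries this account cannot read, plus directories it cannot search.
# Each one is a blind spot for the "Permissions on Files" check.
count_unreadable() {
    find "$1" \( ! -exec test -r {} \; -o -type d ! -exec test -x {} \; \) \
        -print 2>/dev/null | wc -l | tr -d ' '
}

# List regular files with the setuid or setgid bit, which is what the
# "Setuid Bit Enabled" and "Setgid Bit Enabled" checks need to be able to see.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Full check for one platform: variable set, directory listable, tree readable.
preflight() {
    platform=$1
    root=$(resolve_root "$platform")
    case $? in
        1) echo "FAIL: no install variable set for $platform" >&2; return 1 ;;
        2) echo "FAIL: unknown platform '$platform'" >&2; return 2 ;;
    esac
    if [ ! -d "$root" ] || [ ! -r "$root" ] || [ ! -x "$root" ]; then
        echo "FAIL: $(id -un) cannot list $root" >&2
        return 1
    fi
    blocked=$(count_unreadable "$root")
    if [ "$blocked" -ne 0 ]; then
        echo "FAIL: $blocked entries under $root are not readable" >&2
        return 1
    fi
    setid=$(list_setid "$root" | wc -l | tr -d ' ')
    echo "OK: $platform root $root is listable; setuid/setgid files: $setid"
}

# Usage: sh preflight.sh oracle|sybase|mysql
[ $# -eq 0 ] || preflight "$1"
```

Run it through the same login method the Scan Engine uses, so the environment variables it sees are the ones the audit will see.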
Appendix M: Auditing SQL Server (Using Windows Authentication) Against a Machine on a Different or Untrusted Domain
If you attempt to Audit a SQL Server database (using Windows Authentication) against
a machine on a different or untrusted domain, the following error message may
display:
SQLSTATE: 28000, Native error: 18452, Message: [Microsoft][ODBC
SQL Server Driver][SQL Server]Login failed for user ''. The user
is not associated with a trusted SQL Server connection..
To Audit a SQL Server database (using Windows Authentication) against a machine on
a different or untrusted domain:
Step 1: Establish a connection to the target server.
Enter the appropriate Net Use syntax. For a remote host that is a:
• member of domain, enter: net use \\ip /user:domain\username
• workgroup member (standalone computer), enter: net use \\ip /user:username
or net use \\ip /user:computername\username
Step 2: Use named pipes to connect to an untrusted domain.
Select the Properties branch option Connect to Microsoft SQL Servers via Named
Pipes. You must check this option when Auditing a SQL Server database in an
untrusted domain.
Note: You must enable the named pipes protocol on both the Scan Engine host and
the SQL Server target server when using this option.
Step 3: Make sure of the following:
• That the Server and Remote Registry services on your remote host are
running
• That the set of Net Use credentials being used is a member of either the
domain hosting the target server, or a domain that is trusted by that domain
• That the login provides remote registry access and read-only file access to the
remote machine. To check this, do the following:
-enter net use \\server with your credentials, and expand
HKEY_LOCAL_MACHINE on the target server
-enter net use \\server\c$ to verify you can access files on the
target server.
• That access to the remote host can be restricted by a firewall, which is common on
Windows 2003/XP/Vista. You can verify this on the remote host by looking into
the firewall settings/logs for rejected packets. This means there should be
connectivity on port 445 or 139 on the target host.
Step 4: Do the following to create and test a DSN connection to the target host:
• Choose Control Panel > Administrative Tools > Data Sources (ODBC).
• Open the System DSN tab and click the Add button.
• Choose Microsoft SQL Server from the list.
• Click the Finish button.
• Enter a Name and Description for this data source entry.
• In the Server field, enter the IP address and listening port of the target server,
e.g., 172.27.190.58,1756.
• Click the Next button.
• Select SQL Server Authentication and enter your database credentials in the
Login ID and Password fields.
• Click the Next button.
• Follow the steps in the wizard.
Step 5: You should now be able to test the connection to the data source. If this test is
successful, you should also be able to perform the Audit with the Scan Engine. If
you are unable to connect, try using the other IP address, or use Windows
Authentication rather than the SQL credentials (after connecting with Net Use).
Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and Greater
If you are experiencing difficulty logging into DbProtect, you may need to
troubleshoot the Java Runtime Environment (JRE) security settings on your Internet
Explorer (IE) 6 or greater web browser. This appendix explains how.
Your connection problems are probably related to one of the following causes:
• If your web browser is IE 6. Proper Active X controls and “enable third-party
browser extensions” security settings may not be enabled on your IE 6 browser.
If this is the case, you will encounter an error message when you attempt to
authenticate, and you can’t log in to the Console. To troubleshoot this problem,
see Enabling proper Active X controls and “Enable Third-Party Browser
Extensions” security settings (using IE 6).
• If your web browser is IE 7. JRE 1.6 may be disabled and/or multiple JREs may
be enabled on your client (i.e., the location from which your IE 7 browser is
running). JRE 1.6 must be enabled in order for you to connect to the Console. If
JRE 1.6 is disabled, or if multiple JREs of different versions are enabled on your
client, then you will encounter an error message when you attempt to
authenticate, and you can’t log in to the Console. To troubleshoot this problem,
see Ensuring JRE 1.6 is enabled and temporarily disabling other JREs on your
client machine (using IE 7).
Enabling proper Active X controls and “Enable Third-Party Browser Extensions” security settings (using IE 6)
Note:
The following security settings should be the default values in your IE 6
web browser. You should only change the settings if you’re experiencing
difficulty logging into the Console.
To enable proper Active X controls and “enable third-party browser extensions”
security settings on IE 6:
Step 1: Launch IE 6.
Steps 2-4: Do the following:
• Choose: Tools > Internet Options.
• Click the Security tab.
• Click the Custom Level button to display the Security Settings dialog box.
• Set the following security settings to Enable or Prompt:
-Download signed ActiveX controls
-Run ActiveX controls and plug-ins.
• Click the OK button.
• Click the Advanced tab to display the Advanced Settings dialog box.
• Check Enable Third-party browser extensions (requires restart).
• Click the OK button.
• Close and re-launch IE 6 or greater.
Step 5: Try to log back into the Console. If you continue to experience trouble, contact
Application Security, Inc. Customer Support at support@appsecinc.com.
Ensuring JRE 1.6 is enabled and temporarily disabling other JREs on your client machine (using IE 7)
To ensure JRE 1.6 is enabled, and to temporarily disable multiple JREs on your client
machine (using IE 7):
Step 1: Launch IE 7.
Step 2: Do the following:
• Choose: Tools > Internet Options.
• Click the Advanced tab to display the Settings dialog box.
Step 3: Scroll down to the Java (Sun) portion of the dialog box and verify the following:
• JRE 1.6 is enabled (i.e., the box must be checked)
• multiple JRE installations are listed.
JRE 1.6 must be enabled in order for you to connect to the Console. If it is not,
check the JRE 1.6 box.
If JRE 1.6 is enabled, and other JRE versions are also enabled, then you must
temporarily disable them by un-checking the boxes.
Step 4:
• Click the Apply button.
• Click the OK button.
• Close and re-launch IE 7.
Step 5: Try to log back into the Console. If you continue to experience trouble, contact
Application Security, Inc. Customer Support at support@appsecinc.com.
Appendix O: Determining Your NetBIOS Name and Your Full-Qualified Domain Name
If you cannot log in to the Console, it may be because, in your network environment, the
NetBIOS name is different from the full-qualified domain name. You need to provide the
domain name in the Domain: field (on the Console login page). This appendix explains
how to determine your:
• NetBIOS name (from a command line); for more information, see Determining
your NetBIOS name using a command line
• full-qualified domain name (from the Windows Control Panel); for more
information, see Determining your full-qualified domain name using the
Control Panel.
Determining your NetBIOS name using a command line
To determine your NetBIOS name using the command line:
Step 1: Choose Start > Run to display the Run dialog box.
Step 2: Enter cmd.exe in the Open field.
Step 3: Click the OK button to display a command window.
Enter nbtstat -n to display a listing of Net BIOS names associated with your
local machine.
Step 4: FIGURE: Listing of Net BIOS names
Step 5: Look up which Net Bios Name belongs to the Type called Group and has a Net
BIOS code of <00>. This is your NetBIOS name.
Determining your full-qualified domain name using the Control Panel
To determine your full-qualified domain name using the Windows Control Panel:
Step 1: Choose Start > Control Panel to display the Control Panel.
Step 2: Double click the System icon to display the System Properties dialog box.
Step 3: FIGURE: System Properties window
Step 4: Click the Computer Name tab to display your full-qualified Domain: name.
Appendix P: Monitoring Multiple Instances on a DB2 Server
To monitor multiple instances on a DB2 server:
Step 1: Install one host-based Sensor for DB2 (on any *nix platform) for each instance you
want to monitor; for more information, see:
• Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps
• Host-based Sensor for DB2 (on Solaris) - installation steps
• Host-based Sensor for DB2 (on AIX) - installation steps.
Step 2: Modify the XML files for each host-based Sensor for DB2 installation and assign a
unique port number to each host-based Sensor for DB2. To do so, you must change
the port number in the sensor.xml and sensor_original.xml files (located in
<installation dir>/ASIappradar/sensor/conf) so each host-based
Sensor for DB2 has a unique port number; for more information, see Appendix C:
Modifying the Sensor Listener Port Number.
Step 3: In these environments, when launching the sensor, go to
<installation dir>/ASIappradar/sensor/util, and launch it as follows: appradar_start -p.
This allows the host-based Sensor for DB2 to co-exist with other Sensors on the
same host.
Appendix Q: Clearing Your Java Cache
If you are experiencing difficulty logging into the DbProtect Console, you may need to
clear your Java cache. Application Security, Inc. also recommends you clear your Java
cache after an upgrade. The Java cache does not get automatically cleared following a
reboot.
To clear your Java cache:
Step 1: Choose Start > Control Panel to display the Control Panel.
Step 2: Double click the Java icon to display the Java Control Panel dialog box.
Step 3: With the default General tab selected, click the Settings... button (in the Temporary
Internet Files section of the dialog box) to display the Temporary Files Settings
dialog box.
Step 4: Click the Delete Files... button to clear your Java cache.
Step 5: Close your web browser and attempt to log into the DbProtect Console again.