IBM Support

Privilege requirement to perform VA scan

Question & Answer


Question

We would like to know the minimum user/role privileges required across different database types to successfully perform a VA scan.

Answer

Guardium provides a set of database-specific SQL scripts to prepare the database environment for Vulnerability Assessment, one script per database type. The script must be executed first. Each script contains detailed information on how to define database users/roles with sufficient privileges to connect to the database.


The gdmmonitor scripts are found in the appliance under the /var/log/guard/gdmmonitor_scripts folder. Refer to README.txt to know which script to use for which database. Read the header of each script carefully; it tells you exactly what you need to do. They are retrievable using fileserver.

Available scripts are:

Script Name                              Database Server Type
gdmmonitor-db2.sql                       DB2
Create_CKADBVA_schema_tables_zOS.sql     DB2 on zOS
gdmmonitor-db2-zOS.sq                    DB2 on zOS
gdmmonitor-ifx.sql                       Informix
gdmmonitor-mss.sql                       MS-SQL 2005 and up
gdmmonitor-mss2000-only.sql              MS-SQL 2000 only
gdmmonitor-mss-SA.sql                    MS-SQL
gdmmonitor-mys.sql                       MySQL
gdmmonitor-netezza.sql                   Netezza
gdmmonitor-netezza.sql                   Oracle
gdmmonitor-ora-container.sq              Oracle Container DB
gdmmonitor-postgres.sql                  PostgreSQL
gdmmonitor-syb.sql                       Sybase
gdmmonitor-teradata.sql                  Teradata
gdmmonitor-sybaseIQ.sql                  SybaseIQ
Jconnect_SybaseIQ_requirement.txt        SybaseIQ

These scripts are found under the /var/log/guard/gdmmonitor_scripts folder in the appliance and are retrievable using fileserver and the GUI. Each script sets up the user/role privileges automatically. Guardium does not need a system privilege (admin or superuser).

Some database types have prerequisites that must be met before running the script:



Database Type: MSSQL

* gdmmonitor-mss.sql  

This script creates a role called 'gdmmonitor' in ALL databases. It grants access to some system catalogs to this role for Security Assessment and entitlement use. It then adds a user called "sqlguard" to all databases and grants this user the gdmmonitor role.

* gdmmonitor-mss-SA.sql

This script grants the SYSADMIN server role to the sqlguard user. Certain MSSQL VA tests require the SYSADMIN privilege. If you execute those tests without it, they will error and advise you to grant the SYSADMIN server role. If you wish to execute those tests, you must grant the SYSADMIN server role to your datasource user.

The difference between the two scripts is that gdmmonitor-mss.sql does not grant the SYSADMIN privilege.

--
-- **NOTE**:  This script should be run for all SQL Server 2005 and higher releases only.
--            If you are running SQL Server 2000 please use gdmmonitor-mss2000-only.sql

-- ------------------------------
-- before running this script
-- ------------------------------
-- SQL login user must exist before running this script.
--  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
--  This sqlguard login doesn't need to be added to any database or given
--  any privilege.  The script will take care of that.
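After running either MSSQL script, the following T-SQL check (an added example, not part of the Guardium scripts) confirms the header's prerequisite login exists, shows whether 'sqlguard' holds SYSADMIN (expected only after gdmmonitor-mss-SA.sql), and lists each online database where the 'gdmmonitor' role or the sqlguard membership is missing. It assumes the default names from the script header and that the caller can read every database's catalog views.

```sql
-- Added verification query; assumes the default 'sqlguard' login and
-- 'gdmmonitor' role named in the gdmmonitor-mss.sql header.
SET NOCOUNT ON;

-- 1. Prerequisite from the script header: the SQL login must already exist.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'sqlguard' AND type = 'S')
    RAISERROR('Login ''sqlguard'' does not exist; create it before running gdmmonitor-mss.sql.', 16, 1);

-- 2. Server-level privilege: 1 means the scan account is SYSADMIN
--    (only expected after gdmmonitor-mss-SA.sql has been run).
SELECT N'sqlguard' AS login_name,
       IS_SRVROLEMEMBER('sysadmin', N'sqlguard') AS is_sysadmin;

-- 3. Per-database check: does the gdmmonitor role exist, and is sqlguard a member?
DECLARE @results TABLE (db_name sysname, has_role bit, user_in_role bit);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside sp_executesql scopes the catalog lookups to @db for this batch only.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(),
               CASE WHEN EXISTS (SELECT 1 FROM sys.database_principals
                                 WHERE name = N''gdmmonitor'' AND type = ''R'') THEN 1 ELSE 0 END,
               CASE WHEN EXISTS (SELECT 1
                                 FROM sys.database_role_members rm
                                 JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
                                 JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
                                 WHERE r.name = N''gdmmonitor'' AND u.name = N''sqlguard'') THEN 1 ELSE 0 END;';
    INSERT INTO @results EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Databases where the script has not fully taken effect show 0 in either column.
SELECT db_name, has_role, user_in_role
FROM @results
ORDER BY user_in_role, has_role, db_name;
```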

 

Database type: DB2


-- This script grants the required privileges for VA on the database. You don't have to do anything.

-- ------------------------------
-- before running this script
-- ------------------------------
-- The role and the user must exist as an OS group before running this script.
-- Example using AIX:
--    # mkgroup gdmmon
--    # mkuser pgrp=gdmmon groups=gdmmon <gdm_user>
--    # passwd <gdm_user>
--
-- Example using Linux:
--    # groupadd gdmmon
--    # useradd -m -d /home/gdm_user -g gdmmon gdm_user
--    # passwd gdm_user

Database type: Oracle


-- This script creates a 'gdmmonitor' role required for Classification and Assessment on the database.
--
-- Note: This script grants execution of the user-defined
--       password verification function to 'gdmmonitor' so that
--       assessment tests may evaluate password strength.
--       Make sure that the user executing this script has
--       Authority to grant execution to the function used
--       to verify password strength.
--
-- ------------------------------
-- before running this script
-- ------------------------------
-- Nothing
 


Database Type: Teradata


-- This script creates a role called 'gdmmonitor'.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then grants the gdmmonitor role to a user called "sqlguard".
--
-- ------------------------------
-- before running this script
-- ------------------------------
--  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
--  This sqlguard login doesn't need to be added to any database or given
--  any privilege.  The script will take care of that.


Document Information

Modified date:
16 June 2018

UID

swg22008986