DbProtect 2009.1 Installation Guide Last Modified February 5, 2009 Application Security, Inc. www.AppSecInc.com [email protected] 1-866-9APPSEC


Contents

Chapter 1 - Introduction
• Product, Guide, and Documentation Suite Overview
• Intended Audience
• DbProtect Components

Chapter 2 - Planning Your DbProtect Installation
• Network Pre-Installation Considerations
• DbProtect Installation Checklist

Chapter 3 - Minimum System Requirements
• Console - Minimum System Requirements
• Sensors - Minimum System Requirements
• Scan Engines - Minimum System Requirements

Chapter 4 - Licensing

Chapter 5 - Installing the DbProtect Components and Logging Into the Console
• Installing the DbProtect Suite Management Components
• Installing and Starting/Stopping the Sensors
• Installing Scan Engines
• Logging Into the Console

Chapter 6 - Uninstalling the DbProtect Components
• Uninstalling the Console
• Uninstalling and Unregistering a Sensor
• Uninstalling a Scan Engine

Chapter 7 - Installation Troubleshooting

Appendices
• Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster
• Appendix B: What Are the MSDE Lockdown Scripts Doing During the Installation of DbProtect?
• Appendix C: Modifying the Sensor Listener Port Number
• Appendix D: Network Ports Used by DbProtect
• Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers
• Appendix F: Modifying the "Log On As" User for the AppRadar Sensor and DbProtect Message Collector Services
• Appendix G: DB2 Administrative Client Driver Installation
• Appendix H: DbProtect Log Files
• Appendix I: Using App DSN, the Repair ODBC Utility
• Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins
• Appendix K: Required Client Drivers for Audits
• Appendix L: Required Audit Privileges
• Appendix M: Auditing SQL Server (Using Windows Authentication) Against a Machine on a Different or Untrusted Domain
• Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and Greater
• Appendix O: Determining Your NetBIOS Name and Your Full-Qualified Domain Name
• Appendix P: Monitoring Multiple Instances on a DB2 Server
• Appendix Q: Clearing Your Java Cache

Chapter 1 - Introduction

This chapter explains what’s in the DbProtect Installation Guide, the intended audience, and the components of DbProtect.

What you will find in this chapter:

• Product, Guide, and Documentation Suite Overview

• Intended Audience

• DbProtect Components.

Product, Guide, and Documentation Suite Overview

This section includes an overview, an explanation of conventions used, and a listing of other DbProtect guides available for customers.

What you will find in this section:

• About DbProtect

• What you will find in this guide

• If you need more help.

About DbProtect

The Industry’s Only Complete Database Security Solution

A centrally-managed enterprise solution for comprehensive database security, DbProtect combines Discovery, vulnerability scanning, real-time activity monitoring, and Auditing to help organizations reduce risk and enhance compliance. The integrated suite is comprised of the company’s flagship solutions for database vulnerability assessment and real-time database activity monitoring which protect enterprise organizations around the world from all internal and external threats, while also ensuring that those organizations meet or exceed regulatory compliance requirements.

Applying the proven security industry best practices of vulnerability assessment, structured risk mitigation, and real-time intrusion monitoring, coupled with extensive enterprise features (including fine-grained access controls, and centralized management and reporting), DbProtect delivers comprehensive security and auditing capabilities to complex, diverse enterprise database environments.

Address Database Threats and Provide Protection with Proven Technology

• Tamper Evident Privileged Activity Monitoring defends against misuse, fraud and abuse from internal and external users.

• Comprehensive Vulnerability Assessment identifies and reduces risk.

• Real-Time Monitoring and Intrusion Detection immediately identifies database attacks or misuse.

• Compensating Controls, including Patch Gap management, assists with prioritizing of database security patches and defending against attack.

• Improved Integration enables reporting on security patch progress, risk mitigation impact, and overall compliance status.


• Application Awareness provides critical insight into IT infrastructure enabling organizations to better understand their database inventory, and thereby mitigate compliance risk factors, as well as addressing database security needs.

• Industry-leading Knowledgebase utilizes the most comprehensive catalog of database-specific threats, many discovered by Team SHATTER, our own research and development team.

• DbProtect’s ASAP Update mechanism ensures protection remains up to date. This allows users to immediately identify and detect worms, buffer overflows, and privilege escalation exposures and attacks enabling a timely, informed, and fast response.

Enhance Regulatory Compliance Efforts

DbProtect enables enterprises to ground compliance efforts in the database applications that house regulated data – be it material financial transactions, critical intellectual property, or sensitive personal information. The solution also supports forensic investigations and analysis. This approach to database security includes:

• Robust access and authentication controls

• Privileged and non-privileged user monitoring

• Vulnerability and threat management

• Suspicious activity monitoring with proactive real-time alerts

• Defined security policies to guide user activity.

These security components collectively facilitate regulatory compliance and create active and intelligent protection mechanisms for databases. By grounding efforts in the databases where sensitive data spends the bulk of its existence, the suite helps customers comply with a variety of business and regulatory requirements including the PCI Data Security Standard, HIPAA, GLBA, California Security Breach Information Act (SB 1386), Sarbanes-Oxley Act, Basel II, ISO 27001/17799, DISA-STIG, FISMA, NIST 800-53, PIPEDA, Canada’s Bill 198, and MITS.

What you will find in this guide

This guide consists of the following chapters:

• Chapter 2 - Planning Your DbProtect Installation

• Chapter 3 - Minimum System Requirements

• Chapter 4 - Licensing

• Chapter 5 - Installing the DbProtect Components and Logging Into the Console

• Chapter 6 - Uninstalling the DbProtect Components

• Chapter 7 - Installation Troubleshooting

• Appendices.

If you need more help

You can contact Application Security, Inc. Customer Support any time by emailing [email protected], or by calling 1-866-9APPSEC or 1-212-912-4100.

Intended Audience

This guide is intended for persons responsible for installing the core components of DbProtect (i.e., the Console, Scan Engines, and Sensors). Typically, those responsible for installing DbProtect have the following (sometimes overlapping) job roles:

• system administrators; for more information, see System administrators

• network administrators; for more information, see Network administrators

• database administrators; for more information, see Database administrators.

System administrators

The system administrator maintains and operates a computer system and/or network. System administrators are often members of an Information Technology (IT) department. Their duties are wide-ranging, and vary from one organization to another. System administrators are usually charged with installing, supporting, and maintaining servers or other computer systems, and planning for and responding to service outages and other problems. Other duties may include scripting or light programming, project management for systems-related projects, supervising or training computer operators, and being the consultant for computer problems beyond the knowledge of technical support staff.

Network administrators

The network administrator is a professional responsible for the maintenance of computer hardware and software that comprises a computer network. This normally includes the deployment, configuration, maintenance and monitoring of active network equipment.

Network administration commonly includes activities and tasks such as network address assignment, assignment of routing protocols and routing table configuration, as well as configuration of authentication and authorization-directory services. A network administrator’s duties often also include maintenance of network facilities in individual machines, such as drivers and settings of personal computers, as well as printers and so on.

Network administration also sometimes entails maintenance of certain network servers, e.g., file servers, VPN gateways, intrusion detection systems, etc. Network specialists and analysts concentrate on the network design and security, particularly troubleshooting and/or debugging network-related problems. Their work can also include the maintenance of the network's authorization infrastructure, as well as network backup systems.

In addition, the network administrator is responsible for the security of the network and for assigning IP addresses to the devices connected to the networks. Assigning IP addresses gives the subnet administrator some control over the professional who connects to the subnet. It also helps to ensure that the administrator knows each system that is connected and who personally is responsible for the system. When network administrators give a system an IP address, they also delegate certain security responsibilities to the system administrator.

Database administrators

A database administrator (DBA) is responsible for the environmental aspects of a database. In general, these include:

• Recoverability. Creating and testing backups.

• Integrity. Verifying or helping to verify data integrity.

• Security. Defining and/or implementing access controls to the data.

• Availability. Ensuring maximum uptime.

• Performance. Ensuring maximum performance.

• Development and testing support. Helping programmers and engineers to efficiently utilize the database.

The role of a DBA has changed according to the technology of database management systems (DBMSs), as well as the needs of the database owners.

DbProtect Components

This section provides a comprehensive overview of the DbProtect components.

What you will find in this section:

• Conceptual diagram

• Console

• Sensors

• Scan Engines.

Conceptual diagram

The following conceptual diagram illustrates how the DbProtect components interact, and indicates which standard listen ports must be open in order for DbProtect to work.

Console

The Console is the web browser-based, graphical component of DbProtect that allows you to navigate to the various features of the two DbProtect products: DbProtect AppRadar and DbProtect AppDetective. For more information on navigating the Console and using DbProtect, see the DbProtect User’s Guide.

Sensors

Sensors monitor your database for a variety of events, such as intrusion attempts or auditing of normal usage.

There are two types of Sensors available:

• Host-based Sensors, which monitor SQL Server, Oracle, or DB2 databases on the host server

• Network-based Sensors, which monitor your Oracle, DB2 or Sybase databases on the network.

Sensors fire Alerts when they detect a violation of rules, and a monitored event occurs. For more information on Alerts, see the DbProtect User’s Guide.

HOST-BASED SENSORS

Host-based Sensors allow you to monitor the following databases on a host server:

• SQL Server on Windows

• Oracle on Solaris, AIX, HP-UX, Red Hat Enterprise Linux, and Windows

• DB2 on Solaris, AIX, Red Hat Enterprise Linux, and Windows.

The table below lists all supported host-based database/OS combinations, and links you to the installation steps.

DB | OS | For minimum system requirements, see: | For installation instructions, see:
SQL SERVER | WINDOWS | Host-based Sensor for SQL Server (on Windows) - minimum system requirements | Host-based Sensor for SQL Server (on Windows) - installation steps
DB2 | RED HAT ENTERPRISE LINUX | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps
DB2 | SOLARIS | Host-based Sensor for DB2 (on Solaris) - minimum system requirements | Host-based Sensor for DB2 (on Solaris) - installation steps
DB2 | AIX | Host-based Sensor for DB2 (on AIX) - minimum system requirements | Host-based Sensor for DB2 (on AIX) - installation steps
DB2 | WINDOWS | Host-based Sensor for DB2 (on Windows) - minimum system requirements | Host-based Sensor for DB2 (on Windows) - installation steps
ORACLE | SOLARIS | Host-based Sensor for Oracle (on Solaris) - minimum system requirements | Host-based Sensor for Oracle (on Solaris) - installation steps
ORACLE | AIX | Host-based Sensor for Oracle (on AIX) - minimum system requirements | Host-based Sensor for Oracle (on AIX) - installation steps
ORACLE | HP-UX | Host-based Sensor for Oracle (on HP-UX) - minimum system requirements | Host-based Sensor for Oracle (on HP-UX) - installation steps
ORACLE | RED HAT ENTERPRISE LINUX | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps
ORACLE | WINDOWS | Host-based Sensor for Oracle (on Windows) - minimum system requirements | Host-based Sensor for Oracle (on Windows) - installation steps

NETWORK-BASED SENSORS

Network-based Sensors allow you to monitor Windows-based Sybase, Oracle, and DB2 on the network. If you want to install a network-based Sensor, the table below lists supported database/OS combinations, and links you to the installation steps.

DB | For minimum system requirements, see: | For installation instructions, see:
DB2 | Network-based Sensor for DB2 - minimum system requirements | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps
SYBASE | Network-based Sensor for Sybase - minimum system requirements | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps
ORACLE | Network-based Sensor for Oracle - minimum system requirements | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps

Note: The network-based Sensor only runs on the Windows OS, but the databases it monitors do not need to be running on Windows.

Scan Engines

DbProtect’s network-based, vulnerability assessment Scan Engines discover database applications within your infrastructure and assess their security strength. Backed by a proven security methodology and extensive knowledge of application-level vulnerabilities, DbProtect locates, examines, reports, and fixes security holes and misconfigurations. Scan Engines scan your databases for vulnerabilities, and allow you to perform Penetration (Pen) Tests and Audits against them.

Target databases (on Windows) include:

• Oracle

• Oracle Application Server

• SQL Server

• Lotus Notes/Domino

• Sybase

• DB2

• DB2 on the Mainframe

• MySQL.


For more information on Scan Engine:

• minimum system requirements, see Scan Engines - Minimum System Requirements

• installation instructions, see Installing Scan Engines.

Chapter 2 - Planning Your DbProtect Installation

This chapter explains how to plan your DbProtect installation.

What you will find in this chapter:

• Network Pre-Installation Considerations

• DbProtect Installation Checklist.

Network Pre-Installation Considerations

This section provides a comprehensive overview of the DbProtect technical components, and lists

What you will find in this section:

• Network connectivity

• Ports and firewalls.

Network connectivity

The Console must have network connectivity to the following:

• all applications you want to monitor

• all installed Sensors

• all installed Scan Engines

• SNMP and Syslog systems (optional).

You should install the Console on a machine connected to the network continuously, if you want to receive real-time Alerts from the Sensors.

DbProtect has its own method of authentication and using a firewall is not required to restrict access. The Message Collector component of DbProtect listens for HTTPS traffic on port 20081 (unless you configure it differently during the Console installation) which the Sensor uses to send Alerts to the Console. Application Security, Inc. recommends you disallow all traffic to that port except from the Sensors.

Ports and firewalls

Every Sensor installation requires its own dedicated port for communication. Specify which port number the Sensor should use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host server. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host machine. For more information, see Installing and Starting/Stopping the Sensors.

The Console uses port 20080 (by default) to send data to, and receive data from, the Sensors. The Sensors, by comparison, send data to, and receive data from, the Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via port 20000) to the Console's Message Collector component, the Message Collector receives these Alerts on port 20081 (by default). For more information, see DbProtect suite management components - installation steps.

Note: If you maintain a firewall with “hardened” security, the traffic on both ports is SSL.


If you are installing a Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available).

If you are installing a host-based Sensor on any *nix platform, you can, at any time, change the port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

Note: No other machines should be permitted to connect to the Sensors.

Components of DbProtect communicate via Internet Protocol (IP) connections. To help you configure your firewall properly, the table in Appendix D: Network Ports Used by DbProtect lists each component and describes how they each use the network.
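
The access restrictions stated in this section (only the Sensors should reach the Message Collector port, and no machine other than the Console should connect to a Sensor) can be checked against a host's firewall rules before the installation goes live. The following Python example is an addition to this guide, not part of DbProtect or its documentation: the first-match rule-list format, the IP addresses, and the function names are assumptions constructed for illustration; only the default port numbers come from the guide.

```python
import ipaddress

# Default ports stated in the guide.
MESSAGE_COLLECTOR_PORT = 20081  # Console side: receives Alerts from the Sensors
SENSOR_PORT = 20000             # Sensor side: receives commands from the Console

# Constructed addresses (assumptions for this example).
CONSOLE = "10.0.5.2"
SENSORS = ["10.0.5.11", "10.0.5.12"]

# Constructed first-match rule lists: (action, source CIDR, destination port).
WEAK_CONSOLE_RULES = [
    ("allow", "10.0.5.11/32", 20081),
    ("allow", "10.0.5.12/32", 20081),
    ("allow", "10.0.0.0/16", 20081),  # leftover broad rule: whole site reaches the port
    ("deny", "0.0.0.0/0", "any"),
]
HARDENED_CONSOLE_RULES = [
    ("allow", "10.0.5.11/32", 20081),
    ("allow", "10.0.5.12/32", 20081),
    ("deny", "0.0.0.0/0", "any"),
]
# On a Sensor host: the allow for the Console is shadowed by an earlier deny.
SHADOWED_SENSOR_RULES = [
    ("deny", "10.0.5.0/24", 20000),
    ("allow", "10.0.5.2/32", 20000),
    ("deny", "0.0.0.0/0", "any"),
]


def _subtract(nets, cut):
    """Remove the network `cut` from every network in `nets`."""
    out = []
    for n in nets:
        if not n.overlaps(cut):
            out.append(n)                       # untouched
        elif cut.supernet_of(n):
            continue                            # n is entirely covered by cut
        else:
            out.extend(n.address_exclude(cut))  # cut lies strictly inside n
    return out


def audit_port(rules, port, approved_hosts):
    """Evaluate `rules` first-match (implicit default deny) for one port.

    Returns a dict with:
      too_broad: (rule number, source, count of non-approved addresses admitted)
      blocked:   approved hosts that no allow rule actually reaches
    """
    approved = {ipaddress.ip_address(h) for h in approved_hosts}
    remaining = [ipaddress.ip_network("0.0.0.0/0")]  # sources not yet matched
    too_broad, reachable = [], set()
    for number, (action, src, dport) in enumerate(rules, 1):
        if dport not in (port, "any"):
            continue
        src_net = ipaddress.ip_network(src)
        # Part of this rule's source range that earlier rules did not claim.
        hit = [n if src_net.supernet_of(n) else src_net
               for n in remaining if n.overlaps(src_net)]
        remaining = _subtract(remaining, src_net)
        if action != "allow":
            continue
        ok = {a for a in approved if any(a in n for n in hit)}
        reachable |= ok
        extra = sum(n.num_addresses for n in hit) - len(ok)
        if extra:
            too_broad.append((number, src, extra))
    blocked = [str(h) for h in sorted(approved - reachable)]
    return {"too_broad": too_broad, "blocked": blocked}


if __name__ == "__main__":
    checks = [
        ("console (weak)", WEAK_CONSOLE_RULES, MESSAGE_COLLECTOR_PORT, SENSORS),
        ("console (hardened)", HARDENED_CONSOLE_RULES, MESSAGE_COLLECTOR_PORT, SENSORS),
        ("sensor (shadowed)", SHADOWED_SENSOR_RULES, SENSOR_PORT, [CONSOLE]),
    ]
    for name, rules, port, hosts in checks:
        print(name, audit_port(rules, port, hosts))
```

A non-empty `too_broad` list means hosts other than the approved ones can reach the port; a non-empty `blocked` list means an approved peer is cut off, which would stop Alerts or Console commands from arriving.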

DbProtect Installation Checklist

Below is a checklist for a typical DbProtect installation scenario:

☐ Action

☐ 1. REVIEW THE MINIMUM SYSTEM REQUIREMENTS.

Before you install any software, carefully read the minimum system requirements, prerequisites, and recommendations for:

• the Console

• Sensors (host-based or network-based)

• Scan Engines.

For more information, see Chapter 3 - Minimum System Requirements.

☐ 2. OBTAIN THE LICENSE FILES.

For more information, see Chapter 4 - Licensing.

☐ 3. INSTALL THE DBPROTECT COMPONENTS.

Application Security, Inc. provides you with the installation files for:

• the DbProtect management bundle

• Sensors (host-based or network-based)

• Scan Engines.

Note: The Console and the Scan Engines run on Windows. The host- and network-based Sensors, however, can run on a variety of database/OS combinations.

For more information, see Chapter 5 - Installing the DbProtect Components and Logging Into the Console.

Chapter 3 - Minimum System Requirements

This chapter provides minimum system requirements for the following DbProtect components: the Console, the Sensors, and the Scan Engines.

What you will find in this chapter:

• Console - Minimum System Requirements

• Sensors - Minimum System Requirements

• Scan Engines - Minimum System Requirements.

Console - Minimum System Requirements

This section provides detailed minimum system requirements for the Console component of DbProtect.

What you will find in this section:

• Hardware

• Operating system

• Required installation and runtime user account rights and privileges (for the Console and Data Repository)

• Browser

• Networking and firewall considerations

• Data Repository

• Additional Console assumptions, prerequisites, and recommendations.

Hardware

• Processor. 1.5 GHz processor minimum; 2+ GHz processors recommended. Dual processors recommended for larger installations. Dual processors recommended if you are running the Console and a network-based Sensor on the same machine.

• RAM. 2 GB minimum; 3 GB recommended. 4 GB recommended especially if you are running both the Console and a network-based Sensor on the same machine.

• Hard drive space. 150 MB for program files. 3GB minimum for the Data Repository; 20 GB or more recommended (may vary).

When you upgrade the DbProtect Console from a version lower than 3.10, the upgrade creates a backup of all files. This means space requirements are temporarily doubled for the period of the upgrade. The upgrade creates backups of the DbProtect and AppDetective folders (DbProtectBackup and AppDetectiveBackup, respectively). You can safely delete these backup files after your upgrade is complete, but only after you have logged into the DbProtect Console to make sure your upgrade was successful, and you can log into the DbProtect Console (for more information on logging into the DbProtect Console, see Logging Into the Console).

You must have a minimum of 1GB of disk space on your C:\ drive -- even if you are installing the Console on an alternate drive -- because the installer is uncompressed to the default Windows temp directory on C:\. The operating system uses this space for unpacking installer files. This additional space is required only for users installing the product for the first time, as well as those upgrading from previous versions of DbProtect Console.

However, if you don't have enough space on your C:\ drive, there is a workaround:

1.) Right click My Computer and select Properties to display the System Properties dialog box.

2.) Click the Environment Variables button to display the Environment Variables dialog box.

3.) Edit the system environment variables TEMP and TMP to point to another drive that has enough space (e.g., E:\systmp).

Operating system

The Console runs on Windows. The following versions are supported:

• Windows 2000 Server

• Windows 2000 Advanced Server

• Windows Server 2003.

The Console also runs on Windows XP Professional Service Pack 1 or greater for evaluation purposes only.

Note: For DbProtect AppRadar, the Console uses local Microsoft Windows groups for authentication. Consequently, you cannot also use the Console machine as a domain controller. For DbProtect AppDetective, the Console authenticates through Active Directory.

You must also have Microsoft .NET Framework 2.0 SP1 (x86) installed in order to install the Console. If the DbProtect installer does not detect Microsoft .NET Framework 2.0 SP1 (x86) installed on your host server, the installer will prompt you to install it. For more information, see DbProtect suite management components - installation steps.

Required installation and runtime user account rights and privileges (for the Console and Data Repository)

Note: Your Console server and Data Repository database server (if remote) must have a trusted relationship with one another, or be in the same domain/workgroup.

The Console requires certain privileges on the host where it is installed, as well as on the associated Data Repository. The following table explains the account privileges required for various aspects of installation and runtime operation of the Console.

Account: Setup User

Purpose: Account used when installing the software for the first time or when upgrading the system.

Used by: Person installing

Requirements:

• Member of Windows group Administrators on the DbProtect server host.

Note: This user must have privileges on the target database for upgrades.

• Needs access to SQL Server database master and must have SQL Server role Database Creator (dbcreator) or equivalent permissions on the SQL Server to be used for the Data Repository.

Note: SQL Server rights are not required if you intend to use SQL authentication credentials when the DbProtect installer prompts you for database installer information.

• For all operating systems, the Setup User must also have the “Logon as a service” privilege, and must belong to the local Administrators group.

• Windows 2000 users must also have the “Act as part of the operating system” privilege.


Account: Runtime User

Purpose: Account used to run all of the services in the DbProtect system. Allows DbProtect to read, write and modify data in its backend database.

Used by: The DbProtect Console and DbProtect Message Collector services.

Requirements:

• “Log on as a service” Windows user right.

• Read, write, and change rights to the area of the filesystem where the DbProtect software is installed (the default location is C:\Program Files\AppSecInc).

• Needs access to the SQL Server database AppDetective and must have the database roles db_datareader and db_datawriter.

Note: It is possible to configure the system to use SQL authentication to access the database. In this case, the Runtime User does not need SQL Server access.

• Windows 2000 users must also have the “Act as part of the operating system” privilege.

Account: Database User

Purpose: Allows DbProtect to read, write and modify data in its Data Repository using SQL authentication.

Note: This account is optional.

Used by: DbProtect Console and DbProtect Message Collector services.

Requirements: Needs access to the SQL Server database AppDetective and have the database roles db_datareader and db_datawriter.


Account: Database Installer

Purpose: Account used during the setup process to create and configure the Data Repository.

Used by: Setup program

Requirements: Needs access to SQL Server database master and have SQL Server role Database Creator (dbcreator) or equivalent permissions on the SQL Server to be used for DbProtect's Data Repository.

Note: The user has the option to use the credentials of the Setup User as long as that user has appropriate SQL Server permissions as described above.
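One way to provision the Database Installer and the optional Database User as SQL-authenticated logins holding only the roles listed above, as an added example that is not part of the original guide. The login names dbp_installer and dbp_runtime and the password placeholders are hypothetical, and the second batch assumes setup has already created the AppDetective database; the system procedures used exist in both SQL Server 2000 and SQL Server 2005.

```sql
-- Added example: least-privilege SQL logins for the DbProtect Data Repository.
-- Hypothetical names: dbp_installer, dbp_runtime. Replace the password placeholders.

-- 1. Database Installer: access to master plus the dbcreator server role.
USE master;
EXEC sp_addlogin @loginame = 'dbp_installer',
                 @passwd   = '<INSTALLER_PASSWORD_PLACEHOLDER>',
                 @defdb    = 'master';
EXEC sp_addsrvrolemember @loginame = 'dbp_installer',
                         @rolename = 'dbcreator';

-- 2. Database User (optional account): a login with no server roles at all.
EXEC sp_addlogin @loginame = 'dbp_runtime',
                 @passwd   = '<RUNTIME_PASSWORD_PLACEHOLDER>',
                 @defdb    = 'master';
GO

-- Run this batch only once the AppDetective database exists
-- (assumption: setup has already created it).
USE AppDetective;
EXEC sp_grantdbaccess @loginame = 'dbp_runtime', @name_in_db = 'dbp_runtime';
EXEC sp_addrolemember @rolename = 'db_datareader', @membername = 'dbp_runtime';
EXEC sp_addrolemember @rolename = 'db_datawriter', @membername = 'dbp_runtime';
GO

-- 3. Verify that neither login picked up more than intended.
--    Expect dbcreator = 1 for dbp_installer only, and sysadmin = 0 for both.
SELECT l.name,
       l.sysadmin,
       l.securityadmin,
       l.serveradmin,
       l.dbcreator
FROM   master.dbo.syslogins AS l
WHERE  l.name IN ('dbp_installer', 'dbp_runtime');

-- The GroupName column should list only db_datareader and db_datawriter.
USE AppDetective;
EXEC sp_helpuser 'dbp_runtime';
GO
```

The verification queries are worth re-running after each upgrade, since the Setup User needs privileges on the target database for upgrades and any temporary grants should not be left on the runtime login.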


Browser

Internet Explorer 6 or greater with JavaScript enabled. The minimum screen resolution is 1024x768.

Networking and firewall considerations

What you will find in this help topic:

• Networking

• Firewall Considerations.

NETWORKING

Network connectivity is required for the Console to communicate with the Sensors. You should install the Console on a machine connected to the network continuously, if you want to collect real-time Alerts from the Sensors continuously.

Every Sensor installation requires its own dedicated port for communication. Specify which port number the Sensor should use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host server. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host machine. For more information, see Installing and Starting/Stopping the Sensors.

The Console uses port 20080 (by default) to send data to, and receive data from, the Sensors. The Sensors, by comparison, send data to, and receive data from, the Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via port 20000) to the Console's Message Collector component, the Message Collector receives these Alerts on port 20081 (by default). For more information, see DbProtect suite management components - installation steps.

If you are installing a Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available).

If you are installing a host-based Sensor on any *nix platform, you can, at any time, change the port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

FIREWALL CONSIDERATIONS

The Console is accessible via HTTPS on default port 20080. You can allow all machines, certain machines, or no machines to have access from outside your firewall. In the latter case, only machines inside the firewall can access the Console. This is completely at your discretion, but for convenience Application Security, Inc. recommends you at least allow users to connect from their desktop machines.


Data Repository

DbProtect requires a SQL Server 2000 or SQL Server 2005 Data Repository to operate. This Data Repository stores all Alerts and audit data, as well as its system configuration information.

You can install a database, or choose an existing database instance. During setup, the installation wizard prompts you to either:

• install SQL Server Desktop Engine 2000 (MSDE 2000), a free version of Microsoft SQL Server designed for client applications (like DbProtect) that require a Data Repository

• specify the SQL Server 2000 or SQL Server 2005 instance where you want to install the Data Repository.

Note: Remote vs. local installation options are related to whether you install MSDE 2000 or SQL Server as your Data Repository; for more information, see Local vs. remote installation considerations.

If you choose to install MSDE 2000 as your Data Repository, a correct installation is essential for DbProtect to function properly. Also note, older versions of MSDE 2000 are not automatically upgraded.

Note: MSDE 2000 runs much slower than SQL Server, and has a data capacity limitation of 2GB. If processing speed is an issue, and/or if you plan to audit a large volume of data, Application Security, Inc. recommends you use a SQL Server database. For more information, see Warning about the possible effects of installing MSDE 2000 on the Alert Manager.

What you will find in this help topic:

• Requirement: administrative privileges on SQL Server 2000

• Requirement: server-level login on SQL Server (with sysadmin privileges)

• Requirement: deleting your existing DbProtect Data Repository

• Requirement: Administrators group membership for Windows login

• Acceptable Data Repository software

• Local vs. remote installation considerations

• Warning about Enterprise Manager/Query Analyzer corruption

• Warning about the possible effects of installing MSDE 2000 on the Alert Manager.

REQUIREMENT: ADMINISTRATIVE PRIVILEGES ON SQL SERVER 2000

If you choose not to install MSDE (bundled with the Console), and choose instead to use your own instance of SQL Server 2000 (SP4 or higher), then you must have administrative privileges on that instance.


REQUIREMENT: SERVER-LEVEL LOGIN ON SQL SERVER (WITH SYSADMIN PRIVILEGES)

In Chapter 5 - Installing the DbProtect Components and Logging Into the Console, you will be prompted to choose an authentication type: Windows Authentication or SQL Authentication. Regardless of which authentication type you choose, you must first create the specified account as a server-level login on SQL Server before you install DbProtect. The account must have sysadmin privileges.

REQUIREMENT: DELETING YOUR EXISTING DBPROTECT DATA REPOSITORY

If a Data Repository and account already exist on your SQL Server or MSDE database, you must delete them.

REQUIREMENT: ADMINISTRATORS GROUP MEMBERSHIP FOR WINDOWS LOGIN

You must log on with a Windows account in the Administrators group. This is required to install the Windows service. The service name is DbProtect. For more information on starting and stopping DbProtect services, see the DbProtect Administrator’s Guide.

ACCEPTABLE DATA REPOSITORY SOFTWARE

Your Data Repository can be:

• SQL Server 2000 instance (SP4 or higher)

• SQL Server 2005

• SQL Server Desktop Engine (MSDE 2000).

You can install a new instance, or choose an existing instance, for your Data Repository. During setup, the Console installation wizard prompts you to either:

• specify the instance where you want to install the Data Repository

• install SQL Server Desktop Engine (MSDE 2000), a free version of SQL Server designed for client applications (like DbProtect) that require an embedded database.

Note: Due to performance and space limitations inherent to MSDE 2000, Application Security, Inc. recommends you install a full SQL Server instance, not MSDE 2000.

LOCAL VS. REMOTE INSTALLATION CONSIDERATIONS

If you choose to:

• install MSDE 2000 as your Data Repository, it is installed locally, i.e., on the same physical host where the Console is installed

• use SQL Server as your Data Repository, you can install it locally or remotely, i.e., on a physical box separate from where the Console is installed.


Note: If you supply your own SQL Server instance as the back-end of your Console installation, you must patch the instance to SP4 or later.

WARNING ABOUT ENTERPRISE MANAGER/QUERY ANALYZER CORRUPTION

On a computer that has SQL Server 2000 with Service Pack (SP) 1 or SP2 installed, the installation of MSDE 2000 might corrupt your Enterprise Manager/Query Analyzer settings. You can upgrade your SQL Server database to the latest service pack levels recommended by Microsoft, then start the installation.

WARNING ABOUT THE POSSIBLE EFFECTS OF INSTALLING MSDE 2000 ON THE ALERT MANAGER

MSDE 2000 runs significantly slower than SQL Server, and has a data capacity limitation of 2GB. If processing speed is an issue, and/or if you plan to audit a large volume of data, Application Security, Inc. recommends you use a SQL Server database.

The 2GB limitation with MSDE 2000 can also cause problems when you use the Alert Manager. Specifically, when you reach the 2GB capacity:

• the Current Alerts portion of the Alert Manager stops displaying new Alerts (regardless of whether it is manually or automatically refreshed)

• current Alerts can no longer be Archived -- hence, there is no way to delete the Archived Alerts through the UI in order to reclaim space for the database.

• If processing speed is an issue, and/or if you plan to audit a large volume of data, Application Security, Inc. recommends you use a SQL Server database.

Additional Console assumptions, prerequisites, and recommendations

Additional Console assumptions, prerequisites, and recommendations follow:

• The Console installation process assumes a clean installation of DbProtect using an Application Security, Inc.-provided CD, or via download from the Application Security, Inc. FTP site or website.

• SQL Server 2000 Prerequisite. Patch your SQL Server 2000 Data Repository to at least Service Pack 4 (SP4) before installing the Console. For more information, see Data Repository.

• Administrators Group Prerequisite. You must log on with a Windows account in the Administrators group. This is required to install the Windows service. The service name is DbProtect. For more information on starting/stopping services, see the DbProtect Administrator’s Guide.

• Server-Level Login on SQL Server (with sysadmin Privileges) Prerequisite. Regardless of which authentication type (i.e., Windows Authentication or SQL Authentication) you choose when you are installing the Console, you must first create the specified account as a server-level login on your SQL Server before you begin installing the Console. The specified account must have sysadmin privileges.


In addition, your Console server and Data Repository server (if remote) must have a trusted relationship with one another. For example, they must be in the same domain or workgroup. Otherwise you will receive the following error message:

"Login failed for user '(null)'. Reason: Not associated with trusted SQL Server Connection."

Also, your database server must have a valid Microsoft SQL Server account for the Console server to access.

If you want to use:

-Microsoft SQL Server authentication, you can create a new username/password, add the necessary privileges, and install the Console with that username/password.

-Windows authentication, you can do the following:

By default Microsoft SQL Server 2000 adds the "Builtin\Administrators" group. This means users can add any domain user to the Administrators group in Windows and install the Console using that domain user.

Or, you can create a new user from the Enterprise Manager with the name "domainname\username", then select Windows Authentication, then enter "domainname". You can now use that domain user to install the Console.

• SQL Server 2005 browser service requirement. The SQL Server 2005 browser service must be on if you:

-have a SQL Server 2005 Data Repository installed on a non-default instance, in order for the Console to function correctly

-are upgrading from DbProtect 2007.0 or later with a SQL Server 2005 Data Repository (i.e., the SQL Server 2005 browser service must be running at the time of the upgrade)

-plan to specify (or specified) an instance name (not a port) during installation of the Database Component; for more information, see DbProtect suite management components - installation steps.

• Warning to SQL Server Administrators. On a computer that has SQL Server 2000 with Service Pack (SP) 1 or SP2 installed, the installation of MSDE 2000 might corrupt your Enterprise Manager/Query Analyzer settings. You can upgrade your SQL Server database to the latest service pack levels recommended by Microsoft, then start the installation.


• Warning About the Possible Effects on the Alert Manager of an MSDE 2000 Installation. MSDE 2000 runs much slower than SQL Server, and has a data capacity limitation of 2GB. If processing speed is an issue, and/or if you plan to audit a large volume of data, Application Security, Inc. recommends you use a SQL Server database.

The 2GB limitation with MSDE 2000 can also cause problems when you use the Alert Manager. Specifically, when you reach the 2GB capacity:

-the Current Alerts portion of the Alert Manager stops displaying new Alerts (regardless of whether it is manually or automatically refreshed)

-current Alerts can no longer be Archived -- hence, there is no way to delete the Archived Alerts through the Console in order to reclaim space for the database.

Note: If processing speed is an issue, and/or if you plan to audit a large volume of data, Application Security, Inc. recommends you use a SQL Server database.

• Windows Installer 3.1. If you do not have Windows Installer 3.1 installed on any supported version of Windows before you run the DbProtect installer, a dialog box informs you that you must install it. You can download Windows Installer 3.1 from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en. For more information on DbProtect installation, see Installing the DbProtect Suite Management Components.

• Security Update for Windows 2000 (KB835732). If you do not have the Security Update for Windows 2000 (KB835732) installed before running the DbProtect installer on a Windows 2000 machine, then you may encounter an error message indicating the prerequisite for Microsoft .NET Framework 2.0 SP1 has not installed correctly. There could be other reasons you could receive this error message. Application Security, Inc. recommends you verify you have the Windows security update installed, then re-try the DbProtect installation. If the installation still fails, you should install the .NET Framework 2.0 SP1 manually by downloading it from the Microsoft website here: http://www.microsoft.com/downloads/details.aspx?FamilyID=029196ED-04EB-471E-8A99-3C61D19A4C5A&displaylang=en

• Application Security, Inc. recommends you clear your Java cache after an upgrade. The Java cache does not get automatically cleared following a reboot. For more information, see Appendix Q: Clearing Your Java Cache.


Sensors - Minimum System Requirements

This section provides detailed minimum system requirements for the Sensor components of DbProtect. There are two types of Sensors available: host-based and network-based.

What you will find in this section:

• Host-based Sensor - minimum system requirements at-a-glance

• Network-based Sensor - minimum system requirements at-a-glance

• Host-based Sensor for SQL Server (on Windows) - minimum system requirements

• Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements

• Host-based Sensor for DB2 (on Solaris) - minimum system requirements

• Host-based Sensor for DB2 (on AIX) - minimum system requirements

• Host-based Sensor for DB2 (on Windows) - minimum system requirements

• Host-based Sensor for Oracle (on Solaris) - minimum system requirements

• Host-based Sensor for Oracle (on AIX) - minimum system requirements

• Host-based Sensor for Oracle (on HP-UX) - minimum system requirements

• Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements

• Host-based Sensor for Oracle (on Windows) - minimum system requirements

• Network-based Sensor for Sybase - minimum system requirements

• Network-based Sensor for Oracle - minimum system requirements

• Network-based Sensor for DB2 - minimum system requirements.


Host-based Sensor - minimum system requirements at-a-glance

Host-based Sensors allow you to monitor the following databases on a host server:

• SQL Server on Windows

• Oracle on Solaris, AIX, HP-UX, Red Hat Enterprise Linux, and Windows

• DB2 on Red Hat Enterprise Linux, Solaris, AIX, and Windows.

If you want to install a host-based Sensor, the table below lists supported database/OS combinations, and links you to the minimum system requirements.

DB | OS | Go to:

SQL SERVER | WINDOWS | Host-based Sensor for SQL Server (on Windows) - minimum system requirements

DB2 | RED HAT ENTERPRISE LINUX | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements

DB2 | SOLARIS | Host-based Sensor for DB2 (on Solaris) - minimum system requirements

DB2 | AIX | Host-based Sensor for DB2 (on AIX) - minimum system requirements

DB2 | WINDOWS | Host-based Sensor for DB2 (on Windows) - minimum system requirements

ORACLE | SOLARIS | Host-based Sensor for Oracle (on Solaris) - minimum system requirements

ORACLE | AIX | Host-based Sensor for Oracle (on AIX) - minimum system requirements

ORACLE | HP-UX | Host-based Sensor for Oracle (on HP-UX) - minimum system requirements

ORACLE | RED HAT ENTERPRISE LINUX | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements

ORACLE | WINDOWS | Host-based Sensor for Oracle (on Windows) - minimum system requirements


A host-based Sensor must reside on the same machine as the SQL Server instance(s), Oracle SID(s), or DB2 UDB instance it is monitoring.

Note: Although it is possible to install a host-based Sensor and the Console on the same host, Application Security, Inc. recommends that for host-based Sensors on production databases you install the Console and Data Repository on different hosts. For more information, see Console - Minimum System Requirements.

Network-based Sensor - minimum system requirements at-a-glance

Network-based Sensors allow you to monitor Windows-based Sybase, Oracle, and DB2 on the network. If you want to install a network-based Sensor, the table below lists supported database/OS combinations, and links you to the minimum system requirements.

DB | Go to:

SYBASE | Network-based Sensor for Sybase - minimum system requirements

ORACLE | Network-based Sensor for Oracle - minimum system requirements

DB2 | Network-based Sensor for DB2 - minimum system requirements

Note: The network-based Sensor only runs on the Windows OS, but the databases it monitors do not need to be running on Windows.

Host-based Sensor for SQL Server (on Windows) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for SQL Server (on Windows).

What you will find in this help topic:

• Supported SQL Server versions

• Supported Windows versions

• Rights and privileges

• Hardware

• Network connectivity

• Important server and instance information

• SQL Server Cluster support.

SUPPORTED SQL SERVER VERSIONS

• SQL Server 2000 (all x86 and x64 editions)

• SQL Server 2005 (all x86 and x64 editions).


SUPPORTED WINDOWS VERSIONS

• Windows 2000 Server (including Advanced Server), 32-bit and 64-bit (excluding Itanium)

• Windows Server 2003 (including Enterprise Edition), 32-bit and 64-bit (excluding Itanium).

RIGHTS AND PRIVILEGES

Installation Rights and Privileges:

You need the following rights and privileges to install a host-based Sensor for SQL Server (on Windows):

• To install a host-based Sensor for SQL Server, you must be a Windows user with administrative rights on both the host server and SQL Server. You must also have domain administrator rights to install a host-based Sensor for SQL Server in a cluster.

• To run the host-based Sensor for SQL Server, you must have “run as a service” rights on Windows, and administrative rights on SQL Server at runtime.

SQL Server 2005 Windows User Requirement:

SQL Server 2005 does not create a login for the Windows user “Local System” by default. You must run the host-based Sensor for SQL Server (on Windows) as a Windows user that exists in your SQL Server instance.

Service Account Requirement:

In addition, the service account (i.e., the user running the AppRadar Sensor service) requires, at a minimum:

• to be in the sysadmin role (SQL Server 2000 only)

• to have ALTER TRACE permission (SQL Server 2005 only)

• to have permission to execute the following stored procedures:

-sp_trace_create

-sp_trace_setevent

-sp_trace_setfilter

-sp_trace_getdata

-sp_trace_setstatus

To use the Audit Filter Wizard (for more information, see the DbProtect User’s Guide), the service account must also be able to query the sysobjects table within all databases.
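A sketch of the SQL Server 2005 case described above, as an added example that is not from the original guide: it creates a login for a dedicated Windows service account, grants ALTER TRACE rather than sysadmin, and lists the server-level permissions the login ends up holding. The account name CORP\svc_appradar is hypothetical.

```sql
-- Added example (SQL Server 2005 syntax). CORP\svc_appradar is a hypothetical
-- Windows account used to run the AppRadar Sensor service.
USE master;
GO

-- SQL Server 2005 creates no login for "Local System" by default, so the
-- service account needs a login of its own in the monitored instance.
IF NOT EXISTS (SELECT 1
               FROM   sys.server_principals
               WHERE  name = N'CORP\svc_appradar')
    CREATE LOGIN [CORP\svc_appradar] FROM WINDOWS;
GO

-- Minimum server-level permission the guide lists for SQL Server 2005.
GRANT ALTER TRACE TO [CORP\svc_appradar];
GO

-- Review every server-level permission held by the login. Beyond the
-- CONNECT SQL that CREATE LOGIN grants, only ALTER TRACE should appear.
SELECT pr.name            AS login_name,
       pe.permission_name,
       pe.state_desc
FROM   sys.server_permissions AS pe
JOIN   sys.server_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pr.name = N'CORP\svc_appradar';

-- Confirm the login was not also placed in sysadmin (expected result: 0).
SELECT IS_SRVROLEMEMBER('sysadmin', N'CORP\svc_appradar') AS is_sysadmin;
GO
```

This covers only the server-level grant. The Audit Filter Wizard requirement to query sysobjects in all databases still needs the login mapped to a user in each database.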


HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required in order for the Sensor to communicate with the Console and, optionally, with SNMP and Syslog systems.

IMPORTANT SERVER AND INSTANCE INFORMATION

• Each machine should have only one Sensor.

• Every Sensor requires its own dedicated port for communication.

• One host-based Sensor can monitor multiple instances on a single machine.

• You can monitor as many SQL Server instances as your license allows; for more information, see Chapter 4 - Licensing.

SQL SERVER CLUSTER SUPPORT

If you want to install a host-based Sensor on a single instance, or multiple instances, of a SQL Server Cluster, then you must read Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster.

Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for DB2 (on Red Hat Enterprise Linux).

What you will find in this help topic:

• Supported DB2 versions

• Supported Red Hat Enterprise Linux versions

• Rights and privileges

• Required Red Hat Enterprise Linux 32- and 64-bit minimum kernel release

• MON_HEAP_SZ database configuration parameter

• Hardware

• Network connectivity

• Single instance monitoring limitation

• User group requirement

• DB2 auditing usage for failed logins.

SUPPORTED DB2 VERSIONS

DB2 versions 8 and 9.


SUPPORTED RED HAT ENTERPRISE LINUX VERSIONS

Red Hat Enterprise Linux 3, 4, or 5 (32-bit x86 and 64-bit x64).

Caution! The host-based Sensor installer may display a warning message if you run it on Red Hat Enterprise Linux 3 to inform you DB2 is not supported on version 3. You may safely ignore this warning.

RIGHTS AND PRIVILEGES

The DB2 administrator must grant the following privileges to the appradar user for every DB2 database in the instance the user wants to monitor. These privileges are:

• SYSADM if the user wants to monitor failed logins

• DBADM if the user does not want to monitor failed logins.

REQUIRED RED HAT ENTERPRISE LINUX 32- AND 64-BIT MINIMUM KERNEL RELEASE

Host-based Sensors for DB2 on Red Hat Enterprise Linux 32- and 64-bit require a minimum Red Hat Enterprise Linux kernel release of version 2.6. Otherwise, install a kernel patch that supports asynchronous I/O.

MON_HEAP_SZ DATABASE CONFIGURATION PARAMETER

The host-based Sensor for DB2 (on Red Hat Enterprise Linux) uses DB2 internal feature monitoring. The MON_HEAP_SZ database configuration parameter specifies the number of 4KB blocks of memory available to the monitoring facility. If this parameter is set too low, monitoring won’t turn on and, consequently, the host-based Sensor for DB2 won’t be able to monitor your DB2 database.

Application Security, Inc. recommends a value of 1024 for the MON_HEAP_SZ configuration parameter, but you should use the formula provided by IBM to determine your exact monitoring memory requirements. For more information, see http://publib.boulder.ibm.com/infocenter/db2luw/v8/topic/com.ibm.db2.udb.doc/admin/c0005995.htm

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.


NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

You can specify a different port number during installation, or you can change the port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

SINGLE INSTANCE MONITORING LIMITATION

A host-based Sensor for DB2 can only monitor one DB2 instance. The host-based Sensor for DB2 uses an IBM-provided API that caches the value of the DB2INSTANCE environment variable. Consequently, even if the environment variable’s value changes, the API will not switch to the other instance. This prevents the host-based Sensor for DB2 process from monitoring more than one instance at a time, and it prevents it from switching from one instance to another (unless you re-start the Sensor).

There is a workaround, however, that allows you to monitor multiple instances on a DB2 server. For more information, see Appendix P: Monitoring Multiple Instances on a DB2 Server.

USER GROUP REQUIREMENT

The account running the DB2 instance must be a member of the AppRadar group, and the account running the Sensor must be a member of the DB2 group.

DB2 AUDITING USAGE FOR FAILED LOGINS

"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based Sensors for DB2, since all other types of host-based Sensor utilize "event monitoring."

The host-based Sensors for DB2 automatically turn on DB2 auditing if you enable any Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"). The host-based Sensors for DB2 monitor all other types of events using the DB2 "event monitoring" facility.

For more information on how the host-based Sensors for DB2 use auditing to monitor failed logins and how to manually manage the resulting audit files, see the DbProtect Administrator’s Guide.

Caution! Host-based Sensors for DB2 fully control DB2 "auditing" if user authentication (failed login) events are enabled in a Policy (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"). In other words, the host-based Sensor for DB2 turns "auditing" on, sets it, and turns it off. If you are using DB2 "auditing" on other applications, the host-based Sensors for DB2 can potentially override (and effectively disable) DB2 "auditing" on these other applications. The host-based Sensors for DB2 monitor all other types of events using the DB2 "event monitoring" facility.

Host-based Sensor for DB2 (on Solaris) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for DB2 (on Solaris).

What you will find in this help topic:

• Supported DB2 versions

• Supported Solaris versions

• Rights and privileges

• Required Solaris patches

• Hardware

• Network connectivity

• Single instance monitoring limitation

• User group requirement

• DB2 auditing usage for failed logins.

SUPPORTED DB2 VERSIONS

DB2 versions 8 and 9.

SUPPORTED SOLARIS VERSIONS

Solaris 8, 9, and 10 (64-bit SPARC).

RIGHTS AND PRIVILEGES

The DB2 administrator must grant the following privileges to the appradar user for every DB2 database in the instance the user wants to monitor. These privileges are:

• SYSADM if the user wants to monitor failed logins

• DBADM if the user does not want to monitor failed logins.

REQUIRED SOLARIS PATCHES

The following table lists OS patches required for Solaris versions 8 and 9.

| Solaris version | Patch Id | Summary | Date |
|---|---|---|---|
| Solaris 8 | 108434-22 | SunOS 5.8: 32-bit shared library patch for C++ (108435-22 is the corresponding 64-bit patch) | Aug/01/2006 |
| Solaris 8 | 111721-04 | SunOS 5.8: Math Library (libm) patch | May/08/2003 |
| Solaris 8 | 117350-39 | SunOS 5.8: kernel patch | Jul/20/2006 |
| Solaris 9 | 111711-15 / 111712-16 | SunOS 5.9: 32-bit shared library patch for C++ (111712-16 is the corresponding 64-bit patch) | Aug/07/2006 |
| Solaris 9 | 111722-04 | SunOS 5.9: Math Library (libm) patch | May/08/2003 |
| Solaris 9 | 118558-25 (or better) | SunOS 5.9: Kernel Patch | Apr/25/2006 |

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

You can specify a different port number during installation, or you can change the port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

SINGLE INSTANCE MONITORING LIMITATION

A host-based Sensor for DB2 can only monitor one DB2 instance. The host-based Sensor for DB2 uses an IBM-provided API that caches the value of the DB2INSTANCE environment variable. Consequently, even if the environment variable’s value changes, the API will not switch to the other instance. This prevents the host-based Sensor for DB2 process from monitoring more than one instance at a time, and it prevents it from switching from one instance to another (unless you re-start the Sensor).

There is a workaround, however, that allows you to monitor multiple instances on a DB2 server. For more information, see Appendix P: Monitoring Multiple Instances on a DB2 Server.

USER GROUP REQUIREMENT

The account running the DB2 instance must be a member of the AppRadar group, and the account running the Sensor must be a member of the DB2 group.

DB2 AUDITING USAGE FOR FAILED LOGINS

"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based Sensors for DB2, since all other types of host-based Sensor utilize "event monitoring."

The host-based Sensors for DB2 automatically turn on DB2 auditing if you enable any Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"). The host-based Sensors for DB2 monitor all other types of events using the DB2 "event monitoring" facility.

For more information on how the host-based Sensors for DB2 use auditing to monitor failed logins and how to manually manage the resulting audit files, see the DbProtect Administrator’s Guide.

Caution! Host-based Sensors for DB2 fully control DB2 "auditing" if user authentication (failed login) events are enabled in a Policy (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"). In other words, the host-based Sensor for DB2 turns "auditing" on, sets it, and turns it off. If you are using DB2 "auditing" on other applications, the host-based Sensors for DB2 can potentially override (and effectively disable) DB2 "auditing" on these other applications. The host-based Sensors for DB2 monitor all other types of events using the DB2 "event monitoring" facility.

Host-based Sensor for DB2 (on AIX) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for DB2 (on AIX).

What you will find in this help topic:

• Supported DB2 versions

• Supported AIX versions

• Rights and Privileges

• Hardware

• Network connectivity

• Single instance monitoring limitation

• User group requirement

• DB2 auditing usage for failed logins.

SUPPORTED DB2 VERSIONS

DB2 versions 8 and 9.

SUPPORTED AIX VERSIONS

AIX 5.2 Technology Level 5 and greater (32-bit and 64-bit).

RIGHTS AND PRIVILEGES

The DB2 administrator must grant the following privileges to the appradar user for every DB2 database in the instance the user wants to monitor. These privileges are:

• SYSADM if the user wants to monitor failed logins

• DBADM if the user does not want to monitor failed logins.

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

SINGLE INSTANCE MONITORING LIMITATION

A host-based Sensor for DB2 can only monitor one DB2 instance. The host-based Sensor for DB2 uses an IBM-provided API that caches the value of the DB2INSTANCE environment variable. Consequently, even if the environment variable’s value changes, the API will not switch to the other instance. This prevents the host-based Sensor for DB2 process from monitoring more than one instance at a time, and it prevents it from switching from one instance to another (unless you re-start the Sensor).

There is a workaround, however, that allows you to monitor multiple instances on a DB2 server. For more information, see Appendix P: Monitoring Multiple Instances on a DB2 Server.

USER GROUP REQUIREMENT

The account running the DB2 instance must be a member of the AppRadar group, and the account running the Sensor must be a member of the DB2 group.

DB2 AUDITING USAGE FOR FAILED LOGINS

"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based Sensors for DB2, since all other types of host-based Sensor utilize "event monitoring."

The host-based Sensors for DB2 automatically turn on DB2 auditing if you enable any Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"). The host-based Sensors for DB2 monitor all other types of events using the DB2 "event monitoring" facility.

For more information on how the host-based Sensors for DB2 use auditing to monitor failed logins and how to manually manage the resulting audit files, see the DbProtect Administrator’s Guide.

Caution! Host-based Sensors for DB2 fully control DB2 "auditing" if user authentication (failed login) events are enabled in a Policy (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"). In other words, the host-based Sensor for DB2 turns "auditing" on, sets it, and turns it off. If you are using DB2 "auditing" on other applications, the host-based Sensors for DB2 can potentially override (and effectively disable) DB2 "auditing" on these other applications. The host-based Sensors for DB2 monitor all other types of events using the DB2 "event monitoring" facility.

Host-based Sensor for DB2 (on Windows) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for DB2 (on Windows).

What you will find in this help topic:

• Supported DB2 versions

• Supported Windows versions

• Rights and privileges

• Hardware

• Network connectivity

• User group requirement

SUPPORTED DB2 VERSIONS

DB2 versions 8 and 9.

SUPPORTED WINDOWS VERSIONS

• Windows 2000 Server (including Advanced Server), 32-bit

• Windows Server 2003 (including Enterprise Edition), 32-bit.

RIGHTS AND PRIVILEGES

The DB2 administrator must grant the following privileges to the appradar user for every DB2 database in the instance the user wants to monitor. These privileges are:

• SYSADM if the user wants to monitor failed logins

• DBADM if the user does not want to monitor failed logins.

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

USER GROUP REQUIREMENT

The account running the DB2 instance must be a member of the AppRadar group, and the account running the Sensor must be a member of the DB2 group.

Host-based Sensor for Oracle (on Solaris) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for Oracle (on Solaris).

What you will find in this help topic:

• Supported Oracle versions

• Supported Solaris versions

• Rights and privileges

• Required Solaris patches

• Hardware

• Network connectivity

• Important port information

• Important server and instance information

• Oracle Word size prerequisite

• Firewall considerations

• Creating the appradar Runtime User Account and working with Oracle (on Solaris) SGA shared memory permissions

• Java Oracle Packages (requirement for monitoring DDL statements)

• Sensor re-start requirement (for DDL trigger removals/re-adds) - on Solaris.

SUPPORTED ORACLE VERSIONS

Oracle 9iR2, 10g, and 10gR2.

SUPPORTED SOLARIS VERSIONS

Solaris 8, 9, and 10 (32- and 64-bit SPARC).

RIGHTS AND PRIVILEGES

Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX, and Red Hat Enterprise Linux) require the following rights and privileges:

• To install the host-based Sensor for Oracle package, you must have administrative (root) privileges on the host. If this is not possible, a tar distribution of the host-based Sensor for Oracle is also available.

• To run the host-based Sensor for Oracle, you must use a user that is a member of the same “dba” group as oracle on the host.

The appradar account must belong to the Oracle DBA group or to the database, and it must allow for login by a system account.

REQUIRED SOLARIS PATCHES

The following table lists OS patches required for Solaris versions 8 and 9.

| Solaris version | Patch Id | Summary | Date |
|---|---|---|---|
| Solaris 8 | 108434-22 | SunOS 5.8: 32-bit shared library patch for C++ (108435-22 is the corresponding 64-bit patch) | Aug/01/2006 |
| Solaris 8 | 111721-04 | SunOS 5.8: Math Library (libm) patch | May/08/2003 |
| Solaris 8 | 117350-39 | SunOS 5.8: kernel patch | Jul/20/2006 |
| Solaris 9 | 111711-15 / 111712-16 | SunOS 5.9: 32-bit shared library patch for C++ (111712-16 is the corresponding 64-bit patch) | Aug/07/2006 |
| Solaris 9 | 111722-04 | SunOS 5.9: Math Library (libm) patch | May/08/2003 |
| Solaris 9 | 118558-25 (or better) | SunOS 5.9: Kernel Patch | Apr/25/2006 |
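One way to automate the comparison between installed patches and the minimum revisions in the table above (an added example, not part of the guide or of DbProtect). It reads `showrev -p` output; the function names are hypothetical and the sample lines are constructed, using the revisions that appear in the guide's sample output.

```shell
#!/bin/sh
# Added example: compare installed Solaris patch revisions with the guide's minimums.

# Minimum revisions from the guide's table, keyed by `uname -r` release.
# The 64-bit counterparts named in the table (108435-22, 111712-16) can be
# appended to these lists in the same id-revision form.
required_patches() {
    case "$1" in
        5.8) echo "108434-22 111721-04 117350-39" ;;
        5.9) echo "111711-15 111722-04 118558-25" ;;
        *)   return 1 ;;
    esac
}

# check_patches RELEASE  (reads `showrev -p` output on stdin)
# Prints OK / LOW / MISSING per required patch; returns non-zero if any
# required patch is absent or below the minimum revision.
# A MISSING result can also mean the patch was superseded by a later patch
# that lists it under "Obsoletes:", so confirm those by hand.
check_patches() {
    req=$(required_patches "$1") || {
        echo "SunOS $1: the guide lists no required patches"
        return 0
    }
    awk -v req="$req" '
        BEGIN {
            n = split(req, want, " ")
            for (i = 1; i <= n; i++) {
                split(want[i], f, "-")
                id[i] = f[1]; need[f[1]] = f[2] + 0
            }
        }
        # showrev -p lines start "Patch: <id>-<rev> Obsoletes: ...".
        # Keep the highest installed revision of each patch id.
        $1 == "Patch:" && split($2, p, "-") == 2 {
            if (!(p[1] in have) || p[2] + 0 > have[p[1]]) have[p[1]] = p[2] + 0
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = id[i]
                if (!(k in have)) {
                    printf "MISSING %s (need -%02d)\n", k, need[k]; bad = 1
                } else if (have[k] < need[k]) {
                    printf "LOW %s-%02d (need -%02d)\n", k, have[k], need[k]; bad = 1
                } else {
                    printf "OK %s-%02d\n", k, have[k]
                }
            }
            exit bad
        }'
}

# Constructed sample input (package names are placeholders).
sample_showrev() {
    cat <<'EOF'
Patch: 108434-21 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
Patch: 111721-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibms
Patch: 117350-38 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcsu
EOF
}

# On a live host: showrev -p | check_patches "$(uname -r)"
sample_showrev | check_patches 5.8 || echo "host is below the guide's minimum patch level"
```

With the sample revisions, 108434-21 and 117350-38 are reported as LOW because the table requires -22 and -39.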

To determine your Solaris patch level:

Step 1. Note: Any user can execute this command.

Execute the following command:

uname -a; showrev -p | egrep -e '^Patch: 117350|^Patch: 111721|^Patch: 108434' | cut -d" " -f1,2

Result: The output displays your OS and patches; for example:

SunOS sunny14 5.8 Generic_117350-38 sun4u sparc SUNW,Ultra-80

Patch: 117350-38

Patch: 111721-04

Patch: 108434-21

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

IMPORTANT PORT INFORMATION

Every Sensor requires its own dedicated port. During installation, you must specify which port number the Sensor will use to receive commands from the Console. The Sensor can not share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host.

On the host where the Console is installed, Sensors listen on port 20080 (by default) for commands from the Console. The next consecutive port number (i.e., 20081 if you use the default) must be open in order for the Console to receive Alerts.

If you are installing the Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available). For more information on Console installation, see DbProtect suite management components - installation steps.

Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the Console (e.g., reconfiguration or status requests) unless you configure them differently during installation.

Note: No other machines should be permitted to connect to the Sensors.

IMPORTANT SERVER AND INSTANCE INFORMATION

• Each machine should have only one Sensor.

• One Sensor can monitor multiple Oracle SIDs on a single machine.

• You can monitor as many Oracle SIDs as your license allows; for more information, see Chapter 4 - Licensing.

ORACLE WORD SIZE PREREQUISITE

You must install a host-based Sensor for Oracle corresponding to the word-size Oracle uses, not the operating system. For example, if Oracle is 32-bit but the operating system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for host-based Sensor for Oracle installations, and it’s true for all Unix operating systems on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).

FIREWALL CONSIDERATIONS

You must allow DbProtect traffic through firewalls.

The Console is accessible via HTTPS on port 20080. You can allow all machines, certain machines, or no machines to have access from outside your firewall. In the latter case, only machines inside the firewall can access DbProtect. This is completely at your discretion, but for convenience Application Security, Inc. recommends you at least allow users to connect from their desktop machines.

DbProtect has its own method of authentication and using a firewall is not required to restrict access. The Message Collector component of DbProtect listens for HTTPS traffic on port 20081 (unless you configure it differently during the Console installation) which the Sensor uses to send Alerts to the Console. Application Security, Inc. recommends you disallow all traffic to that port except from the Sensors.

Components of DbProtect communicate via Internet Protocol (IP) connections. To help you configure your firewall properly, the table in Appendix D: Network Ports Used by DbProtect lists each component and describes how they each use the network.

CREATING THE APPRADAR RUNTIME USER ACCOUNT AND WORKING WITH ORACLE (ON SOLARIS) SGA SHARED MEMORY PERMISSIONS

Creating the appradar Runtime User Account:

Application Security, Inc. strongly recommends you create a unique DbProtect user called appradar, and use this account for host-based Sensor for Oracle installation. While creating this user is not mandatory, it will ensure that other database administrators can’t turn off your host-based Oracle Sensors.

The appradar user must belong to the primary group of the Oracle user. In many cases oracle is the default Oracle user name, while the default group name is typically either oracle or dba. The user (i.e., appradar) must be a member of the same dba group as oracle on the host.

To determine your Oracle group name, enter the following command: id oracle. Your Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle) gid=503(dba)

Note: To ensure proper permissioning, verify group ownership of the Oracle process memory segments by executing ipcs -m. This command displays current user and group memberships of the Oracle segment. Confirm the appradar user has the same primary group as the group ownership of the shared memory, and that this user is also in the dba group.

To create the runtime user account:

Step 1. Use an administrative account to create a runtime user account called appradar (suggested name).

Step 2. Set the proper Oracle permissions for this user; see above.

Working with Oracle SGA Shared Memory Permissions:

The Oracle System Global Area (SGA) is a group of shared memory areas that are dedicated to an Oracle instance. Oracle processes use SGA to store and communicate information. Among other things, SGA allows processes (such as the host-based Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute. SGA properties are similar to those of a file, i.e., owner, group, and mode. The permission to attach, read, and/or write depends on the SGA mode. The mode for shared memory and a file both depend on the umask setting of the OS session that creates the shared memory or file.

When you start an Oracle instance, Oracle creates SGA. The SGA mode depends on the umask setting of the OS session which starts the Oracle instance. If the umask setting of the OS session masks the bit "read for group", the SGA's modes will not have permission for the group to read. Consequently, your host-based Sensor for Oracle on any *nix platform -- which is in the same group as the Oracle OS user -- can not read information from the SGA. As a result, your host-based Sensor for Oracle on a *nix platform will not fire Alerts.

Solution: Use the umask command to change the user mask of the session to make sure the group read bit is not masked off. (An example of a correct setting is: umask 026.) You should place this command in the appropriate shell startup file for the Oracle database user ID. After you change the umask value, restart Oracle. After Oracle starts up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments include group read, which grants other users in this group permission to read the segment. This allows the appradar runtime user (who is part of the same group) to read the SGA and monitor activity.
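The checks described above, scripted (an added example, not DbProtect's own code): whether a umask value hides group read, which primary group `id` reports, and whether each Oracle-owned segment in `ipcs -m` output is group-readable and owned by the expected group. It assumes the Solaris/AIX `ipcs -m` column layout; the function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Sensor's read access to the Oracle SGA.

# umask_masks_group_read MASK
# Returns 0 if MASK (octal) clears the group-read bit (040), 1 otherwise.
umask_masks_group_read() {
    [ $(( 0$1 & 040 )) -ne 0 ]
}

# primary_group ID_OUTPUT
# Prints the primary group name from one line of `id` output,
# e.g. "uid=1001(oracle) gid=503(dba)" -> dba
primary_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# check_sga OWNER GROUP  (reads `ipcs -m` output on stdin)
# Assumed column layout: T ID KEY MODE OWNER GROUP, where MODE is 11
# characters: 2 flag characters, then rwx triplets for owner, group, other.
# Returns 0 if every segment owned by OWNER is group-readable and belongs
# to GROUP, 1 if any is not, 2 if OWNER has no segments at all.
check_sga() {
    awk -v owner="$1" -v grp="$2" '
        $1 == "m" && $5 == owner {
            seen = 1
            if (substr($4, 6, 1) != "r") {
                printf "NO_GROUP_READ id=%s mode=%s\n", $2, $4; bad = 1
            } else if ($6 != grp) {
                printf "GROUP_MISMATCH id=%s group=%s\n", $2, $6; bad = 1
            } else {
                printf "OK id=%s mode=%s group=%s\n", $2, $4, $6
            }
        }
        END {
            if (!seen) { print "NO_SEGMENTS owner=" owner; exit 2 }
            exit bad + 0
        }'
}

# Constructed sample listing: segment 514 lacks group read.
sample_ipcs() {
    cat <<'EOF'
IPC status from <running system> as of Thu Feb  5 10:00:00 EST 2009
T         ID      KEY        MODE        OWNER    GROUP
Shared Memory:
m          0   0x50000b3f --rw-r--r--     root     root
m        513   0x6c1a2b3c --rw-r-----   oracle      dba
m        514   0x7d2b3c4d --rw-------   oracle      dba
EOF
}

# On a live host: ipcs -m | check_sga oracle "$(primary_group "$(id oracle)")"
umask_masks_group_read 077 && echo "umask 077 masks group read; umask 026 does not"
sample_ipcs | check_sga oracle dba || echo "at least one Oracle segment is not readable by the Sensor's group"
```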

JAVA ORACLE PACKAGES (REQUIREMENT FOR MONITORING DDL STATEMENTS)

If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE) on an Oracle instance, you must install Oracle Java Packages. For more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.

SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER REMOVALS/RE-ADDS) - ON SOLARIS

If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.

Host-based Sensor for Oracle (on AIX) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for Oracle (on AIX).

What you will find in this help topic:

• Supported Oracle versions

• Supported AIX versions

• Rights and privileges

• Oracle Java Packages requirement for monitoring DDL statements on an Oracle instance

• Minimum AIX bos.rte fileset level

• Hardware

• Network connectivity

• Important port information

• Important server and instance information

• Oracle Word size prerequisite

• Creating the appradar Runtime User Account and working with Oracle (on AIX) SGA shared memory permissions

• Sensor re-start requirement (for DDL trigger removals/re-adds) - on AIX.

SUPPORTED ORACLE VERSIONS

Oracle 9iR2, 10g, and 10gR2.

SUPPORTED AIX VERSIONS

AIX 5.2 Technology Level 5 and greater.

RIGHTS AND PRIVILEGES

Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX, and Red Hat Enterprise Linux) require the following rights and privileges:

• To install the host-based Sensor for Oracle package, you must have administrative (root) privileges on the host. If this is not possible, a tar distribution of the host-based Sensor for Oracle is also available.

• To run the host-based Sensor for Oracle, you must use a user that is a member of the same “dba” group as oracle on the host.

ORACLE JAVA PACKAGES REQUIREMENT FOR MONITORING DDL STATEMENTS ON AN ORACLE INSTANCE

If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE) on an Oracle instance, you must install Oracle Java Packages. For more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.

MINIMUM AIX BOS.RTE FILESET LEVEL

Host-based Sensors for Oracle installations on AIX require the bos.rte fileset to be at (or above) maintenance level 5.2.0.50.

• Fileset: bos.rte ("Base Operating System Runtime")

• Maintenance Level: 5.2.0.50

• Date: January 2005

To determine your AIX patch level:

Step 1. Note: Any user can execute this command.

Execute the following command:

lslpp -l bos.rte

Result: The output displays your maintenance level for the bos.rte fileset; for example:

Fileset Level State Description

------------------------------------------------------------

Path: /usr/lib/objrepos

bos.rte 5.2.0.50 COMMITTED Base Operating System Runtime

Path: /etc/objrepos

bos.rte 5.2.0.50 COMMITTED Base Operating System Runtime

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

2 Change the shmmax parameter to 3 in /etc/sysctl.conf on Red Hat Enterprise Linux, and go to Step 2.

Or, if you do not want to reboot your Red Hat Enterprise Linux host server, you can change the shmmax parameter to 3 in /proc/sys/kernel/shmmax, and go to Step 3.

3 Reboot your host server.

4 Re-start Oracle.

NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

IMPORTANT PORT INFORMATION

Every Sensor requires its own dedicated port. During installation, you must specify which port number the Sensor will use to receive commands from the Console. The Sensor can not share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host.

On the host where the Console is installed, Sensors listen on port 20080 (by default) for commands from the Console. The next consecutive port number (i.e., 20081 if you use the default) must be open in order for the Console to receive Alerts.

If you are installing the Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available). For more information on Console installation, see DbProtect suite management components - installation steps.

Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the Console (e.g., reconfiguration or status requests) unless you configure them differently during installation.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

Note: No other machines should be permitted to connect to the Sensors.

IMPORTANT SERVER AND INSTANCE INFORMATION

• Each machine should have only one Sensor.

• One Sensor can monitor multiple Oracle SIDs on a single machine.

• You can monitor as many Oracle SIDs as your license allows; for more information, see Chapter 4 - Licensing.

ORACLE WORD SIZE PREREQUISITE

You must install a host-based Sensor for Oracle corresponding to the word-size Oracle uses, not the operating system. For example, if Oracle is 32-bit but the operating system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for host-based Sensor for Oracle installations, and it’s true for all Unix operating systems on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).


CREATING THE APPRADAR RUNTIME USER ACCOUNT AND WORKING WITH ORACLE (ON AIX) SGA SHARED MEMORY PERMISSIONS

Creating the appradar Runtime User Account:

Application Security, Inc. strongly recommends you create a unique DbProtect user called appradar, and use this account for host-based Sensor for Oracle installation. While creating this user is not mandatory, it will ensure that other database administrators can’t turn off your host-based Oracle Sensors.

The appradar user must belong to the primary group of the Oracle user. In many cases oracle is the default Oracle user name, while the default group name is typically either oracle or dba. The user (i.e., appradar) must be a member of the same dba group as oracle on the host.

To determine your Oracle group name, enter the following command: id oracle. Your Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle) gid=503(dba)

Note: To ensure proper permissioning, verify group ownership of the Oracle process memory segments by executing ipcs -m. This command displays current user and group memberships of the Oracle segment. Confirm the appradar user has the same primary group as the group ownership of the shared memory, and that this user is also in the dba group.

To create the runtime user account:

Step Action

1 Use an administrative account to create a runtime user account called appradar (suggested name).

2 Set the proper Oracle permissions for this user; see above.

Working with Oracle SGA Shared Memory Permissions:

The Oracle System Global Area (SGA) is a group of shared memory areas that are dedicated to an Oracle instance. Oracle processes use SGA to store and communicate information. Among other things, SGA allows processes (such as the host-based Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute. SGA properties are similar to those of a file, i.e., owner, group, and mode. The permission to attach, read, and/or write depends on the SGA mode. The mode for shared memory and a file both depend on the umask setting of the OS session that creates the shared memory or file.

When you start an Oracle instance, Oracle creates SGA. The SGA mode depends on the umask setting of the OS session which starts the Oracle instance. If the umask setting of the OS session masks the bit "read for group", the SGA's modes will not have permission for the group to read. Consequently, your host-based Sensor for Oracle on any *nix platform -- which is in the same group as the Oracle OS user -- cannot read information from the SGA. As a result, your host-based Sensor for Oracle on a *nix platform will not fire Alerts.

Solution: Use the umask command to change the user mask of the session to make sure the group read bit is not masked off. (An example of a correct setting is: umask 026.) You should place this command in the appropriate shell startup file for the Oracle database user ID. After you change the umask value, restart Oracle. After Oracle starts up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments include group read, which grants other users in this group permission to read the segment. This allows the appradar runtime user (who is part of the same group) to read the SGA and monitor activity.

SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER REMOVALS/RE-ADDS) - ON AIX

If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.


Host-based Sensor for Oracle (on HP-UX) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for Oracle (on HP-UX).

What you will find in this help topic:

• Supported Oracle versions

• Supported HP-UX versions

• Rights and privileges

• Oracle Java Packages requirement for monitoring DDL statements on an Oracle instance

• Hardware

• Network connectivity

• Important port information

• Important server and instance information

• Oracle Word size prerequisite

• Shared memory maximum size requirement on your HP-UX host server (for host-based Sensors prior to 3.3 only)

• Creating the appradar Runtime User Account and working with Oracle (on HP-UX) SGA shared memory permissions

• Sensor re-start requirement (for DDL trigger removals/re-adds) - on HP-UX.

SUPPORTED ORACLE VERSIONS

Oracle 9iR2, 10g, and 10gR2.

SUPPORTED HP-UX VERSIONS

HP-UX 11i v1 or later on the PA-RISC processor and HP-UX 11i v2 or later on the Itanium (IA64) processor.

RIGHTS AND PRIVILEGES

Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX, and Red Hat Enterprise Linux) require the following rights and privileges:

• To install the host-based Sensor for Oracle package, you must have administrative (root) privileges on the host. If this is not possible, a tar distribution of the host-based Sensor for Oracle is also available.

• To run the host-based Sensor for Oracle, you must use a user that is a member of the same “dba” group as oracle on the host.

ORACLE JAVA PACKAGES REQUIREMENT FOR MONITORING DDL STATEMENTS ON AN ORACLE INSTANCE

If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE) on an Oracle instance, you must install Oracle Java Packages. For more information see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.


HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

IMPORTANT PORT INFORMATION

Every Sensor requires its own dedicated port. During installation, you must specify which port number the Sensor will use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host.

On the host where the Console is installed, Sensors listen on port 20080 (by default) for commands from the Console. The next consecutive port number (i.e., 20081 if you use the default) must be open in order for the Console to receive Alerts.

If you are installing the Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available). For more information on Console installation, see DbProtect suite management components - installation steps.

Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the Console (e.g., reconfiguration or status requests) unless you configure them differently during installation.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

Note: No other machines should be permitted to connect to the Sensors.


IMPORTANT SERVER AND INSTANCE INFORMATION

• Each machine should have only one Sensor.

• One Sensor can monitor multiple Oracle SIDs on a single machine.

• You can monitor as many Oracle SIDs as your license allows; for more information, see Chapter 4 - Licensing.

ORACLE WORD SIZE PREREQUISITE

You must install a host-based Sensor for Oracle corresponding to the word-size Oracle uses, not the operating system. For example, if Oracle is 32-bit but the operating system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for host-based Sensor for Oracle installations, and it’s true for all Unix operating systems on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).

SHARED MEMORY MAXIMUM SIZE REQUIREMENT ON YOUR HP-UX HOST SERVER (FOR HOST-BASED SENSORS PRIOR TO 3.3 ONLY)

The host-based Sensor for Oracle (on an HP-UX host only, for host-based Sensors prior to version 3.3 only) required Oracle's SGA to reside in a single shared memory segment.

CREATING THE APPRADAR RUNTIME USER ACCOUNT AND WORKING WITH ORACLE (ON HP-UX) SGA SHARED MEMORY PERMISSIONS

Creating the appradar Runtime User Account:

Application Security, Inc. strongly recommends you create a unique DbProtect user called appradar, and use this account for host-based Sensor for Oracle installation. While creating this user is not mandatory, it will ensure that other database administrators can’t turn off your host-based Oracle Sensors.

The appradar user must belong to the primary group of the Oracle user. In many cases oracle is the default Oracle user name, while the default group name is typically either oracle or dba. The user (i.e., appradar) must be a member of the same dba group as oracle on the host.

To determine your Oracle group name, enter the following command: id oracle. Your Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle) gid=503(dba)

Note: To ensure proper permissioning, verify group ownership of the Oracle process memory segments by executing ipcs -m. This command displays current user and group memberships of the Oracle segment. Confirm the appradar user has the same primary group as the group ownership of the shared memory, and that this user is also in the dba group.


To create the runtime user account:

Step Action

1 Use an administrative account to create a runtime user account called appradar (suggested name).

2 Set the proper Oracle permissions for this user; see above.

Working with Oracle SGA Shared Memory Permissions:

The Oracle System Global Area (SGA) is a group of shared memory areas that are dedicated to an Oracle instance. Oracle processes use SGA to store and communicate information. Among other things, SGA allows processes (such as the host-based Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute. SGA properties are similar to those of a file, i.e., owner, group, and mode. The permission to attach, read, and/or write depends on the SGA mode. The mode for shared memory and a file both depend on the umask setting of the OS session that creates the shared memory or file.

When you start an Oracle instance, Oracle creates SGA. The SGA mode depends on the umask setting of the OS session which starts the Oracle instance. If the umask setting of the OS session masks the bit "read for group", the SGA's modes will not have permission for the group to read. Consequently, your host-based Sensor for Oracle on any *nix platform -- which is in the same group as the Oracle OS user -- cannot read information from the SGA. As a result, your host-based Sensor for Oracle on a *nix platform will not fire Alerts.

Solution: Use the umask command to change the user mask of the session to make sure the group read bit is not masked off. (An example of a correct setting is: umask 026.) You should place this command in the appropriate shell startup file for the Oracle database user ID. After you change the umask value, restart Oracle. After Oracle starts up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments include group read, which grants other users in this group permission to read the segment. This allows the appradar runtime user (who is part of the same group) to read the SGA and monitor activity.

SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER REMOVALS/RE-ADDS) - ON HP-UX

If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.


Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for Oracle (on Red Hat Enterprise Linux).

What you will find in this help topic:

• Supported Oracle versions

• Supported Red Hat Enterprise Linux versions

• Rights and privileges

• Oracle Java Packages requirement for monitoring DDL statements on an Oracle instance

• Hardware

• Network connectivity

• Important port information

• Important server and instance information

• Oracle Word size prerequisite

• Creating the appradar Runtime User Account and working with Oracle (on Red Hat Enterprise Linux) SGA shared memory permissions

• Sensor re-start requirement (for DDL trigger removals/re-adds) - on Red Hat Enterprise Linux.

SUPPORTED ORACLE VERSIONS

Oracle 9iR2, 10g, and 10gR2.

SUPPORTED RED HAT ENTERPRISE LINUX VERSIONS

Red Hat Enterprise Linux 3, 4, and 5 (32-bit x86 and 64-bit x64).

RIGHTS AND PRIVILEGES

Host-based Sensor for Oracle installations on all UNIX platforms (Solaris, AIX, HP-UX, and Red Hat Enterprise Linux) require the following rights and privileges:

• To install the host-based Sensor for Oracle package, you must have administrative (root) privileges on the host. If this is not possible, a tar distribution of the host-based Sensor for Oracle is also available.

• To run the host-based Sensor for Oracle, you must use a user that is a member of the same “dba” group as oracle on the host.

ORACLE JAVA PACKAGES REQUIREMENT FOR MONITORING DDL STATEMENTS ON AN ORACLE INSTANCE

If you are using a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE) on an Oracle instance, you must install Oracle Java Packages. For more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.


HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

IMPORTANT PORT INFORMATION

Every Sensor requires its own dedicated port. During installation, you must specify which port number the Sensor will use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host.

On the host where the Console is installed, Sensors listen on port 20080 (by default) for commands from the Console. The next consecutive port number (i.e., 20081 if you use the default) must be open in order for the Console to receive Alerts.

If you are installing the Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available). For more information on Console installation, see DbProtect suite management components - installation steps.

Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from the Console (e.g., reconfiguration or status requests) unless you configure them differently during installation.

If you are installing a host-based Sensor on a *nix platform, you can, at any time, specify a different port number in the sensor.xml and sensor_original.xml files; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

Note: No other machines should be permitted to connect to the Sensors.


IMPORTANT SERVER AND INSTANCE INFORMATION

• Each machine should have only one Sensor.

• One Sensor can monitor multiple Oracle SIDs on a single machine.

• You can monitor as many Oracle SIDs as your license allows; for more information, see Chapter 4 - Licensing.

ORACLE WORD SIZE PREREQUISITE

You must install a host-based Sensor for Oracle corresponding to the word-size Oracle uses, not the operating system. For example, if Oracle is 32-bit but the operating system is 64-bit, your host-based Sensor for Oracle must be 32-bit. This is only true for host-based Sensor for Oracle installations, and it’s true for all Unix operating systems on which it runs (i.e., AIX, HP-UX, Red Hat Enterprise Linux, and Solaris).

CREATING THE APPRADAR RUNTIME USER ACCOUNT AND WORKING WITH ORACLE (ON RED HAT ENTERPRISE LINUX) SGA SHARED MEMORY PERMISSIONS

Creating the appradar Runtime User Account:

Application Security, Inc. strongly recommends you create a unique DbProtect user called appradar, and use this account for host-based Sensor for Oracle installation. While creating this user is not mandatory, it will ensure that other database administrators can’t turn off your host-based Oracle Sensors.

The appradar user must belong to the primary group of the Oracle user. In many cases oracle is the default Oracle user name, while the default group name is typically either oracle or dba. The user (i.e., appradar) must be a member of the same dba group as oracle on the host.

To determine your Oracle group name, enter the following command: id oracle. Your Oracle user name (uid) and group name (gid) should display, e.g., uid=1001(oracle) gid=503(dba)

Note: To ensure proper permissioning, verify group ownership of the Oracle process memory segments by executing ipcs -m. This command displays current user and group memberships of the Oracle segment. Confirm the appradar user has the same primary group as the group ownership of the shared memory, and that this user is also in the dba group.

To create the runtime user account:

Step Action

1 Use an administrative account to create a runtime user account called appradar (suggested name).

2 Set the proper Oracle permissions for this user; see above.


Working with Oracle SGA Shared Memory Permissions:

The Oracle System Global Area (SGA) is a group of shared memory areas that are dedicated to an Oracle instance. Oracle processes use SGA to store and communicate information. Among other things, SGA allows processes (such as the host-based Sensor for Oracle on any *nix platform) to attach, read, and/or write -- but not execute. SGA properties are similar to those of a file, i.e., owner, group, and mode. The permission to attach, read, and/or write depends on the SGA mode. The mode for shared memory and a file both depend on the umask setting of the OS session that creates the shared memory or file.

When you start an Oracle instance, Oracle creates SGA. The SGA mode depends on the umask setting of the OS session which starts the Oracle instance. If the umask setting of the OS session masks the bit "read for group", the SGA's modes will not have permission for the group to read. Consequently, your host-based Sensor for Oracle on any *nix platform -- which is in the same group as the Oracle OS user -- cannot read information from the SGA. As a result, your host-based Sensor for Oracle on a *nix platform will not fire Alerts.

Solution: Use the umask command to change the user mask of the session to make sure the group read bit is not masked off. (An example of a correct setting is: umask 026.) You should place this command in the appropriate shell startup file for the Oracle database user ID. After you change the umask value, restart Oracle. After Oracle starts up, use ipcs -m to check the SGA to make sure the modes for the Oracle segments include group read, which grants other users in this group permission to read the segment. This allows the appradar runtime user (who is part of the same group) to read the SGA and monitor activity.
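The checks described in the SGA shared memory permissions sections for AIX, HP-UX, and Red Hat Enterprise Linux can be scripted. The following is an added example, not part of the DbProtect guide or product: the function names are hypothetical, the sample id and ipcs -m output is constructed, and the two column layouts are assumed to be the usual Linux and AIX/HP-UX ones.

```shell
#!/bin/sh
# Added example, not DbProtect code. Function names are hypothetical and the
# sample `ipcs -m` / `id` output below is constructed for illustration.

# True (exit 0) if umask $1 masks off the group-read bit (octal 040), the
# condition under which the Sensor's group cannot read the SGA.
umask_masks_group_read() {
    [ $(( 0$1 & 040 )) -ne 0 ]
}

# Extract the primary group name from `id <user>` output,
# e.g. "uid=1001(oracle) gid=503(dba)" -> "dba".
primary_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Read `ipcs -m` output on stdin and print "<id> <mode>" for every segment
# owned by user $1 whose mode lacks group read. Two layouts are handled:
#   Linux:        key shmid owner perms bytes nattch [status]  (perms octal)
#   AIX / HP-UX:  m ID KEY MODE OWNER GROUP        (MODE like --rw-r-----)
segments_without_group_read() {
    awk -v owner="$1" '
        # AIX/HP-UX row: field 1 is the type letter "m"; MODE has two flag
        # characters, then owner/group/other triplets, so group read is char 6.
        $1 == "m" && $5 == owner {
            if (substr($4, 6, 1) != "r") print $2, $4
            next
        }
        # Linux row: key starts with 0x and perms is an octal number.
        $1 ~ /^0x/ && $3 == owner && $4 ~ /^[0-7]+$/ {
            p = substr("000" $4, length($4) + 1)   # last three octal digits
            g = substr(p, 2, 1) + 0                # group digit
            if (int(g / 4) % 2 == 0) print $2, $4  # read bit (4) not set
        }
    '
}

# Constructed sample: Linux `ipcs -m` with one Oracle segment created under a
# umask that masked group read (600) and one that kept it (640).
sample_linux() {
cat <<'EOF'
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      root       644        80         2
0x5e6c1a2c 65536      oracle     640        4096       12
0x5e6c1a2d 65537      oracle     600        1073741824 12
EOF
}

# Constructed sample: AIX/HP-UX style `ipcs -m`.
sample_aix() {
cat <<'EOF'
IPC status from /dev/mem as of Thu Feb  5 10:00:00 EST 2009
T        ID     KEY        MODE       OWNER    GROUP
Shared Memory:
m   1048576 0x5e6c1a2c --rw-r-----   oracle      dba
m   1048577 0x5e6c1a2d --rw-------   oracle      dba
EOF
}

oracle_id='uid=1001(oracle) gid=503(dba)'       # constructed
appradar_id='uid=1002(appradar) gid=503(dba)'   # constructed

if [ "$(primary_group "$oracle_id")" = "$(primary_group "$appradar_id")" ]; then
    echo "appradar shares the oracle primary group: $(primary_group "$oracle_id")"
else
    echo "appradar is NOT in the oracle primary group"
fi

for m in 026 077; do
    if umask_masks_group_read "$m"; then
        echo "umask $m: group read masked, the Sensor cannot read the SGA"
    else
        echo "umask $m: group read kept"
    fi
done

echo "Linux segments lacking group read:"
sample_linux | segments_without_group_read oracle
echo "AIX/HP-UX segments lacking group read:"
sample_aix | segments_without_group_read oracle
```

On a live host, pipe the real output in instead of the samples, for example ipcs -m | segments_without_group_read oracle; any line printed is a segment the appradar runtime user cannot read.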

SENSOR RE-START REQUIREMENT (FOR DDL TRIGGER REMOVALS/RE-ADDS) - ON RED HAT ENTERPRISE LINUX

If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.


Host-based Sensor for Oracle (on Windows) - minimum system requirements

This help topic provides detailed minimum system requirements for the host-based Sensor for Oracle (on Windows).

What you will find in this help topic:

• Supported Oracle versions

• Supported Windows versions

• Hardware

• Network connectivity.

SUPPORTED ORACLE VERSIONS

Oracle 9iR2, 10g, and 10gR2.

SUPPORTED WINDOWS VERSIONS

• Windows 2000 Server (including Advanced Server), 32-bit

• Windows Server 2003 (including Enterprise Edition), 32-bit.

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

Network connectivity is required in order for the Sensor to communicate with the Console and, optionally, with SNMP and Syslog systems.

Network-based Sensor for Sybase - minimum system requirements

This help topic provides detailed minimum system requirements for the network-based Sensor for Sybase.

What you will find in this help topic:

• Supported Sybase versions

• Supported Windows versions

• Rights and privileges

• Hardware

• Network connectivity.

SUPPORTED SYBASE VERSIONS

Sybase 11.x-15.


SUPPORTED WINDOWS VERSIONS

• Windows 2000 Server (including Advanced Server), 32-bit only (64-bit not currently supported)

• Windows Server 2003 (including Enterprise Edition), 32-bit only (64-bit not currently supported).

Note: The network-based Sensor only runs on the Windows OS, but the databases it monitors do not need to be running on Windows.

RIGHTS AND PRIVILEGES

• To install the network-based Sensor, you must have administrative privileges on Windows.

• To run the network-based Sensor, you must have administrative and “run as a service” privileges on Windows.

• To create a custom Filter for Sybase, you require read access to the following tables: master..sysdatabases and the sysobjects, sysusers, and syscolumns tables in the target databases being audited.

For more information on Filters, see the DbProtect Administrator’s Guide and the DbProtect User’s Guide.

HARDWARE

• Dedicated hardware recommendation. Application Security, Inc. recommends you install the network-based Sensor on dedicated hardware, because it improves performance and it’s easier to support. However, you can install the network-based Sensor and the Console on the same machine.

Note: Generally, to facilitate the networking requirements listed below, your network administrator will install the network-based Sensor on a machine in the same data center as the database(s) it will be monitoring.

• RAM. At least 512 MB. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

NETWORK CONNECTIVITY

• Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

• During installation you must enter a port where the Sensor listens for commands from the Console (default port 20000).


• The Sensor machine must be on the same Local Area Network (LAN) as the database machine(s) that it is monitoring, or otherwise have access to network traffic going to/coming from each database machine being monitored. You can accomplish this using a variety of methods, including a Switched Port Analyzer (SPAN) port on a Cisco switch, a mirror port, Network Tap, a Data Aggregator device, or re-direction using VLANs.

• Two network interface cards (NICs) are required, i.e., one for communication from the network-based Sensor to the Console, and one to capture database traffic.

• The network environment must be standard Ethernet (10MB, 100MB, or 1GB -- whatever standard Ethernet card the machine supports). Older drivers may not work. Other environments currently not supported: ATM, Token Ring, FDDI.

Note: Application Security, Inc. recommends you use two network interface cards: one for “listening” to database traffic, and one to communicate with the Console, if data volume is high.

Network-based Sensor for Oracle - minimum system requirements

This help topic provides detailed minimum system requirements for the network-based Sensor for Oracle.

What you will find in this help topic:

• Supported Oracle versions

• Supported Windows versions

• Rights and privileges

• Hardware

• Network connectivity.

SUPPORTED ORACLE VERSIONS

Oracle 7.x; Oracle 8, 8i, 9i, 9iR2, 10g, 10gR2.

SUPPORTED WINDOWS VERSIONS

• Windows 2000 Server (including Advanced Server), 32-bit only (64-bit not currently supported)

• Windows Server 2003 (including Enterprise Edition), 32-bit only (64-bit not currently supported).

Note: The network-based Sensor only runs on the Windows OS, but the databases it monitors do not need to be running on Windows.


RIGHTS AND PRIVILEGES

• To install the network-based Sensor, you must have administrative privileges on Windows.

• To run the network-based Sensor, you must have administrative and “run as a service” privileges on Windows.

• To create a custom Filter for Oracle, you must have the following privileges: all_users, all_tables, all_tab_columns, and all_objects.

For more information on Filters, see the DbProtect Administrator’s Guide and the DbProtect User’s Guide.

HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

• Dedicated hardware recommendation. Application Security, Inc. recommends you install the network-based Sensor on dedicated hardware, because it improves performance and it’s easier to support. However, you can install the network-based Sensor and the Console on the same machine.

Note: Generally, to facilitate the networking requirements listed below, your network administrator will install the network-based Sensor on a machine in the same data center as the database(s) it will be monitoring.

NETWORK CONNECTIVITY

• Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

• During installation you must enter a port where the Sensor listens for commands from the Console (default port 20000).

• The Sensor machine must be on the same Local Area Network (LAN) as the database machine(s) that it is monitoring, or otherwise have access to network traffic going to/coming from each database machine being monitored. You can accomplish this using a variety of methods, including a Switched Port Analyzer (SPAN) port on a Cisco switch, a mirror port, Network Tap, a Data Aggregator device, or re-direction using VLANs.

• Two network interface cards (NICs) are required, i.e., one for communication from the network-based Sensor to the Console, and one to capture database traffic.

• The network environment must be standard Ethernet (10MB, 100MB, or 1GB -- whatever standard Ethernet card the machine supports). Older drivers may not work. Other environments currently not supported: ATM, Token Ring, FDDI.


Note: Application Security, Inc. recommends you use two network interface cards: one for “listening” to database traffic, and one to communicate with the Console, if data volume is high.

Network-based Sensor for DB2 - minimum system requirements

This help topic provides detailed minimum system requirements for the network-based Sensor for DB2.

What you will find in this help topic:

• Supported DB2 versions

• Supported Windows versions

• Rights and privileges

• Hardware

• Network connectivity.

SUPPORTED DB2 VERSIONS

DB2 UDB versions 8 and 9; DB2 for zSeries v8, v7 (DRDA) (TCP/IP).

SUPPORTED WINDOWS VERSIONS

• Windows 2000 Server (including Advanced Server), 32-bit only (64-bit not currently supported)

• Windows Server 2003 (including Enterprise Edition), 32-bit only (64-bit not currently supported).

Note: The network-based Sensor only runs on the Windows OS, but the databases it monitors do not need to be running on Windows.

RIGHTS AND PRIVILEGES

• To install the network-based Sensor, you must have administrative privileges on Windows.

• To run the network-based Sensor, you must have administrative and “run as a service” privileges on Windows.

• To create a custom Filter for DB2, you must install the appropriate DB2 administrative client drivers (for more information, see Appendix G: DB2 Administrative Client Driver Installation), and configure them to recognize the monitored database (either through Discovery or reference). Creating a custom Filter for DB2 also requires access to read the following tables:

- sysibm.systables

- sysibm.syscolumns

- sysibm.sysroutines

For more information on Filters, see the DbProtect Administrator’s Guide and the DbProtect User’s Guide.


HARDWARE

• RAM. 2GB, or at least 512 MB in addition to operating system and database memory requirements. Application Security, Inc. recommends adding more memory if your data volume is high.

• Hard drive space. 50 MB of free disk space. A minimum of 100 MB of space is required if you configure the Sensor to log to a local file.

• Dedicated hardware recommendation. Application Security, Inc. recommends you install the network-based Sensor on dedicated hardware, because it improves performance and it’s easier to support. However, you can install the network-based Sensor and the Console on the same machine.

Note: Generally, to facilitate the networking requirements listed below, your network administrator will install the network-based Sensor on a machine in the same data center as the database(s) it will be monitoring.

NETWORK CONNECTIVITY

• Network connectivity is required for communication with the Console and, optionally, with SNMP and Syslog systems.

• During installation you must enter a port where the Sensor listens for commands from the Console (default port 20000).

• The Sensor machine must be on the same Local Area Network (LAN) as the database machine(s) that it is monitoring, or otherwise have access to network traffic going to/coming from each database machine being monitored. You can accomplish this using a variety of methods, including a Switched Port Analyzer (SPAN) port on a Cisco switch, a mirror port, Network Tap, a Data Aggregator device, or re-direction using VLANs.

• Two network interface cards (NICs) are required, i.e., one for communication from the network-based Sensor to the Console, and one to capture database traffic.

• The network environment must be standard Ethernet (10MB, 100MB, or 1GB -- whatever standard Ethernet card the machine supports). Older drivers may not work. Other environments currently not supported: ATM, Token Ring, FDDI.

Note: Application Security, Inc. recommends you use two network interface cards: one for “listening” to database traffic, and one to communicate with the Console, if data volume is high.


Scan Engines - Minimum System Requirements

DbProtect’s network-based, vulnerability assessment Scan Engines discover database applications within your infrastructure and assess their security strength. Backed by a proven security methodology and extensive knowledge of application-level vulnerabilities, DbProtect locates, examines, reports, and fixes security holes and misconfigurations. Scan Engines scan your databases for vulnerabilities, and allow you to perform Penetration (Pen) Tests and Audits against them.

Target databases (on Windows) include:

• Oracle

• Oracle Application Server

• SQL Server

• Lotus Notes/Domino

• Sybase

• DB2

• DB2 on the Mainframe

• MySQL.

What you will find in this section:

• Supported versions of target databases

• Supported Windows versions (on your Scan Engine host server)

• Rights and privileges

• Hardware

• Operating system

• Network connectivity

• Lotus/Domino requirements

• Sybase requirements

• DB2 requirements

• Required third-party software.


Supported versions of target databases

The following table lists the databases that are licensable and scannable by the Scan Engines, and the supported version(s) of each database type.

| Target database | Supported versions |
|---|---|
| ORACLE DATABASE SERVERS | Oracle 11g, Oracle 10g, Oracle9i, Oracle8i, Oracle8, and Oracle7. Note: Audit does not work for Oracle versions prior to 8.1.7.4, because the client drivers are now shipped with the Scan Engine. |
| ORACLE APPLICATION SERVERS | Oracle Application Server 9i, 9i Release 2. |
| SQL SERVER | SQL Server Versions 6.x, 7.0; SQL Server 2000 and 2005 Express Edition; MSDE 1.0, 2000. |
| LOTUS NOTES/DOMINO | Lotus Notes/Domino v4.5 through 7.0. Note: DbProtect AppDetective performs Audits (but not Penetration Tests) against Domino Groupware (Notes). DbProtect AppDetective performs Penetration Tests (but not Audits) against Domino Web. |
| SYBASE DATABASE SERVERS | Sybase 11.0, 11.5, 11.9.2, 12.0, 12.5, 15. |
| DB2 UDB (LUW) | DB2 Version 8.2, DB2 Version 8.1, DB2 Version 7.2, DB2 Version 7.1, DB2 Version 6.1. Note: For DB2 Version 7, DbProtect only supports a 32-bit instance for Penetration Test and Audits. |
| DB2 Z SERIES | DB2 Version 7 (z/OS and OS/390) and 8 (z/OS). Note: Additional requirement: DB2 Connect installed. |
| MYSQL SERVERS | MySQL 3.20, 3.21, 3.22, 3.23, 3.20, 4.0, 4.1, 5.0. |

Supported Windows versions (on your Scan Engine host server)

Windows 2000 Professional Service Pack (SP) 4, Windows XP Professional SP 1, Windows 2003 Server SP 2 or greater, Windows 2000 Advanced Server SP 4, MDAC 2.8 SP1.


Rights and privileges

Required rights and privileges follow:

• To install a Scan Engine, you must have administrative privileges on Windows.

• Since the Scan Engine installs and runs as a service, the service account must have the “logon as a service” privilege enabled.

• The minimum privileges required on the Data Repository are the database roles (db_datawriter and db_datareader) and server role (dbcreator).

Note: Contact Application Security, Inc. Support at [email protected] if you plan to install Scan Engines across multiple Active Directory Domains.

• In order to run DbProtect with a Scan Engine installed, you must have the permission Full Control on the following items:

- The directory where you installed DbProtect.

- The SYSTEM32 directory.

- The registry key HKEY_LOCAL_MACHINE\SOFTWARE\ASI and all subkeys underneath.

- The registry key HKEY_LOCAL_MACHINE\SOFTWARE\ODBC and all subkeys underneath.

• If you plan to run DbProtect on Windows 2000, the operating system account that DbProtect runs under must have the “act as part of the operating system” privilege enabled.
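One way to check the Full Control requirements listed above, as an added example that is not part of the DbProtect guide: the script reads the ACLs on the installation directory, SYSTEM32 and the two registry keys (with their subkeys) and reports whether the account running it, or one of its groups, holds an applicable Allow entry for Full Control. The -InstallDir parameter and the Test-FullControl function are names chosen for this example; the script only reads ACL entries and does not compute effective access.

```powershell
# Added example, not part of the DbProtect guide. Run it as the account that
# will run DbProtect. -InstallDir and Test-FullControl are names chosen here.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir    # the directory where you installed DbProtect
)

# SIDs of the current user and of every group in its logon token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Test-FullControl {
    param([string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Path = $Path; Ok = $false
            Detail = "ACL not readable: $($_.Exception.Message)"
        }
    }

    $allow = $false
    $deny  = $false
    # Ask for SID-form identities so no account-name lookups are needed.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only entries apply to child objects, not to this object.
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        # Directory and registry rules keep their rights in different properties.
        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $rule.RegistryRights
        } else {
            $rights = $rule.FileSystemRights
        }
        $full = [enum]::Parse($rights.GetType(), 'FullControl')

        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $deny = $true      # any Deny entry for this account is reported
        } elseif ($rights.HasFlag($full)) {
            $allow = $true
        }
    }

    if (-not $allow) {
        $detail = 'no Allow entry granting Full Control'
    } elseif ($deny) {
        $detail = 'Full Control allowed, but a Deny entry also applies'
    } else {
        $detail = 'Full Control'
    }
    [pscustomobject]@{ Path = $Path; Ok = ($allow -and -not $deny); Detail = $detail }
}

# The four items from the guide's list.
$registryRoots = 'HKLM:\SOFTWARE\ASI', 'HKLM:\SOFTWARE\ODBC'
$paths = @($InstallDir, (Join-Path $env:SystemRoot 'System32')) + $registryRoots

# The guide requires Full Control on each key "and all subkeys underneath".
foreach ($root in $registryRoots) {
    $paths += @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSPath })
}

$results  = @($paths | ForEach-Object { Test-FullControl -Path $_ })
$failures = @($results | Where-Object { -not $_.Ok })
$results | Format-Table -AutoSize -Property Ok, Detail, Path

# Non-zero exit code when any item lacks Full Control or could not be read.
if ($failures.Count -gt 0) { exit 1 }
```

A key that does not exist yet, or whose ACL the account cannot read, is listed as a failure with the underlying error message.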

Hardware

• RAM. 512 MB recommended, in addition to operating system memory requirements.

• Hard drive space. 80 MB of free disk space with additional space required to store vulnerability information.

• Processor. 750 MHz or larger.

Operating system

Windows 2000 Professional Service Pack (SP) 4, Windows XP Professional SP 1, Windows 2003 Server, Windows 2000 Advanced Server SP 4, MDAC 2.8 SP 1.

Network connectivity

Network connection to scanned application and to the Console.


Lotus/Domino requirements

In order to run Lotus Domino features, you must have the Lotus Notes Client installed on your system. DbProtect requires a valid .id file and password to function properly. If you are already a Lotus Notes user, you do not need to reload your Lotus Notes client. For more information, see Lotus Notes client driver installation.

Note: DbProtect does not perform Audits on Lotus Notes/Domino applications.

Sybase requirements

To run an Audit on a Sybase SQL Server/Adaptive Server Enterprise application, your workstation requires the appropriate client drivers installed. For more information, see Sybase client driver installation.

You must have Full Control on the registry key: HKEY_LOCAL_MACHINE\SYBASE\Setup.

If you are using ODBC Drivers versions less than 3.7, you must also have read/write permissions on the following local system files on the client machine: ${SYBASE_ROOT}\ini\sql.ini.

DB2 requirements

To run an Audit on DB2, your workstation requires the appropriate client drivers installed. For more information, see Appendix G: DB2 Administrative Client Driver Installation.

Required third-party software

You must have SQL Server 2000 or SQL Server 2005 installed in an accessible location on the network. This is the Data Repository for the Console, which the Sensor and Scan Engines components must access. For more information, see Conceptual diagram and Data Repository.


Chapter 4 - Licensing

This chapter explains DbProtect licensing.

What you will find in this chapter:

• DbProtect licensing overview

• How are licenses consumed?

• The mechanics of DbProtect licensing

• Viewing your “node locked” Scan Engine licensing information.

DbProtect licensing overview

DbProtect licensing is enforced and controlled by information obtained from an Application Security, Inc.-provided set of license files.

If a license is not installed, you will not be able to log into DbProtect. If you have subscribed to software updates, the license file also determines when the DbProtect maintenance subscription is scheduled to expire.

DbProtect license files are “node locked”. In order to receive a license for your product implementation, you will need to provide some specific details about your server(s) to Application Security, Inc.

How are licenses consumed?

Each database/application on your network requires a license to be Penetration Tested or Audited (by a Scan Engine) or monitored (by a Sensor). Discovery results are not metered.

• Vulnerability Assessment license consumption. When you run a test against a database/application for the first time, one license of the appropriate type (i.e., Penetration Test or Audit) is consumed from the available set of licenses for that particular database/application type. The consumed license is then “node locked” to the IP address of the Penetration Tested or Audited database/application. You can re-test these applications any time without consuming another license. For more information on viewing your number of available licenses, see Viewing your “node locked” Scan Engine licensing information.

• Activity Monitoring license consumption. When you enumerate a database asset to monitor with the appropriate type of Sensor, the Sensor registration process is what consumes a Sensor license. The license remains “node locked” for a given database as long as it is registered via the Sensor Manager in the DbProtect AppRadar Console (for more information, see Registering a Sensor in the DbProtect User’s Guide).


The mechanics of DbProtect licensing

To use DbProtect, you must install at least two license files, i.e., one for DbProtect, and one for each registered/installed Scan Engine.

What you will find in this help topic:

• What you will need

• Licensing artifacts

• Deploying your license files

• Viewing your “node locked” Scan Engine licensing information.

WHAT YOU WILL NEED

Contact Application Security, Inc. Customer Support ([email protected]) and provide the following information:

• For each host where a Console and a Scan Engine is installed, provide Application Security, Inc. Customer Support with the VolumeID, and specify the number of Penetration Test and Audit licenses you require for each database type.

Note: To obtain the VolumeID, run asiidentify.exe at the command line. By default, asiidentify.exe is usually located in the following folder: C:\<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\bin

• Application Security, Inc. Customer Support or your sales representative will email your license files and installation instructions.

LICENSING ARTIFACTS

Application Security, Inc. Customer Support will email you a set of license files (ADnnnnnnnnn.lic and ARnnnnnnnnn.lic).

You must copy the:

• ADnnnnnnnnn.lic and ARnnnnnnnnn.lic license files to your DbProtect host, so you can monitor database activity and assess database vulnerabilities via the Console

• ADnnnnnnnnn.lic license file to each host running a Scan Engine (to activate vulnerability assessment).

The following sub-topic (Deploying your license files) explains specifically where you should deploy your license (.lic) files.


DEPLOYING YOUR LICENSE FILES

The following table explains specifically where you should deploy your license (.lic) files.

On your DbProtect host:

• Install each ADnnnnnnnnn.lic file in the following folders:

- c:\<DbProtect Installation Folder>\AppSecInc\AppDetective\licenses

- c:\<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\licenses

• Install each ARnnnnnnnnn.lic file in the following folder: c:\<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\licenses

On each Scan Engine host:

• Install each ADnnnnnnnnn.lic file in the following folders:

- c:\<DbProtect Installation Folder>\AppSecInc\AppDetective\licenses

- c:\<DbProtect Installation Folder>\AppSecInc\licenses

If you are adding or changing any licenses, then you must manually restart the following services (as applicable to the host):

• DbProtect Console

• DbProtect Scan Engine.

Viewing your “node locked” Scan Engine licensing information

On any Scan Engine host, you can open the License Viewer. It shows where your Scan Engine license file is located, how many licenses you have, how many Penetration Test and Audit licenses you’ve used (and on which platforms), etc.


To view your Scan Engine licensing info:

Step Action

1 Choose Start > Programs > AppSecInc > AppDetective ScanEngine > LicenseViewer.exe.

Result: The License Viewer displays.

The License Viewer provides:

• the license file location in the License File: field (stored by default in the c:\<DbProtect Installation Folder>\AppSecInc\Adscanengine\adse\licenses folder)

• your basic license file information, including:

- Customer Name

- License Type

- Product Version

- Expiration Date

- ASAP Expiration

- Machine ID#

2 The AppDetective - Licensing Info dialog box allows you to:

• view how many licenses you purchased (see the Licenses Purchased: field, which is below the Penetration Tests and Security Audits tabs)

• click the Penetration Tests and Security Audits tabs, respectively, to see how many Penetration Test and Audit licenses you’ve used to-date

• use the Application Type: drop-down to filter your used license data by platform (e.g., Oracle, My SQL, Sybase, Web Applications, etc.).

3 You can also click the:

• Get Machine ID # button to display the AppDetective - Machine ID Number pop up, which displays your machine ID

Hint: Click the Copy to clipboard button to copy your machine ID to your computer’s clipboard, whereupon you can paste the number into a field, document, etc.

• Select License File button to display an Open dialog box, which allows you to open your .lic file.


Chapter 5 - Installing the DbProtect Components and Logging Into the Console

This chapter explains how to install the following DbProtect components: the Console, the Sensors, and the Scan Engines. It also explains how to log into the Console for the first time.

Note: First make sure you have carefully read the minimum system requirements for the DbProtect components. For more information, see Chapter 3 - Minimum System Requirements.

What you will find in this chapter:

• Installing the DbProtect Suite Management Components

• Installing and Starting/Stopping the Sensors

• Installing Scan Engines

• Logging Into the Console.


Installing the DbProtect Suite Management Components

The DbProtect suite is comprised of a management bundle, which consists of the following components: Console, Message Collector, and the Database Component. In addition, the suite employs data collection agents: a Scan Engine (for vulnerability assessment), and Sensors (for activity monitoring).

The DbProtect management bundle is deployed as one distribution, which detects/installs prerequisites, and installs the Console, Message Collector component, and the Database Component.

Note: First make sure you have carefully read the minimum system requirements for the Console and Data Repository. For more information, see Console - Minimum System Requirements.

What you will find in this section:

• Installing files to a drive other than the default C drive

• MSDE lockdown scripts “behind the scenes”

• Post-upgrade recommendation: clear your Java cache

• DbProtect suite management components - installation steps.

Installing files to a drive other than the default C drive

DbProtect places the ASAP Updater and the license files into a common area: the Windows Program Files directory default (C:\Program Files). If you want to install these files on a different drive, refer to http://support.microsoft.com/kb/933700, which has instructions on (and warnings about) changing the default Program Files location.

MSDE lockdown scripts “behind the scenes”

If you want to know what the MSDE lockdown scripts are doing “behind the scenes” during the installation of the Console, see Appendix B: What Are the MSDE Lockdown Scripts Doing During the Installation of DbProtect?

Post-upgrade recommendation: clear your Java cache

Application Security, Inc. recommends you clear your Java cache after an upgrade. The Java cache does not get automatically cleared following a reboot. For more information, see Appendix Q: Clearing Your Java Cache.


DbProtect suite management components - installation steps

This topic explains how to install the DbProtect suite management components (i.e., Console, Message Collector, and Database Component). All components are deployed as one distribution.

To install the DbProtect management suite:

Step Action

1 Locate the DbProtect setup file on the Application Security, Inc.-provided CD, or download it from the Application Security, Inc. FTP site. If downloading, save the file to a convenient location (e.g., c:\temp).

2 The installer detects/installs prerequisites.

• Double click the DbProtect executable (.exe) file to begin installing the DbProtect prerequisites and components.

The first screen of the DbProtect installer checks your host machine for prerequisites and components, and displays which (if any) missing prerequisites and components it will install for you. For more information, see Console - Minimum System Requirements.

FIGURE: DbProtect installer

• Click the Install button to begin the installation of the prerequisites (if any are listed), and the components in the order in which they are displayed.


3

FIGURE: Progress screen (installing Microsoft .NET Framework 2.0 prerequisite)

• The installation begins. The DbProtect installer installs any missing prerequisites and components detected in Step 2.

Note: Depending on which prerequisites and components are missing, this part of the installation could take some time (for example, if your host server is missing Microsoft .NET Framework 2.0 SP1 (x86)).

• Next the Database Component Setup Wizard welcome screen displays.


4 The Database Component Setup welcome screen is shown below.

FIGURE: Database Component Setup (welcome screen)

• Click the Next button to display the End-User License Agreement screen.


5 The End-User License Agreement screen is shown below.

FIGURE: Database Component Setup (End-User License Agreement screen)

• Read the License Agreement. If you accept the terms of the License Agreement, check I accept the terms of the license agreement to illuminate the Next button.

• Click the Next button to display the Destination Folder screen.


6 The Destination Folder screen is shown below.

FIGURE: Database Component Setup (Destination Folder screen)

• By default, the DbProtect installer installs the Database Component in the \Database sub-folder located under C:\Program Files\AppSecInc. You can click the Change... button to specify a different installation path for the Database Component.

• Click the Next button to display the Database Component Repository screen.


7 The Database Component Repository screen is shown below.

FIGURE: Database Component Setup (Database Component Repository screen)

• The DbProtect suite requires a Microsoft SQL Server data repository. This screen allows you to specify the location of the Microsoft SQL Server instance, which can be local or remote. You can use the Database Instance drop-down to select an available instance for the Database Component Repository. Or you can manually enter an instance name (in the editable Database Instance drop-down field) using the syntax hostname\instance (e.g., myserver\myinstance) or hostname:port (e.g., myserver:1883).

Note: If you enter hostname:port, you do not need to have the SQL Server browser service turned on; for more information, see Additional Console assumptions, prerequisites, and recommendations.

You can manually change the connection string by modifying the following XML files: appradar.xml, appdetective.xml, messagecollector.xml, and appradarsoap.xml. For more information, see Appendix G: Moving or Changing Your DbProtect Back-End Database in the DbProtect Administrator’s Guide.

If you select an instance name and the SQL Server browser service is down at the time of installation, an error message displays informing you the installer was unable to establish a connection to the specified instance. However, if you select an instance name and the SQL Server browser service is up at the time of installation -- but then is subsequently turned off -- DbProtect will not be able to function until you turn the SQL Server browser service back on, or change the connection string to a valid port number instead of an instance name.

Hint: You can also click the Browse... button to locate a different instance on your network. The Select Computer pop-up displays, allowing you to search for a database host.

• Click the Next button to display the Database Installation Credentials screen.


8 The Database Installation Credentials screen is shown below (with the default Windows Authentication database authentication type selected).

FIGURE: Database Component Setup (Database Installation Credentials screen -- default Windows Authentication database authentication type selected)

The Database User Credentials screen allows you to select the authentication type to use to connect to the database. DbProtect will use this user to create/modify tables, views, and other objects in the database.

Note: The DbProtect installer automatically creates the database.

Select one of the following authentication types for the database user:

• Windows Authentication (default), and go to Step 9.

• SQL Authentication, and go to Step 10.

Note: If you're not sure which authentication type to select, see your database administrator.


9 If you selected the default Windows Authentication database authentication type in Step 8, the Database Installation Credentials screen looks like this:

FIGURE: Database Component Setup (Database Installation Credentials screen -- default Windows Authentication database authentication type selected)

• The default Windows Authentication (a/k/a <domain\user>) database authentication type uses the Windows credentials from the account with which you are currently logged in (for fresh installations).

• You must click the Test Connection button to test the database user credentials. If the connection is successful, a green checkmark icon displays, and the Next button is illuminated.

• You can click either one of the following buttons:

-Modify Database Properties button to display the Database Properties dialog box, which allows you to modify your database data file and log file location. Go to Step 11.

-Next button to display the Ready to Install Database Component screen and go to Step 12.

Note: These credentials are used only for first-time installations in order to create the database. When you upgrade, the DbProtect installer will attempt to use Windows Authentication (if possible). If Windows Authentication fails, this screen displays during the upgrade.


10 If you selected the SQL Authentication database authentication type in Step 8, the Database Installation Credentials screen looks like this:

FIGURE: Database Component Setup (Database Installation Credentials screen -- SQL Authentication database authentication type selected)

Important: Make sure you have enabled SQL authentication on the database.

• Enter a valid Login: and Password: combination.

• You must click the Test Connection button to test the database user credentials. If the connection is successful, a green checkmark icon displays, and the Next button is illuminated.

Hint: You can check the Remember the database credentials for upgrades checkbox (unchecked by default) if you want to store this SQL authentication login/password combination to use when you upgrade to a newer version of DbProtect in the future. This checkbox only displays if you select the SQL Authentication database authentication type.

• You can click either one of the following buttons:

-Modify Database Properties button to display the Database Properties dialog box, which allows you to modify your database data file and log file location. Go to Step 11.

-Next button to display the Ready to Install Database Component screen and go to Step 12.

Note: DbProtect does not store the credentials provided in this step unless you check the Remember the database credentials for upgrades checkbox. These credentials are used only for first-time installations in order to create the database.


11 If you click the Modify Database Properties button in Step 9 or Step 10, the Database Properties dialog box displays, which allows you to modify your database data file and log file location.

FIGURE: Database Component Setup Wizard (Database Properties screen)

Important: This is an advanced option, and if you have no reason to force locations, Application Security, Inc. recommends you leave these fields blank.

Do the following:

• Specify the:

-Database data file path

-Database log file path.

Hint: You can click the Recommend Path button to have the Database Component Setup Wizard populate the fields automatically.

• Click the:

-OK button to apply any changes you made to the database data file and/or log file locations.

-Cancel button to cancel any changes.

• Go back to the Database Installation Credentials screen displayed in Step 9 (if you selected Windows Authentication in Step 8), or the Database Installation Credentials screen displayed in Step 10 (if you selected SQL Authentication in Step 8).


12 The Ready to install Database Component screen is shown below.

FIGURE: Database Component Setup Wizard (Ready to install Database Component screen)

Do the following:

• Click the Install button to install the database component.

FIGURE: Database Component Setup Wizard (Installing Database Component screen)

When the installation is complete, the Completed the Database Component Setup Wizard screen displays.


13 The Completed the Database Component Setup Wizard screen is shown below.

FIGURE: Database Component Setup Wizard (Completed the Database Component Setup Wizard screen)

• Click the Finish button to complete the Database Component installation. Next, the Console Management Server Setup wizard welcome screen displays.


14 The Console Management Server Setup wizard welcome screen is shown below.

FIGURE: Console Management Server Setup wizard (welcome screen)

Note: Application Security, Inc. strongly recommends you close all other applications before continuing the installation.

• Click the Next button to display the Destination Folder screen.


15 The Destination Folder screen is shown below.

FIGURE: Console Management Server Setup wizard (Destination Folder screen)

• By default, the DbProtect installer installs the Console under C:\Program Files\AppSecInc. You can click the Change... button to specify a different installation path for the Console.

• Click the Next button to display the DbProtect Server Port screen.


16 The DbProtect Server Port screen is shown below.

FIGURE: Console Management Server Setup wizard (DbProtect Server Port screen)

The Console Management Server is DbProtect’s web application management interface. You access it via a web browser. This screen allows you to select the server port the web service runs on. DbProtect users connect to the Console via a secure HTTPS connection to the specified server port.

Do the following:

• Specify the Console server port. The default port (20080) is recommended for most configurations. If necessary, enter a different port number (1-65535). Consult your network administrator to determine which network port is acceptable. For more information on required open listen ports, see Conceptual diagram.

• Click the Test Port button to test the availability of the specified server port. If the port is available, a checkmark icon displays, and the Next button is illuminated.

• Click the Next button to display the Service Log On Credentials screen.


17 The Service Log On Credentials screen is shown below.

FIGURE: Console Management Server Setup wizard (Service Log On Credentials screen)

This step allows you to specify the user DbProtect will use to:

• run the DbProtect Console and DbProtect Message Collector services

• browse the Windows Active Directory or NT 4 domains.

Note: For all operating systems, this user must have the “Logon as a service” privilege, and must belong to the local Administrators group. Windows 2000 Super Users must also have the “Act as part of the operating system” privilege.

• You can select:

-Run service as LocalSystem to run the DbProtect Console service as the current logged-in user.

-Select Run service as:, then manually enter (or click the Browse... button to select) the Windows account domain path and user name in the Account: field (e.g., Domain1\Account1), then enter the Windows account password in the Password: field.

• Click the Test Credentials button to test the Run service as: credentials provided. If the credentials are valid, a checkmark icon displays, and the Next button is illuminated.

• Click the Next button to display the Database Run Time Credentials screen.


18 The Database Run Time Credentials screen is shown below.

FIGURE: Console Management Server Setup wizard (Database Run Time Credentials screen)

This service connects to the Database Component using either Windows Authentication (using the Local System Windows Service account) or SQL Authentication.

• You can select:

-Windows Authentication. If you select this option, DbProtect uses the service credentials that you specified in Step 17 to connect to the database at run-time.

-SQL Authentication (make sure you have enabled SQL authentication). If you select this option, you must also enter a valid Login: and Password: combination.

Caution! SQL Server authentication information is stored in clear text in the following configuration files: appradar.xml, appdetective.xml, messagecollector.xml, and appradarsoap.xml. These files contain two parameters: username and password. In their corresponding <value> fields, you will find the SQL Server authentication values filled in by default. For more information, see the DbProtect Administrator’s Guide.

Regardless of your selection, the Console uses these credentials to read and write data. Only the db_datareader and db_datawriter roles are required for these credentials.

• Click the Test Connection button to test the database run time credentials. If the connection is successful, a green checkmark icon displays, and the Next button is illuminated.

• Click the Next button to display the Ready to Install Console Management Server screen.


19 The Ready to Install Console Management Server screen is shown below.

FIGURE: Console Management Server Setup wizard (Ready to Install Console Management Server screen)

• Click the Install button to begin the Console installation. When the Console installation completes, a success message displays and the Finish button is illuminated.


20 The Completed the Console Management Server Setup screen is shown below.

FIGURE: Console Management Server Setup wizard (Completed the Console Management Server Setup screen)

• Click the Finish button to complete the Console installation. Next, the Message Collector Setup wizard welcome screen displays.


21 The Message Collector Setup wizard welcome screen is shown below.

FIGURE: Message Collector Setup wizard (welcome screen)

Note: Application Security, Inc. recommends you close all other applications before continuing the installation.

• Click the Next button to display the Service Log On Credentials screen.


22 The Service Log On Credentials screen is shown below.

FIGURE: Message Collector Setup wizard (Service Log On Credentials screen)

This service runs using either Windows Authentication (using the Local System Windows Service account) or SQL Authentication.

• If you selected:

-Windows Authentication in Step 18, the Message Collector will use the service credentials to connect to the database at run-time.

-SQL Authentication in Step 18, the Message Collector will use the SQL credentials you entered in Step 18 to connect to the database at run-time.

• Click the Test Connection button to test the database run time credentials. If the connection is successful, a green checkmark icon displays, and the Next button is illuminated.

• Click the Next button to display the Ready to Install Console Management Server screen.


23 The Ready to Install Message Collector screen is shown below.

FIGURE: Message Collector Setup wizard (Ready to Install Message Collector screen)

• Click the Install button to begin the Message Collector installation. When the Message Collector installation completes, the Completed the Message Collector Setup Wizard screen displays and the Finish button is illuminated.


24 The Completed the Message Collector Setup Wizard screen is shown below.

FIGURE: Message Collector Setup wizard (Completed the Message Collector Setup Wizard screen)

• Click the Finish button to complete the Message Collector (and DbProtect management bundle) installation. A “Congratulations” pop up displays after you successfully complete the installation.

FIGURE: “Congratulations” pop up

• Click the OK button to close the pop up.

25 DbProtect begins running as a Windows service on your computer. This service automatically starts when you start your computer.


26 Obtain and install your Application Security, Inc.-issued DbProtect licenses. You will need:

• ADnnnnnnnnn.lic and ARnnnnnnnnn.lic license files on your DbProtect host, so you can monitor database activity and assess database vulnerabilities via the Console

• an individual ADnnnnnnnnn.lic license file on each host running a Scan Engine (to activate vulnerability assessment).

For specific details, see Chapter 4 - Licensing.

27 Restart the DbProtect Console and DbProtect Message Collector services after you copy the license files. Wait 20 seconds for the license to initialize.

All DbProtect services start automatically every time you start your computer. If you need to start or stop any DbProtect services for any reason, see the DbProtect Administrator’s Guide.
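The Caution in Step 18 names four configuration files that hold the SQL Server login in clear text. The following added example (not part of the DbProtect guide or product) audits a directory for those files and reports which ones carry a non-empty username or password value, without ever printing the secret. The <parameter>/<name>/<value> layout of the constructed sample is an assumption, since the guide only says each parameter has a <value> field, and the directory to audit is site-specific.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# File names are taken from the guide; their directory is site-specific.
CONFIG_FILES = ("appradar.xml", "appdetective.xml",
                "messagecollector.xml", "appradarsoap.xml")
SENSITIVE = {"username", "password"}

# Constructed sample. ASSUMPTION: the guide does not show the real layout,
# only that the username and password parameters each have a <value> field.
SAMPLE = """<configuration>
  <parameter><name>username</name><value>dbp_runtime</value></parameter>
  <parameter><name>password</name><value>Constructed-Example-1</value></parameter>
  <parameter><name>port</name><value>20080</value></parameter>
</configuration>"""


def _param_name(elem):
    """Parameter name from a name="..." attribute or a <name> child element."""
    name = elem.get("name")
    if name is None:
        child = elem.find("name")
        name = child.text if child is not None else None
    return (name or "").strip().lower()


def find_cleartext_credentials(root):
    """Return the sorted names of credential parameters with a non-empty value."""
    hits = set()
    for elem in root.iter():
        name = _param_name(elem)
        if name not in SENSITIVE:
            continue
        value = elem.find("value")
        text = value.text if value is not None else elem.get("value")
        if text and text.strip():
            hits.add(name)  # record the name only, never the secret itself
    return sorted(hits)


def audit_directory(config_dir):
    """Map each expected file to 'missing', 'unparseable', 'clean' or exposed names."""
    report = {}
    for filename in CONFIG_FILES:
        path = os.path.join(config_dir, filename)
        if not os.path.isfile(path):
            report[filename] = "missing"
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            report[filename] = "unparseable"  # review by hand, do not assume clean
            continue
        report[filename] = find_cleartext_credentials(root) or "clean"
    return report


def demo():
    """Audit constructed files: one exposed, one empty, one malformed, one absent."""
    empty = ("<configuration><parameter><name>password</name>"
             "<value/></parameter></configuration>")
    with tempfile.TemporaryDirectory() as tmp:
        for filename, body in (("appradar.xml", SAMPLE),
                               ("appdetective.xml", empty),
                               ("messagecollector.xml", "<configuration><parameter>")):
            with open(os.path.join(tmp, filename), "w", encoding="utf-8") as handle:
                handle.write(body)
        return audit_directory(tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A file that reports exposed names was configured with SQL Authentication at run time; those files are candidates for restricted file permissions or for the Windows Authentication option in Step 18.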


Installing and Starting/Stopping the Sensors

This section provides detailed installation steps for the Sensor components of DbProtect. There are two types of Sensors available: host-based and network-based. This section also explains how to start and stop the Sensors (on Windows and *nix platforms).

Note: First make sure you have carefully read the minimum system requirements for the Sensors. For more information, see Sensors - Minimum System Requirements.

What you will find in this section:

• Host-based Sensors (supported databases and platforms)

• Network-based Sensors (supported databases and platforms)

• Host-based Sensor for SQL Server (on Windows) - installation steps

• Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps

• Host-based Sensor for DB2 (on Solaris) - installation steps

• Host-based Sensor for DB2 (on AIX) - installation steps

• Host-based Sensor for DB2 (on Windows) - installation steps

• Host-based Sensor for Oracle (on Solaris) - installation steps

• Host-based Sensor for Oracle (on AIX) - installation steps

• Host-based Sensor for Oracle (on HP-UX) - installation steps

• Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps

• Host-based Sensor for Oracle (on Windows) - installation steps

• Network-based Sensor for Sybase, Oracle, and DB2 - installation steps

• Starting and stopping the Sensors.


Host-based Sensors (supported databases and platforms)

Host-based Sensors allow you to monitor the following databases on a host server:

• SQL Server on Windows

• DB2 on Solaris, AIX, Red Hat Enterprise Linux, and Windows

• Oracle on Solaris, AIX, HP-UX, Red Hat Enterprise Linux, and Windows.

If you want to install a host-based Sensor, the table below lists supported database/OS combinations, and links you to the installation steps.

DB | OS | Go to:
SQL SERVER | WINDOWS | Host-based Sensor for SQL Server (on Windows) - installation steps
DB2 | RED HAT ENTERPRISE LINUX | Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps
DB2 | SOLARIS | Host-based Sensor for DB2 (on Solaris) - installation steps
DB2 | AIX | Host-based Sensor for DB2 (on AIX) - installation steps
DB2 | WINDOWS | Host-based Sensor for DB2 (on Windows) - installation steps
ORACLE | SOLARIS | Host-based Sensor for Oracle (on Solaris) - installation steps
ORACLE | AIX | Host-based Sensor for Oracle (on AIX) - installation steps
ORACLE | HP-UX | Host-based Sensor for Oracle (on HP-UX) - installation steps
ORACLE | RED HAT ENTERPRISE LINUX | Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps
ORACLE | WINDOWS | Host-based Sensor for Oracle (on Windows) - installation steps


Network-based Sensors (supported databases and platforms)

Network-based Sensors allow you to monitor Sybase, Oracle, and DB2 on the network. If you want to install a network-based Sensor, the table below lists supported database/OS combinations, and links you to the installation steps.

Note: The network-based Sensor only runs on the Windows OS, but the databases it monitors do not need to be running on Windows.

DB | OS | Go to:
DB2, SYBASE, ORACLE | WINDOWS | Network-based Sensor for Sybase, Oracle, and DB2 - installation steps

Host-based Sensor for SQL Server (on Windows) - installation steps

To install the host-based Sensor for SQL Server on Windows:

Step Action

1 Locate the setup file on the Application Security, Inc.-provided CD, or download it from the Application Security, Inc. FTP site or website.

2 Save the file to a convenient location (e.g., c:\temp).

3 • Double click the executable file to display the installation wizard (Welcome page) and begin the Sensor installation.

FIGURE: Welcome page

• Click the Next button to display the License Agreement page.


4

FIGURE: License Agreement page

• Read the License Agreement.

• If you accept the terms of the License Agreement, select I accept the terms of the license agreement.

• Click the Next button to display the Choose Destination Location page.

5

FIGURE: Choose Destination Location page

• Choose the location of the Sensor installation directory. You can click the:

-Change button to choose a directory manually

-Next button to choose the default location. (The default location is: c:\Program Files\AppSecInc\AppRadar Sensor\).

• Click the Next button to display the Ready to Install the Program page.


6

FIGURE: Ready to Install page

Click the Install button. When the installation finishes, the Complete page displays.

7

FIGURE: Complete page

Click the Finish button to display the Sensor Initialization Utility.

8

FIGURE: Sensor Initialization Utility

Click the Host-Based Sensor for Microsoft SQL Server, DB2 and Oracle button to display the Sensor Communication Port Information page.


9

FIGURE: Sensor Communication Port Information page

• Specify which port number the Sensor should use to receive commands from the Console. The default port (20000) is recommended for most configurations. If necessary, enter a different port number (1-65535). Consult your network administrator to determine which network port is acceptable. For more information on required open listen ports, see Conceptual diagram.

Note: Every Sensor installation requires its own dedicated port for communication.

Specify which port number the Sensor should use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host server. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host machine.

The Console uses port 20080 (by default) to send data to, and receive data from, the Sensors. The Sensors, by comparison, send data to, and receive data from, the Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via port 20000) to the Console's Message Collector component, the Message Collector receives these Alerts on port 20081 (by default).

If you are installing a Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available).

• Click the Next button to display the Sensor Service Logon Details page.


10

FIGURE: Sensor Service Logon Details page

• Specify a database user login and password.

Important: If you want the Sensor to run under the username and password of a non-local user, you must specify them in this step.

You can select:

-Use "Local System" Account, if you want to use the "local system" account, which has full access rights and privileges on the host computer.

-Existing domain user having the "log on as service" privilege. This selection allows you to specify a domain user login and password in the bottom half of the screen.

Important: The Sensor logs in to the monitored database, and the Sensor service runs, under this user profile. This profile must be a Windows user with administrator rights. Also, the account name specified must have the "log on as service" permission set in the Local Security Policy of the server (for more information, see your Windows help). If you select Existing domain user having the "log on as service" privilege, then in the bottom half of the screen you must enter the: a.) domain name\user name, or click the Find User button to display the Select Users pop-up and locate a valid user, and b.) password for the specified user. Also, the domain user must be a Windows user with administrative rights on both the host server and SQL Server, and must have domain administrator rights to install a host-based Sensor for SQL Server in a cluster.

Caution! When using the Sensor Initialization Utility, you may encounter issues when implementing the Windows Control that displays when you click the Find User button. Depending on your OS version, it may not be possible to select a user from a list. Subsequently, you may have to enter a valid domain name\user name manually. Additionally, on operating systems where this control does work, picking the user name from the Find User list may not display it in the required format (domain name\user name) if you select a local user rather than a domain user.

• Click the Next button to display the Summary page.


11

FIGURE: Summary page

• Verify the installation details. If you want to review or change any settings, you can click the Back button.

• Click the Initialize Sensor button. When the initialization finishes, the Results page displays.


12

FIGURE: Results page

• Review the installation details at the bottom of the page.

• Click the Finish button.


Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps

HOST-BASED DB2 (ON RED HAT ENTERPRISE LINUX) SENSOR INSTALLATION

To install a host-based Sensor for DB2 on Red Hat Enterprise Linux 3, 4, or 5 (32-bit x86 and 64-bit x64):

Step Action

1 The Unix administrator (root) creates the appradar user and group.

2 The Unix administrator (root) puts the instance (db2inst1) default user account (or the account of whomever runs the DB2 user process) into the appradar group.

The DB2 user (db2inst1) must be in the appradar group, and the appradar user must be in the same group as the DB2 user (db2grp1). Both actions must be taken in order for the host-based DB2 Sensor to work properly.

Caution! A host-based Sensor for DB2 can only monitor one DB2 instance. If you want to monitor multiple instances on a DB2 server, see Appendix C: Modifying the Sensor Listener Port Number and Appendix P: Monitoring Multiple Instances on a DB2 Server.

3 The DB2 administrator must grant the following privileges to the appradar user for every DB2 database in the instance you want to monitor:

• SYSADM if you want to monitor unsuccessful authentication attempts

• DBADM if you do not want to monitor unsuccessful authentication attempts.

4 The person installing the host-based DB2 Sensor logs in as the user who will run the host-based DB2 Sensor, i.e., appradar, or the user created by the Unix administrator (root) in Step 1.

Caution! The account running the DB2 database must be in the same user group as the account running the host-based Sensor for DB2 installation script.

5 Download or copy the host-based Sensor file to your target database host. The file names are:

• AppRadar Sensor_<version number>_Linux32.tgz.sh for Red Hat Enterprise Linux (32-bit x86)

• AppRadar Sensor_<version number>_Linux64.tgz.sh for Red Hat Enterprise Linux (64-bit x64).


6 Install the host-based Sensor file as follows:

• sh "./AppRadar Sensor_<version number>_Linux32.tgz.sh" install <installation_dir>

for Red Hat Enterprise Linux (32-bit x86), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

• sh "./AppRadar Sensor_<version number>_Linux64.tgz.sh" install <installation_dir>

for Red Hat Enterprise Linux (64-bit x64), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

Note: If the filename contains spaces, then don't forget to quote these spaces in the command.

The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.

7 Start your Sensor; for more information, see Starting and stopping the Sensors.


Host-based Sensor for DB2 (on Solaris) - installation steps

To install a host-based Sensor for DB2 on Solaris 8, 9, and 10 (64-bit SPARC):

Step Action

1 The Unix administrator (root) creates the appradar user and group.

2 The Unix administrator (root) puts the instance (db2inst1) default user account (or the account of whomever runs the DB2 user process) into the appradar group.

The DB2 user (db2inst1) must be in the appradar group, and the appradar user must be in the same group as the DB2 user (db2grp1). Both actions must be taken in order for the host-based DB2 Sensor to work properly.

Caution! A host-based Sensor for DB2 can only monitor one DB2 instance. If you want to monitor multiple instances on a DB2 server, see Appendix C: Modifying the Sensor Listener Port Number and Appendix P: Monitoring Multiple Instances on a DB2 Server.

3 The DB2 administrator must grant the following privileges to the appradar user for every DB2 database in the instance you want to monitor:

• SYSADM if you want to monitor unsuccessful authentication attempts

• DBADM if you do not want to monitor unsuccessful authentication attempts.

4 The person installing the host-based DB2 Sensor logs in as the user who will run the host-based DB2 Sensor, i.e., appradar, or the user created by the Unix administrator (root) in Step 1.

Caution! The account running the DB2 database must be in the same user group as the account running the host-based Sensor for DB2 installation script.

5 Download or copy the host-based Sensor installation file to your target database host. The file is: AppRadar Sensor_<version number>__Solaris64.tgz.sh

6 Install the host-based Sensor file as follows:

sh "./AppRadar Sensor_<version number>__Solaris64.tgz.sh" install <installation_dir>

where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

Note: If the filename contains spaces, then don't forget to quote these spaces in the command.

The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.

7 Start your Sensor; for more information, see Starting and stopping the Sensors.
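The group and account prerequisites in steps 1 to 4 of the DB2 procedures above can be checked before the installer is run. The script below is an added example, not part of the DbProtect guide or product: appradar, db2inst1 and db2grp1 are the guide's sample names, the function names are made up for this example, and check_this_host assumes an id command that accepts the POSIX -un and -Gn options.

```shell
#!/bin/sh
# Added example, not part of the DbProtect guide. The defaults appradar,
# db2inst1 and db2grp1 are the guide's sample names; override them as needed.

# has_group GROUP "LIST": succeed if GROUP is one of the space-separated
# group names in LIST (the format printed by `id -Gn USER`).
has_group() {
    for g in $2; do
        if [ "$g" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# db2_sensor_preflight INSTALL_USER SENSOR_GROUPS DB2_GROUPS
#                      [SENSOR_USER] [SENSOR_GROUP] [DB2_GROUP]
# Prints one line per unmet prerequisite and returns how many were found.
db2_sensor_preflight() {
    install_user=$1
    sensor_groups=$2
    db2_groups=$3
    sensor_user=${4:-appradar}
    sensor_group=${5:-appradar}
    db2_group=${6:-db2grp1}
    problems=0

    # Step 2: the DB2 instance user must be in the Sensor's group ...
    if ! has_group "$sensor_group" "$db2_groups"; then
        echo "FAIL: DB2 instance user is not in group '$sensor_group'"
        problems=$((problems + 1))
    fi
    # ... and the Sensor user must be in the DB2 user's group.
    if ! has_group "$db2_group" "$sensor_groups"; then
        echo "FAIL: Sensor user is not in group '$db2_group'"
        problems=$((problems + 1))
    fi
    # Step 4: the installation script is run by the Sensor user.
    if [ "$install_user" != "$sensor_user" ]; then
        echo "FAIL: installing as '$install_user', expected '$sensor_user'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# check_this_host [DB2_USER] [SENSOR_USER]: run the preflight against the
# live accounts on this host. Not called automatically.
check_this_host() {
    db2_user=${1:-db2inst1}
    sensor_user_name=${2:-appradar}
    db2_sensor_preflight "$(id -un)" \
        "$(id -Gn "$sensor_user_name")" \
        "$(id -Gn "$db2_user")" \
        "$sensor_user_name"
}

# Constructed sample: db2inst1 was never added to the appradar group.
if db2_sensor_preflight appradar "appradar db2grp1" "db2grp1" >/dev/null; then
    echo "sample host: ready"
else
    echo "sample host: $? prerequisite(s) missing"
fi
```

Run check_this_host as the account that will execute the installation script; a non-zero return value is the number of prerequisites still to be fixed by the Unix administrator.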


Host-based Sensor for DB2 (on AIX) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for DB2 on a Unix or Red Hat Enterprise Linux host, see the DbProtect Administrator’s Guide.

To install a host-based Sensor for DB2 on a Unix host running AIX 5.2 Technology Level 5 and up:

Step Action

1 The Unix administrator (root) creates the appradar user and group.

2 The Unix administrator (root) puts the instance (db2inst1) default user account (or the account of whomever runs the DB2 user process) into the appradar group.

The DB2 user (db2inst1) must be in the appradar group, and the appradar user must be in the same group as the DB2 user (db2grp1). Both actions must be taken in order for the host-based DB2 Sensor to work properly.

Caution! A host-based Sensor for DB2 can only monitor one DB2 instance. If you want to monitor multiple instances on a DB2 server, see Appendix C: Modifying the Sensor Listener Port Number and Appendix P: Monitoring Multiple Instances on a DB2 Server.

3 The DB2 administrator must grant the following privileges to the appradar user for every DB2 database in the instance you want to monitor:

• SYSADM if you want to monitor unsuccessful authentication attempts

• DBADM if you do not want to monitor unsuccessful authentication attempts.

4 The person installing the host-based DB2 Sensor logs in as the user who will run the host-based DB2 Sensor, i.e., appradar, or the user created by the Unix administrator (root) in Step 1.

Caution! The account running the DB2 database must be in the same user group as the account running the host-based Sensor for DB2 installation script.

5 Download or copy the host-based Sensor file to your target database host. The file names are:

• AppRadar Sensor_<version number>_aix-ppc-32.tgz.sh for AIX (32-bit)

• AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh for AIX (64-bit).

6 Install the host-based Sensor file as follows:

• sh "./AppRadar Sensor_<version number>_aix-ppc-32.tgz.sh" install <installation_dir>

for AIX (32-bit), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

• sh "./AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh" install <installation_dir>

for AIX (64-bit), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

Note: If the filename contains spaces, then don't forget to quote these spaces in the command.

The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.

7 Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for DB2 (on Windows) - installation steps

To install a host-based Sensor for DB2 on Windows:

Step Action

1 Locate the setup file on the Application Security, Inc.-provided CD, or download it from the Application Security, Inc. FTP site or website.

2 Save the file to a convenient location (e.g., c:\temp).

3 • Double click the executable file to display the installation wizard (Welcome page) and begin the Sensor installation.

FIGURE: Welcome page

• Click the Next button to display the License Agreement page.


4

FIGURE: License Agreement page

• Read the License Agreement.

• If you accept the terms of the License Agreement, select I accept the terms of the license agreement.

• Click the Next button to display the Choose Destination Location page.

5

FIGURE: Choose Destination Location page

• Choose the location of the Sensor installation directory. You can click the:

-Change button to choose a directory manually

-Next button to choose the default location. (The default location is: c:\Program Files\AppSecInc\AppRadar Sensor\).

• Click the Next button to display the Ready to Install the Program page.


6

FIGURE: Ready to Install the Program page

Click the Install button. When the installation finishes, the Complete page displays.

7

FIGURE: Complete page

Click the Finish button to display the Sensor Initialization Utility.

8

FIGURE: Sensor Initialization Utility

Click the Host-Based Sensor for Microsoft SQL Server, DB2 and Oracle button to display the Sensor Communication Port Information page.


9

FIGURE: Sensor Communication Port Information page

• Specify which port number the Sensor should use to receive commands from the Console. The default port (20000) is recommended for most configurations. If necessary, enter a different port number (1-65535). Consult your network administrator to determine which network port is acceptable. For more information on required open listen ports, see Conceptual diagram.

Note: Every Sensor installation requires its own dedicated port for communication.

Specify which port number the Sensor should use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host server. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host machine.

The Console uses port 20080 (by default) to send data to, and receive data from, the Sensors. The Sensors, by comparison, send data to, and receive data from, the Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via port 20000) to the Console's Message Collector component, the Message Collector receives these Alerts on port 20081 (by default).

If you are installing a Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available).

• Click the Next button to display the Sensor Service Logon Details page.


10

FIGURE: Sensor Service Logon Details page

• Specify a database user login and password.

Important: If you want the Sensor to run under the username and password of a non-local user, you must specify them in this step.

You can select:

-Use "Local System" Account, if you want to use the "local system" account, which has full access rights and privileges on the host computer.

-Existing domain user having the "log on as service" privilege. This selection allows you to specify a domain user login and password in the bottom half of the screen.

Important: The Sensor logs in to the monitored database, and the Sensor service runs, under this user profile. This profile must be a Windows user with administrator rights. Also, the account name specified must have the "log on as service" permission set in the Local Security Policy of the server (for more information, see your Windows help). If you select Existing domain user having the "log on as service" privilege, then in the bottom half of the screen you must enter the: a.) domain name\user name, or click the Find User button to display the Select Users pop-up and locate a valid user, and b.) password for the specified user.

Caution! When using the Sensor Initialization Utility, you may encounter issues when implementing the Windows Control that displays when you click the Find User button. Depending on your OS version, it may not be possible to select a user from a list. Subsequently, you may have to enter a valid domain name\user name manually. Additionally, on operating systems where this control does work, picking the user name from the Find User list may not display it in the required format (domain name\user name) if you select a local user rather than a domain user.

• Click the Next button to display the Summary page.


11

FIGURE: Summary page

• Verify the installation details. If you want to review or change any settings, you can click the Back button.

• Click the Initialize Sensor button. When the initialization finishes, the Results page displays.


12

FIGURE: Results page

• Review the installation details at the bottom of the page.

• Click the Finish button.

13 Start your Sensor; for more information, see Starting and stopping the Sensors.


Host-based Sensor for Oracle (on Solaris) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect Administrator’s Guide.

To install a host-based Sensor for Oracle on a Unix host running Solaris 8, 9, 10 (32- and 64-bit SPARC):

Step Action

1 Log in as a user that will run the Sensor, i.e., appradar.

Caution! Do not log in as root.

Note: The user (i.e., appradar) must be a member of the same “dba” group as oracle on the host.

2 Download or copy the host-based Sensor file to your target database host. The file names are:

• AppRadar Sensor_<version number>_Solaris32.tgz.sh for Solaris (32-bit SPARC)

• AppRadar Sensor_<version number>_Solaris64.tgz.sh for Solaris (64-bit SPARC).

3 Install the host-based Sensor file as follows:

• sh "./AppRadar Sensor_<version number>_Solaris32.tgz.sh" install <installation_dir>

for Solaris (32-bit SPARC), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

• sh "./AppRadar Sensor_<version number>_Solaris64.tgz.sh" install <installation_dir>

for Solaris (64-bit SPARC), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

Note: If the filename contains spaces, then don't forget to quote these spaces in the command.

The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.

4 Finally, you must configure your host-based Sensor for Oracle DDL triggers, and configure your host-based Sensor for Oracle audit trail to monitor failed logins. For more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers and Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins, respectively.

Note: If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.

5 Start your Sensor; for more information, see Starting and stopping the Sensors.
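The checks behind steps 1 to 3 above, as an added example that is not part of this guide or the vendor's installer: it refuses to run as root, confirms that the Sensor user and oracle are both in the dba group, and runs the installer with the space-containing file name quoted. It goes beyond Solaris by also mapping the installer file names this guide gives for AIX, HP-UX and Red Hat Enterprise Linux; the platform tags, return codes, ID_CMD variable and script name preinstall.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example (not vendor code): checks for steps 1-3 of the Unix install.

# Print the installer file name the guide lists for a platform.
# $1 = platform tag (the tags are this example's own naming), $2 = version.
installer_name() {
    case "$1" in
        solaris32)   suffix=Solaris32 ;;
        solaris64)   suffix=Solaris64 ;;
        aix64)       suffix=aix-ppc-64 ;;
        hpux-parisc) suffix=hpux-hppa-64 ;;
        hpux-ia64)   suffix=hpux-ia64-64 ;;
        linux32)     suffix=Linux32 ;;
        linux64)     suffix=Linux64 ;;
        *)           return 1 ;;
    esac
    printf 'AppRadar Sensor_%s_%s.tgz.sh\n' "$2" "$suffix"
}

# Succeed when word $1 occurs in the space-separated list $2.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# check_account UID SENSOR_GROUPS ORACLE_GROUPS [GROUP]
# 0 = acceptable, 1 = running as root, 2 = Sensor user not in GROUP,
# 3 = oracle not in GROUP. GROUP defaults to "dba", the name the guide uses.
check_account() {
    group=${4:-dba}
    [ "$1" -ne 0 ] || return 1
    in_list "$group" "$2" || return 2
    in_list "$group" "$3" || return 3
    return 0
}

# install_sensor FILE DIR: run the installer found in the current directory.
# Every expansion is quoted because the file name contains a space.
install_sensor() {
    [ -f "./$1" ] || { echo "installer not found: ./$1" >&2; return 4; }
    { [ -d "$2" ] && [ -w "$2" ]; } || { echo "cannot write to: $2" >&2; return 5; }
    sh "./$1" install "$2" || return $?
    # The guide says the Sensor lands in <installation_dir>/ASIappradar/.
    [ -d "$2/ASIappradar" ] || { echo "missing: $2/ASIappradar" >&2; return 7; }
}

# sensor_preinstall TAG VERSION DIR: query the live system, then install.
# On Solaris 8 to 10 set ID_CMD=/usr/xpg4/bin/id, because /usr/bin/id
# there does not accept -u or -Gn.
sensor_preinstall() {
    id_cmd=${ID_CMD:-id}
    file=$(installer_name "$1" "$2") || { echo "unknown platform: $1" >&2; return 6; }
    ora_groups=$("$id_cmd" -Gn oracle 2>/dev/null) || ora_groups=
    rc=0
    check_account "$("$id_cmd" -u)" "$("$id_cmd" -Gn)" "$ora_groups" || rc=$?
    case "$rc" in
        1) echo "do not install as root; log in as the Sensor user" >&2 ;;
        2) echo "current user is not in the dba group" >&2 ;;
        3) echo "oracle is not in the dba group, or does not exist" >&2 ;;
    esac
    [ "$rc" -eq 0 ] || return "$rc"
    install_sensor "$file" "$3"
}

# Runs only when invoked as: sh preinstall.sh <tag> <version> <installation_dir>
if [ "$#" -eq 3 ]; then
    sensor_preinstall "$@"
fi
```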


Host-based Sensor for Oracle (on AIX) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect Administrator’s Guide.

To install a host-based Sensor for DB2 on a Unix host running AIX 5.2 (64-bit) Technology Level 5 and up (or AIX 5.3 Technology Level 5 for Sensors prior to version 3.3):

Step Action

1 Log in as a user that will run the Sensor, i.e., appradar.

Caution! Do not log in as root.

Note: The user (i.e., appradar) must be a member of the same “dba” group as oracle on the host.

2 Download or copy the host-based Sensor file to your target database host. The file name is: AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh for 64-bit AIX.

3 Install the host-based Sensor file as follows:

sh "./AppRadar Sensor_<version number>_aix-ppc-64.tgz.sh" install <installation_dir>

for AIX 5.2 (64-bit), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

Note: If the filename contains spaces, then don't forget to quote these spaces in the command.

Result: The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.

4 Finally, you must configure your host-based Sensor for Oracle DDL triggers, and configure your host-based Sensor for Oracle audit trail to monitor failed logins. For more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers and Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins, respectively.

Note: If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.

5 Start your Sensor; for more information, see Starting and stopping the Sensors.


Host-based Sensor for Oracle (on HP-UX) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect Administrator’s Guide.

To install a host-based Sensor for Oracle on a Unix host running HP-UX 11i v1 (11.11) and greater on the PA-RISC processor and HP-UX 11i v2 (11.23) and greater on the Itanium (IA64) processor:

Step Action

1 Log in as a user that will run the Sensor, i.e., appradar.

Caution! Do not log in as root.

Note: The user (i.e., appradar) must be a member of the same “dba” group as oracle on the host.

2 Download or copy the host-based Sensor file to your target database host. If you are installing a host-based Sensor on a Unix host running:

• HP-UX 11i v1 (11.11) and greater on the PA-RISC processor, the name of the file is: AppRadar Sensor_<version number>_hpux-hppa-64.tgz.sh

• HP-UX 11i v2 (11.23) and greater on the Itanium (IA64) processor, the name of the file is: AppRadar Sensor_<version number>_hpux-ia64-64.tgz.sh

3 Install the host-based Sensor file as follows:

• sh "./AppRadar Sensor_<version number>_hpux-hppa-64.tgz.sh" install <installation_dir>

for HP-UX 11i v1 (11.11) and greater on the PA-RISC processor, where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

• sh "./AppRadar Sensor_<version number>_hpux-ia64-64.tgz.sh" install <installation_dir>

for HP-UX 11i v2 (11.23) and greater on the Itanium (IA64) processor, where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

Note: If the filename contains spaces, then don't forget to quote these spaces in the command.

The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.

4 Finally, you must configure your host-based Sensor for Oracle DDL triggers, and configure your host-based Sensor for Oracle audit trail to monitor failed logins. For more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.

Note: If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.

5 Start your Sensor; for more information, see Starting and stopping the Sensors.


Host-based Sensor for Oracle (on Red Hat Enterprise Linux) - installation steps

Note: For information on performing an ASAP update of a host-based Sensor for Oracle on a Unix or Red Hat Enterprise Linux host, see the DbProtect Administrator’s Guide.

Caution! The host-based Sensor installer may display a warning message if you run it on Red Hat Enterprise Linux 3 to inform you DB2 is not supported on version 3. You may safely ignore this warning.

To install a host-based Sensor for Oracle on a host running Red Hat Enterprise Linux 3, 4, or 5 (32-bit x86 and 64-bit x64):

Step Action

1 Log in as a user that will run the Sensor, i.e., appradar.

Caution! Do not log in as root.

Note: The user (i.e., appradar) must be a member of the same “dba” group as oracle on the host.

2 Download or copy the host-based Sensor file to your target database host. The file names are:

• AppRadar Sensor_<version number>_Linux32.tgz.sh for Red Hat Enterprise Linux (32-bit x86)

• AppRadar Sensor_<version number>_Linux64.tgz.sh for Red Hat Enterprise Linux (64-bit x64).

3 Install the host-based Sensor file as follows:

• sh "./AppRadar Sensor_<version number>_Linux32.tgz.sh" install <installation_dir>

for Red Hat Enterprise Linux (32-bit x86), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

• sh "./AppRadar Sensor_<version number>_Linux64.tgz.sh" install <installation_dir>

for Red Hat Enterprise Linux (64-bit x64), where <installation_dir> is the directory where you want to install the Sensor, e.g. /opt.

Note: If the filename contains spaces, then don't forget to quote these spaces in the command.

Result: The host-based Sensor is installed in the "<installation_dir>/ASIappradar/" directory.

4 Finally, you must configure your host-based Sensor for Oracle DDL triggers, and configure your host-based Sensor for Oracle audit trail to monitor failed logins. For more information, see Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers.

Note: If you remove and re-add a DDL trigger for any reason, you must re-start the Sensor afterwards. Most DDL rules will not fire until this is done.


5 Start your Sensor; for more information, see Starting and stopping the Sensors.

Host-based Sensor for Oracle (on Windows) - installation steps

To install a host-based Sensor for Oracle on Windows:

Step Action

1 Locate the setup file on the Application Security, Inc.-provided CD, or download it from the Application Security, Inc. FTP site or website.

2 Save the file to a convenient location (e.g., c:\temp).

3 • Double click the executable file to display the installation wizard (Welcome page) and begin the Sensor installation.

FIGURE: Welcome page

• Click the Next button to display the License Agreement page.


4

FIGURE: License Agreement page

• Read the License Agreement.

• If you accept the terms of the License Agreement, select I accept the terms of the license agreement.

• Click the Next button to display the Choose Destination Location page.

5

FIGURE: Choose Destination Location page

• Choose the location of the Sensor installation directory. You can click the:

- Change button to choose a directory manually

- Next button to choose the default location. (The default location is: c:\Program Files\AppSecInc\AppRadar Sensor\).

• Click the Next button.


6

FIGURE: Ready to Install the Program page

Click the Install button. When the installation finishes, the Complete page displays.

7

FIGURE: Complete page

Click the Finish button to display the Sensor Initialization Utility.

8

FIGURE: Sensor Initialization Utility

Click the Host-Based Sensor for Microsoft SQL Server, DB2 and Oracle button to display the Sensor Communication Port page.


9

FIGURE: Sensor Communication Port page

• Specify which port number the Sensor should use to receive commands from the Console. The default port (20000) is recommended for most configurations. If necessary, enter a different port number (1-65535). Consult your network administrator to determine which network port is acceptable. For more information on required open listen ports, see Conceptual diagram.

Note: Every Sensor installation requires its own dedicated port for communication. Specify which port number the Sensor should use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host server. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host machine.

The Console uses port 20080 (by default) to send data to, and receive data from, the Sensors. The Sensors, by comparison, send data to, and receive data from, the Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via port 20000) to the Console's Message Collector component, the Message Collector receives these Alerts on port 20081 (by default).

If you are installing a Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available).

• Click the Next button to display the Sensor Service Logon Details page.


10

FIGURE: Sensor Service Logon Details page

• Specify a database user login and password.

Important: If you want to specify a non-local username and password for the Sensor to run under, you must do so in this step.

You can select:

- Use "Local System" Account, if you want to use the "local system" account, which has full access rights and privileges on the host computer.

- Existing domain user having the "log on as service" privilege. This selection allows you to specify a domain user login and password in the bottom half of the screen.

Important: The Sensor logs in to the monitored database, and the Sensor service runs, under this user profile. This profile must be a Windows user with administrator rights. Also, the account name specified must have the "log on as service" permission set in the Local Security Policy of the server (for more information, see your Windows help). If you select Existing domain user having the "log on as service" privilege, then in the bottom half of the screen you must enter the: a.) domain name\user name, or click the Find User button to display the Select Users pop-up and locate a valid user, and b.) password for the specified user.

Caution! When using the Sensor Initialization Utility, you may encounter issues with the Windows control that displays when you click the Find User button. Depending on your OS version, it may not be possible to select a user from a list. In that case, you may have to enter a valid domain name\user name manually. Additionally, on operating systems where this control does work, picking the user name from the Find User list may not display it in the required format (domain name\user name) if you select a local user rather than a domain user.

• Click the Next button to display the Summary page.


11

FIGURE: Summary page

• Verify the installation details. If you want to review or change any settings, you can click the Back button.

• Click the Initialize Sensor button. When the initialization finishes, the Results page displays.


12

FIGURE: Results page

• Review the installation details at the bottom of the page.

• Click the Finish button.

13 Start your Sensor; for more information, see Starting and stopping the Sensors.


Network-based Sensor for Sybase, Oracle, and DB2 - installation steps

Note: The network-based Sensor only runs on the Windows OS, but the databases it monitors do not need to be running on Windows.

To install a network-based Sensor for DB2, Oracle, or Sybase:

Step Action

1 Locate the setup file on the Application Security, Inc.-provided CD, or download it from the Application Security, Inc. FTP site or website.

2 Save the file to a convenient location (e.g., c:\temp).

3 Double click the executable file to start the Sensor installation.

Result: The Welcome page of the installation wizard displays, and the Sensor installation begins.

FIGURE: Installation wizard (Welcome page)

Click the Next button.

4

FIGURE: Installation wizard (License Agreement page)

• Read the License Agreement.

• If you accept the terms of the License Agreement, select I accept the terms of the license agreement.

• Click the Next button.


5

FIGURE: Choose Destination Location page

• Choose the location of the Sensor installation directory. You can click the:

- Change button to choose a directory manually

- Next button to choose the default location. (The default location is: c:\Program Files\AppSecInc\AppRadar Sensor\).

• Click the Next button.

6

FIGURE: Installation wizard (Ready to Install the Program page)

Click the Install button. When the installation finishes, the Complete page displays.

7

FIGURE: Complete page

Click the Finish button to display the Sensor Initialization Utility.


8

FIGURE: Sensor Initialization Utility

From the Sensor Initialization Utility page, click the Network-Based Sensor for DB2, Oracle & Sybase button.


9

FIGURE: Sensor Communication Port Information page

• Specify which port number the Sensor should use to receive commands from the Console. The default port (20000) is recommended for most configurations. If necessary, enter a different port number (1-65535). Consult your network administrator to determine which network port is acceptable. For more information on required open listen ports, see Conceptual diagram.

Note: Every Sensor installation requires its own dedicated port for communication. Specify which port number the Sensor should use to receive commands from the Console. The Sensor cannot share the same port with any other program. This does not mean each Sensor requires a different port number on each separate host server. For example, you can use the same port number for each Sensor you install on each individual host machine (e.g., port 20000). Or you can specify a different port number for each Sensor on each host machine.

The Console uses port 20080 (by default) to send data to, and receive data from, the Sensors. The Sensors, by comparison, send data to, and receive data from, the Console on port 20000 (by default). Additionally, when the Sensor sends Alerts (via port 20000) to the Console's Message Collector component, the Message Collector receives these Alerts on port 20081 (by default).

If you are installing a Sensor on the same host server where the Console is installed, do not specify ports 20080 or 20081 (unless you’re certain these ports are available).

• Click the Next button to display the Sensor Service Logon Details page.


10

FIGURE: Sensor Service Logon Details page

• Specify a database user login and password.

Important: If you want to specify a non-local username and password for the Sensor to run under, you must do so in this step.

You can select:

- Use "Local System" Account, if you want to use the "local system" account, which has full access rights and privileges on the host computer.

- Existing domain user having the "log on as service" privilege. This selection allows you to specify a domain user login and password in the bottom half of the screen.

Important: The Sensor logs in to the monitored database, and the Sensor service runs, under this user profile. This profile must be a Windows user with administrator rights. Also, the account name specified must have the "log on as service" permission set in the Local Security Policy of the server (for more information, see your Windows help). If you select Existing domain user having the "log on as service" privilege, then in the bottom half of the screen you must enter the: a.) domain name\user name, or click the Find User button to display the Select Users pop-up and locate a valid user, and b.) password for the specified user.

Caution! When using the Sensor Initialization Utility, you may encounter issues with the Windows control that displays when you click the Find User button. Depending on your OS version, it may not be possible to select a user from a list. In that case, you may have to enter a valid domain name\user name manually. Additionally, on operating systems where this control does work, picking the user name from the Find User list may not display it in the required format (domain name\user name) if you select a local user rather than a domain user.

• Click the Next button to display the Summary page.


11

FIGURE: Summary page

• Verify the installation details. If you want to review or change any settings, you can click the Back button.

• Click the Initialize Sensor button. When the initialization finishes, the Results page displays.

12

FIGURE: Results page

Click the Finish button.

13 Start your Sensor; for more information, see Starting and stopping the Sensors.


Starting and stopping the Sensors

What you will find in this help topic:

• Starting and stopping the Sensors on Windows

• Starting and stopping the Sensors on *nix platforms.

STARTING AND STOPPING THE SENSORS ON WINDOWS

There are four DbProtect services:

• DbProtect

• One of the following:

- MSSQL$(YourInstanceName)

- MSSQLSERVER (default instance)

• DbProtect Message Collector

• AppRadar Sensor

You only need to start the AppRadar Sensor service in order for DbProtect to collect data from Sensors, and for you to connect to DbProtect. These services are configured to start whenever Windows starts.

There are several ways to start and stop the services on Windows.

Starting a Sensor from the command line

To start a Sensor from the command line:

Step Action

1 Choose Start > Run to display the Run dialog box.

2 Enter cmd.exe in the Open field.

3 Click the OK button to display a command window.

4 Enter the following to start the service:

C:\> net start ServiceName

where ServiceName is one of the following:

• DbProtect

• MSSQL$(YourInstanceName) or MSSQLSERVER

• DbProtect Message Collector

• AppRadar Sensor

The following messages display:

The ServiceName service is starting.

The ServiceName service was started successfully.


Stopping a Sensor from the command line

To stop a Sensor from the command line:

Step Action

1 Choose Start > Run to display the Run dialog box.

2 Enter cmd.exe in the Open field.

3 Click the OK button to display a command window.

4 Enter the following to stop the service:

C:\> net stop ServiceName

where ServiceName is one of the following:

• DbProtect

• MSSQL$(YourInstanceName) or MSSQLSERVER

• DbProtect Message Collector

• AppRadar Sensor

The following messages display:

The ServiceName service is stopping.

The ServiceName service was stopped successfully.

Starting a Sensor from the Control Panel

To start a Sensor from the Control Panel:

Step Action

1 Choose Start > Control Panel to display the Control Panel dialog box.

2 Double click the Administrative Tools icon to display the Administrative Tools dialog box.

3 Double click the Services icon to display the Services dialog box.

4 Highlight any of the following services:

• DbProtect

• MSSQL$(YourInstanceName) or MSSQLSERVER

• DbProtect Message Collector

• AppRadar Sensor

5 Click the Start link to display the Service Control pop-up. The service starts. The Status column in the Services dialog box should read Started.


Stopping a Sensor from the Control Panel

To stop a Sensor from the Control Panel:

Step Action

1 Choose Start > Control Panel to display the Control Panel dialog box.

2 Double click the Administrative Tools icon to display the Administrative Tools dialog box.

3 Double click the Services icon to display the Services dialog box.

4 Highlight any of the following services:

• DbProtect

• MSSQL$(YourInstanceName) or MSSQLSERVER

• DbProtect Message Collector

• AppRadar Sensor

5 Click the Stop link to display the Service Control pop-up. The service stops. The Status column in the Services dialog box should be blank.

STARTING AND STOPPING THE SENSORS ON *NIX PLATFORMS

To start and stop the Sensors on a *nix platform:

Step Action

1 To start a host-based Sensor on a *nix platform, do the following:

• Log in as the user you created during the installation process (appradar, for example).

• Once you are successfully authenticated as this user, go to the /util directory where you installed the host-based Sensor (for example: /opt/ASIappradar/sensor/util).

• Run the command: ./appradar_start

2 To stop a host-based Sensor on a *nix platform, do the following:

• Log in as the user you created during the installation process (appradar, for example).

• Once you are successfully authenticated as this user, go to the /util directory where you installed the host-based Sensor (for example: /opt/ASIappradar/sensor/util).

• Run the command: ./appradar_stop


Installing Scan Engines

This section provides detailed installation steps for the Scan Engine component of DbProtect.

Note: First make sure you have carefully read the minimum system requirements for the Console and Data Repository. For more information, see Scan Engines - Minimum System Requirements.

What you will find in this section:

• Scan Engine - installation steps.

Scan Engine - installation steps

To install a Scan Engine:

Step Action

1 Download the Scan Engine setup file from the Application Security, Inc. website (contact Customer Support at [email protected] if you need the exact URL).

2 Double click the Scan Engine executable (.exe) file to start the DbProtect Scan Engine installation.

FIGURE: Scan Engine installation wizard

Click the Next button to display the License Agreement page.


3

FIGURE: License Agreement page

• Read the License Agreement.

• If you accept the terms of the License Agreement, select I accept the terms of the license agreement.

• Click the Next button to display the Destination Folder page.


4

FIGURE: Destination Folder page

• Click the Change... button to select the folder where the installation wizard will install files.

• Click the Next button to display the Setup Type page.


5

FIGURE: Setup Type page

Select a setup type. If you select:

• Custom to install only certain features (and specify where to install them), and click the Next button, then the Custom Setup page displays (go to Step 6)

• Complete to install all features (recommended), and click the Next button, then the Scan Engine Configuration page displays (go to Step 7).


6 The Custom Setup page displays if you select Custom in Step 5. This page allows you to install only certain features (and specify where to install them).

Click the + icon to display the following Scan Engine installation components:

• Core Functionality

• AppDetective

• SQL-DMO

• Visual Basic Runtime

FIGURE: Custom Setup page

• You must install the Core Functionality and Visual Basic Runtime components.

• Click the Change... button to specify a folder where you want to install files for the selected components.

• Click the Next button to display the Scan Engine Configuration page and go to Step 7.


7

FIGURE: Scan Engine Configuration page

• On the Scan Engine Configuration page, do the following:

In the installation information portion:

-Enter the HOSTNAME of the machine where you installed DbProtect; for more information, see DbProtect suite management components - installation steps.

-Enter which HTTP port DbProtect AppDetective uses (1-65535). (For more information on required open listen ports, see Conceptual diagram.)

-If you do not know the DbProtect AppDetective port number, do the following:

a.) Open the server.xml file (stored under \<DbProtect Installation Folder>\AppSecInc\gui\tomcat\conf).

b.) Locate the following line: <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="<port number used>".

c.) Use this port number.

• Click the Next button to display the Initialization Parameters page.


8

FIGURE: Initialization Parameters page

If you:

• installed your Scan Engine and Console on different hosts, you must copy the cacert.pem file located in:

<DbProtect AppDetective Installation Folder>\GUI\repository\cacert.pem

to:

<Scan Engine Installation Folder>\adse\certs\cacert.pem

Note: If this file already exists, you must overwrite it.

• need to synch the database where your Scan Engine results are stored with the Data Repository (required), you can run the AppDSN utility on the Scan Engine server; for more information, see Appendix I: Using App DSN, the Repair ODBC Utility
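The port lookup in step 7 and the cacert.pem copy in step 8 can both be checked with a short script, so that a mistyped port or a stale certificate file left on the Scan Engine host is caught before registration. This is an added example, not part of the DbProtect guide or product; the sample server.xml, its port numbers, the second connector class name and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Connector class name quoted in step 7b of the guide.
COYOTE = "org.apache.coyote.tomcat4.CoyoteConnector"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def coyote_ports(server_xml_text):
    """Return [(port, scheme)] for each Coyote <Connector> in server.xml."""
    root = ET.fromstring(server_xml_text.strip())
    found = []
    for conn in root.iter("Connector"):
        if conn.get("className") != COYOTE:
            continue  # skip connectors of other classes
        port = int(conn.get("port", "0"))
        if not 1 <= port <= 65535:  # range the configuration page accepts
            raise ValueError(f"connector port out of range: {port}")
        # Tomcat treats a connector without a scheme attribute as http.
        found.append((port, conn.get("scheme", "http")))
    return found


def pem_fingerprints(pem_text):
    """SHA-256 over the decoded bytes of each CERTIFICATE block, in order."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        # Dropping whitespace first makes CRLF and LF copies compare equal,
        # which a hash of the raw file would not.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no CERTIFICATE block found")
    return prints


def same_trust_anchor(console_pem, engine_pem):
    """True when both cacert.pem files carry the same certificates."""
    return pem_fingerprints(console_pem) == pem_fingerprints(engine_pem)


def _constructed_pem(raw):
    """Wrap arbitrary bytes in PEM armour (sample data, not a certificate)."""
    b64 = base64.encodebytes(raw).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed sample input: ports and the second class name are placeholders.
SAMPLE_SERVER_XML = """
<Server port="20005" shutdown="SHUTDOWN">
  <Service name="constructed-sample">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="20080" redirectPort="20443"/>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="20443" scheme="https" secure="true"/>
    <Connector className="example.HypotheticalOtherConnector" port="20009"/>
  </Service>
</Server>
"""
SAMPLE_CONSOLE_PEM = _constructed_pem(b"constructed console CA bytes " * 4)
SAMPLE_STALE_PEM = _constructed_pem(b"constructed older CA bytes " * 4)

if __name__ == "__main__":
    for port, scheme in coyote_ports(SAMPLE_SERVER_XML):
        print(f"{scheme} connector on port {port}")
    crlf_copy = SAMPLE_CONSOLE_PEM.replace("\n", "\r\n")
    print("fresh copy matches:",
          same_trust_anchor(SAMPLE_CONSOLE_PEM, crlf_copy))
    print("stale copy matches:",
          same_trust_anchor(SAMPLE_CONSOLE_PEM, SAMPLE_STALE_PEM))
```

On a real installation, read the two cacert.pem paths named in step 8 and pass their contents to same_trust_anchor; a False result means the Scan Engine copy still has to be overwritten.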


Logging Into the Console

Caution! Some older versions of Google Desktop (5.1 and earlier) may cause problems when loading the Console applet in Internet Explorer. You should turn off Google Desktop, or re-install a newer (5.2 or greater) version.

To log into the Console:

Step Action

1 Do one of the following:

• Choose Start > All Programs > AppSecInc > DbProtect.

• Open Internet Explorer 6.0 or greater with JavaScript enabled, and the screen resolution set to a minimum of 1024x768.

• Enter https://YourMachineName:InstallPort in the Address line, where:

-YourMachineName is the computer name of your Console machine

-InstallPort is the port number entered during installation.

A Security Alert pop-up displays, prompting you to accept a security certificate from Application Security, Inc. DbProtect uses this certificate to communicate with users over a secure channel.

Note: If you experience difficulty logging into DbProtect and connecting to DbProtect, you may need to troubleshoot the Java Runtime Environment (JRE) security settings on your Internet Explorer 6 or greater web browser. For more information on a workaround, see Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and Greater.

Another possible solution is to clear your Java cache. For more information, see Appendix Q: Clearing Your Java Cache.


2 Click the OK button.

FIGURE: Console login page

Do the following:

• In the Username: field, enter your DbProtect user name.

• In the Password: field, enter your DbProtect password.

• Use the Domain: drop-down to select your domain, or manually enter a domain in the Domain: field.

Caution! If you cannot log in, it may be because you have not entered your fully qualified domain name in the Domain: field. If you need help determining your fully qualified domain name, see Appendix O: Determining Your NetBIOS Name and Your Full-Qualified Domain Name.

Note: DbProtect is designed to use only Secure Sockets Layer (SSL) communication, which encrypts your user name and credentials prior to transmission to DbProtect. DbProtect then uses the Windows Authentication subsystem to verify the credentials.

Use the Log into: drop-down to log into:

• DbProtect AppRadar and display the AppRadar Console (i.e., the DbProtect AppRadar-specific part of the Console)

• DbProtect AppDetective to display the AppDetective Console (i.e., the DbProtect AppDetective-specific part of the Console).

For more information on using DbProtect AppDetective and DbProtect AppRadar, see the DbProtect User’s Guide.


Chapter 6 - Uninstalling the DbProtect Components

This chapter explains how to uninstall the following DbProtect components: the Console, Sensors, and Scan Engines.

What you will find in this chapter:

• Uninstalling the Console

• Uninstalling and Unregistering a Sensor

• Uninstalling a Scan Engine.


Uninstalling the Console

This section provides uninstallation steps for the Console.

What you will find in this section:

• Important back-end database deletion considerations

• ASAP Updater uninstallation considerations

• Uninstalling the Console.

Important back-end database deletion considerations

If you originally installed the Console with the option of using MSDE as your back-end database (for more information, see DbProtect suite management components - installation steps), then your MSDE instance is automatically removed during the uninstallation of the Console.

However, if you originally installed the Console with the option of using SQL Server as your back-end database (for more information, see DbProtect suite management components - installation steps), then the uninstallation wizard will prompt you to delete the DbProtect AppRadar database from the instance. In this case, you should delete the database only if you no longer need the data it contains.

If you are uninstalling the Console with the intention of re-installing it later on a different server, you should back up your SQL Server back-end database before you begin uninstalling the Console. Then you can restore the SQL Server back-end database to whichever instance you select after you re-install the Console elsewhere. For more information, see the DbProtect Administrator’s Guide.

ASAP Updater uninstallation considerations

In addition to uninstalling the Console, the uninstallation process also automatically uninstalls the ASAP Updater utility unless there is at least one other Application Security, Inc.-registered product also installed on the server (for example, AppDetectivePro).

Uninstalling the Console

You can uninstall the Console from the Start Menu or from the Control Panel. This topic consists of the following sub-topics:

• Before you uninstall the Console

• Uninstalling the Console from the Start Menu

• Uninstalling the Console from the Control Panel.


BEFORE YOU UNINSTALL THE CONSOLE

Before you uninstall the Console, do the following:

Step Action

1 Unregister all Sensors from within DbProtect before uninstalling the Console. Unregistering a Sensor brings the Sensor back to its original install state, allowing you to register the Sensor again with the Console. For more information, see Uninstalling and Unregistering a Sensor.

2 If you have registered a Sensor to monitor the APPSECINCCONSOLE instance, uninstall the Sensor before uninstalling the Console.

Caution! Failure to uninstall the Sensor before uninstalling the Console can result in the inability to reinstall the Console later, because the APPSECINCCONSOLE instance may be running at that time.

3 If you are uninstalling the Console with the intention of re-installing it later on a different server, you should back up your SQL Server back-end database before you begin uninstalling the Console. Then you can restore the SQL Server back-end database to whichever instance you select after you re-install the Console elsewhere. For more information on backing up your back-end database, see the DbProtect Administrator’s Guide.

UNINSTALLING THE CONSOLE FROM THE START MENU

To uninstall the Console from the Start Menu:

Step Action

1 Choose Start > AppSecInc > DbProtect > Uninstall DbProtect to display the uninstallation wizard.

2 Follow the prompts.

Note: If you encountered an MSDE error message during installation -- and you chose to continue the installation -- a message may display during uninstallation informing you a package was not found. Click the OK button and disregard the message.

Caution! If you originally installed the Console with the option of using SQL Server as your back-end database, then the uninstallation wizard prompts you to delete the Console database from the instance. In this case, you should delete the database only if you no longer need the data it contains. For more information, see the DbProtect Administrator’s Guide.

3 A message informs you when the uninstallation is complete. Click the Finish button.


UNINSTALLING THE CONSOLE FROM THE CONTROL PANEL

To uninstall the Console from the Control Panel:

Step Action

1 Choose Start > Control Panel to display the Control Panel.

2 Double click the Add or Remove Programs icon.

3 Select DbProtect.

4 Click the Change/Remove button.

5 Follow the prompts.

Caution! If you originally installed the Console with the option of using SQL Server as your back-end database, then the uninstallation wizard prompts you to delete the Console database from the instance. In this case, you should delete the database only if you no longer need the data it contains. For more information, see the DbProtect Administrator’s Guide.

Note: If you encountered an MSDE error message during installation -- and you chose to continue the installation -- a message may display during uninstallation informing you a package was not found. Click the OK button and disregard the message.

6 A message informs you when the uninstallation is complete. Click the Finish button.


Uninstalling and Unregistering a Sensor

This section provides uninstallation and unregistration (including forced unregistration) steps for a Sensor.

What you will find in this section:

• Uninstallation vs. unregistration

• Uninstalling a Sensor (on Windows)

• Uninstalling a Host-Based Sensor for Oracle (on a *nix platform)

• Uninstalling a Host-Based Sensor for DB2 (on a *nix platform)

• Unregistering a Sensor.

Uninstallation vs. unregistration

DbProtect AppRadar allows you to uninstall and/or unregister your Sensors. The key differences between uninstallation and unregistration follow:

• Unregistration removes the Sensor from the Console, but does not remove the Sensor from the host where it is installed.

• Uninstallation removes the Sensor from the server where it is installed, but does not remove the Sensor from the Console where it may have been registered (assuming the Sensor was not unregistered before it was uninstalled).

Uninstalling a Sensor (on Windows)

Note: Unregister all Sensors from within DbProtect before uninstalling the Console or Sensors. Unregistering a Sensor brings the Sensor back to its original install state, allowing you to register the Sensor again with DbProtect. For more information, see Unregistering a Sensor.

You can uninstall any host-based or network-based Sensor (installed on Windows) from the Start Menu or the Control Panel.

What you will find in this help topic:

• Uninstalling a Sensor (on Windows) from the Start Menu

• Uninstalling a Sensor (on Windows) from the Control Panel.


UNINSTALLING A SENSOR (ON WINDOWS) FROM THE START MENU

To uninstall a Sensor (on Windows) from the Start Menu:

Step Action

1 Choose Start > AppSecInc > DbProtect AppRadar > Uninstall AppRadar Sensor to display the uninstallation wizard.

2 Follow the prompts.

3 A message informs you when the uninstallation is complete. Click the Finish button.

UNINSTALLING A SENSOR (ON WINDOWS) FROM THE CONTROL PANEL

To uninstall a Sensor (on Windows) from the Control Panel:

Step Action

1 Choose Start > Control Panel to display the Control Panel.

2 Double click the Add or Remove Programs icon.

3 Select AppRadar Sensor.

4 Click the Change/Remove button.

5 Follow the prompts.

6 A message informs you when the uninstallation is complete. Click the Finish button.

Uninstalling a Host-Based Sensor for Oracle (on a *nix platform)

To uninstall a host-based Sensor for Oracle (on a *nix platform):

Step Action

1 If you installed a DDL trigger, use remove.sql (located in <Sensor Install Directory>/ASIappradar/sensor/java) to remove it.

2 If you turned on native auditing for failed logins, do the following (if necessary):

• Modify the audit_trail value in the pfile init.ora file

• Truncate the dba_audit_session table.

3 Unregister the host-based Sensor for Oracle; for more information, see Uninstalling and Unregistering a Sensor.


4 Stop the host-based Sensor for Oracle; for more information, see Starting and stopping the Sensors in the DbProtect User’s Guide or DbProtect Administrator’s Guide.

5 Delete the installation directory of the host-based Sensor for Oracle.

Uninstalling a Host-Based Sensor for DB2 (on a *nix platform)

To uninstall a host-based Sensor for DB2 (on a *nix platform):

Step Action

1 Unregister the host-based Sensor for DB2; for more information, see Uninstalling and Unregistering a Sensor.

2 Stop the host-based Sensor for Oracle; for more information, see Starting and stopping the Sensors in the DbProtect User’s Guide or DbProtect Administrator’s Guide.

3 Delete the installation directory of the host-based Sensor for DB2.

Unregistering a Sensor

When you unregister a Sensor via the Sensor Manager, the Sensor stops sending messages and Alerts. Unregistration returns the Sensor to its original, unconfigured installation state -- but it is not removed.

Note: An unregistered Sensor continues to log events to a notification file (appradar_app.txt located in the Sensor’s log directory), but only whether the Sensor is “up” or “down”.

You can forcibly unregister a Sensor in the rare event it does not respond to an unregistration request via the Sensor Manager.

What you will find in this help topic:

• Unregistering a Sensor via the Sensor Manager

• Forcibly unregistering a Sensor (if unregistration via the Sensor Manager fails).

UNREGISTERING A SENSOR VIA THE SENSOR MANAGER

To unregister a Sensor via the Sensor Manager:

Step Action

1 Log into the Console and select AppRadar.


2 Do one of the following to display the Sensor Manager:

• Click the Sensors - Manage Sensor workflow link on the Home page.

• Click the Sensors tab from anywhere on the page.

FIGURE: Sensor Manager

Highlight a registered Sensor, and click the Unregister button. An unregistration confirmation pop-up displays.

3

FIGURE: Unregistration confirmation pop-up

Click the Yes button. DbProtect unregisters your Sensor.

Note: If unregistration is unsuccessful, DbProtect prompts you to let it attempt a forced unregistration; for more information, see Forcibly unregistering a Sensor (if unregistration via the Sensor Manager fails).


FORCIBLY UNREGISTERING A SENSOR (IF UNREGISTRATION VIA THE SENSOR MANAGER FAILS)

You can forcibly unregister a Sensor in the rare event it does not respond to an unregistration request via the Sensor Manager.

To forcibly unregister a Sensor:

Step Action

1 Do the following (in any order):

• On the Sensor Manager, click the Yes button when you are prompted to forcibly unregister a Sensor.

• Run force_unregister.bat (on Windows) or force_unregister (on *nix platforms) on the Sensor's host, located by default in the following directories:

-On Windows installations: <Sensor Install Directory>\AppSecInc\AppRadar Sensor\utils

-On *nix installations: <Sensor Install Directory>/ASIappradar/sensor/util

Your Sensor is forcibly unregistered.

Note: You can register the Sensor again, if necessary; for more information, see the DbProtect User’s Guide.


Uninstalling a Scan Engine

This section provides uninstallation steps for a Scan Engine.

What you will find in this section:

• Unregistering a Scan Engine

• Uninstalling a Scan Engine.

Unregistering a Scan Engine

When you unregister a Scan Engine, you return the Scan Engine to its original, unconfigured installation state -- but it is not removed.

Note: You should unregister your Scan Engine before you uninstall it.

To unregister a Scan Engine:

Step Action

1 Log into DbProtect and select AppDetective.

2 Click the Scan Engines button on the toolbar.

3 Do one of the following to unregister a Scan Engine:

• Choose Scan Engines > Unregister from the menu.

• Right click a Scan Engine in the Scan Engines portion of the Scan Engines page, and choose Unregister.

4 The Confirm Unregister pop-up prompts you to confirm the unregistration. Click the Yes button.

5 DbProtect unregisters your Scan Engine.


Uninstalling a Scan Engine

You can uninstall a Scan Engine from the Control Panel.

Note: You should unregister a Scan Engine before you uninstall it; for more information, see Unregistering a Scan Engine.

To uninstall a Scan Engine:

Step Action

1 Choose Start > Control Panel to display the Control Panel.

2 Double click the Add or Remove Programs icon.

3 Select AppDetective Scan Engine.

4 Click the Change/Remove button.

5 Follow the prompts.

6 A message informs you when the uninstallation is complete. Click the Finish button.


Chapter 7 - Installation Troubleshooting

This chapter provides answers to some troubleshooting questions.

What you will find in this chapter:

• How do I contact Customer Support?

• How can I watch (or "tail") my log files?

• What happens if I uninstall the SQL Server instance a Sensor is monitoring?

• I uninstalled DbProtect without unregistering my Sensors. What can I do so I can register my Sensors again without reinstalling them?

• How can I find out my SQL Server virtual server name?

• How can I review the audit events in a log file?

• The DbProtect or Sensor service failed to start, and when I look at the DbProtect or Sensor log file located in the log directory, they indicate a "bind to port" error. What should I do?

• My Sensor is using a Policy with only the Select from User Table Rule enabled. I executed a SQL DELETE statement against my database, and the Select from User Table Rule fired. Why?

• Are there any firewall issues I should consider?

• Do I require domain administrator rights after I install a Sensor on a Cluster?

• Is a Windows account created when I install a Sensor on SQL Server?

• Are any accounts created within SQL Server?

• I see my Sensor listed as timed out in the Sensor Manager. What can I do to reactivate my Sensor?

• What should I do if the following error message displays: “Error Occurred. The DbProtect database is not available at the moment. Please retry your request later.”?

• What should I do if I’m not receiving any Alerts?

• Why am I displaying a blank page on the UI?

• How do I change my IPC port number?.


How do I contact Customer Support?

A: Email [email protected]; for more information, see What should I do if I’m not receiving any Alerts?.

How can I watch (or "tail") my log files?

A: DbProtect provides a tail program if you wish to watch the Sensor and DbProtect log files. To watch the:

• Sensor log file, execute the tailSensor.bat file, stored in C:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\utils

• DbProtect log file, execute the tailconsole.bat file, stored in C:\<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\util.

What happens if I uninstall the SQL Server instance a Sensor is monitoring?

A: The Sensor will not receive any new Alerts. You should unregister the Sensor first, then uninstall it. For more information on unregistering a Sensor, see the DbProtect User’s Guide. For more information on uninstalling a Sensor, see Uninstalling and Unregistering a Sensor.

Alternately, you can reconfigure your Sensor to monitor another database instance. For more information on reconfiguring a Sensor, see the DbProtect User’s Guide.

I uninstalled DbProtect without unregistering my Sensors. What can I do so I can register my Sensors again without reinstalling them?

A: Application Security, Inc. provides a Sensor reset batch file (force_unregister.bat on Windows and force_unregister on Unix) with each Sensor installation. The file is located in the utils folder of the Sensor installation directory (c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\utils\force_unregister.bat). When you execute the batch file, it resets the Sensor to its original settings. You can then register the Sensor again.


How can I find out my SQL Server virtual server name?

A: You can find the SQL_virtual_server_name in the Cluster Administrator, located in the cluster's Resources folder. To display: right click the SQL Network Name Resource, and select Properties. In the dialog box that displays, click the Parameters tab. Your SQL_virtual_server_name displays in the Name field.

How can I review the audit events in a log file?

A: The log file (appradar_notifications.txt) is stored in c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\logs. Optionally, you can specify a different target location on this page. Audit logs, when configured to go to a file, are in the \logs sub-folder in the Sensor installation directory; for more information, see Installing and Starting/Stopping the Sensors.

The DbProtect or Sensor service failed to start, and when I look at the DbProtect or Sensor log file located in the log directory, they indicate a "bind to port" error. What should I do?

A: Make sure no other application is using the ports you specified during installation of the Sensor and DbProtect. Restart the service after you’ve shut down any software that is using or blocking the ports.

My Sensor is using a Policy with only the Select from User Table Rule enabled. I executed a SQL DELETE statement against my database, and the Select from User Table Rule fired. Why?

A: When SQL Server executes a DELETE statement, its underlying engine first does a SELECT statement on the target table before proceeding with the deletion.


Are there any firewall issues I should consider?

A: The Console UI is accessible via HTTPS on port 20080. You can allow all machines, certain machines, or no machines to have access from outside your firewall. In the latter case, only machines inside the firewall can access the Console UI. This is completely at your discretion, but for convenience Application Security, Inc. recommends you at least allow users to connect from their desktop machines. DbProtect has its own method of authentication and using a firewall is not required to restrict access.

The Message Collector component of DbProtect “listens” for HTTPS traffic on port 20081, which the Sensor uses to send Alerts. Application Security, Inc. recommends you disallow all traffic to that port except from the Sensors.

Sensors listen on port 20000 for HTTPS traffic from DbProtect unless you configure them differently during installation, or you change the port number in the sensor.xml and sensor_original.xml files; for more information, see Installing and Starting/Stopping the Sensors.

No other machines should be permitted to connect to the Sensors.
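The port recommendations in this answer can be checked against a firewall rule export. The following Python script is an added example, not part of the DbProtect documentation or product; the rule format, rule names and host addresses are constructed for illustration, and only the three port numbers and their permitted peers come from the text above.

```python
import ipaddress
from dataclasses import dataclass

# Default ports from the guide's firewall answer.
CONSOLE_UI_PORT = 20080         # HTTPS to the Console UI; exposure is the operator's choice
MESSAGE_COLLECTOR_PORT = 20081  # HTTPS, Sensors send Alerts here
SENSOR_PORT = 20000             # HTTPS, DbProtect talks to each Sensor (default, configurable)


@dataclass(frozen=True)
class Rule:
    """One allow rule from a firewall export (format constructed for this example)."""
    name: str
    src: str    # source network in CIDR form
    dst: str    # destination host address
    port: int   # destination TCP port


def only_contains(src_cidr, allowed_hosts):
    """True when every address in src_cidr is one of allowed_hosts."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    if net.num_addresses > len(allowed):
        return False  # the range is wider than the allowed set
    return all(addr in allowed for addr in net)


def audit(rules, dbprotect_hosts, sensor_hosts, sensor_port=SENSOR_PORT):
    """Return (rule name, reason) for each allow rule wider than the guide recommends."""
    dbprotect = {ipaddress.ip_address(h) for h in dbprotect_hosts}
    sensors = {ipaddress.ip_address(h) for h in sensor_hosts}
    findings = []
    for rule in rules:
        dst = ipaddress.ip_address(rule.dst)
        if dst in dbprotect and rule.port == MESSAGE_COLLECTOR_PORT:
            # Only Sensors should reach the Message Collector.
            if not only_contains(rule.src, sensor_hosts):
                findings.append(
                    (rule.name, "Message Collector port open to non-Sensor sources"))
        elif dst in sensors and rule.port == sensor_port:
            # Only the DbProtect machine should reach a Sensor's listener.
            if not only_contains(rule.src, dbprotect_hosts):
                findings.append(
                    (rule.name, "Sensor port open to hosts other than DbProtect"))
        # Console UI rules (port 20080) are left to the operator's discretion.
    return findings


# Constructed sample: one DbProtect host, two Sensors, and a small rule export.
DBPROTECT = ["10.0.5.10"]
SENSORS = ["10.0.8.21", "10.0.8.22"]
SAMPLE_RULES = [
    Rule("ui-from-desktops", "10.0.0.0/16", "10.0.5.10", CONSOLE_UI_PORT),
    Rule("alerts-sensor-1", "10.0.8.21/32", "10.0.5.10", MESSAGE_COLLECTOR_PORT),
    Rule("alerts-whole-subnet", "10.0.8.0/24", "10.0.5.10", MESSAGE_COLLECTOR_PORT),
    Rule("console-to-sensor-1", "10.0.5.10/32", "10.0.8.21", SENSOR_PORT),
    Rule("any-to-sensor-2", "0.0.0.0/0", "10.0.8.22", SENSOR_PORT),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES, DBPROTECT, SENSORS):
        print(f"{name}: {reason}")
```

If the Sensor listener port was changed during installation, pass the new value as sensor_port so the Sensor rules are still matched.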

Do I require domain administrator rights after I install a Sensor on a Cluster?

A: No. For more information on installing Sensors on a SQL Server Cluster, see Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster.

Is a Windows account created when I install a Sensor on SQL Server?

A: No.

Are any accounts created within SQL Server?

A: No.


I see my Sensor listed as timed out in the Sensor Manager. What can I do to reactivate my Sensor?

A: When a Sensor times out, it means DbProtect is unable to communicate with it. Do the following:

• The Sensor may be under heavy load. Wait two minutes and check again.

• Determine if the IP address of either DbProtect or the Sensor has changed since you registered the Sensor. If either one has, change the IP address back to its original value, or, if that’s not possible, unregister and register the Sensor. For more information on unregistering a Sensor, see the DbProtect Administrator’s Guide. For more information on manually removing a Sensor, if necessary, see Uninstalling and Unregistering a Sensor.

• Use your ping utility to verify your DbProtect machine can communicate with your Sensor machine.

• On the Sensor machine, ensure the AppRadar Sensor service is running. If the service was stopped, try starting it again; for more information on starting and stopping DbProtect services, see the DbProtect Administrator’s Guide.

• Verify that you have correctly configured any firewalls between DbProtect and the Sensor; for more information, see Are there any firewall issues I should consider?.

• Make sure the following services are running:

-DbProtect Console

-Message Collector

-The database instance that DbProtect uses, i.e., MSSQL$APPSECINCCONSOLE (if you are using an MSDE 2000 database), MSSQL$(YourInstanceName), or MSSQL (default instance).

For more information on starting and stopping DbProtect services, see the DbProtect Administrator’s Guide.

• Check the dbprotect.log file for errors; for more information, see Appendix H: DbProtect Log Files.

• Email [email protected]; for more information, see What should I do if I’m not receiving any Alerts?

What should I do if the following error message displays: “Error Occurred. The DbProtect database is not available at the moment. Please retry your request later.”?

A:

• Make sure the database instance that DbProtect uses (i.e., MSSQL$APPSECINCCONSOLE) is running, and make sure the database credentials you specified during installation are correct. For more information on starting and stopping DbProtect services, see the DbProtect Administrator’s Guide. For more information on DbProtect component installation, see Chapter 5 - Installing the DbProtect Components and Logging Into the Console.

• Email [email protected]; for more information, see What should I do if I’m not receiving any Alerts?.


What should I do if I’m not receiving any Alerts?

A: If you’re not receiving any Alerts, make sure you have:

• met all of the minimum system requirements, including required patches and permissions; for more information, see Chapter 3 - Minimum System Requirements.

• properly installed your Sensor; for more information, see Installing and Starting/Stopping the Sensors.

• properly connected to the Console; for more information, see the DbProtect User’s Guide.

• no firewall issues that may be blocking communication between DbProtect and your Sensors; for more information, see Are there any firewall issues I should consider?

A: If you are still not receiving any Alerts, here are some Alert considerations:

• A security Alert is a notification of a monitored security event on the database host or network. DbProtect fires an Alert when the criteria for the Rule in the associated Policy are met (unless an exception or Filter prevents the Alert from firing). The level of a security Alert is either High, Medium, or Low. For more information on Policies, see the DbProtect User’s Guide.

• An Informational Alert (also known as an audit) is a record of standard database activity. The level of an Informational Alert can be Info-1, Info-2, Info-3, or Info-4.

Note: The Alert Manager only displays security Alerts. It does not display Informational Alerts. For more information, see the DbProtect User’s Guide.

If you want to view your Informational Alerts, you must run the Auditing Event Summary Report or create a new report template that includes the Informational risk level. For more information, see the DbProtect User’s Guide.

Note: The default settings for new report templates do not include Informational Alerts.

• Alternately, you can view your most recent Informational Alerts via the Dashboard; for more information, see the DbProtect User’s Guide.

• Informational Alerts may only show up every 15 minutes depending on the configuration.

A: If you are still not receiving any Alerts, here are some Sensor considerations:

For network-based Sensors:

• Make sure you have properly configured your SPAN port; for more information, see Network-based Sensor for Sybase, Oracle, and DB2 - installation steps.

• Ensure that your SPAN port is detecting network traffic. Do the following:

-On your Sensor machine, double click c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\utils\net_cfg_test.exe to display the Network Configuration Test Tool.


-Use the drop-down to select the network card that is connected to your SPAN port. The tool should display a list of servers which are either sending or receiving network traffic.

-If this list does not include your database server, confirm you have correctly configured the SPAN port.

• If your SPAN port is detecting network activity, verify you have properly configured your network-based Sensor. Specifically, did you configure the network-based Sensor with the correct IP address(es) and port(s)?

• For Oracle, is the network-based Sensor configured with the correct SID and service name?

For more information, see the DbProtect User’s Guide.

For host-based Sensors:

• Is the host-based Sensor pointing to the correct database?

• Is the database active right now?

For more information, see the DbProtect User’s Guide.

• Are you specifically not receiving DDL Alerts? Open the appsensor.log. See if it contains the following error message.

[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open ] Error opening port ( LINE 49, FILE ipc_server.cpp )

If so, this means the IPC port is already in use. As a workaround, you must change the IPC port. For more information, see How do I change my IPC port number?.

A: If you are still not receiving any Alerts, here are some Policy considerations:

• What Policy did you deploy?

• Will the deployed Policy fire Alerts based on the database events you want to monitor?

• Edit the deployed Policy. Change a rule to display a common, Informational Alert event (i.e., Info-1, Info-2, Info-3, or Info-4) as a Low event, i.e., an event that will trigger a Low security Alert and display in the Alert Manager; for more information, see the DbProtect User’s Guide.

Then, go to the Alert Manager to see if a Low security Alert displays; for more information, see the DbProtect User’s Guide.

A: If you are still not receiving any Alerts, here are some SSL-related considerations:

• Is the time the same on the DbProtect and the Sensor machines? Time zone differences are acceptable as long as both machines represent the same point in time (within a few minutes).


• Has the IP address or hostname of the DbProtect or the Sensor machine changed recently? If so, un-register and re-register the Sensor. You may need to forcibly unregister the Sensor.

A: Finally, if you are still not receiving any Alerts, contact Application Security, Inc. Customer Support.

Execute the collectinfo.bat files on both your DbProtect and Sensor machines.

On your DbProtect machine, you must execute two, separate collectinfo.bat files (one for the MessageCollector service, and one for the GUI). These collectinfo.bat files are located in the following folders:

• c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\utils

• c:\<DbProtect Installation Folder>\DbProtect\MessageCollector\util.

Executing these .bat files creates a .zip file in each folder, i.e., one for the MessageCollector service, and one for the GUI.

Caution! The GUI and MessageCollector .zip files are both named AppsecIncConsole.zip. Re-name one before sending to Application Security, Inc. Customer Support.

On your Sensor machine, execute the collectinfo.bat files located here: C:\<DbProtect Installation Folder>\DbProtect\GUI\util. Executing this .bat file creates a .zip file (one for each Sensor). This .zip file contains configuration and log files which allow Application Security, Inc. Customer Support to troubleshoot your issue.

Attach all three generated .zip files (i.e., two from your DbProtect machine and one from your Sensor server) to an email, and send to [email protected] for analysis.

Why am I displaying a blank page on the UI?

A: You must enable JavaScript on your web browser.

How do I change my IPC port number?

A: Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers explains how to configure DDL triggers in the host-based Sensor for Oracle. After you start the host-based Sensor for Oracle you may notice you are not receiving any DDL Alerts. Open the appsensor.log. See if it contains the following error message.

[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open ] Error opening port ( LINE 49, FILE ipc_server.cpp )


If so, this means the IPC port is already in use. As a workaround, you must change the IPC port. Complete the following steps:

Step Action

1 Open the sensor.xml and sensor_original.xml files located in <installation dir>/ASIappradar/sensor/conf.

2 Change the following line to a different port number: <ipc port="7777"></ipc>

3 Re-start the host-based Sensor for Oracle; for more information, see the DbProtect Administrator’s Guide.

Note: If the host-based Oracle Sensor was already registered, you must unregister it and re-register it. For more information, see Uninstalling and Unregistering a Sensor (in this guide) and Registering a Sensor in the DbProtect User’s Guide.

You may also need to re-configure and re-deploy your host-based Sensor for Oracle. If it’s already configured, you should note the current configuration setup in order to re-configure your re-registered host-based Sensor for Oracle to match the original configuration. For more information, see the DbProtect User’s Guide.

4 Edit <installation dir>/ASIappradar/sensor/add.sql to change the port. Specifically, edit the second parameter on the line, which should look like this:

sys.asi_writeEvent(100079, 7777, ...

If you:

• already ran add.sql, first run remove.sql in that same directory, then run add.sql

• haven't already run add.sql, do so now.
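The procedure above touches three files, and a port changed in one but not the others leaves DDL Alerts broken. The following Python script is an added example, not part of the DbProtect documentation or product: it confirms the quoted appsensor.log error and checks that sensor.xml, sensor_original.xml and add.sql agree on the IPC port. The sample file contents are constructed from the fragments quoted in this section, and the loopback address used by the free-port probe is an assumption.

```python
import re
import socket

# Patterns for the places the guide says hold the IPC port.
IPC_XML_RE = re.compile(r'<ipc\s+port="(\d+)"')
ADD_SQL_RE = re.compile(r'sys\.asi_writeEvent\(\s*\d+\s*,\s*(\d+)')
# The appsensor.log record the guide quotes for an IPC port already in use.
BIND_ERROR_RE = re.compile(
    r'^\[ error \].*Error opening port \( LINE \d+, FILE ipc_server\.cpp \)',
    re.MULTILINE,
)


def ipc_port_from_xml(text):
    """Port from the <ipc port="..."> line of sensor.xml, or None if absent."""
    match = IPC_XML_RE.search(text)
    return int(match.group(1)) if match else None


def ipc_port_from_add_sql(text):
    """Second parameter of the sys.asi_writeEvent(...) call in add.sql, or None."""
    match = ADD_SQL_RE.search(text)
    return int(match.group(1)) if match else None


def log_shows_ipc_bind_error(log_text):
    """True when the log contains the 'Error opening port' record from ipc_server.cpp."""
    return BIND_ERROR_RE.search(log_text) is not None


def port_is_free(port, host="127.0.0.1"):
    """Try to bind the candidate port; the bind address is an assumption."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return False
    return True


def check_ipc_config(sensor_xml, sensor_original_xml, add_sql):
    """Return the port found in each file and a list of problems to fix."""
    ports = {
        "sensor.xml": ipc_port_from_xml(sensor_xml),
        "sensor_original.xml": ipc_port_from_xml(sensor_original_xml),
        "add.sql": ipc_port_from_add_sql(add_sql),
    }
    problems = [f"{name}: no IPC port found"
                for name, port in ports.items() if port is None]
    if len({p for p in ports.values() if p is not None}) > 1:
        detail = ", ".join(f"{name}={port}" for name, port in ports.items())
        problems.append("IPC port differs between files: " + detail)
    return ports, problems


# Constructed samples: the XML files were moved to 7778, add.sql was forgotten.
SAMPLE_SENSOR_XML = '<ipc port="7778"></ipc>\n'
SAMPLE_SENSOR_ORIGINAL_XML = '<ipc port="7778"></ipc>\n'
SAMPLE_ADD_SQL = "sys.asi_writeEvent(100079, 7777, ...\n"  # fragment as quoted in the guide
SAMPLE_LOG = (
    # First record is constructed; the second is the record quoted in the guide.
    "[ info ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.101234 ] [ start ] Sensor starting\n"
    "[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open ] "
    "Error opening port ( LINE 49, FILE ipc_server.cpp )\n"
)

if __name__ == "__main__":
    print("bind error in log:", log_shows_ipc_bind_error(SAMPLE_LOG))
    ports, problems = check_ipc_config(
        SAMPLE_SENSOR_XML, SAMPLE_SENSOR_ORIGINAL_XML, SAMPLE_ADD_SQL)
    for problem in problems:
        print("problem:", problem)
    for port in sorted({p for p in ports.values() if p is not None}):
        print(f"port {port} currently free on loopback:", port_is_free(port))
```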


Appendices

What you will find in this chapter:

• Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster

• Appendix B: What Are the MSDE Lockdown Scripts Doing During the Installation of DbProtect?

• Appendix C: Modifying the Sensor Listener Port Number

• Appendix D: Network Ports Used by DbProtect

• Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers

• Appendix F: Modifying the "Log On As" User for the AppRadar Sensor and DbProtect Message Collector Services

• Appendix G: DB2 Administrative Client Driver Installation

• Appendix H: DbProtect Log Files

• Appendix I: Using App DSN, the Repair ODBC Utility

• Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins

• Appendix K: Required Client Drivers for Audits

• Appendix L: Required Audit Privileges

• Appendix M: Auditing SQL Server (Using Windows Authentication) Against a Machine on a Different or Untrusted Domain

• Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and Greater

• Appendix O: Determining Your NetBIOS Name and Your Full-Qualified Domain Name

• Appendix P: Monitoring Multiple Instances on a DB2 Server

• Appendix Q: Clearing Your Java Cache.


Appendix A: Installing/Uninstalling DbProtect in a SQL Server Cluster

This appendix explains how to configure DbProtect in a Clustered environment.

Note: DbProtect allows you to build one (or multiple) database instances within one (or multiple) virtual servers. For more information, see Installing DbProtect in a SQL Server Cluster (single instance) and Installing DbProtect in a SQL Server Cluster (multiple instances), respectively.

In this appendix:

• Assumptions

• Working with a SQL Server Cluster (DbProtect installed on a single instance)

• Working with a SQL Server Cluster (DbProtect installed on multiple instances).

Assumptions

This appendix assumes you:

• have a strong working knowledge of implementation and administration of Windows and SQL Server Clustering

• have a Windows Cluster configured with SQL Server in a Cluster Group

• are logged in as a user with both domain and SQL Server administrative privileges

• your shared drive (referred to as X:, in this paper) is currently located in the same Resource Group as the Virtual SQL Server instance your Sensor will monitor (applies to single instance installations only)

• all necessary Cluster resources are currently online, and you have identified the Cluster’s Active Node (applies to single instance installations only)

• are working with multiple virtual servers, each one containing at least one database instance (applies to multiple instance installations only).


Working with a SQL Server Cluster (DbProtect installed on a single instance)

This topic explains how to install/uninstall DbProtect on a single instance of a SQL Server Cluster.

What you will find in this help topic:

• SQL Server Cluster diagram (single instance)

• Installing DbProtect in a SQL Server Cluster (single instance)

• Upgrading DbProtect in a SQL Server Cluster (single instance)

• Uninstalling DbProtect in a SQL Server Cluster (single instance).

SQL SERVER CLUSTER DIAGRAM (SINGLE INSTANCE)

The following diagram displays a SQL Server Cluster setup, where the Sensor files are installed on a shared drive. The AppRadar Sensor service is installed on each Node.

FIGURE: SQL Server Cluster diagram (single instance)


INSTALLING DBPROTECT IN A SQL SERVER CLUSTER (SINGLE INSTANCE)

To install a single instance of DbProtect in a SQL Server Cluster:

Step Action

1 Open the Cluster Administrator and determine which Node is Active, i.e., the owner of the SQL Server Cluster Resource.

2 Log in to the Active Node.

3 Install a Sensor on the shared drive (X:); for more information, see Installing and Starting/Stopping the Sensors.

Note: When installing a host-based Sensor for SQL Server, you must install the Sensor on your shared drive, not in the default location.

Also, when initializing a host-based Sensor for SQL Server, note whether you select Existing domain user or the “Local System” Account. You will need this information in Step 7, below.

Result: The Sensor files are copied to your shared drive (X:), and a service called AppRadar Sensor is created, pointing to the DbProtect .exe file on your shared drive (X:).

4 Since the AppRadar Sensor service is only installed on the Active Node (Node A) at this point, you must also install the service on the other Node (Node B) in your Cluster.

Use the Cluster Administrator to change ownership to the Node where you need to install the AppRadar Sensor service (i.e., Node B).

5 Log in to the new Active Node (e.g., Node B), i.e., the owner of the resources. Make sure it has access to the shared drive (X:).

6 Open a command prompt and go to the bin directory where you installed the Sensor in Step 3, e.g., c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\bin.

7 Run the following command:

appradar_sensor -i 3 -S "user" -P "password"

where "user" and "password" specify the logon account used to run the service.

Note: The local system account does not require a password.

Examples:

appradar_sensor -i 3 -S ".\LocalSystem"

or

appradar_sensor -i 3 -S "DomainName\DomainUser" -P "password"


8 Repeat Steps 4-7 for other Nodes in the Cluster.

9 From the Active Node, open the Cluster Administrator and locate the Group with the shared drive and SQL Server resources.

10 Choose File > New > Resource to display the New Resource dialog box.

11 Add a new Resource to the same Group to which the shared drive (X:) belongs.

• Enter a name in the Name field, e.g., DbProtect

• Under Resource Type, select Generic Service.

• Select a Group type from the drop-down.

Note: The correct Group may (or may not) already display in the Group field as the default selection; it depends how you configured the Cluster and where you installed the Sensor. Regardless, you must select the Group that contains the shared drive (X:).

• Optionally, you can enter a Description.

• Do not check Run this Resource in a separate Resource monitor.

• Click the Next button.

Result: The Possible Owners dialog box displays.

12 • Verify all your Nodes in the Cluster display in the Possible owners: box. All your Nodes must display in this list. If necessary, add a possible owner from the Available Nodes list.

• Click the Next button to display the Dependencies dialog box.

13 • Move the shared drive (X:), the SQL Server, and the virtual IP address from the Available resources: box to the Resource dependencies: box.

• Click the Next button to display the Generic Service Parameters dialog box.

14 Specify the following parameters:

• In the Service name: field enter AppSecInc_AppSensor

• Leave the Start parameters: field blank.

• Do not check Use Network Name for computer name.

• Click the Next button to display the Registry Replication dialog box.

15 Click the Finish button. The Resource (DbProtect, which you named in Step 11, above) displays in the Resource Group in the Cluster Administrator. The Resource is initially Offline (in the State column).

16 Right click your new Resource (DbProtect) and select Bring Online to bring your new Resource online.


17 Prevent the DbProtect Resource from causing an entire group to fail over.

• Do the following:

- Open the Cluster Administrator.

- Right click the Resource.

- Select Properties.

• Select the Advanced tab.

• Uncheck Affect The Group.

When the DbProtect Resource fails over, it does not impact the other resources in that group. On the other hand, when other resources in the group fail over (e.g., the disk or SQL Server), the DbProtect Resource also fails over because other Resources in the group still have the Affect The Group option enabled.

Note: For more information on how to register a Sensor, and on how to configure and deploy a Sensor, see the DbProtect User’s Guide.

UPGRADING DBPROTECT IN A SQL SERVER CLUSTER (SINGLE INSTANCE)

Note: This topic only applies to single instance SQL Server Cluster installations. For multiple instance installations, see the DbProtect Administrator’s Guide.

To upgrade DbProtect in a Cluster:

Step Action

1 Go to the Node where you initially ran the installer in Installing DbProtect in a SQL Server Cluster (single instance), and ensure this is the Active Node (i.e., Node A).

2 Take the DbProtect Resource offline. You can:

• Open the Cluster Administrator.

• Right click the DbProtect Resource.

• Select Take Offline.

Or, you can:

• Open the Cluster Administrator.

• Highlight the DbProtect Resource.

• Choose File > Take Offline.

3 Run the Sensor installer from Node A (it should automatically detect that it needs to perform an upgrade install rather than a new install). You can also perform an ASAP Update from Node A; for more information on ASAP Updates, see the DbProtect Administration Guide.

4 Bring the DbProtect Resource back online. You can:

• Open the Cluster Administrator.

• Right click the DbProtect Resource.

• Select Bring Online.

Or, you can:

• Open the Cluster Administrator.

• Highlight the DbProtect Resource.

• Choose File > Bring Online.

UNINSTALLING DBPROTECT IN A SQL SERVER CLUSTER (SINGLE INSTANCE)

Note: For multiple instance installations, you must uninstall the Sensor on each Node. For more information, see Chapter 6 - Uninstalling the DbProtect Components.

Uninstalling DbProtect in a SQL Server Cluster is somewhat more complex than a standard DbProtect uninstallation.

Note: You must perform the uninstallation steps in the order specified, or you will not have a “clean slate”.

There are two prerequisites:

• Node B must start out as the Active Node; if it is not already the Active Node, simulate a failover to create this condition.

• If you registered/configured the clustered Sensor via the UI, you should first unregister it via the UI prior to uninstallation; for more information, see the DbProtect User’s Guide.


To uninstall DbProtect in a SQL Server Cluster:

Step Action

1 Take the DbProtect Resource offline.

Steps 9-16 in Installing DbProtect in a SQL Server Cluster (single instance) explain how to create a Resource. You must take this Resource offline prior to uninstallation.

To take the Resource offline:

• Open the Cluster Administrator.

• Right click the Resource.

• Select Take Offline.

Or, you can:

• Open the Cluster Administrator.

• Highlight the Resource.

• Choose File > Take Offline.

2 With the secondary Node (i.e., Node B) the Active Node, delete the AppRadar Sensor service from this Node.

• Open a command prompt on the Node where you installed the Sensor manually (i.e., Node B).

• Go to the bin directory of the shared drive where you installed the Sensor in Step 3 of Installing DbProtect in a SQL Server Cluster (single instance), e.g., c:\<DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\bin.

• Run the following command: appradar_sensor -u.

• Press <ENTER>.

The AppRadar Sensor service is uninstalled on the secondary Node.

3 Delete the DbProtect Resource via the Cluster Administrator.

To delete the DbProtect Resource:

• Open the Cluster Administrator.

• Right click the Resource.

• Select Delete.

Or, you can:

• Open the Cluster Administrator.

• Highlight the Resource.

• Choose File > Delete.


4 Make Node A your Active Node.

• Open the Cluster Administrator.

• Right click the SQL Server Resource.

• Select Initiate Failure.

Or, you can:

• Open the Cluster Administrator.

• Highlight the Resource.

• Choose File > Initiate Failure.

Note: You must perform these steps four times before the simulated failover actually occurs.

5 Uninstall the Sensor from Node A.

• Go to the Node where you installed the Sensor (i.e., Node A, which is now the Active Node).

• Uninstall the Sensor; for more information, see Chapter 6 - Uninstalling the DbProtect Components.

6 At this point, the AppRadar Sensor service should no longer be running or present, and the SQL Server Cluster should be both online and functioning normally.


Working with a SQL Server Cluster (DbProtect installed on multiple instances)

This topic explains how to install/uninstall DbProtect on a Cluster consisting of multiple virtual servers, each with at least one instance of SQL Server. It consists of the following sub-topics:

• SQL Server Cluster diagram (multiple instances)

• Installing DbProtect in a SQL Server Cluster (multiple instances)

• Upgrading DbProtect in a SQL Server Cluster (single instance)

• Uninstalling DbProtect in a SQL Server Cluster (multiple instances).

SQL SERVER CLUSTER DIAGRAM (MULTIPLE INSTANCES)

The following diagram displays a SQL Server Cluster setup, where the Sensor is installed on multiple Cluster Nodes.

FIGURE: SQL Server Cluster diagram (multiple instances)


INSTALLING DBPROTECT IN A SQL SERVER CLUSTER (MULTIPLE INSTANCES)

DbProtect allows you to build multiple database instances within one (or multiple) virtual servers.

To install DbProtect on a Cluster consisting of multiple virtual servers, each with at least one instance of SQL Server:

Step Action

1 Install a Sensor on each Node in your SQL Server Cluster. For more information, see Installing and Starting/Stopping the Sensors.

2 In a multiple instance installation, you must register each Sensor using the Node's hostname or IP address, not the virtual host or IP address.

Example: Using the diagram in SQL Server Cluster diagram (single instance) as an example, register one Sensor as IP address 192.168.0.1 (Node A), and the other Sensor as IP address 192.168.0.2 (Node B).

For more information on registering a Sensor, see Registering a Sensor in the DbProtect User’s Guide.

3 When you install multiple instances of DbProtect in a SQL Server Cluster, you must configure and deploy each Sensor.

Note: For more information on configuring a Sensor, see Configuring an AppRadar Sensor and Deploying the Configuration Information.

DbProtect does not allow you to use the same database instance alias twice, so you must use aliases like:

• MySQLServerInstance1_Node1 and MySQLServerInstance2_Node1 on the first Sensor

• MySQLServerInstance1_Node2 and MySQLServerInstance2_Node2 on the second Sensor

• And so on.

Note: Alerts will appear as if they come from a different database instance if your primary Node fails over to the secondary Node.

UPGRADING DBPROTECT IN A CLUSTER (MULTIPLE INSTANCES)

For more information on multiple instance upgrades, see the DbProtect Administrator’s Guide.

UNINSTALLING DBPROTECT IN A SQL SERVER CLUSTER (MULTIPLE INSTANCES)

For multiple instance installations, you must uninstall the Sensor on each Node. For more information, see Uninstalling and Unregistering a Sensor.


Appendix B: What Are the MSDE Lockdown Scripts Doing During the Installation of DbProtect?

The MSDE lockdown scripts protect the MSDE instance from known security vulnerabilities. The MSDE lockdown scripts only run if you select MSDE as an installation option when you install the Console; for more information, see DbProtect suite management components - installation steps.

So what are the MSDE lockdown scripts doing ‘behind the scenes’ during the installation of DbProtect? This appendix explains.

# During installation of DbProtect, the lockdown scripts:

1 Tighten jobs procedures in case the SQL Agent service is activated. This prevents low-privileged users from submitting or managing jobs.

REVOKE execute on msdb..sp_add_job FROM public

REVOKE execute on msdb..sp_add_'jobs' FROM public

REVOKE execute on msdb..sp_add_jobserver FROM public

REVOKE execute on msdb..sp_start_job FROM public

2 Revoke the DTS package procedure from public.

REVOKE execute on dbo.sp_enum_dtspackages FROM public

REVOKE execute on dbo.sp_get_dtspackage FROM public

3 Tighten permissions on the web tasks table to prevent malicious users from creating or altering tasks.

REVOKE ALL on msdb..mswebtasks FROM public

4 Tighten permissions on extended procedures that require heavy use but should not be allowed public access.

REVOKE execute on sp_runwebtask FROM public

REVOKE execute on sp_readwebtask FROM public

REVOKE execute on sp_MSSetServerProperties FROM public

REVOKE execute on sp_MScopyscriptfile FROM public

REVOKE execute on sp_MSsetalertinfo FROM public

REVOKE execute on xp_regread FROM public

REVOKE execute on xp_instance_regread FROM public


5 Revoke guest access to msdb in order to keep any non-system administrators from accessing the database without explicit permissions.

EXECUTE msdb..sp_revokedbaccess guest

6 Turn off the ability to allow remote access in order to prevent other SQL Servers from connecting to this server via RPC.

EXECUTE sp_configure 'remote access', '0'

RECONFIGURE WITH OVERRIDE

7 Increase the SQL Server log history threshold in order to maintain logs for a longer amount of time (defaulted to 365 days).

8 Remove any residual setup files (\sqldir\setup.iss - \winnt\setup.iss -\winnt\sqlstp.log) that may be lingering on the file system.

9 Grant permission to select from syslogins. Only members of the sysadmin role should have permissions to perform any action on the syslogins table.

REVOKE SELECT ON master.dbo.syslogins FROM public

10 Remove xp_cmdshell

execute sp_dropextendedproc @functname='xp_cmdshell'


Appendix C: Modifying the Sensor Listener Port Number

Host-based and network-based Sensors listen on port 20000 for HTTPS traffic from DbProtect (e.g., reconfiguration or status requests) unless you configure them differently during installation, or you change the port number in the sensor.xml and sensor_original.xml files.

Note: While, technically speaking, you can follow the steps in this appendix to modify the listen port number for any Sensor on any operating system, these steps are only recommended for modifying the listen port number for host-based Sensors for Oracle (running on *nix platform) and host-based Sensors for DB2 (running on *nix platform). For all other host- and network-based Sensors running on Windows, Application Security, Inc. recommends you specify the listen port number during Sensor installation; for more information, see Installing and Starting/Stopping the Sensors.

As explained in Appendix P: Monitoring Multiple Instances on a DB2 Server, one reason you may want to modify the port number in the sensor.xml and sensor_original.xml files is that you want to monitor multiple instances on a DB2 server. To do so, you must install one host-based Sensor for DB2 for each instance you want to monitor. You must then modify the XML files for each host-based Sensor for DB2 installation and assign a unique port number to each host-based Sensor for DB2.

To modify a Sensor listen port number:

Step Action

1 Make sure the Sensor is unregistered; for more information, see the DbProtect User’s Guide.

Note: You may also need to re-configure and re-deploy your Sensor. If it’s already configured, you should note the current configuration setup in order to re-configure your re-registered Sensor to match the original configuration. For more information, see the DbProtect User’s Guide.

2 Open the sensor.xml and sensor_original.xml files located in <installation dir>/ASIappradar/sensor/conf.

3 Locate the following line:

<appSensorRoot sensorType="host-based" displayName="AppRadar Sensor" id="55555" ip="127.0.0.1" port="20000">

and change port="20000" to a new value.

20000 is the default value; your port number may be different.

4 Re-start the Sensor.
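Steps 2 and 3 applied to both files in one pass, as an added example that is not code from the DbProtect distribution. It assumes each file contains the appSensorRoot tag quoted in step 3; the read_port and set_port helpers, the .bak backup names and the sample file content are constructed for this illustration, and the list of ports to avoid is taken from Appendix D of this guide.

```python
import re
import shutil
import tempfile
from pathlib import Path

CONFIG_FILES = ("sensor.xml", "sensor_original.xml")
# Ports that Appendix D of this guide assigns to other DbProtect components.
RESERVED_PORTS = frozenset({1433, 7777, 20001, 20080, 20081, 30005, 30006})
# Opening <appSensorRoot ...> tag; group 2 captures the port value.
ROOT_TAG = re.compile(rb'(<appSensorRoot\b[^>]*?\sport=")(\d+)(")')

# Constructed sample file; only the appSensorRoot line comes from the guide.
SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<appSensorRoot sensorType="host-based" displayName="AppRadar Sensor" '
    b'id="55555" ip="127.0.0.1" port="20000">\n'
    b'</appSensorRoot>\n'
)


def read_port(conf_dir):
    """Return the configured listen port; both files must agree."""
    found = {}
    for name in CONFIG_FILES:
        match = ROOT_TAG.search((Path(conf_dir) / name).read_bytes())
        if match is None:
            raise ValueError(f"{name}: appSensorRoot tag with a port not found")
        found[name] = int(match.group(2))
    if len(set(found.values())) > 1:
        raise ValueError(f"the two files disagree on the port: {found}")
    return found[CONFIG_FILES[0]]


def set_port(conf_dir, new_port, ports_in_use=()):
    """Write new_port into both files, keeping a .bak copy of each.

    ports_in_use holds ports already given to other Sensors on this host
    (the one-Sensor-per-DB2-instance case). Returns the previous port.
    """
    if not 1 <= new_port <= 65535:
        raise ValueError(f"{new_port} is not a valid TCP port")
    if new_port in RESERVED_PORTS:
        raise ValueError(f"{new_port} is used by another DbProtect component")
    if new_port in ports_in_use:
        raise ValueError(f"{new_port} is already assigned to another Sensor")
    # Reading first proves both files can be patched before either is touched.
    old_port = read_port(conf_dir)
    replacement = rb"\g<1>" + str(new_port).encode() + rb"\g<3>"
    for name in CONFIG_FILES:
        path = Path(conf_dir) / name
        shutil.copy2(path, path.with_name(name + ".bak"))
        path.write_bytes(ROOT_TAG.sub(replacement, path.read_bytes(), count=1))
    return old_port


def demo():
    """Patch two constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as conf_dir:
        for name in CONFIG_FILES:
            (Path(conf_dir) / name).write_bytes(SAMPLE)
        previous = set_port(conf_dir, 20010, ports_in_use={20000})
        backup_kept = (Path(conf_dir) / "sensor.xml.bak").exists()
        return previous, read_port(conf_dir), backup_kept


if __name__ == "__main__":
    print(demo())
```

After the change, restart the Sensor (step 4) and update any firewall rule that admitted traffic to the old port.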


Appendix D: Network Ports Used by DbProtect

Components of DbProtect communicate via Internet Protocol (IP) connections. To help you configure your firewall properly, the following table lists each component and describes how they each use the network.

Application | Application Protocol | Type | Port | Encrypted | User (GUI)-Configurable? | Direction

Sensors

All Sensors | SOAP | TCP | 20000 | Over SSL | Yes | Inbound/Listen

Host-based Oracle with DDL Triggers Installed | Internal | UDP | 7777 | No | Inbound/Listen (local connections only)

Scan Engines

All Scan Engines | SOAP | TCP | 20001 | Over SSL | At install time | Inbound/Listen

SQL | 1433 | No | No | Inbound/Listen (local connections only)

Console

All Consoles | HTTP | TCP | 20080 | Yes | Inbound/Listen

Tomcat | 32XXX | No | No | Inbound/Listen (local connections only)

Java | 30005

SQL | 1433 | Outbound/Console back-end database

Message Collector

All Message Collectors | HTTP | TCP | 20081 | Over SSL | No, ARC + 1 | Inbound/Listen

Tomcat | 32XXX | No | No | Inbound/Listen (local connections only)

Java | 30006


Appendix E: Configuring Your Host-Based Sensor for Oracle DDL Triggers

This appendix consists of the following topics:

• Configuring your host-based Sensor for Oracle DDL triggers

• Determining whether Oracle Java Packages are installed on your Oracle instance.

Configuring your host-based Sensor for Oracle DDL triggers

DbProtect relies on the use of DDL triggers to capture traffic that does not pass through Oracle’s SGA memory structures.

Note: Because this step is optional, you only need to complete these steps for SIDs that you want to monitor for DDL activity. You should complete these steps for each SID that resides on a server, assuming the host-based Sensor is going to monitor these SIDs.

Optionally, you can complete the following steps for each Oracle database instance that your host-based Sensor for Oracle is configured to monitor (assuming you want to monitor DDL-related Alerts).

Caution! You must have Oracle Java Packages installed on your Oracle instances. To determine whether you have Oracle Java Packages installed, see Determining whether Oracle Java Packages are installed on your Oracle instance.

To configure your host-based Sensor for Oracle for DDL triggers:

Step Action

1 Find the Sensor installation subdirectory java. (Typically <installation_directory>/ASIappradar/sensor/java.)

2 If your installation path differs from the default one, you need to edit the first line in the file add.sql, and replace it with the actual path. For example:

CREATE OR REPLACE DIRECTORY sensor_dir AS

'/<installation_directory>/ASIappradar/sensor/java';


3 Run sqlplus from this location and log in as sysdba. Remember to set the appropriate ORACLE_HOME and ORACLE_SID values for the environment of the Sensor's runtime account (e.g., appradar).

Note: You must grant read permissions to the Oracle process on the DLL.class file in the host-based Sensor for Oracle’s directory in order to successfully execute the add.sql script. Failure to configure the Oracle process correctly triggers add.sql script error messages when it runs.

Caution! If you encounter the following error message in the appsensor.log when you start the host-based Sensor for Oracle, it means the IPC port is already in use:

[ error ] [ 95103920 ] [ Tue Aug 21 2007 14:45:02.631528 ] [ open ] Error opening port ( LINE 49, FILE ipc_server.cpp )

Workaround: change the IPC port number. For more information, see How do I change my IPC port number?.

4 Run the @add command to load the DDL triggers.

Caution! If you execute the script to add triggers more than once (i.e., you remove the triggers, then re-add them), then the next statement executed on any active Oracle session will encounter the following error once:

"ORA-29549: class string.string has changed, Java session state cleared".

This occurs because Oracle, internally, forces a reload of the underlying Java class used by the DbProtect trigger. Subsequent statements will function normally, and DbProtect will process them as expected.

Notes:

• Use the command @remove to remove triggers at a later date, or to reinstall them.

• If the Sensor is already running, you need to restart it; for more information, see the DbProtect Administrator’s Guide.


Determining whether Oracle Java Packages are installed on your Oracle instance

To determine if Oracle Java Packages are installed on your Oracle instance:

Step Action

1 Note: Any user can execute this command.

Execute the following command:

select banner from all_registry_banners

The output displays information about any Oracle Java Packages installed on your Oracle instance; for example:

Oracle9i Catalog Views Release 9.2.0.4.0 - Production

JServer JAVA Virtual Machine Release 9.2.0.4.0 - Production

Oracle XDK for Java Release 9.2.0.6.0 - Production

Oracle9i Java Packages Release 9.2.0.4.0 - Production

Caution! If executing this command yields no results -- i.e., Oracle Java Packages are not installed on your Oracle instance, and you intend to use a host-based Sensor to monitor DDL statements (e.g., CREATE TABLE) -- then you must manually install Oracle Java Packages on your Oracle instance.


Appendix F: Modifying the "Log On As" User for the AppRadar Sensor and DbProtect Message Collector Services

In this appendix:

• What is the "Log On As" user?

• Modifying the Windows Authentication LocalSystem account.

What is the "Log On As" user?

When you install DbProtect (see Chapter 5 - Installing the DbProtect Components and Logging Into the Console), the Database Runtime Configuration page allows you to configure your DbProtect runtime user account. This is the "log on as" user, i.e., the user whose privileges are used to log into and use DbProtect.

You can connect to your custom SQL Server instance using SQL Authentication or Windows Authentication. The latter uses the LocalSystem account as the run-as user for the services installed (i.e., DbProtect and DbProtect Message Collector).

This chapter explains how to modify the Windows Authentication LocalSystem account if you want.


Modifying the Windows Authentication LocalSystem account

To modify the Windows Authentication LocalSystem account:

Step Action

1 Choose Start > Control Panel to display the Control Panel.

2 Double click the Administrative Tools icon.

3 Double click the Services icon to display the Services dialog box.

4 Highlight a service (e.g., DbProtect Message Collector) to display the DbProtect Message Collector Properties pop-up.

5 Click the Log On tab to display the Log on as: portion of the DbProtect Message Collector Properties pop-up.

6 Select This account: and enter the:

• new "log on as" user’s domain name\user name (or click the Browse button to display the Select User pop-up and locate a valid user)

• password for the specified user.

7 Click the Apply button.

A message informs you the revised "log on as" account change will not take effect until you reboot your computer. Click the OK button.


Appendix G: DB2 Administrative Client Driver Installation

To download and install DB2 client drivers:

Step Action

1 Do one of the following to download and install a DB2 client driver:

• Contact your system administrator, who can provide the DB2 installation CD containing the client drivers.

• Visit the IBM website (http://www.ibm.com/support/all_download_drivers.html) and search for an appropriate driver.

• As a final alternative, you can download an evaluation version of DB2 from the IBM website, and install the client drivers which come with the installation package. For more information, see http://www.ibm.com/software/data/db2/.

2 Locate the downloaded client driver on your hard drive (a .zip file), and install using the wizard.


Appendix H: DbProtect Log Files

In this appendix:

• DbProtect log files

• Sensor log files.

DbProtect log files

Normal operations Console log files:

Log file: dbprotect.log

Description: This is the main application log that is written to during system usage.

Log entries are in the following format:

Sat 01 Jan 23:59:59 [ThreadIdentifer] LEVEL Component – Log Message

where the date and time are presented first, followed by the DbProtect thread identifier, the level of the log message (which will be either INFO, WARN or ERROR), the DbProtect component and then the log message.

Each log message entry can span multiple lines.

Location: \<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\logs\

Log file: gui_wrapper.log

Description: Log for the component that manages the service life cycle of the DbProtect service.

Log file: catalina*.log

Description: Application logs for the Tomcat engine used by DbProtect.

Location: \<DbProtect Installation Folder>\AppSecInc\DbProtect\GUI\tomcat\logs\ and \<DbProtect Installation Folder>\AppSecInc\DbProtect\Message Collector\tomcat\logs\
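A parser for the dbprotect.log entry format described above, added here as an example; it is not part of DbProtect. It folds continuation lines into the entry they belong to and tallies WARN and ERROR entries per component. The sample lines, thread names and component names are constructed, and accepting a plain hyphen in place of the dash is an assumption.

```python
import re
from collections import Counter

# Header line: "Sat 01 Jan 23:59:59 [Thread] LEVEL Component – Log Message".
# The timestamp carries no year, so it is kept as text rather than a date.
HEADER = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} \d{2} [A-Z][a-z]{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<thread>[^\]]+)\] "
    r"(?P<level>INFO|WARN|ERROR) "
    r"(?P<component>.+?) [-\u2013] "   # dash as documented, or a hyphen
    r"(?P<message>.*)$"
)

# Constructed sample; not taken from a real DbProtect installation.
SAMPLE_LOG = """\
Sat 01 Jan 23:59:58 [main] INFO Startup \u2013 Console service started
Sat 01 Jan 23:59:59 [worker-3] ERROR SensorManager \u2013 Unable to contact Sensor
java.net.ConnectException: Connection refused
    at ExampleClass.connect(ExampleClass.java:42)
Sun 02 Jan 00:00:01 [worker-3] WARN SensorManager - Retrying in 30 seconds
"""


def parse_entries(lines):
    """Group raw lines into entries.

    Returns (entries, orphans): entries is a list of dicts with the keys
    when, thread, level, component and message; orphans holds lines seen
    before the first header, for example the tail of an entry whose start
    is in an older, archived file.
    """
    entries, orphans = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        match = HEADER.match(line)
        if match:
            entries.append(match.groupdict())
        elif entries:
            # Continuation line (stack trace, wrapped text): keep it with
            # the entry it follows, indentation included.
            entries[-1]["message"] += "\n" + line
        elif line.strip():
            orphans.append(line)
    return entries, orphans


def summarize(entries):
    """Count WARN and ERROR entries per (level, component)."""
    return Counter(
        (e["level"], e["component"])
        for e in entries
        if e["level"] in ("WARN", "ERROR")
    )


if __name__ == "__main__":
    parsed, leftover = parse_entries(SAMPLE_LOG.splitlines())
    for (level, component), count in sorted(summarize(parsed).items()):
        print(f"{level:5} {component}: {count}")
    print(f"{len(leftover)} line(s) could not be attached to an entry")
```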


DbProtect installation and upgrade log files:

The following DbProtect log files are related to installation and upgrade. Once installation is completed, you can ignore these files (or you can safely remove them).

• appradar_load_data.log

• appradar_load_policies.log

• appradar_load_reports.log

• appradar_load_rules.log

• appradargroup_install.log

• createlocalenv_install.log

• dbbuild_install.log

• keyutil_install.log

• testappradarconn.log.

Sensor log files

This section of the appendix explains:

• Archiving

• Normal operations Sensor log files

• Replay log files

• Sensor installation and upgrade log file.

ARCHIVING

Log files automatically archive themselves when they reach a certain size, e.g. 100 MB. For example, when a log file named AppRadar Sensor.log reaches its limit, the file is renamed AppRadar Sensor.log.1 and a new AppRadar Sensor.log file is started.

When AppRadar Sensor.log again reaches its limit, appsensor.log.1 is renamed appsensor.log.2, appsensor.log is renamed appsensor.log.1, a new appsensor.log is started, and so on. Each type of log listed below has a different file size limit at which archiving occurs, and each has a different maximum number of archives.

Normal operations Console log files (continued):

Log file: messagecollector_wrapper.log
Description: Log for the component that manages the service life cycle of the Message Collector service.
Location: <DbProtect Installation Folder>\AppSecInc\DbProtect\Message Collector\logs\

Log file: messagecollector.log
Description: This is a log file for DbProtect. It tracks the error entries for the Alert-collecting component of DbProtect.

NORMAL OPERATIONS SENSOR LOG FILES

Log file: appsensor.log
Description: Sensor application log (created during normal operations).

This file generally contains warnings and errors, and at the default Warning level the file size grows slowly. However, you can also configure this file to include debug messages for troubleshooting, if the Application Security, Inc. Support Team asks you to set the level to Debug or Development. In this case, the file size grows rapidly.

Note: This file “rolls over” at 100MB and does so a maximum of three times.

"Failed login" support utilizes DB2's "auditing" feature. This is unique to host-based Sensors for DB2, since all other types of host-based Sensors utilize "event monitoring."

The host-based Sensors for DB2 automatically turn on DB2 auditing. If you enable any Rule related to failed logins (specifically, "Failed Login", "Password Guessing", or "Scripted Password Attack"), then the host-based Sensors for DB2 write errors to the appsensor.log file(s).

For more information on how the host-based Sensors for DB2 use auditing to monitor failed logins and how to manually manage the resulting audit files, see the DbProtect Administrator’s Guide.

Location: <DbProtect Installation Folder>\AppSecInc\AppRadar Sensor\logs\

REPLAY LOG FILES

Also in the logs directory are Sensor log files related to “store-&-forward”, i.e., Application Security, Inc.’s method of storing Alerts temporarily in case DbProtect becomes unavailable. These are more commonly known as the replay log files. They come in two forms:

• *.replay.log, which contains Alerts to be forwarded to DbProtect when it becomes available

• *.replay.log.bookmark, which is a bookmark pointing to the replay log indicating where forwarding left off the last time it ran.

If DbProtect becomes unavailable, these files ensure your Alerts will continue to be logged. They store Alerts in binary form which are “replayed” to DbProtect when it is back online.

The growth rate of the Alert log files depends on Alert rate and size. An average replay log grows at a rate of approximately 2k/second, but only when the Sensor cannot communicate with DbProtect.

The number and size of Alert log files depend on how many Alerts per second are being fired and how long the Message Collector component of DbProtect has been down. Once it’s back online, the replay logs will not shrink in size, but rather they will disappear one file at a time.

Replay logs “roll over” at 500MB and continue to do so every 500MB until DbProtect becomes available.

SENSOR INSTALLATION AND UPGRADE LOG FILE

The Sensor configuration.log file is related to installation and upgrade. Once installation is completed, you can ignore this file (or you can remove it safely).

Appendix I: Using App DSN, the Repair ODBC Utility

App DSN is a built-in Repair ODBC (Open Database Connectivity) utility that allows you to synchronize the database where your Scan Engine results are stored with the DbProtect Data Repository component.

App DSN also allows you to change the type of authentication DbProtect AppDetective uses to authenticate to the database server (i.e., from Windows authentication to SQL Server authentication, or vice versa).

To use App DSN:

Step Action

1 Choose Start > Programs > AppSecInc > AppDetective Scan Engine > AppDSN to display the App DSN utility.

FIGURE: App DSN utility

2 Use the Server drop-down to select the SQL Server 2005 instance where the Scan Engine stores its results, or enter the SQL Server 2005 instance name.

Important: This must be the same database DbProtect AppDetective uses.

Hint: Click the Locate instances... button to search for/display all SQL Server instances on your network.

3 Select to authenticate to the database server using: Windows Authentication (strongly recommended) or SQL Server Authentication.

If you select:

• Windows Authentication, then the AppDetective Scan Engine service uses the login/password credentials supplied in the Sensor installation section of the DbProtect Installation Guide. If you want to change or verify these values, you must run services.msc

• SQL Server Authentication, then you must enter a SQL Server authentication Login Name: and Password:.

4 Click the OK button.

The Repair ODBC utility changes the database server the Scan Engine uses to store its results, and/or changes the type of authentication DbProtect AppDetective uses to authenticate to the database server.

Appendix J: Configuring Your Oracle Audit Trail in Order to Monitor Logins

You can configure your Oracle audit trail settings in order for your host-based Sensor for Oracle to monitor logins. Specifically, the following DbProtect Rules can monitor failed and successful logins:

• “Login attempt – successful”

• “Failed Login”

• “Password guessing”

• “Password scripted attack”.

To configure your Oracle audit trail settings so your host-based Sensor for Oracle can monitor logins, you must set the Oracle audit trail of the database to db so that it logs the logins (failed and successful) to the dba_audit_session table.

Note: Because this step is optional, you only need to complete these steps for SIDs that you want to monitor for logins. You should complete these steps for each SID that resides on a server, assuming the host-based Sensor is going to monitor these SIDs.

You can complete the following steps for each Oracle database instance that your host-based Sensor for Oracle is configured to monitor (assuming you want to monitor logins).

To configure your Oracle audit trail to enable your host-based Sensor for Oracle to monitor logins:

Step Action

1 Using an Oracle client such as sqlplus, set the audit trail to db:

    alter system set audit_trail='db' scope=spfile;
    shutdown
    startup

2 Enable session auditing:

    audit session;

Note: If your host-based Sensor for Oracle is already running, you need to restart it; for more information, see the DbProtect Administrator’s Guide.

Appendix K: Required Client Drivers for Audits

In this appendix:

• DB2 client driver installation

• Lotus Notes client driver installation

• Sybase client driver installation

• DB2 Connect installation.

DB2 client driver installation

To perform an Audit on a DB2 server, you must install the DB2 administrative client. If you do not have these drivers and privileges, DbProtect AppDetective cannot access tables that are critical for information gathering.

If you are already a DB2 user, and you have the administrative client installed, you do not need to reinstall the client drivers. You only need your login name and password.

In this help topic:

• Supported and non-supported client configurations

• Downloading and installing the DB2 client drivers.

SUPPORTED AND NON-SUPPORTED CLIENT CONFIGURATIONS

DB2 version 7 client local connections to a DB2 version 8 server are not supported. For example, you cannot use a DB2 version 7 client to catalog a DB2 version 8 instance on the same machine as a local node.

A detailed matrix on the DB2 website describes the standard and gateway configuration support for DB2 clients. For more information, see the following: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp?topic=/com.ibm.db2.udb.doc/start/r0009731.htm.

DOWNLOADING AND INSTALLING THE DB2 CLIENT DRIVERS

To download and install DB2 client drivers:

Step Action

1 The client drivers needed are the Administration client drivers. Do one of the following:

• Contact your system administrator, who can provide the DB2 installation CD containing the client drivers.

• For DB2 Version 7, download the appropriate driver from the IBM website (http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html)

• For DB2 Version 8, download the appropriate driver from the IBM website (http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html)

• Visit the IBM website (http://www-1.ibm.com/support/all_download_drivers.html) and search for an appropriate driver.

• As a final alternative, you can download an evaluation version of DB2 from the IBM website, and install the client drivers which come with the installation package. For more information, see http://www-3.ibm.com/software/data/db2/.

2 Locate the downloaded client driver on your hard drive (a .zip file).

3 Use a utility like WinZip to unzip the contents into a temporary install directory.

4 Once the files are extracted into the temporary install directory, double click the setup file (setup.exe) to begin the installation process.

5 Click the Next button to choose the DB2 Administration client.

6 Choose Typical.

7 Click the Next button.

8 Choose to install the client in the default location.

9 Click the Next button. A dialog box informs you if there is enough information to complete the installation.

10 Click the Next button.

11 Click the Finish button.

12 Reboot your system.

Result: The DB2 client drivers are now installed. You can now perform Audits on a DB2 server.

Lotus Notes client driver installation

To perform an Audit of a Lotus Notes-based Domino Mail Server, you must install the Lotus Notes client drivers. If you are already a Lotus Notes user, you do not need to re-install the client drivers. You only need to find your .id file, typically located in your C:\Lotus\Notes\Data folder. You must also know your password.

In this help topic:

• Downloading and installing Lotus Notes client software

• Starting Lotus Notes for the first time.

DOWNLOADING AND INSTALLING LOTUS NOTES CLIENT SOFTWARE

To download and install Lotus Notes client software:

Step Action

1 Open http://www.lotus.com in your browser.

2 Click the Downloads link.

3 Click the most appropriate Lotus Notes client software download link.

Note: You must register to access the download site.

4 Download the Lotus Notes client software setup file to a convenient location (e.g., C:\temp).

5 Double click the setup file you downloaded from the Lotus website to display the welcome dialog box.

6 Click the Next button to display the license dialog box.

7 Read the License Agreement.

8 If you consent to the License Agreement, press the Yes button to display the name and company dialog box.

9 Enter your name and company name.

10 Click the Next button to display the default installation directory dialog box.

11 Do not change the default installation directories.

12 Click the Next button to display the setup dialog box.

13 Select Typical Setup.

14 Click the Next button to display the Lotus Notes program icons dialog box.

15 Specify the folder where you want to install the Lotus Notes program icons.

16 Lotus Notes is installed.

STARTING LOTUS NOTES FOR THE FIRST TIME

Your Domino administrator must set up a valid Lotus Notes account for you. He/she can provide you with a password as well as an .id file which you must copy to your C:\Lotus\Notes\Data folder. Contact your Domino administrator if you are unsure about the proper responses to give in the following procedure.

To start Lotus Notes for the first time:

Step Action

1 Choose Start > Lotus Applications > Lotus Notes to display the set up connections dialog box.

2 Click the Next button to display the Connect to Domino Server dialog box.

3 Click the Next button.

4 Choose your desired method of connecting to the server. If you are in an office, select Connect through a LAN.

5 Click the Next button to display the Server dialog box.

6 Enter your server name. (Ask your Domino administrator if you are unsure.)

7 Click the Next button to display the Browse for Your ID File/Lotus Notes Name dialog box.

8 Browse for your .id file, or use your Lotus Notes name. (Ask your Domino administrator if you are unsure.)

9 Click the Next button.

10 Setup is complete.

Note: You may or may not want to set up your email, news, directory server, and proxy servers. This is usually done by your Domino administrator. At this point, you have provided enough information to run AppDetective for Lotus Domino.

Sybase client driver installation

To perform an Audit on a Sybase ASE dataserver, you must have the Sybase ASE ODBC driver installed on your workstation. The Sybase ASE ODBC driver is packaged with the Sybase ASE Client driver. DbProtect uses the Sybase ASE ODBC driver to access your Sybase dataserver.

Specifically, DbProtect supports the following Sybase ASE ODBC drivers:

• Sybase ASE ODBC driver (packaged in the 12.5.2 client driver)

• Adaptive Server Enterprise ODBC driver (packaged in the 15.x client driver or Software Development Kit).

In this help topic:

• Checking if you have the proper Sybase ASE ODBC drivers installed

• Downloading and installing Sybase ASE ODBC drivers.

CHECKING IF YOU HAVE THE PROPER SYBASE ASE ODBC DRIVERS INSTALLED

To check if you have the proper Sybase ASE ODBC driver installed:

Step Action

1 Choose Start > Settings > Control Panel.

2 Double click the Administrative Tools icon.

3 Double click the Data Sources (ODBC) icon.

4 Click the Drivers tab.

5 Scroll down and check if you have either the Sybase ASE ODBC Driver or the Adaptive Server Enterprise ODBC Driver installed (in the Name column).

6 If you:

• have the drivers on your machine, you are ready to use DbProtect’s security Audit feature

• do not have the driver installed, go to Downloading and installing Sybase ASE ODBC drivers.

DOWNLOADING AND INSTALLING SYBASE ASE ODBC DRIVERS

To download and install Sybase ASE ODBC drivers:

Step Action

1 Refer to the Sybase installation CDs shipped with your database installation to obtain the correct Sybase ASE ODBC drivers, or download them from http://download.sybase.com/eval/ASE_1252_DE/pcclient_1252.zip

Note: The Adaptive Server Enterprise ODBC Driver version 15.x is not a free download. Refer to the Sybase installation CDs shipped with your database installation to obtain it. If you do not have this, you can obtain the Adaptive Server Enterprise ODBC driver in the Software Developer kit as a licensed contact, or for purchase. Alternately, you can try to download a free Developer’s Edition copy of ASE 15.x from Sybase. However, Application Security, Inc. is not responsible for the time frame in which Sybase is making this available.

DB2 Connect installation

To run an Audit on DB2 on the Mainframe, you must install DB2 Connect (Enterprise Edition) software on your scanning machine.

To download and install DB2 Connect (Enterprise Edition):

Step Action

1 Go to the IBM website, click the How to buy link, and follow the download and installation instructions.

Appendix L: Required Audit Privileges

This appendix consists of the following topics:

• DB2 Audit privileges

• DB2 z/OS Audit privileges

• Lotus Domino Groupware Audit privileges

• SQL Server Audit privileges

• MySQL Audit Privileges

• Oracle Audit privileges

• Sybase Audit privileges

• Operating system considerations.

DB2 Audit privileges

Note: For more information on DB2 OS check requirements, see Operating system considerations.

To conduct a full DB2 Audit, you need the following privileges. Make sure the account you are using has rights to use the following tables and views:

• CONNECT

• GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY

• Service Info (Windows ONLY)

• SYSIBM.SYSCOLAUTH

• SYSIBM.SYSINDEXAUTH

• SYSIBM.SYSPASSTHRUAUTH

• SYSIBM.SCHEMAAUTH

• SYSIBM.SYSDBAUTH

• SYSIBM.SYSTABAUTH

• SYSIBM.SYSFUNCTIONS

• SYSIBM.SYSPROCEDURES

• SYSIBM.SYSVERSIONS

Below is a list of checks within DbProtect AppDetective for a DB2 Audit, and the tables and views they need permission to access in order to function properly:

• CLIENT authentication: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY

• SERVER authentication: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY

• DCS authentication: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY

• Trust All Client: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY

• Authentication type: GET DATABASE MANAGER CONFIGURATION & LIST DATABASE DIRECTORY

• Service runs as LocalSystem: Service Info (Windows ONLY)

• Permissions granted to PUBLIC: SYSIBM.SYSCOLAUTH, SYSIBM.SYSINDEXAUTH, SYSIBM.SYSPASSTHRUAUTH, SYSIBM.SCHEMAAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH

• Permissions granted to user: SYSIBM.SYSCOLAUTH, SYSIBM.SYSINDEXAUTH, SYSIBM.SYSPASSTHRUAUTH, SYSIBM.SCHEMAAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH

• Permissions grantable: SYSIBM.SYSCOLAUTH, SYSIBM.SYSINDEXAUTH, SYSIBM.SYSPASSTHRUAUTH, SYSIBM.SCHEMAAUTH, SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH

• Permissions on system catalog: SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH

• Permissions to list users: SYSIBM.SYSDBAUTH, SYSIBM.SYSTABAUTH

• db2ckpwd buffer overflow (Version verify): SYSIBM.SYSVERSIONS

• Query Compiler DoS (Verify version): SYSIBM.SYSVERSIONS

• Date/Varchar DoS (Verify version): SYSIBM.SYSVERSIONS

• Latest FixPak not installed: SYSIBM.SYSVERSIONS

• Control Center buffer overflow (Verify version): SYSIBM.SYSVERSIONS

Some DB2 Audit checks need to differentiate between fixpaks such as 4/4a, 6/6a, etc. These checks require specific permissions. Specifically, the checks affected are:

• Arbitrary code execution in a federated system (Verify version)

• Arbitrary code execution when processing connection messages (Verify version)

• Arbitrary file creation in XML Extender functions (Verify version)

• Buffer overflow in CALL statement (Verify version)

• Buffer overflow in db2fmp (Verify version)

• Buffer overflow in generate_distfile procedure (Verify version)

• Buffer overflow in REC2XML function (Verify version)

• Buffer overflow in SATADMIN.SATENCRYPT function (Verify version)

• Buffer overflow in the JDBC listener (Verify version)

• Buffer overflows in XML Extender functions (Verify version)

• DoS in string formatting functions (Verify version)

• Latest FixPak not installed

• Multiple Buffer overflows in libdb2.so.1 library (Verify version)

• Multiple critical vulnerabilities in IBM DB2 (Verify version)

• Multiple DoS vulnerabilities in SQLJRA protocol

• SELECT privilege escalation

In order for DbProtect AppDetective to work properly with any of these checks, you must set special permissions, depending on what version of DB2 is running on your server. The following table explains which permissions are required for which versions of DB2:

If your server is running DB2 version: 9.10 or later
Requirements: SELECT or CONTROL privilege on the ENV_INST_INFO administrative view, OR EXECUTE privilege on the ENV_GET_INST_INFO table function, OR SYSADM and/or ATTACH privileges.

If your server is running DB2 version: 8.2.2 or later
Requirements: EXECUTE privilege on the ENV_GET_INST_INFO table function.

If your server is running DB2 version: 8.1.0 or later
Requirements: SYSADM or ATTACH privileges.

If your server is running DB2 version: 7
Requirements: Registry access or OS access.

DB2 z/OS Audit privileges

You must have at least SELECT privilege on the following system catalog tables (which SYSADM has by default):

• SYSIBM.SYSCOLAUTH

• SYSIBM.SYSDBAUTH

• SYSIBM.SYSPACKAUTH

• SYSIBM.SYSPLANAUTH

• SYSIBM.SYSROUTINEAUTH

• SYSIBM.SYSSCHEMAAUTH

• SYSIBM.SYSTABAUTH

• SYSIBM.SYSUSERAUTH

Lotus Domino Groupware Audit privileges

Note: For more information on Lotus Domino OS check requirements, see Operating system considerations.

To conduct a full Lotus Domino Groupware Audit, you need the following privileges. Make sure the account you are using has rights to use the following tables and views:

• Read all databases

• Read decsadm.nsf and all of its documents

• Read names.nsf and all of its documents

• Execute commands on the server

• Read all user documents

Below is a list of checks within the Scan Engine for a Lotus Domino Audit, and the tables and views they need permission to access in order to function properly:

• Anonymous can create documents: Read all databases

• Anonymous granted Designer or higher access: Read all databases

• Anonymous user in Authors field: Read all databases

• Default has Editor or higher access: Read all databases

• Encrypted field full-text indexed: Read all databases

• Unspecified user type in ACL: Read all databases

• DECS password unencrypted: Read decsadm.nsf and all of its documents

• Anonymous ACL missing: Read all databases, Read names.nsf and all of its documents

• Access server unrestricted: Read names.nsf and all of its documents

• All people can use monitors: Read names.nsf and all of its documents

• All users can run personal agents: Read names.nsf and all of its documents

• Anonymous access via HTTPS: Read names.nsf and all of its documents

• Anonymous access via Notes RPC: Read names.nsf and all of its documents

• Bindsock arbitrary file creation: Read names.nsf and all of its documents

• CGI directory leak: Read names.nsf and all of its documents

• Check passwords on Notes IDs: Read names.nsf and all of its documents

• Create databases unrestricted: Read names.nsf and all of its documents

• Enumerate groups: Read names.nsf and all of its documents

• Failed access control on file attachments: Read names.nsf and all of its documents

• iNotes client ActiveX control buffer overflow: Read names.nsf and all of its documents

• iNotes s_ViewName buffer overflow: Read names.nsf and all of its documents

• Latest maintenance release not applied: Read names.nsf and all of its documents

• Long POST request DoS: Read names.nsf and all of its documents

• Maximum number of request headers: Read names.nsf and all of its documents

• Maximum size of request contents: Read names.nsf and all of its documents

• Maximum size of request headers: Read names.nsf and all of its documents

• Maximum URL length: Read names.nsf and all of its documents

• Maximum URL path segments: Read names.nsf and all of its documents

• Non-admins can use monitors: Read names.nsf and all of its documents

• Notes RPC buffer overflow: Read names.nsf and all of its documents

• Notes_ExecDirectory buffer overflow: Read names.nsf and all of its documents

• Password change interval for user: Read names.nsf and all of its documents

• PATH buffer overflow: Read names.nsf and all of its documents

• Public keys compared to directory: Read names.nsf and all of its documents

• Restricted agents runlist: Read names.nsf and all of its documents

• Restricted Java/COM runlist: Read names.nsf and all of its documents

• Saved email not encrypted: Read names.nsf and all of its documents

• Servlets disabled: Read names.nsf and all of its documents

• Unrestricted agents runlist: Read names.nsf and all of its documents

• Unrestricted Java/COM runlist: Read names.nsf and all of its documents

• User can create new databases: Read names.nsf and all of its documents

• Administration over HTTP: Read names.nsf and all of its documents, Execute a command on the server

• Anonymous access via HTTP: Read names.nsf and all of its documents, Execute a command on the server

• Anonymous access via IIOP: Read names.nsf and all of its documents, Execute a command on the server

• Anonymous access via IIOPS: Read names.nsf and all of its documents, Execute a command on the server

• Anonymous access via LDAP: Read names.nsf and all of its documents, Execute a command on the server

• Anonymous access via LDAPS: Read names.nsf and all of its documents, Execute a command on the server

• ESMTP buffer overflow: Read names.nsf and all of its documents, Execute a command on the server

• Expired certificates allowed: Read names.nsf and all of its documents, Execute a command on the server

• HTTP authenticate buffer overflow: Read names.nsf and all of its documents, Execute a command on the server

• HTTP database browsing: Read names.nsf and all of its documents, Execute a command on the server

• HTTP logging not enabled: Read names.nsf and all of its documents, Execute a command on the server

• HTTP methods excluded from logging: Read names.nsf and all of its documents, Execute a command on the server

• HTTP MIME types excluded from logging: Read names.nsf and all of its documents, Execute a command on the server

• HTTP return codes excluded from logging: Read names.nsf and all of its documents, Execute a command on the server

• HTTP user agents excluded from logging: Read names.nsf and all of its documents, Execute a command on the server

• HTTPS allows anonymous access: Read names.nsf and all of its documents, Execute a command on the server

• Inadequate amgr process logging: Read names.nsf and all of its documents, Execute a command on the server

• Incomplete POST DoS: Read names.nsf and all of its documents, Execute a command on the server

• Interface address leak in banner: Read names.nsf and all of its documents, Execute a command on the server

• LDAP buffer overflow: Read names.nsf and all of its documents, Execute a command on the server

• LDAP format string: Read names.nsf and all of its documents, Execute a command on the server

• MS-DOS device web path leak: Read names.nsf and all of its documents, Execute a command on the server

• Personal agents runlist: Read names.nsf and all of its documents, Execute a command on the server

• Redirected host/location buffer overflow: Read names.nsf and all of its documents, Execute a command on the server

• Routing loop DoS (Verify version): Read names.nsf and all of its documents, Execute a command on the server

• SMTP buffer overflow: Read names.nsf and all of its documents, Execute a command on the server

• Unencrypted HTTP: Read names.nsf and all of its documents, Execute a command on the server

• Unencrypted IIOP: Read names.nsf and all of its documents, Execute a command on the server

• Unencrypted IMAP: Read names.nsf and all of its documents, Execute a command on the server

• Unencrypted LDAP: Read names.nsf and all of its documents, Execute a command on the server

• Unencrypted NNTP: Read names.nsf and all of its documents, Execute a command on the server

• Unencrypted POP3: Read names.nsf and all of its documents, Execute a command on the server

• Web retriever HTTP status buffer overflow: Read names.nsf and all of its documents, Execute a command on the server

• Web Retriever logging: Read names.nsf and all of its documents, Execute a command on the server

• Easily-guessed Internet password: Read all user documents

• Easily-guessed Notes password: Read all user documents

• Agent manager debugging not enabled: Execute a command on the server

• Ambiguous webnames allowed: Execute a command on the server

• Console password not set: Execute a command on the server

• Inadequate console logging: Execute a command on the server

• NDS password present: Execute a command on the server

• NDS userid present: Execute a command on the server

• Phone line logging not enabled: Execute a command on the server

SQL Server Audit Privileges

Note: For more information on SQL Server OS check requirements, see Operating system considerations.

This topic consists of the following sub-topics:

• SQL Server 7, SQL Server 2000, and MSDE Audit Privileges

• SQL Server 2005 Audit Privileges

• Credentials for SQL Server Audits

SQL SERVER 7, SQL SERVER 2000, AND MSDE AUDIT PRIVILEGES

To conduct a full SQL Server Audit, you need the following privileges. Make sure the account you are using has rights to use the following tables and views:

| Check | Privileges required |
|---|---|
| master.dbo.xp_loginconfig | EXECUTE |
| master.dbo.xp_regread | EXECUTE |
| exec <db name>.dbo.sp_helprotect | EXECUTE |
| msdb.dbo.sp_get_sqlagent_properties | EXECUTE |
| master.dbo.xp_cmdshell | EXECUTE |
| @@VERSION | SELECT |
| master.dbo.syslogins (MSSQLSysLogins) | SELECT |
| master.dbo.sysxlogins | SELECT |
| master.dbo.sysdatabases | SELECT |
| master.dbo.sysconfigures | SELECT |
| master.dbo.syscurconfigs | SELECT |
| master.dbo.syscharsets | SELECT |
| <db name>.dbo.sysusers | SELECT |
| <db name>.dbo.sysobjects | SELECT |
| <db name>.dbo.syscomments | SELECT |

Below is a list of checks within the Scan Engine for a SQL Server Audit, and the tables and views they need permission to access in order to function properly:

• Agent jobs privilege escalation: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Auditing of failed logins: master.dbo.xp_loginconfig

• Auditing of successful logins: master.dbo.xp_loginconfig

• Blank password: master.dbo.sysxlogins

• Blank password for sa: master.dbo.sysxlogins

• Blank password for well-known login: master.dbo.sysxlogins

• BULK INSERT buffer overflow: @@VERSION

• C2 Audit Mode: @@VERSION, master.dbo.sysconfigures, master.dbo.syscurconfigs

• Case-insensitive sort order: master.dbo.syscharsets, master.dbo.sysconfigures, master.dbo.syscurconfigs

• Changing mode may leave sa password blank: @@VERSION

• Cleartext password written by installation: @@VERSION, master.dbo.xp_cmdshell

• Computed Column UDF DoS: @@version

• Database ownership chaining not disabled: sysconfigures, syscurconfigs

• DBCC addextendedproc buffer overflow: @@VERSION

• DBCC BUFFER buffer overflow: @@VERSION

• DBCC CHECKCONSTRAINTS buffer overflow: @@VERSION

• DBCC CLEANTABLE buffer overflow: @@VERSION

• DBCC INDEXDEFRAG buffer overflow: @@VERSION

• DBCC PROCBUF buffer overflow: @@VERSION

• DBCC SHOWCONTIG buffer overflow: @@VERSION

• DBCC SHOWTABLEAFFINITY buffer overflow: @@VERSION

• DBCC UPDATEUSAGE buffer overflow: @@VERSION

• Default login enabled: @@VERSION, master.dbo.syslogins, master.dbo.xp_loginconfig

• Direct updates on data dictionary: master.dbo.sysconfigures, master.dbo.syscurconfigs

• DTS package procedures granted to public: sp_helprotect

• DTS password exposed in properties dialog: @@VERSION

• DTS passwords publicly viewable: <db name>.dbo.sysusers, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Easily-guessed password: @@VERSION

• Easily-guessed password for sa: @@VERSION

• Easily-guessed password for well-known login: @@VERSION

• Encoded password written by installation: @@VERSION, master.dbo.xp_cmdshell

• Enterprise Manager improperly revokes proxy account: @@VERSION

• Error logs can be overwritten: <db name>.dbo.sysobjects, @@VERSION, master.dbo.sysdatabases

• Escalated privileges in heterogeneous joins: @@VERSION

• Extended stored proc privilege upgrade: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Fixed server role granted: master.dbo.syslogins

• Format string in C runtime DoS: @@VERSION

• Format string vuln in xp_sprintf: @@VERSION

• FORMATMESSAGE buffer overflow: @@VERSION

• Global temporary stored proc exists: sysobjects, sysusers

• Guest user exists in database: <db name>.dbo.sysusers, master.dbo.sysdatabases

• Hello buffer overflow: @@VERSION

• Infected with Spida worm: <db name>.dbo.sysobjects, master.dbo.sysdatabases, master.dbo.xp_cmdshell

• Jet running in sandbox Mode: <db name>.dbo.sysobjects, @@VERSION, master.dbo.sysdatabases

• Job output file handling: @@VERSION

• Latest service pack applied: @@VERSION

• Lumigent Log Explorer buffer overflow: <db name>.dbo.sysobjects, master.dbo.sysdatabases

• Malformed RPC request DoS: @@VERSION

• Malformed TDS packet header DoS: @@VERSION

• MDX Query buffer overflow: @@VERSION

• Objects not owned by dbo: <db name>.dbo.sysobjects, master.dbo.sysdatabases, <db name>.dbo.sysusers

• OLEDB ad hoc queries allowed: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• Orphaned user: @@VERSION, <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.syslogins

• Password same as login name: @@VERSION

• Permission grantable: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permissions granted to public: <db name>.dbo.sp_helprotect

• Permission on mswebtasks: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission on registry extended proc: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission on sp_MSsetalertinfo: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission on sp_MSSetServerProperties: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission on sp_readwebtask: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission on sp_runwebtask: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission on xp_readerrorlog: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission to select from syslogins: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission to select from system table: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permissions granted on xp_cmdshell: @@VERSION, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permissions granted to user: <db name>.dbo.sysusers, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Public can create Agent jobs: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• pwdencrypt buffer overflow: @@VERSION

• RAISERROR buffer overflow: @@VERSION

• Registry extended proc not removed: <db name>.dbo.sysobjects, master.dbo.sysdatabases

• Remote access allowed: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Remote data source function unchecked buffer: @@VERSION

• Replication password publicly viewable: xp_regread, sysobjects, @@version, sp_helprotect

• Resolution service DoS: @@VERSION

• Resolution service heap overflow: @@VERSION

• Resolution service stack overflow: @@VERSION

• Reusable cached administrator connection: @@VERSION

• sp_attachsubscription command injection: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• sp_MScopyscriptfile command injection: <db name>.dbo.sysobjects, master.dbo.sysdatabases, @@VERSION

• SQL Agent password publicly viewable: @@version, msdb.dbo.sp_get_sqlagent_properties, sp_helprotect

• SQL Agent procedures granted to public: sp_helprotect

• SQLServerAgent password in registry: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• srv_paraminfo buffer overflow in sp_OACreate: @@VERSION

• srv_paraminfo buffer overflow in sp_OADestroy: @@VERSION

• srv_paraminfo buffer overflow in sp_OAGetProperty: @@VERSION

• srv_paraminfo buffer overflow in sp_OAMethod: @@VERSION

• srv_paraminfo buffer overflow in sp_OASetProperty: @@VERSION

• srv_paraminfo buffer overflow in xp_displayparamstmt: @@VERSION

• srv_paraminfo buffer overflow in xp_execresultset: @@VERSION

• srv_paraminfo buffer overflow in xp_peekqueue: @@VERSION

• srv_paraminfo buffer overflow in xp_printstatements: @@VERSION

• srv_paraminfo buffer overflow in xp_proxiedmetadata: @@VERSION

• srv_paraminfo buffer overflow in xp_SetSQLSecurity: @@VERSION

• srv_paraminfo buffer overflow in xp_showcolv: @@VERSION

• srv_paraminfo buffer overflow in xp_sqlagent_monitor: @@VERSION

• srv_paraminfo buffer overflow in xp_sqlinventory: @@VERSION

• srv_paraminfo buffer overflow in xp_updatecolvbm: @@VERSION

• Standard SQL Server authentication allowed: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases, master.dbo.xp_loginconfig

• Statement permission granted: master.dbo.sysdatabases, exec <db name>.dbo.sp_helprotect

• SysAdmin only for CmdExec job steps: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• sysadmin role granted: master.dbo.syslogins

• Table to store DTS passwords publicly viewable: <db name>.dbo.sysusers, master.dbo.sysdatabases, exec <db name>.dbo.sp_helprotect

• Temporary stored procedures bypass permissions: @@VERSION

• UDB broadcast buffer overflow: master.dbo.xp_cmdshell

• Windows account name shown as hostname: @@VERSION, master.dbo.xp_loginconfig

• XMLHTTP control allows local file access: <db name>.dbo.sysobjects, master.dbo.sysdatabases, @@VERSION

• xp_cmdshell not removed: <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_controlqueueservice buffer overflow: <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_createprivatequeue buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_createqueue buffer overflow: @@VERSION, master.dbo.sysdatabases, <db name>.dbo.sysobjects

• xp_decodequeuecmd buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_deleteprivatequeue buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_deletequeue buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_dirtree buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_displayqueuemesgs buffer overflow: @@VERSION, master.dbo.sysdatabases, <db name>.dbo.sysobjects

• xp_dsninfo buffer overflow: <db name>.dbo.sysobjects, @@VERSION, master.dbo.sysdatabases

• xp_mergelineages buffer overflow: @@VERSION, master.dbo.sysdatabases, <db name>.dbo.sysobjects

• xp_oledbinfo buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_proxiedmetadata buffer overflow: master.dbo.sysdatabases, <db name>.dbo.sysobjects, @@VERSION

• xp_readpkfromqueue buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_readpkfromvarbin buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_repl_encrypt buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_resetqueue buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_sprintf buffer overflow: @@VERSION

• xp_sqlagent_param buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xp_sqlinventory buffer overflow: @@VERSION, master.dbo.sysdatabases, <db name>.dbo.sysobjects

• xp_unpackcab buffer overflow: @@VERSION, <db name>.dbo.sysobjects, master.dbo.sysdatabases

• xstatus backdoor: @@VERSION, master.dbo.sysxlogins

SQL SERVER 2005 AUDIT PRIVILEGES

Any Audit check for SQL Server 2005 queries the following views:

• sys.databases

• sys.configurations

• sys.server_principals

• sys.server_role_members

In SQL Server 2005, the public group can select from these views, but because of metadata visibility not all records may be returned.

This is why some checks require VIEW DEFINITION, VIEW ANY DEFINITION or even CONTROL SERVER permission to get data.

• Auditing of failed/successful logins: execute xp_loginconfig.

• Blank password checks: select password_hash column of sys.sql_logins for all sql logins which implies CONTROL SERVER permission.

• BUILTIN\Administrators not removed: select all rows from sys.server_principals view which implies VIEW ANY DEFINITION permission.

• C2 Audit Mode: select from sys.configurations view.

• Database ownership chaining not disabled: select from sys.configurations view.

• Default password for well-known login: makes connection attempts.

• DTS package procedures granted to public: select from msdb.sys.database_permissions view.

• Easily-guessed password checks: select password_hash column of sys.sql_logins for all sql logins which implies CONTROL SERVER permission.

• Error logs can be overwritten: execute xp_instance_regread.

• Fixed server role granted: select all rows from sys.server_principals, sys.server_role_members views which implies VIEW ANY DEFINITION permission.

• Global temporary stored proc exists: select from tempdb.sys.all_objects.

• Guest user exists in database: select all rows from sys.databases and <dbname>.sys.database_principals, and <dbname>.sys.database_permissions views.

• Latest service pack/hot fix not applied: uses @@version - requires no privileges.

• Lumigent Log Explorer buffer overflow: select all rows from master.sys.objects view which implies VIEW DEFINITION on master database permission.

• Not using NTFS partition: execute xp_instance_regread.

• OLEDB ad hoc queries allowed: select from sys.configurations view, execute xp_instance_regenumkeys.

• Password same as login name: select password_hash column of sys.sql_logins view for all sql logins which implies CONTROL SERVER permission.

• Permission grantable: select all rows from sys.databases, <dbname>.sys.database_permissions views which implies VIEW DEFINITION on database scope permission.

• Permission on OLE automation procs: select all rows from master.sys.database_permissions view which implies VIEW DEFINITION on database scope permission.

• Permission on registry extended proc: select all rows from master.sys.database_permissions view which implies VIEW DEFINITION on database scope permission.

• Permission to select from system table: select all rows from master.sys.database_permissions view which implies VIEW DEFINITION on database scope permission.

• Permissions granted on xp_cmdshell: select all rows from master.sys.database_permissions view which implies VIEW DEFINITION on database scope permission.

• Permissions granted to PUBLIC: select all rows from sys.databases, <dbname>.sys.database_permissions views.

• Permissions granted to user: select all rows from sys.databases, <dbname>.sys.database_permissions views which implies VIEW DEFINITION on database scope permission.

• Permissions on files: execute xp_instance_regread.

• Registry extended proc not removed: select from master.sys.system_objects view.

• Registry permissions: execute xp_instance_regread.

• Remote access allowed: select from sys.configurations view.

• Sample database not removed: select all rows from sys.databases view.

• Service runs as LocalSystem: execute xp_instance_regread.

• Standard SQL Server authentication allowed: execute xp_instance_regread.

• Statement permission granted: select all rows from sys.databases, <dbname>.sys.database_permissions views which implies VIEW DEFINITION on database scope permission.

• sysadmin role granted: select all rows from sys.server_principals, sys.server_role_members views which implies VIEW ANY DEFINITION permission.

• xp_cmdshell not removed/not disabled: select from sys.configurations view.
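The server-scope permissions named in the list above can be granted to a dedicated login and then verified by impersonation. This T-SQL is an added example, not part of the DbProtect guide; the login name dbp_audit and the password are placeholders, and it covers only the catalog-view permissions, not the extended stored procedures.

```sql
-- Added example (not from the DbProtect guide). The login name dbp_audit and
-- the password are placeholders; run as a member of sysadmin.
USE master;
GO

CREATE LOGIN dbp_audit
    WITH PASSWORD = '<replace-with-strong-password>',
         CHECK_POLICY = ON;
GO

-- Server scope. Lifts metadata-visibility filtering, so catalog views such as
-- sys.server_principals and sys.server_role_members return every row.
GRANT VIEW ANY DEFINITION TO dbp_audit;
GO

-- Per-database checks read <dbname>.sys.* views, so the login also needs a
-- user in each audited database:
--   USE <dbname>; CREATE USER dbp_audit FOR LOGIN dbp_audit;

-- Only if the password checks are in scope: they read password_hash from
-- sys.sql_logins, which the list above ties to CONTROL SERVER. That permission
-- is close to sysadmin in reach, so grant it for the scan window only.
--   GRANT CONTROL SERVER TO dbp_audit;
--   REVOKE CONTROL SERVER FROM dbp_audit;

-- Confirm what the login can actually see by impersonating it.
EXECUTE AS LOGIN = 'dbp_audit';

SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;

SELECT
    HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DEFINITION') AS has_view_any_definition,
    HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')      AS has_control_server,
    (SELECT COUNT(*) FROM sys.server_principals)         AS visible_principals,
    (SELECT COUNT(*) FROM sys.sql_logins
      WHERE password_hash IS NOT NULL)                   AS readable_password_hashes;

REVERT;
GO
```

Compare visible_principals with the same count taken as a sysadmin; a lower number means metadata visibility is still filtering rows and the affected checks will under-report.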

CREDENTIALS FOR SQL SERVER AUDITS

If you are unable to audit a SQL Server database using Windows Authentication, you may be using an account that lacks the proper credentials. There are a number of different ways to supply the proper credentials for SQL Server. The appropriate method depends on your circumstances.

The following table explains how to change your credentials under different scenarios when you attempt to perform an Audit on the SQL Server TARGET machine from another machine (HOST). Once you have valid credentials on the target HOST, you should be able to perform your Audit.

Part 1

If: TARGET and HOST are in the same or trusted domain.

Then:

• If you are logged in to HOST as a user that has Administrative access to TARGET, you do not need to supply additional credentials.

Or...

• If you are logged in as a user without Administrative access, you will need to supply TARGET’s sa credentials.

Part 2

If: TARGET is in WORKGROUP_X and HOST is in DOMAIN_A

Or...

TARGET is in WORKGROUP_X and HOST is in WORKGROUP_Y

Or...

TARGET is in WORKGROUP_X and HOST is in WORKGROUP_X

Then:

• You can supply sa credentials in the Scan Engine.

Or...

• You can create a local user on TARGET and a local user on HOST with matching user names and passwords.

Note: You cannot use Domain names here.

Or...

• Select the Properties branch option Connect to Microsoft SQL Servers via Named Pipes in the Console Properties branch (in the DbProtect AppDetective application), then use the Net Use technique to establish credentials on TARGET. You must select this option to force the Scan Engine to use named pipes. You must check this option if you want to Audit a SQL Server database (using Windows Authentication) against a machine on a different or untrusted domain. Additional steps are required. For more information, see Appendix M: Auditing SQL Server (Using Windows Authentication) Against a Machine on a Different or Untrusted Domain.

To use the Net Use technique:

- Open a command prompt.

- Enter the net use command to log in to the target server with valid credentials.

- The command should adhere to the following format: net use \\computerIP /user:[domainname\]username

- You are prompted for a valid password on the target.

- Verify access by re-entering net use

Part 3

If: TARGET is in DOMAIN_A and HOST is either in an untrusted DOMAIN_B or in WORKGROUP_X

Then:

• You can use any of the methods listed in Part 2, above.

Or...

• You can add HOST to DOMAIN_A.

MySQL Audit Privileges

Note: For more information on MySQL Server OS check requirements, see Operating system considerations.

To conduct a full MySQL Audit, you need the following privileges. Make sure the account you are using has rights to use the following tables and views:

• Anonymous user exists: SELECT on user table

• Blank account passwords: SELECT on user table

• Blank root password: SELECT on user table

• Default passwords for test accounts: SELECT on user table

• Easily-guessed account passwords: SELECT on user table

• Easily-guessed root password: SELECT on user table

• FILE privileges granted: SELECT on user table

• General log file not enabled: execute SHOW VARIABLES

• Password for user same as username: SELECT on user table

• Permissions grantable: SELECT on db table, SELECT on host table, SELECT on user table

• Permissions on GRANT tables: SELECT on db table, SELECT on host table, SELECT on user table, SELECT on columns_priv table, SELECT on tables_priv table

• Permissions on user table: SELECT on user table

• PROCESS privileges granted: SELECT on user table

• Sample database not removed: execute SHOW DATABASES

• SSL encryption not enabled: execute SHOW VARIABLES
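The privileges listed above map to a small set of grants on the mysql system database. The following is an added example, not part of the DbProtect guide: the account name, scanner host and password are placeholders, and the closing queries are manual equivalents written for illustration, not the Scan Engine's own queries.

```sql
-- Added example (not from the DbProtect guide). Account name, scanner host
-- and password are placeholders.
CREATE USER 'dbp_audit'@'scanner.example.internal'
    IDENTIFIED BY '<replace-with-strong-password>';

-- Grant tables read by the checks listed above.
GRANT SELECT ON mysql.user         TO 'dbp_audit'@'scanner.example.internal';
GRANT SELECT ON mysql.db           TO 'dbp_audit'@'scanner.example.internal';
GRANT SELECT ON mysql.tables_priv  TO 'dbp_audit'@'scanner.example.internal';
GRANT SELECT ON mysql.columns_priv TO 'dbp_audit'@'scanner.example.internal';

-- The host table exists only in older MySQL releases; skip this statement
-- on servers where mysql.host is absent.
GRANT SELECT ON mysql.host         TO 'dbp_audit'@'scanner.example.internal';

-- Without this global privilege, SHOW DATABASES lists only the databases the
-- account already has some privilege on, so a leftover sample database in
-- another schema would go unseen.
GRANT SHOW DATABASES ON *.* TO 'dbp_audit'@'scanner.example.internal';

-- Review the result: nothing beyond the grants above should appear.
SHOW GRANTS FOR 'dbp_audit'@'scanner.example.internal';

-- Manual equivalents of several user-table checks, runnable as the audit
-- account: anonymous accounts and accounts holding FILE, PROCESS or GRANT.
SELECT User, Host,
       (User = '') AS anonymous_account,
       File_priv, Process_priv, Grant_priv
FROM mysql.user
WHERE User = ''
   OR File_priv = 'Y'
   OR Process_priv = 'Y'
   OR Grant_priv = 'Y';

-- SHOW VARIABLES needs no extra privilege; filter for the SSL settings.
SHOW VARIABLES LIKE '%ssl%';
```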

MYSQL CHECKS

MySQL Audit

• Easily-guessed root password

• Easily-guessed passwords

• Blank password

• Blank root password

• Universal access

• SSL is enabled

• Grant tables privileges

• Ensure sample databases have been removed

• Permissions on [User] table

• Permissions granted directly to user

• Logging not enabled

• MySQL mysqld Privilege Escalation Vulnerability

• MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability

• MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability

• MySQL Double Free Heap Corruption Vulnerability

• MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability

• MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability

• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability

• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability

• MySQL Bind Address Not Enabled Weak Default Configuration Vulnerability

• MySQL Null Root Password Weak Default Configuration Vulnerability

• WinMySQLadmin Plain Text Password Storage Vulnerability

• MySQL Root Operation Symbolic Link File Overwriting Vulnerability

• MySQL SHOW GRANTS Password Hash Disclosure Vulnerability

• MySQL Local Buffer Overflow Vulnerability

• MySQL Authentication Algorithm Vulnerability

• MySQL GRANT Global Password Changing Vulnerability

• MySQL Unauthenticated Remote Access Vulnerability

MySQL Penetration Test

• Easily-guessed root password

• Easily-guessed password

• Blank password

• Blank root password

• MySQL mysqld Privilege Escalation Vulnerability

• MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability

• MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability

• MySQL Double Free Heap Corruption Vulnerability

• MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability

• MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability

• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability

• MySQL COM_TABLE_DUMP Memory Corruption Vulnerability

• MySQL Bind Address Not Enabled Weak Default Configuration Vulnerability

• MySQL Null Root Password Weak Default Configuration Vulnerability

• WinMySQLadmin Plain Text Password Storage Vulnerability

• MySQL Root Operation Symbolic Link File Overwriting Vulnerability

• MySQL SHOW GRANTS Password Hash Disclosure Vulnerability

• MySQL Local Buffer Overflow Vulnerability

• MySQL Authentication Algorithm Vulnerability

• MySQL GRANT Global Password Changing Vulnerability

• MySQL Unauthenticated Remote Access Vulnerability

Oracle Audit Privileges

Note: For more information on Oracle OS check requirements, see Operating system considerations and/or “Appendix O: Oracle Critical Patch Update Detection” in the AppDetectivePro User’s Guide.

To conduct a full Oracle Audit, you need the following privileges. Make sure the account you are using has rights to use the following tables and views:

• DBA_PROFILES

• DBA_ROLES

• DBA_ROLE_PRIVS

• DBA_STMT_AUDIT_OPTS

• DBA_SYS_PRIVS

• DBA_TABLES

• DBA_TAB_PRIVS

• DBA_USERS

• PRODUCT_COMPONENT_VERSION

• SYS.LINK$

• SYS.USER$

• V_$PARAMETER (the Scan Engine selects from V$PARAMETER but you must grant SELECT on V_$PARAMETER)

• SYS.DBA_SOURCE

• DBA_OBJECTS

• V$LOG

Note: The account must also have the CREATE SESSION privilege.

The following script creates an account with the minimum privileges necessary to perform a Security Audit on an Oracle SID. Be sure that whatever account is used to conduct your Audit has at least the SELECT privileges listed below:

    -- Create the audit account; substitute your own password for
    -- APPDETECTIVE_AUDITOR_PASSWORD.
    CREATE USER APPDETECTIVE_AUDITOR IDENTIFIED BY APPDETECTIVE_AUDITOR_PASSWORD;
    -- Read access to the dictionary objects the checks query.
    GRANT SELECT ON DBA_PROFILES TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_ROLES TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_ROLE_PRIVS TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_STMT_AUDIT_OPTS TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_SYS_PRIVS TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_TABLES TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_TAB_PRIVS TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_USERS TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON PRODUCT_COMPONENT_VERSION TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON SYS.LINK$ TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON SYS.USER$ TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON V_$PARAMETER TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON SYS.DBA_SOURCE TO APPDETECTIVE_AUDITOR;
    -- The account must be able to log in.
    GRANT CREATE SESSION TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON DBA_OBJECTS TO APPDETECTIVE_AUDITOR;
    GRANT SELECT ON SYS.V_$LOG TO APPDETECTIVE_AUDITOR;
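After running the script, a DBA can confirm that the account holds every required grant and nothing more. The queries below are an added example, not part of the DbProtect guide; they assume the account name APPDETECTIVE_AUDITOR from the script and count only direct grants.

```sql
-- Added example (not from the DbProtect guide). Run as a DBA.
-- 1. Required objects on which APPDETECTIVE_AUDITOR has no direct SELECT
--    grant. Privileges received through a role or PUBLIC are not counted.
SELECT req.object_name AS missing_direct_select
FROM (
    SELECT 'DBA_PROFILES' AS object_name FROM dual UNION ALL
    SELECT 'DBA_ROLES'                   FROM dual UNION ALL
    SELECT 'DBA_ROLE_PRIVS'              FROM dual UNION ALL
    SELECT 'DBA_STMT_AUDIT_OPTS'         FROM dual UNION ALL
    SELECT 'DBA_SYS_PRIVS'               FROM dual UNION ALL
    SELECT 'DBA_TABLES'                  FROM dual UNION ALL
    SELECT 'DBA_TAB_PRIVS'               FROM dual UNION ALL
    SELECT 'DBA_USERS'                   FROM dual UNION ALL
    SELECT 'PRODUCT_COMPONENT_VERSION'   FROM dual UNION ALL
    SELECT 'LINK$'                       FROM dual UNION ALL
    SELECT 'USER$'                       FROM dual UNION ALL
    SELECT 'V_$PARAMETER'                FROM dual UNION ALL
    SELECT 'DBA_SOURCE'                  FROM dual UNION ALL
    SELECT 'DBA_OBJECTS'                 FROM dual UNION ALL
    SELECT 'V_$LOG'                      FROM dual
) req
WHERE NOT EXISTS (
    SELECT 1
    FROM dba_tab_privs p
    WHERE p.grantee    = 'APPDETECTIVE_AUDITOR'
      AND p.privilege  = 'SELECT'
      AND p.table_name = req.object_name
)
ORDER BY req.object_name;

-- 2. System privileges other than CREATE SESSION. The script grants none,
--    so any row here is privilege the audit account does not need.
SELECT privilege, admin_option
FROM dba_sys_privs
WHERE grantee = 'APPDETECTIVE_AUDITOR'
  AND privilege <> 'CREATE SESSION';

-- 3. Roles granted to the account. The script grants none.
SELECT granted_role, admin_option
FROM dba_role_privs
WHERE grantee = 'APPDETECTIVE_AUDITOR';
```

An empty result from all three queries means the account matches the script exactly.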

The following is a list of checks within the Scan Engine for an Oracle Security Audit, and the tables and views they need permission to access in order to function properly:

• Account associated with DEFAULT profile: DBA_USERS

• Account granted the predefined role CONNECT: DBA_ROLE_PRIVS

• Account granted the predefined role DBA: DBA_ROLE_PRIVS

• Account granted the predefined role RESOURCE: DBA_ROLE_PRIVS

• Accounts with SYSTEM as default tablespace: DBA_USERS

• ANSI join syntax bypasses object privileges: PRODUCT_COMPONENT_VERSION

• ANY system privilege applies to data dictionary: V$PARAMETER

• Auditing Not Enabled: V$PARAMETER

• Auditing of CREATE SESSION not enabled: DBA_STMT_AUDIT_OPTS

• BFILENAME buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION

• Brute-force database password: DBA_USERS

• Brute-force role password: SYS.USER$

• Cleartext password stored with database link: SYS.LINK$

• Create library privilege: DBA_SYS_PRIVS, PRODUCT_COMPONENT_VERSION

• Database link buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION

• Database user allows remote authentication: DBA_USERS, V$PARAMETER

• DBLINK_ENCRYPT_LOGIN not enabled: SYS.LINK$, V$PARAMETER

• Default database password: DBA_USERS

• Easily-guessed database password: DBA_USERS

• Easily-guessed role password: SYS.USER$

• Expired password: DBA_USERS, PRODUCT_COMPONENT_VERSION

• Kick Listener DoS (Verify version): PRODUCT_COMPONENT_VERSION

• Label Security row label improperly assigned: PRODUCT_COMPONENT_VERSION

• Label Security SQL predicates bypassed: PRODUCT_COMPONENT_VERSION

• Label Security unauthorized higher level read: PRODUCT_COMPONENT_VERSION

• Listener debug DoS (Verify version): PRODUCT_COMPONENT_VERSION

• Listener format string buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION

• Locked account: DBA_USERS, PRODUCT_COMPONENT_VERSION

• MTDS DoS (Verify version): PRODUCT_COMPONENT_VERSION

• NERP DoS (Verify version): PRODUCT_COMPONENT_VERSION

• Non-standard account with DBA role: DBA_ROLE_PRIVS

• NSPTCN buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION

• NSPTCN data offset DoS (Verify version): PRODUCT_COMPONENT_VERSION

• Object privilege grantable: DBA_TAB_PRIVS

• Object privilege granted to account: DBA_TAB_PRIVS, DBA_USERS

• Object privilege granted to PUBLIC: DBA_TAB_PRIVS

• Oracle file overwrite: PRODUCT_COMPONENT_VERSION

• OS authentication prefix: V$PARAMETER

• Overdue password change: SYS.USER$

• Password for database user same as username: DBA_USERS

• Privilege granted to SELECT from data dictionary: DBA_TABLES, DBA_TAB_PRIVS

• Privilege on audit trail table: DBA_TAB_PRIVS

• Privilege on database link table: DBA_TAB_PRIVS, DBA_USERS

• Privilege to execute UTL_FILE granted to PUBLIC: DBA_TAB_PRIVS

• Privilege to execute UTL_HTTP granted to PUBLIC: DBA_TAB_PRIVS

• Privilege to execute UTL_SMTP granted to PUBLIC: DBA_TAB_PRIVS

• Privilege to execute UTL_TCP granted to PUBLIC: DBA_TAB_PRIVS

• Profile settings - Failed Login Attempts: DBA_PROFILES, PRODUCT_COMPONENT_VERSION

• Profile settings - Password Grace Time: DBA_PROFILES, PRODUCT_COMPONENT_VERSION

• Profile settings - Password Life Time: DBA_PROFILES, PRODUCT_COMPONENT_VERSION

• Profile settings - Password Lock Time: DBA_PROFILES, PRODUCT_COMPONENT_VERSION

• Profile settings - Password Reuse Maximum: DBA_PROFILES, PRODUCT_COMPONENT_VERSION

• Profile settings - Password Reuse Time: DBA_PROFILES, PRODUCT_COMPONENT_VERSION

• Profile settings - Password Verify Function: DBA_PROFILES, PRODUCT_COMPONENT_VERSION

• Remote login password file not disabled: V$PARAMETER

• Remote OS Authentication enabled: V$PARAMETER

• Remote OS Roles enabled: V$PARAMETER

• Requestor version DoS (Verify version): PRODUCT_COMPONENT_VERSION

• Role without password: DBA_ROLES

• Roles granted WITH ADMIN OPTION: DBA_ROLE_PRIVS

• SERVICE_CURLOAD DoS (Verify version): PRODUCT_COMPONENT_VERSION

• SERVICE_NAME buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION

• SNMP DoS (Verify version): PRODUCT_COMPONENT_VERSION

• SQL92_SECURITY parameter not enabled: V$PARAMETER

• SYSDBA auditing bug: PRODUCT_COMPONENT_VERSION

• System privilege granted to account: DBA_SYS_PRIVS, DBA_USERS

• System privilege granted to PUBLIC: DBA_SYS_PRIVS

• System privilege granted WITH ADMIN OPTION: DBA_SYS_PRIVS

• System privilege with ANY clause: DBA_SYS_PRIVS

• TCL debugger installs with setUID root: DBA_SYS_PRIVS

• TCL debugger installs with setUID root: PRODUCT_COMPONENT_VERSION

• TO_TIMESTAMP_TZ buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION

• TZ_OFFSET buffer overflow (Verify version): PRODUCT_COMPONENT_VERSION

• Trace reporting buffer overflow: PRODUCT_COMPONENT_VERSION

• UTL_FILE_DIR unrestricted: V$PARAMETER

• XSQL Servlet stylesheet as URL parameter: PRODUCT_COMPONENT_VERSION

Sybase Audit privileges

To conduct a full Sybase Audit, you need the following privileges. Make sure the account you are using has rights to use the following tables and views:

• SELECT @@VERSION

• master.dbo.syslogins

• master.dbo.syssrvroles

• master.dbo.sysdatabases

• master.dbo.sysconfigures

• master.dbo.syscurconfigs

• master.dbo.sysroles

• master.dbo.sysloginroles

• master.dbo.sysattributes

• master.dbo.sysservers

• exec sp_loginconfig

• exec sp_displayaudit (if it's >= 11.5)

• sp_auditoption (if it's < 11.5 and >= 11.0)

• master.dbo.syblicenseslog

• master.dbo.syscharsets

• <db name>.dbo.sysusers

• <db name>.dbo.sysobjects

• <db name>.dbo.syscomments

• exec <db name>.dbo.sp_help_resource_limit (if it's >= 11.5)

The following is a list of checks within the Scan Engine for Sybase Security Audit, and the tables and views to which each check needs access in order to function properly:

• Absolute value of numeric DoS (Verify version): SELECT @@VERSION

• Allow resource limit: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Allow sendmsg: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Audit logout not set (if >= 11.5): master.dbo.sysconfigures, master.dbo.syscurconfigs, exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0)

• Audit queue size: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Audit subsystem not installed: master.dbo.sysdatabases

• Auditing disabled: exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0), master.dbo.sysconfigures, master.dbo.syscurconfigs

• Auditing of failed logins not enabled: (if it's >= 11.5) master.dbo.sysconfigures, master.dbo.syscurconfigs, exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0)

• Auditing of successful logins not enabled: (if >= 11.5) master.dbo.sysconfigures, master.dbo.syscurconfigs, exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0)

• Blank password for sa: master.dbo.syslogins

• Buffer Overflow in DBCC CHECKVERIFY: SELECT @@VERSION

• Buffer Overflow in DROP DATABASE: SELECT @@VERSION

• Buffer Overflow in xp_freedll: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, SELECT @@VERSION

• Check password for digit: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Current Audit Table: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Default login exists: exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0), SELECT @@VERSION

• Default password for entldbdbo: master.dbo.syslogins

• Default password for entldbreader: master.dbo.syslogins

• Default password for pkiuser: master.dbo.syslogins

• Default password for PortalAdmin: master.dbo.syslogins

• Default password for pso: master.dbo.syslogins

• Easily-guessed password: master.dbo.syslogins

• Easily-guessed sa password: master.dbo.syslogins

• Event log computer name: master.dbo.sysconfigures, master.dbo.syscurconfigs, SELECT @@VERSION

• Event logging: master.dbo.sysconfigures, master.dbo.syscurconfigs, SELECT @@VERSION

• Exceeded licensing limitations: master.dbo.syblicenseslog

• Expired logins: master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.syslogins

• Guest user exists in database: <db name>.dbo.sysusers, master.dbo.sysdatabases

• Guest user exists in sybsecurity: <db name>.dbo.sysusers, master.dbo.sysdatabases

• List resource limits: exec <db name>.dbo.sp_help_resource_limit (if it's >= 11.5), master.dbo.sysdatabases

• Locked logins: master.dbo.syslogins

• Log audit logon failure: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Log audit logon success: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Login attributes less restrictive: master.dbo.sysattributes, master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.syslogins

• Login granted sa_role: <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.sysloginroles, master.dbo.syslogins, master.dbo.sysroles

• Login granted sso_role: <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.sysloginroles, master.dbo.syslogins, master.dbo.sysroles

• Login mode: exec sp_loginconfig, exec sp_displayaudit (if it's >= 11.5), sp_auditoption (if it's < 11.5 and >= 11.0), SELECT @@VERSION

• Maximum failed logins: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Minimum password length: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Objects not owned by dbo: <db name>.dbo.sysobjects, <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.sysdatabases

• Orphaned user: <db name>.dbo.sysusers, master.dbo.sysdatabases, master.dbo.syslogins, master.dbo.sysroles

• Password same as login name: master.dbo.syslogins

• Permission granted in sybsecurity: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permission granted on system table: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, master.dbo.sysdatabases

• Permission granted on xp_cmdshell: <db name>.dbo.sysobjects, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, master.dbo.sysdatabases

• Permission to select from syslogins: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permissions granted to public: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Permissions granted to user: <db name>.dbo.sysusers, exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases, master.dbo.sysroles

• Remote access allowed: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Require message confidentiality with encryption: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Require message integrity: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Roles revoked from the sa login: master.dbo.sysloginroles, master.dbo.syslogins, master.dbo.syslogins, master.dbo.syssrvroles

• Roles without passwords: master.dbo.syssrvroles

• Secure default login exists: master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.syslogins

• Select all DoS (Verify version): SELECT @@VERSION

• Select/Into DoS (Verify version): SELECT @@VERSION

• Server configured with remote server: master.dbo.sysservers

• SSL Enabled: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Start mail session: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Statement permission granted: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• Suspend audit when full disabled: master.dbo.sysconfigures, master.dbo.syscurconfigs

• System-wide password expiration: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Unified login required: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Unlocked sa login: master.dbo.syslogins

• Unrestricted access to syscomments: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Updates allowed to system tables: master.dbo.sysconfigures, master.dbo.syscurconfigs

• Use security services: master.dbo.sysconfigures, master.dbo.syscurconfigs

• With Grant Option: exec <db name>.dbo.sp_helprotect, master.dbo.sysdatabases

• xp_cmdshell context: <db name>.dbo.sysobjects, master.dbo.sysconfigures, master.dbo.syscurconfigs, master.dbo.sysdatabases

• xp_cmdshell not removed: <db name>.dbo.sysobjects, master.dbo.sysdatabases

Operating system considerations

Some Audit checks require more than just a valid database account to perform correctly. They have different requirements depending upon whether the operating system (OS) is Windows or UNIX. (The checks are listed in the Audit category OS Integrity.) They only run if the target database has the appropriate OS.

This topic consists of the following sub-topics:

• Windows OS Audit Check Requirements

• UNIX OS Audit Check Requirements.

WINDOWS OS AUDIT CHECK REQUIREMENTS

The Scan Engine performs Windows OS checks via Windows authentication. Make sure the account and computer you are running the Scan Engine from have the appropriate permissions for the corresponding checks:

• Not Using NTFS Partition. Permission to read the installation disk type.

• Registry Permissions. Remote registry access.

• Service Runs as Local System. Permission to list the system services.

• Permissions on Files. Permission to read files in the installation directory of the database.

UNIX OS AUDIT CHECK REQUIREMENTS

The Scan Engine performs Unix OS checks via a Telnet or SSH account. Your account must have the appropriate read and directory listing permissions activated on the database installation and running directories.

If you run the following checks:

Then you must have permission to:

Permissions on Files List files in the installation directories of the database.

Setgid Bit Enabled

Setuid Bit Enabled

Properly-Configured Environment Variables

The Scan Engine can Audit platforms that use system variables to specify the location of the database instances. In UNIX, you must set the environment variables correctly in order to use SSH or Telnet to access the accounts. Specific requirements follow.

If you want to Audit the following platform:

Then you must have permission to:

Oracle Make sure the $ORACLE_HOME variable is correct.

Sybase Make sure the $SYBASE variable is correct.

MySQL Define a datadir or basedir variable to point to the database root.
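The UNIX requirements above (read and directory-listing permission, the Setuid/Setgid checks, and a correct $ORACLE_HOME or $SYBASE) can be verified before a scan by running a script such as the following as the Scan Engine's Telnet/SSH account. This is an added example, not part of the DbProtect product or guide; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the DbProtect guide): pre-flight for the UNIX OS
# audit checks. Run it as the Telnet/SSH account the Scan Engine will use,
# not as root: root passes every permission test, which hides the problem.
# All function names are hypothetical.

# db_home_status VAR: validate the variable that locates the database
# (ORACLE_HOME, SYBASE, or whatever variable holds the MySQL datadir/basedir).
# Returns 0 ok, 1 unset or empty, 2 not a directory,
# 3 not readable/listable, 4 invalid variable name.
db_home_status() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 4 ;;   # refuse anything eval could abuse
    esac
    eval "_dir=\${$1:-}"
    [ -n "$_dir" ] || return 1
    [ -d "$_dir" ] || return 2
    [ -r "$_dir" ] && [ -x "$_dir" ] || return 3
    return 0
}

# unlistable_dirs DIR: print each directory under DIR that this account
# cannot both read (list) and enter. Empty output means the
# "Permissions on Files" check can see the whole tree.
unlistable_dirs() {
    find "$1" -type d 2>/dev/null | while IFS= read -r d; do
        [ -r "$d" ] && [ -x "$d" ] || printf '%s\n' "$d"
    done
}

# special_bit_files DIR: print regular files under DIR that carry the
# setuid (4000) or setgid (2000) bit, i.e. what the "Setuid Bit Enabled"
# and "Setgid Bit Enabled" checks would have to find.
special_bit_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# preflight VAR: run all three checks against the tree that $VAR points to.
# Returns 0 only if the variable is valid and every directory is listable.
preflight() {
    db_home_status "$1" || { echo "$1: unusable (status $?)" >&2; return 1; }
    eval "_root=\${$1}"
    _bad=$(unlistable_dirs "$_root")
    if [ -n "$_bad" ]; then
        echo "cannot list:" >&2
        printf '%s\n' "$_bad" >&2
        return 1
    fi
    echo "setuid/setgid files under $_root:"
    special_bit_files "$_root"
}

# Usage, from the audit account's login shell:
#   preflight ORACLE_HOME
#   preflight SYBASE
```

A non-zero result from `preflight` means the OS Integrity checks for that platform would run with an incomplete view of the installation.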

Appendix M: Auditing SQL Server (Using Windows Authentication) Against a Machine on a Different or Untrusted Domain

If you attempt to Audit a SQL Server database (using Windows Authentication) against a machine on a different or untrusted domain, the following error message may display:

SQLSTATE: 28000, Native error: 18452, Message: [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user ''. The user is not associated with a trusted SQL Server connection..

To Audit a SQL Server database (using Windows Authentication) against a machine on a different or untrusted domain:

Step Action

1 Establish a connection to the target server.

Enter the appropriate Net Use syntax. For a remote host that is a:

• member of domain, enter: net use \\ip /user:domain\username

• workgroup member (standalone computer), enter: net use \\ip /user:username or net use \\ip /user:computername\username

2 Use named pipes to connect to an untrusted domain.

Select the Properties branch option Connect to Microsoft SQL Servers via Named Pipes. You must check this option when Auditing a SQL Server database in an untrusted domain.

Note: You must enable the named pipes protocol on both the Scan Engine host and the SQL Server target server when using this option.

3 Make sure of the following:

• That the Server and Remote Registry services on your remote host are running

• That the set of credentials used with Net Use is a member of either the domain hosting the target server, or a domain that is trusted by that domain

• That the login provides remote registry access and read-only file access to the remote machine. To check this, do the following:

-enter net use \\server with your credentials, and expand HKEY_LOCAL_MACHINE on the target server

-enter net use \\server\c$ to verify you can access files on the target server.

• That access to the remote host is not blocked by a firewall, a restriction that is common on Windows 2003/XP/Vista. You can verify this on the remote host by looking in the firewall settings/logs for rejected packets. There should be connectivity on port 445 or 139 on the target host.

4 Do the following to create and test a DSN connection to the target host:

• Choose Control Panel > Administrative Tools > Data Sources (ODBC).

• Open the System DSN tab and click the Add button.

• Choose Microsoft SQL Server from the list.

• Click the Finish button.

• Enter a Name and Description for this data source entry.

• In the Server field, enter the IP address and listening port of the target server, e.g., 172.27.190.58,1756.

• Click the Next button.

• Select SQL Server Authentication and enter your database credentials in the Login ID and Password fields.

• Click the Next button.

• Follow the steps in the wizard.

5 You should now be able to test the connection to the data source. If this test is successful, you should also be able to perform the Audit with the Scan Engine. If you are unable to connect, try using the other IP address, or use Windows Authentication rather than the SQL credentials (after connecting with Net Use).

Appendix N: Troubleshooting the Java Run Time Environment (JRE) Security Settings on Internet Explorer 6 and Greater

If you are experiencing difficulty logging into DbProtect, you may need to troubleshoot the Java Runtime Environment (JRE) security settings on your Internet Explorer (IE) 6 or greater web browser. This appendix explains how.

Your connection problems are probably related to one of the following causes:

• If your web browser is IE 6. Proper Active X controls and “enable third-party browser extensions” security settings may not be enabled on your IE 6 browser. If this is the case, you will encounter an error message when you attempt to authenticate, and you can’t log in to the Console. To troubleshoot this problem, see Enabling proper Active X controls and “Enable Third-Party Browser Extensions” security settings (using IE 6).

• If your web browser is IE 7. JRE 1.6 may be disabled and/or multiple JREs may be enabled on your client (i.e., the location from which your IE 7 browser is running). JRE 1.6 must be enabled in order for you to connect to the Console. If JRE 1.6 is disabled, or if multiple JREs of different versions are enabled on your client, then you will encounter an error message when you attempt to authenticate, and you can’t log in to the Console. To troubleshoot this problem, see Ensuring JRE 1.6 is enabled and temporarily disabling other JREs on your client machine (using IE 7).

Enabling proper Active X controls and “Enable Third-Party Browser Extensions” security settings (using IE 6)

Note: The following security settings should be the default values in your IE 6 web browser. You should only change the settings if you’re experiencing difficulty logging into the Console.

To enable proper Active X controls and “enable third-party browser extensions” security settings on IE 6:

Step Action

1 Launch IE 6.

2 Do the following:

• Choose: Tools > Internet Options.

• Click the Security tab.

• Click the Custom Level button to display the Security Settings dialog box.

3 • Set the following security settings to Enable or Prompt:

-Download signed ActiveX controls

-Run ActiveX controls and plug-ins.

• Click the OK button.

• Click the Advanced tab to display the Advanced Settings dialog box.

4 • Check Enable Third-party browser extensions (requires restart).

• Click the OK button.

• Close and re-launch IE 6 or greater.

5 Try to log back into the Console. If you continue to experience trouble, contact Application Security, Inc. Customer Support at [email protected].

Ensuring JRE 1.6 is enabled and temporarily disabling other JREs on your client machine (using IE 7)

To ensure JRE 1.6 is enabled, and to temporarily disable multiple JREs on your client machine (using IE 7):

Step Action

1 Launch IE 7.

2 Do the following:

• Choose: Tools > Internet Options.

• Click the Advanced tab to display the Settings dialog box.

3 Scroll down to the Java (Sun) portion of the dialog box and verify the following:

• JRE 1.6 is enabled (i.e., the box must be checked)

• multiple JRE installations are listed.

JRE 1.6 must be enabled in order for you to connect to the Console. If it is not, check the JRE 1.6 box.

If JRE 1.6 is enabled, and other JRE versions are also enabled, then you must temporarily disable them by un-checking the boxes.

4 • Click the Apply button.

• Click the OK button.

• Close and re-launch IE 7.

5 Try to log back into the Console. If you continue to experience trouble, contact Application Security, Inc. Customer Support at [email protected].

Appendix O: Determining Your NetBIOS Name and Your Full-Qualified Domain Name

If you cannot log in to the Console, it may be because, in your network environment, the NetBIOS name is different from the full-qualified domain name. You need to provide the domain name in the Domain: field (on the Console login page). This appendix explains how to determine your:

• NetBIOS name (from a command line); for more information, see Determining your NetBIOS name using a command line

• full-qualified domain name (from the Windows Control Panel); for more information, see Determining your full-qualified domain name using the Control Panel.

Determining your NetBIOS name using a command line

To determine your NetBIOS name using the command line:

Step Action

1 Choose Start > Run to display the Run dialog box.

2 Enter cmd.exe in the Open field.

3 Click the OK button to display a command window.

Enter nbtstat -n to display a listing of NetBIOS names associated with your local machine.

4 FIGURE: Listing of NetBIOS names

5 Look up which NetBIOS Name belongs to the Type called Group and has a NetBIOS code of <00>. This is your NetBIOS name.

Determining your full-qualified domain name using the Control Panel

To determine your full-qualified domain name using the Windows Control Panel:

Step Action

1 Choose Start > Control Panel to display the Control Panel.

2 Double click the System icon to display the System Properties dialog box.

3 FIGURE: System Properties window

4 Click the Computer Name tab to display your full-qualified Domain: name.

Appendix P: Monitoring Multiple Instances on a DB2 Server

To monitor multiple instances on a DB2 server:

Step Action

1 Install one host-based Sensor for DB2 (on any *nix platform) for each instance you want to monitor; for more information, see:

• Host-based Sensor for DB2 (on Red Hat Enterprise Linux) - installation steps

• Host-based Sensor for DB2 (on Solaris) - installation steps

• Host-based Sensor for DB2 (on AIX) - installation steps.

2 Modify the XML files for each host-based Sensor for DB2 installation and assign a unique port number to each host-based Sensor for DB2. To do so, you must change the port number in the sensor.xml and sensor_original.xml files (located in <installation dir>/ASIappradar/sensor/conf) so each host-based Sensor for DB2 has a unique port number; for more information, see Appendix C: Modifying the Sensor Listener Port Number.

3 In these environments, when launching the sensor, go to <installation dir>/ASIappradar/sensor/util, and launch it as follows: appradar_start -p. This allows the host-based Sensor for DB2 to co-exist with other Sensors on the same host.

Appendix Q: Clearing Your Java Cache

If you are experiencing difficulty logging into the DbProtect Console, you may need to clear your Java cache. Application Security, Inc. also recommends you clear your Java cache after an upgrade. The Java cache does not get automatically cleared following a reboot.

To clear your Java cache:

Step Action

1 Choose Start > Control Panel to display the Control Panel.

2 Double click the Java icon to display the Java Control Panel dialog box.

3 With the default General tab selected, click the Settings... button (in the Temporary Internet Files section of the dialog box) to display the Temporary Files Settings dialog box.

4 Click the Delete Files... button to clear your Java cache.

5 Close your web browser and attempt to log into the DbProtect Console again.