Page 1: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Symantec™ ControlCompliance Suite DataCollection Privileges Guide

Version: 11.0


Symantec™ Control Compliance Suite Data Collection Privileges Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 11.0

Legal Notice
Copyright © 2013 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Personal Information. You may configure the Licensed Software to collect personal information, including but not limited to, IP address, domain name, domain users, user name, login passwords, security logs, server logs, which is stored on Your system only and is not transmitted to Symantec. Please contact Your network administrator for further details.

Telemetry Option; Non-Personal Information. The Licensed Software contains a telemetry feature which may collect non-personal information. Such non-personal information may include, without limitation, machine configuration, SQL server details, license status, and system performance and will not be correlated with any personal information. Unless You affirmatively opt out of this feature, telemetry will be automatically enabled to transmit such non-personal information to Symantec so we can better understand the usability and supportability of the product.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com


Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

  ■ Error messages and log files

  ■ Troubleshooting that was performed before contacting Symantec

  ■ Recent software configuration changes and network changes

Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] Asia-Pacific and Japan

[email protected] Europe, Middle-East, and Africa

[email protected] North America and Latin America

Page 7: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Contents

Technical Support ... 4

Chapter 1 Privileges for Windows ... 9

Trust requirement to query Windows targets ... 9
Minimum required privileges to query Windows targets ... 9
Windows domain cache credentials ... 12
Frequently asked questions about Windows domain cache credentials ... 13

Chapter 2 Privileges for SQL Server ... 17

Trust requirement to query an SQL Server database ... 17
Minimum required privileges to query an SQL Server database ... 17
Privileges to import an SQL Server Asset ... 18
Privileges for all the data sources ... 19
Privileges for specific data sources ... 19

Chapter 3 Privileges for Oracle ... 31

Trust requirement to query an Oracle database ... 31
Minimum required privileges to query an Oracle database ... 31
Privileges for database-related queries ... 32
Privileges for platform-specific queries ... 33
Privileges on views to query database-related data sources ... 33
Using sudo functionality for querying Oracle UNIX targets ... 35
Disabling password prompt in the sudoers file ... 36
Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file ... 36
Optimizing queries using sudo in the ExecutionContext.ini file ... 37
Example of the sudoers file ... 38


Chapter 1
Privileges for Windows

This chapter includes the following topics:

■ Trust requirement to query Windows targets

■ Minimum required privileges to query Windows targets

■ Windows domain cache credentials

Trust requirement to query Windows targets
Before SCU 2012-03, a one-way trust from the CCS Manager domain to the target computer domain was required if the CCS Manager in the data collector role and the Windows target computers were located in different domains. This trust was required for the CCS Manager to log in to the target computer in order to perform data collection on the targets.

CCS v11.0 SCU 2012-03 removes the trust requirement. Once you install SCU 2012-03, you no longer require a trust between the CCS Manager domain and the target computer domain.

Minimum required privileges to query Windows targets

CCS requires local administrator privileges on target computers for some of the Windows APIs that are built into the product.

As an example, the following is the list of checks, belonging to data sources mapped to the PCI DSS v2.0 mandate, that require local administrator privileges.


Table 1-1 Data sources mapped to PCI DSS v2.0 mandate that require local administrator privileges

Data source: IIS related data sources
Mapped standard name: CIS Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP and Server 2003 v1.0
Mapped check name:
■ 4.14.1 Has the trust level been set to medium?
■ 1.1.8 Has the /IISHelp Virtual Directory mapping been removed?
■ 1.2.2 Has the Implicit remote functionality of RDS been disabled?
■ 3.2.1 Is Client-side Application Debugging (AppAllowClientDebug) disabled?
■ 3.3.1 Is Server-side Application Debugging not allowed?
Privilege required: For IIS 6, the querying user should be a Local Administrator on the target computer. For IIS 7, most of the data is collected using WMI APIs.

Data source: Registry
Mapped standard name: CIS Security Configuration Benchmark For Microsoft Windows Server 2008 and Windows Server 2008 R2 v1.1.0
Mapped check name:
■ Is "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic" set?
■ Has Configuring of TPM platform validation profile been disabled?
Privilege required: The querying user should have either local administrator or WMI rights on the target computer. Registry data is collected using WMI APIs.

Data source: Directory
Mapped standard name: CIS Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP and Server 2003 v1.0
Mapped check name:
■ 1.2.5 Have the RDS files and directories been removed from Program Files\Common Files\System\Msadc?
■ 1.1.1 Have the contents of the "inetpub\wwwroot" folder been removed?
Mapped standard name: CIS Security Configuration Benchmark For Microsoft IIS 7.0 v1.1.0
Mapped check name:
■ 1.1.2.8 Is the msadc folder removed?
Privilege required: The querying user should be a Local Administrator on the target computer.

Data source: Files
Mapped standard name: CIS Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP and Server 2003 v1.0
Mapped check name:
■ 1.2.5 Have the RDS files and directories been removed from Program Files\Common Files\System\Msadc?
■ 1.1.1 Have the contents of the "inetpub\wwwroot" folder been removed?
Privilege required: The querying user should be a Local Administrator on the target computer.

Data source: File Security
Mapped standard name: CIS Legacy Security Settings Benchmark for Windows 2003 Domain Controller v2.0
Mapped check name:
■ 4.4.1.18 %SystemRoot%\system32\regedt32.exe Secured?
■ 4.4.1.6 %SystemRoot%\system32\drwatson.exe Secured?
Privilege required: The querying user should be a Local Administrator on the target computer.

Data source: Service Security
Mapped standard name: CIS Legacy Security Settings Benchmark for Windows 2003 Domain Controller v2.0
Mapped check name:
■ 4.1.1.12 License Logging Service Permissions Restricted?
■ 4.1.1.22 Remote Administration Service Permissions Restricted?
■ 4.1.1.35 Telnet Service Permissions Restricted?
Privilege required: The querying user should be a Local Administrator on the target computer.

Windows domain cache credentials
For querying Windows targets, you must create a domain cache on the CCS Manager to store the users, groups, computers and so on, for optimizing data collection. The domain cache can be created by an Active Directory user who is not a domain administrator but has read access over the RootDSE objects of Active Directory.

See "Frequently asked questions about Windows domain cache credentials" on page 13.


Frequently asked questions about Windows domain cache credentials
This section provides functional information on Windows domain cache credentials, which lets you address all your queries on using Windows domain cache credentials.

Note: The information in this document is according to the CCS v11.0 release.

Table 1-2 Windows Domain Cache Credentials - FAQ

Query: What is the domain cache and why is it required?
Resolution: The domain cache is a Microsoft Access database file which contains information about users, groups, computers, and miscellaneous domain data that are required during data collection. This cache is required to optimize the data collection job, so that the domain controller is not queried for this data on every job.

Query: Was the domain cache built into the legacy RMS system?
Resolution: Yes. The Windows domain cache was built into RMS as well, and was built on the Master Query Engine.

Query: What are the contents of the domain cache?
Resolution: The cache contains users, groups, computer information, and miscellaneous domain data that are required during data collection.

Query: Is the entire Active Directory replicated into the Windows cache?
Resolution: Only the data that CCS requires during data collection is cached. The entire Active Directory is not cached. The cache also gets updated if there is any change in AD for the data which is cached.

Query: Where do you provide domain cache credentials in CCS Reporting & Analytics?
Resolution: You can provide Windows domain cache credentials by navigating to the Settings menu. Go to Credentials view > Add Common Credentials tab and select Windows Domain Cache as the Platform type.

Query: For parent-child domains, do we need to specify credentials for each domain or only for the parent domain?
Resolution: The cache is built per domain. Hence, you need to provide credentials per domain.

Query: Where is the cache stored?
Resolution: The cache is stored on the CCSM in the folder <InstallDir>/DPS/Control/Windows/Cache.

Query: How is this Windows domain cache secured?
Resolution: The Windows domain cache is a password-protected Microsoft Access database file.

Query: How does CCS use the Windows domain cache credential to build the domain cache?
Resolution: The domain cache is built internally during data collection. Using the domain cache credentials, CCS Manager (CCSM) connects to the domain controller (AD) and fetches the required information to build and update the cache.

Query: Which data sources refer to data from the Windows domain cache?
Resolution: Any entity or data source that fetches data from the host Windows computer refers to the Windows domain cache. Thus, all Windows platform entities or data sources refer to the cache. SQL and Oracle entities or data sources which need to fetch data from the host Windows computers also refer to the Windows domain cache.

Query: What is the format of the credentials which need to be provided for Windows domain cache credentials?
Resolution:
Domain name field: the domain name in NetBIOS format.
Username field: domain name\username or username@domain name FQDN
Password field: <password>
At present the requirement is confined to Windows domain user credentials.

Query: What are the minimum privileges that are required for the account to create the domain cache?
Resolution: The minimum privileges that are required for the account to create the domain cache are available with Security Content Updates 2012-3.

Query: Do I need to restart the CCSM service after providing domain cache credentials?
Resolution: Symantec recommends that you restart the CCSM service after you reset credentials.

Query: Do we need to provide Windows domain cache credentials even if we perform data collection using RMS?
Resolution: Credentials in CCS R&A are required only during data collection through the new simplified architecture by way of CCSM.

Query: What protocol does CCS use to build the domain cache? Does any firewall port need to be opened between the domain controller and the CCS server?
Resolution: The cache is built using the MS RPC protocol and needs the RPC ports open. The mechanism is the same as what CCS needs for Windows data collection.

Query: Is the cache created or required in agent-based mode of data collection?
Resolution: The cache is required for both agent-based and agentless modes of data collection. The cache is always created and updated on the CCSM. This cache is pushed to the agent when the agent has an outdated copy of the cache.

Query: Is the entire cache pushed to the agent during data collection?
Resolution: The entire cache is pushed to the agent up to the cache size threshold limit. If the cache size has crossed the threshold limit, then only the cache difference (delta) is sent to the agent. The cache threshold limit can be managed on the Windows platform settings page by navigating to Settings > System Topology > Map View > Common Tasks > Configure Platform Settings > Windows.

Query: Can Windows domain cache building be optional?
Resolution: No.

Query: Is there a separate job to create the domain cache?
Resolution: CCS does not provide a separate job to create the domain cache. The domain cache is created during data collection if the cache file is not present on the CCSM.

Query: Is there a separate job to update the domain cache?
Resolution: CCS does not provide a separate job to update the domain cache. The domain cache is updated during data collection if the cache on the CCSM is out of date.

Query: What is the refresh interval for the domain cache?
Resolution: By default, the cache refresh interval is 72 hours. The refresh interval can be managed for the Windows platform for a particular site on the platform settings page by navigating to Settings > System Topology > Grid View > Common Tasks > Configure Platform Settings > Windows.

Query: What is the lowest value that can be set for the domain cache refresh interval?
Resolution: The lowest value you can set for the domain cache refresh interval is 5 hours.

Query: Why do we need the setting, Last logon interval?
Resolution: Last Logon Interval is required for updating the user last logon field in the cache file.

Query: Is the Windows domain cache built for workgroup computer assets?
Resolution: The Windows domain cache is required only for domain member server targets or assets. Since workgroup assets do not belong to a domain, the Windows cache is not built for workgroup computer assets.

Query: Why does the data collection job show an error for not being able to build the cache, even though the data collection job completes successfully?
Resolution: These warning messages are shown for trusted domains for which the cache cannot be built. The cache for trusted domains is optional, and hence the data collection job completes successfully. Symantec recommends that you provide domain cache credentials for the trusted domains also, so that the cache for them can be built and the data collection results can be accurate.

Query: What if the cache file gets deleted accidentally?
Resolution: Restart the CCSM service on the computer where the cache was stored. The next run of the data collection job builds the cache again.

Query: What if the Windows domain cache is unable to build on a workgroup CCSM?
Resolution: The CCS Manager requires a minimum one-way trust between the CCSM and the domain for which it creates the cache. Hence, the CCSM cannot build the cache for a domain that is not trusted, or if the CCSM is in a workgroup.

Query: Is the cache synchronized between all CCSMs?
Resolution: The CCSM that gets the data collection job automatically refreshes the cache for itself, and no synchronization is required between CCSMs.


Chapter 2
Privileges for SQL Server

This chapter includes the following topics:

■ Trust requirement to query an SQL Server database

■ Minimum required privileges to query an SQL Server database

Trust requirement to query an SQL Server database
Ensure that there is a domain trust relationship if the CCS Manager in the data collector role and the target computers for SQL are located in different domains. You must have a one-way trust from the CCS Manager domain to the target computer domain. The CCS Manager must be able to log in to the target computer in order to perform data collection using the minimum privileges mentioned in this document.

Note: The trust requirements mentioned in this document are applicable as of the current release of Control Compliance Suite 11.x. Symantec continues to investigate the opportunity to enable product functionality with the least privileges and trust requirements as an on-going effort.

See "Minimum required privileges to query an SQL Server database" on page 17.

Minimum required privileges to query an SQL Server database

CCS requires certain minimum rights to query against the data sources.

These minimum rights are required by the credentials specified in the Credentials Database.


Note: For data collection on SQL Server 2008, if your organization has specific roles for a SQL Database Administrator, Symantec recommends that the DBA enters the SQL DB Admin privileges wherever required.

The SQL DB Admin privileges may be mandated by the SQL Server application. The CCS Administrator does not require a SQL DB Admin role.

The following minimum user rights are required to query the SQL Server:

■ The user credentials supplied (Windows user or SQL Server user) for connecting to the SQL Server should be a login on that SQL Server. Otherwise, the credential verification in the SQL data collector fails.

■ The user credentials supplied for connecting to the SQL Server (Windows user or SQL Server user) must have read rights on the master database. This master database must be that of the SQL Server being queried. Otherwise, the credential verification in the SQL data collector fails.

■ To query a particular database on the SQL Server, read rights are required on that database.

■ You must have the VIEW ANY DEFINITION permission on the Microsoft SQL Server being queried. To grant this permission, the following SQL statement must be executed against the master database for the login whose credentials are mentioned in the Credential Database:

GRANT VIEW ANY DEFINITION TO [Server Login]

For example,

GRANT VIEW ANY DEFINITION TO [TestDomain\TestUser]

See "Privileges to import an SQL Server Asset" on page 18.

See "Privileges for all the data sources" on page 19.

See "Privileges for specific data sources" on page 19.

Privileges to import an SQL Server Asset
To import an SQL Server asset into CCS, the Windows user credentials supplied for connecting to the SQL Server should be a local administrator on the SQL Server machine. Otherwise, the SQL Server asset does not get imported.

In order to import the SQL Server asset, CCS requires a list of all SQL instances running on the target computer hosting the SQL Server. Each SQL instance has a separate service, which can be seen in the Service Control Manager (SCM) of the target computer. To get the list of SQL instances, CCS connects to the SCM of the target computer. As only administrators can remotely connect to the SCM of a target computer, CCS requires the user credentials to have local administrator rights.

Privileges for all the data sources
The following table specifies the Execute/Select permissions required on the stored procedures/system tables in the master database for all the data sources.

Table 2-1 Minimum required privileges for all the data sources

Each row lists the dependent stored procedure (SP) or table (T) in SQL Server, the database it resides in (Master/Current), and the right required on the dependent database object.

■ sp_MSSQLDMO80_version (SP), Master: Exec
■ sp_MSSQLDMO70_version (SP), Master: Exec
■ sp_Msdbuserpriv (SP), Master: Exec
■ sp_MSdbuseraccess (SP), Master: Exec
■ sysprocesses (T), Master: Select
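The rights above are spread over four bullets and Table 2-1, and the per-data-source grants continue in Table 2-2. The following T-SQL script is an added example, not code from the Symantec guide: it provisions one collection login that satisfies the four bullets under "Minimum required privileges", the master-database EXECUTE rights in Table 2-1, and the msdb SELECT rights listed for the Database Backups data source in Table 2-2, and then verifies the result from the login's own point of view. The login name CORP\ccs-sqlcollector and the target database AppDB are hypothetical; run the script as a sysadmin on the instance CCS will query.

```sql
-- Added example, not part of the Symantec guide. Hypothetical names:
--   login    CORP\ccs-sqlcollector   Windows account stored in the CCS Credentials Database
--   database AppDB                   one of the databases CCS will query
-- Run as sysadmin on the SQL Server instance that CCS collects from.

USE master;
GO

-- Bullet 1: the supplied credential must exist as a login on this instance.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\ccs-sqlcollector')
    CREATE LOGIN [CORP\ccs-sqlcollector] FROM WINDOWS;
GO

-- Bullet 2: read rights on master. Mapping a database user grants CONNECT;
-- db_datareader grants SELECT on the tables and views. sp_addrolemember is used
-- because it exists on SQL Server 2005 and 2008 (ALTER ROLE ... ADD MEMBER needs 2012+).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\ccs-sqlcollector')
    CREATE USER [CORP\ccs-sqlcollector] FOR LOGIN [CORP\ccs-sqlcollector];
EXEC sp_addrolemember N'db_datareader', N'CORP\ccs-sqlcollector';
GO

-- Bullet 4: VIEW ANY DEFINITION is a server-level permission, so it is granted
-- in master to the login, exactly as the guide's GRANT statement shows.
GRANT VIEW ANY DEFINITION TO [CORP\ccs-sqlcollector];
GO

-- Table 2-1: EXECUTE on the four master procedures, granted object by object
-- rather than through a broad role such as db_owner or sysadmin.
GRANT EXECUTE ON dbo.sp_MSSQLDMO80_version TO [CORP\ccs-sqlcollector];
GRANT EXECUTE ON dbo.sp_MSSQLDMO70_version TO [CORP\ccs-sqlcollector];
GRANT EXECUTE ON dbo.sp_MSdbuserpriv       TO [CORP\ccs-sqlcollector];
GRANT EXECUTE ON dbo.sp_MSdbuseraccess     TO [CORP\ccs-sqlcollector];
GO

-- Bullet 3: read rights on each database that will be queried (repeat per database).
USE AppDB;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\ccs-sqlcollector')
    CREATE USER [CORP\ccs-sqlcollector] FOR LOGIN [CORP\ccs-sqlcollector];
EXEC sp_addrolemember N'db_datareader', N'CORP\ccs-sqlcollector';
GO

-- Table 2-2, Database Backups data source: SELECT on the four msdb backup tables only,
-- not db_datareader on msdb, which would also expose job definitions and history.
USE msdb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\ccs-sqlcollector')
    CREATE USER [CORP\ccs-sqlcollector] FOR LOGIN [CORP\ccs-sqlcollector];
GRANT SELECT ON dbo.backupset         TO [CORP\ccs-sqlcollector];
GRANT SELECT ON dbo.backupmediaset    TO [CORP\ccs-sqlcollector];
GRANT SELECT ON dbo.backupmediafamily TO [CORP\ccs-sqlcollector];
GRANT SELECT ON dbo.backupfile        TO [CORP\ccs-sqlcollector];
GO

-- Verification: impersonate the login and ask SQL Server what it can do.
-- Expected: every column is 1 except is_sysadmin, which should be 0, because the
-- guide asks for sysadmin only for the SQL-DMO SERVERS data source (xp_regread).
USE master;
GO
EXECUTE AS LOGIN = N'CORP\ccs-sqlcollector';
SELECT
    HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DEFINITION')             AS view_any_definition,
    HAS_PERMS_BY_NAME('master', 'DATABASE', 'CONNECT')               AS connect_master,
    HAS_PERMS_BY_NAME('AppDB',  'DATABASE', 'CONNECT')               AS connect_appdb,
    HAS_PERMS_BY_NAME('msdb',   'DATABASE', 'CONNECT')               AS connect_msdb,
    HAS_PERMS_BY_NAME('dbo.sp_MSdbuserpriv',   'OBJECT', 'EXECUTE')  AS exec_dbuserpriv,
    HAS_PERMS_BY_NAME('dbo.sp_MSdbuseraccess', 'OBJECT', 'EXECUTE')  AS exec_dbuseraccess,
    IS_SRVROLEMEMBER('sysadmin')                                     AS is_sysadmin;
REVERT;
GO
```

SELECT on sysprocesses from Table 2-1 is deliberately not scripted: on SQL Server 2005 and later, sysprocesses is the compatibility view sys.sysprocesses, and a login without VIEW SERVER STATE sees only its own sessions in it, so grant VIEW SERVER STATE separately and only if collection is shown to need the other sessions. The verification block runs under EXECUTE AS LOGIN so you do not have to log on as the collection account; a 0 in any column other than is_sysadmin means one of the grants above did not take, and a 1 in is_sysadmin means the account holds far more than the minimum this guide describes.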

Privileges for specific data sources
The following table specifies whether Select/Execute permissions are required on the system tables/stored procedures/views/database in the master/current/msdb database.

Note: You require sysadmin rights to query the SQL-DMO SERVERS data source. The xp_regread stored procedure used by the SQL-DMO SERVERS data source requires the user to be a member of the sysadmin role.

Table 2-2 Minimum required privileges for specific data sources

Each row lists the data source, whether it is served through SQL-DMO or the system tables, and, for each dependent table/view (T), stored procedure (SP) or database, the database it resides in (Master/Current/msdb) and the right required on the dependent database object. All rows apply to SQL Server 2005 and 2008.

Data source: Backup Devices (SQL-DMO)
■ sysusers, Current: Select
■ syslogins, Master: Select
■ sysdevices, Master: Select

Data source: Configuration (System Tables)
■ configurations, Master: Select
■ spt_values, Master: Select
■ xp_msver, Master: Exec

Data source: Database Backups (System Tables)
■ backupset, msdb: Select
■ backupmediaset, msdb: Select
■ backupmediafamily, msdb: Select
■ backupfile, msdb: Select

Data source: Database File Groups (SQL-DMO)
■ sysusers, Current: Select
■ syslogins, Master: Select
■ sp_MSdbuserpriv, Master: Exec
■ sp_MSdbuseraccess, Master: Exec
■ sysfilegroups, Current: Select
■ sysfiles, Current: Select

Data source: Database Files (SQL-DMO)
■ sysusers, Current: Select
■ syslogins, Master: Select
■ sp_MSdbuserpriv, Master: Exec
■ sp_MSdbuseraccess, Master: Exec
■ sysfilegroups, Current: Select
■ sysfiles, Current: Select

Data source: Database Options (SQL-DMO)
■ sysusers, Current: Select
■ syslogins, Master: Select
■ sp_MSdbuserpriv, Master: Exec
■ sp_MSdbuseraccess, Master: Exec
■ sysfilegroups, Master: Select

Data source: Database Permissions (System Tables)
■ sysdatabases, Master: Select
■ syslogins, Master: Select
■ sysusers, Master: Select
■ xp_msver, Master: Exec
■ spt_values, Master: Select
■ server_permissions, Current: Select
■ database_permissions, Current: Select
■ database_principals, Current: Select
■ server_principals, Current: Select
■ schemas, Current: Select

Data source: Database Role Permissions (System Tables)
■ database_permissions, Current: Select
■ database_principals, Current: Select
■ all_objects, Current: Select
■ schemas, Current: Select
■ spt_values, Master: Select
■ xp_msver, Master: Exec

Rights on the dependent database object (next row, continued): Select; Select; Exec; Select; Select; Exec; Exec; Exec; Exec

Current

Master

Master

Current

Current

Master

Master

Master

Master

sysusers

syslogins

sp_helprole

sysprotects

sysobjects

sp_helprolemember

sp_dbfixedrolepermission

sp_MSdbuserpriv

sp_MSdbuseraccess

2005 and2008

SQL-DMO

Datasource:DatabaseRoles

Select

Select

Exec

Exec

Exec

Exec

Select

Current

Master

Master

Master

Master

Master

Current

sysusers

syslogins

sp_MSdbuserpriv

sp_MSdbuseraccess

sp_dbcmptlevel

sp_helprolemember

sysusers

2005 and2008

SQL-DMO

Datasource:DatabaseUsers

Select

Select

Master

Master

databases

dbo.spt_values

2005 and2008

SystemTables

Datasource:Databases

Privileges for SQL ServerMinimum required privileges to query an SQL Server database

22

Page 23: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Table 2-2 Minimum required privileges for all the data sources (continued)

Rights on thedependentdatabaseobject

Master/Current/msdbdatabase

Dependent Tables (T)/ViewsStored Procedure (SP)/Database in SQL Server

SQLServerversion

SQL-DMO/SystemTables,andSupporteddatasources

Select

Select

Exec

Exec

Exec

Exec

Exec

Exec

Exec

Exec

Current

Master

msdb

msdb

msdb

msdb

msdb

Master

msdb

msdb

sysusers

syslogins

sp_help_category

sp_help_alert

sp_get_sqlagent_properties

sp_help_job

sp_help_operator

xp_servicecontrol

sp_help_targetservergroup

sp_help_targetserver

2005 and2008

SQL-DMO

Datasource: JobServer

Select

Select

Exec

Exec

Exec

Exec

Current

Master

msdb

msdb

msdb

msdb

sysusers

syslogins

sp_help_job

sp_get_job_alerts

sp_help_jobschedule

sp_help_jobstep

2005 and2008

SQL-DMO

Datasource: JobServer Jobs

Select

Select

Exec

Exec

Current

Master

msdb

msdb

sysusers

syslogins

sp_help_job

sp_help_jobstep

2005 and2008

SQL-DMO

Datasource: JobSteps

Select

Select

Select

Exec

Current

Master

Master

Master

sysusers

syslogins

sysservers

sp_helplinkedsrvlogin

2005 and2008

SQL-DMO

Datasource:LinkedServers

23Privileges for SQL ServerMinimum required privileges to query an SQL Server database

Page 24: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Table 2-2 Minimum required privileges for all the data sources (continued)

Rights on thedependentdatabaseobject

Master/Current/msdbdatabase

Dependent Tables (T)/ViewsStored Procedure (SP)/Database in SQL Server

SQLServerversion

SQL-DMO/SystemTables,andSupporteddatasources

Select

Select

Select

Select

Master

Master

Current

Master

sysservers

sysremotelogins

sysusers

syslogins

2005 and2008

SQL-DMO

Datasource:RemoteLogins

Select

Select

Select

Select

Exec

Current

Master

Master

Master

Master

sysusers

syslogins

sysservers

sysremotelogins

sp_MSdbuserpriv

2005 and2008

SQL-DMO

Datasource:RemoteServers

Select

Select

Exec

Current

Master

Master

sysusers

syslogins

xp_instance_regread

2005 and2008

SQL-DMO

Datasource:ServerIntegratedSecurity

Select

Select

Exec

Master

Master

Master

syslogins

spt_values

xp_msver

2005 and2008

SystemTables

Datasource:ServerLogins

Select

Select

Exec

Exec

Current

Master

Master

Master

sysusers

syslogins

sp_helpsrvrole

sp_helpsrvrolemember

2005 and2008

SQL-DMO

Datasource:ServerRoles

Privileges for SQL ServerMinimum required privileges to query an SQL Server database

24

Page 25: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Table 2-2 Minimum required privileges for all the data sources (continued)

Rights on thedependentdatabaseobject

Master/Current/msdbdatabase

Dependent Tables (T)/ViewsStored Procedure (SP)/Database in SQL Server

SQLServerversion

SQL-DMO/SystemTables,andSupporteddatasources

Select

Select

Exec

Exec

Select

Select

Select

Exec

Select

Select

Select

Exec

Exec

Exec

Exec

Exec

Exec

Exec

Exec

Current

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

Master

sysusers

syslogins

sp_MSdbuserpriv

xp_regread

sysdevices

sysconfigures

syscurconfigs

sp_MSdbuseraccess

syslanguages

sysservers

fn_helpcollations

xp_msver

sp_helpsort

xp_instance_regenumvalues

xp_instance_regread

sp_server_info

xp_loginconfig

sp_helpsrvrole

xp_servicecontrol

2005 and2008

SQL-DMO

Datasource:Servers

25Privileges for SQL ServerMinimum required privileges to query an SQL Server database

Page 26: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Table 2-2 Minimum required privileges for all the data sources (continued)

Rights on thedependentdatabaseobject

Master/Current/msdbdatabase

Dependent Tables (T)/ViewsStored Procedure (SP)/Database in SQL Server

SQLServerversion

SQL-DMO/SystemTables,andSupporteddatasources

Select

Select

Select

Select

Select

Select

Select

Select

Select

Select

Select

Exec

Current

Current

Current

Current

Current

Current

Current

Master

Current

Current

Current

Master

all_objects

procedures

sql_modules

database_principals

schemas

syscomments

assembly_modules

spt_values

objects

indexes

sysdepends

xp_msver

2005 and2008

SystemTables

Datasource:StoredProcedures

Privileges for SQL ServerMinimum required privileges to query an SQL Server database

26

Page 27: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Table 2-2 Minimum required privileges for all the data sources (continued)

Rights on thedependentdatabaseobject

Master/Current/msdbdatabase

Dependent Tables (T)/ViewsStored Procedure (SP)/Database in SQL Server

SQLServerversion

SQL-DMO/SystemTables,andSupporteddatasources

For SQL Server2008, you musthave any of thefollowingpermissions:

■ ControlServer

■ Alter anyServerAudit

■ Alter anyDatabaseAudit

■ DBO role

For SQL Server2008 R2, youmust have anyof the followingpermissions:

■ ControlServer

■ View ServerState

■ View AuditState

■ Alter anyAudit

■ DBO role

Master

Master

Master

Master

database_audit_specification_details

database_audit_specifications

server_audits

server_file_audits

2008SystemTables

Datasource:DatabaseAuditSpecification

27Privileges for SQL ServerMinimum required privileges to query an SQL Server database

Page 28: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Table 2-2 Minimum required privileges for all the data sources (continued)

Rights on thedependentdatabaseobject

Master/Current/msdbdatabase

Dependent Tables (T)/ViewsStored Procedure (SP)/Database in SQL Server

SQLServerversion

SQL-DMO/SystemTables,andSupporteddatasources

For SQL Server2008, you musthave any of thefollowingpermissions:

■ ControlServer

■ Alter anyServerAudit

■ Alter anyDatabaseAudit

■ DBO role

For SQL Server2008 R2, youmust have anyof the followingpermissions:

■ ControlServer

■ View ServerState

■ View AuditState

■ Alter anyAudit

■ DBO role

Master

Master

server_audits

server_file_audits

2008SystemTables

Datasource:ServerAudits

Privileges for SQL ServerMinimum required privileges to query an SQL Server database

28

Page 29: Symantec Control Compliance Suite Data Collection ...origin-symwisedownload.symantec.com/resources/sites/SYMWISE/... · Symantec™ Control Compliance Suite Data Collection Privileges

Table 2-2 Minimum required privileges for all the data sources (continued)

Rights on thedependentdatabaseobject

Master/Current/msdbdatabase

Dependent Tables (T)/ViewsStored Procedure (SP)/Database in SQL Server

SQLServerversion

SQL-DMO/SystemTables,andSupporteddatasources

For SQL Server2008, you musthave any of thefollowingpermissions:

■ ControlServer

■ Alter anyServerAudit

■ Alter anyDatabaseAudit

■ DBO role

For SQL Server2008 R2, youmust have anyof the followingpermissions:

■ ControlServer

■ View ServerState

■ View AuditState

■ Alter anyAudit

■ DBO role

Master

Master

Master

Master

database_audit_specification_details

database_audit_specifications

server_audits

server_file_audits

2008SystemTables

Datasource:ServerAuditSpecification

29Privileges for SQL ServerMinimum required privileges to query an SQL Server database
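The following T-SQL script is an added example and is not part of the Symantec guide. It turns two rows of Table 2-2, the Database Backups and Job Server Jobs data sources, into a dedicated collector login that holds exactly those rights and nothing else, then impersonates the login to verify the result. The login name ccs_collector, the sample password, and the target database name AssessedDB are assumptions; substitute your own. It is written for SQL Server 2005 and 2008 and must be run by a sysadmin.

```sql
-- Added example (not from the Symantec guide): least-privilege collector login
-- holding the Table 2-2 rights for "Database Backups" and "Job Server Jobs".
-- ccs_collector, the password and AssessedDB are assumed names.
USE master;
GO
CREATE LOGIN ccs_collector
    WITH PASSWORD = 'Replace-With-A-Strong-Passphrase-1!',
         CHECK_POLICY = ON;
GO
-- Both data sources need Select on syslogins in master. On SQL Server 2005 and
-- 2008 syslogins is a compatibility view in the sys schema that any database
-- user can query, so a user mapping in master is sufficient. Rows are still
-- filtered by metadata visibility: the login sees only logins it holds a
-- permission on unless it also has VIEW ANY DEFINITION (not in Table 2-2).
CREATE USER ccs_collector FOR LOGIN ccs_collector;
GO

USE msdb;
GO
CREATE USER ccs_collector FOR LOGIN ccs_collector;
-- Database Backups: Select on the four backup-history tables in msdb.
GRANT SELECT ON dbo.backupset         TO ccs_collector;
GRANT SELECT ON dbo.backupmediaset    TO ccs_collector;
GRANT SELECT ON dbo.backupmediafamily TO ccs_collector;
GRANT SELECT ON dbo.backupfile        TO ccs_collector;
-- Job Server Jobs: Exec on the SQL Server Agent help procedures in msdb.
GRANT EXECUTE ON dbo.sp_help_job         TO ccs_collector;
GRANT EXECUTE ON dbo.sp_get_job_alerts   TO ccs_collector;
GRANT EXECUTE ON dbo.sp_help_jobschedule TO ccs_collector;
GRANT EXECUTE ON dbo.sp_help_jobstep     TO ccs_collector;
GO

-- Job Server Jobs also needs Select on sysusers in the "Current" database, the
-- database being assessed. sysusers is likewise a sys-schema compatibility
-- view, so a user mapping is enough; repeat this for every assessed database.
USE AssessedDB;
GO
CREATE USER ccs_collector FOR LOGIN ccs_collector;
GO

-- Check: impersonate the collector and confirm it can do what the table
-- requires and that it is not sysadmin. Expected row: 1, 1, 0.
USE msdb;
GO
EXECUTE AS LOGIN = 'ccs_collector';
SELECT HAS_PERMS_BY_NAME('dbo.backupset',   'OBJECT', 'SELECT')  AS can_select_backupset,
       HAS_PERMS_BY_NAME('dbo.sp_help_job', 'OBJECT', 'EXECUTE') AS can_exec_sp_help_job,
       IS_SRVROLEMEMBER('sysadmin')                               AS is_sysadmin;
REVERT;
GO
```

Two caveats that the table alone does not show. First, SQL Server Agent scopes sp_help_job output by role: with only EXECUTE permission the collector is shown the jobs it owns, and it must be added to msdb's SQLAgentReaderRole to enumerate all jobs, which is a step beyond the table's minimum. Second, the grant-per-object approach stops at the SQL-DMO Servers data source: xp_regread runs only for members of sysadmin, as the note before the table states, so no grant script can substitute for that role membership.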


Privileges for Oracle

This chapter includes the following topics:

■ Trust requirement to query an Oracle database

■ Minimum required privileges to query an Oracle database

■ Using sudo functionality for querying Oracle UNIX targets

Trust requirement to query an Oracle database

Ensure that a domain trust relationship exists if the CCS Manager in the data collector role and the Oracle target computers are located in different domains. You must have a one-way trust from the CCS Manager domain to the target computer domain. The CCS Manager must be able to log in to the target computer in order to perform data collection using the minimum privileges described in this document.

Note: The trust requirements mentioned in this document are applicable as of the current release of Control Compliance Suite 11.x. Symantec continues to investigate the opportunity to enable product functionality with the least privileges and trust requirements as an on-going effort.

See “Minimum required privileges to query an Oracle database” on page 31.

Minimum required privileges to query an Oracle database

CCS requires certain minimum rights on the databases and on the operating system on which the queries report.


Note: If your organization has a specific role for an Oracle Database Administrator, Symantec recommends that the DBA enters the Oracle DB Admin privileges wherever they are required.

The Oracle DB Admin privileges may be mandated by the Oracle application. The CCS Administrator does not need to hold an Oracle DB Admin role.

See “Privileges for database-related queries” on page 32.

See “Privileges for platform-specific queries” on page 33.

See “Privileges on views to query database-related data sources” on page 33.

Privileges for database-related queries

The credential user needs certain privileges to run queries on database-related data sources.

For the specific SELECT privileges needed to query each database-related data source, see Table 3-3 under “Privileges on views to query database-related data sources”.

For Oracle Database Version 9i and later, you can provide the following privileges:

Table 3-1 Privileges required for Oracle Database Version 9i and later

Privilege | Description
SELECT ANY DICTIONARY | Allows access to the required data dictionary objects.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE | Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.

For Oracle Database Version 8i, you can provide the following privileges:

Table 3-2 Privileges required for Oracle Database Version 8i and later

Privilege | Description
SELECT_CATALOG_ROLE | Allows access to the required "DBA_" views and the V$ dynamic performance views.
SELECT ON SYSTEM.PRODUCT_USER_PROFILE | Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.

Privileges for Oracle: Minimum required privileges to query an Oracle database

Note: Oracle 8i does not have the SELECT ANY DICTIONARY privilege, and the SELECT ANY TABLE privilege does not help when O7_DICTIONARY_ACCESSIBILITY is set to FALSE, because that setting excludes SYS-owned dictionary objects from ANY-privileges.

The following privileges grant access to the dictionary objects that are required for reporting on the Database Audit Trail data source:

■ SELECT ON SYS.OBJAUTH$

■ SELECT ON SYS.OBJ$

■ SELECT ON SYS.USER$

■ SELECT ON SYS.COL$

■ SELECT ON SYS.TABLE_PRIVILEGE_MAP

For Oracle 8i, the SELECT privileges must be granted on the individual data dictionary objects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege. Also, the SELECT ANY TABLE privilege does not allow access to data dictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE.

Privileges for platform-specific queries

To obtain Windows platform-specific information, the credentials user must have administrator privileges on the Windows computer.

You must have root access privileges on the computer on which you want to install the CCS Agent for UNIX for Oracle data collection. The CCS Agent for UNIX is installed only under root account credentials. Communication between the CCS Manager and the CCS Agent uses TCP port 5600.

Privileges on views to query database-related data sources

SELECT privileges are required on certain views to query database-related data sources.

Table 3-3 lists the view names that require SELECT privileges and the data sources that read these views.

Table 3-3 Data sources and the associated Views

Data source name | View name
Database Application Contexts | DBA_CONTEXT
Database Audit Trail | DBA_AUDIT_TRAIL
Database Fine Grained Access Control Policies | DBA_POLICIES
Database Fine Grained Auditing Audit Trail | DBA_FGA_AUDIT_TRAIL
Database Initialization Parameters | V$SYSTEM_PARAMETER2
Database Links | DBA_DB_LINKS
Database Object Auditing | DBA_OBJ_AUDIT_OPTS
Database Object Privilege Assignments | SYS.OBJAUTH$, SYS.OBJ$, SYS.USER$, TABLE_PRIVILEGE_MAP, DBA_ROLES, DBA_OBJECTS, SYS.COL$
Database Objects | DBA_OBJECTS
Database Policy Contexts | DBA_POLICY_CONTEXTS
Database Policy Groups | DBA_POLICY_GROUPS
Database Privilege Auditing | DBA_PRIV_AUDIT_OPTS
Database Profiles | DBA_PROFILES
Database Resource Consumer Groups | DBA_RSRC_CONSUMER_GROUPS
Database Resource Limits | V$RESOURCE_LIMIT
Database Role Assignments | DBA_ROLE_PRIVS, DBA_ROLES
Database Roles | DBA_ROLES
Database Sessions | V$SESSION
Database Statement Auditing | DBA_STMT_AUDIT_OPTS
Database System Privilege Assignments | DBA_SYS_PRIVS, DBA_ROLES
Database Uniform Audit Trail | DBA_COMMON_AUDIT_TRAIL
Database User Tablespace Quotas | DBA_TS_QUOTAS
Database Users | DBA_USERS, PROXY_USERS
Database and Instance Information | V$DATABASE, V$INSTANCE, GLOBAL_NAME, V$VERSION
SQL*Plus Security | SYSTEM.PRODUCT_USER_PROFILE
UNIX and Linux Database File and Directory Permissions | V$SYSTEM_PARAMETER2, V$CONTROLFILE, V$DATAFILE, V$LOGFILE, V$TEMPFILE, V$ARCHIVE_DEST
Windows Database File and Folder Permissions | V$SYSTEM_PARAMETER2, V$CONTROLFILE, V$DATAFILE, V$LOGFILE, V$TEMPFILE, V$ARCHIVE_DEST
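The following Oracle SQL script is an added example and is not part of the Symantec guide. It creates a read-only collector account carrying the Oracle 9i-and-later privileges of Table 3-1, shows the Oracle 8i alternative from Table 3-2 and the note as commented grants, and then runs the checks a DBA would want before handing the credentials to CCS: the O7_DICTIONARY_ACCESSIBILITY setting, a complete list of what the account holds, and a read of two of the Table 3-3 views. The user name CCS_COLLECTOR and the password are assumptions; CREATE SESSION is not in the tables but is needed for any account to connect at all.

```sql
-- Added example (not from the Symantec guide): least-privilege Oracle collector
-- account for the database-related data sources. CCS_COLLECTOR and the password
-- are assumed names; run the grants as SYS or SYSTEM.
CREATE USER ccs_collector IDENTIFIED BY "Replace-With-A-Strong-Passphrase-1";
GRANT CREATE SESSION TO ccs_collector;                         -- needed to connect
GRANT SELECT ANY DICTIONARY TO ccs_collector;                  -- Table 3-1
GRANT SELECT ON system.product_user_profile TO ccs_collector;  -- Table 3-1, SQL*Plus Security

-- Oracle 8i has no SELECT ANY DICTIONARY (Table 3-2 and the note): use the
-- catalog role instead, plus explicit grants on the SYS base tables that the
-- Database Audit Trail data source reads.
-- GRANT SELECT_CATALOG_ROLE TO ccs_collector;
-- GRANT SELECT ON sys.objauth$ TO ccs_collector;
-- GRANT SELECT ON sys.obj$ TO ccs_collector;
-- GRANT SELECT ON sys.user$ TO ccs_collector;
-- GRANT SELECT ON sys.col$ TO ccs_collector;
-- GRANT SELECT ON sys.table_privilege_map TO ccs_collector;

-- Check 1: SELECT ANY TABLE is no substitute while O7_DICTIONARY_ACCESSIBILITY
-- is FALSE (the default from 9i on), so record the setting next to the grants.
SELECT name, value
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- Check 2: everything the account holds, in one list. Expected on 9i and later:
-- SYSPRIV CREATE SESSION, SYSPRIV SELECT ANY DICTIONARY, one OBJPRIV row for
-- the object behind the SYSTEM.PRODUCT_USER_PROFILE synonym, and no ROLE rows.
SELECT 'SYSPRIV' AS kind, privilege AS detail
  FROM dba_sys_privs  WHERE grantee = 'CCS_COLLECTOR'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'CCS_COLLECTOR'
UNION ALL
SELECT 'OBJPRIV', owner || '.' || table_name || ':' || privilege
  FROM dba_tab_privs  WHERE grantee = 'CCS_COLLECTOR'
 ORDER BY 1, 2;

-- Check 3 (run while connected as CCS_COLLECTOR): the views behind the
-- Database Users and Database Audit Trail data sources in Table 3-3 must be
-- readable; ORA-00942 here means a grant from above is missing.
SELECT COUNT(*) AS users_visible      FROM dba_users;
SELECT COUNT(*) AS audit_rows_visible FROM dba_audit_trail;
```

One caveat beyond the guide's 8i and 9i scope: from Oracle Database 12c onward, SELECT ANY DICTIONARY no longer covers a handful of sensitive SYS base tables, SYS.USER$ among them, so on those releases the Database Object Privilege Assignments data source also needs the explicit GRANT SELECT ON sys.user$ shown in the 8i block.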

Using sudo functionality for querying Oracle UNIX targets

Though CCS requires only minimum privileges for data collection, in some cases you may need to query targets using higher privileges. The sudo functionality permits you to execute a command on the target computer as a superuser or as another user. For agent-less raw data collection on Oracle UNIX targets, you can use the UNIX sudo (superuser do) program to run queries in the context of a superuser.

To use the sudo functionality:

■ Ensure that the sudo program is installed on the UNIX target computer on which you want to use it.

■ In the sudoers file, list the user accounts you will use to run the commands. Users whose credentials are added in the credentials database must have corresponding user accounts listed in the sudoers file. The sudoers file is located in the /etc directory of the UNIX target computer.

If the invoking user is root, or if the target user is the same as the invoking user, sudo does not ask for a password. Otherwise you must supply a password to execute commands on the target computer, unless the password prompt is disabled in the sudoers file. See “Example of the sudoers file” on page 38.

■ Disable the password prompt in the sudoers file.

See “Disabling password prompt in the sudoers file” on page 36.

■ In the bvAgentlessConfig.ini file, enable the sudo option by configuring the SupportsSudo parameter. The bvAgentlessConfig.ini file is located in the <INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles folder of the CCS Manager.

See “Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file” on page 36.

■ In the ExecutionContext.ini file, prefix the word sudo to the commands of a query, to run the queries in the context of a superuser. The ExecutionContext.ini file is located in the <INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles folder of the CCS Manager.

See “Optimizing queries using sudo in the ExecutionContext.ini file” on page 37.

Disabling password prompt in the sudoers file

To be able to use sudo for running queries in the context of a superuser, you can add the following line to the sudoers file to disable the password prompt for every command:

<name> ALL=NOPASSWD: ALL

where <name> is the native user whose credentials are specified in the credential database. Note that this line gives that account passwordless root for every command on the target. Where your policy allows, restrict it to the commands the queries actually run, as the command aliases in the sudoers example do, and edit the file with visudo so that a syntax error cannot lock sudo out altogether.

If the password prompt is not disabled and certain commands are blocked because no password can be supplied, you may encounter the following issues:

■ Special values for certain commands, such as hostname, may return different values.

■ If the uname command is blocked, validation of agent-less targets may fail and the data sources will not return data.

■ Data sources may return incomplete data.

See “Example of the sudoers file” on page 38.

See “Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file”on page 36.

See “Optimizing queries using sudo in the ExecutionContext.ini file” on page 37.

See “Using sudo functionality for querying Oracle UNIX targets ” on page 35.

Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file

To be able to use sudo for running queries in the context of a superuser, you must enable the sudo option by configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file.

The parameter and its value are as follows:

Privileges for Oracle: Using sudo functionality for querying Oracle UNIX targets

SupportsSudo=<value>

where <value> is true or false.

The default value is false, which means that the use of sudo is disabled by default.

To enable sudo for running queries on UNIX targets, specify the value as true. You must also specify the FQDN of the UNIX target computer, in square brackets, on the line before the SupportsSudo parameter. For example:

[testcomputer.example.com]
SupportsSudo=true

where [testcomputer.example.com] is the FQDN of the UNIX target computer.

Once sudo is enabled in the bvAgentlessConfig.ini file, you can use the ExecutionContext.ini file to control which query commands are prefixed with the word sudo.

See “Disabling password prompt in the sudoers file” on page 36.

See “Optimizing queries using sudo in the ExecutionContext.ini file” on page 37.

See “Using sudo functionality for querying Oracle UNIX targets ” on page 35.

Optimizing queries using sudo in the ExecutionContext.ini file

To be able to use sudo for running queries in the context of a superuser, you must prefix the word sudo to the commands of the query specified in the ExecutionContext.ini file.

The following table lists the parameters that you can configure to run commands using sudo:

Table 3-4 Parameters to be configured for running commands using sudo

Parameter | Description
ApplyPrefixForAll | Specify true to run all commands of a query on the target computer using sudo. Specify false to run only specific commands of a query using sudo.
Default | If ApplyPrefixForAll is true, you can specify the commands that must run without sudo. If ApplyPrefixForAll is false, you can specify the commands that must run with sudo; in that case the word sudo must be prefixed to each such command.
<target platform> (AIX, LINUX, SunOS, HP-UX) | Specify the platforms for which the queries must be run using sudo.
Target | Specify the targets for which the queries must be run using sudo. The name can be the name of the target computer as displayed in the CCS console, or the IP address of the target computer.

See “Disabling password prompt in the sudoers file” on page 36.

See “Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file”on page 36.

See “Using sudo functionality for querying Oracle UNIX targets ” on page 35.

Example of the sudoers file

This is an example of the contents of the sudoers file, which is located in the /etc directory of the UNIX target computer. It contains the sample configuration required to use the sudo functionality as described in “Using sudo functionality for querying Oracle UNIX targets”. Line continuations use a trailing backslash, and every command is given by its absolute path, as the sudoers grammar requires.

## User alias specification
User_Alias UNIX_USERS = unix1, unix2, unix3
User_Alias BV_CONTROL_USERS = bvunix1, bvunix2, bvunix3

## Defaults: no password prompt for the collector accounts, and a log of every
## sudo invocation so that data collection can be audited on the target
Defaults:UNIX_USERS !authenticate
Defaults:BV_CONTROL_USERS !authenticate
Defaults logfile=/var/log/sudolog

## Runas alias specification
Runas_Alias SUPER_USERS = root

## Cmnd alias specification
Cmnd_Alias APPLICATIONS = /usr/sbin/named
Cmnd_Alias AIX_ADMINCMDS = /usr/sbin/lsps, /usr/sbin/lsattr
## ulimit is a shell builtin, not a program, so it cannot be listed here
Cmnd_Alias ADMINCMDS = /usr/sbin/prtconf, /sbin/runlevel, AIX_ADMINCMDS
Cmnd_Alias NETWORKCMDS = /sbin/ifconfig, /usr/local/bin/nslookup, \
                         /usr/sbin/inetadm -p
Cmnd_Alias FILECMDS = /bin/cat, /bin/date '+%Z', /usr/bin/strings -n, \
                      /usr/bin/diff, /usr/bin/cmp, /usr/bin/find, \
                      /bin/echo, /usr/bin/file, /bin/df -P, \
                      /usr/bin/cksum, /bin/ls -la, /bin/ls -lad, \
                      /bin/ls -lac, /bin/ls -lau
#Cmnd_Alias COMMONCMDS = /usr/bin, /bin, /usr/local/bin
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SYSADMCMD = /usr/lib/sendmail
Cmnd_Alias ACTIVEADMCMDS = /usr/sbin/adduser

## User privilege specification
## The trailing "NOPASSWD: ALL" grants every command as root and makes the
## aliases and the "!" exclusions before it redundant; remove it to keep
## UNIX_USERS limited to the listed commands
UNIX_USERS ALL = (SUPER_USERS) APPLICATIONS, NETWORKCMDS, ADMINCMDS, \
                 FILECMDS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, NOPASSWD: ALL
BV_CONTROL_USERS ALL = NOPASSWD: ALL

See “Using sudo functionality for querying Oracle UNIX targets ” on page 35.

See “Disabling password prompt in the sudoers file” on page 36.
