Symantec Enterprise Security Manager Modules for Sybase ......Symantec Enterprise Security Manager...

Symantec™ EnterpriseSecurity Manager Modulesfor Sybase Adaptive ServerEnterprise User Guide Sybase3.1.0

Release 3.1.0 for Symantec ESM 6.5.xand 9.0.1 For Sybase Adaptive ServerEnterprise on AIX, HP-UX, Linux, andSolaris

Symantec™ Enterprise Security Manager Modules forSybase Adaptive Server Enterprise User Guide

The software described in this book is furnished under a license agreement andmay be usedonly in accordance with the terms of the agreement.

Documentation version: 3.1.0

Legal NoticeCopyright © 2010 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-Control, Enterprise SecurityManager, andLiveUpdate are trademarks or registered trademarks of SymantecCorporationor its affiliates in the U.S. and other countries. Other names may be trademarks of theirrespective owners.

The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.

THEDOCUMENTATIONISPROVIDED"ASIS"ANDALLEXPRESSORIMPLIEDCONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBELEGALLYINVALID.SYMANTECCORPORATIONSHALLNOTBELIABLEFORINCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software andDocumentation are deemed to be commercial computer softwareas defined in FAR12.212 and subject to restricted rights as defined in FARSection 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights inCommercial Computer Software or Commercial Computer Software Documentation", asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software andDocumentation by theU.S.Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation350 Ellis StreetMountain View, CA 94043

http://www.symantec.com

http://www.symantec.com

Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product featuresand functionality. TheTechnical Support group also creates content for our onlineKnowledge Base. The Technical Support group works collaboratively with theother functional areas within Symantec to answer your questions in a timelyfashion. For example, theTechnical Support groupworkswithProductEngineeringand Symantec Security Response to provide alerting services and virus definitionupdates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the rightamount of service for any size organization

■ Telephone and Web-based support that provides rapid response andup-to-the-minute information

■ Upgrade assurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week

■ Advanced features, including Account Management Services

For information about Symantec’sMaintenance Programs, you can visit ourWebsite at the following URL:

www.symantec.com/techsupp/

Contacting Technical SupportCustomerswith a currentmaintenance agreementmay access Technical Supportinformation at the following URL:


Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer onwhich theproblemoccurred, in case it is necessary to replicatethe problem.

When you contact Technical Support, please have the following informationavailable:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

www.symantec.com/techsupp/www.symantec.com/techsupp/

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registrationIf yourSymantecproduct requires registrationor a licensekey, access our technicalsupport Web page at the following URL:


Customer serviceCustomer service information is available at the following URL:


Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and maintenance contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals

www.symantec.com/techsupp/www.symantec.com/techsupp/

Maintenance agreement resourcesIf you want to contact Symantec regarding an existing maintenance agreement,please contact the maintenance agreement administration team for your regionas follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Additional enterprise servicesSymantec offers a comprehensive set of services that allow you tomaximize yourinvestment in Symantec products and to develop your knowledge, expertise, andglobal insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

These solutions provide early warning of cyber attacks, comprehensive threatanalysis, and countermeasures to prevent attacks before they occur.

SymantecEarlyWarningSolutions

These services remove the burdenofmanaging andmonitoring security devicesand events, ensuring rapid response to real threats.

Managed Security Services

Symantec Consulting Services provide on-site technical expertise fromSymantec and its trustedpartners. SymantecConsultingServices offer a varietyof prepackaged and customizable options that include assessment, design,implementation,monitoring, andmanagement capabilities. Each is focused onestablishing andmaintaining the integrity and availability of your IT resources.

Consulting Services

Educational Services provide a full array of technical training, securityeducation, security certification, and awareness communication programs.

Educational Services

To access more information about Enterprise services, please visit our Web siteat the following URL:

www.symantec.com

Select your country or language from the site index.

mailto:[email protected]:[email protected]:[email protected]

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 1 Introducing Symantec ESM modules for SybaseAdaptive Server Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

About the Symantec ESM modules for Sybase ASE .... . . . . . . . . . . . . . . . . . . . . . . . . . 11What you can do with the Symantec ESM modules for Sybase

ASE .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Where you can get more information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 2 Installing Symantec ESM modules for SybaseASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Before you install .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Minimum account privileges for custom roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16About using an alternate account ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20System requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21About using parameters in the esmsybaseenv.dat file ... . . . . . . . . . . . . . . . . . . . . . . 23Installing the ESM modules for Sybase ASE .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Silently installing the ESM modules for Sybase ASE .... . . . . . . . . . . . . . . . . . . . . . . . 30Configuration of the ESM modules for Sybase ASE .... . . . . . . . . . . . . . . . . . . . . . . . . . 31

Editing configuration records ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31About configuring the Sybase ASE in a network-based

environment .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Silently configuring the ESM modules for Sybase ASE .... . . . . . . . . . . . . . . . . . . . . 33Configuring theSybaseASE server byusing theSybaseASEDiscovery

module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Configuring a new Sybase ASE server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Validating Sybase ASE server credentials ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Configuring Sybase ASE with generic credentials ... . . . . . . . . . . . . . . . . . . . . . . 36Reusing generic credentials of a Sybase ASE .... . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Removing unreachable or deleted servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

About the Logging functionality on the Sybase ASE modules ... . . . . . . . . . . . . . 38About the log levels of the messages ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Creating the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Parameters of the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Contents

About the ESM agent log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Format of the log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42About the backup of logs ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Chapter 3 Symantec ESM module checks for Sybase ASE . . . . . . . . . . . . 43About Symantec ESM module checks for Sybase ASE .... . . . . . . . . . . . . . . . . . . . . . . 43Sybase ASE Discovery .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Detect new database server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Detect deleted database server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Automatically add new database server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Automatically remove deleted database server ... . . . . . . . . . . . . . . . . . . . . . . . . . 45Validate configuration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Sybase ASE Account ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Servers to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Unlocked default logon accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Logon accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47New logon accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Deleted logon accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Database user aliases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Login triggers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Inactive accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Accounts with system roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Accounts with default master database ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Sybase ASE Auditing .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Servers to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Auditing enabled .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Auditing threshold procedure .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Audit segments ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Audit queue size ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Suspend audit when dev is full .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Trunc transaction log on chkpt ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Procedure Audit Options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Object Audit Options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Login Audit Options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Database Audit Options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Global Audit Options .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Sybase ASE Configuration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Servers to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Version and product level ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Configuration parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Master dev default disk status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Contents8

Device status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Net password encryption .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Trusted remote logins ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Databases on master device ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Sybase homes .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Sample databases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Sybase ASE Object ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Servers to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Database owners to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Database status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58User access to database ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58New database .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Deleted database ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Object permission .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Object types to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Databases to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Object actions to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Objects to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Grantors to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Grantable object permission .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Granted object permission .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61New granted object permission .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Deleted granted object perm .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Exclude granted object perm .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Accounts with CREATE permission .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Stored procedure signature ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Grantees to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Accounts with set proxy permission .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Owners to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Object owners ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Sybase ASE Password Strength .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Servers to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Empty password .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Password = login name .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66Password = any login name .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Password = wordlist word .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Reverse order ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Double occurrences ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Plural ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Prefix ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Suffix ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Roles without password .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

9Contents

Hide guessed password details ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Password complexity parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Login options(account) ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Password contains digits ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Roles to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Password expiration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Maximum failed login attempts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Minimum password length .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Roles - minimum password length .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Roles - password expiration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Roles - maximum failed login attempts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Maximum reported messages ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Monitor password age .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Sybase ASE Patches ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Servers to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Patch templates ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Sybase ASE Roles and Groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Servers to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Role status ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Role grantees ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74New roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Deleted roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Accounts to check .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Database groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Group members ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76New groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Deleted groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Automatically update snapshots ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Granted prohibited roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Chapter 4 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Encryption exception .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79RDL error ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80LiveUpdate error ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Contents10

Introducing Symantec ESMmodules for SybaseAdaptive Server Enterprise

This chapter includes the following topics:

■ About the Symantec ESM modules for Sybase ASE

■ What you can do with the Symantec ESM modules for Sybase ASE

■ Template

■ Where you can get more information

About the Symantec ESM modules for Sybase ASEThe Symantec Enterprise Security Manager (ESM) modules for Sybase AdaptiveServerEnterprise (ASE) servers extendsSymantecESMprotection to yourSybaseASE servers.

Thesemodules implement the checks and options that are specific to Sybase ASEservers, to protect them fromexposure to known security problems. Themodulesmay be installed locally on the Symantec ESM agent that resides on your SybaseASE server.

Themodulesmay also assess SybaseASE servers over thenetwork andbe installedon an ESM agent that has the Sybase ASE client installed. You can use theSymantec ESM modules for Sybase ASE server in the same way that you use forother Symantec ESM modules.

1Chapter

What you can dowith the Symantec ESMmodules forSybase ASE

You can use the ESM Application modules to scan the Sybase ASE servers forreporting vulnerabilities.

You can perform the following tasks using the ESM console:

■ Create a policy.

■ Configure the policy.

■ Create a rules template.

■ Run the policy.

■ Review the policy run.

■ Correct security problems from the console.

■ Create reports.

TemplateSeveral of the documented modules use templates to store the Sybase ASEparameters and object settings. Differences between the current settings andtemplate values are reported when the modules run. Modules use templates tostore Sybase ASE parameters and object settings.

Table 1-1 Template name

Predefinedtemplate

Template nameCheck nameModule

noneSybase ProcedureAudit Options

Procedure AuditOptions

Sybase ASE Auditing

noneSybase ASE ObjectAudit Options

Object Audit Options

noneSybase ASE LoginAudit Options

Login Audit Options

noneSybase DatabaseAudit Options

Database AuditOptions

noneSybase ASE GlobalAudit Options

Global Audit Options

Introducing Symantec ESM modules for Sybase Adaptive Server EnterpriseWhat you can do with the Symantec ESM modules for Sybase ASE

12

Table 1-1 Template name (continued)

Predefinedtemplate

Template nameCheck nameModule

noneSybaseConfigurationParameter

ConfigurationParameters

Sybase ASEConfiguration

noneSybase ASE DeviceStatus

Device Status

noneSybase ASE ObjectPermissions

Object PermissionSybase ASE Object

excludegrantedobjperm.gop

Sybase Grantedobject perm

Exclude grantedobject perm

noneSybase StoredProcedureSignatures

Stored proceduresignature

sybasepatch.syqSybase ASE PatchPatch templatesSybase ASE Patches

noneSybase PasswordParameter

Password complexityparameters

SybaseASEPasswordStrength

Where you can get more informationFor more information about Symantec ESM modules and Security Updates, seethe latest versions of the SymantecEnterprise SecurityAdministrator’sGuide andthe Symantec ESM Security Update User’s Guide.

Formore information onSymantec Enterprise SecurityManager (ESM), SymantecESMSecurityUpdates, and Symantec ESM support for database products, see theSymantec Security Response Web site at the following URL: Security ResponseWeb site

13Introducing Symantec ESM modules for Sybase Adaptive Server EnterpriseWhere you can get more information

http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=esmhttp://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=esm

Introducing Symantec ESM modules for Sybase Adaptive Server EnterpriseWhere you can get more information

14

Installing Symantec ESMmodules for Sybase ASE


■ Before you install

■ Minimum account privileges for custom roles

■ About using an alternate account

■ System requirements

■ About using parameters in the esmsybaseenv.dat file

■ Installing the ESM modules for Sybase ASE

■ Silently installing the ESM modules for Sybase ASE

■ Configuration of the ESM modules for Sybase ASE

■ Silently configuring the ESM modules for Sybase ASE

■ Configuring the SybaseASE server by using the SybaseASEDiscoverymodule

■ About the Logging functionality on the Sybase ASE modules

Before you installBefore you install the Symantec ESM modules for Sybase ASE, you must do thefollowing:

■ Ensure that Sybase ASE client is installed on the same ESM agent computerthat the Sybase ASE module should report on.

2Chapter

■ Ensure that connectivity to all Sybase ASE servers is established. There mustbe a valid interfaces file at the following location on the ESM agent computer://interfaces

The interfaces file contains the names of the SybaseASE servers and the portson which it is running.

■ Log on as root to install the esmsyb.tpi.If you want to use a non-root account for installation, See “About using analternate account” on page 20..

Minimum account privileges for custom rolesIn the ESM modules for Sybase ASE, you can now create a custom role and use itinstead of the sa_role. You can assign to the custom role, theminimumprivilegesthat are required for a Sybase module to work. You do not need to assign all theprivileges associated with the sa_role when you use the custom role.

To use the custom role instead of the sa_role, youmust grant the custom role andsso_role using the SymEsmDbaRoles parameter in the esmsybaseenv.dat file:

config SymEsmDbaRoles custom_role,sso_role

See “About using parameters in the esmsybaseenv.dat file” on page 23.

During configuration of the ESMSybasemodule, the custom role and the sso_roleare granted to the SYMESMDBA account instead of the sa_role and sso_role.

To make the custom role active, use the following command:

sp_modifylogin ESMSYMDBA, "add default role", custom_role

While configuring the ESM Sybase module using pre-created account instead ofthe “sa” account, you must assign the minimum account privileges to thepre-created account. Alternately you can also assign the custom role towhich youassigned the minimum account privileges, to the pre-created account by usingthe following command:

sp_modifylogin precreated_user, "add default role", custom_role

The following stored procedures used by ESM Sybase Module require sso_role:

■ sp_displayaudit

■ sp_passwordpolicy

If the sso_role is not assigned to ESMSYMDBA or the pre-created user, then ESMSybase Module reports errors on the following modules and checks:

Installing Symantec ESM modules for Sybase ASEMinimum account privileges for custom roles

16

Inactive accounts (only onSybase 15.0.2 or laterversions)

Sybase ASE Accountsp_displayaudit

Password contains digits

Minimum password length

Password expiration

Maximum failed loginattempts

Password complexityparameters

Sybase ASE PasswordStrength

sp_passwordpolicy

Table 2-1 gives the list of minimum privileges required to run Sybase modules.

Note: You can also assign the privileges to an existing role to run the variousSybase modules.

You must grant the following privileges to every database on which ESM checksreport:

■ grant select on syscolumns to CUSTOM

■ grant select on sysprotects to CUSTOM

■ grant select on sysobjects to CUSTOM

■ grant select on sysprotects to CUSTOM

■ grant select on sysusers to CUSTOM

■ grant select on sysroles to CUSTOM

Table 2-1 Minimum privileges required for Custom role

PrivilegesModule

select master..sysloginsSybase ASE Account

exec sp_helpdb

select master..sysalternates

select master..sysattributes

exec sybsystemprocs..sp_passwordpolicy

select master..sysloginroles

17Installing Symantec ESM modules for Sybase ASEMinimum account privileges for custom roles

Table 2-1 Minimum privileges required for Custom role (continued)

PrivilegesModule

select master..sysloginsSybase ASE Auditing

exec sp_helpthreshold

exec sybsecurity..sp_helpthreshold

exec master..sp_configure

exec sp_helpdb

"For each database to check execsp_displayaudit 'object'"

exec sp_displayaudit 'login'

exec sp_displayaudit 'global'

select @@version as 'Version'Sybase ASE Configuration

exec master..sp_configure

exec master..sp_helpdevice

exec master..sp_helpserver

exec sp_helpdevice master ->

Note:Applicable to Sybase 15.0.1 and aboveversions.

select master..sysdevices ->

Note: Applicable to Sybase versions earlierthan 15.0.1.

exec master..sp_helpremotelogin

exec sp_helpdb

Installing Symantec ESM modules for Sybase ASEMinimum account privileges for custom roles

18


PrivilegesModule

exec sp_helpdbSybase ASE Object

exec sp_helpuser

Note:Applicable for each database to check.

create table .. tempdb

select syscolumns

select sysprotects

select sysobjects


select master.dbo.sysmessages

select master.dbo.spt_values

select master..sysprotects

exec sp_help

exec sybsystemprocs..sp_passwordpolicySybase ASE Password Strength

select master..syslogins

select master.dbo.sysattributes

select master.dbo.syslogins

master..sp_configure


select master..syssrvroles

select @@version as 'Version'Sybase ASE Patches

select master..syssrvrolesSybase ASE Roles and Grooups


exec sp_helpdb

select sysusers

select sysroles


19Installing Symantec ESM modules for Sybase ASEMinimum account privileges for custom roles


PrivilegesModule

select master..sysloginsSybase ASE Discovery

exec sp_droplogin

exec sp_password

exec sp_addlogin

select master..sysloginsSybase Setup

select @@version as 'Version'

exec sp_displaylogin

About using an alternate accountIn the previous releases, the root user logged on to the ESM agent computer toinstall and configure the ESMmodules for Sybase ASE. In the current release, thenon-root (alternate account) users can install and configure the ESMmodules forSybase ASE after the root has changed the ownership of the tpi and theSybaseSetup.

The root must change the ownership of the esmsyb.tpi, before the non-root userruns the esmsyb.tpi installer.

To change the ownership of the esmsyb.tpi

1 Log on to the ESM agent computer as the root.

2 Copy the esmsyb.tpi to the desired location on the sameESMagent computer.

3 Create a new group.

The non-root user should be a member of the new group.

4 Tochange the ownership of the esmsyb.tpi fromroot group to another group,type the following at the command prompt:

chown root: esmsyb.tpi

5 To apply setuid bit to esmsyb.tpi, type the following at the command prompt:

chmod 4750 esmsyb.tpi

The users of the specified group are assigned the root’s privileges to use theesmsyb.tpi.

Installing Symantec ESM modules for Sybase ASEAbout using an alternate account

20

To install esmsyb.tpi as a non-root user

1 Log on to the ESM agent computer as a non-root user.

2 Run the esmsyb.tpi to install the ESM modules for Sybase ASE.

See “Installing the ESM modules for Sybase ASE” on page 26.

See “Silently installing the ESM modules for Sybase ASE” on page 30.

The rootmust change the ownership of the SybaseSetup, before thenon-root userconfigures ESM modules for Sybase ASE by using the SybaseSetup.

To change the ownership of the SybaseSetup

1 Log on to the ESM agent computer as the root.

2 Fromthe/esm/bin/directory, copy theSybaseSetup to thedesiredlocation on the same ESM agent computer.

3 To change the ownership of the SybaseSetup from root group to anothergroup, type the following in the command prompt:

chown root: SybaseSetup.

The users of the specified group are assigned the root privileges to use theSybaseSetup.

4 To apply setuid bit to the SybaseSetup, type the following in the command:

chmod 4750 SybaseSetup.

To configure ESMmodules for Sybase ASE by using SybaseSetup as a non-root user

1 Log on to the ESM agent computer as a non-root user.

2 Run the SybaseSetup to configure the Sybase ASE servers.

See “Configuration of the ESM modules for Sybase ASE” on page 31.

System requirementsTable 2-2 list the supported SybaseASE versions and operating systems onwhichthe ESM application modules for Sybase ASE can report.

Note:As per Symantec's End of Life product support policy, the ESM Modules forSybase ASE are not supported on ESM 6.0.

21Installing Symantec ESM modules for Sybase ASESystem requirements

Table 2-2 Supported Sybase ASE versions and operating systems

SupportedSybase versions

Supported OS versionsArchitectureSupportedoperatingsystems

12.5.2, 12.5.4,15.0.0, 15.0.1,15.0.2

5.2RS 6000AIX (32-bit)

12.5.2, 12.5.4,15.0.0, 15.0.1,15.0.2, 15.0.3

5.3, 6.1PPC 64AIX (64-bit)

12.5.2, 12.5.4,15.0.0, 15.0.1,15.0.2, 15.0.3

2.8, 2.9, 2.10SPARCSun Solaris (32-bitand 64-bit)

12.5.2, 12.5.4,15.0.0, 15.0.1,15.0.2

11.11, 11.23, 11.31PARISCHP-UX (32-bit and64-bit)

12.5.2, 12.5.4,15.0.0, 15.0.1,15.0.2

11.23Itanium®HP-UX (64-bit)

12.5.2, 12.5.4,15.0.0, 15.0.1,15.0.2

3, 4x86, x64Red Hat EnterpriseLinux AS (32-bitand 64-bit )

12.5.2, 12.5.4,15.0.0, 15.0.1,15.0.2

3, 4, 5.0, 5.1, 5.2, 5.3, 5.4x86, x64Red Hat EnterpriseLinux ES (32-bitand 64-bit )

Note: You can use HPUX-Itanium only in a network-based environment. You canuse the other operating systems in a network-based andhost-based environment.

See “About configuring the Sybase ASE in a network-based environment”on page 32.

To install the ESMmodules for Sybase ASE, youmust have the following free diskspace:

Note: The disk space requirements are only for the Symantec ESM Modules forSybase and not for the ESM agents.

Installing Symantec ESM modules for Sybase ASESystem requirements

22

Table 2-3 Disk space requirements

Disk spaceSupported OSVersion

ArchitectureSupportedoperating systems

90 MB5.2RS 6000AIX (32-bit)

108 MB5.3, 6.1PPC 64AIX (64-bit)

37 MB2.8,2.9,2.10SPARCSun Solaris (32-bitand 64-bit)

70 MB11.11, 11.23, 11.31PARISCHP-UX (32-bit and64-bit)

36 MB3, 4x86, x64Red Hat EnterpriseLinux AS (32-bit and64-bit )

36 MB3, 4, 5.0, 5.1, 5.2, 5.3,5.4

x86, x64Red Hat EnterpriseLinux ES (32-bit and64-bit )

About using parameters in the esmsybaseenv.dat fileThis table lists the different parameters that you canuse in the esmsybaseenv.datfile to work with the Sybase ASE modules.

23Installing Symantec ESM modules for Sybase ASEAbout using parameters in the esmsybaseenv.dat file

Table 2-4 Parameters and their usage

ExampleParameter valueDescriptionParameter name

configSymEsmDbaRoles

The default rolesare the sa_role andthe sso_role.

If you do notspecify theparameter in theesmsybaseenv.datfile then defaultroles are assigned.If you specify theparameter thenuser-defined rolesor existing roles areassigned.

You can add thisparameter to theesmsybaseenv.dat

file as configSymEsmDbaRoles.

You can use thisparameter togrant roles to theSYMESMDBAaccount whileconfiguring theSybase ASE.

SymEsmDbaRoles

config PassSpecString$@%

The default specialcharacters are theunderscore (_) andthe hash (#).

The other specialcharacters that youcan use are $@%.


file as configPassSpecString.

You can use thisparameter tospecify thespecialcharacters thatyou can usewhile generatingthe password forthe configuredaccount.

PassSpecString

Installing Symantec ESM modules for Sybase ASEAbout using parameters in the esmsybaseenv.dat file

24

Table 2-4 Parameters and their usage (continued)


configPassChangedPeriod 30

If you want tochange thepassword of yourconfigured accountthen you set thePasswordexpiration intervalsetting parameterto 0.

If you do notspecify any valuethen by default thevalue is 35 days.


file as configPassChangedPeriod.

You can use thisparameter tospecify theperiod afterwhich you wantto change thepassword of theconfiguredaccount.

PassChangedPeriod

configPrecreatedNoPassChange1

If you do not wantto change thepassword of yourconfigured accountthen you set thePrecreatedNoPassChangeparameter to 1.This value is notset by default.

You can use thispassword to notto change thepassword of thepre-createdaccount.

PrecreatedNoPassChange

25Installing Symantec ESM modules for Sybase ASEAbout using parameters in the esmsybaseenv.dat file

Table 2-4 Parameters and their usage (continued)


config UsingTimeout 50If you set thedefault value to 0,the Sybase ASEserver never timesout.


file as configUsingTimeout.

You can use theparameter tospecify thetimeout period ifthe Sybase ASEserver is unableto complete therequest withinthe specifiedtime.

UsingTimeout

See “Installing the ESM modules for Sybase ASE” on page 26.

See “Configuring the Sybase ASE server by using the Sybase ASE Discoverymodule” on page 34.

Installing the ESM modules for Sybase ASEYou can install the Sybase ASE module on the ESM agent computer by using theesmsyb.tpi.

You must have SU 23 or later installed on the ESM agent computer before youinstall the ESM modules for Sybase ASE.

The installation program does the following:

■ Extracts and installs module executables, configuration (.m) files, and thetemplate files.

■ Registers the .m and the template files by using the ESM agent’s registrationprogram.

Note: If you register the .m files during a module installation on an agent thatis installed on the same platform, then you do not have to re-register the .mfiles again.

■ Launches the SybaseSetup program to create the SYMESMDBA account forreporting.

Installing Symantec ESM modules for Sybase ASEInstalling the ESM modules for Sybase ASE

26

The password for the SYMESMDBA account is 12 characters long and isgenerated randomly. The password is encrypted by using a 256-bit AESencryption algorithm and is stored in the /esm/config/SybaseModule.datfile.

Note: The SYMESMDBA account can perform only the Read operations.

■ Grants the following default roles to SYMESMDBA account:

■ sa_role

■ sso_roleYou can either grant one role or multiple roles. You can grant a role in thefollowing way:

■ Addaparameter "config SymEsmDbaRoles ” entryto the esmsybaseenv.dat file.

You can use a comma or a space to separate the multiple roles.

Note: The esmsybaseenv.dat file does not exist by default and you mustcreate it manually.

■ Auto-generates the password for the reporting account. The ESMmodules forthe Sybase ASE considers the following parameters during auto-generationof the passwords :

■ PassChangedPeriodThe “PassChangedPeriod” parameter specifies the number of days afterwhich you want to change the password of the configured account.If you set the "Password expiration interval” setting of the configuredaccount to 0, the password changes after every policy run.

■ PrecreatedNoPassChangeIf you do not want to change the password of your pre-created accountthen you set the PrecreatedNoPassChange parameter to 1.This value is not set by default. Periodically, you must manually changethe pre-created account password that you have configured.

■ PassSpecStringThe password must contain at least one upper-case, one lower-case, onenumeric character (0-9), and one special character. The default specialcharacters are the underscore (_) and the hash (#). If you want to use otherspecial characters, you can also add a parameter ‘’config PassSpecString

27Installing Symantec ESM modules for Sybase ASEInstalling the ESM modules for Sybase ASE

$@%” entry into the /esm/config/esmsybaseenv.dat file before you run theSybase configuration.

Note: If you change the password for the pre-created account then youmustmodify the records byusing the /esm/bin//SybaseSetup.

To install the ESM modules for Sybase ASE

1 Fromtheproductdisc, run the /DATABASES/Sybase/Modules//esmsyb.tpi.

You can also download and copy the esmsyb.tpi from the Security ResponseWeb site to the desired location.

2 Choose one of the following option:

To display the contents of the package.Option 1

To install the module.Option 2

3 The 'Do you wish to register the template or .m files?' message appears. Doone of the following:

■ Type a Y, if the files are not registered with the manager.

■ Type an N, if the files have already been registered and skip to See “Toconfigure for the Sybase ASE servers on the ESM agent computers”on page 29.

Note:Youmust register the template and the .m files once for the agents thatuse the same manager on the same operating system.

4 Enter the ESM manager that the agent is registered to.

Usually, it is the name of the computer that the manager is installed on.

5 Enter the ESM access name (login name) for the manager.

6 Enter the ESM password that is used to log on to the ESM manager.

7 Enter the network protocol that is used to contact the ESM manager.

8 Enter the port that is used to contact the ESM Manager. The default port is5600.

9 Enter the name of the agent as it is currently registered to the ESMmanager.

Usually, it is the name of the computer that the agent is installed on.

Installing Symantec ESM modules for Sybase ASEInstalling the ESM modules for Sybase ASE

28

http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=esmhttp://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=esm

10 The 'Is this information correct?' message appears. Do one of the following:

■ Type a Y, the agent continues with the registration to the ESM manager.

■ Type an N, the setup prompts to re-enter the details of the new manager.

When the extraction is complete, you are prompted to add configurationrecords to enable the ESM security checking for your Sybase ASE.

11 The 'Continue and add configuration records to enable ESMsecurity checkingfor your Sybase ASE? [yes]' message appears. Do one of the following:

■ Type a Y, to configure the Sybase ASE module on the agent computer.If you have typed a Y, the installation program reads the existingconfiguration records and displays them.

■ Type an N, the program installation continues without configuration.

To configure for the Sybase ASE servers on the ESM agent computers

1 To add a configuration record for the Sybase ASE server, do the following:

■ Enter the Sybase path.You must specify the path where you have installed the Sybase ASE onthe ESM agent computer.

■ Enter the SYBASE_OCS directory in Sybase path [OCS-XX_0]: default OCSpath.The ESM for Sybase ASE servers module installation program displaysthe existing Sybase ASE servers that are found in the OCS path that youprovide.

2 The ‘Would you like to add a configuration record for this server’ “Servername”? message appears [yes]. Do the following:

■ Enter the sa or pre-created login for server “Server name” [sa]:

■ Enter the password that is used to log on to the “Server name” server:

■ Re-Enter password:The sa account creates the SYMESMDBA login account to perform thesecurity checks and then displays the login information of theSYMESMDBA account.

3 The 'Is this information correct?' message appears. Do one of the following:

■ Type a Y, to continue and add configuration records to enable the ESMsecurity checking for your Sybase ASE.

■ Type an N, to re-enter the configuration information.

After the setup completes the configuration for the first detected SybaseASEserver, you are prompted to configure the other detected SybaseASE servers.

29Installing Symantec ESM modules for Sybase ASEInstalling the ESM modules for Sybase ASE

4 The ‘Would you like to add a configuration record for this server "Servername"? [yes] message appears. Do the following:

■ Type a Y, to add another server record.

5 The ‘Would you like to continue for another Sybase path?’ [no] messageappears.

If you type an N, the configuration exits and the setup continues with theinstallation program. After you have created the configuration records foreach Sybase ASE server, the program lists all of the configuration records.

6 The ‘Do you wish to push the report content file [no]? message appears’. Dothe following:

■ Type a Y, to push the RDL package to the manager.

■ Type an N, to exit the program.

Note: The encryption that is used to store the credentials for reporting is 256-bitAES encryption algorithm.

Silently installing the ESM modules for Sybase ASEYou can silently install the ESMmodules for Sybase ASE by using the esmsyb.tpi.

Table 2-5 lists the command line options for silently installing the ESM modulesfor Sybase ASE.

Table 2-5 Options to silently install the ESM modules for Sybase ASE

DescriptionOption

Install this tune-up/third-party package.-i

Display the description and contents of this tune-up/third-party package.-d

Specify the ESM access record name.-U

Do not execute the before and after executables (installation withoutconfiguration).

-e

Specify the ESM access record password.-P

Specify the TCP port to use.-p

Specify the ESM manager name.-m

Connect to the ESM manager by using TCP.-t

Installing Symantec ESM modules for Sybase ASESilently installing the ESM modules for Sybase ASE

30

Table 2-5 Options to silently install the ESM modules for Sybase ASE(continued)

DescriptionOption

Connect to the ESM manager by using IPX (Windows only).-x

Specify the ESM agent name to use for registration-g

Do not prompt for and do the re-registration of the agents.-K

No return is required to exit the tune-up package (Windows only).-n

Do not update the report content file on the manager.-N

Update the report content file on the manager.-Y

To silently install the ESM modules for Sybase ASE without configuration

◆ At the command prompt, type the following:

./esmsyb.tpi -it -m -U -p -P-g -e

If the installation succeeds, the return value is 0. If the installation fails, the returnvalue is 1.

Configuration of the ESM modules for Sybase ASEAfter installing Symantec ESM Modules for Sybase ASE, you can edit theconfiguration records. A configuration record is created for each Sybase ASEserver when you enable the security checking during installation.

Note: Before a policy run, you must configure the ESM modules for Sybase ASErelated information and credentials for the applicationmodules to report on. Youcan use a pre-created account or an sa account. With an sa account, ESM uses aSYMESMDBAaccount for reporting. Pre-created account is a non-sa account thatyou can create before the configuration.

Editing configuration recordsYou can add, modify, or remove the Sybase ASE servers that are configured forSymantec ESM security checks by using the SybaseSetup program. By default,SybaseSetup is located in the \ESM\bin\\.

Table 2-6 lists the options that you can use when running the SybaseSetup.

31Installing Symantec ESM modules for Sybase ASEConfiguration of the ESM modules for Sybase ASE

Table 2-6 Editing configuration records

To do thisType

Display help.SybaseSetup -h

Create configuration records for detected Sybase ASE servers.SybaseSetup -c

Add a new configuration record for undetected Sybase ASEservers.

SybaseSetup -a

Modify existing Sybase ASE configuration records.SybaseSetup -m

List existing Sybase ASE configuration records.SybaseSetup -l

Add configuration records for the generic credentials.SybaseSetup -G

Note: If no option is specified, SybaseSetup runs with the -h option.

About configuring the Sybase ASE in a network-based environmentYou cannot install the ESM application modules for Sybase ASE on the HP-UXItanium ESM agent computers. Instead, these agents must be queried from aremoteESMagent computer onadifferent platform that is supported for theESMapplication modules for the Sybase ASE.

To report on a Sybase ASE in a network-based environment

1 Copy the Sybase ASE server and port information from the network-basedSybase ASE server interfaces file //interfaces to the interfaces file that is present on thehost-basedSybase ASE server.

You must ensure that you can connect to the network-based Sybase ASEserver by using the isql utility on the host-based Sybase ASE server.

2 Configure the host-based SybaseASE server by using the SybaseSetup utility.

Note: You cannot use the Sybase ASE Discovery module to configure thenetwork-based Sybase ASE server.

Installing Symantec ESM modules for Sybase ASEConfiguration of the ESM modules for Sybase ASE

32

Silently configuring the ESMmodules for SybaseASEYou can silently configure the ESM modules for Sybase ASE by using theSybaseSetup. You can find the SybaseSetup at /esm/bin//SybaseSetup.

Table 2-7 lists the command line options for silently configuring the ESMmodulesfor Sybase ASE.

Table 2-7 Options to silently configure the ESM modules for Sybase ASE

DescriptionOption

Display help.-h

Add a new configuration record for undetected Sybase ASE.-a

Do not delete the existing SYMESMDBA account duringconfiguration.

Note: This is an optional switch.

-n

Directory path of Sybase ASE.-S

Directory of Sybase OCS.-O

The sa login for Sybase ASE server to create SYMESMDBA account,or pre-created account for ESM to perform checks.

-A

The password for Sybase ASE server login.-P

Specify the file name that contains the encrypted generic credentialrecord.

-gif

Specify the file name that should be created with the encryptedgeneric credentials record.

-gof

Use this option with -gif option.

If you select the option and if at the same time, you replace thegeneric pre-created credentials with 'sa' credentials then all therecords that are configured to use generic pre-created credentialsare deleted from the configuration file.

-ng

Note: If you do not specify any option then ./SybaseSetup runswith the -h option.

33Installing Symantec ESM modules for Sybase ASESilently configuring the ESM modules for Sybase ASE

To silently configure the ESM modules for Sybase ASE

◆ At the command prompt, type the following:

./SybaseSetup -a -S -O -A

-P

If the configuration succeeds, the return value is 0.

If the configuration fails, the return value is 255.

After you have run the SybaseSetup, the logs are created in/esm/system// EsmSybaseConfig.log.

Configuring the Sybase ASE server by using theSybase ASE Discovery module

The host-based Sybase ASE Discovery module automates the detection andconfiguration of new Sybase ASE servers that are not yet configured on the ESMagent computers. TheSybaseASEDiscoverymodule alsodetects andautomaticallyremoves the deleted or the unreachable Sybase ASE servers.

You can configure the Sybase ASE servers by using the generic credentials. Thegeneric credentials are the common Sybase ASE credentials that you can useacross servers. The generic credentials can be a “sa” account or a pre-createdaccount. If you use a “sa” account then a SYMESMDBAaccount is created on everyserver and is used for reporting.

If you use a pre-created account then you can add the new configuration optionPrecreatedNoPassChange 1 in the esm/config/esmsybaseenv.dat file.

Formore information on the PrecreatedNoPassChange parameter, See “Installingthe ESM modules for Sybase ASE” on page 26.

Configuring a new Sybase ASE serverTo report on the Sybase ASE server, you must first configure the Sybase ASEserver on an ESM agent computer. The configuration helps the ESM applicationmodules for Sybase ASE to understand which servers the module should reporton.

Installing Symantec ESM modules for Sybase ASEConfiguring the Sybase ASE server by using the Sybase ASE Discovery module

34

To configure a new Sybase ASE server

1 Run the Sybase ASE Discovery module on the ESM agent computer that hasthe Sybase ASE server installed.

The module lists all the new Sybase ASE servers that were not configuredearlier.

2 Select multiple Sybase ASE servers and do one of the following:

■ Right-click and select Correction option.The Correction option configures the Sybase ASE servers with the servercredentials. When you enter the pre-created credentials the server isconfigured using the pre-created credentials. When you enter the “sa”credentials the SYMESMDBA is created. However, if you are using thepre-created credentials then SYMESMDBA is not created.

■ Right-click and select Snapshot Update option.The Snapshot Update option configures the Sybase ASE servers withgeneric credentials. Before you select the Snapshot Update option, youmust first configure the generic credentials.See “Configuring SybaseASEwith generic credentials” on page 36.

To configure a new Sybase ASE server automatically

1 Enable the check Automatically add new Sybase ASE server.

The check automatically configures the newly discovered Sybase ASE serverin the configuration file /esm/config/SybaseModule.dat. The check usesthe generic credentials and attempts to connect to the server. After eachsuccessful connection, the SybaseASEDiscoverymodule adds a configurationrecord in the configuration file. If the connection attempt fails then themodule returns a correctable message.

2 To use the Correctable option

■ Right-click on the message.

■ Choose Correction option.You are prompted to enter the credentials to connect to the server again.Do one of the following

■ Enter pre-created credentials.The SybaseASE server is configured using the pre-created credentials.

■ Enter “sa” credentials.The SYMESMDBA account is created.

35Installing Symantec ESM modules for Sybase ASEConfiguring the Sybase ASE server by using the Sybase ASE Discovery module

Validating Sybase ASE server credentialsThe Validate configuration check uses the configured credentials and connectsto the server.

The module does the following:

■ Checks whether the configured account is unlocked.

■ Checks for the assigned roles of the configured account.

If the SymEsmDbaRoles parameter is configured in the esmsybaseenv.dat filethen the module checks for the defined roles. By default the module checks forthe “sa” and the “sso” roles.

If the validation of the SYMESMDBA account fails and the generic credentials arepresent then the SYMESMDBA account is recreated. For pre-created account, themodule returns a correctable message. When the server is configured usingpre-created account, auto-correction is not supported.

To use the Correction option

1 Right-click on the message.

2 Select Correction option.

You are prompted to enter the credentials to connect to the server again. Doone of the following:

■ Enter the sa credentials.The SYMESMDBA account is recreated. This SYMESMDBA account isunlocked and the required roles are assigned to it.

■ Enter the pre-created credentials.The server is configured with the pre-created credential

See “Validate configuration” on page 45.

Configuring Sybase ASE with generic credentialsYou can configure a new Sybase ASE server on an ESM agent computer by usinga generic credential. The generic credential option helps you to configure acommon Sybase ASE server credential for all the Sybase ASE servers on an ESMagent computer.

To specify generic credentials

1 On the command prompt , type SybaseSetup –G.

2 Enter the Generic Login ID: User name.

Installing Symantec ESM modules for Sybase ASEConfiguring the Sybase ASE server by using the Sybase ASE Discovery module

36

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The generic credentials are configured in the SybaseModule.dat file.

If you have a pre-created account configured and you want to replace it with ansa account then the setup returns a message warning that the records that wereconfigured to use the pre-created generic credentials will be removed.

If you enter YES, the setup does the following:

■ Removes the records that were configured to use the pre-created genericcredentials.

■ Replaces the generic credentials.You must run the Sybase ASE Discovery module again.

Reusing generic credentials of a Sybase ASEIf you want to specify a common generic credential on multiple ESM agentcomputers it is not necessary to use SybaseSetup –G option on every ESM agentcomputer. Instead, you canuse -gif and -gof options to specify a generic credential.The specified generic credential is then stored in an encrypted format in a filethat can be reused on every ESM agent computer.

To specify generic credentials

1 On the command prompt, type SybaseSetup -gof

For example: SybaseSetup -gof < /esm/bin//pass.dat>.

2 Enter the Generic Login ID: User name.

3 Enter a password for the generic login. Reconfirm the password.

4 Press Enter.

The pass.dat file is created with the encrypted generic credentials that arespecified in Step 1.

To reuse generic credentials

1 Copy the pass.dat file on a SybaseASEESMagent computerwhere youwantto import the generic credentials.

2 On the command prompt, type SybaseSETUP -gif

The generic credentials are imported in the SybaseModule.dat file.

See “Configuring a new Sybase ASE server” on page 34.

37Installing Symantec ESM modules for Sybase ASEConfiguring the Sybase ASE server by using the Sybase ASE Discovery module

Removing unreachable or deleted serversAlthough, you may have deleted a Sybase ASE server, the configurationinformation still exists in the configuration file /esm/config/SybaseModule.dat.The Sybase ASE Discovery module when executed removes the configurationinformation of such Sybase ASE servers.

To remove unreachable or deleted servers manually

1 Run the Sybase ASE Discovery module on the target ESM agent computers.Themodule lists all the unreachable and the deleted Sybase ASE servers thatwere configured earlier.

2 Select multiple Sybase ASE servers right-click, and select Snapshot Updateoption. The Snapshot Update option removes the configuration informationof such Sybase ASE servers.

To remove unreachable or deleted servers automatically

◆ Enable the check Automatically remove deleted Sybase ASE servers. Themodule automatically removes the corresponding server records from theconfiguration file /esm/config/SybaseModule.dat.

About the Logging functionality on the Sybase ASEmodules

The logging feature in the Sybase ASE modules enables the ESM agent to log theinformation, such as errors and exceptions that a module generates at the runtime. This feature is currently enabled for the Sybase ASE Discovery module.

About the log levels of the messagesTheESM log level specifies the type and criticality of amessage. You canmanuallycreate a configuration file on the ESM agent computer and specify the log levelmessages that you want to be logged.

ESM checks the log level that you set in the configuration file and stores only thequalifying messages in the log file.

See “Creating the configuration file” on page 40.

You can specify the following log levels:

Installing Symantec ESM modules for Sybase ASEAbout the Logging functionality on the Sybase ASE modules

38

All errors are logged.

The following are some examples of theerrors:

■ Template file not found

■ Configuration file not found

ESM_LOG_ERROR

All warnings are logged.ESM_LOG_WARNING

All information messages are logged.

The information that is gathered during apolicy run is also logged at this level.

Note: When you enable theESM_LOG_INFORMATION level, theperformance of the module may be affectedbecause all the information messages arelogged.

ESM_LOG_INFORMATION

All debug information is logged.ESM_LOG_TRACE

Includes all log levels except ESM_NO_LOG.ESM_LOG_MAXIMUM

Disable logging for the module.ESM_NO_LOG

You specify the log level in the LogLevel parameter of the configuration file. Forexample, to log the messages that are related to critical failures, specify the loglevel as follows:

[sybasediscovery_LogLevel] = ESM_LOG_TRACE

You can also specifymultiple log levels by separating themwith a pipe (|) characteras follows:

[sybasediscovery_LogLevel] = ESM_LOG_INFORMATION|ESM_LOG_ERROR

You can use log levels for specific operations as follows:

ESM_LOG_INFORMATION andESM_LOG_ERROR

For regular policy runs

ESM_LOG_INFORMATION,ESM_LOG_ERROR, and ESM_LOG_TRACE

To generate detailed logs for policy failure

39Installing Symantec ESM modules for Sybase ASEAbout the Logging functionality on the Sybase ASE modules

Creating the configuration fileYou can create a configuration file named esmlog.conf in the /config folder on the ESM agent computer and specify the values that ESMuses to store the logs of a module.

To create the configuration file

1 Change to the /config folder.

2 Create a new text file and specify the parameters and their values.

3 Save the text file as esmlog.conf.

See “Parameters of the configuration file” on page 40.

The following is an example of the entries in the configuration file:

[MaxFileSize] = 1024

[NoofBackupFile] = 20

[LogFileDirectory] = /system/agentname/logs

[sybasediscovery_LogLevel] = ESM_LOG_INFORMATION|ESM_LOG_TRACE

[sybasediscovery_LogLevel] = ESM_LOG_INFORMATION

Note: No default configuration file is shipped with the Sybase ASE modules. Youneed to manually create the file and specify the parameters in it.

Parameters of the configuration fileTable 2-8 lists the parameters that you need to specify in the configuration file.

Table 2-8 Configuration file parameters

Default valueRange of valuesDescriptionParameter name

1 MB1 MB to 1024 MB (1GB)

Specify themaximum file sizefor the log file in MB

[MaxFileSize]


40

Table 2-8 Configuration file parameters (continued)

Default valueRange of valuesDescriptionParameter name

10 to 20Specify the numberof backup files of thelogs that can bestored per module.

For example, if thevalue ofNOOFBACKUPFILEis3, then ESM stores amaximum of 3backup files for themodule.

[NoOfBackupFile]

The directory/esm/system//tmp/

N/ASpecify the absolutepath to store the logfile and backup logfiles.

[LogFileDirectory]

ESM_LOG_ERRORN/ASpecify the log levelalong with the shortname of the module.

For example, to logall errormessages forthe Sybase ASEDiscovery module,specify the following:

[sybasediscovery_LogLevel]=ESM_LOG_ERROR

[_LogLevel]

If the configuration file esmlog.conf is not present then the logging functionalityappears to be disabled and no logs are generated.

About the ESM agent log fileThe ESM agent computer now stores the log file esmlog.conf of the modules inthe directory that the user specifies. If the directory that the user specifies doesnot exist, then the module first creates the directory and then stores the log filesin it.

The log file has the following format:

.log

41Installing Symantec ESM modules for Sybase ASEAbout the Logging functionality on the Sybase ASE modules

The is the short name of the module. For example, the log fileof the Sybase ASE Discovery module is named sybasediscovery.log. The backupfile name for Sybase ASE Discovery module is named sybasediscovery.log_1.bakand so on.

Note: During the process of logging, ESM locks the log file to store the logginginformation. If the log file is open at that time, the information about the logsmay be lost.

Format of the log fileA log file contains the following fields:

Serial number of the log file entry

The serial number is displayed inhexadecimal format.

The serial number is reset in the next policyrun on the module.

Serial Number

Thread identifier of the process thatgenerated the message

Thread ID

Name of the source file that generates themessage.

Source File Name

Line number in the source file from wherethe message generates

Line Number

Date on which the log was createdDate

Time at which the log was createdTime

Theactualmessage thatwasgeneratedalongwith the log level of that message.

Message

About the backup of logsWhen the log file reaches a specified size limit, ESM backs up the log file. Thissize limit is configurable and you can specify it in the MaxFileSize parameter ofthe configuration file.

If the log file reaches the MaxFileSize value, ESM creates a backup of the log filedepending on theNoofBackupFile value that is specified in configuration file. Forexample, if the NoofBackupFile value is 0, ESM overwrites the existing log file, ifany, for the module.


42

Symantec ESM modulechecks for Sybase ASE


■ About Symantec ESM module checks for Sybase ASE

■ Sybase ASE Discovery

■ Sybase ASE Account

■ Sybase ASE Auditing

■ Sybase ASE Configuration

■ Sybase ASE Object

■ Sybase ASE Password Strength

■ Sybase ASE Patches

■ Sybase ASE Roles and Groups

About Symantec ESMmodule checks for Sybase ASEBy default, the checks are disabled when you install the module. To enable thechecks, right-click on a policy and select Properties. The Properties dialog boxis displayed. See the SymantecEnterprise SecurityManagerAdministrator'sGuidefor more information on using module properties.

3Chapter

Sybase ASE DiscoveryThe checks in the Sybase ASE Discovery module automate the detection andconfiguration of new Sybase ASE servers that are not yet configured on the ESMagent computers. TheSybaseASEDiscoverymodule alsodetects andautomaticallyremoves thedeletedSybaseASEservers fromthe/esm/config/SybaseModule.datconfiguration file.

Note: The Sybase ASE Discovery module detects the new servers when you startthe database server with the full path and use the option –s . Forexample, /opt/sybase/ASE-12_5/bin/dataserver -sSYBASESERVER.

Detect new database serverThis check reports the Sybase ASE servers that are newly detected on the ESMagent computers and that were not configured earlier.

Table 3-1 lists the message output for the Detect new database server check.

Table 3-1 Detect new database server message

SeverityTitleMessage name

yellow-1New Database ServerESM_SYBASE_NEW_DB_SERVER_DETECTED

Detect deleted database serverThis check reports the Sybase ASE servers that are deleted or unreachable butare still configured in the /esm/config/SybaseModule.dat configuration file.

Table 3-2 lists the message output for the Detect deleted database server check.

Table 3-2 Detect deleted database server message


yellow-1Deleted Database ServerESM_SYBASE_DEL_DB_SERVER_DETECTED

Symantec ESM module checks for Sybase ASESybase ASE Discovery

44

Automatically add new database serverThis check works with the Detect new database server check. The checkAutomatically add new database server uses the generic credentials toautomatically configure the newly detected Sybase ASE servers.

Table 3-3 lists themessage output for the Automatically add new database servercheck.

Table 3-3 Automatically add new database server message


yellow-1Added New Database ServerESM_SYBASE_NEW_DB_SERVER_ADDED

yellow-1Failed to Add New DatabaseESM_SYBASE_ADD_DB_SERVER_FAILED

Automatically remove deleted database serverThis checkworkswith theDetectdeleteddatabaseserver check to automaticallyremove the deleted or the unreachable Sybase ASE server records from the/esm/config/SybaseModule.dat configuration file.

Table 3-4 lists themessage output for theAutomatically remove deleted databaseserver check.

Table 3-4 Automatically remove deleted database server message


yellow-1Deleted Database ServerESM_SYBASE_DEL_DB_SERVER_DETECTED

Validate configurationThis check validates the entries of the configuration records for successfulconnection and assigned roles. The Sybase ASE Discovery module automaticallycorrects the accounts, if the generic credential that is used is sa and theconfiguration record entry is SYMESMDBA.

Table 3-5 lists the message output for the Validate configuration check.

45Symantec ESM module checks for Sybase ASESybase ASE Discovery

Table 3-5 Validate configuration message


yellow-1Server validation successfulESM_SYBASE_CREDENTIALS_VERIFIED

yellow-1Sybase validation failedESM_SYBASE_CREDENTIALS_FAILED

yellow-1Sybase server credentialsrectified

ESM_SYBASE_CREDENTIALS_RECTIFIED

yellow-1Sybase server credentialsroles validation failed

ESM_SYBASE_CREDENTIALS_ROLES_FAILED

Sybase ASE AccountThe checks in the Sybase ASE Account module evaluate the account settings ofthe Sybase ASE server. The checks report on the accounts that are found to benew or deleted.

Servers to checkThis check specifies the SybaseASE servers that themodule includes or excludes.Use the name list to include or exclude the Sybase ASE servers for all the SybaseASE Account checks.

Automatically update snapshotsEnable this check to automatically update the snapshots with the currentinformation.

Unlocked default logon accountsThis check reports the default logon accounts that should be locked.Use the namelist to include the default logon accounts that you want the check to report on. Ifthe name list is left empty the check reports no problems found.

Table 3-6 lists the new message for the Unlocked default logon accounts check.

Symantec ESM module checks for Sybase ASESybase ASE Account

46

Table 3-6 Unlocked default logon accounts message


Yellow-2Unlocked default logonaccount

ESM_SYBASE_DEFAULT_LOGON_ACCOUNT

Logon accountsThis check reports the logon accounts and the status. Use the name list to includeor exclude the logon names for this check.

Table 3-7 lists the new message for the Logon accounts check.

Table 3-7 Logon accounts message


Yellow-2Logon accountsESM_SYBASE_LOGON_ACCOUNTS

New logon accountsThis check reports the logon accounts that were added to the database after thelast snapshot update. Use the name list to include or exclude the logon names forthis check.

Table 3-8 lists the new message for the New logon accounts check.

Table 3-8 New logon accounts message


Yellow-2New logon accountsESM_SYBASE_NEW_LOGON_ACCOUNTS

Deleted logon accountsThis check reports the logon accounts that were deleted from the database afterthe last snapshot update. Use the name list to include or exclude the logon namesfor this check.

Table 3-9 lists the new message for the Deleted logon accounts check.

47Symantec ESM module checks for Sybase ASESybase ASE Account

Table 3-9 Deleted logon accounts message


Yellow-2Deleted logon accountsESM_SYBASE_DELETED_LOGON_ACCOUNT

Database user aliasesThis check reports the aliases of the database users that are present on the server.Use the name list to include or exclude the database users whose aliases youwantto report.

Table 3-10 lists the new message for the Database user aliases check.

Table 3-10 Database user aliases message


Yellow-2Alias of the Database userESM_SYBASE_ALIAS

Login triggersThis check reports the Sybase ASE logins that have login triggers assigned tothem and the global login trigger defined on the Sybase ASE server. Use the namelist to include or exclude the login names that the check should report on.

The Global login trigger is useful when you want all the logins to apply the samelogin trigger.

The login triggers that the check reports are the ASE stored procedures. Thesestoredprocedures are automatically executed in the settingswhenyou successfullylog on to the Sybase ASE server.

Table 3-11 lists the new message for the Login triggers check.

Table 3-11 Login triggers message


Yellow-2Global login triggerESM_SYBASE_GLOBAL_TRIGGER

Yellow-2Login triggerESM_SYBASE_LOGIN_TRIGGER

The following table lists the messages the check reports on different versions:

Symantec ESM module checks for Sybase ASESybase ASE Account

48

ESM_SYBASE_LOGIN_ TRIGGERSybase ASE all versions

ESM_SYBASE_GLOBAL_ TRIGGERSybase ASE 12.5.4 and later and 15.0.2 andlater versions

Inactive accountsThis check reports the unlocked Sybase ASE logins that have not logged on to theserver for more than the days that are specified in the Days since last login textbox. Use the name list to include or exclude the login names that the check shouldreport on. Sybase ASE 15.0.2 and later supports this check.

Enable the configuration parameter 'enable the last login updates.'

The check also reports those login accounts that do not have an entry against thelast login date parameter but were created earlier than the days specified.Moreover, the check reports those login accounts as inactivewhose last login dateparameter indicates that there has been no login to the server for more than thedays specified.

An inactive account is an easy target for those who can break into your system.Hence, you should remove or disable all inactive accounts.

Note: If you specify 0 in the Days since last login text box, the check overlooksthat value and by default reports on 30 days.

Table 3-12 lists the new message for the Inactive accounts check.

Table 3-12 Inactive accounts message


Yellow-2Last loginupdatenot enabledESM_SYBASE_LAST_LOGIN_UPDATE

Red-4Inactive accountESM_SYBASE_INACTIVE_ACCOUNT

Accounts with system rolesThis check reports the accounts that have both the sa_role and sso_role assignedto them. Use the name list to include or exclude the login names that the checkshould report on.

Table 3-13 lists the new message for the Accounts with system roles check.

49Symantec ESM module checks for Sybase ASESybase ASE Account

Table 3-13 Accounts with system roles message


Red-4Account with system rolesESM_SYBASE_SA_SSO_ROLE

Accounts with default master databaseThis check reports the accounts that have master as their default database. Usethe name list to include or exclude the login names that the check should reporton.

Table 3-14 lists the new message for the Accounts with default master databasecheck.

Table 3-14 Accounts with default master database message


Red-4Accountswithdefaultmasterdatabase

ESM_SYBASE_DEFAULT_DB_MASTER

Sybase ASE AuditingThe checks in the Sybase ASE Auditing module validate the audit settings of theSybase ASE server.

Servers to checkThis check specifies the SybaseASE servers that themodule includes or excludes.

Auditing enabledThis check reports the Sybase ASE servers that do not have auditing enabled inthe configuration parameters.

Table 3-15 lists the new message for the Auditing enabled accounts check.

Table 3-15 Auditing enabled message


Red-4Auditing enabledESM_SYBASE_AUDITING_NOT_ENABLED

Symantec ESM module checks for Sybase ASESybase ASE Auditing

50

Auditing threshold procedureThis check reports the Sybase ASE servers that do not have an auditing thresholdprocedure enabled. It checks the sybsecurity database to verify if a valid auditprocedure is defined for each audit segment.

This check works with the Audit segments check.

Use the name list to define the valid threshold procedure names. An empty namelist returns a message for each segment list in the Audit segments check namelist.

Table 3-16 lists the new message for the Auditing threshold procedure check.

Table 3-16 Auditing threshold procedure message


Red-4Auditing thresholdprocedure

ESM_SYBASE_NO_THRESHOLD_PROCEDURE

Audit segmentsThis check specifies which audit segments to check for an audit thresholdprocedure. The Auditingthresholdprocedurecheckworks in collaborationwiththe Audit segments check.

Use the name list to define the audit segments to check. An empty name listreturns a message for every audit segment in the sybsecurity database.

Audit queue sizeThis check reports the Sybase ASE servers that have an audit queue size largerthan the specified value.

When you set the audit queue size, consider that a large value may lose auditrecords if the system goes down before writing records to the table. However, avalue that is too lowmay result in frequent saves to the disk andmay significantlyslow the system.

Table 3-17 lists the new message for the Audit queue size check.

Table 3-17 Audit queue size message


Red-4Audit queue sizeESM_SYBASE_AUDIT_QUEUE_SIZE

51Symantec ESM module checks for Sybase ASESybase ASE Auditing

Suspend audit when dev is fullThis check reports the Sybase ASE servers that have a parameter value for theSuspend audit when dev is full that does not match the specified value.

A value of 0 causes the server to truncate the next audit table and begin using itas the latest audit table once the current audit table fills.

A value of 1 causes the server to suspend

Date post:	29-Jan-2021
Category:	Documents
Upload:	others
View:	7 times
Download:	0 times

Symantec Enterprise Security Manager Modules for Sybase ......Symantec Enterprise Security Manager...

Documents