Symantec™ Control Compliance Suite Data Collection Privileges Guide
Version: 11.0
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version: 11.0
Legal Notice
Copyright © 2013 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Personal Information. You may configure the Licensed Software to collect personal information, including but not limited to, IP address, domain name, domain users, user name, login passwords, security logs, server logs, which is stored on Your system only and is not transmitted to Symantec. Please contact Your network administrator for further details.
Telemetry Option; Non-Personal Information. The Licensed Software contains a telemetry feature which may collect non-personal information. Such non-personal information may include, without limitation, machine configuration, SQL server details, license status, and system performance and will not be correlated with any personal information. Unless You affirmatively opt-out of this feature, telemetry will be automatically enabled to transmit such non-personal information to Symantec so we can better understand the usability and supportability of the product.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec's support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec's support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]
Contents
Technical Support .......................................................................... 4
Chapter 1 Privileges for Windows .......................................................... 9
    Trust requirement to query Windows targets ............................................ 9
    Minimum required privileges to query Windows targets ................................. 9
    Windows domain cache credentials ..................................................... 12
        Frequently asked questions about Windows domain cache credentials ................ 13
Chapter 2 Privileges for SQL Server ...................................................... 17
    Trust requirement to query an SQL Server database .................................... 17
    Minimum required privileges to query an SQL Server database .......................... 17
        Privileges to import an SQL Server Asset ......................................... 18
        Privileges for all the data sources .............................................. 19
        Privileges for specific data sources ............................................. 19
Chapter 3 Privileges for Oracle .......................................................... 31
    Trust requirement to query an Oracle database ........................................ 31
    Minimum required privileges to query an Oracle database .............................. 31
        Privileges for database-related queries .......................................... 32
        Privileges for platform-specific queries ......................................... 33
        Privileges on views to query database-related data sources ....................... 33
    Using sudo functionality for querying Oracle UNIX targets ............................ 35
        Disabling password prompt in the sudoers file .................................... 36
        Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file ......... 36
        Optimizing queries using sudo in the ExecutionContext.ini file ................... 37
        Example of the sudoers file ...................................................... 38
Chapter 1 Privileges for Windows
This chapter includes the following topics:
■ Trust requirement to query Windows targets
■ Minimum required privileges to query Windows targets
■ Windows domain cache credentials
Trust requirement to query Windows targets
Before SCU 2012-03, you required a one way trust from the CCS Manager domain to the target computer domain if the CCS Manager in the data collector role and the Windows target computers were located in different domains. This trust was required for the CCS Manager to log in to the target computer in order to perform data collection on the targets.
CCS v11.0 SCU 2012-03 removes the trust requirement. Once you install SCU 2012-03, you do not require trust between the CCS Manager domain and the target computer domain.
Minimum required privileges to query Windows targets
CCS requires local administrator privileges on target computers for some Windows APIs which are built into the product.
As an example, the following is the list of checks, belonging to data sources mapped to the PCI DSS v2.0 mandate, that require local administrator privileges.
Table 1-1 Data sources mapped to PCI DSS v2.0 mandate that require local administrator privileges

Data source: IIS related data sources
Privilege required: For IIS 6, the querying user should be a Local Administrator on the target computer. For IIS 7, most of the data is collected using WMI APIs.
Mapped standard name: CIS Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP and Server 2003 v1.0
Mapped check names:
■ 4.14.1 Has the trust level been set to medium?
■ 1.1.8 Has the /IISHelp Virtual Directory mapping been removed?
■ 1.2.2 Has the Implicit remote functionality of RDS been disabled?
■ 3.2.1 Is Client-side Application Debugging (AppAllowClientDebug) disabled?
■ 3.3.1 Is Server-side Application Debugging not allowed?

Data source: Registry
Privilege required: The querying user should have either local administrator or WMI rights on the target computer. Registry data is collected using WMI APIs.
Mapped standard name: CIS Security Configuration Benchmark For Microsoft Windows Server 2008 and Windows Server 2008 R2 v1.1.0
Mapped check names:
■ Is "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic" set?
■ Has Configuring of TPM platform validation profile been disabled?
Data source: Directory
Privilege required: The querying user should be a Local Administrator on the target computer.
Mapped standard name: CIS Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP and Server 2003 v1.0
Mapped check names:
■ 1.2.5 Have the RDS files and directories been removed from Program Files\Common Files\System\Msadc?
■ 1.1.1 Have the contents of the "inetpub\wwwroot" folder been removed?
Mapped standard name: CIS Security Configuration Benchmark For Microsoft IIS 7.0 v1.1.0
Mapped check name:
■ 1.1.2.8 Is the msadc folder removed?

Data source: Files
Privilege required: The querying user should be a Local Administrator on the target computer.
Mapped standard name: CIS Benchmark for IIS 5.0 and 6.0 for Microsoft Windows 2000, XP and Server 2003 v1.0
Mapped check names:
■ 1.2.5 Have the RDS files and directories been removed from Program Files\Common Files\System\Msadc?
■ 1.1.1 Have the contents of the "inetpub\wwwroot" folder been removed?
Data source: File Security
Privilege required: The querying user should be a Local Administrator on the target computer.
Mapped standard name: CIS Legacy Security Settings Benchmark for Windows 2003 Domain Controller v2.0
Mapped check names:
■ 4.4.1.18 %SystemRoot%\system32\regedt32.exe Secured?
■ 4.4.1.6 %SystemRoot%\system32\drwatson.exe Secured?

Data source: Service Security
Privilege required: The querying user should be a Local Administrator on the target computer.
Mapped standard name: CIS Legacy Security Settings Benchmark for Windows 2003 Domain Controller v2.0
Mapped check names:
■ 4.1.1.12 License Logging Service Permissions Restricted?
■ 4.1.1.22 Remote Administration Service Permissions Restricted?
■ 4.1.1.35 Telnet Service Permissions Restricted?
Windows domain cache credentials
For querying Windows targets, you must create a domain cache on CCS Manager to store the users, groups, computers and so on, for optimizing data collection. The domain cache can be created by an Active Directory user who is not a domain administrator but has read access over the RootDSE objects of Active Directory.
See "Frequently asked questions about Windows domain cache credentials" on page 13.
Frequently asked questions about Windows domain cache credentials
This section provides functional information on Windows domain cache credentials, which lets you address your queries on using Windows domain cache credentials.
Note: The information in this document is according to the CCS v11.0 release.
Table 1-2 Windows Domain Cache Credentials - FAQ

Query: What is domain cache and why is domain cache required?
Resolution: Domain cache is a Microsoft Access database file which contains information about users, groups, computers, and miscellaneous domain information that is required during data collection. This cache optimizes the data collection job so that the domain controller is not queried for this data on every job.

Query: Was the domain cache built in to the legacy RMS system?
Resolution: Yes. The Windows domain cache was built in to RMS as well and was built on the Master Query Engine.

Query: What are the contents of the domain cache?
Resolution: The cache contains users, groups, computer information, and miscellaneous domain information that is required during data collection.

Query: Is the entire Active Directory replicated into the Windows cache?
Resolution: Only the data which CCS requires during data collection is cached. The entire Active Directory is not cached. The cache also gets updated if there is any change in AD for the data which is cached.

Query: Where do you provide domain cache credentials in CCS Reporting & Analytics?
Resolution: You can provide Windows domain cache credentials by navigating to the Settings menu. Go to Credentials view > Add Common Credentials tab and select Windows Domain Cache as the Platform type.

Query: For parent-child domains, do we need to specify credentials for each domain or only for the parent domain?
Resolution: The cache is built per domain. Hence, you need to provide credentials per domain.

Query: Where is the cache stored?
Resolution: The cache is stored on the CCSM in the folder at <InstallDir>/DPS/Control/Windows/Cache.

Query: How is this Windows domain cache secured?
Resolution: The Windows domain cache is a password-protected Microsoft Access database file.
Query: How does CCS use the Windows domain cache credential to build the domain cache?
Resolution: The domain cache is built internally during data collection. Using the domain cache credentials, CCS Manager (CCSM) connects to the domain controller (AD) and fetches the required information to build and update the cache.

Query: Which data sources refer to data from the Windows domain cache?
Resolution: Any entity or data source that fetches data from the host Windows computer refers to the Windows domain cache. Thus, all Windows platform entities or data sources refer to the cache. SQL and Oracle entities or data sources which need to fetch data from the host Windows computers also refer to the Windows domain cache.

Query: What is the format of the credentials which need to be provided for Windows domain cache credentials?
Resolution:
Domain name field: the value should be the domain name in NetBIOS format.
Username field: domain name\username or username@domain name fqdn
Password field: <password>

Query: What are the minimum privileges that are required for the account to create the domain cache?
Resolution: At present the requirement is confined to Windows domain user credentials. The minimum privileges that are required for the account to create the domain cache are available with Security Content Updates 2012-3.

Query: Do I need to restart the CCSM service after providing domain cache credentials?
Resolution: Symantec recommends that you restart the CCSM service after you reset credentials.

Query: Do we need to provide Windows domain cache credentials even if we perform data collection using RMS?
Resolution: Credentials in CCS R&A are required only for data collection through the new simplified architecture, that is, by way of the CCSM.

Query: What protocol does CCS use to build the domain cache? Does any firewall port need to be opened between the domain controller and the CCS server?
Resolution: The cache is built using the MS RPC protocol and needs the RPC ports open. The mechanism is the same as what CCS needs for Windows data collection.
Query: Is the cache created or required in agent-based mode of data collection?
Resolution: The cache is required for both agent-based and agentless modes of data collection. The cache is always created and updated on the CCSM. This cache is pushed to the agent when the agent has an outdated copy of the cache.

Query: Is the entire cache pushed to the agent during data collection?
Resolution: The entire cache is pushed to the agent up to the cache size threshold limit. If the cache size has crossed the threshold limit, then only the cache difference (delta) is sent to the agent. The cache threshold limit can be managed on the Windows platform settings page by navigating to Settings > System Topology > Map View > Common Tasks > Configure Platform Settings > Windows.

Query: Can Windows domain cache building be optional?
Resolution: No.

Query: Is there a separate job to create the domain cache?
Resolution: CCS does not provide a separate job to create the domain cache. The domain cache is created during data collection if the cache file is not present on the CCSM.

Query: Is there a separate job to update the domain cache?
Resolution: CCS does not provide a separate job to update the domain cache. The domain cache is updated during data collection if the cache on the CCSM is out of date.

Query: What is the refresh interval for the domain cache?
Resolution: By default, the cache refresh interval is 72 hrs. The refresh interval can be changed for a particular site on the Windows platform settings page by navigating to Settings > System Topology > Grid View > Common Tasks > Configure Platform Settings > Windows.

Query: What is the lowest value that can be set for the domain cache refresh interval?
Resolution: You can set the domain cache refresh interval to a minimum of 5 hrs.

Query: Why do we need the setting Last logon interval?
Resolution: The Last Logon Interval is required for updating the user last logon field in the cache file.

Query: Is the Windows domain cache built for workgroup computer assets?
Resolution: The Windows domain cache is required only for domain member server targets or assets. Since workgroup assets do not belong to a domain, the Windows cache is not built for workgroup computer assets.
Query: Why does the data collection job show an error for not being able to build the cache, even though the data collection job completes successfully?
Resolution: These warning messages are shown for a trusted domain for which the cache cannot be built. The cache for a trusted domain is optional, and hence the data collection job completes successfully. Symantec recommends that you provide domain cache credentials for the trusted domains also, so that the cache for them can be built and the data collection results can be accurate.

Query: What if the cache file gets deleted accidentally?
Resolution: Restart the CCSM service on the computer where the cache was stored. The next run of the data collection job builds the cache again.

Query: What if the Windows domain cache is unable to build on a workgroup CCSM?
Resolution: The CCS Manager requires at minimum a one-way trust between the CCSM and the domain for which it creates the cache. Hence, the CCSM cannot build the cache for a domain that is not trusted, or if the CCSM is in a workgroup.

Query: Is the cache synchronized between all CCSMs?
Resolution: The CCSM that gets the data collection job automatically refreshes the cache for itself, and no synchronization is required between CCSMs.
Chapter 2 Privileges for SQL Server
This chapter includes the following topics:
■ Trust requirement to query an SQL Server database
■ Minimum required privileges to query an SQL Server database
Trust requirement to query an SQL Server database
Ensure that there is a domain trust relationship if the CCS Manager in the data collector role and the target computers for SQL are located in different domains. You must have a one way trust from the CCS Manager domain to the target computer domain. CCS Manager must be able to log in to the target computer in order to perform data collection using the minimum privileges mentioned in this document.
Note: The trust requirements mentioned in this document are applicable as of the current release of Control Compliance Suite 11.x. Symantec continues to investigate the opportunity to enable product functionality with the least privileges and trust requirements as an on-going effort.
See "Minimum required privileges to query an SQL Server database" on page 17.
Minimum required privileges to query an SQL Server database
CCS requires certain minimum rights to query against the data sources.
These minimum rights are required by the credentials specified in the Credentials Database.
Note: For data collection on SQL Server 2008, if your organization has specific roles for a SQL Database Administrator, Symantec recommends that the DBA enters the SQL DB Admin privileges wherever required.
The SQL DB Admin privileges may be mandated by the SQL Server application. The CCS Administrator is not required to have a SQL DB Admin role.
The following minimum user rights are required to query the SQL Server:
■ The user credentials supplied (Windows user or SQL Server user) for connecting to the SQL Server should be a user for the SQL Server. Otherwise, the credential verification in the SQL data collector fails.
■ The user credentials supplied for connecting to the SQL Server (Windows user or SQL Server user) must have read rights on the master database. This master database must be of the SQL Server being queried. Otherwise, the credential verification in the SQL data collector fails.
■ To query a particular database on the SQL Server, read rights are required on that database.
■ You must have VIEW DEFINITION privileges on the Microsoft SQL Server being queried. To obtain this privilege, the following SQL statement must be executed against the master database for the user whose credentials are mentioned in the Credentials Database:
GRANT VIEW ANY DEFINITION TO [Server Login]
For example:
GRANT VIEW ANY DEFINITION TO [TestDomain\TestUser]
See "Privileges to import an SQL Server Asset" on page 18.
See "Privileges for all the data sources" on page 19.
See "Privileges for specific data sources" on page 19.
Privileges to import an SQL Server Asset
To import an SQL Server asset into CCS, the Windows user credentials supplied for connecting to the SQL Server should be a local administrator on the SQL Server machine. Otherwise, the SQL Server asset does not get imported.
In order to import the SQL Server asset, CCS requires a list of all SQL instances running on the target computer hosting the SQL Server. Each SQL instance has a separate service which can be seen in the Service Control Manager (SCM) of the target computer. To get the list of SQL instances, CCS needs to connect to the SCM of the target computer. As only administrators can remotely connect to the SCM of a target computer, CCS requires the user credentials to have local administrator rights.
Privileges for all the data sources
The following table specifies the Execute/Select permissions required on the Stored Procedures/System Tables in the Master database for all the data sources.
Table 2-1 Minimum required privileges for all the data sources

Rights on the dependent database object | Master/Current Database | Dependent Tables (T)/Stored Procedure (SP) in SQL Server
Exec   | Master | sp_MSSQLDMO80_version
Exec   | Master | sp_MSSQLDMO70_version
Exec   | Master | sp_Msdbuserpriv
Exec   | Master | sp_MSdbuseraccess
Select | Master | sysprocesses
Privileges for specific data sources
The following table specifies whether Select/Execute permissions are required on the System Tables/Stored Procedures/Views/Database in the Master/Current/msdb database.
Note: You require sysadmin rights to query the SQL-DMO SERVERS data source. The xp_regread stored procedure of the SQL-DMO SERVERS data source requires the user to be a member of the sysadmin role.
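The list of minimum rights above, Table 2-1, and the sysadmin note for the SQL-DMO SERVERS data source describe what the collector account needs. The following T-SQL script is an added example, not part of this guide or of the CCS product: it checks whether a given login actually holds those rights before its credentials are stored in the Credentials Database, so that a credential verification failure is found on the server rather than in a data collection job. It assumes the placeholder login TestDomain\TestUser from the GRANT example above, that you run it as a sysadmin (so EXECUTE AS LOGIN can impersonate that login) or directly as that login with the EXECUTE AS and REVERT lines removed, and that HAS_PERMS_BY_NAME and sys.all_objects are available (SQL Server 2005 or later). Which schema (dbo or sys) the Table 2-1 procedures live in is resolved at run time rather than assumed.

```sql
USE master;
GO

-- Impersonate the collector login while connected as sysadmin.
-- TestDomain\TestUser is a placeholder; substitute the account that will be
-- stored in the Credentials Database. Remove this statement and the REVERT
-- at the end if you are already connected as that account.
EXECUTE AS LOGIN = N'TestDomain\TestUser';
GO

DECLARE @checks TABLE (requirement nvarchar(200), granted int);

-- Server-level right from this section: GRANT VIEW ANY DEFINITION TO [Server Login]
INSERT INTO @checks
SELECT N'VIEW ANY DEFINITION on the server',
       ISNULL(HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DEFINITION'), 0);

-- Read rights on the master database of the server being queried
INSERT INTO @checks
SELECT N'CONNECT to master',
       ISNULL(HAS_PERMS_BY_NAME('master', 'DATABASE', 'CONNECT'), 0);
INSERT INTO @checks
SELECT N'SELECT on master sysprocesses (Table 2-1)',
       ISNULL(HAS_PERMS_BY_NAME('master.sys.sysprocesses', 'OBJECT', 'SELECT'), 0);

-- EXECUTE on the master stored procedures listed in Table 2-1.
-- UNION ALL rather than a multi-row VALUES clause keeps this valid on SQL Server 2005.
DECLARE @procs TABLE (proc_name sysname);
INSERT INTO @procs
SELECT 'sp_MSSQLDMO80_version' UNION ALL
SELECT 'sp_MSSQLDMO70_version' UNION ALL
SELECT 'sp_MSdbuserpriv'       UNION ALL
SELECT 'sp_MSdbuseraccess';

-- Resolve each procedure's schema from sys.all_objects (system objects included),
-- then ask HAS_PERMS_BY_NAME about the fully qualified name. A procedure that
-- does not exist on this server is reported as not granted instead of being
-- silently skipped.
INSERT INTO @checks
SELECT N'EXECUTE on master.' + ISNULL(s.name + N'.', N'') + p.proc_name + N' (Table 2-1)',
       CASE WHEN s.name IS NULL THEN 0
            ELSE ISNULL(HAS_PERMS_BY_NAME(N'master.' + s.name + N'.' + p.proc_name,
                                          'OBJECT', 'EXECUTE'), 0)
       END
FROM @procs AS p
LEFT JOIN sys.all_objects AS o ON o.name = p.proc_name AND o.type IN ('P', 'X')
LEFT JOIN sys.schemas     AS s ON s.schema_id = o.schema_id;

-- The SQL-DMO SERVERS data source (xp_regread) additionally needs sysadmin.
INSERT INTO @checks
SELECT N'sysadmin membership (SQL-DMO SERVERS data source only)',
       ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0);

-- Report: every MISSING row is a right still to be granted to this login.
SELECT requirement,
       CASE granted WHEN 1 THEN 'OK' ELSE 'MISSING' END AS status
FROM @checks
ORDER BY requirement;

REVERT;   -- drop the impersonated context
GO
```

A MISSING row for VIEW ANY DEFINITION is resolved with the GRANT statement quoted in this section; MISSING rows for the master procedures mean EXECUTE has not been granted to that login in master. The sysadmin row is only required when the SQL-DMO SERVERS data source is collected, so it is expected to read MISSING for a least-privilege account that is used for the other data sources only.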
Table 2-2 Minimum required privileges for all the data sources

For each data source the columns are: rights on the dependent database object (Select/Exec); the Master/Current/msdb database; and the dependent table (T), view, stored procedure (SP) or database in SQL Server. The SQL Server version and the SQL-DMO/System Tables type are given with the data source name.

Data source: Backup Devices (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Select | Master  | sysdevices

Data source: Configuration (System Tables; SQL Server 2005 and 2008)
  Select | Master  | configurations
  Select | Master  | spt_values
  Exec   | Master  | xp_msver

Data source: Database Backups (System Tables; SQL Server 2005 and 2008)
  Select | Msdb    | Backupset
  Select | Msdb    | Backupmediaset
  Select | Msdb    | Backupmediafamily
  Select | Msdb    | Backupfile

Data source: Database File Groups (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | Master  | sp_MSdbuserpriv
  Exec   | Master  | sp_MSdbuseraccess
  Select | Current | sysfilegroups
  Select | Current | sysfiles

Data source: Database Files (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | Master  | sp_MSdbuserpriv
  Exec   | Master  | sp_MSdbuseraccess
  Select | Current | sysfilegroups
  Select | Current | sysfiles
Data source: Database Options (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | Master  | sp_MSdbuserpriv
  Exec   | Master  | sp_MSdbuseraccess
  Select | Master  | sysfilegroups

Data source: Database Permissions (System Tables; SQL Server 2005 and 2008)
  Select | Master  | sysdatabases
  Select | Master  | syslogins
  Select | Master  | sysusers
  Exec   | Master  | xp_msver
  Select | Master  | spt_values
  Select | Current | server_permissions
  Select | Current | database_permissions
  Select | Current | database_principals
  Select | Current | server_principals
  Select | Current | schemas

Data source: Database Role Permissions (System Tables; SQL Server 2005 and 2008)
  Select | Current | database_permissions
  Select | Current | database_principals
  Select | Current | all_objects
  Select | Current | schemas
  Select | Master  | spt_values
  Exec   | Master  | xp_msver
Data source: Database Roles (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | Master  | sp_helprole
  Select | Current | sysprotects
  Select | Current | sysobjects
  Exec   | Master  | sp_helprolemember
  Exec   | Master  | sp_dbfixedrolepermission
  Exec   | Master  | sp_MSdbuserpriv
  Exec   | Master  | sp_MSdbuseraccess

Data source: Database Users (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | Master  | sp_MSdbuserpriv
  Exec   | Master  | sp_MSdbuseraccess
  Exec   | Master  | sp_dbcmptlevel
  Exec   | Master  | sp_helprolemember
  Select | Current | sysusers

Data source: Databases (System Tables; SQL Server 2005 and 2008)
  Select | Master  | databases
  Select | Master  | dbo.spt_values
Data source: Job Server (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | msdb    | sp_help_category
  Exec   | msdb    | sp_help_alert
  Exec   | msdb    | sp_get_sqlagent_properties
  Exec   | msdb    | sp_help_job
  Exec   | msdb    | sp_help_operator
  Exec   | Master  | xp_servicecontrol
  Exec   | msdb    | sp_help_targetservergroup
  Exec   | msdb    | sp_help_targetserver

Data source: Job Server Jobs (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | msdb    | sp_help_job
  Exec   | msdb    | sp_get_job_alerts
  Exec   | msdb    | sp_help_jobschedule
  Exec   | msdb    | sp_help_jobstep

Data source: Job Steps (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | msdb    | sp_help_job
  Exec   | msdb    | sp_help_jobstep

Data source: Linked Servers (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Select | Master  | sysservers
  Exec   | Master  | sp_helplinkedsrvlogin
Data source: Remote Logins (SQL-DMO; SQL Server 2005 and 2008)
  Select | Master  | sysservers
  Select | Master  | sysremotelogins
  Select | Current | sysusers
  Select | Master  | syslogins

Data source: Remote Servers (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Select | Master  | sysservers
  Select | Master  | sysremotelogins
  Exec   | Master  | sp_MSdbuserpriv

Data source: Server Integrated Security (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | Master  | xp_instance_regread

Data source: Server Logins (System Tables; SQL Server 2005 and 2008)
  Select | Master  | syslogins
  Select | Master  | spt_values
  Exec   | Master  | xp_msver

Data source: Server Roles (SQL-DMO; SQL Server 2005 and 2008)
  Select | Current | sysusers
  Select | Master  | syslogins
  Exec   | Master  | sp_helpsrvrole
  Exec   | Master  | sp_helpsrvrolemember
Data source: Servers (SQL-DMO; SQL Server 2005 and 2008)
  Dependent object            Database   Rights
  sysusers                    Current    Select
  syslogins                   Master     Select
  sp_MSdbuserpriv             Master     Exec
  xp_regread                  Master     Exec
  sysdevices                  Master     Select
  sysconfigures               Master     Select
  syscurconfigs               Master     Select
  sp_MSdbuseraccess           Master     Exec
  syslanguages                Master     Select
  sysservers                  Master     Select
  fn_helpcollations           Master     Select
  xp_msver                    Master     Exec
  sp_helpsort                 Master     Exec
  xp_instance_regenumvalues   Master     Exec
  xp_instance_regread         Master     Exec
  sp_server_info              Master     Exec
  xp_loginconfig              Master     Exec
  sp_helpsrvrole              Master     Exec
  xp_servicecontrol           Master     Exec
Data source: StoredProcedures (System Tables; SQL Server 2005 and 2008)
  Dependent object      Database   Rights
  all_objects           Current    Select
  procedures            Current    Select
  sql_modules           Current    Select
  database_principals   Current    Select
  schemas               Current    Select
  syscomments           Current    Select
  assembly_modules      Current    Select
  spt_values            Master     Select
  objects               Current    Select
  indexes               Current    Select
  sysdepends            Current    Select
  xp_msver              Master     Exec
Data source: DatabaseAuditSpecification (System Tables; SQL Server 2008)
  Dependent object                       Database
  database_audit_specification_details   Master
  database_audit_specifications          Master
  server_audits                          Master
  server_file_audits                     Master
  Rights: on SQL Server 2008, any one of CONTROL SERVER, ALTER ANY SERVER AUDIT,
  ALTER ANY DATABASE AUDIT, or the DBO role; on SQL Server 2008 R2, any one of
  CONTROL SERVER, VIEW SERVER STATE, VIEW AUDIT STATE, ALTER ANY AUDIT, or the DBO role.
Data source: ServerAudits (System Tables; SQL Server 2008)
  Dependent object     Database
  server_audits        Master
  server_file_audits   Master
  Rights: on SQL Server 2008, any one of CONTROL SERVER, ALTER ANY SERVER AUDIT,
  ALTER ANY DATABASE AUDIT, or the DBO role; on SQL Server 2008 R2, any one of
  CONTROL SERVER, VIEW SERVER STATE, VIEW AUDIT STATE, ALTER ANY AUDIT, or the DBO role.
Data source: ServerAuditSpecification (System Tables; SQL Server 2008)
  Dependent object                       Database
  database_audit_specification_details   Master
  database_audit_specifications          Master
  server_audits                          Master
  server_file_audits                     Master
  Rights: on SQL Server 2008, any one of CONTROL SERVER, ALTER ANY SERVER AUDIT,
  ALTER ANY DATABASE AUDIT, or the DBO role; on SQL Server 2008 R2, any one of
  CONTROL SERVER, VIEW SERVER STATE, VIEW AUDIT STATE, ALTER ANY AUDIT, or the DBO role.
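The following T-SQL is an added example and is not part of the Symantec guide. It checks, before a scan, that the collection login holds the rights Table 2-2 lists for the Servers data source and the server-level permissions listed for the SQL Server 2008 audit data sources, by impersonating that login and calling HAS_PERMS_BY_NAME for each required right. The login name CCS_COLLECTOR is an assumption; run the script as a sysadmin so that EXECUTE AS LOGIN is permitted. It also shows a caveat the table does not state: SELECT on syslogins lets the query run, but catalog metadata visibility in SQL Server 2005 and later hides logins the caller has no permission on, so the collector may see fewer logins than a sysadmin unless it is also granted a broader right such as VIEW ANY DEFINITION, which is more than the table's minimums.

```sql
-- Added example (not from the Symantec guide): verify that the CCS collection login
-- holds the Table 2-2 rights for the "Servers" data source and the server-level
-- permissions listed for the SQL Server 2008 audit data sources.
-- Assumptions: the login is named CCS_COLLECTOR and is mapped to a user in master;
-- the script is run by a sysadmin, who may impersonate that login.
USE master;
GO
-- One-time setup, run once as sysadmin. The SELECT targets are catalog views that
-- public can read (subject to metadata visibility); the EXECUTE rights must be granted.
-- CREATE USER CCS_COLLECTOR FOR LOGIN CCS_COLLECTOR;
-- GRANT EXECUTE ON xp_regread          TO CCS_COLLECTOR;
-- GRANT EXECUTE ON xp_instance_regread TO CCS_COLLECTOR;
-- (repeat for the other Exec rows of the Servers data source in Table 2-2)

EXECUTE AS LOGIN = 'CCS_COLLECTOR';      -- evaluate permissions as the collector

-- sysname is NOT NULL by default, so the server-level rows need explicit NULL columns.
DECLARE @required TABLE (
    securable_name  sysname NULL,
    securable_class sysname NULL,
    permission_name sysname);
INSERT INTO @required VALUES             -- multi-row VALUES needs SQL Server 2008 or later
  ('master.sys.syslogins',                 'OBJECT', 'SELECT'),
  ('master.sys.sysservers',                'OBJECT', 'SELECT'),
  ('master.sys.sysconfigures',             'OBJECT', 'SELECT'),
  ('master.sys.syscurconfigs',             'OBJECT', 'SELECT'),
  ('master.sys.syslanguages',              'OBJECT', 'SELECT'),
  ('master.sys.sysdevices',                'OBJECT', 'SELECT'),
  ('master.sys.xp_regread',                'OBJECT', 'EXECUTE'),
  ('master.sys.xp_instance_regread',       'OBJECT', 'EXECUTE'),
  ('master.sys.xp_instance_regenumvalues', 'OBJECT', 'EXECUTE'),
  ('master.sys.xp_msver',                  'OBJECT', 'EXECUTE'),
  ('master.sys.xp_loginconfig',            'OBJECT', 'EXECUTE'),
  ('master.sys.xp_servicecontrol',         'OBJECT', 'EXECUTE'),
  ('master.sys.sp_helpsrvrole',            'OBJECT', 'EXECUTE'),
  ('master.sys.sp_helpsort',               'OBJECT', 'EXECUTE'),
  ('master.sys.sp_server_info',            'OBJECT', 'EXECUTE'),
  -- server-level permissions that satisfy the SQL Server 2008 audit data sources
  (NULL, NULL, 'CONTROL SERVER'),
  (NULL, NULL, 'ALTER ANY SERVER AUDIT'),
  (NULL, NULL, 'VIEW SERVER STATE');

-- held: 1 = right held, 0 = not held, NULL = securable not visible to this login.
-- Any 0 or NULL row is a grant that is missing for the data source.
SELECT r.securable_name, r.permission_name,
       HAS_PERMS_BY_NAME(r.securable_name, r.securable_class, r.permission_name) AS held
FROM @required AS r
ORDER BY held, r.securable_name;

-- SELECT on syslogins does not mean every login is returned: metadata visibility
-- filters the rows, so compare the collector's count with the sysadmin's count.
SELECT COUNT(*) AS logins_visible_to_collector FROM sys.syslogins;
REVERT;
SELECT COUNT(*) AS logins_visible_to_sysadmin FROM sys.syslogins;
GO
```

A smaller collector count than sysadmin count means the ServerLogins and Servers data sources will report an incomplete login list even though every right in the table is held; decide deliberately whether to widen the grant rather than discovering the gap in a compliance report.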
Chapter 3: Privileges for Oracle
This chapter includes the following topics:
■ Trust requirement to query an Oracle database
■ Minimum required privileges to query an Oracle database
■ Using sudo functionality for querying Oracle UNIX targets
Trust requirement to query an Oracle database
Ensure that there is a domain trust relationship if the CCS Manager in the data collector role and the target computers for Oracle are located in different domains. You must have a one-way trust from the CCS Manager domain to the target computer domain. The CCS Manager must be able to log in to the target computer in order to perform data collection using the minimum privileges mentioned in this document.
Note: The trust requirements mentioned in this document are applicable as of the current release of Control Compliance Suite 11.x. Symantec continues to investigate the opportunity to enable product functionality with the least privileges and trust requirements as an ongoing effort.
See “Minimum required privileges to query an Oracle database” on page 31.
Minimum required privileges to query an Oracle database
CCS requires certain minimum rights on the databases and the operating system on which the queries report.
Note: If your organization has specific roles for an Oracle Database Administrator, Symantec recommends that the DBA enters the Oracle DB Admin privileges wherever they are required.
The Oracle DB Admin privileges may be mandated by the Oracle application. The CCS Administrator does not need to hold an Oracle DB Admin role.
See “Privileges for database-related queries” on page 32.
See “Privileges for platform-specific queries” on page 33.
See “Privileges on views to query database-related data sources” on page 33.
Privileges for database-related queries
The credential user needs certain privileges to run queries on database-related data sources.
For information on the specific SELECT privileges needed to query database-related data sources, refer to Appendix B: SELECT Privileges.
For Oracle Database Version 9i and later, you can provide the following privileges:
Table 3-1 Privileges required for Oracle Database Version 9i and later
  Privilege                               Description
  SELECT ANY DICTIONARY                   Allows access to the required data dictionary objects.
  SELECT ON SYSTEM.PRODUCT_USER_PROFILE   Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.
For Oracle Database Version 8i, you can provide the following privileges:
Table 3-2 Privileges required for Oracle Database Version 8i
  Privilege                               Description
  SELECT_CATALOG_ROLE                     Allows access to the required "DBA_" views and the V$ dynamic performance views.
  SELECT ON SYSTEM.PRODUCT_USER_PROFILE   Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source.
Note: Oracle 8i does not have the SELECT ANY DICTIONARY privilege, and the SELECT ANY TABLE privilege does not help if O7_DICTIONARY_ACCESSIBILITY is set to FALSE.
The following privileges grant access to the dictionary objects that are required for reporting on the Database Audit Trail data source:
■ SELECT ON SYS.OBJAUTH$
■ SELECT ON SYS.OBJ$
■ SELECT ON SYS.USER$
■ SELECT ON SYS.COL$
■ SELECT ON SYS.TABLE_PRIVILEGE_MAP
For Oracle 8i, the SELECT privileges must be granted on the individual data dictionary objects because Oracle 8i does not support the SELECT ANY DICTIONARY privilege. Also, the SELECT ANY TABLE privilege does not allow access to data dictionary objects when the O7_DICTIONARY_ACCESSIBILITY parameter is set to FALSE.
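The following Oracle SQL is an added example, not part of the Symantec guide: it creates a dedicated collection account with exactly the grants from Table 3-1 and then verifies them. The account name CCS_COLLECT, its tablespaces, the password placeholder and the CREATE SESSION grant are assumptions (the guide lists only SELECT privileges, but no account can log in without CREATE SESSION). Run the DDL and the DBA_ checks as a DBA; run the final smoke test connected as the new account.

```sql
-- Added example (not from the Symantec guide): a least-privilege CCS collection
-- account for Oracle 9i or later, plus the checks that prove it has no more than
-- the Table 3-1 grants. CCS_COLLECT, the tablespace names and CREATE SESSION are
-- assumptions. Run this part as SYS or a DBA.
CREATE USER ccs_collect IDENTIFIED BY "<strong password>"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;                                   -- reads only; no storage

GRANT CREATE SESSION TO ccs_collect;                  -- assumption: needed to connect
GRANT SELECT ANY DICTIONARY TO ccs_collect;           -- Table 3-1
GRANT SELECT ON system.product_user_profile TO ccs_collect;  -- Table 3-1

-- Oracle 8i has no SELECT ANY DICTIONARY: grant the role from Table 3-2 and the
-- individual SYS objects listed for the Database Audit Trail data source instead.
-- GRANT SELECT_CATALOG_ROLE TO ccs_collect;
-- GRANT SELECT ON sys.objauth$            TO ccs_collect;
-- GRANT SELECT ON sys.obj$                TO ccs_collect;
-- GRANT SELECT ON sys.user$               TO ccs_collect;
-- GRANT SELECT ON sys.col$                TO ccs_collect;
-- GRANT SELECT ON sys.table_privilege_map TO ccs_collect;

-- Check 1: on 8i, SELECT ANY TABLE reaches the dictionary only when this is TRUE,
-- so confirm the setting before relying on it.
SELECT name, value FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- Check 2: everything granted to the account, as a DBA sees it. Any row beyond the
-- grants above (DBA role, SELECT ANY TABLE, ...) is more than CCS needs.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS granted
  FROM dba_sys_privs  WHERE grantee = 'CCS_COLLECT'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'CCS_COLLECT'
UNION ALL
SELECT 'OBJECT', owner || '.' || table_name || ' (' || privilege || ')'
  FROM dba_tab_privs  WHERE grantee = 'CCS_COLLECT'
ORDER BY 1, 2;

-- Check 3: connected as CCS_COLLECT, the views behind Table 3-3 must be readable.
-- ORA-00942 on any of these means a grant is missing for that data source.
-- CONNECT ccs_collect/<strong password>
SELECT COUNT(*) FROM dba_users;                       -- Database Users
SELECT COUNT(*) FROM dba_audit_trail;                 -- Database Audit Trail
SELECT COUNT(*) FROM v$system_parameter2;             -- Database Initialization Parameters
SELECT COUNT(*) FROM system.product_user_profile;     -- SQL*Plus Security
```

SELECT ANY DICTIONARY is broad: on Oracle 11g and earlier it also reads SYS.USER$, which holds password hashes, so store the collection account's credentials with the same care as a DBA's, keep its quota at zero so it cannot create objects, and re-run Check 2 after upgrades to catch grants that creep in.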
Privileges for platform-specific queries
To obtain Windows platform-specific information, the credential user must have administrator privileges on the Windows computer.
You must have root access privileges on the computer on which you want to install the CCS Agent for UNIX for Oracle data collection. The CCS Agent for UNIX is installed only under root account credentials. Communication between the CCS Manager and the CCS Agent uses TCP port 5600.
Privileges on views to query database-related data sources
SELECT privileges are required on certain views to query database-related data sources.
Table 3-3 lists the view names that require SELECT privileges and the data sources that use these views.
Table 3-3 Data sources and the associated views
  Data source name                                         View name(s)
  Database Application Contexts                            DBA_CONTEXT
  Database Audit Trail                                     DBA_AUDIT_TRAIL
  Database Fine Grained Access Control Policies            DBA_POLICIES
  Database Fine Grained Auditing Audit Trail               DBA_FGA_AUDIT_TRAIL
  Database Initialization Parameters                       V$SYSTEM_PARAMETER2
  Database Links                                           DBA_DB_LINKS
  Database Object Auditing                                 DBA_OBJ_AUDIT_OPTS
  Database Object Privilege Assignments                    SYS.OBJAUTH$, SYS.OBJ$, SYS.USER$, TABLE_PRIVILEGE_MAP, DBA_ROLES, DBA_OBJECTS, SYS.COL$
  Database Objects                                         DBA_OBJECTS
  Database Policy Contexts                                 DBA_POLICY_CONTEXTS
  Database Policy Groups                                   DBA_POLICY_GROUPS
  Database Privilege Auditing                              DBA_PRIV_AUDIT_OPTS
  Database Profiles                                        DBA_PROFILES
  Database Resource Consumer Groups                        DBA_RSRC_CONSUMER_GROUPS
  Database Resource Limits                                 V$RESOURCE_LIMIT
  Database Role Assignments                                DBA_ROLE_PRIVS, DBA_ROLES
  Database Roles                                           DBA_ROLES
  Database Sessions                                        V$SESSION
  Database Statement Auditing                              DBA_STMT_AUDIT_OPTS
  Database System Privilege Assignments                    DBA_SYS_PRIVS, DBA_ROLES
  Database Uniform Audit Trail                             DBA_COMMON_AUDIT_TRAIL
  Database User Tablespace Quotas                          DBA_TS_QUOTAS
  Database Users                                           DBA_USERS, PROXY_USERS
  Database and Instance Information                        V$DATABASE, V$INSTANCE, GLOBAL_NAME, V$VERSION
  SQL*Plus Security                                        SYSTEM.PRODUCT_USER_PROFILE
  UNIX and Linux Database File and Directory Permissions   V$SYSTEM_PARAMETER2, V$CONTROLFILE, V$DATAFILE, V$LOGFILE, V$TEMPFILE, V$ARCHIVE_DEST
  Windows Database File and Folder Permissions             V$SYSTEM_PARAMETER2, V$CONTROLFILE, V$DATAFILE, V$LOGFILE, V$TEMPFILE, V$ARCHIVE_DEST
Using sudo functionality for querying Oracle UNIX targets
Though CCS requires only minimum privileges for data collection, in some cases you may need to query targets using higher privileges. The sudo functionality permits you to execute a command on the target computer as the superuser or as another user. For agent-less raw data collection on Oracle UNIX targets, you can use the sudo (superuser do) utility on the UNIX target to run queries in the context of the superuser.
To use the sudo functionality:
■ Ensure that the sudo program is installed on the UNIX target computer on which you want to use the sudo functionality.
■ In the sudoers file, list the user accounts you will use to run the commands. Users whose credentials are added in the credentials database must have corresponding user accounts listed in the sudoers file. The sudoers file is located in the /etc directory of the UNIX target computer.
If the invoking user is root, or if the target user is the same as the invoking user, sudo requires no password. Otherwise sudo prompts for the invoking user's password, so for unattended collection the prompt must be disabled in the sudoers file. See “Example of the sudoers file” on page 38.
■ Disable the password prompt in the sudoers file.
See “Disabling password prompt in the sudoers file” on page 36.
■ In the bvAgentlessConfig.ini file, enable the sudo option by configuring the SupportsSudo parameter. The bvAgentlessConfig.ini file is located in the <INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles folder of the CCS Manager.
See “Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file” on page 36.
■ In the ExecutionContext.ini file, prefix the word sudo to the commands of a query to run the queries in the context of the superuser. The ExecutionContext.ini file is located in the <INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles folder of the CCS Manager.
See “Optimizing queries using sudo in the ExecutionContext.ini file” on page 37.
Disabling password prompt in the sudoers file
To be able to use sudo for running queries in the context of the superuser, you can add the following line to the sudoers file to disable the password prompt for every command:
<name> ALL=NOPASSWD: ALL
where <name> is the native user whose credentials are specified in the credential database. Note that this entry grants that account unrestricted, passwordless root on the target. Where possible, restrict it to the commands the queries actually need, as the Cmnd_Alias entries in the sample sudoers file do, and keep sudo logging enabled so that collector activity on the target is auditable.
You may encounter the following issues if the password prompt is not disabled and certain commands are blocked because no password is supplied:
■ Some commands, such as hostname, may return different values.
■ If the uname command is blocked, validation of agent-less targets may fail and the data sources will not return data.
■ Data sources may return incomplete data.
See “Example of the sudoers file” on page 38.
See “Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file” on page 36.
See “Optimizing queries using sudo in the ExecutionContext.ini file” on page 37.
See “Using sudo functionality for querying Oracle UNIX targets” on page 35.
Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file
To be able to use sudo for running queries in the context of the superuser, you must enable the sudo option by configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file.
The parameter and its value are as follows:
SupportsSudo=<value>
Where, <value> is true or false.
The default value is false, which means the use of sudo is disabled by default.
To enable sudo for running queries on UNIX targets, specify the value as true. You must also specify the FQDN of the UNIX target computer before the SupportsSudo parameter.
For example,
[testcomputer.example.com]
SupportsSudo=true
Where, [testcomputer.example.com] is the FQDN of the UNIX target computer.
Once sudo is enabled in the bvAgentlessConfig.ini file, you can use the ExecutionContext.ini file to control which queries run under sudo by prefixing the word sudo to the commands specified in the ExecutionContext.ini file.
See “Disabling password prompt in the sudoers file” on page 36.
See “Optimizing queries using sudo in the ExecutionContext.ini file” on page 37.
See “Using sudo functionality for querying Oracle UNIX targets” on page 35.
Optimizing queries using sudo in the ExecutionContext.ini file
To be able to use sudo for running queries in the context of the superuser, you must prefix the word sudo to the commands of the query specified in the ExecutionContext.ini file.
The following table lists the parameters that you can configure to run commands using sudo:
Table 3-4 Parameters to be configured for running commands using sudo
  Parameter           Description
  ApplyPrefixForAll   Specify true to run all commands of a query on the target computer using sudo. Specify false to run only specific commands of a query using sudo.
  Default             If ApplyPrefixForAll is true, lists any commands that must be run without sudo. If ApplyPrefixForAll is false, lists the commands that must be run with sudo; in this case the word sudo must be prefixed to each command.
  <target platform>   Specify for which platforms the queries must be run using sudo. Supported platforms: AIX, LINUX, SunOS, HP-UX.
  Target              Specify for which targets the queries must be run using sudo. The name can be the name of the target computer as displayed in the CCS console, or the IP address of the target computer.
See “Disabling password prompt in the sudoers file” on page 36.
See “Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file” on page 36.
See “Using sudo functionality for querying Oracle UNIX targets” on page 35.
Example of the sudoers file
This is an example of the contents of the sudoers file, which is located in the /etc directory of the UNIX target computer. It contains sample configurations required to use the sudo functionality as described in the section Using sudo functionality for querying Oracle UNIX targets. Validate any edited copy with visudo -c before relying on it.

## User alias specification
User_Alias UNIX_USERS = unix1, unix2, unix3
User_Alias BV_CONTROL_USERS = bvunix1, bvunix2, bvunix3

## Runas alias specification
Runas_Alias SUPER_USERS = root

## Defaults: no password prompt for the collection accounts, and a log of every sudo call
Defaults:UNIX_USERS !authenticate
Defaults:BV_CONTROL_USERS !authenticate
Defaults logfile=/var/log/sudolog

## Cmnd alias specification
# sudoers requires fully qualified command paths. A shell builtin such as ulimit
# cannot be listed (sudo never executes it), so it is omitted here.
Cmnd_Alias APPLICATIONS = /usr/sbin/named
Cmnd_Alias AIX_ADMINCMDS = /usr/sbin/lsps, /usr/sbin/lsattr
Cmnd_Alias ADMINCMDS = /usr/sbin/prtconf, /sbin/runlevel, AIX_ADMINCMDS
Cmnd_Alias NETWORKCMDS = /sbin/ifconfig, /usr/local/bin/nslookup, /usr/sbin/inetadm -p
# A command listed with arguments matches those arguments exactly, so a trailing "*"
# is needed wherever the query passes a file or directory name. Only double quotes
# are recognised by sudoers, so the date format is written without quotes.
Cmnd_Alias FILECMDS = /bin/cat, /bin/date +%Z, /usr/bin/strings -n *, \
                      /usr/bin/diff, /usr/bin/cmp, /usr/bin/find, \
                      /bin/echo, /usr/bin/file, /bin/df -P *, \
                      /usr/bin/cksum, /bin/ls -la *, /bin/ls -lad *, \
                      /bin/ls -lac *, /bin/ls -lau *
#Cmnd_Alias COMMONCMDS = /usr/bin, /bin, /usr/local/bin
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SYSADMCMD = /usr/lib/sendmail
Cmnd_Alias ACTIVEADMCMDS = /usr/sbin/adduser

## User specifications
# The last matching entry wins, so ALL must come before the "!" exclusions;
# written as "!SU, ..., NOPASSWD: ALL" the trailing ALL would allow su again.
UNIX_USERS ALL = (SUPER_USERS) NOPASSWD: APPLICATIONS, NETWORKCMDS, ADMINCMDS, FILECMDS, \
                               ALL, !SU, !ACTIVEADMCMDS, !SYSADMCMD
BV_CONTROL_USERS ALL = NOPASSWD: ALL

Two points about this file that the sudoers(5) manual spells out: command entries with arguments match those arguments exactly (hence the trailing * where a file name is passed), and the last matching entry wins, so ALL must precede the ! exclusions. The manual also warns that excluding commands with ! is not a security control, because the account can copy the binary to another path and run it from there; treat the exclusions in the UNIX_USERS entry as a convenience, and both NOPASSWD: ALL entries as full root for those accounts.
See “Using sudo functionality for querying Oracle UNIX targets ” on page 35.
See “Disabling password prompt in the sudoers file” on page 36.