DATABASE SECURITY AND COMPLIANCE. FortiDB Handbook VERSION


Fortinet resources: Fortinet Document Library, Fortinet Video Guide, Fortinet Blog, Customer Service & Support, FortiGate Cookbook, Fortinet Training Services, FortiGuard Center, FortiCast, CLI Reference, End User License Agreement, Feedback

Friday, March 17, 2017
FortiDB Handbook, 1st Edition

TABLE OF CONTENTS

Introduction 15
What's new 16
FortiDB tutorials 19
  Tutorial: Generating a vulnerability assessment (VA) report 19
  Tutorial: Monitoring a database table using the TCP/IP sniffer 23
  Tutorial: Monitoring a database table using the native auditing feature 27
  Tutorial: Monitoring changes to metadata 30
  Tutorial: Generating PCI, SOX, and HIPAA compliance reports 33
Installation (software-only) 36
  System requirements 36
  Preparing to install 37
  Configuring the FortiDB repository database 38
    Configuring a PostgreSQL repository 38
    Configuring an Oracle repository 39
    Configuring a Microsoft SQL Server repository 40
  UNIX/Linux installation 42
  Windows installation 43
  Confirming the installation 43
  Starting or stopping FortiDB 43
  Installing a new license 44
  Managing disk space 44
  Useful directories, files, and folders 45
  Log files for troubleshooting 46
    General logs 46
    Tomcat logs 46
  Upgrading FortiDB 47
How to set up your FortiDB 48
  Registering your FortiDB 48
  Planning the network topology for database activity monitoring (DAM) 48
  Connecting to the web UI and CLI 49
  Updating the firmware 49
    Upgrading the firmware 50
    Installing FortiDB firmware 51
  Changing the admin account password 53
  Setting the system time 54
  Configuring the network settings 55
    Configuring network settings using the web UI 56
    Configuring network settings using the CLI 57
  Backups 59
  Administrators 60
    Configuring permissions 61
    Privileges by license type (software-only FortiDB) 63
    Viewing and exporting an administrator report 64
    FortiMonitor administrator 66
  Advanced/optional system settings 67
    System information and settings 67
    Changing the FortiDB host name 68
    Global configuration 68
      Assessment properties 69
      Notification properties 72
      Reporting properties 74
      User Profile/Security properties 74
      Target properties 75
      LDAP Server properties 77
      Monitor properties 77
Connecting to target databases 79
  Pre-configuration for monitoring target databases 79
    Network requirements for monitoring using the TCP/IP sniffer 79
  Oracle target database pre-configuration 80
    Required privileges for monitoring or auditing Oracle databases 80
    Configuring an Oracle database for PCI, SOX, and HIPAA policies 81
    Enabling FortiDB to delete audit records 81
    Oracle XML file agent installation and configuration (UNIX, Windows, AIX) 82
    Monitoring encrypted Oracle traffic 83
    Using the SYSLOG utility to collect audit data 84
  MySQL target database pre-configuration 84
    Required privileges for monitoring via SQL Trace 85
  Sybase target database pre-configuration 86
    Configuring the Sybase audit system and FortiDB database user 86
    Configuring the Sybase Monitoring and Diagnostic (MDA) tables 87
  DB2 target database pre-configuration 91
    Users and privileges required by the DB2 agent 91
    Configuring the DB2 database and installing the agent 92
  Microsoft SQL Server target database pre-configuration 94
    Database user account requirement 94
    Privileges required by the FortiDB database user 94
      Privileges for VA assessments, privilege summaries, and penetration tests 95
      Privileges for monitoring data 102
      Privileges for monitoring privileges 103
      Privileges for monitoring metadata 104
  Managing targets 105
    Columns 105
    Buttons and fields 105
    Searching or filtering the target list 106
    Adding (or modifying) a target connection 107
    Configuring DB2 options 108
    Configuring SSH connections to Oracle and DB2 databases 109
      SSH environment requirements (software-only version) 110
    Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX 111
    Exporting target information 112
    Importing targets 112
  Managing target groups 113
    Pre-defined target groups 114
    Adding or modifying a target group 114
  Auto-discovery 115
    How to discover DB2 databases 115
    How to discover Microsoft SQL Server 115
    Running auto-discovery 115
    Adding targets from auto-discovery 117
Vulnerability assessment (VA) policies 118
  Types of VA policies 118
  Updates to VA policies 118
  Exporting and importing VA policies 118
  VA policy version 119
  VA policy groups 119
  VA policy states 119
  Keywords and user keywords for VA policies 120
  Managing VA pre-defined policies 120
    Importing pre-defined policies (appliance) 122
    Importing pre-defined policies (software-only FortiDB) 123
    OS-Level pre-defined policies 124
    Setting an access control list (ACL) for minimally-privileged users 128
  VA user-defined policies 130
    Adding user-defined policies 131
    Deleting user-defined policies 133
    Exporting user-defined policies 133
    Importing user-defined policies 134
  VA policy groups 134
    Adding VA policy groups 135
    Modifying VA policy groups 136
    Deleting VA policy groups 137
  Penetration tests 137
    Connection options for penetration tests 137
    Files used for penetration tests 138
    Configuring and running penetration test assessments 139
  Data discovery policies and policy groups 141
    Managing data discovery policies 142
    Data discovery policy groups 143
Database Activity Monitoring (DAM) policies 144
  Types of DAM policies 144
  Managing DAM policies 145
    Configuring policy information for a policy 146
    Automatically generating alert policies 147
  Data policies 148
    Configuring a table policy 149
      Configuring audit settings for a table policy 149
      Configuring alert rules for a table policy 149
      Table policy alert rules for different databases 153
    Configuring a table and column policy 154
    Configuring a session policy 155
      Configuring audit settings for a session policy 155
      Configuring alert rules for a session policy 155
    Configuring a user policy 158
      Configuring audit settings for a user policy 159
      Configuring alert rules for a user policy 159
      User policy alert rules for various databases 162
    Configuring a database policy 164
    Configuring a database query policy 164
  Privilege policies 166
    Oracle privilege policies 167
    Microsoft SQL Server privilege policies 168
    Sybase privilege policies 169
    DB2 privilege policies 170
    MySQL privilege policies 171
  Metadata policies 172
    Oracle metadata policies 173
    Microsoft SQL Server metadata policies 173
    Sybase metadata policies 174
    DB2 metadata policies 174
    MySQL metadata policies 175
  PCI, SOX, and HIPAA alert policies 176
    Configuring PCI, SOX and HIPAA policies 176
    Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options) 177
    Select users to audit for PCI and SOX reports (User Audit Options) 178
  Alert and audit policy groups 179
    Creating or modifying an alert or audit policy group 179
    Adding policy groups to target database monitoring 180
    Deleting a policy group 180
Vulnerability assessment 181
  Adding or modifying assessments 181
  Running assessments 182
    Running an assessment immediately 182
    Running an assessment at a specified date and time 182
    Running scheduled assessments 182
  Configuring assessment notifications 183
    Notification OIDs for target-level assessments 184
    Notification OIDs for Rule-Level Assessments 185
  Selecting the type of report an assessment generates 187
  Reviewing, deleting, and aborting assessment results 187
  View VA global summary information 189
  Assessment history 189
    Assessments History tab 189
    Scheduled Reports tab 189
    Import or export assessment history 189
  Viewing and exporting a privilege summary 190
  DB-Type Distinctions 191
    General differences 191
    Filtering differences 192
    Column and column value differences 192
  Sensitive data discovery 193
    Manage sensitive data discovery 193
    Running sensitive data discovery 193
    Viewing sensitive data discovery reports 193
  Viewing VA and sensitive data discovery event logs 194
Database activity monitoring (DAM) 195
  Managing target monitoring 195
    Target monitoring configuration tabs and options 197
  Configuring target database monitoring 198
    Configuring monitoring using the TCP/IP sniffer (all database types) 199
    Configuring Microsoft SQL Server monitoring 201
    Configuring DB2 monitoring 202
    Configuring Sybase monitoring 202
    Configuring MySQL monitoring 203
    Configuring Oracle monitoring 204
  Adding alert and audit policies to monitoring 205
  Adding policy groups to target monitoring 206
  Sending alert notifications 207
    FortiDB event to ArcSight data field mapping 208
  Blocking invalid access while monitoring 209
  Excluding policies from the Alert Policy settings (whitelist) 210
  Displaying the history of issued audit commands 212
    Oracle audit management 213
      Statement options 213
      Object options 213
      Clearing audit settings 213
      Audit management 214
    Microsoft SQL Server audit management 214
      Audited events 214
      Audited filters 214
    DB2 audit management 214
      DB2 audit settings with syscat.auditpolicies 214
      DB2 audit settings with syscat.audituse 215
  Viewing alerts 215
    Changing the status of and annotating alerts 217
    Exporting the alert list as a report 217
    Filtering and searching alerts 218
      Exclude option 218
      Configure criteria row 218
      Multiple criteria rows 218
    Alert details 218
    Alert group 220
      Add, edit, or delete an alert group 220
      Pre-defined alert groups 220
      Data filter for an alert group 220
    Alerts summary 221
    Alerts analysis 222
  Viewing audit records (activity auditing results) 223
    Filtering and searching the audit record list 224
    Viewing audit record details 225
    Audit group 225
      Add, edit, or delete an audit group 225
      Pre-defined audit groups 226
      Data filter for an audit group 226
  Activity profiling 226
    Viewing status and summary information for activity profiling 227
    Viewing and exporting activity profiling results 227
      Source clients access list 228
      Database tables access list 228
      Exporting profiling results 228
  SOX audit 229
Logs 230
  Local monitoring log 230
  Local audit trail 230
    Viewing and managing the audit trail records 231
    Examples of audit trail records 232
Reports 233
  Vulnerability assessment (VA) reports 233
  DAM reports 233
  Report files that FortiDB saves to disk 234
  Other reports you can export 234
  Pre-defined VA reports 234
    Assessment reports 235
      Statistics tables 235
      Vulnerabilities 235
      Score report and trend report 235
    Policy reports 236
    Sensitive data discovery reports 236
  User-defined VA reports 236
    Managing user-defined reports 237
      General tab 237
      Columns tab 237
      Grouping tab 237
      Filtering tab 237
      Export options 237
    Viewing scheduled VA reports 238
  Pre-defined DAM reports 238
  User-defined DAM reports 239
    Report management 239
    Filtering report data 240
      Data time range 240
      Records limit 240
      Custom data filters 240
    Configuring data displays 241
      Data table view 241
      Adding analysis charts and statistics tables to reports 241
    Schedule and notification 241
      Scheduling reports 242
      Email notification for scheduled reports 242
  PCI, SOX, and HIPAA reports 242
    General steps for generating PCI, SOX, and HIPAA reports 245
    Report: Abnormal Termination of Database Activity 245 (COBIT objectives 245, Setup requirements 246, Report columns 246)
    Report: Abnormal or Unauthorized Changes to Data 246 (COBIT objectives 246, Setup requirements 247, Report columns 247)
    Report: Abnormal Use of Service Accounts 247 (COBIT objectives 247, Setup requirements 247, Report columns 248)
    Report: End of Period Adjustments 248 (COBIT objectives 248, Setup requirements 248, Report columns 248)
    Report: History of Privilege Changes 249 (COBIT objectives 249, Setup requirements 249, Report columns 249)
    Report: Verification of Audit Settings 250 (COBIT objectives 250, Setup requirements 250, Report columns 250)
  Activity Profiling Reports 251
Archiving audit data 253
  Archiving example 253
  Archiving strategy 254
  Archiving data 254
Using the command line interface (CLI) 257
  Connecting to the CLI 258
  Command syntax 259
    Specifying file names and locations in commands 259
    Entering spaces in command strings 259
    Entering quotation marks in strings 259
    Entering a question mark (?) in a string 259
    Special characters that are not permitted in commands 259
    Specifying IP address formats in commands 259
  Notation 260
  Tips & tricks 262
    Help 262
    Completing commands automatically 262
    Recalling commands 262
    Editing commands 262
    Breaking a long command 263
    Abbreviating commands 263
  Overview of commands 264
  config 268
    config system admin setting 268 (Syntax 268, Example 268)
    config system backup all-setting 269 (Syntax 269, Example 270)
    config system debug-filter 270 (Syntax 270)
    config system dns 271 (Syntax 271, Example 271)
    config system global 271 (Syntax 271, Example 272)
    config system interface 272 (Syntax 272, Example 273)
    config system mapping 273 (Syntax 273, Examples 274)
    config system ntp 275 (Syntax 275)
    config system raid 275 (Syntax 275; Implementing RAID 5 on FortiDB 2000B 276; Implementing RAID on FortiDB 3000B 276)
    config system route 277 (Syntax 277)
  execute 278
    execute backup all-settings 278 (Syntax 279, Example 279)
    execute backup configurations 279 (Syntax 279, Example 280)
    execute backup fd-tcpdump 280 (Syntax 280, Example 281)
    execute backup-remove fd-archive 281 (Syntax 281, Example 281)
    execute backup-remove fd-report 282 (Syntax 282, Example 282)
    execute backup-remove fd-tcpdump 282 (Syntax 283, Example 283)
    execute date 283 (Syntax 283, Example 284)
    execute format disk 284 (Syntax 284)
    execute generate certificate 284 (Syntax 284)
    execute ping 285 (Syntax 285, Example 285)
    execute raid rebuild 285 (Syntax 285)
    execute reboot 285 (Syntax 285)
    execute reset 285 (Syntax 286, Example 286)
    execute restart 286 (Syntax 286)
    execute restore all-settings 286 (Syntax 286, Example 287)
    execute restore configurations 287 (Syntax 287, Example 287)
    execute restore fd-archive 288 (Syntax 288, Example 288)
    execute shutdown 288 (Syntax 288)
    execute time 288 (Syntax 289, Example 289)
    execute top 289 (Syntax 289)
    execute traceroute 290 (Syntax 290, Example 290)
  show 291
    show system admin setting 291 (Syntax 291)
    show system backup all-settings 291 (Syntax 291)
    show system dns 292 (Syntax 292, Example 292)
    show system global 292 (Syntax 292)
    show system interface 292 (Syntax 292, Example 292)
    show system ntp 293 (Syntax 293, Example 293)
    show system route 293 (Syntax 293, Example 293)
  get 294 (Example 294)
  set 295 (Example 295)
  diagnose 296
    diagnose counter memory 297 (Syntax 297)
    diagnose counter misc 297 (Syntax 297)
    diagnose counter packet 297 (Syntax 297)
    diagnose counter parser 298 (Syntax 298)
    diagnose counter session 298 (Syntax 298)
    diagnose debug application control basic 298 (Syntax 298)
    diagnose debug application housekeep basic 299 (Syntax 299)
    diagnose debug application parser basic 299 (Syntax 299)
    diagnose debug application parser packet 299 (Syntax 299)
    diagnose debug application sniffer abnormal 300 (Syntax 300)
    diagnose debug application sniffer basic 300 (Syntax 300)
    diagnose debug application sniffer block-ip 300 (Syntax 300)
    diagnose debug application sniffer block-session 301 (Syntax 301)
    diagnose debug application sniffer ip-reassemble 301 (Syntax 301)
    diagnose debug application sniffer malformed-packet 301 (Syntax 301)
    diagnose debug application sniffer packet 302 (Syntax 302)
    diagnose debug application sniffer tcp-reassemble 302 (Syntax 302)
    diagnose log show tail remove 302 (Syntax 303, Example 303)
    diagnose mapping debug 303 (Syntax 303)
    diagnose mapping reset 303 (Syntax 303)
    diagnose mapping status 304 (Syntax 304)
    diagnose system coredump check 304 (Syntax 304, Example 304)
    diagnose system coredump export 304 (Syntax 304, Example 305)
    diagnose system export fd_log 305 (Syntax 305, Example 306)
    diagnose system raid list 306 (Syntax 306)
    diagnose tcpdump start stop 306 (Syntax 306, Example 307)
    diagnose tcpdump status 307 (Syntax 307, Example 307)
    diagnose network interface list 307 (Syntax 308)
    diagnose network interface detail 308 (Syntax 308, Example 308)

Introduction

Welcome, and thank you for selecting Fortinet products for your network. FortiDB software is a comprehensive database security and compliance platform that helps large enterprises and cloud-based service providers protect their databases and applications from internal and external threats. Its flexible policy framework allows you to quickly and easily implement internal IT control frameworks for database activity monitoring, IT audit and regulatory compliance.

What's new

The following features are new or have changed since FortiDB 5.1. For upgrade information, see the release notes available with the firmware and Updating the firmware on page 49.

FortiDB
Patch release only.

FortiDB
Disk partitioning requirement: If upgrading from a version older than 5.1.8, you MUST repartition the hard disk to ensure FortiDB works properly.
Support for "Flashback" in the Oracle XML agent: Two metadata DAM alert policies have been added in Oracle XML agent mode to cover the flashback table and the flashback database.
SybaseIQ update for VA: Twelve (12) VA policies have been added for SybaseIQ.
MongoDB VA SSL connection support: Support for SSL connections has been added to MongoDB VA.
MongoDB VA YAML-type configuration file support: Support for YAML-type configuration files has been added to MongoDB VA.

FortiDB
Fix for glibc vulnerability: This release fixes a bug in the glibc open source library that made the product vulnerable to denial of service and other types of attacks (CVE ).
Software support for FortiDB 1000B: FortiDB and higher software is not supported on model 1000B.
Software version support: This release is supported on hardware versions of the product only. (The glibc vulnerability (CVE ) does not affect the software versions of the product.)

FortiDB
Vulnerability assessment (VA) for MongoDB and Oracle 12c: FortiDB now supports VA for MongoDB version 2.6 and Oracle 12c.
DAM using the TCP/IP sniffer supports Microsoft SQL RPC variables and commands: FortiDB can now match DAM policies by parsing values generated by remote procedure call (RPC) operations, such as those generated by right-clicking in client-side database tools (for example, SQL Studio), and translating SQL commands beginning with 'rpc executesql' to standard SQL commands.
Reconnect when target is offline and send notification: When a target is offline, FortiDB now makes up to 5 attempts to reconnect. FortiDB sends an email notification to an administrator if a connection fails.
Disk usage detection and reserve: FortiDB now reserves 1% of free disk space to help prevent system crashes.

FortiDB
Oracle 12c support for DAM: For Oracle 12c, FortiDB now supports Database Activity Monitoring (DAM) using both the TCP/IP packet sniffer and native, audit-based data collection methods.
Support for Oracle syslog data collection: Oracle syslog data collection is now available when you use sniffer-based data collection.

For more information, see Using the SYSLOG utility to collect audit data on page 84.
Fdbagent supports AIX and Linux 6: For DAM, you can now use the Oracle XML file agent or DB2 agent to monitor databases installed on AIX 6 and Linux 6.
Monitor synonyms: You can now monitor synonyms (an alternative name for a database element such as a table, view, sequence, or procedure) on Oracle databases.
PostgreSQL support for DAM: DAM can now monitor PostgreSQL databases when you use sniffer-based data collection.
Configuration backup via CLI: You can now back up your FortiDB configuration using CLI commands, without backing up audit and other data. For more information, see execute backup configurations on page 279.
Security enhancements: A number of security enhancements have been added to address current threats and SSL-related issues.
Support for Microsoft SQL RPC (remote procedure call) in native audit mode: FortiDB now supports RPC (remote procedure call) when it monitors a Microsoft SQL Server database using the native auditing feature.
DB2 version 10.x support for both VA and DAM: DAM and VA now support newer versions of IBM DB2.
Troubleshooting enhancements: FortiDB now provides more CLI commands that retrieve diagnostic data. For more information, see diagnose system coredump check on page 304 and diagnose system coredump export on page 304.

FortiDB
HIPAA compliance reports: In addition to SOX and PCI reports, FortiDB now has pre-defined HIPAA (Health Insurance Portability and Accountability Act) reports to help customers meet regulatory requirements. See PCI, SOX, and HIPAA reports on page 242.
SQL string detection in Alert policies: You can now specify a SQL string to detect in a Table and Column DAM alert policy. This is useful for detecting attacks that use SQL injection. See Configuring a table and column policy on page 154.
Support for encrypted Oracle traffic for database activity monitoring (DAM): FortiDB can now monitor encrypted Oracle traffic in sniffer mode. See Monitoring encrypted Oracle traffic on page 83.
Exclude policies from vulnerability assessment (VA) scans: You can now exclude policies from VA scans of specific targets. This feature allows you to scan databases with different policy sets without creating new scans for each case. See Adding or modifying assessments on page 181.
SybaseIQ support for VA: FortiDB now supports SybaseIQ for VA. (Penetration test and DAM are not supported.) See Adding (or modifying) a target connection on page 107.
Performance enhancement: FortiDB now has an internal alert policy pre-filter that speeds up alert data processing.

FortiDB
Tomcat upgrade: Tomcat (one of FortiDB's internal components) has been upgraded to eliminate vulnerabilities found in the older version.
Mitigate vulnerability related to Bash (CVE ): FortiDB used Bash to allow access to the shell in its debug builds. It has been replaced to eliminate the CVE vulnerability.

FortiDB
Support for SQL Server 2014 VA: You can now scan the latest MS SQL Server platform for vulnerabilities.
TCP/IP sniffer optimized for better performance and stability: Throughput and performance for the sniffer-based data collection method have been improved.
Enhanced diagnose mode: FortiDB has a new command set that allows you to troubleshoot more efficiently. See Using the command line interface (CLI) on page 257.
Security enhancements: Enhanced protection for Cross Frame Scripting (XSS), and cache control to prevent data from being saved by the browser.

FortiDB
Internal message queuing mechanism enhancement: The internal message queuing mechanism was upgraded. This improves the stability of data collection in high transaction volume environments.
Support for online context in help: FortiDB now supports online context in Help. This allows more comprehensive searches and more up-to-date information for end-users.
Support for partitions larger than 2TB in FortiDB 3000D: The large partition size enables more efficient audit data storage in the 3000D appliances. For information on adjusting the RAID level for the FortiDB 3000D and other models, see config system raid on page 275.
Email notification enhancement: This enhancement alleviates the problems associated with configuring reports in the notification section of the Monitor setup.

FortiDB
No design changes. Bug fixes only.

FortiDB
Support for FortiDB-1000D appliance: FortiDB-1000D is a stronger, faster platform supporting up to 30 databases that replaces the FortiDB-1000C.
tcpdump: FortiDB now includes tcpdump, a packet analyzer that you access using the command-line interface (CLI). tcpdump provides a reliable way for FortiDB deployments that use the TCP/IP sniffer to collect traffic data for troubleshooting purposes.

FortiDB tutorials

Use the FortiDB tutorials to quickly create a basic, working assessment and monitoring configuration for your environment and familiarize yourself with the web UI. For initial installation instructions (for the software-only version) and initial product configuration, see Installation (software-only) on page 36 and How to set up your FortiDB on page 48.

  Tutorial: Generating a vulnerability assessment (VA) report
  Tutorial: Monitoring a database table using the TCP/IP sniffer
  Tutorial: Monitoring a database table using the native auditing feature
  Tutorial: Monitoring changes to metadata
  Tutorial: Generating PCI, SOX, and HIPAA compliance reports

Tutorial: Generating a vulnerability assessment (VA) report

The following example FortiDB configuration provides step-by-step instructions for creating a vulnerability assessment (VA) report for an Oracle target database. To complete this example, the Oracle target database requires the following privileges:

  CREATE SESSION
  SELECT_CATALOG_ROLE
  SELECT ON:
    SYS.AUDIT$
    SYS.REGISTRY$HISTORY
    SYS.USER$
    SYS.LINK$
    SYSTEM.SQLPLUS_PRODUCT_PROFILE

For requirements for other types of target databases, see Privileges for VA assessments, privilege summaries, and penetration tests on page 95.

Use the following steps to complete this tutorial:

  1. Create a FortiDB administrator
  2. Create a target
  3. Create a target group
  4. Run a vulnerability assessment of the target group
  5. View the assessment results as a report
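The privilege list above is the whole of what the VA scanner needs, so the database account FortiDB connects with should be created with exactly those grants and nothing more (in particular, not the DBA role). The following script is an added example and is not part of the FortiDB Handbook or the product: it creates a dedicated Oracle user with the listed privileges and then reads the data dictionary back to confirm no extra privileges were granted. The user name FORTIDB_VA and the password placeholder are assumptions; run it as a DBA account such as SYSTEM.

```sql
-- Added example (not from the FortiDB Handbook): least-privilege Oracle
-- account for FortiDB vulnerability assessment. Run as a DBA (e.g. SYSTEM).
-- The user name FORTIDB_VA and the password placeholder are assumptions.
CREATE USER fortidb_va IDENTIFIED BY "<choose-a-strong-password>";

-- Allow the scanner to log in and read the DBA_* / V$ dictionary views.
GRANT CREATE SESSION TO fortidb_va;
GRANT SELECT_CATALOG_ROLE TO fortidb_va;

-- SELECT_CATALOG_ROLE does not cover SYS-owned base tables, which is why
-- the tutorial lists these objects separately. Read-only, object by object.
GRANT SELECT ON SYS.AUDIT$                      TO fortidb_va;
GRANT SELECT ON SYS.REGISTRY$HISTORY            TO fortidb_va;
GRANT SELECT ON SYS.USER$                       TO fortidb_va;
GRANT SELECT ON SYS.LINK$                       TO fortidb_va;
GRANT SELECT ON SYSTEM.SQLPLUS_PRODUCT_PROFILE  TO fortidb_va;

-- Verification: each query should return only the grants made above.
-- Expected: one system privilege (CREATE SESSION).
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'FORTIDB_VA';

-- Expected: one role (SELECT_CATALOG_ROLE); DBA must not appear.
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'FORTIDB_VA';

-- Expected: five rows, all with privilege = 'SELECT'; any INSERT, UPDATE,
-- DELETE or EXECUTE row here means the account is over-privileged.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'FORTIDB_VA'
 ORDER BY owner, table_name;
```

On an Oracle 12c multitenant database, create the user inside the pluggable database that FortiDB targets (or use a C##-prefixed common-user name if it must exist at the container level); the grants are otherwise unchanged. Re-running the three verification queries after any later DBA work is a cheap way to catch privilege creep on the scanner account.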

Create a FortiDB administrator

The FortiDB admin account is required for administrative tasks related to vulnerability assessment (VA) (for example, making backups and creating new accounts). However, for general VA tasks, Fortinet recommends that you create additional administrators with appropriate roles to allow you to separate duties.

1. Log in to FortiDB using the following credentials:
   User Name: admin
   Password: fortidb1!$
2. In the navigation menu (on the left side of the web UI), click Administration to expand it, and then click Administrators.
3. On the Administrators page, click Add.
4. On the General tab, enter information in the fields marked with an asterisk (*). For this example, for User Name, enter vauser. For Password, enter fdb!23.
5. On the Roles tab, for Available Roles, select the following options, and then click to add them to the Assigned Roles list:
   Target Manager
   Operations Manager
   Report Manager
6. Click Save.
7. To log out the admin user, click (Logout icon) at the top-right of the screen.

Create a target

A target specifies a database for FortiDB to assess.

1. Log in to FortiDB as the vauser user with the password fdb!23. Because vauser cannot view or create other users, Administration is not displayed in the navigation menu.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
   Name: vatarget
   Type: Oracle
   DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or its IP address)

   Port: The number of the port the database uses; the default port is 1521
   DB Name: The name of the database (for example, orcl)
   User Name: The database user name
   Password: The password for the database user
5. To verify that the connection parameters are correct, click Test Connection. The message Success is displayed at the top of the page.
6. Click Save. The vatarget item is displayed in the list of targets.

Create a target group

You configure FortiDB to assess target groups, not individual targets. A target group can consist of one or more targets.

1. In the navigation menu, click Target Database Server > Target Groups.
2. On the Target Groups page, select Add.
3. On the Targets page, for Group Name, enter a name for your group. For this example, enter mygroup.
4. To filter the list of targets, select the following values:
   Column: Name
   Operator: Contains
   Value: All or part of the name of the target (for example, vatarget or targ)
5. Click Search.
6. Ensure that only the target you created (vatarget) is displayed in the list, and then, to the right of the Group Name field, click Save Group.
7. To verify that the target group you created is in the list of target groups, click Target Database Server > Target Groups.

Run a vulnerability assessment of the target group

1. In the left-side menu, go to Vulnerability Assessment > Assessments.
2. On the Assessments page, click Add.
3. For Assessment Name, enter a name for your new assessment. For this example, enter myscan.
4. To add a target group to your assessment, on the Assessment page, click the Targets tab.
5. In the Available Target Groups list, select mygroup (the target group that you just created), and then select to move mygroup to the Assigned Target Groups list.
6. To add FortiDB policies to your assessment, click the Policies tab.

7. In the Available Policy Groups list, select Oracle Policy Group, and then select to move Oracle Policy Group to the Assigned Policy Groups list.
   When you select a policy group in the Available Policy Groups or Assigned Policy Groups list, the group's policies are displayed in the Active Policies list. Although you can select items in the Active Policies list, you cannot use this list to select policies to execute.
8. Click Save. On the Assessments page, the myscan assessment is displayed.
9. To run your newly created assessment, select the check box for the myscan item, and then click Run.
   In this example, you run the assessment manually and view the results in the web UI. However, FortiDB also allows you to schedule assessments and configure email and SNMP-trap notifications of assessment results. (See Running an assessment at a specified date and time on page 182 and Sending alert notifications on page 207.)
   After approximately a minute, a stop date and time is displayed in the Last Run Time column of the myscan item.

View the assessment results as a report

FortiDB provides several pre-defined reports that can help you analyze your assessments. This example uses the Target Summary Failed Report to view the assessment results. This report summarizes failed policies by number and type.

1. In the navigation menu, go to Report > Pre-Defined VA Reports.
2. On the Pre-Defined Reports page, click Target Summary Failed Report.
3. On the Vulnerability Assessment Target Summary Failed Report page, select the following values:
   Assessment Name: myscan
   Assessment Time: A date and time when FortiDB ran myscan
   Target: The target group associated with myscan (for this example, vatarget)
   On the Target Information tab, the parameters of the selected assessment are displayed.
4. Click the Preview Report tab. After FortiDB compiles it, the report is displayed.
5. To view your report in another format, at the bottom of the page, for Export as, select one of the following formats, and then click Export:
   PDF (.pdf)
   Excel (.xls)

   Tab (.txt) (tab-delimited)
   CSV (.csv) (comma-separated values)

See also:
  Administrators
  Connecting to target databases
  Adding or modifying a target group
  Vulnerability assessment (VA) policies
  Adding or modifying assessments
  Reports

Tutorial: Monitoring a database table using the TCP/IP sniffer

You can configure FortiDB to use a TCP/IP packet sniffer to monitor specific tables in a database and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report.

Database activity monitoring (DAM) using the TCP/IP sniffer is only available with the FortiDB appliance. DAM does not work for the software version of FortiDB.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 80.

The TCP/IP sniffer for DAM requires the following network environment and connections:
  The database server and clients use the TCP/IP protocol and all database activity takes place on the LAN.
  The network switch that FortiDB and the database server are connected to supports the port mirroring feature.
  One of the FortiDB ethernet ports is connected to the switch's mirror port (also known as a SPAN port). This port allows FortiDB to receive copies of all network traffic that is associated with the database.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):
   User Name: admin
   Password: fortidb1!$
   All DAM tasks require the user to log in as admin.

2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
   Name                     damtarget
   Type                     Oracle
   DB Host Name/IP          The IP address or name of the machine where the database is located (for example, test_machine or an IP address)
   Port                     The number of the port the database uses; the default port is 1521
   DB Name                  The name of the database (for example, orcl)
   User Name                The database user name
   Password                 The password for the database user
   DB Activity Monitoring   Select Allow.
5. To verify that the connection parameters are correct, click Test Connection. The message Success is displayed at the top of the page.
6. Click Save. The damtarget item is displayed in the list of targets.

Configure an alert policy for a database table

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management. Your target database is listed on the Target Monitoring Management page.
2. Click damtarget (the name of the target you created).
3. On the General tab, use the following values to complete the Audit Configuration settings:
   Collection Method           TCP/IP Sniffer
   Version                     The database version (9, 10g, 11g, 12c)
   Sniffer on Port             The FortiDB appliance port that is connected to the switch's mirror port
   Enable Activity Auditing    Selected
   Log All                     Selected
   Enable Activity Profiling   Selected
   When you create a target monitoring configuration, selecting Enable Activity Auditing, Log All, or Enable Activity Profiling is optional.
4. Click Save.

5. Click the Alert Policies tab.
6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.
7. On the Target Monitor:<target name> page, configure a table policy using the following values:
   Policy Name                          Enter a policy name or use the default name
   Description                          Enter an optional description
   Enable                               Selected
   Create new policy group for policy   Selected
   Severity                             Informational (the default) or another value
   When you create a table policy, selecting Enable or Create new policy group for policy is optional.
8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target.
9. For Schema, select a schema to use (for example, SCOTT).
10. In the Tables list, select a table to monitor (for example, EMP). To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.
11. Under Audit Actions, select Read, Write, or both.
12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.
13. Move any other tables you want to monitor to the Selected Objects table.
14. Beside Alert Rule, click the triangle icon to view the settings.
15. Select Issue alert if ANY of the enabled rules are triggered.
16. Select Security Violation (selected by default).
17. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.
18. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.
19. Select Alert any successful access if the database user matches a selected entry.
20. Click Save. On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.

Confirm the policy group was created and start monitoring

1. Click the Alert Policy Groups tab.

2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.
3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.
4. To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute one or more SQL statements that generate alerts. For example, read from or write to the monitored table (SCOTT.EMP in this tutorial) as one of the users you selected under Suspicious Database Users. The client must connect over the network path that the mirror port copies; a statement the sniffer never sees cannot raise an alert.
2. To view alerts, click DB Activity Monitoring > Security Alerts.
3. In the Security Alerts list, click an item to display its details under Alert Details (below the list). To hide the alert details, beside Alert Details, click the triangle icon.
4. To create a customized report, click Report > User-Defined DAM Reports, and then click Add.
5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description of the report.
6. Click the Table View tab.
7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
8. Click Save.
9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
10. After FortiDB has run the report, beside the report name, click [+] (plus sign). A list of items with names created from the report name and run times is displayed.
11. Click a run report item to view the report.
12. To export the report, click one of the following file format icons:
    PDF
    TXT (tab-delimited)
    XLS (Excel)
    CSV (comma-separated values)
    Your browser prompts you to download a file of the specified format.

View activity auditing and profiling

1. To view activity auditing, go to DB Activity Monitoring > Activity Auditing. Database activity events for the specified dates are displayed.
2. Click an event to display its details under Activity Event Details (below the list).
3. To check activity profiling, click DB Activity Monitoring > Activity Profiling.

   The Target DB Activity Profiling page lists the profiling status and summary information for the targets that FortiDB is monitoring.
4. To view details, click the name of the target.

See also:
Connecting to target databases
Configuring monitoring using the TCP/IP sniffer (all database types)
Data policies
Viewing alerts
User-defined DAM reports
Viewing audit records (activity auditing results)
Activity profiling

Tutorial: Monitoring a database table using the native auditing feature

You can configure FortiDB to use your database's auditing features to monitor specific database tables and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 80.

FortiDB can use several different methods to collect information from the monitoring process. The value of your database's audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is DB, EXTENDED, the collection method is DB, EXTENDED. For a description of other collection methods, see Configuring Oracle monitoring on page 204.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):
   User Name   admin
   Password    fortidb1!$
   All DAM tasks require the user to log in as admin.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
   Name                     dam2target
   Type                     Oracle
   DB Host Name/IP          The IP address or name of the machine where the database is located (for example, test_machine or an IP address)
   Port                     The number of the port the database uses; the default port is 1521
   DB Name                  The name of the database (for example, orcl)
   User Name                The database user name
   Password                 The password for the database user
   DB Activity Monitoring   Select Allow.
5. To verify that the connection parameters are correct, click Test Connection. The message Success is displayed at the top of the page.
6. Click Save. The dam2target item is displayed in the list of targets.

Configure an alert policy for a database table

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management. Your target database is listed on the Target Monitoring Management page.
2. Click dam2target (the name of the target you created).
3. On the General tab, confirm that the following default Audit Configuration values are selected:
   Collection Method   DB, EXTENDED
   Polling Frequency   60 (default value)
   With this method FortiDB reads the database's own audit trail once per polling interval, so an alert can lag the statement that caused it by up to one polling interval (here, one minute).
4. To test the collection method, click Test. The message Success is displayed at the top of the page.
5. Click the Alert Policies tab.
6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.
7. On the Target Monitor:<target name> page, configure a table policy using the following values:
   Policy Name                          Enter a policy name or use the default name
   Description                          Enter an optional description
   Enable                               Selected
   Create new policy group for policy   Selected
   Severity                             Informational (the default) or another value
   When you create a table policy, selecting Enable or Create new policy group for policy is optional.
8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target (the default value).
9. For Schema, select a schema to use (for example, SCOTT).
10. In the Tables list, select a table to monitor (for example, EMP). To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.
11. Under Audit Actions, select Read, Write, or both.
12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.
13. Move any other tables you want to monitor to the Selected Objects table.
14. Select Issue alert if ANY of the enabled rules are triggered.
15. Select Security Violation (selected by default).
16. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.
17. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.
18. Select Alert any successful access if the database user matches a selected entry.
19. Click Save. On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.

Confirm the policy group was created and start monitoring

1. Click the Alert Policy Groups tab.
2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.
3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.
4. To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute several SQL statements that generate alerts.
2. To view alerts, click DB Activity Monitoring > Security Alerts.

3. In the Security Alerts list, click an item to display its details under Alert Details (below the list). To hide the alert details, beside Alert Details, click the triangle icon.
4. To create a customized report, click Report > User-Defined DAM Reports, and then click Add.
5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description of the report.
6. Click the Table View tab.
7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
8. Click Save.
9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
10. After FortiDB has run the report, beside the report name, click [+] (plus sign). A list of items with names created from the report name and run times is displayed.
11. Click a run report item to view the report.
12. To export the report, click one of the following file format icons:
    PDF
    TXT (tab-delimited)
    XLS (Excel)
    CSV (comma-separated values)
    Your browser prompts you to download a file of the specified format.

See also:
Connecting to target databases
Data policies
Viewing alerts
User-defined DAM reports

Tutorial: Monitoring changes to metadata

You can configure FortiDB to use your database's auditing features to monitor for metadata changes and generate alerts based on the policies you specify. For example, you can configure FortiDB to generate alerts when database tables or columns are created, deleted, or modified. You can then use the alert information to generate a report.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 80.

FortiDB can use several different methods to collect information from the monitoring process. The value of your database's audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is DB, EXTENDED, the collection method is DB, EXTENDED.
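The following is an added example, not FortiDB's own code and not part of the handbook. It shows, from the Oracle side, what the two native-auditing tutorials depend on: the audit_trail check, the audit options that make Oracle write a record for reads and writes on SCOTT.EMP (the table policy in the previous tutorial) and for table DDL (the metadata policy this tutorial enables), statements that should raise alerts, and the DBA_AUDIT_TRAIL query that returns the records FortiDB polls with the DB, EXTENDED collection method. Run it in SQL*Plus as a DBA user such as SYSTEM. The demo schema SCOTT with its table EMP is assumed to exist, and TABLE1 is the handbook's own test table name.

```sql
-- Added example, not FortiDB's code or the handbook's. Run as SYSTEM (or
-- another DBA user) in SQL*Plus. Assumes the demo schema SCOTT with table EMP.

-- 1. Check the collection-method prerequisite. FortiDB's DB, EXTENDED method
--    expects this to be "DB, EXTENDED" (older releases display DB_EXTENDED),
--    which stores the SQL text and bind values with each audit record.
--    On Oracle 12c this applies to traditional auditing; with pure unified
--    auditing the records go to UNIFIED_AUDIT_TRAIL instead.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

-- audit_trail is a static parameter: if the value is wrong, set it in the
-- SPFILE and restart the instance before you configure the FortiDB target.
-- ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE
-- STARTUP

-- 2. Make Oracle write the records the policies are matched against.
--    BY ACCESS is explicit so that repeated identical statements in one
--    session each get their own record instead of being collapsed into one.
--    Object audit options (first statement) take effect for sessions that
--    are already connected; statement audit options (second statement) apply
--    only to sessions that start afterwards, so reconnect test clients.
AUDIT SELECT, INSERT, UPDATE, DELETE ON scott.emp BY ACCESS;
AUDIT TABLE, ALTER TABLE BY ACCESS;

-- 3. Activity that should produce alerts once the target shows Running:
--    a read and a write on the monitored table, then the metadata tutorial's
--    CREATE/DROP pair. The ROLLBACK does not remove the audit records;
--    Oracle writes them in their own transaction.
SELECT empno, ename FROM scott.emp WHERE ROWNUM <= 3;
UPDATE scott.emp SET comm = NVL(comm, 0) WHERE empno = 7369;
ROLLBACK;
CREATE TABLE scott.table1 (column1 INT, column2 CHAR);
DROP TABLE scott.table1;

-- 4. What FortiDB reads on each poll. RETURNCODE 0 is a successful access;
--    any other value is the ORA- error number of a failed one. SQL_TEXT is
--    populated only in EXTENDED mode: if it is NULL here, step 1 was not
--    applied and the alert details in FortiDB will not show the statement.
SELECT timestamp, username, os_username, userhost, action_name,
       owner, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner = 'SCOTT'
   AND timestamp > SYSDATE - 1/24
 ORDER BY timestamp;
```

Run step 3 from a separate client session connected as one of the users you listed under Suspicious Database Users, then wait one polling interval before looking at DB Activity Monitoring > Security Alerts. The DDL statements produce records with ACTION_NAME CREATE TABLE and DROP TABLE and OBJ_NAME TABLE1, which is what the metadata policy matches; the EMP statements produce SELECT and UPDATE records for the table policy.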

For a description of other collection methods, see Configuring Oracle monitoring on page 204.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):
   User Name   admin
   Password    fortidb1!$
   All DAM tasks require the user to log in as admin.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
   Name                     dam3target
   Type                     Oracle
   DB Host Name/IP          The IP address or name of the machine where the database is located (for example, test_machine or an IP address)
   Port                     The number of the port the database uses; the default port is 1521
   DB Name                  The name of the database (for example, orcl)
   User Name                The database user name
   Password                 The password for the database user
   DB Activity Monitoring   Select Allow.
5. To verify that the connection parameters are correct, click Test Connection. The message Success is displayed at the top of the page.
6. Click Save. The dam3target item is displayed in the list of targets.

Configure an alert policy for metadata

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management. Your target database is listed on the Target Monitoring Management page.
2. Click dam3target (the name of the target you created).
3. On the General tab, confirm that the following default Audit Configuration values are selected:
   Collection Method   DB, EXTENDED
   Polling Frequency   60 (default value)
4. To test the collection method, click Test. The message Success is displayed at the top of the page.
5. Click the Alert Policies tab.
6. Locate the policy item Tables, whose Type value is the metadata policy icon, and then select it by selecting its check box.
7. Click Enable. Under Status, a green icon with an arrow is displayed.

Start monitoring

1. To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.
2. If the message NEED_RECONFIGURE is displayed, click the Alert Policies tab, and then click the Reconfigure* button.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute several SQL statements that generate alerts. For example, execute the following SQL statements:
   create table table1 (column1 int, column2 char);
   drop table table1;
2. To view alerts, click DB Activity Monitoring > Security Alerts.
3. In the Security Alerts list, click an item to display its details under Alert Details (below the list). To hide the alert details, beside Alert Details, click the triangle icon.
4. To change the alert status from Unacknowledged to Acknowledged, do the following:
   a. Select the check box(es) of the alerts to change, and then select Acknowledged in the Status drop-down list.
   b. Click Apply. The color of the status icon changes.
5. To create a customized report, click Report > User-Defined DAM Reports, and then click Add.
6. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description of the report.
7. Click the Table View tab.
8. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.
9. Click Save.

10. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.
11. After FortiDB has run the report, beside the report name, click [+] (plus sign). A list of items with names created from the report name and run times is displayed.
12. Click a run report item to view the report.
13. To export the report, click one of the following file format icons:
    PDF
    TXT (tab-delimited)
    XLS (Excel)
    CSV (comma-separated values)
    Your browser prompts you to download a file of the specified format.

See also:
Connecting to target databases
Metadata policies
Viewing alerts
User-defined DAM reports

Tutorial: Generating PCI, SOX, and HIPAA compliance reports

You can configure FortiDB to monitor a database and generate alerts based on the following regulatory compliance standards:
- Sarbanes-Oxley Act (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)

This example configures a Microsoft SQL Server database. Before you start the tutorial, ensure that the database has the required configuration. For more information, see Microsoft SQL Server target database pre-configuration on page 94.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):
   User Name   admin
   Password    fortidb1!$
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is a Microsoft SQL Server database:
   Name                     dam_pci_sox
   Type                     Microsoft SQL Server
   DB Host Name/IP          The IP address or name of the machine where the database is located (for example, test_machine or an IP address)
   Port                     The number of the port the database uses; the default port is 1433
   Connect At               Server Level (default)
   DB Name                  The name of the database. Because this target connects at the server level, the database name is master and you cannot change it.
   User Name                The database user name
   Password                 The password for the database user
   DB Activity Monitoring   Select Allow.
5. To verify that the connection parameters are correct, click Test Connection. The message Success is displayed at the top of the page.
6. Click Save. The dam_pci_sox item is displayed in the list of targets.

Add the PCI, SOX, and HIPAA policy groups to the target

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
2. Click dam_pci_sox (the name of the target you created).
3. On the General tab, confirm that the following default Audit Configuration values are selected:
   Collection Method   SQL Trace
   Trace Folder        Enter the full path of the existing trace folder (for example, C:\SQLTrace)
   Polling Frequency   60 (default)
   The trace folder is on the database server and must be writable by the SQL Server service account, because server-side trace files are written by the SQL Server service, not by the FortiDB database user.
4. To test the collection method, click Test. The message Success is displayed at the top of the page.
5. Click the Alert Policy Groups tab.
6. Select PCI Policies, and then click >> (right arrows) to move the item to the Selected Policy Groups list.
7. Select Sox Policies, and then click >> (right arrows) to move the item to the Selected Policy Groups list.
8. Select HIPAA Policies, and then click >> (right arrows) to move the item to the Selected Policy Groups list.

9. Click Save.

Start monitoring

To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.

Configure and export PCI and SOX reports

1. Using a database client-side application, execute several SQL statements that generate data. For example, to generate data that is captured in a History of Privilege Changes report, execute SQL statements that change privileges (GRANT and REVOKE statements, or changes to role membership).
2. To create a PCI compliance report, click Report > PCI Reports.
3. For this example, select PCI - Successful/Unsuccessful Database Logins.
4. On the Generate Audit PCI Report page, configure the report using the following values:
   Export as       PDF (default)
   W/P Reference   Enter the work paper reference value, if required. This value is a tracking mechanism customers can use to identify and place controls around reports.
   Date Range      Enter start and end dates for the report (click the calendar icons to select dates using the date picker)
5. Confirm that the target database is displayed in the Targets list. If there is no data for the date range, the database name does not appear in the list.
6. In the bottom-right corner of the page, click Export. Your browser downloads the report file.
7. Repeat the compliance report steps to generate the following report types:
   SOX Report: History of Privilege Changes
   HIPAA Report: Privilege Changes

See also:
Connecting to target databases
PCI, SOX, and HIPAA alert policies
PCI, SOX, and HIPAA reports
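As an added example (not part of the handbook and not FortiDB's code), the following T-SQL produces the events that the reports in this tutorial summarize and checks that the SQL Trace collection method really has a trace running. Run it in SQL Server Management Studio or sqlcmd as a sysadmin against the monitored instance after Monitor Status shows Running. The login pci_test, the database AppDB, the table dbo.CardHolder, the sample password, and the <host> placeholder are hypothetical names; substitute your own.

```sql
-- Added example, not from the FortiDB handbook. Run as sysadmin on the
-- monitored SQL Server after FortiDB shows Monitor Status "Running".
-- Hypothetical names: login pci_test, database AppDB, table dbo.CardHolder.
USE master;
GO

-- 1. Confirm that a server-side trace other than the default trace is
--    running (status 1) and writing under the Trace Folder you configured;
--    the trace FortiDB started for the SQL Trace method should appear here.
--    If no row comes back, the poller has nothing to read and every report
--    stays empty no matter what you do next.
SELECT id, status, path, start_time, event_count, dropped_event_count
  FROM sys.traces
 WHERE is_default = 0;
GO

-- 2. Privilege changes: these become rows in the SOX "History of Privilege
--    Changes" and HIPAA "Privilege Changes" reports. sp_addsrvrolemember is
--    used instead of ALTER SERVER ROLE so the script also runs on SQL
--    Server 2008, the release the repository chapter is written against.
CREATE LOGIN pci_test WITH PASSWORD = 'Tmp!Pass-ChangeMe-2017', CHECK_POLICY = ON;
EXEC sp_addsrvrolemember 'pci_test', 'sysadmin';   -- the kind of change an auditor asks about
EXEC sp_dropsrvrolemember 'pci_test', 'sysadmin';
GO
USE AppDB;
GO
CREATE USER pci_test FOR LOGIN pci_test;
GRANT SELECT, UPDATE ON dbo.CardHolder TO pci_test;
REVOKE UPDATE ON dbo.CardHolder FROM pci_test;
GO

-- 3. Logins for the "Successful/Unsuccessful Database Logins" report. A
--    failed login must come from a new connection, so run these from a
--    command prompt rather than inside this session:
--      sqlcmd -S <host> -U pci_test -P WrongPassword -Q "SELECT 1"
--      sqlcmd -S <host> -U pci_test -P Tmp!Pass-ChangeMe-2017 -Q "SELECT SUSER_SNAME()"
--    The first fails with error 18456; the second succeeds.

-- 4. Clean up once the reports are exported. The DROP statements are
--    themselves privilege changes and will show up in the next report run.
DROP USER pci_test;
GO
USE master;
GO
DROP LOGIN pci_test;
GO
```

Wait at least one polling interval (60 seconds by default) after step 3 before generating the reports, and set the report's Date Range to include today; otherwise the target does not appear in the Targets list because there is no data for the range.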

Installation (software-only)

The software-only version of FortiDB allows you to install FortiDB on hardware that you provide. FortiDB software runs as a web application and uses Tomcat as the application server. You can install it on either Windows or UNIX (Solaris, AIX, Linux) platforms.

FortiDB uses one of the following repositories for its internal data:
- Apache Derby
- PostgreSQL
- Oracle
- Microsoft SQL Server

The Apache Derby database is included with the FortiDB software. No manual setup is required.

Because the software-only version of FortiDB cannot monitor databases using the TCP/IP sniffer, the software-only version does not support the activity auditing and profiling features.

System requirements

To ensure both security and performance, install FortiDB on a dedicated computer that does not run any other memory- or processor-intensive applications. Start with a clean installation of the operating system that has a minimum number of services running. FortiDB stores connection credentials for every target database it monitors, so harden the host accordingly. For a list of currently supported hardware and software, see the Supported Hardware section of the Release Notes for your version of FortiDB.

Requirement   Details
Disk space    300 MB of free disk space (minimum). Additional space is required for the repository database, log files, reports, and archives.
Memory        A minimum of 2048 MB of system memory, 1024 MB of which is dedicated to the FortiDB application.
Processor     Windows and Linux: Intel-based platforms configured with one or more P4 (or higher) processors. Solaris: SPARC-based platform configured with one or more processors.

These are minimum disk space and memory requirements. For optimal performance, consult with a FortiDB representative for recommendations that are best suited to your individual situation.

Preparing to install

Before you install FortiDB, ensure you have the following information:

User account for FortiDB installation
   Windows: an Administrator-level account. Linux or Solaris: a non-root user account.
Location for FortiDB
   You can install FortiDB in any directory. Do not choose a path whose name contains one or more spaces. For example, because there is a space between Program and Files, do not use C:\Program Files\FortiDB.
   Note: If you choose a location where a previous version of FortiDB exists, the installation process upgrades the current installation.
DB type for your repository database
   Derby, Microsoft SQL Server, Oracle, or PostgreSQL.
   Note: The FortiDB installation process installs the compatible Derby database with the required configuration. For Microsoft SQL Server, Oracle, and PostgreSQL, configure your repository database before you install FortiDB. See Configuring the FortiDB repository database on page 38.
Name of host machine for repository database
   The host name or IP address of the machine where the repository database resides.
Port number for repository database
   An available port number above 1024.
Database name/SID for repository database
   The name (or SID) of the repository database.
Username for repository database user
   The account name of the repository database user.
Password for repository database user account
   The password for the repository database user.
Application Server HTTP Port Number
   An available port number above 1024.
Application Server HTTPS Port Number
   An available port number above 1024.
Application Server Shutdown Port Number
   An available port number above 1024.

Configuring the FortiDB repository database

When you use Derby for the FortiDB repository database, no configuration is required. For all other database types, follow the configuration instructions in this section.

For all repository types except Derby, verify that your character-encoding setting is UTF-8.

Do not use the FortiDB application to monitor or audit its own repository database.

To ensure best performance, do not install FortiDB and its repository database on the same computer. The Derby repository that is included with the FortiDB software is the exception: the installer sets it up on the FortiDB computer itself.

Configuring a PostgreSQL repository
Configuring an Oracle repository
Configuring a Microsoft SQL Server repository

Configuring a PostgreSQL repository

When you use a PostgreSQL 8.x repository, FortiDB requires a language pack for its archive feature.

1. Create a database to use for the FortiDB repository (for example, fortidb) with UTF-8 encoding. Make a note of the following information, which is required for FortiDB installation:
   Database name
   User name
   Password
2. To install the language pack plpgsql, execute the following command:
   createlang -h <database_host> -d <database_name> -U <database_user> plpgsql
   where:
   <database_host> is the host name or IP address of the PostgreSQL server
   <database_name> is the name of the database
   <database_user> is the name of the database user
3. To verify that the language pack is installed properly, execute the following command (the placeholders have the same meanings as in step 2; the -d option matters because languages are installed per database):
   psql -h <database_host> -d <database_name> -U <database_user> -c "select * from pg_language"
   A row for plpgsql is displayed in the pg_language table.
   On PostgreSQL 9.0 and later, plpgsql is installed by default, and the createlang utility was removed in PostgreSQL 10. On those releases, run the SQL statement CREATE EXTENSION IF NOT EXISTS plpgsql in the repository database instead of step 2.

Configuring an Oracle repository

1. Create a tablespace for FortiDB with the following values:
   Block Size (B)               Minimum 16K
   Total SGA size               Minimum 500 MB
   Total PGA size               Minimum 100 MB
   Segment Space Management     AUTO (Automatic)
   Extent Management            LOCAL
   If the database's standard block size (db_block_size) is smaller than 16K, as in the 8192-byte example below, Oracle lets you create a 16K tablespace only after a 16K buffer cache has been configured with the db_16k_cache_size parameter.
2. Create a user for FortiDB that has the following privileges:
   CREATE SESSION
   CREATE TABLE
   CREATE SEQUENCE
   UNLIMITED QUOTA on the FortiDB tablespace
   These are the only privileges the repository user needs; do not grant a broader role such as DBA.
3. Make any changes to your configuration that can reduce the risk of competition for input/output resources (I/O contention). For example, put your database and log files on separate disks.
4. Create a datafile for the FortiDB tablespace. For example:
   File Name        FORTIDB.DBF
   File Directory   C:\oracle\product\10.2.0\oradata\orcl\
   Tablespace       FORTIDB
   File Size        500M
   AUTOEXTEND       ON (automatically extends the datafile when it is full)

Here is an example of the parameters in init.ora (for Oracle 10g):
*.db_name='fortidb'
*.db_block_size=8192
*.sga_target=584m
*.pga_aggregate_target=194m
*.db_create_file_dest='/home/oracle/product/10.2.0/db_1/oradata/fdb'
*.db_recovery_file_dest='/home/oracle/product/10.2.0/db_1/flash_recovery_area'
*.db_recovery_file_dest_size=2g
*.undo_management='auto'
*.undo_tablespace='undotbs1'
*.audit_file_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/adump'
*.user_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/udump'
*.core_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/cdump'
*.background_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/bdump'
*.compatible=' '
*.control_files='/home/oracle/product/10.2.0/db_1/oradata/fdb/control01.ctl'
*.db_file_multiblock_read_count=16
*.job_queue_processes=10
*.open_cursors=300
*.processes=150

Configuring a Microsoft SQL Server repository

This procedure illustrates how to configure a repository using Microsoft SQL Server 2008 Management Studio. The user ID and schema name must have the same name as the FortiDB repository.

Create a SQL database

1. Log in as sa.
2. Right-click Databases.
3. Click New Database.
4. For the database name, enter fortidb.
5. Configure the database using the following values:
   Initial data-file size   300 MB (minimum)
   Initial log-file size    20 MB (minimum)
   Collation value          A value that supports case-sensitivity. The characters CS in a collation value indicate that it is case-sensitive. For example, the collation value SQL_Latin1_General_CP1_CS_AS is for U.S. English systems and is case-sensitive.
6. Click OK.

Create a SQL login

1. Go to Security.
2. Right-click Logins.
3. Click New Login.
4. For Login name, enter fortidb.
5. Select SQL Server authentication, and then enter and confirm a password.
6. Clear Enforce password expiration. Leave Enforce password policy selected so that the repository password must meet the server's complexity rules.
7. For Default database, select fortidb.
8. On the User Mapping page, for Users mapped to this login, select fortidb. In the User column for the fortidb list item, fortidb is displayed.
9. Select the fortidb item in the list of users, and then, for Database role membership for: fortidb, select db_owner.
10. Click OK.

Create the fortidb schema

Ensure that the schema uses the same name as the login name that you created in the previous step.

1. Log in using the user (fortidb) and password.
2. Go to Databases > fortidb > Security.
3. Right-click Schemas, and then select New Schema.
4. For both Schema name and Schema owner, enter fortidb.
5. Click OK.
6. Go to Databases > fortidb > Security > Users.
7. Right-click the fortidb user, and then click Properties.
8. For Default schema, enter fortidb.
9. Click OK.
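The same repository setup as T-SQL, as an added example that is not part of the handbook or of FortiDB's own code. It covers the three Management Studio procedures above (database, login, schema) and the User Mapping verification that follows, so it can be run instead of the clicks on a server without a GUI session. Run it as sa or another sysadmin. The data and log file paths, the growth increments, and the password are assumptions; replace them with values for your server.

```sql
-- Added example, not from the FortiDB handbook. Run as sa (or another
-- sysadmin). File paths and the password are placeholders for your server.
USE master;
GO

-- 1. Database: 300 MB data and 20 MB log minimums with a case-sensitive
--    collation (the CS in the name), as the handbook requires.
CREATE DATABASE fortidb
  ON PRIMARY (NAME = fortidb_data, FILENAME = 'D:\MSSQL\Data\fortidb.mdf',
              SIZE = 300MB, FILEGROWTH = 64MB)
  LOG ON     (NAME = fortidb_log,  FILENAME = 'D:\MSSQL\Log\fortidb_log.ldf',
              SIZE = 20MB, FILEGROWTH = 16MB)
  COLLATE SQL_Latin1_General_CP1_CS_AS;
GO

-- 2. Login with SQL Server authentication and no password expiration (the
--    handbook's "Clear Enforce password expiration"), but with the password
--    policy kept on so a weak repository password is rejected.
CREATE LOGIN fortidb WITH PASSWORD = 'Repo!Pass-ChangeMe-2017',
  DEFAULT_DATABASE = fortidb, CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO

-- 3. User, schema and role membership inside the repository database. Login,
--    user and schema all share the name fortidb, which FortiDB requires; the
--    schema is owned by that user and set as its default schema so that
--    unqualified table names resolve to it. CREATE SCHEMA must be the only
--    statement in its batch, hence the GO on each side.
USE fortidb;
GO
CREATE USER fortidb FOR LOGIN fortidb;
GO
CREATE SCHEMA fortidb AUTHORIZATION fortidb;
GO
ALTER USER fortidb WITH DEFAULT_SCHEMA = fortidb;
EXEC sp_addrolemember 'db_owner', 'fortidb';  -- ALTER ROLE ... ADD MEMBER on 2012 and later
GO

-- 4. Verification, the equivalent of the User Mapping check: expect exactly
--    one row with db_user fortidb, default_schema_name fortidb, login_name
--    fortidb and db_role db_owner.
SELECT dp.name AS db_user, dp.default_schema_name,
       sp.name AS login_name, r.name AS db_role
  FROM sys.database_principals dp
  JOIN sys.server_principals   sp ON sp.sid = dp.sid
  JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
  JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
 WHERE dp.name = 'fortidb';
GO
```

If the verification query returns no row, the most common cause is that the user was created before the login existed or from a different SID (for example, a database restored from another server); dropping and recreating the user with CREATE USER fortidb FOR LOGIN fortidb re-links them.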

Verify that the login is mapped to the correct schema and user

1. Log in as sa.
2. Go to Security > Logins.
3. Right-click fortidb, and then select Properties.
4. On the User Mapping page, verify that fortidb is both the user and the default schema value for the fortidb item.

UNIX/Linux installation

You install FortiDB software on UNIX and Linux using a console user interface, or command-line interface (CLI). You can use a non-root user account to install FortiDB on the following operating systems:
- Solaris
- AIX
- Linux installations that use an Oracle repository database

To install FortiDB on UNIX/Linux, the following hardware and operating system are required:
- Solaris with a SPARC-based platform
- 64-bit Linux system with an Intel-based platform and a 2.6 kernel
For detailed platform requirements, see the release notes for your version of FortiDB.

Obtain one of the following FortiDB installer files:
   Solaris                               fdb-install-{version}-solaris-sparc.bin
   Linux (without RPM Package Manager)   fdb-install-{version}-linux-x64.bin
   UNIX                                  fdb-install-{version}-unix.bin
Execute the installer file using the following command:
   sh <installer file>

For Linux installations that use RPM Package Manager, do the following:
- Obtain the FortiDB installer file fdb-install-{version}-linux-x64.rpm
- Execute the installer file using the following command (installing an RPM package requires root):
   rpm -ivh <installer file>

To install FortiDB on other UNIX systems such as AIX, first install the Java Runtime Environment version 1.6 or higher, and then update the FortiDB startup script. For details, refer to the release notes for your version of FortiDB or contact Fortinet.

Windows installation

For detailed information on Windows installation requirements, see the release notes for your version of FortiDB.

To install FortiDB on Windows, you use the graphical user interface (GUI) and an Administrator account.

Obtain one of the following FortiDB installer files:
- Windows 64-bit: fdb-install-{version}-windows-x64.exe
- Windows 32-bit: fdb-install-{version}-windows-x86.exe

Log in as a user with administrator privileges, run the installer, and then follow the instructions provided by the installer.

Use the Add/Remove Programs control panel to uninstall FortiDB.

Confirming the installation

To test whether your installation was successful, enter the FortiDB URL in your browser. The URL is built from:
- fortidb_ip: the FortiDB host name or IP address
- port_int: the port number on which the application server listens

If your installation is successful, the login page is displayed. The default administrator user name is admin and the default password is fortidb1!$. After you log in successfully, go to Administration > Administrators to change the password for the admin account. For more information on changing passwords, see Changing the admin account password on page 53.

Starting or stopping FortiDB

In some situations it is necessary to start or stop FortiDB manually, for example when you update or replace your FortiDB license file, or reboot UNIX.

When FortiDB stops, it saves state information in the internal database. When you log in again, it retrieves this information and reopens the databases that were open at the time of the shutdown. Because state information is saved periodically during your session, FortiDB can restore most of the state even if it goes down due to a power failure or similar problem.

To manually start FortiDB on Windows, do one of the following:
- Execute the <FortiDB install directory>\bin\start.bat batch file.
- Click Start > Programs > FortiDB > Start FortiDB.

To manually start FortiDB on UNIX, use the <FortiDB install directory>/bin/start script.

To manually stop FortiDB on Windows, do one of the following:
- Execute the <FortiDB install directory>\bin\stop.bat batch file.
- Click Start > Programs > FortiDB > Stop FortiDB.

To manually stop FortiDB on UNIX, use the <FortiDB install directory>/bin/stop script.

Installing a new license

FortiDB requires a license key in order to operate and ships with a temporary one. In some cases, a notice warning you that your license is about to expire is displayed about two weeks before the expiry date. If this happens, contact your Fortinet sales representative to extend the license.

To install a new license (for information on starting and stopping FortiDB, see Starting or stopping FortiDB):
1. Stop FortiDB.
2. In <FortiDB install directory>/conf, replace license.properties with the new license file.
3. Restart FortiDB.

Managing disk space

FortiDB log, archive, and report files all consume disk space. To help conserve disk space, you can back up, delete, and restore these files as required.

Useful directories, files, and folders

The FortiDB installation directory contains the following directories:

- <FortiDB install directory>/bin: utility files, including the scripts that allow you to manually start and stop FortiDB
- <FortiDB install directory>/conf: your license file, encryption-key files, installation-properties file, and report logo files
- <FortiDB install directory>/data/archives/va: vulnerability assessment archive files
- <FortiDB install directory>/data/reports: report files
- <FortiDB install directory>/doc: Administration, Quick Start, and Installation Guides
- <FortiDB install directory>/etc/conf/pentest: files related to penetration tests
- <FortiDB install directory>/etc/snmp: SNMP-trap dictionary file for FortiDB
- <FortiDB install directory>/logs: error and other log files
- <FortiDB install directory>/tomcat/logs: log files for the Tomcat application server
- <FortiDB install directory>/uninstall: uninstall executable file

The FortiDB installation directory contains the following files and folders:

- <FortiDB install directory>/conf/license.properties: specifies the length of the FortiDB license period and the number of target databases allowed during it

- <FortiDB install directory>/conf/.keyfile: needed for the encryption of passwords and assessment archives
- <FortiDB install directory>/conf/.keystore: needed for target-database connections involving SSH
- <FortiDB install directory>/conf/reportlogos: contains images for report logos
- <FortiDB install directory>/etc: contains the pentest dictionary and db-type-specific files, XML files with samples of information that can be imported from a target database, and the FortiDB-specific MIB file for SNMP notifications
- <FortiDB install directory>/etc/templates: server.xml (for internal FortiDB use only)

Restrict read access to the .keyfile and .keystore files to the account that runs FortiDB, and keep copies of them with your backups, because the encrypted passwords and assessment archives depend on them.

Log files for troubleshooting

FortiDB produces the following log files, which are useful for troubleshooting and can help Fortinet Technical Support to assist you.

General logs:
- <FortiDB install directory>/logs/*.log
- <FortiDB install directory>/tomcat/logs/*.log

Tomcat logs: you can troubleshoot installation problems by reviewing information in the Tomcat log files located in the following directories:
- <FortiDB install directory>/logs
- <FortiDB install directory>/tomcat/logs
- <FortiDB install directory>/tomcat/webapps/fortidb/web-inf/logs

Upgrading FortiDB

For supported upgrade versions, see the release notes for your version of FortiDB.

To upgrade from an earlier version of FortiDB:
1. Back up your repository database. This step is optional, but recommended.
2. Shut down your existing FortiDB process or service. For detailed steps, see Starting or stopping FortiDB.
3. Execute the FortiDB installer file. For detailed information, see UNIX/Linux installation on page 42 or Windows installation.
4. Specify the directory that contains your existing FortiDB installation as the destination directory.
5. To complete the upgrade installation, follow the remaining steps provided for an initial installation.

How to set up your FortiDB

The basic setup instructions include information on planning network connections for FortiDB, connecting to the web UI or command line interface, and ensuring that you have the latest version of the firmware (for appliance versions). After the initial setup is complete, for example configurations for assessing and monitoring databases, see FortiDB tutorials on page 19.

This chapter covers:
- Registering your FortiDB
- Planning the network topology for database activity monitoring (DAM)
- Connecting to the web UI and CLI
- Updating the firmware
- Changing the admin account password
- Setting the system time
- Configuring the network settings

Registering your FortiDB

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Planning the network topology for database activity monitoring (DAM)

Database activity monitoring (DAM) using the TCP/IP sniffer (also known as packet capture or network analyzer) is available for the appliance version of FortiDB only. It provides functions such as policy-based activity auditing, activity profiling, and security alerts.

To use DAM with the TCP/IP sniffer, connect one or more of your FortiDB appliance's ports to the SPAN port of the switch that is connected to your database server. This configuration allows the appliance to monitor all traffic passing to and from the server. Traffic that is encrypted between the client and the database cannot be read from a SPAN port without additional configuration; see Monitoring encrypted Oracle traffic on page 83.

See also: Tutorial: Monitoring a database table using the TCP/IP sniffer

Connecting to the web UI and CLI

Port1 has a factory-default IP address and subnet mask. To connect to the appliance's web UI on port1, for example, browse to the port1 IP address.

To connect to the appliance's CLI, connect your computer's serial communications (COM) port to the FortiDB appliance's console port. Use terminal emulation software to connect to the appliance with the following configuration:
- Serial line to connect to: COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
- Speed (baud): 9600
- Data bits: 8
- Stop bits: 1
- Parity: None
- Flow control: None

The default administrator account name and password are admin and fortidb1!$. See Changing the admin account password.

Updating the firmware

Your new FortiDB appliance ships with the latest operating system (firmware). However, if Fortinet has released a new version since it shipped your appliance, install the new firmware before you continue the installation.

Fortinet periodically releases FortiDB firmware updates with enhancements and fixes. Before you can download firmware updates for your FortiDB appliance, you must first register it with Fortinet Technical Support. For details, see the Fortinet Technical Support web site or contact Fortinet Technical Support. FortiDB firmware is available for download from the Fortinet Technical Support web site.

New firmware can also introduce new features which you must configure for the first time. For late-breaking information specific to the firmware release version, see the release notes for the release.

When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup safeguards data and configuration settings in case power is lost during the upgrade. For information on backup and restore procedures, see Backups.

Upgrading the firmware

When installing firmware, FortiDB keeps existing data and configuration. If you want to reset all device settings and configuration and delete log data on the hard drive, use the execute format disk CLI command. For details, see execute format disk on page 284.

To upgrade your firmware using the web UI:
1. Download the firmware image file to your management computer. For FortiDB appliances with a valid technical support contract, you can download firmware images from the Fortinet Technical Support web site.
2. Log in as admin.
3. Go to System > System Information.
4. Under System Information, in the Firmware Version information, click Update.
5. Do one of the following to select the firmware image file:
   - Enter the path and file name of the file.
   - Click Choose File to navigate to and select the file.
6. Click Update.
After your browser uploads the firmware image file, FortiDB upgrades to the new firmware version, and then restarts. This process takes a few minutes.

To upgrade your firmware using the CLI:
When you upgrade the firmware using the CLI, FortiDB requires a TFTP or FTP server that it can connect to. Both protocols transfer the image without encryption or authentication of the server, so run the server on a trusted management network.
1. Start the FTP or TFTP server.
2. Copy the new firmware image file to the FTP or TFTP server.
3. Log in to the CLI as admin.
4. Verify that FortiDB can connect to the FTP or TFTP server by pinging its IP address:
    execute ping <server_ip>
5. Enter one of the following commands to copy the firmware image from the server to FortiDB:
    execute restore image ftp <filename> <ftp_ip>
    execute restore image tftp <filename> <tftp_ip>
   where:

   - <filename> is the name and location of the firmware image file
   - <ftp_ip> or <tftp_ip> is the IP address of the FTP or TFTP server
   For example, if the firmware image file name is image.out and the server is a TFTP server, enter:
    execute restore image tftp image.out <tftp_ip>
   FortiDB responds with the following message:
    This operation will replace the current firmware version! Do you want to continue? (y/n)
6. Type y.
   FortiDB downloads the firmware image file, upgrades to the new firmware version, and then restarts. This process takes a few minutes.
7. Reconnect to the CLI.
8. To confirm that the new firmware image is successfully installed, enter:
    get system status

Installing FortiDB firmware

You can use the boot loader menu to install a specific firmware image and reset FortiDB to default settings. Use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version. This procedure reverts the FortiDB system to its factory default configuration.

Installing a specific firmware image requires you to connect to the CLI using the FortiDB console port and an RJ-45 to DB-9 or null-modem cable. A TFTP server that FortiDB can reach from its internal interface, on the same subnet as that interface, is also required.

To install firmware using the boot loader menu:
1. Connect to the FortiDB CLI through the console port.
2. To get and copy your current network settings for reference, execute the following command:
    show
   Installing a new image resets your network settings to the factory defaults. To access the web-based manager afterwards, re-configure the network settings.
3. Verify that the TFTP server is running.
4. Copy the new firmware image file to the TFTP server.

5. Verify that the internal interface is connected to the same network as the TFTP server. To test the connection, enter:
    execute ping <tftp_ip_address>
6. Enter the following command to restart FortiDB:
    execute reboot
   The FortiDB system responds with the following message:
    This operation will reboot the system! Do you want to continue? (y/n)
7. Type y. As the FortiDB system starts, a series of system startup messages is displayed. When the following message appears, immediately press any key to interrupt the system startup:
    Press any key to display configuration menu...
   You have only 3 seconds to press a key. After 3 seconds, FortiDB continues to boot and you must log in and repeat the execute reboot command. If you successfully interrupt the startup process, the boot loader menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default
    [C]: Configuration and information
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
    Enter G,F,B,C,Q,or H:
8. Type G to get the new firmware image from the TFTP server. The following prompt appears:
    Enter TFTP server address [ ]:
9. Type the address of the TFTP server and press Enter. The following prompt appears:
    Enter Local Address [ ]:
10. Type an IP address that FortiDB can use to connect to the TFTP server. The IP address can be any address that is valid for the network the interface is connected to; make sure that you do not enter the IP address of another device on this network. The following prompt appears:
    Enter firmware image file name [image.out]:
11. Enter the firmware image file name (and location) and press Enter.

   The TFTP server uploads the firmware image file to the FortiDB unit. Some unit models may display the following prompt:
    Save as Default firmware/backup firmware/run image without saving:[D/B/R]
12. Type D.
   FortiDB installs the new firmware image and restarts. The installation can take a few minutes to complete. If the installation is successful, the FortiDB CLI prompt is displayed.
13. Configure your network settings. See Configuring network settings using the CLI on page 57.

Changing the admin account password

1. Log in to the FortiDB web UI.
2. Select the Change Password link at the top of any page.
3. Enter your current password and new password, and then confirm your new password. Passwords must follow these rules:
   - Mandatory length: by default, no mandatory length is set. For information on setting the minimum length, see User Profile/Security properties on page 74.
   - Mandatory contents: at least one number, and at least one special character from the following set: !@#$%^&*()_+ ~-=\` {}[]:";'<>?,./
   - Prohibited contents: spaces, the user name, and the user name reversed.
   For example, wru2rxy? is a valid password.
4. Click OK.

Setting the system time

Setting the system time ensures correct report time ranges, scheduling, and logging.

To set the system time using the web UI:
1. In the left-side navigation menu, click System > System Information.
2. In the System Time information, click Change. The Time Settings page is displayed.
3. Use the following options to change the time settings:
   - Refresh: updates the display with the current FortiDB system date and time.
   - Time Zone: select the FortiDB unit's time zone. Select Automatically adjust clock for daylight saving changes to switch the clock automatically between daylight saving time and standard time. Note: changes to the time zone setting do not take effect until after you reboot FortiDB.
   - Set Time: sets the FortiDB system date and time using the values you specify for Year, Month, Day, Hour, Minute and Second.
   - Synchronize with NTP Server: configures FortiDB to update its system date and time automatically from an NTP server. For Server, enter the IP address or domain name of an NTP server. For Sync Interval, specify in minutes how often the FortiDB unit synchronizes its time with the NTP server; for example, to synchronize once a day, enter the number of minutes in a day (1440).
4. Select OK.

To set the system time using the CLI:
1. To set the time zone, execute the following command:
    config system global
    set daylightsavetime {enable | disable}
    set timezone <timezone_number>
    end
   where:

   - {enable | disable} specifies whether FortiDB automatically switches to daylight saving time
   - <timezone_number> is a number that specifies the time zone (enter ? to list time zones and their numbers)
   For example, to turn on daylight saving time and select the Eastern time zone for US & Canada:
    config system global
    set daylightsavetime enable
    set timezone 12
    end
2. To set a Network Time Protocol (NTP) server, execute the following command:
    config system ntp
    set server <server_ip>
    set status {enable | disable}
    end
    set sync_interval <minutes>
    end
   where:
   - <server_ip> is the IP address or fully qualified domain name of the NTP server
   - {enable | disable} specifies whether the server is enabled
   - <minutes> specifies how often, in minutes, the FortiDB system synchronizes its time with the NTP server
   For example, with your NTP server's address in place of <server_ip>:
    config system ntp
    set server <server_ip>
    set status enable
    end
    set sync_interval 120
    end
For information on manually setting the time using the CLI, see execute time on page 288.

Configuring the network settings

You can configure the FortiDB unit to operate in your network using either the web UI Network Configuration page or the CLI. These basic network settings include interfaces, DNS settings and static routes.

You can use either of the following formats to specify IP address/network mask pairs:
- Dotted-decimal (the address followed by a slash and the dotted-decimal netmask)
- Bit representation (for example, /24)

Configuring network settings using the web UI

To configure the network interfaces using the web UI:
1. Go to System > Network Setting. On the Network Configuration page, the Interfaces tab displays the current configuration of the network interfaces:
   - Interface: the name of the network interface on the FortiDB unit.
   - Device IP/Netmask: the IP address and network mask configured for the interface.
   - Access: a list of the administrative access methods available on the interface.
   - Status: a green arrow indicates that the network interface is up; select the edit button to disable the port. A red arrow indicates that the interface is down; select the edit button to enable the port.
   - Modify: select the edit button to change the interface settings.
2. For the interface you want to configure, in the Modify column, click the edit icon.
3. Configure the following options:
   - Enable check box: specifies whether the interface is enabled or disabled.
   - Interface Name: cannot be changed.
   - Device IP/Netmask: enter an IP address and network mask.
   - Access: select the methods of administrative access that are available on this interface.
     HTTP allows HTTP connections to FortiDB. HTTP connections are not secure and can be intercepted by a third party.
     HTTPS allows secure HTTPS connections to FortiDB.
     PING allows FortiDB to respond to ICMP pings, which are useful for testing connectivity.
     SSH allows SSH connections to the FortiDB CLI.
     TELNET allows Telnet connections to the FortiDB CLI. Telnet connections are not secure and can be intercepted by a third party.
   Enable only HTTPS and SSH for administration unless you have a specific need for HTTP or Telnet, and do not enable administrative access on an interface that is connected to a SPAN port.

4. Select the Save button to save the interface settings.

To configure DNS using the web UI:
You can configure primary and secondary DNS servers to provide the name resolution required by FortiDB features.
1. Go to System > Network Setting, and then click the DNS tab.
2. Enter an IP address for a primary and a secondary DNS server.
3. To save and apply the DNS settings, click the Apply button.

To configure static routes using the web UI:
To forward packets from FortiDB to the default gateway through a specified interface, add a default static route entry. For example, to allow FortiDB in your private subnet to access the Internet, add a static route with a destination address and netmask of all zeros (any destination) and specify the gateway address to forward the packets to.
1. Go to System > Router. The Static Route page displays the current static route configuration:
   - Destination IP/Netmask: the destination IP address and netmask of the packets that FortiDB sends.
   - Gateway: the IP address of the router to which FortiDB forwards the packets.
   - Interface: the name of the FortiDB interface through which the packets are received and sent.
   - Modify: click the edit icon to change the route settings, or the delete icon to delete the route.
2. Click Add, and then configure the following options:
   - Destination IP/Netmask: enter the destination IP address and netmask of the packets that the route applies to. Enter all zeros for both to specify any and all destinations.
   - Gateway: enter the IP address of the next-hop router that FortiDB routes traffic to.
   - Interface: select the FortiDB network interface for incoming and outgoing packet traffic.
3. Click Save.

Configuring network settings using the CLI

For details about each command, see Overview of commands.
1. To set the IP address and netmask of a network interface, execute the following command:

    config system interface
    edit {port1 | port2 | port3 | port4}
    set ip <ip_address> <netmask>
    set allowaccess {http https ping ssh telnet}
    end
   where:
   - {port1 | port2 | port3 | port4} is the network interface
   - <ip_address> is the interface IP address
   - <netmask> is the interface netmask
   - {http https ping ssh telnet} specifies the types of administrative access that are permitted (one or more, separated by spaces)
   For example, to set the address of port1 and permit only ping, HTTPS and SSH on it:
    config system interface
    edit port1
    set ip <ip_address> <netmask>
    set allowaccess ping https ssh
    end
2. To set the DNS servers, execute the following command. The secondary DNS server is optional:
    config system dns
    set primary <dns_server_ip>
    set secondary <dns_server_ip>
    end
   where <dns_server_ip> is the IP address of the primary or secondary DNS server.
3. To create a static route, execute the following command:
    config system route
    edit <seq_num>
    set device <port>
    set gateway <gateway_ip>
    end
   where:
   - <seq_num> is an unused routing sequence number (numbering starts at 1)
   - <port> is the port for this route
   - <gateway_ip> is the default gateway IP address for the network
   For example, a default route through port1:
    config system route
    edit 1
    set device port1
    set gateway <gateway_ip>
    end

Backups

A configuration backup file allows you to restore FortiDB to a known configuration, if required. When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup safeguards data and configuration settings in case power is lost during the upgrade.

You should also back up the configuration before you use the execute format disk CLI command, which resets all device settings and configuration and deletes log data on the hard drive. Always back up the configuration before installing firmware or resetting FortiDB to factory defaults.

To back up your configuration settings using the CLI:
Backing up data and the current configuration using the CLI requires an FTP server. Because FTP sends credentials and file contents in clear text, and the backup contains your repository data and configuration, run the FTP server on a trusted management network.
1. Log in to the CLI. For more information, see Connecting to the web UI and CLI.
2. Enter the following command to back up your local database, system-configuration settings, archives and reports:
    execute backup all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]
   For details on this command, see execute backup all-settings on page 278.
3. After successfully backing up your configuration files from the CLI, proceed with upgrading the FortiDB firmware.

To restore your configuration settings using the CLI:
1. Log in to the CLI.
2. Enter the following command to copy the backup from the FTP server and restore it on the FortiDB unit:
    execute restore all-settings <ftp server> <filepath> <username> <password> [cryptpasswd]
   This operation replaces your current settings and requires you to reboot FortiDB.
For details about backup and restore using the CLI, see execute backup all-settings on page 278 and execute restore all-settings on page 286. Use the show command to verify that your settings are restored, or log in to the web-based manager.

Administrators

The Administrators page allows you to add, delete, enable and disable FortiDB administration users. You can display administrators by role using the View By Role drop-down list.

Columns on the Administrators page:
- Selection check box: selects an administrator to modify or delete. Select the column heading to select all administrators.
- Status: an icon indicates whether the administrator is enabled, disabled, or locked. An administrator who has the Security Administrator role can enable or disable an account at any time. FortiDB locks an account after repeated unsuccessful login attempts.
- User Name: the FortiDB user name for the administrator
- First Name: the user's first name
- Last Name: the user's last name
- Address: the user's address

To add or modify an administrator

When you add FortiDB administrators, you assign them one or more roles. The built-in FortiDB roles determine which FortiDB operations the administrator can perform.
1. Go to Administration > Administrators.
2. Do one of the following:
   - To create an administrator, click Add.
   - To edit the settings for an existing administrator, click the appropriate user name.
3. On the General tab, for User Authentication Type, select one of the following options:
   - Normal: an administrator that FortiDB authenticates using the password in the administrator settings
   - LDAP: an administrator that FortiDB authenticates by connecting to the LDAP server specified in Global Configuration
4. Complete or edit the remaining General tab settings as required. Settings marked with an asterisk (*) are mandatory.
5. If you are creating a new user and do not want the administrator to be able to log in after you save the settings, select Set user status as "disabled" immediately.

   To disable an existing user, on the Administrators page, select the check box to the left of the administrator, and then click Disable.
6. Click the Roles tab, and then, in the Available Roles list, select one or more items. Click >> (right arrows) to add the selected items to the Assigned Roles list. To unassign roles, select the role in the Assigned Roles list and click << (left arrows). For a description of the roles, see Configuring permissions.
7. Click the Targets tab, and then do one of the following:
   - Select Manage All Targets.
   - Select Manage Limited Targets, select one or more of the items in the Available Targets list, and then click >> (right arrows) to add the selected items to the Assigned Targets list. To unassign targets, select the target in the Assigned Targets list and click << (left arrows).
   The targets that an administrator can manage also depend on its roles. For example, to edit any target, an administrator requires the Target Manager role.
8. Click Save.

Configuring permissions

The FortiDB roles allow you to assign privileges to administrators. For information on assigning roles to administrators, see To add or modify an administrator on page 60. If you are using the software-only version of FortiDB, the privileges that are available depend on the FortiDB license. For more information, see Privileges by license type (software-only FortiDB).

Administrator privileges by role

Operations Manager:
- Review target-database connection information
- Review target group connection information
- View pre-defined policies and user-defined policies
- View DAM policies (Data, Metadata, Privilege, PCI, SOX, and HIPAA policies)
- Create, modify, delete, and run assessments
- Start/stop monitoring
- View DAM alerts
- Read results of FortiDB-shipped reports
- Read results of custom reports
- Perform penetration tests
- View the Privilege Summary

Policy Manager:
- Import/export and enable/disable pre-defined policies for VA
- Import/export and enable/disable Metadata, Privilege, PCI, SOX, and HIPAA policies for DAM
- Import/export and enable/disable user-defined policies for VA and Data Policies for DAM
- Add policy groups for VA and DAM
- Create, modify and delete user-defined policies for VA and Data Policies for DAM

Report Manager:
- Review target-database connection information
- Review target group connection information
- Review assessment settings
- Read results of FortiDB-shipped reports
- Generate DAM PCI, SOX, and HIPAA compliance reports
- Read results of custom reports
- View the Privilege Summary

Security Administrator:
- Create, modify, delete, and enable/disable FortiDB users
- Configure and modify user-role assignments
- View the Entitlement report

System Administrator:
- Import/export and enable/disable pre-defined policies
- Import/export and enable/disable user-defined policies
- Archive and restore assessment results
- Change system properties
- Enable/view the audit trail

Target Manager:
- Create, modify, delete and import/export connections to target databases
- Create, modify, and delete target groups
- Perform auto discovery of target databases
- Review assessment settings
- Review the Privilege Summary

Because the Security Administrator role alone can create users and assign roles, keep it separate from the System Administrator and Target Manager roles where your control framework requires separation of duties, and review the Entitlement report periodically.

Privileges by license type (software-only FortiDB)

For the software-only version of FortiDB, the type of license that you use determines which privileges are available.

VA Only license:
- Policy Manager: view/modify VA policies
- Operations Manager: create, modify, delete, and run assessments
- Report Manager: generate VA reports
- Target Manager: all privileges for this role enabled
- System Administrator: all privileges for this role enabled
- Security Administrator: all privileges for this role enabled

DAM Only:
  Policy Manager: view/modify DAM policies.
  Operations Manager: start/stop monitoring, view DAM alerts, view/edit DAM alert groups.
  Report Manager: generate DAM reports.
  Target Manager: all privileges for this role enabled.
  System Administrator: all privileges for this role enabled.
  Security Administrator: all privileges for this role enabled.

VA and DAM:
  All privileges for the different roles enabled.

See also: Configuring permissions; Viewing and exporting an administrator report.

Viewing and exporting an administrator report

The Entitlement Report tab displays all FortiDB administrators, their account status, and their roles.

To sort the entitlement report, click any column header. That header becomes the sort key. For example, to sort by status value, click Status. The sorted order is preserved when you export the report.

To export the entitlement report as a PDF, Excel, comma-delimited, or tab-delimited file, select a format for Export as, and then click Export.

Entitlement Report tab

Status: An icon indicates whether the administrator is enabled, disabled, or locked.
Username: Displays the user name from the Administrator tab.
First Name: Displays the first name from the Administrator tab.

Last Name: Displays the last name from the Administrator tab.
Other: Displays other information specified for the administrator.
System Administrator role, Security Administrator role, Target Manager role, Policy Manager role, Operations Manager role, Report Manager role: An icon indicates whether the user is assigned that role.

See also: Configuring permissions; Privileges by license type (software-only FortiDB).

FortiMonitor administrator

You can configure FortiDB to collect audit and alert data for FortiMonitor and transmit it via SSH File Transfer Protocol (SFTP).

To enable FortiMonitor integration with FortiDB, create a FortiDB administrator with the name fortisiem. Ensure that the fortisiem administrator password and the FortiMonitor password that the FortiDB FTP server uses are the same. By default, FortiMonitor uses the password fortidb1!$ for the FortiDB FTP server. Because that default is published, set a unique password on both sides rather than keeping it. Because FortiDB ignores any settings for this administrator other than the name and password, you can enter any value for the other mandatory administrator settings.

For information on additional FortiMonitor settings for FortiDB, see config system mapping.

Advanced/optional system settings

The System Information page displays basic information and settings for the FortiDB appliance, including the setting that allows you to view and change the FortiDB host name. The Global Configuration page allows you to change general assessment and monitoring settings. For example, you can specify settings that are used for any assessment that FortiDB performs.

See also: System information and settings; Changing the FortiDB host name; Global configuration.

System information and settings

The System Information page displays basic information and settings for the FortiDB appliance. FortiDB administrators have access profiles that permit read and write access for maintenance tasks and for changing the FortiDB firmware.

Host Name: The host name of the FortiDB unit. For details on changing the name, see Changing the FortiDB host name on page 68.
Firmware Version: The version of the firmware installed on the FortiDB unit. Click Update to upload a new version of the firmware. For details on updating the firmware, see Updating the firmware on page 49.
Serial Number: The serial number of the FortiDB unit. The serial number is specific to the FortiDB unit and does not change with firmware upgrades. Use this number to register your FortiDB appliance with Fortinet.
System Time: The current time according to the FortiDB internal clock. Click Change to change the time. For details on changing the time, see Setting the system time on page 54.
Uptime: The time in days, hours, and minutes since the FortiDB unit was last started or rebooted.
Hard Disk RAID: The RAID information. Check your hardware specification for RAID support. For RAID creation and information, see config system raid.

Changing the FortiDB host name

1. In the navigation menu, go to System > System Information.
2. Under System Information, next to Host Name, click Change. The Edit Host Name dialog box is displayed.
3. In the Host Name field, enter the new host name.
4. Click OK. The new host name is displayed in the Host Name field.

See also: System information and settings.

Global configuration

The Global Configuration page allows you to change FortiDB system property values using the following tabs. To make changes to the global properties, log in as an administrator who is assigned the System Administrator role.

All: Displays all properties as read-only. Select a tab to add or change property values.
Assessment: Properties related to assessment.
Notification: Properties related to email, SNMP, and Syslog.
Reporting: Properties related to report generation.
User profile/security: Properties related to user profile and security.
Target: Properties for additional JDBC settings for each database type.
LDAP Server: Properties related to the LDAP server used for user authentication.
Monitor: A property that specifies the number of records that each SOX Audit File contains.

To restore the default values of global properties, on the appropriate tab, select one or more items using their checkboxes, and then click Restore Default(s).

You cannot restore default values for the properties on the LDAP and Monitor tabs.

See also: Assessment properties; Notification properties; Reporting properties; User Profile/Security properties; Target properties; LDAP Server properties; Monitor properties.

Assessment properties

Enable Localhost Auto Discovery: Enables FortiDB to run auto discovery on the machine where the FortiDB application resides. Valid values are true or false. Default: false.
Number of Concurrent Assessments: Total number of assessments that can run simultaneously. The optimum value depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB. Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value. Default: 5.

Number of Concurrent Target Assessments: Total number of target databases that can be assessed simultaneously during assessments. The optimum value depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB. Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value. Default: 20.
SSH Key File (appliance version): For Oracle OSVA and DB2 databases only, the file that contains the private key used for all SSH connections. Click Browse to select your SSH key file, and then click Save. You can upload an RSA or DSA private key file. If a key file already exists in the appliance, FortiDB replaces the old key with the new key. Uploaded key files are renamed id_rsa or id_dsa, depending on the type of key that was uploaded. Warning: If you click Restore Default(s) and then Save, FortiDB deletes your key file. Keep a copy of the file in a safe place. Default: -.
MSSQL Server Level Exclusions: A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Microsoft SQL Server database. Default: model,tempdb,pubs,msdb,northwind.
Sybase Server Level Exclusions: A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Sybase database. Default: model,tempdb,pubs2,pubs3,jpubs,sybsyntax,sybsecurity,sybsystemdb,sybsystemprocs.

Enable Pen Test: When set to true, the penetration test (pentest) capability is enabled. When set to false, the pentest capability is disabled. For more information on penetration tests, see Penetration tests on page 137. Default: false.
Enable Pen Test For All Users in Database (software-only version): Specifies whether FortiDB uses the user names in <dbtype>user.txt. For more information on the file, see Files used for penetration tests on page 138. Default: true.
Pen Test Method: Specifies the method that FortiDB uses to connect to databases to perform penetration tests (pentests). Caution: If the penetration test login attempts are unsuccessful, the database may prevent any user, including valid users, from logging in. Valid values are:
  1 - FortiDB logs in to your target databases to perform pentests (login method).
  2 - FortiDB uses the hash-based method. A 'hash' is the value obtained after encrypting a clear-text string.
  3 - FortiDB attempts the best available method; it uses the hash-based method if that method is available.
  For more information on these methods, see Connection options for penetration tests on page 137. Default: 3 (hybrid).

Pen Test Password Dictionary: Specifies either the default password dictionary or a file that contains the passwords to check when the penetration test uses the Dictionary policy. Click Choose File to select your dictionary file, and then click Save to complete your selection. FortiDB does not display the name of the uploaded file. To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Note: When you restore the default dictionary this way, FortiDB deletes your dictionary file. For more information on the password dictionary file, see Files used for penetration tests on page 138.

See also: Auto-discovery; Adding or modifying assessments; Configuring SSH connections to Oracle and DB2 databases; Adding (or modifying) a target connection; Penetration tests.

Notification properties

Email Server Host Name: The SMTP server host name or IP address. If no value is specified, FortiDB does not send email notifications. Default: <no value>.
Email Server Port: The server port number associated with Email Server Host Name. Default: 25.

Email Server User Name: The user name associated with Email Server Host Name. The user name and password are required if the server requires authentication to send email. Default: -.
Email Server Password: The password associated with Email Server Host Name. The user name and password are required if the server requires authentication to send email.
SNMP Community String: The SNMP community name. Default: public.
SNMP Receiver Host: The SNMP receiver host name. If no value is specified, FortiDB cannot send SNMP-trap notifications. Default: -.
SNMP Receiver Port: The SNMP receiver port number. Default: 162.
Syslog Receiver Host: The Syslog receiver host name or IP address. If no value is specified, FortiDB cannot send Syslog notifications. Default: -.
Syslog Receiver Port: The Syslog receiver port number. Default: 514.
ArcSight Syslog Receiver Host: The ArcSight Syslog receiver host name or IP address. Default: partner.arcsight.com.
ArcSight Syslog Receiver Port: The ArcSight Syslog receiver port number. Default: 514.
From Address: The email address FortiDB uses in the 'From' field of notification email. Default: -.

See also: Sending alert notifications.

Reporting properties

Company Name: The company name to display on VA reports. Default: Fortinet.
Company Logo: An image file that is included in the layout of generated reports. Click Choose File to select the image file, and then click Save. FortiDB places the image file that you select in <FortiDB install directory>/conf/reportlogo. Default: -.
DAM Report Encoding: The character encoding that FortiDB uses when it generates DAM reports. Default: UTF-8.

See also: Reports.

User Profile/Security properties

Idle Account Expiration: The number of days an administrator account can be inactive before FortiDB locks the account. When the value is -1 (the default), FortiDB does not lock administrator accounts because of inactivity. This expiry mechanism does not apply to the admin account. An administrator who is assigned the Security Administrator role can unlock an expired account. Default: -1.

Max Number of Failed Login Attempts: The number of login attempts FortiDB allows before it locks an administrator account. When the value is -1 (the default), FortiDB allows an unlimited number of login attempts. This limitation does not apply to the admin account, so the strength of the admin password is the only protection that account has against password guessing. Default: -1.
Days Until Password Expiration: The number of days that a password remains valid. After the password expires, administrators are required to change their password. FortiDB displays messages to warn administrators that their password is about to expire. When the value is -1 (the default), passwords do not expire. Default: -1.
Minimum Password Length: The minimum length of an administrator password. When the value is -1 (the default), passwords can be any length. To be valid, passwords are required to have the minimum number of characters and satisfy all other rules for passwords. For more information, see Changing the admin account password on page 53. Default: -1.
Enable Local Audit Trail: When the value is true, the FortiDB local audit trail is enabled. When the value is false, the local audit trail is disabled. For more information on the local audit trail, see Local audit trail. Default: false.

See also: Administrators; Local audit trail.

Target properties

FortiDB uses JDBC to connect to target databases. You can configure the JDBC settings for a target using the General tab of the Target page. (For more information, see Adding (or modifying) a target connection on page 107.)

If you do not specify JDBC settings on the General tab, FortiDB uses the values of the following properties:

Additional Oracle JDBC Settings: A list of one or more key-value pairs to use for Oracle database connections. Use a semicolon to separate list entries.
Additional SQL Server JDBC Settings: A list of one or more key-value pairs to use for Microsoft SQL Server database connections. Use a semicolon to separate list entries. If you use NTLM version 2 authentication, enter usentlmv2=true in the list. In some cases, ForceEncryption is set to No on the Microsoft SQL Server. To force the connection to use SSL encryption, enter SSL=require in the list.
Additional Sybase JDBC Settings: One or more additional key-value pairs to use for Sybase database connections. Use a semicolon to separate list entries. To use a Sybase Encrypted Password connection (on the Sybase server, set net password encryption reqd to 1 or 2), enter:
  ENCRYPT_PASSWORD=true;RETRY_WITH_NO_ENCRYPTION=true;JCE_PROVIDER_CLASS=org.bouncycastle.jce.provider.BouncyCastleProvider
  To support an SSL-encrypted connection to the Sybase database, enter:
  SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSL
  Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.
Additional DB2 JDBC Settings: A list of one or more key-value pairs for DB2 database connections. Use a semicolon to separate list entries.
Additional MySQL JDBC Settings: A list of one or more additional key-value pairs for MySQL database connections. Use a semicolon to separate list entries.

See also: Adding (or modifying) a target connection.
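As an added example (not FortiDB code), the following Python parses an Additional JDBC Settings string in the semicolon-separated format described above and flags the encryption-related settings this section names; the database-type labels and the wording of the findings are this example's own.

```python
# Added example (not FortiDB code): parse the semicolon-separated
# "Additional ... JDBC Settings" strings and flag encryption-related
# settings that the handbook text calls out.
from typing import Dict, List


def parse_jdbc_settings(value: str) -> Dict[str, str]:
    """Split 'KEY=value;KEY2=value2;' into a dict.

    Keys are upper-cased so lookups do not depend on how the administrator
    typed them; values keep their original text. A trailing semicolon (as
    in the Sybase example above) is tolerated.
    """
    settings: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"JDBC setting without '=': {entry!r}")
        key, _, val = entry.partition("=")
        settings[key.strip().upper()] = val.strip()
    return settings


def audit_jdbc_settings(db_type: str, value: str) -> List[str]:
    """Return findings for one target's settings; an empty list means nothing flagged.

    db_type is 'mssql', 'sybase', 'oracle', 'db2' or 'mysql' (labels chosen
    for this example, not FortiDB's own names).
    """
    s = parse_jdbc_settings(value)
    findings: List[str] = []
    if db_type == "mssql":
        # Handbook: when the server's ForceEncryption is No, SSL=require
        # forces the JDBC connection to use SSL encryption.
        if s.get("SSL", "").lower() != "require":
            findings.append("SQL Server: SSL=require is not set; the session is "
                            "only encrypted if the server forces it")
    elif db_type == "sybase":
        # Without ENCRYPT_PASSWORD=true the login does not use the
        # encrypted-password handshake.
        if s.get("ENCRYPT_PASSWORD", "").lower() != "true":
            findings.append("Sybase: ENCRYPT_PASSWORD=true is not set")
        # RETRY_WITH_NO_ENCRYPTION=true (present in the handbook's example
        # string) lets the driver fall back to an unencrypted login if the
        # encrypted handshake fails, which is a silent downgrade.
        if s.get("RETRY_WITH_NO_ENCRYPTION", "").lower() == "true":
            findings.append("Sybase: RETRY_WITH_NO_ENCRYPTION=true permits "
                            "fallback to an unencrypted login")
        # SYBSOCKET_FACTORY selects SSL for the whole session; remember the
        # handbook's caveat that sniffer-based DAM is then unavailable.
        if "SYBSOCKET_FACTORY" not in s:
            findings.append("Sybase: no SYBSOCKET_FACTORY; the session itself "
                            "is not SSL-encrypted")
    return findings
```

Run audit_jdbc_settings over each target's property value when reviewing a configuration export; a target with an empty list matches the hardened settings this section recommends.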

LDAP Server properties

The LDAP Server properties specify the server that authenticates FortiDB administrators when User Authentication Type is LDAP. Click Test Connection to test the LDAP server configuration.

Server Name/IP: LDAP server name or IP address. Default: -.
Port: LDAP server port. Default: 389.
Common Name Identifier: Name of the user identifier in the LDAP user path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter cn. If the user path is un=username,ou=dept,dc=com, enter un.
Distinguished Name: Distinguished name of the LDAP user, which identifies its unique path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter ou=dept,dc=com.
Bind Type: LDAP authentication type. Valid values are none or Simple. Default: Simple.
Use Secure Connection (SSL): Use SSL for a secure connection. Valid values are True or False. With Bind Type Simple and this value False, the bind password crosses the network in clear text. Default: False.

See also: Administrators.

Monitor properties

Records contained by single Compliance Audit File: The number of records that each Compliance Audit File contains. Enter a value between 100,000 and 400,

See also: SOX audit.

Connecting to target databases

To allow FortiDB to assess and monitor your databases, you first pre-configure the target database, and then configure the connection between FortiDB and the database. FortiDB can also look for databases on the network automatically.

See also: Pre-configuration for monitoring target databases; Privileges required by the FortiDB database user; Adding (or modifying) a target connection; Managing target groups; Auto-discovery.

Pre-configuration for monitoring target databases

The pre-configuration that is required for target databases is determined by the type of database and the method that FortiDB uses for monitoring.

See also: Network requirements for monitoring using the TCP/IP sniffer; Oracle target database pre-configuration; Microsoft SQL Server target database pre-configuration; Sybase target database pre-configuration; DB2 target database pre-configuration; MySQL target database pre-configuration.

Network requirements for monitoring using the TCP/IP sniffer

For more information about the TCP/IP sniffer, see Tutorial: Monitoring a database table using the TCP/IP sniffer on page 23.

  Your target database and its clients connect via TCP/IP protocols.
  Both FortiDB and the target databases are connected to the same switch.
  FortiDB is connected to the switch's mirroring (SPAN) port.

For example:

  port1 on FortiDB and the machines of FortiDB administrators are connected to a LAN, which is also the LAN that the target databases use for management connections.
  port2 on FortiDB is connected to the switch's mirror port, where it receives copies of all network traffic associated with the target databases.

See also: Configuring monitoring using the TCP/IP sniffer (all database types).

Oracle target database pre-configuration

Required privileges for monitoring or auditing Oracle databases

To prepare for database monitoring, ensure the FortiDB database user has the following privileges:

Data policies, for the DB, EXTENDED, and XML File Agent collection methods:
  CREATE SESSION
  SELECT_CATALOG_ROLE
  DELETE_CATALOG_ROLE
  AUDIT ANY
  AUDIT SYSTEM
  SELECT on SYS.AUD$
  SELECT on the monitored tables, or SELECT ANY TABLE
Data policies, for the TCP/IP Sniffer collection method (privileges required for browsing the database to define the data policy):
  CREATE SESSION
  SELECT_CATALOG_ROLE
  SELECT on the monitored tables, or SELECT ANY TABLE
Privilege policies:
  CREATE SESSION
  SELECT_CATALOG_ROLE
  DELETE_CATALOG_ROLE
  AUDIT SYSTEM
Metadata policies:
  CREATE SESSION
  SELECT_CATALOG_ROLE
  For activity auditing: CREATE SESSION, AUDIT SYSTEM, SELECT_CATALOG_ROLE

Where the set of monitored tables is known, SELECT on those tables is the narrower grant; SELECT ANY TABLE gives the FortiDB user read access to every table in the database.

To grant privileges to your database user, use a GRANT statement. For example:

  GRANT SELECT_CATALOG_ROLE TO username;
  GRANT DELETE_CATALOG_ROLE TO username;

See also: Configuring an Oracle database for PCI, SOX, and HIPAA policies; Enabling FortiDB to delete audit records; Oracle XML file agent installation and configuration (UNIX, Windows, AIX).

See also: Adding (or modifying) a target connection; Configuring Oracle monitoring.

Configuring an Oracle database for PCI, SOX, and HIPAA policies

Regulatory compliance policies capture all types of activities and store the data in FortiDB's repository. In some cases, this information does not appear in alerts as expected. To avoid this problem, you can create a logon trigger that records the client program and machine of each session as its client identifier.

1. On your Oracle target database, add a file that contains the following script:

  -- Records "program:machine" of each new session as its client identifier
  -- so that audit records carry this information.
  CREATE OR REPLACE TRIGGER FORTIDB_get_application
  AFTER LOGON ON DATABASE
  WHEN (user != 'SYS')
  DECLARE
    l_program  VARCHAR2(50);
    l_computer VARCHAR2(50);
  BEGIN
    -- v$session exposes the client program and host as PROGRAM and MACHINE
    SELECT substr(program, 1, 43), substr(machine, 1, 20)
      INTO l_program, l_computer
      FROM v$session
     WHERE audsid = sys_context('userenv', 'sessionid');
    dbms_session.set_identifier(l_program || ':' || l_computer);
  EXCEPTION
    WHEN OTHERS THEN ROLLBACK;
  END;
  /

2. Log in to your Oracle instance as SYS AS SYSDBA.
3. Execute the file.

See also: PCI, SOX, and HIPAA alert policies.

Enabling FortiDB to delete audit records

To delete audit records from the SYS.AUD$ table, the FortiDB database user requires DELETE privileges on SYS.AUD$. Because SYS.AUD$ contains all audit records, when FortiDB deletes audit records it deletes all of them, not only the audit records generated for FortiDB monitoring. Therefore, grant this privilege to the FortiDB user only if you understand the implications.

Use the following statement to grant the FortiDB user DELETE privileges on the SYS.AUD$ table:

  GRANT DELETE ON SYS.AUD$ TO <username>;

For more information on deleting audit records, see Oracle audit management on page 213.

See also: Adding (or modifying) a target connection.

Oracle XML file agent installation and configuration (UNIX, Windows, AIX)

You can use FortiDB's Oracle XML file agent to monitor multiple Oracle databases. When it is active, the agent periodically transmits Oracle's audit log data to FortiDB for further processing.

To configure and run the Oracle XML file agent

1. Obtain login credentials for a user that has read and write access to the Oracle database audit log directories that you want to monitor. Using the SQL*Plus utility, run show parameters audit_file_dest to view the location of the Oracle database audit directory. If Oracle is installed on Windows, ensure that the user is a member of the Administrators group. You can remove the user from this group after installation is complete.
2. Ensure that Java Virtual Machine (JVM) 1.6 or greater is installed, the JAVA_HOME environment variable is correctly configured, and that the bin directory is first on the execution path.
3. Complete the Oracle target database pre-configuration. See Oracle target database pre-configuration.
4. Configure a target that connects to the Oracle database. See Adding (or modifying) a target connection.
5. As the user with the credentials specified earlier, log in to the machine where the Oracle database is located, and then unpack a copy of the FortiDB Oracle XML file agent installer into a directory.
6. Copy the agent.properties.sample file from the agent's doc directory to the agent's conf directory, and then rename it agent.properties.
7. Open the agent.properties file in a text editor and edit the following values:

agenttype (required): Enter ORA_XML.
brokeraddress (required): Enter the IP address or resolvable host name of FortiDB.
brokerport (optional): Enter the port FortiDB uses to listen for transmissions from the agent. The default value is
agentdbaddress (required): Enter the IP address of the target database. Use the same value that is specified in the target configuration (General tab).

agentdbport (required): Enter the listening port of the target database. Use the same value that is specified in the target configuration (General tab).
pollinginterval (optional): Enter a positive integer that specifies the polling interval in milliseconds. For the Oracle XML file agent, the default value is (60 seconds).
removeauditfile (optional): Not used for Oracle databases.

8. If Oracle is installed on Windows, do the following:
   a. In the agent's bin directory, execute the following command:
      fdbagent install
   b. In the Windows Services Control Panel, configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.
9. To start the FortiDB agent, do one of the following:
   For Windows, Linux, or Solaris: in the agent's bin directory, execute the following command:
      $ fdbagent start
   To stop the agent, execute the following command:
      $ fdbagent stop
   For other platforms (for example, AIX): in the agent's bin directory, execute the following command:
      $ nohup ./fdbagentapp &
10. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring Oracle monitoring on page 204.

Monitoring encrypted Oracle traffic

FortiDB can monitor encrypted Oracle database activity using its TCP/IP sniffer. To make the database's SSL configuration compatible with FortiDB DAM, ensure that Advanced Security is enabled and generate the security credentials using Oracle Wallet Manager. In addition, ensure that the cipher suite RSA_3DES_EDE_CBC_SHA and one or more of the following cipher suites are enabled in the SSL configuration for the Oracle client:

  AES_256_CBC_SHA
  AES_128_CBC_SHA
  RSA_DES_CBC_SHA

  RSA_RC4_128_SHA
  RSA_RC4_128_MD5

Of the optional suites, the RC4-, DES-, and MD5-based ones are deprecated in current TLS guidance; prefer the AES suites and enable only what your clients and FortiDB actually require.

When you configure monitoring using the TCP/IP sniffer, you upload to FortiDB the self-signed certificate that you exported from the Oracle server wallet manager and imported into the wallet manager on the Oracle client machine. Depending on your SSL configuration, the certificate information is stored in PKCS #12 or X.509 format. See Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

Using the SYSLOG utility to collect audit data

If required, you can configure the Oracle auditing feature to use the SYSLOG utility to write audit records to the system audit log. In SQL*Plus, you can use the show parameter audit command to view the current audit option values. To enable SYSLOG data collection, set the following audit options to the specified values:

audit_file_dest: Specify the operating system directory into which the audit trail is written.
audit_sys_operations: TRUE
audit_syslog_level: LOCAL1.DEBUG
audit_trail: OS

MySQL target database pre-configuration

To set up the MySQL general log table

1. To add the required parameters to the server configuration file, go to the MySQL home directory (MYSQL_HOME), open my.cnf (for UNIX) or my.ini (for Windows) in a text editor, and then add the following parameters under [mysqld]:

  general_log=1
  log_output=table

2. Restart the MySQL database.
3. To change the storage engine of the mysql.general_log table to MyISAM, use the following commands:

  mysql> SET GLOBAL general_log = 'OFF';
  mysql> ALTER TABLE mysql.general_log ENGINE = MyISAM;
  mysql> SET GLOBAL general_log = 'ON';

4. To view the definition of the mysql.general_log table, use the following SQL command:

  mysql> show create table mysql.general_log;

The structure of the log table is displayed. For example:

  CREATE TABLE `general_log` (
    `event_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    `user_host` mediumtext NOT NULL,
    `thread_id` int(11) NOT NULL,
    `server_id` int(11) NOT NULL,
    `command_type` varchar(64) NOT NULL,
    `argument` mediumtext NOT NULL
  ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='General log'

To verify that the database is logging data, use the following command:

  mysql> select * from mysql.general_log;

Logging data is displayed. For example:

  event_time  user_host     thread_id  server_id  command_type  argument
  :44:23      localhost []  1          0          Connect       root@localhost on mysql
  :44:23      localhost []  1          0          Query         limit
  :44:37      localhost []  1          0          Query         show create table general_log
  :45:19      localhost []  1          0          Query         set global general_log='off'
  :46:18      localhost []  1          0          Query         select * from mysql.general_log
  rows in set (0.00 sec)

See also: Configuring MySQL monitoring.

Required privileges for monitoring via SQL Trace

The following privileges are required when you monitor a Microsoft SQL Server database using the SQL Trace collection method with privilege and metadata policies.
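The general log above is the audit source FortiDB reads for MySQL, so a statement that switches it off or alters it is worth surfacing; as an added example (not FortiDB code), the following Python scans rows in the shape of the verification output above for such statements. The tab-separated input format, the pattern list and the sample rows are this example's own construction.

```python
# Added example (not FortiDB code): scan rows returned by
# "select * from mysql.general_log" for statements that switch off or
# alter the general log, so that tampering with the audit source stands out.
import re
from typing import Dict, Iterable, List

# (reason, pattern) pairs; the first match per row wins.
TAMPER_PATTERNS = [
    ("general_log disabled",
     re.compile(r"\bset\s+(global\s+)?general_log\s*=\s*['\"]?(off|0)['\"]?", re.I)),
    ("log_output changed",
     re.compile(r"\bset\s+(global\s+)?log_output\b", re.I)),
    ("general_log table altered",
     re.compile(r"\b(alter|truncate|drop|delete\s+from)\s+(table\s+)?mysql\.general_log\b", re.I)),
]


def parse_general_log_tsv(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated rows (header line first) into dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def find_log_tampering(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the Query rows whose argument matches a tamper pattern, tagged with 'reason'."""
    hits: List[Dict[str, str]] = []
    for row in rows:
        if row.get("command_type") != "Query":
            continue  # Connect/Quit rows carry no statement text
        for reason, pattern in TAMPER_PATTERNS:
            if pattern.search(row.get("argument", "")):
                hits.append({**row, "reason": reason})
                break
    return hits


# Constructed sample modelled on the verification output above
# (placeholder timestamps and host; not data from a real server).
COLUMNS = ["event_time", "user_host", "thread_id", "server_id", "command_type", "argument"]
SAMPLE_TSV = "\t".join(COLUMNS) + "\n" + "\n".join([
    "2017-03-17 10:44:23\tlocalhost []\t1\t0\tConnect\troot@localhost on mysql",
    "2017-03-17 10:44:37\tlocalhost []\t1\t0\tQuery\tshow create table general_log",
    "2017-03-17 10:45:19\tlocalhost []\t1\t0\tQuery\tset global general_log='off'",
    "2017-03-17 10:46:18\tlocalhost []\t1\t0\tQuery\tselect * from mysql.general_log",
    "2017-03-17 10:47:02\tlocalhost []\t1\t0\tQuery\talter table mysql.general_log engine = MyISAM",
])


def sample_findings() -> List[str]:
    """Reasons found in the constructed sample, in row order."""
    return [hit["reason"] for hit in find_log_tampering(parse_general_log_tsv(SAMPLE_TSV))]
```

The SET GLOBAL and ALTER TABLE statements from step 3 above are expected during setup, so compare hits against your change records before treating them as incidents.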

Privilege policies, SELECT on:
  sys.columns
  sys.database_role_members
  sys.database_permissions
  sysobjects
  sys.database_principals
  sys.sql_logins
Privilege policies, EXECUTE on:
  sp_helpsrvrolemember
Metadata policies, SELECT on:
  information_schema.columns
  sysindexes
  sysobjects
  information_schema.routines
  sys.objects
  sys.sql_modules
  information_schema.views

See also: Adding (or modifying) a target connection; Configuring Microsoft SQL Server monitoring.

Sybase target database pre-configuration

FortiDB's database activity monitoring (DAM) features require you to pre-configure a Sybase target database, but not a Sybase IQ database. For Sybase IQ databases, FortiDB supports vulnerability assessment only, not DAM. Therefore, Sybase IQ targets do not require pre-configuration.

Configuring the Sybase audit system and FortiDB database user

To create the sybsecurity database

Execute the following commands. The physname parameter specifies the Sybase data path (in this example, C:\sybase\data\):

  disk init name = "auditdev", physname = "C:\sybase\data\sybaud.dat", size = 5120
  go
  disk init name = "auditlog", physname = "C:\sybase\data\sybaudlog.dat", size = 1024
  go
  create database sybsecurity on auditdev log on auditlog
  go

To install the installsecurity script

The installsecurity SQL script contains all required stored procedures and audit tables.

1. Go to the scripts directory. For example, $SYBASE/ASE-15_0/scripts.
2. Execute the following command:

  isql -Usa -P<password> < instsecu

  Passing the password with -P exposes it in the process list; if you omit -P, isql prompts for it.
3. Restart the database.

To grant the mon_role role to the FortiDB database user

Use the following command:

  grant role mon_role to <username>
  go

The mon_role role is applied the next time the user logs in. If you are currently logged in with that account, log out and log in again to allow the new privileges to take effect.

See also: Configuring the Sybase Monitoring and Diagnostic (MDA) tables; Adding (or modifying) a target connection; Configuring Sybase monitoring.

Configuring the Sybase Monitoring and Diagnostic (MDA) tables

To set the size of tempdb for MDA

For best results, ensure the temporary database (tempdb) has more than 100 MB of free space.

1. Connect to the master database as the sa user.
2. Check the size of tempdb. For example, execute the following command:

  sp_helpdb
  go

  name            db_size   owner  dbid  created       status
  master          13.0 MB   sa     1     Dec 07, 2007  mixed log and data
  model           4.0 MB    sa     3     Dec 07, 2007  mixed log and data
  sybmgmtdb       75.0 MB   sa     4     Dec 07, 2007  select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data
  sybsystemdb     3.0 MB    sa           Dec 07, 2007  mixed log and data
  sybsystemprocs  MB        sa           Dec 07, 2007  trunc log on chkpt, mixed log and data
  tempdb          4.0 MB    sa     2     Nov 11,

88 Pre-configuration for monitoring target databases Connecting to target databases select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data text_db 5.5 MB sa 5 Dec 07, 2007 trunc log on chkpt, mixed log and data 3. Allocate an appropriate amount of disk space to tempdb. For example, to allocate 500 MB, which is pages, execute the following command: disk init name = "tempdb_data01", physname = "/export/home/sybase/data/tempdb_data01.dat", size = go 4. Allocate disk space on the new device to tempdb. For example, execute the following command: alter database tempdb on tempdb_data01 = 500 go Extending database by pages (500.0 megabytes) on disk tempdb_data01 To configure the login trigger for session policies Login triggers execute a specified stored procedure every time a user logs in. 1. Drop any existing FortiDB_audit table. For example, to drop the table FortiDB_audit, use the following command: drop table master.dbo.fortidb_audit go 2. Create a table to store login information in. For example, to create the table FortiDB_audit in the master database, use the following command: create table master.dbo.fortidb_audit ( spid smallint, kpid int, suid int, loginname varchar(30), dbusername varchar(30), dbid smallint, dbname varchar(30), program_name varchar(30) null, hostprocess varchar(30) null, ipaddr varchar(64) null, loggedindatetime datetime ) go 3. Create a procedure for the login trigger. For example, to create the procedure login_proc, use the following script: use master go drop procedure login_proc go 88

    create procedure login_proc
    as
    begin
        insert into master.dbo.fortidb_audit
        select S.spid, S.kpid, S.suid, suser_name(), user_name(), S.dbid, db_name(),
               S.program_name, S.hostprocess, S.ipaddr, S.loggedindatetime
        from master.dbo.sysprocesses S
        where S.spid
    end
    go

4. Create the login trigger. For example, use the following command:

    sp_logintrigger 'master.dbo.login_proc'
    go
    Global login trigger updated.

   If sp_logintrigger is not installed, recreate the master database procedures. For example, for UNIX, execute the following script:

    isql -Usa -P<password> -i$SYBASE/ASE-15_0/scripts/installmaster

   For Windows, execute the following script:

    isql -Usa -P<password> -i$SYBASE/ASE-15_0/scripts/installmstr

   If you need to drop the global trigger, execute:

    sp_logintrigger 'drop'
    go

5. Grant permission to execute login_proc to public. For example:

    grant execute on dbo.login_proc to public
    go

To set the MDA parameters

1. Configure the MDA parameters. For example, for Linux, use the following commands (for Windows, enter "go" for each execution):

    sp_configure "enable cis", 1
    sp_addserver loopback,                  (not required for or later)
    set cis_rpc_handling on                 (not required for or later)

    exec loopback...sp_who                  (note: 3 dots)
    sp_configure "errorlog pipe active", 1
    sp_configure "deadlock pipe active", 1
    sp_configure "wait event timing", 1
    sp_configure "process wait events", 1
    sp_configure "object lockwait timing", 1
    go

   For the monsysstatement table:

    sp_configure "statement statistics active", 1
    sp_configure "statement pipe max messages", 30000
    sp_configure "per object statistics active", 1
    sp_configure "statement pipe active", 1
    go

   For the monsyssqltext table:

    sp_configure "max SQL text monitored", 8192
    sp_configure "SQL batch capture", 1
    sp_configure "sql text pipe max messages",
    sp_configure "sql text pipe active", 1
    go

   Additional parameter values to set:

    sp_configure "max memory",
    sp_configure "event buffers per engine", 2000
    sp_configure "plan text pipe max messages", 100
    sp_configure "errorlog pipe max messages",
    sp_configure "deadlock pipe max messages", 100
    go

2. Restart the database.
3. To configure the monitoring table to collect data, use the following command:

    sp_configure "enable monitoring", 1
    go

To connect to the Sybase database and clear the MDA buffer

Clear the MDA buffer only after the FortiDB database user has made an initial connection to the database.

1. Connect to the Sybase database that you have configured for monitoring by FortiDB. See Adding (or modifying) a target connection.
2. To clear the MDA buffer, use the following commands:

    select top 1 * from dbo.monsyssqltext
    go
    select top 1 * from dbo.monsysstatement
    go

See also: Configuring the Sybase audit system and FortiDB database user; Adding (or modifying) a target connection; Configuring Sybase monitoring

DB2 target database pre-configuration

Users and privileges required by the DB2 agent

The FortiDB DB2 agent periodically sends a request to the DB2 database to transmit its audit data to a file system location that belongs to the agent's temporary directory. The agent then transmits the audit files to the FortiDB repository. You can also configure the agent to remove the audit data from the DB2 database.

To perform these tasks, the FortiDB DB2 agent requires read and write access to the audit data files. To give the agent this access, you configure it to run using the login credentials of the database instance owner (which are the credentials used to run the DB2 server).

In addition, to install the agent on Windows, the database user that runs the DB2 agent must be a member of the DB2ADMNS user group. You can remove the user from this group after installation is complete.

Required DB2 users                               Purpose                                       Required privileges
DB2 instance owner                               DB2 instance owner                            Default DB2 instance owner privileges
FortiDB DB2 database user                        Connects FortiDB to the DB2 target database   Security administration authority (SECADM), which is required to configure and manage database auditing. For databases installed on Windows: membership in the DB2ADMNS or DB2USERS user group
DB2 user for installing and running the agent    Runs the DB2 agent                            DB2 instance owner. For installing on Windows, be a member of the DB2ADMNS user group

See also: Configuring the DB2 database and installing the agent; Adding (or modifying) a target connection; Configuring DB2 monitoring

Configuring the DB2 database and installing the agent

To configure the DB2 target database to work with the DB2 agent

1. If the database already has an audit configuration, to reset the instance-level audit, use the following command:

    db2audit configure reset

2. To start the audit facility administrator tool, use the following command:

    db2audit start

3. To configure the audit facility to audit for failed logins, use the following command:

    db2audit configure scope context status failure

4. To set the size of the audit buffer, use the following command:

    db2 update dbm cfg using AUDIT_BUF_SZ

   The default audit buffer is 0 (no setting).

5. To grant security administration authority (SECADM) to the user FortiDB uses to connect to the database, use the following command:

    db2=> GRANT SECADM ON DATABASE TO USER <user name>

   where <user name> is the user name specified by the target configuration (General tab).

   For Windows, the FortiDB connection user needs to belong to the DB2ADMNS or DB2USERS group. For UNIX, AIX, or Linux, the FortiDB connection user does not need to be an instance owner. By default, the db2admin user does not have the SECADM authority.

To configure and run the DB2 agent

1. Ensure that Java Virtual Machine (JVM) 1.6 or later is installed, that the JAVA_HOME environment variable is correctly configured, and that the bin directory is first on the execution path.
2. Obtain a copy of the FortiDB agent installer. For information on obtaining the installer, contact Fortinet technical support.
3. Ensure that the DB2 target database has the required configuration. See To configure the DB2 target database to work with the DB2 agent.
4. As the database user that runs the agent, log in to the machine where the DB2 database is located, and then unpack a copy of the FortiDB agent installer to a directory. For information on the permissions this user requires, see Users and privileges required by the DB2 agent.

5. Copy the agent.properties.sample file from <agent install directory>/doc to <agent install directory>/conf, and then change the file name to agent.properties.
6. Using a text editor, set the properties in agent.properties to the following values:

   Parameter         Description                                                                                                                              Required?
   agenttype         Enter DB2.                                                                                                                               Yes
   brokeraddress     Enter the IP address or resolvable host name for FortiDB.                                                                                Yes
   brokerport        Enter the port FortiDB uses to listen for transmissions from the agent. The default value is                                             No
   agentdbaddress    Enter the IP address of the target database. Use the same value that is specified by the target configuration (General tab).              Yes
   agentdbport       Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).          Yes
   pollinginterval   Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).          No
   removeauditfile   Enter true or false. To remove DB2 audit file outputs after the agent sends them to FortiDB, enter true (the default value).              No

7. To install the DB2 agent, go to <agent install directory>/bin, and then execute the following command:

    DB2AgentSetup

8. If DB2 is installed on Windows, do the following:
   a. In <agent install directory>/bin, execute the following command:

    fdbagent install

   b. In the Windows Services Control Panel (for example, in Start > Control Panel > Administrative Tools), configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.

9. To start the FortiDB agent, do one of the following:
   For Windows, Linux, or Solaris: In <agent install directory>/bin, execute the following command:

    $ fdbagent start

   To stop the agent, execute the following command:

    $ fdbagent stop

   For other platforms (for example, AIX): In <agent install directory>/bin, execute the following command:

    $ nohup ./fdbagentapp &

10. To confirm that the audit data path and audit archive path are correct, execute the following command:

    db2audit describe

   The audit settings are displayed. For example:

    DB2 AUDIT SETTINGS:
    Audit active: "TRUE"
    Log audit events: "FAILURE"
    Log checking events: "FAILURE"
    Log object maintenance events: "FAILURE"
    Log security maintenance events: "FAILURE"
    Log system administrator events: "FAILURE"
    Log validate events: "FAILURE"
    Log context events: "FAILURE"
    Return SQLCA on audit error: "FALSE "
    Audit Data Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\flush\"
    Audit Archive Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\archive\"
    AUD0000I Operation succeeded.

11. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring DB2 monitoring on page 202.

See also: Users and privileges required by the DB2 agent

Microsoft SQL Server target database pre-configuration

Database user account requirement

To monitor a Microsoft SQL Server database, FortiDB requires a database user that is a member of the sysadmin server role. Use the following query to add a database user that is a member of sysadmin:

    sp_addsrvrolemember 'username', 'sysadmin'

See also: Adding (or modifying) a target connection

Privileges required by the FortiDB database user

When you configure a target that allows FortiDB to connect to a target database, you specify a database user. This user requires specific privileges to allow it to perform assessments or monitor database activity.

To grant privileges to the FortiDB user, use the GRANT statement. For example:

    GRANT SELECT_CATALOG_ROLE TO <username>
    GRANT SELECT ON dbo.syscolumns TO <username>
    GRANT SELECT ON SYSIBM.SYSCOLAUTH TO <username>
    GRANT ROLE SSO_ROLE TO <username>

For Microsoft SQL Server, use the following command to add a login as a member of sysadmin:

    sp_addsrvrolemember '<user name>', 'sysadmin'

See also: Privileges for VA assessments, privilege summaries, and penetration tests; Privileges for monitoring data; Privileges for monitoring privileges; Privileges for monitoring metadata; Adding (or modifying) a target connection

Privileges for VA assessments, privilege summaries, and penetration tests

The FortiDB database user for a target database requires the following privileges to run assessments and related tasks:

DB2

Task                                          Required privileges
Run VA Assessment (except penetration test)   CREATE TABLE
                                              SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSTBSPACEAUTH

Task                       Required privileges
View a Privilege Summary   SELECT on the following SYSCAT tables: COLAUTH, DBAUTH, INDEXAUTH, PACKAGEAUTH, SCHEMAAUTH, TABAUTH, TBSPACEAUTH
                           SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSSYSTABLESPACES, SYSTBSPACEAUTH, SYSUSERAUTH
Run Penetration Test       SELECT on the following SYSCAT tables: COLAUTH, DBAUTH, INDEXAUTH, PACKAGEAUTH, SCHEMAAUTH, TABAUTH, TBSPACEAUTH
                           SELECT on the following SYSIBM tables: SYSCOLAUTH, SYSDBAUTH, SYSINDEXAUTH, SYSPLANAUTH, SYSSCHEMAAUTH, SYSTABAUTH, SYSTBSPACEAUTH, SYSUSERAUTH

Microsoft SQL Server

Task                                          Required privileges
Run VA assessment (except penetration test)   SELECT on: MASTER.DBO.SPT_VALUES, MASTER.DBO.SYSALTFILES, MASTER.DBO.SYSDATABASES, MASTER.DBO.SYSLOGINS, MASTER.DBO.SYSXLOGINS, SYSCOLUMNS, SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS
                                              EXECUTE on: MASTER.DBO.XP_CMDSHELL, MASTER.DBO.XP_INSTANCE_REGENUMVALUES, MASTER.DBO.XP_INSTANCE_REGREAD, MASTER.DBO.XP_LOGINCONFIG, MASTER.DBO.XP_LOGININFO, MASTER.DBO.XP_REGENUMVALUES, MASTER.DBO.XP_REGREAD
                                              The database user requires the MS-SQL sysadmin role to use the following policies in assessments: DVA MSSQL password field empty; DVA MSSQL password is the same as login name
View a Privilege Summary                      For each individual MS-SQL 2000 database you want to connect to, SELECT on: MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections), SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS

Task                   Required privileges
Run Penetration Test   SELECT on: MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections), MASTER.DBO.SYSXLOGINS, SYS.DATABASE_ROLE_MEMBERS, SYSMEMBERS, SYSOBJECTS, SYSPROTECTS, SYSUSERS (for each individual MS-SQL 2000 database you want to connect to)

Microsoft SQL Server 2005 or

Task                                          Required privileges
Run VA Assessment (except penetration test)   SELECT on: MASTER.DBO.SPT_VALUES, MASTER.DBO.SYSALTFILES, MASTER.DBO.SYSDATABASES, MASTER.DBO.SYSLOGINS, MASTER.DBO.SYSXLOGINS, SYS.COLUMNS, SYS.MEMBERS, SYS.OBJECTS, SYS.PROTECTS, SYS.USERS
                                              EXECUTE on: MASTER.DBO.XP_CMDSHELL, MASTER.DBO.XP_INSTANCE_REGENUMVALUES, MASTER.DBO.XP_INSTANCE_REGREAD, MASTER.DBO.XP_LOGINCONFIG, MASTER.DBO.XP_LOGININFO, MASTER.DBO.XP_REGENUMVALUES, MASTER.DBO.XP_REGREAD
                                              The database user requires the MS-SQL sysadmin role to use the following policies in assessments: DVA MSSQL password field empty; DVA MSSQL password is the same as login name; DVA MSSQL List database logins that are part of the local Administrators group; DVA MSSQL Verify SQL Server not run as local System Administrator; DVA MSSQL Default Microsoft SQL Listener Port Report
View Privileges Summary                       SELECT on: MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)
                                              For each individual Microsoft SQL 2005 Server database that you want to connect to, SELECT on: SYS.DATABASE_PERMISSIONS, SYS.DATABASE_PRINCIPALS, SYS.DATABASE_ROLE_MEMBERS, SYS.OBJECTS

Task                   Required privileges
Run Penetration Test   SELECT on: MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections), SYS.DATABASE_PERMISSIONS, SYS.DATABASE_PRINCIPALS (for each individual Microsoft SQL 2005 Server database that you want to connect to), SYS.DATABASE_ROLE_MEMBERS, SYS.OBJECTS, SYS.SQL_LOGINS

Oracle

Task                                          Required privileges
Run VA Assessment (except penetration test)   CREATE SESSION
                                              SELECT_CATALOG_ROLE
                                              SELECT on: SYS.AUDIT$, SYS.LINK$, SYS.REGISTRY$HISTORY (Oracle 10g only), SYS.USER$, SYSTEM.SQLPLUS_PRODUCT_PROFILE
View Privilege Summary                        SELECT on: ALL_USERS, DBA_COL_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES, DBA_SYS_PRIVS, DBA_TAB_PRIVS
Run Penetration Test                          SELECT on: ALL_USERS, DBA_COL_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES, DBA_SYS_PRIVS, DBA_TAB_PRIVS, SYS.USER$

Sybase and Sybase IQ

Task                                               Required privileges
Run VA Assessment (except for penetration test)    SSO_ROLE
                                                   If the Sybase server is using SybSecurity: on the MASTER database, add the FortiDB user to the database and grant it SELECT permission on the following tables: SYSSRVROLES, SYSLOGINROLES, SYSSECMECHS, SYSDATABASES (AUDFLAGS column), SYSLOGINS (AUDFLAGS column). On any user-defined databases, add the FortiDB user to the database and grant it SELECT permission on the following table: SYSUSERS
                                                   If the Sybase server is not using SybSecurity, grant the database user SELECT permission on the following tables: SYSSRVROLES, SYSLOGINROLES, SYSSECMECHS, SYSDATABASES (AUDFLAGS column)
View a Privilege Summary                           For each individual database you want to connect to, grant SELECT on: MASTER.DBO.SYSDATABASES (for server-level connections), SYSOBJECTS, SYSPROTECTS, SYSUSERS
Run Penetration Test                               Grant SELECT on: MASTER.DBO.SYSDATABASES (for server-level connections), SYSOBJECTS, SYSPROTECTS, SYSUSERS (for each individual database that you want to connect to)

MySQL

Task                                               Required privileges
Run a VA Assessment (including penetration test)   SELECT on: mysql.user, mysql.db, mysql.columns_priv, mysql.tables_priv

Task                       Required privileges
View a Privilege Summary   SELECT on: `INFORMATION_SCHEMA`.*, mysql.user
                           SHOW DATABASES

See also: Adding or modifying assessments; Viewing and exporting a privilege summary; Penetration tests

Privileges for monitoring data

To monitor data, the FortiDB user for your target database requires the following privileges:

RDBMS Type             Required Privilege(s)
Oracle                 For the DB, EXTENDED, and XML File Agent collection methods: CREATE SESSION, SELECT_CATALOG_ROLE, DELETE_CATALOG_ROLE, AUDIT ANY, AUDIT SYSTEM, SELECT on SYS.AUD$, SELECT on the monitored tables or SELECT ANY TABLE
                       For the TCP/IP Sniffer collection method (to support browsing the database to define data policies): CREATE SESSION, SELECT_CATALOG_ROLE, SELECT on the monitored tables or SELECT ANY TABLE
Microsoft SQL Server   Member of sysadmin
Sybase                 For the MDA collection method: no privilege is required for the MDA table
                       For the TCP/IP Sniffer collection method (to support browsing the database to define data policies): a user who can browse database objects

RDBMS Type             Required Privilege(s)
DB2                    For the DB2 Agent collection method: SECADM privilege
                       For the TCP/IP Sniffer collection method (to support browsing the database to define data policies): a user who can browse database objects

See also: Data policies; Configuring target database monitoring

Privileges for monitoring privileges

To monitor privileges, the FortiDB user for your target database requires the following privileges:

RDBMS Type             Required Privilege(s)
Oracle                 CREATE SESSION, SELECT_CATALOG_ROLE, DELETE_CATALOG_ROLE, AUDIT SYSTEM
Microsoft SQL Server   For the SQL Trace collection method: SELECT on: sys.columns, sys.database_role_members, sys.database_permissions, sysobjects, sys.database_principals, sys.sql_logins; EXECUTE on: sp_helpsrvrolemember
                       For the TCP/IP Sniffer and Net Agent collection methods: no privilege is required
Sybase                 No privilege is required for the MDA table or TCP/IP Sniffer
DB2                    SECADM privilege for the DB2 Agent; no privilege is required for the TCP/IP Sniffer

See also: Privilege policies; Configuring target database monitoring

Privileges for monitoring metadata

To monitor metadata, FortiDB target database users need the following privileges:

RDBMS Type             Required Privilege(s)
Oracle                 CREATE SESSION, SELECT_CATALOG_ROLE
                       For use with auditing: CREATE SESSION, AUDIT SYSTEM, SELECT_CATALOG_ROLE
Microsoft SQL Server   For the SQL Trace collection method: SELECT on: information_schema.columns, sysindexes, sysobjects, information_schema.routines, sys.objects obj, sys.sql_modules, information_schema.views
                       For the TCP/IP Sniffer and Net Agent collection methods: no privilege is required
Sybase                 No privilege is required for the MDA table or TCP/IP Sniffer
DB2 UDB                SECADM privilege for the DB2 Agent; no privilege is required for the TCP/IP Sniffer

See also: Metadata policies; Configuring target database monitoring

Managing targets

To assess and monitor your databases using FortiDB, you first create connections to them. The completed configuration is called a target. Use the Targets page to organize your targets.

Columns

The Targets page displays the following columns:

Column             Description
Status             Connection status. One icon indicates a target database for which the information is not complete; another indicates a target database for which the information is complete.
Name               User-defined target connection name. Click it to display the target configuration settings (General tab).
DB Name            The name of the target database.
DB Host Name/IP    Database host name or IP address of the computer where the target database is located.
Port               Port number to use for the connection.
DB Type            One of the following types of databases: ORACLE, MSSQL, DB2, SYBASE, or MYSQL.
Action             Click the Edit icon to modify the target (the same as clicking the DB Name).

Buttons and fields

The Targets page displays the following buttons and fields:

Buttons and Fields       Description
View dropdown            Filters the list of targets by database type.
Search / New Group       Search the list of targets and, optionally, create a new target group using the search results.
Add                      Create a target.
Delete                   Delete one or more selected targets.
Import                   Import targets using an XML-format file.

Buttons and Fields       Description
Export selected to XML   Export selected targets as an XML-format file.
Export all to XML        Export all targets as an XML-format file.
Export all to PDF        Export the target list as a PDF file.

See also: Searching or filtering the target list; Adding (or modifying) a target connection; Exporting target information

Searching or filtering the target list

You can search the list of targets, or create a filtered list of targets that you can place in a named group.

1. Do one of the following:
   Click Target Database Server > Targets, and then click Search/New Group.
   Click Target Database Server > Target Groups, and then click Add.
2. For Column, Operator, and Value, select and enter values that specify the targets that you want in the list. To add additional filtering criteria, click + (plus sign) and complete the settings for the new row. Click - (minus sign) to delete a row.
   The value you enter for Value is case-sensitive. You cannot use the same Column value in multiple rows. For example, you cannot create a row for Location = 'London' and a row for Location = 'New York'.
   For example:

   Attribute       Operator   Value   Return Possibilities
   Location        Contains   nd      all databases in London
   Database Type   Equals     DB2     all DB2 databases

3. Click Search to apply the criteria.
4. Continue working with the filtered list, as required. For example, click the name of a target to edit its properties. To use the list to create a target group, enter a name and click Save Group.

See also: Managing targets; Adding (or modifying) a target connection
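The search procedure above combines Column / Operator / Value rows under two rules: the comparison is case-sensitive, and a column may appear in only one row. The following Python script is an added example written for this handbook page, not FortiDB code; it models that search over a constructed list of targets, implementing only the Contains and Equals operators the table shows, so the rules can be tried on sample data before a group is saved. The attribute names (Name, Database Type, Location) and the AND combination of rows are assumptions of the example.

```python
"""Model of the Targets search filter (Column / Operator / Value rows).

Added example for this handbook page, not FortiDB code. It applies the rules
the procedure states: values are compared case-sensitively and a column may
be used in only one row. Rows are combined with AND (an assumption). Only the
Contains and Equals operators shown on the page are implemented.
"""
from dataclasses import dataclass

# Constructed sample targets. The attribute names are assumptions for this example.
SAMPLE_TARGETS = [
    {"Name": "hr_prod", "Database Type": "ORACLE", "Location": "London"},
    {"Name": "pay_db",  "Database Type": "DB2",    "Location": "New York"},
    {"Name": "crm_db",  "Database Type": "DB2",    "Location": "London"},
    {"Name": "inv_db",  "Database Type": "MSSQL",  "Location": "INDIA"},
]


@dataclass(frozen=True)
class Criterion:
    column: str    # attribute to test, e.g. "Location"
    operator: str  # "Contains" or "Equals"
    value: str     # compared case-sensitively, as the page states


OPERATORS = {
    "Contains": lambda actual, wanted: wanted in actual,
    "Equals":   lambda actual, wanted: actual == wanted,
}


def validate_criteria(criteria):
    """Reject unsupported operators and a column that appears in more than one row."""
    seen = set()
    for c in criteria:
        if c.operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {c.operator!r}")
        if c.column in seen:
            raise ValueError(f"column {c.column!r} may be used in only one row")
        seen.add(c.column)


def filter_targets(targets, criteria):
    """Return the targets matching every criterion (case-sensitive, AND semantics)."""
    validate_criteria(criteria)
    matched = []
    for target in targets:
        if all(OPERATORS[c.operator](str(target.get(c.column, "")), c.value)
               for c in criteria):
            matched.append(target)
    return matched


def target_names(targets, criteria):
    """Convenience wrapper returning just the Name values of the matches."""
    return [t["Name"] for t in filter_targets(targets, criteria)]


def save_group(group_name, targets, criteria):
    """Mimic 'Save Group': a named group holding the current search result."""
    return {group_name: target_names(targets, criteria)}


if __name__ == "__main__":
    # The two rows from the page's example table, run against the sample targets.
    print(target_names(SAMPLE_TARGETS, [Criterion("Location", "Contains", "nd")]))
    print(target_names(SAMPLE_TARGETS, [Criterion("Database Type", "Equals", "DB2")]))
```

With the sample data, Location Contains nd returns the two London targets and not the INDIA one, because the match is case-sensitive; adding a second Location row raises an error instead of silently widening the search.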

Adding (or modifying) a target connection

1. Go to Target Database Server > Targets.
2. Do one of the following:
   To create a target, click Add.
   To modify a target, click the name of a target database.
3. On the General tab, complete the following settings:

   Name               Do not use spaces in the name.
   Type               If you select Oracle, complete the settings on the SSH tab. If you select DB2, on the DB2 Options tab, do one of the following:
                      Select SSH, and then complete the settings on the SSH tab. For more information on SSH tab settings, see Configuring SSH connections to Oracle and DB2 databases on page 109.
                      Select an option other than SSH. For more information on these settings, see Configuring DB2 options on page 108.
   DB Host Name/IP    Enter the DB host name or IP address of the computer where the target database is located.
   Port               Enter the number of the port the database uses; the default port is 1521.
   Connect At         Displayed for Microsoft SQL Server or Sybase only. Select Database Level or Server Level. Select Server Level to exclude the databases specified by the MSSQL Server Level Exclusions or Sybase Server Level Exclusions global properties.

   Additional JDBC Settings   By default, the target uses the additional JDBC settings values that you set in the Target global properties. For more information on these properties, see Target properties on page 75. To use different values, enter one or more key-value pairs separated by a semicolon.
                              For Microsoft SQL Server or Sybase databases only, you can also do the following:
                              Microsoft SQL Server: To support an SSL-encrypted connection, in SQL Server, set ForceEncryption to Yes. Then, for Additional JDBC Settings, enter SSL=require. (To connect without encryption, in SQL Server, set ForceEncryption to No.) If you use NTLM version 2 authentication, enter usentlmv2=true.
                              Sybase: To support an SSL-encrypted connection, enter SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSLSQL
                              Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.
   DB Activity Monitoring     Select to monitor this database.

4. (Optional) Enter information on the Classification and Contact Info tabs. You can use this information to filter the list of targets when you search the list of targets or create target groups.
5. To test your connection, select Test Connection.
6. Click Save.

See also: Managing targets; Configuring DB2 options; Configuring SSH connections to Oracle and DB2 databases; SSH environment requirements (software-only version); Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX; Auto-discovery

Configuring DB2 options

When you configure a connection to a DB2 database, on the DB2 Options tab, for Retrieval Method, select one of the following options. After you have completed the required settings, click Test Connection to verify them:

   SSH                            Select to configure FortiDB to connect to the database using Secure Shell (SSH), and then complete the settings on the SSH tab. For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 109.
   DB2 Level Command              Select to configure FortiDB to connect to the database using the output from DB2 commands. Then, complete the following settings:
                                  db2level Output: Enter the output of the db2level command (show DB2 service level command).
                                  dbm cfg Output: Enter the output of the db2 get dbm cfg command (get database manager configuration command).
   Use SQL query for connection   Select to configure FortiDB to use a SQL query to connect to the DB2 server. To use this option, ensure that the FortiDB database user is granted EXECUTE permission on the stored procedure.

Configuring SSH connections to Oracle and DB2 databases

You can configure FortiDB to connect to Oracle and DB2 target databases using Secure Shell (SSH). If you are using the software-only version of FortiDB and connecting using SSH, additional configuration is required. For more information on these requirements, see SSH environment requirements (software-only version) on page 110.

To configure an SSH connection

1. On the Target page, click the SSH tab.
2. Specify a port number. The default port is
3. For Access Method, select one of the following values:

   Password            Select to connect using the name of the database user and a password, and then enter the user information.
   Implicit Key Pair   Select to connect using the name of the database user and the SSH key file specified by the SSH Key File global property, and then enter the user name.

   Explicit Key Pair (software-only version)   Select to connect using a private key and passphrase (if you provided one when you generated the key), and then complete the following settings:
                                               User Name: Enter the FortiDB SSH user.
                                               Key Path: Enter the directory on your SSH client computer where the private key is located. Then, in the specified directory, create the directory .ssh and copy the private key to it.
                                               Pass Phrase: Enter an optional passphrase. You enter a passphrase when you generate a private key.

4. If you want to use the operating system vulnerability assessment (OSVA) feature and the target is an Oracle database running on Solaris or AIX, select Enable OSVA, and then complete the required settings. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX.
5. To test the connection, click Test SSH Connection.

SSH environment requirements (software-only version)

When you use the software-only version of FortiDB, the following SSH environment is required to allow FortiDB to connect to target databases using an SSH connection. In addition, for some Oracle databases, additional configuration is required to use the operating system vulnerability assessment (OSVA) feature. If you need help setting up a working SSH environment, contact your system administrator.

The target configuration SSH tab provides two Access Method options: Implicit Key Pair (the key pair is specified by the SSH Key File global property) and Explicit Key Pair (the key pair information is specified on the SSH tab). For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 109.

Item                   Description
Public Key handling    For either the Explicit Key Pair or Implicit Key Pair method, use secure copy (SCP) to copy the public key that you generate on the SSH client to your SSH server. Then, append the key to the authorized_keys file located in the .ssh directory within the home directory of the FortiDB SSH user.
Private Key handling   For either the Explicit Key Pair or Implicit Key Pair method, generate id_dsa or id_rsa private keys and copy them to the .ssh directory under the user's home directory on the SSH client machine. In a Windows environment, the private key resides in the /.ssh directory under the user's home directory. The exact directory depends on the OS version. For example, C:\Documents and Settings\All Users.
SSH Client Location    The SSH client runs on your FortiDB machine.

Item                        Description
SSH Server Location         The SSH server runs on your target database machine.
User account for SSH User   To configure an SSH connection, a user account on your target database machine is required. In some cases, additional configuration is required for the FortiDB OS user that you created on a DB2 target database machine.
DB2 Target Specific Instructions   For example, if the user is db2inst3 and you use the bash shell, add the following entry to your .bashrc file:

    if [ -f /home/db2inst3/sqllib/db2profile ]; then
        . /home/db2inst3/sqllib/db2profile
    fi

Operating system vulnerability assessment (OSVA) with Oracle targets   If the target is an Oracle database on Solaris, to use the FortiDB operating system vulnerability assessment (OSVA) feature, specify the Home Directory, Owner, and owner's Group of your target database. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 111.

Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX

If the target is an Oracle database running on Solaris or AIX, additional configuration is required to use the FortiDB operating system vulnerability assessment (OSVA) feature. For information on other SSH settings, see Configuring SSH connections to Oracle and DB2 databases on page 109.

To enable operating system vulnerability assessment (OSVA)

1. On your target computer, ensure that the opatch command path is included in the $PATH environment variable.
2. On the SSH tab, select Enable OSVA, and then complete the following settings. If you do not have this information, contact your Oracle administrator:

   Operating System   Select Solaris or AIX.
   Home Directory     Enter the Oracle home directory ($ORACLE_HOME).
   Owner              Enter the name of the Oracle owner.
   Group              Enter the name of the Oracle user group. In most cases, it is dba or oinstall.

3. Click Save.
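The public-key step in the SSH environment requirements above (copy the public key generated on the FortiDB SSH client to the target, then append it to authorized_keys in the .ssh directory of the FortiDB SSH user's home directory) is easy to get subtly wrong: a duplicated or truncated key line, or a group- or world-writable .ssh directory, either breaks the login or leaves the key file open to tampering by other local users. The following Python script is an added example, not part of FortiDB or this handbook, that performs the append on the SSH server side and adds the checks a reviewer would want: it parses the key line and refuses malformed keys, skips a key that is already present, and enforces the 0700/0600 modes that OpenSSH's default StrictModes setting requires. The explicit home directory argument, the constructed test key, and the check function are assumptions of the example.

```python
"""Append a public key to authorized_keys for the FortiDB SSH user and verify modes.

Added example for this handbook page (not FortiDB code). Assumptions: the
target host runs OpenSSH with the default StrictModes, so ~/.ssh must be
0700 and authorized_keys 0600; the home directory is passed in explicitly.
"""
import base64
import binascii
import os
import stat
import tempfile

# Key types OpenSSH accepts in authorized_keys (the page mentions id_dsa and id_rsa).
ALLOWED_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_public_key(line):
    """Return (key_type, base64_blob) for one OpenSSH public key line.

    Raises ValueError for a malformed line: too few fields, unknown type,
    invalid base64, or a blob whose embedded type string does not match the
    declared type (the usual sign of a truncated or corrupted copy).
    """
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type: {key_type}")
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    # RFC 4253 wire format: the blob starts with a length-prefixed copy of the type.
    if len(raw) < 4:
        raise ValueError("key blob too short")
    type_len = int.from_bytes(raw[:4], "big")
    if raw[4:4 + type_len] != key_type.encode():
        raise ValueError("key blob does not match its declared type")
    return key_type, blob


def install_authorized_key(home_dir, public_key_line):
    """Append the key to <home_dir>/.ssh/authorized_keys unless it is already there.

    Returns True if the key was added, False if an identical key was present.
    Creates .ssh if needed and (re)applies the 0700/0600 modes either way.
    """
    key_type, blob = parse_public_key(public_key_line)
    ssh_dir = os.path.join(home_dir, ".ssh")
    auth_path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours the umask, so set the mode explicitly

    already_present = False
    if os.path.exists(auth_path):
        with open(auth_path, encoding="utf-8") as fh:
            for existing in fh:
                try:
                    already_present |= parse_public_key(existing) == (key_type, blob)
                except ValueError:
                    continue  # comments, blank lines, option-prefixed entries: left untouched
    if not already_present:
        with open(auth_path, "a", encoding="utf-8") as fh:
            fh.write(public_key_line.strip() + "\n")
    os.chmod(auth_path, 0o600)
    return not already_present


def check_permissions(home_dir):
    """Return the problems that would make sshd (StrictModes) ignore the key file."""
    ssh_dir = os.path.join(home_dir, ".ssh")
    auth_path = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path, allowed in ((ssh_dir, 0o700), (auth_path, 0o600)):
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~allowed:
            problems.append(f"{path}: mode {mode:04o} is wider than {allowed:04o}")
    return problems


def constructed_key_line(key_type, key_bytes, comment="fortidb@client"):
    """Build a syntactically valid key line from constructed bytes (NOT a real key)."""
    body = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return f"{key_type} {base64.b64encode(body).decode()} {comment}"


def demo():
    """Run the flow in a throwaway home directory and report what each step found."""
    key = constructed_key_line("ssh-ed25519", bytes(range(32)))
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, key)   # True: key appended
        second = install_authorized_key(home, key)  # False: already present, not duplicated
        clean = check_permissions(home)             # []: modes are correct
        auth_path = os.path.join(home, ".ssh", "authorized_keys")
        os.chmod(auth_path, 0o644)                  # simulate a careless copy
        loose = check_permissions(home)             # one problem reported
        with open(auth_path, encoding="utf-8") as fh:
            key_lines = [l for l in fh.read().splitlines() if l.strip()]
    return first, second, clean, len(loose), len(key_lines)


if __name__ == "__main__":
    print(demo())
```

Run it as the FortiDB SSH user on the target host with the real home directory and the key line copied over by scp; the return value of install_authorized_key tells you whether anything changed, and check_permissions can be rerun at any time as a quick audit of the account.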

Exporting target information

You can use the Targets page to export all targets or only the targets you select. You can also use the page to import targets from an XML file. When you export target information in PDF format, the file contains only part of the target information, and you cannot use it to import targets.

To export information for all targets as an XML or PDF file
1. On the Targets page, for View, select All.
2. Do one of the following:
   - Click Export all to XML.
   - Click Export all to PDF.

To export one or more selected targets as an XML file
1. On the Targets page, do one of the following:
   - For View, select a target group.
   - Click Search/New Group and use the filters to search for targets. For information on using the filter options, see Searching or filtering the target list.
2. Do one of the following:
   - Select the checkbox beside one or more target names, and then click Export selected to XML.
   - Select the checkbox in the column heading to select all list items, and then click Export all to XML.

Importing targets

You can use the Targets page to import target information in XML format. For example, you can import targets that you exported from another FortiDB appliance. A PDF export contains only part of the target information and cannot be imported. To view an example of a file that you can import, export an existing target. The software-only version of FortiDB provides example files in the following directory: <FortiDB install directory>/etc/import-target

Before you import a target, do the following:

- Ensure that the target name is unique. If you import a target with the same name as an existing target, FortiDB overwrites the existing target information with the information in the imported file.
- Ensure that the file provides values for all required elements. If an imported XML file does not have all the required values, FortiDB displays it in the list of targets with an incomplete status icon.
- Do not change any encrypted values. For passwords, use clear text; FortiDB encrypts this text during the import. Because the file therefore holds database credentials in the clear, restrict its permissions and delete it once the import has succeeded.
- Do not change the value of <databasetype>.

To import a target
1. In the navigation menu, go to Target Database Server > Targets.
2. Click Import. The Target Import page is displayed. FortiDB matches imported targets on the value of Name: if the Name value already exists in the target list, FortiDB overwrites the existing target with the imported data.
3. Click Choose file, and then navigate to the file and select it.
4. Select Import. The following information is displayed:
   - Name: The value of the <name> element.
   - Results: The status of the imported target: New, Updated, or Failed.
   - Complete: Whether one or more required elements are missing a value.
   - Message: The reason why Failed is displayed in the Results column.
5. Click Continue to complete the import.

Managing target groups

The Target Database Server > Target Groups page displays all pre-defined and user-defined target groups. Use it to complete the following tasks:

- To add a target group, select Add. For more information, see Adding or modifying a target group on page 114.
- To modify a target group, click its name.
- To delete a user-defined target group, select it, and then click Delete. You can select more than one target group for deletion.

You can modify or delete a pre-defined target group. However, you cannot revert a target group to its original content or restore a target group you deleted.

Pre-defined target groups

FortiDB provides the following pre-defined target groups:
- DB2 Database Group
- MySQL Database Group
- Oracle Database Group
- Microsoft SQL Server Database Group
- Sybase Database Group
- Sybase IQ Database Group
- MungoDB Database Group

Adding or modifying a target group
1. On the navigation menu, go to Target Database Server > Targets.
2. Do one of the following:
   - To create a target group, click Add.
   - To modify a target group, click the name of the group.
3. On the Targets page, complete the required settings. For Group Name, enter or edit the name that is displayed in the list of target groups. For Description, enter a description, for example your filtering or grouping criteria. To cancel the target group creation process, click Cancel.

4. Use the filtering options to display the targets you want in the group in the list of targets. For information on filtering the list, see Searching or filtering the target list.
5. Click Save Group. The new group is displayed on the Target Groups page.

Auto-discovery

Auto-discovery facilitates the creation of target-database connections by searching your network for potential target databases. It scans for potential target databases according to the IP address range, database types, and port ranges you specify. Because the scan attempts a connection to every address in the range, schedule it with whoever monitors the network so that it is not mistaken for hostile port scanning.

How to discover DB2 databases
When attempting to discover DB2 target databases:
- The FortiDB appliance must be able to connect to TCP port 523. If the connection fails, examine firewall policies, router rules, and other causes.
- The DB2 Administration Server (DAS) must be running.

How to discover Microsoft SQL Server
When attempting to discover Microsoft SQL Server target databases, in order to display the correct database version, verify that:
- Your SQL Server instance is running.
- Your SQL Server Browser service is running.

Running auto-discovery
This topic describes how to perform auto-discovery.

To run auto-discovery, you must be the FortiDB Administrator (the admin user that ships with FortiDB) or an administrator with the Target Manager role.
1. Go to Target Database Server > Auto Discovery in the left-side menu.
2. To discover a single database, enter the IP address in the From field and leave the To field blank. To discover multiple databases, enter a range of IP addresses using both the From and To fields.
3. Select Add. The IP address or range is added to the list of IP addresses. To delete an IP address or range from the list, select the checkbox to the left of it and select Remove.
4. Specify the database types to attempt discovery for, and their respective port ranges:
   a. Select or clear the checkboxes on the left of the list.
   b. Add or edit the port ranges in the From and To fields.
5. Select one or more IP address rows, and then select Begin Discovery. One of the following status messages is displayed at the top of the screen:
   - Running...: Appears on the right side of the view header next to "Status", and the processing icon appears next to the page title. When the scan finishes, the Discovery Result page is displayed.
   - No databases found: No database was found at the specified IP address(es).
   - Idle: Either the user cancelled auto-discovery before completion, or the scan has finished (this is the status after Running... and after No databases found).
   To stop auto-discovery before the process is complete, select Abort.
6. The Auto Discovery Results page is displayed. One icon indicates that a database was discovered; another indicates that the database has already been added to the targets list.

Adding targets from auto-discovery
This topic describes how to add target-database configurations to the Targets page from the Auto Discovery Results.
1. Run auto-discovery.
2. Select the checkboxes next to the targets you want to add to your list of target databases.
3. Select Add to Targets at the bottom of the page.
4. Go to the Targets page, where the auto-discovered databases now appear in the Targets list.
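The DB2 and SQL Server prerequisites above come down to reachability: auto-discovery can only find a database whose port accepts a TCP connection from the FortiDB host. The following Python script is an added example written for this page, not FortiDB's own discovery code. It expands a From/To address range the way the Auto Discovery page does and probes each address on each selected type's port range. TCP 523 (DB2 Administration Server) and 1521 (Oracle) are the ports named in this handbook; 1433 for SQL Server and 3306 for MySQL are the vendors' defaults and are this example's assumption. The probe function is injectable so the range logic can be checked without a network; run it from the FortiDB host to confirm that a firewall is not the reason discovery reports No databases found.

```python
import ipaddress
import socket

# Port ranges per database type as (From, To), inclusive.
DEFAULT_PORTS = {
    "DB2": (523, 523),                    # DB2 Administration Server, per the handbook
    "Oracle": (1521, 1521),               # default listener port named in the OSVA policies
    "Microsoft SQL Server": (1433, 1433), # vendor default (assumption for this example)
    "MySQL": (3306, 3306),                # vendor default (assumption for this example)
}


def expand_range(ip_from, ip_to=None):
    """Every address from ip_from to ip_to inclusive; a single address when ip_to is empty."""
    start = ipaddress.ip_address(ip_from)
    end = ipaddress.ip_address(ip_to) if ip_to else start
    if end.version != start.version or int(end) < int(start):
        raise ValueError(f"bad range {ip_from}-{ip_to}")
    return [str(type(start)(n)) for n in range(int(start), int(end) + 1)]


def tcp_probe(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover(ip_from, ip_to, db_types, ports=DEFAULT_PORTS, probe=tcp_probe):
    """Return [(address, db_type, port), ...] for every port that accepted a connection."""
    found = []
    for address in expand_range(ip_from, ip_to):
        for db_type in db_types:
            low, high = ports[db_type]
            for port in range(low, high + 1):
                if probe(address, port):
                    found.append((address, db_type, port))
    return found


if __name__ == "__main__":
    # Stand-alone run: see whether anything on the local host answers on the default ports.
    print(discover("127.0.0.1", "", list(DEFAULT_PORTS),
                   probe=lambda h, p: tcp_probe(h, p, timeout=0.5)))
```

A connection refused or timed out for an address that you know runs a database means the problem is on the network path (firewall, routing, or the service not listening), which is exactly the case the DB2 note above tells you to investigate before blaming FortiDB.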

Vulnerability assessment (VA) policies

Vulnerability assessment (VA) policies are best-practice business rules that FortiDB uses to assess databases. FortiDB has hundreds of pre-defined policies that address industry and governmental compliance requirements, as well as security best practices.

Types of VA policies

You can use the following two types of policies for database vulnerability assessments:
- Pre-defined policies: Fortinet's adaptation of best-practice database security policy. In addition to numerous database vulnerability policies, Fortinet also provides policies that help you perform OS-level assessments, such as making sure that your OS version is appropriate for the version of your target database.
- User-defined policies: Customer or third-party adaptation of an industry- or company-specific security policy. You create these policies using conventional or procedural SQL.

You can use the policy groups that ship with FortiDB or create your own.

Updates to VA policies

Fortinet updates its policies several times a year with an XML file containing new or enhanced policies. Fortinet recommends that you import this file to keep your policies current. You can download the latest policies from FortiGuard Center. For more information, see Managing VA pre-defined policies on page 120.

Exporting and importing VA policies

If you want to move FortiDB policies to another computer, you can export them from the FortiDB repository as XML files and then import them into the target FortiDB repository. Before you import policies, verify that the XML file contains the correct elements. FortiDB does not validate Database Type, Severity, and Classification when it imports policies, so a misspelled value in one of those fields is accepted silently; check those values yourself before importing. To view a sample of correct content, export one or more policies.

VA policy version

The policy version tracks the following information:
- Pre-defined policies you imported and used for assessments. The policy version number is incremented when you import pre-defined policy updates.
- User-defined policies you updated. When you use the Modify User Defined Policy page to update a user-defined policy, FortiDB does not change the policy version number. To update the policy version number, export your user-defined policy, change the policy version number in the file, and then import the policy. You cannot import a user-defined policy whose version number is equal to or lower than that of the existing policy.

When you restore data from an old archive (prior to FortiDB version 3.2.1), the restored data uses the latest version of the policies at the time of the restore.

VA policy groups

You add policies to assessments using policy groups. A policy group must contain at least one policy. FortiDB has the following pre-configured policy groups:
- DB2 Policy Group
- MySQL Policy Group
- Oracle Policy Group
- Pen Test Policy Group
- SQL Server Policy Group
- Sybase Policy Group
- Sybase IQ Policy Group

VA policy states

A FortiDB policy can have one of the following states:

- Enabled: FortiDB is currently using this policy when it runs assessments.
- Disabled: FortiDB is not currently using this policy when it runs assessments.
- Modified and Enabled: The policy has been modified, and FortiDB is currently using it when it runs assessments.
- Modified and Disabled: The policy has been modified, but FortiDB is not currently using it when it runs assessments.
- New and Enabled: The policy is new, and FortiDB is currently using it when it runs assessments.
- New and Disabled: The policy is new, but FortiDB is not currently using it when it runs assessments.

Each state is shown with its own icon in the policy lists.

Keywords and user keywords for VA policies

Keywords are read-only, pre-defined policy keywords. User Keywords are keywords that you specify. You can use keywords to help you create policy groups.

Managing VA pre-defined policies

Use the Pre-Defined Policies tab to manage pre-defined policies. To view only certain policies, use the View drop-down list at the top of the page. You can also import additional policies or updates to existing policies. The pre-defined policies list has the following columns:

- Status: Enabled, Disabled, New and Enabled, New and Disabled, Modified and Enabled, or Modified and Disabled, each shown as an icon.
- Name: Pre-defined policy name.
- DB Type: Oracle, Sybase, DB2, Microsoft SQL Server, MySQL, or SYBASEIQ.
- Severity: User-defined severity level. There are five levels: Informational (default), Cautionary, Minor, Major, and Critical.
- Classification: Unclassified, Configuration, Password, Privilege, Database server, or Host System.

To view policies in a specific policy group only, for View, select the name of the group. Click Search/New Group to create a new policy group. To enable or disable a policy, select the policy in the list and then click Enable or Disable. Click Import to import new or updated policies into the FortiDB repository. Click Export to export all policies in the current list as an XML file.

To export pre-defined policies
1. In the navigation menu, go to Policy > VA Policies.
2. On the Pre-Defined Policies tab, for View, select All or the policy group you want to export. The state of the checkboxes next to individual policies does not affect which policies FortiDB exports; FortiDB always exports all items in the current list.
3. Click Export. Your browser downloads the XML file.

Importing pre-defined policies (appliance)

To keep your policy sets current and effective, you can use the Fortinet Distribution Network (FDN) to import the new and updated policies that FortiDB periodically offers its customers.
1. In the navigation menu, go to Policy > VA Policies. Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.
2. Click Import. The Pre-Defined Policy Update page is displayed.
3. Do one of the following:
   - To automatically disable any new or modified policies you import, select Disable new and modified rules after import.
   - To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.
4. Do one of the following:
   - To mark imported policies that are new or modified with icons, select Identify new and modified rules with icons.
   - To show imported policies without such icons, clear Identify new and modified rules with icons.
   Fortinet recommends that you select Identify new and modified rules with icons.
5. Select Import Updates from FortiGuard Center. FortiDB connects to FortiGuard Center and downloads any updates. Then a message like "Updated 12 policies of 544 found in file" is displayed. The downloaded update file contains all policies; however, FortiDB only updates the policies that changed. In the sample message, the update file contains 544 policies, only 12 of which needed to be updated in your system; the other 532 are identical to those already in your system.

Appliance users can also import policy updates from a file: in the Select XML file to be uploaded field, click Browse, select the XML file, and then select Import.

Importing pre-defined policies (software-only FortiDB)

You can import pre-defined policies by uploading XML files that contain them. Before performing this task, you may need to download one or more XML files from a designated FortiDB web or FTP site. This includes the new and updated policies that FortiDB periodically offers its customers to keep their policy sets current and effective.
1. In the navigation menu, go to Policy > VA Policies. Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.
2. Click Import. The Pre-Defined Policy Update page is displayed.
3. For Select XML file to be uploaded, click Choose File, and then navigate to and select the update file.
4. Do one of the following:
   - To automatically disable any new or modified policies you import, select Disable new and modified rules after import.
   - To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.
5. Do one of the following:
   - To mark imported policies that are new or modified with icons, select Identify new and modified rules with icons.
   - To show imported policies without such icons, clear Identify new and modified rules with icons.
   Fortinet recommends that you select Identify new and modified rules with icons.
6. Select Import. The policies are added to the list on the VA Policies page.

OS-Level pre-defined policies

The FortiDB OS-Level pre-defined policies gather and evaluate information about the target database's operating system (OS). They use SSH and a client-side script that contains OS commands. To assess Oracle target computers using OS-Level pre-defined policies, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 111.

The OS-Level pre-defined policies require the following permissions. For each policy, the purpose is given first, then the permissions the SSH user needs on the target.

OSVA ORCL Oracle Critical Patches (opatch)
- Purpose: Returns the opatch version and the applied critical patch numbers.
- Required permissions, Oracle 9i, 10g, 11g, 12c: execute permission on opatch, and the SSH user's PATH variable must include the location of opatch.
- Required permissions, Oracle 10g, 11g, 12c: read, write, and execute permissions on opatch and on $ORACLE_HOME/cfgtoollogs/opatch/lsinv. Write access to the opatch binary itself lets the SSH user alter the tool, so grant it only if the inventory listing actually fails without it; in practice opatch only needs to write its logs under $ORACLE_HOME/cfgtoollogs/opatch.

OSVA ORCL Oracle Owner-Login Check
- Purpose: Alerts if the Oracle owner specified on the FortiDB Database Connection GUI is not in /etc/passwd.
- Required permissions: read permission on /etc/passwd, via the cat and grep commands.

OSVA ORCL Oracle DBA-Group Check
- Purpose: Alerts if dba is not in the /etc/group file.
- Required permissions: read permission on /etc/group, via the cat and grep commands.

OSVA ORCL Oracle DBA-Group-Member List
- Purpose: Returns a list of members of the dba group from /etc/passwd and /etc/group.
- Required permissions: read permission on /etc/passwd and /etc/group, via the cat and grep commands.

OSVA ORCL Oracle Process-Owner Check
- Purpose: Alerts if the Oracle process is being run by a non-Oracle user such as root or bin.
- Required permissions: execute permission on the ps and grep commands.

OSVA ORCL Oracle Excessive Directory & File Permissions Check
- Purpose: Alerts if the "other" permissions on the Oracle Home directory (and its contents) specified on the Create/Modify Database Connection screen include both read and write (and not execute).
- Required permissions: other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Setting an access control list (ACL) for minimally-privileged users.

OSVA ORCL Oracle Correct Directory/File Owner & Group Check
- Purpose: Alerts if files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen do not have the correct owner and group. Exempt from this check are $ORACLE_HOME/bin/oracle, $ORACLE_HOME/bin/oradism, and $ORACLE_HOME/bin/dbsnmp.
- Required permissions: other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Setting an access control list (ACL) for minimally-privileged users.

OSVA ORCL Oracle setuid/setgid File Check
- Purpose: Alerts if setuid or setgid permissions are assigned to files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen. Exempt from this check are $ORACLE_HOME/bin/oracle, $ORACLE_HOME/bin/oradism, and $ORACLE_HOME/bin/dbsnmp, which are designed to run setuid.
- Required permissions: other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Setting an access control list (ACL) for minimally-privileged users.

OSVA ORCL Oracle Database-Configuration-Change Check
- Purpose: Checks whether the database configuration files init.ora and spfile.ora changed between the previous and current assessments.
- Required permissions: execute permission for ls on the $ORACLE_HOME/dbs/ directory, and read permission on $ORACLE_HOME/dbs/.

OSVA ORCL Oracle Network-Configuration-Change Check
- Purpose: Checks whether the network configuration files listener.ora, tnsnames.ora, and sqlnet.ora changed between the previous and current assessments.
- Required permissions: execute permission for ls on the $ORACLE_HOME/network/admin/ directory, and read permission on $ORACLE_HOME/network/admin/.

OSVA ORCL Oracle Installed-Operating-System Info
- Purpose: Returns the OS name and version.
- Required permissions: execute permission for cat on /etc/release, and read permission on /etc/release.

OSVA ORCL Oracle External-Procedure Processes Running Check
- Purpose: Alerts if an external-procedure process is running on the target server.
- Required permissions: execute permission for ps and grep.

OSVA ORCL Oracle EXTPROC
- Purpose: Alerts if any EXTPROC settings are listed in listener.ora, for example (SID_NAME = PLSExtProc).
- Required permissions: execute permission for cat on listener.ora, and read permission on listener.ora.

OSVA ORCL Oracle Missing-Listener-Password Check
- Purpose: Alerts if a PASSWORD setting is missing in listener.ora.
- Required permissions: execute permission for cat on listener.ora, and read permission on listener.ora.

OSVA ORCL Oracle Missing-Listener-ADMIN_RESTRICTIONS Check
- Purpose: Alerts if an ADMIN_RESTRICTIONS setting is missing in listener.ora. (ADMIN_RESTRICTIONS_<listener> = ON stops listener parameters from being changed at run time with lsnrctl SET.)
- Required permissions: execute permission for cat on listener.ora, and read permission on listener.ora.

OSVA ORCL Oracle Default-Listener Check
- Purpose: Alerts if the default listener name LISTENER is set in listener.ora.
- Required permissions: execute permission for cat on listener.ora, and read permission on listener.ora.

OSVA ORCL Oracle Default-Port (1521) Check
- Purpose: Alerts if the default PORT 1521 is set in listener.ora.
- Required permissions: execute permission for cat on listener.ora, and read permission on listener.ora.

OSVA ORCL Oracle Advanced-Listener-Security Settings Check
- Purpose: Alerts if Oracle Advanced Security settings are missing in sqlnet.ora. For example, the presence of SQLNET.ENCRYPTION_SERVER = Requested would not cause an alert.
- Required permissions: execute permission for grep on sqlnet.ora, and read permission on sqlnet.ora.

OSVA ORCL Oracle Configured Listener List
- Purpose: Displays all listener names.
- Required permissions: execute permission for cat on listener.ora, and read permission on listener.ora.

OSVA ORCL Oracle Unencrypted Listener Password Check
- Purpose: Alerts if the password in listener.ora is unencrypted. Encrypted passwords are 16 characters long and consist only of the uppercase letters A to F and digits. For example, the following is an acceptably encrypted password and would not generate an alert: PASSWORDS_LISTENER = F56401ADBA6810D5. Note that Oracle deprecated listener passwords in 11g in favour of local OS authentication, so on 11g and later a missing PASSWORD setting is normally expected rather than a weakness.
- Required permissions: execute permission for cat on listener.ora, and read permission on listener.ora.

Use the known_hosts file on the FortiDB machine so that its SSH client connects only to target hosts whose host keys are already known.

Setting an access control list (ACL) for minimally-privileged users

To provide more secure access to target databases, create an access control list (ACL), for example one that enables a minimum-permission user to perform, via SSH, the OS-level operations used by the FortiDB OS-level pre-defined policies. In general, you create a user belonging to the nobody group on your target database machine. Then use an ACL to give that user only the specific permissions necessary to execute the OS-level pre-defined policies that you are interested in.

The following examples grant the SSH user read and execute permissions on the $ORACLE_HOME directory, which some operating system vulnerability assessment (OSVA) pre-defined policies require. The setfacl syntax shown is the Solaris one (comma-separated entries including mask: in a single -m argument; -d deletes an entry). On Linux the grant is setfacl -m u:fortidb:rwx,m:rwx <path>, the revoke is setfacl -x u:fortidb <path>, and -d means "operate on the default ACL", not delete.

Example one: Set ACL on an Oracle 10g target server for OSVA ORCL (the critical-patches policy, which needs $ORACLE_HOME/cfgtoollogs/opatch/lsinv)

Assume the SSH user is fortidb.
1. Grant the user read, write, and execute permission on the lsinv directory:
   $ setfacl -m user:fortidb:rwx,mask:rwx $ORACLE_HOME/cfgtoollogs/opatch/lsinv
2. To confirm permissions:
   $ getfacl $ORACLE_HOME/cfgtoollogs/opatch/lsinv

This command returns something like the following response:

    # file: /export/home/ora1020/product/10.2.0/db_1/cfgtoollogs/opatch/lsinv
    # owner: ora1020
    # group: oinstall
    user::rwx
    user:fortidb:rwx        #effective:rwx   <--- check that the effective permissions are rwx
    group::r-x              #effective:r-x
    mask:rwx
    other:r-x

Example two: Set ACL on an Oracle 9i, 10g, 11g, or 12c target server for OSVA ORCL 01.06, 01.07, and …

1. To find the directories within $ORACLE_HOME for which the required permissions do not exist, execute the following as the Oracle owner (see o_owner) on your target-database machine:

    $ find $ORACLE_HOME \( -type d \) -a \( ! -perm -o+rx \) -ls | awk '{print $3,$11}'

   which might return something like:

    drwx------ /oracle/db1/apache/apache/conf/ssl.key
    drwxr-x--- /oracle/db1/.patch_storage

2. Using the File Access Control List program, grant the appropriate permissions to sshuser:

    $ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/apache/apache/conf/ssl.key
    $ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage

   Read and execute on a directory such as conf/ssl.key only let sshuser list and traverse it; the key files inside keep their own permissions, so check those before widening access to a directory that holds private keys.

3. (Optionally) confirm that the correct permissions were granted with:

    $ getfacl /oracle/db1/apache/apache/conf/ssl.key
    $ getfacl /oracle/db1/.patch_storage

   which would return something like:

    # file: /oracle/db1/.patch_storage
    # owner: ora1020
    # group: oinstall
    user::rwx
    user:sshuser:r-x        #effective:r-x
    group::r-x              #effective:r-x
    mask:r-x
    other:---

4. (Optionally) you can revoke the permissions with (Solaris syntax; on Linux use setfacl -x user:sshuser <path>):

    $ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/apache/apache/conf/ssl.key
    $ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage

If you cannot give read (r) and execute (x) permission on a directory, FortiDB VA produces a "Permission denied" error on the report for it, which you can ignore.
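The listener.ora and sqlnet.ora policies in the table above (EXTPROC, missing or clear-text PASSWORD, ADMIN_RESTRICTIONS, default listener name, default port 1521, missing Advanced Security settings) all reduce to text matching over two files. The following Python script is an added example written for this page, not FortiDB's own policy code; it re-implements those checks over constructed sample files so that a finding in an assessment report can be reproduced and confirmed by hand. The list of parameter prefixes it uses to tell listener names from listener parameters is this example's own heuristic and should be extended to match your listener.ora.

```python
import re

# Constructed sample files (not taken from a real server): a default-named listener
# on the default port, with EXTPROC configured and a clear-text password.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /oracle/db1)
      (PROGRAM = extproc)
    )
  )
PASSWORDS_LISTENER = (oracle)
"""

HARDENED_LISTENER_ORA = """
LISTENER_DB1 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1530)))
PASSWORDS_LISTENER_DB1 = (F56401ADBA6810D5)
ADMIN_RESTRICTIONS_LISTENER_DB1 = ON
"""

SAMPLE_SQLNET_ORA = "NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)\n"

# Top-level keys that are listener parameters rather than listener names
# (assumption: the common ones; extend for your own listener.ora).
PARAM_PREFIXES = ("SID_LIST_", "PASSWORDS_", "ADMIN_RESTRICTIONS_",
                  "LOCAL_OS_AUTHENTICATION_", "LOGGING_", "LOG_DIRECTORY_",
                  "LOG_FILE_", "TRACE_", "INBOUND_CONNECT_TIMEOUT_",
                  "DYNAMIC_REGISTRATION_", "SUBSCRIBE_FOR_NODE_DOWN_EVENT_",
                  "DIAG_ADR_ENABLED_", "ADR_BASE_", "VALID_NODE_CHECKING_")
ENCRYPTED_PASSWORD = re.compile(r"^[0-9A-F]{16}$")  # 16 upper-case hex digits, per the policy


def parse_top_level(text):
    """Map each top-level 'KEY =' entry to its body; continuation lines are indented."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9_.]*)\s*=\s*(.*)$", line)
        if m and not line[0].isspace():
            current = m.group(1).upper()
            entries[current] = m.group(2)
        elif current is not None:
            entries[current] += "\n" + line
    return entries


def check_listener(text):
    """Return (listener names, [(listener, finding code), ...]) for one listener.ora."""
    entries = parse_top_level(text)
    names = [k for k in entries if not k.startswith(PARAM_PREFIXES)]
    findings = []
    for name in names:
        body = entries[name]
        if name == "LISTENER":
            findings.append((name, "default-name"))
        if re.search(r"\(\s*PORT\s*=\s*1521\s*\)", body, re.I):
            findings.append((name, "default-port"))
        sid_list = entries.get("SID_LIST_" + name, "")
        if re.search(r"PLSExtProc|PROGRAM\s*=\s*extproc", sid_list, re.I):
            findings.append((name, "extproc"))
        password = entries.get("PASSWORDS_" + name)
        if password is None:
            findings.append((name, "no-password"))
        elif not ENCRYPTED_PASSWORD.match(re.sub(r"[()\s]", "", password)):
            findings.append((name, "cleartext-password"))
        restrictions = re.sub(r"\s", "", entries.get("ADMIN_RESTRICTIONS_" + name, ""))
        if restrictions.upper() != "ON":
            findings.append((name, "no-admin-restrictions"))
    return names, findings


def advanced_security_settings(text):
    """Oracle Advanced Security keys present in sqlnet.ora; an empty list is the alert condition."""
    return [k for k in parse_top_level(text)
            if k.startswith(("SQLNET.ENCRYPTION_", "SQLNET.CRYPTO_CHECKSUM_"))]


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        print(label, check_listener(text))
    print("advanced security:", advanced_security_settings(SAMPLE_SQLNET_ORA))
```

Running the same logic over the real files (copied off the target with the read permissions listed above) lets you tell a genuine finding from a parsing artifact, and the hardened sample shows what a listener.ora that passes every check looks like.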

VA user-defined policies

On the Policies page, you manage user-defined policies on the User-Defined Policies tab. Use the View list at the top of the page to filter the list. You can also import additional policies or updates to existing policies. The list has the following columns:
- Status: Enabled, Disabled, New and Enabled, New and Disabled, Modified and Enabled, or Modified and Disabled, each shown as an icon.
- Name: User-defined policy name.
- DB Type: Oracle, Sybase, DB2, Microsoft SQL Server, MySQL, or SYBASEIQ.
- Severity: User-defined severity level. There are five levels: Informational (default), Cautionary, Minor, Major, and Critical.
- Classification: Unclassified, Configuration, Password, Privilege, Database server, or Host System.

The page offers the following controls:
- The View drop-down limits the policies you view to those within a certain policy group.
- The Search/New Group button creates a new policy group.
- The Add button creates your own user-defined policy.
- The Delete button deletes the policies whose checkboxes are selected.
- The Enable button activates the policies whose checkboxes are selected.
- The Disable button deactivates the policies whose checkboxes are selected.
- The Import button imports new or updated policies into the FortiDB repository.
- The Export button exports all policies on the screen as an XML file.

Adding user-defined policies
1. Go to Policy > VA Policies in the left-side menu.
2. Select the User-Defined Policies tab.
3. Select Add.
4. Fill in the appropriate fields. Some of the fields to note are:
   - ID: Enter a unique designator that can include any character, including alphanumerics, special characters, and white space.
   - SQL query: Enter the query that is run when this user-defined policy is applied during an assessment.
   - Result Column Name(s): Entries in this field are the column names referred to in the SQL query field. Multiple entries are delimited by semicolons. The names can either be actual column names in your query, like empno in 'SELECT empno FROM scott.emp', or aliases like enumber in 'SELECT empno AS " enumber" FROM scott.emp'. Leading or trailing spaces in the alias expression must also be specified in this field for the column's values to appear in your report. For example, if there are two leading spaces in " enumber", include both spaces in the Result Column Name(s) value. You can use the '*' column wildcard in your queries; however, you must separately specify the name of each column for which you want report results. If, for example, you use 'SELECT * FROM scott.emp' against an Oracle target database, you must enter "empno;ename;job;mgr;hiredate;sal;comm;deptno" in this field in order to get a report on all columns in scott.emp. Note: Do not put spaces before or after the semicolons unless your aliased column names also have leading or trailing spaces, respectively.

   Result Column Label(s)
       Entries in this field are the column names that you would like to see in your reports. Multiple entries are delimited by semicolons.
       Note: If you do not populate this field, your report's column headers will be the entries used for the Result Column Name(s) field.

   Keywords
       Entries in this field can be used when using a filter to create policy groups.

5. Select the Save button.

Here is an Oracle example, which assumes you have access to the SCOTT schema:

a. Create a policy with these entries:
   ID: unique designator
   Database type: Oracle
   SQL query: SELECT empno, ename from scott.emp
   Result Column Name(s): empno;ename
   Result Column Label(s): Employee Number;Employee Name
   Severity: Informational
   Classification: Unclassified
b. Select Save to save myoracleudp1.
c. Create a policy group, myudpgroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myudpgroup.
e. Run a Detailed (Pre-Defined) Report against your assessment. You should see several rows of Scan Results like this in the Informational Vulnerabilities section:
   Employee Number: 7369   Employee Name: SMITH

Here is another, slightly different, Oracle example, which uses column-name aliasing and, again, assumes you have access to the SCOTT schema:

a. Create a policy with these entries:
   ID: can be any value
   Name: myoracleudp2
   Database type: Oracle
   SQL query: SELECT empno as "EmpID", ename as "Worker" from scott.emp
   Result Column Name(s): EmpID;Worker
   Result Column Label(s): Employee Number;Employee Name
   Severity: Informational
   Classification: Unclassified
b. Select Save to save myoracleudp2.
c. Create a policy group, myudpgroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myudpgroup.
e. Run a Detailed (Pre-Defined) Report against your assessment. You should see several rows of Scan Results like this in the Informational Vulnerabilities section:
   Employee Number: 7369   Employee Name: SMITH
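The Result Column Name(s) matching rules above are easy to get wrong with aliases. The following Python is an added example, not FortiDB's own code: it emulates how a user-defined policy's query output is reduced to the named columns and headed with the labels, using an in-memory SQLite table as a constructed stand-in for scott.emp (SQLite, the sample rows and the function names are this example's assumptions).

```python
import sqlite3
from typing import Dict, List

# Constructed stand-in for Oracle's SCOTT.EMP: an in-memory SQLite table (assumption: SQLite is
# used only so the example runs offline; FortiDB runs the policy query against the target itself).
SAMPLE_EMP_ROWS = [
    (7369, "SMITH", "CLERK", 800),
    (7499, "ALLEN", "SALESMAN", 1600),
    (7521, "WARD", "SALESMAN", 1250),
]


def open_sample_db() -> sqlite3.Connection:
    """Create the sample EMP table so the policy query has something to run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (empno INTEGER, ename TEXT, job TEXT, sal INTEGER)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?, ?)", SAMPLE_EMP_ROWS)
    return conn


def split_semicolon_field(value: str) -> List[str]:
    """Split a Result Column Name(s) or Label(s) value on ';' without stripping whitespace:
    an alias such as "  enumber" is only matched if the spaces are given exactly."""
    return value.split(";") if value else []


def run_user_defined_policy(conn: sqlite3.Connection, sql_query: str,
                            result_column_names: str,
                            result_column_labels: str = "") -> List[Dict[str, object]]:
    """Apply a user-defined VA policy the way the handbook describes the fields:
    run the SQL query, keep only the columns listed in Result Column Name(s) (exact match
    against the query's column names or aliases), and head them with Result Column Label(s),
    falling back to the names themselves when no labels are given."""
    names = split_semicolon_field(result_column_names)
    labels = split_semicolon_field(result_column_labels) or names
    if len(labels) != len(names):
        raise ValueError("Result Column Label(s) needs one entry per Result Column Name(s) entry")
    cur = conn.execute(sql_query)
    query_columns = [d[0] for d in cur.description]
    # A name that does not match a query column exactly (spaces included) yields no values,
    # which is the silent failure the handbook's note about aliases warns about.
    positions = {name: query_columns.index(name) for name in names if name in query_columns}
    report_rows = []
    for record in cur.fetchall():
        report_rows.append({label: record[positions[name]]
                            for name, label in zip(names, labels) if name in positions})
    return report_rows


if __name__ == "__main__":
    db = open_sample_db()
    for row in run_user_defined_policy(db, "SELECT empno, ename FROM emp",
                                       "empno;ename", "Employee Number;Employee Name"):
        print("  ".join(f"{k}: {v}" for k, v in row.items()))
```

Running the block prints the first example's report rows. Passing the name enumber for an alias defined as "  enumber" returns rows with no values at all, so the column drops out of the report without an error; passing "  enumber" with both spaces restores it.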

Deleting user-defined policies

This topic describes how to delete user-defined policies.

1. Go to Policy > VA Policies in the left-side menu.
2. Select the User-Defined Policies tab.
3. Mark the check box(es) corresponding to the user-defined policies you want to delete.
4. Select the Delete button.

Exporting user-defined policies

This topic describes how to export user-defined policies.

1. Go to Policy > VA Policies in the left-side menu.
2. Select the User-Defined Policies tab.
3. In the View dropdown list, select All or the policy group you want to export. The checkboxes next to the individual policies have no effect when exporting: FortiDB exports all policies in the list regardless of whether the checkbox for an item is selected.
4. Select the Export button.
5. Save the XML file.
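An exported file cannot be re-imported as-is: the Importing user-defined policies procedure requires the version attribute of the <VaPolicy> element to be increased first. The following Python is an added example and not part of FortiDB: it bumps that attribute and otherwise leaves the export alone. Only the <VaPolicy> element and its version attribute come from the handbook; the nested element names in the constructed sample are placeholders (assumption).

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of an exported policy file. Only the <VaPolicy> element and its version
# attribute come from the handbook; the nested element names are placeholders (assumption).
SAMPLE_EXPORT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<VaPolicy version="3">
  <policy id="udp-1" name="myoracleudp1">
    <sql>SELECT empno, ename FROM scott.emp</sql>
  </policy>
</VaPolicy>
"""


def _vapolicy_element(doc: ET.Element) -> ET.Element:
    """Return the <VaPolicy> element, whether it is the root or nested under a wrapper."""
    elem = doc if doc.tag == "VaPolicy" else doc.find(".//VaPolicy")
    if elem is None:
        raise ValueError("no <VaPolicy> element found in the export")
    return elem


def current_vapolicy_version(xml_text: str) -> int:
    """Read the integer version attribute; refuse to guess if it is missing or non-numeric."""
    value = _vapolicy_element(ET.fromstring(xml_text)).get("version")
    if value is None or not value.isdigit():
        raise ValueError(f"<VaPolicy> version attribute missing or non-numeric: {value!r}")
    return int(value)


def bump_vapolicy_version(xml_text: str) -> str:
    """Return the export with version increased by one (for example version="3" -> version="4"),
    leaving the policy content unchanged, so FortiDB accepts the file on import."""
    doc = ET.fromstring(xml_text)
    elem = _vapolicy_element(doc)
    elem.set("version", str(current_vapolicy_version(xml_text) + 1))
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(doc, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Usage: python bump_vapolicy.py exported.xml > ready_to_import.xml
    # (without an argument the constructed sample is processed instead)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT_XML
    sys.stdout.write(bump_vapolicy_version(source))
```

The script raises instead of guessing when the element or attribute is absent, so a file that is not a FortiDB policy export is not silently rewritten.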

Importing user-defined policies

This topic describes how to import user-defined policies.

1. Go to Policy > VA Policies in the left-side menu.
2. Select the User-Defined Policies tab.
3. Select the Import button.
4. Enter the path to the XML file you want to import, or select the Browse button and select the XML file you want to import. To import your policies successfully, you must increase the value of the version attribute of the <VaPolicy> element (for example, change version="3" to version="4").
5. Select or clear the Deactivate new and modified rules after import check box. If you select it, new and modified rules are deactivated after import; if you clear it, they are activated.
6. Select or clear the Identify new and modified rules with icons check box. If you select it, new and modified rules are marked with icons; if you clear it, they are not.
7. Select the Import button.

VA policy groups

The Policy Groups page displays all policy groups with group names and descriptions. Use the Policy Groups page to perform the following tasks:

- Add a new policy group by selecting Add. See Adding VA policy groups on page 135.
- Modify a policy group by selecting the group name. See Modifying VA policy groups on page 136.
- Delete policy groups by selecting the group check box and clicking Delete.

The following pre-defined policy groups are available:

Group                     Policies included
DB2 Policy Group          DB2 policies
MySQL Policy Group        MySQL policies

Oracle Policy Group       Oracle policies
SQL Server Policy Group   SQL Server policies
Sybase Policy Group       Sybase policies
Pen Test Policy Group     Penetration tests (see Penetration tests on page 137)
CIS Policy Group          CIS benchmark policies
Sybase IQ Policy Group    Sybase IQ policies

Adding VA policy groups

This topic describes how to create groups of predefined or user-defined policies by using filtering criteria.

1. Go to Policy > VA Policy Groups in the left-side menu.
2. Select the Add button.
3. On the subsequent Policies page, choose either the Pre-Defined Policies tab or the User-Defined Policies tab and then fill in the text boxes:
   a. Use the Policy Type dropdown to create a group consisting of just pre-defined policies, just user-defined policies, or both (All).
   b. Use the Group Name text box to enter a name that will show up in the saved policy-group list. Use the optional Description text box to describe your filtering/grouping criteria.
   c. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.
   d. You can add or remove filtering criteria rows by selecting the + (plus) or - (minus) buttons. You cannot use the same Column in multiple rows. For example, you cannot establish criteria that include all the policies with a Severity of Minor and all the policies with a Severity of Major.
   To cancel creating a new policy-group filter and go back to the main Policies page, select the icon.

Here are some examples of filtering criteria:

Attribute       Operator   Value   Return possibilities
Severity        Equals     Minor   all policies with a Severity of Minor
Database Type   Equals     DB2     all policies associated with DB2 databases

4. To test your filtering criteria, select the Apply button.
5. To save the group you created, select the icon.

To modify an existing group, select the Name of the group on the Policy Groups page.

Modifying VA policy groups

This topic describes how to modify an existing policy group.

1. Go to Policy > VA Policy Groups in the left-side menu.
2. On the Policy Groups page, click the name of the policy group that you want to modify.
3. Modify the policy name or description if necessary.
4. Select the Policy Type from the dropdown list (All, Pre-Defined, or User).
5. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.
6. You can add or remove filtering criteria rows by selecting the + (plus) or - (minus) buttons. You cannot use the same Column in multiple rows. For example, you cannot establish criteria that include all the policies with a Severity of Minor and all the policies with a Severity of Major.
   To cancel modifying the policy-group filter and go back to the main Policies page, select the icon.
7. To test your filtering criteria, select the Apply button.
8. Click the icon to save.

Deleting VA policy groups

This topic describes how to delete a policy group.

1. Go to Policy > VA Policy Groups in the left-side menu.
2. Check the check box(es) corresponding to the policy group(s) you want to delete.
3. Click the Delete button.

Penetration tests

A penetration test (or pentest) examines your target databases for weak passwords. Like any other type of assessment, you can run pen tests either immediately or schedule them for a convenient time.

FortiDB does not support penetration tests for Sybase IQ target databases.

Connection options for penetration tests

For penetration tests, FortiDB uses one of the following options to connect to target databases:

Login
    The login connection method is available for all target database types.

Hash-based
    A 'hash' is the value that results from applying a one-way hash function to a clear-text string. The hash-based method is a safer, offline approach, but it is available for Oracle and Microsoft SQL target databases only. If you use the hash-based method for Sybase or DB2 targets, FortiDB cannot apply any of the pentest policies, the assessment result is essentially empty, and no error is reported.

Hybrid
    FortiDB uses the hash-based method if it is available (that is, when the database is Oracle or Microsoft SQL). Otherwise, it uses the login method.

Note: If the penetration test login attempts are unsuccessful, the database may prevent any users, including valid users, from logging in.

Files used for penetration tests

Penetration test policies use username and password information stored in a set of text files to assess databases. For the Dictionary pen test policy, FortiDB allows you to select a password dictionary text file to use instead of the default dictionary. In addition, if you are using the software version of FortiDB, you can customize the other pentest policy text files. The custom files allow you to specify the usernames and passwords to use in the test instead of testing all database usernames. These files are <dbtype>default.txt and <dbtype>user.txt, where <dbtype> specifies the type of database using one of the following strings:

   ora     for Oracle
   sql     for MS-SQL
   db2     for DB2
   syb     for Sybase
   mysql   for MySQL

If you are using either the appliance or software version of FortiDB, you can use the Assessment properties to select an alternative password dictionary file. However, appliance version users cannot access or change the default dictionary.txt, <dbtype>default.txt and <dbtype>user.txt files.

The policies, the files they read, and the content each one evaluates:

Default Password
    File: <dbtype>default.txt
    Content evaluated: All the username-password pairs in the file. The values in <dbtype>default.txt represent system accounts that ship with an RDBMS and their default passwords. For example, for Oracle, SYS, SYSTEM, and SCOTT, and for Microsoft SQL, SA.

Dictionary
    Files: <dbtype>user.txt, dictionary.txt
    Content evaluated: The pairing of each username in the <dbtype>user.txt file with every password in the dictionary.txt file.
    Note: When FortiDB executes the pentest Dictionary policy, it automatically adds the domain name to the password list.

Number Following Username
    File: <dbtype>user.txt
    Content evaluated: The pairing of usernames in the file with a password created by adding one or more numbers to the end of the username.

Same as Username
    File: <dbtype>user.txt
    Content evaluated: The pairing of usernames in the file with a password that is the same as the username.

Username Following Number
    File: <dbtype>user.txt
    Content evaluated: The pairing of usernames in the file with a password created by adding one or more numbers to the beginning of the username.

Username Reversed
    File: <dbtype>user.txt
    Content evaluated: The pairing of usernames in the file with a password created by spelling the username backwards.

Configuring and running penetration test assessments

To configure and run penetration testing against target databases:

1. Ensure that the FortiDB database user specified in the target configuration for the database you want to test has the required privileges. For more information, see Privileges for VA assessments, privilege summaries, and penetration tests on page.
2. In the navigation menu, go to Administration > Global Configuration, and then click the Assessment tab.
3. Complete the following settings:

   Enable Pen Test
       Select True.

   Enable Pen Test For All Users in Database (software-only version)
       When set to false, all pentest policies except Default Password test the database using only the usernames in <dbtype>user.txt. When set to true, the policies test using all database usernames. For information on creating the <dbtype>user.txt file, see step 5. For more information on the file, see Files used for penetration tests on page 138.

   Pen Test Method
       Specify the method that FortiDB uses to connect to databases for penetration tests, using one of the following values:
       1 - Login method
       2 - Hash-based method (available for Oracle or Microsoft SQL databases only)
       3 - Hybrid method (FortiDB uses the hash-based method when it is available)
       For more information on these settings, see Connection options for penetration tests on page 137.

   Pen Test Password Dictionary
       Specify the file that contains the passwords that the Dictionary policy checks. If you do not select a file, the policy uses the default dictionary. The Browse button allows you to select a dictionary file. Click Save to complete your selection. FortiDB does not display the name of the uploaded file.
       To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your dictionary file is deleted.
       For software-only versions of FortiDB, for information on creating the dictionary.txt file, see step 5. For more information on the password dictionary file, see Files used for penetration tests on page.

4. To make your pentest settings take effect, restart FortiDB.
5. For software version users:
   - If you set Enable Pen Test For All Users in Database to false, copy the <dbtype>user.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the system account and password values in the file with the values that you want the pentest policies (except the Default Password policy) to use. For the oradefault.txt file, ensure that the system account and password values are in uppercase.
   - If you want the Default Password policy to use a custom list of system accounts with default passwords instead of the default list, copy the <dbtype>default.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the usernames and password values in the file with the values that you want the Default Password policy to use. For the orauser.txt file, ensure that the usernames and passwords are in uppercase.
   - If you did not use the Pen Test Password Dictionary property to select a password dictionary file and want the Dictionary policy to use a custom dictionary, copy the dictionary.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest. Replace the password values in the file with the values that you want the Dictionary policy to use.
   For more information on the files, see Files used for penetration tests on page.
6. Go to Policy > VA Policy Groups, and then click Pen Test Policy Group.
7. To enable or disable pentest policies, select the checkbox for one or more policies, and then click Enable or Disable.
8. Optionally, to edit a policy, click the policy name, edit the settings, and then click Save.
9. Assign the Pen Test Policy Group to a new or existing assessment. For detailed instructions, see Adding or modifying assessments on page.
10. Run the assessment. For detailed instructions, see Running assessments on page.
11. Evaluate the results of your assessment. "Failed" means your passwords are weak and may not protect you from malicious login attempts.

Data discovery policies and policy groups

The FortiDB sensitive data discovery feature uses data discovery policies to search a target database for sensitive information located in tables and columns. You use data discovery policy groups to add these policies to the sensitive data discovery configuration for a target database. For information on running sensitive data discovery, see Sensitive data discovery on page.
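Each of the six pentest policies in the table under Files used for penetration tests derives its candidate passwords from the username or from a word list. The following Python is an added example, not FortiDB's code: a self-check that reports which of those policies a planned credential would fail, so weak accounts can be fixed before the assessment runs rather than after it reports "Failed". The dictionary words, the domain name, the default-account list and the case-insensitive comparison are this example's constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample inputs. The six pentest policies and what each one tests come from the
# handbook's "Files used for penetration tests" table; the dictionary words, domain name and
# default-account list below are made-up placeholders for this example (assumption).
SAMPLE_DICTIONARY = ["welcome", "password", "oracle"]
SAMPLE_DOMAIN = "example.local"          # FortiDB adds the domain name to the dictionary itself
SAMPLE_DEFAULT_ACCOUNTS = {"SYS": "DEFAULTPW1", "SYSTEM": "DEFAULTPW2", "SCOTT": "DEFAULTPW3"}


def failing_policies(username: str, password: str,
                     dictionary: Iterable[str] = SAMPLE_DICTIONARY,
                     domain: str = SAMPLE_DOMAIN,
                     default_accounts: Dict[str, str] = SAMPLE_DEFAULT_ACCOUNTS) -> List[str]:
    """Return the names of the FortiDB pentest policies this credential would fail.
    Comparisons are case-insensitive, mirroring the handbook's uppercase Oracle files
    (assumption; a case-sensitive target fails no more than these)."""
    user, pw = username.upper(), password.upper()
    words = {w.upper() for w in dictionary} | {domain.upper()}
    checks = [
        # Default Password: the account/password pair is in <dbtype>default.txt
        ("Default Password", pw != "" and default_accounts.get(user, "").upper() == pw),
        # Dictionary: every username paired with every dictionary word (plus the domain name)
        ("Dictionary", pw in words),
        # Number Following Username: one or more digits appended to the username
        ("Number Following Username", re.fullmatch(re.escape(user) + r"\d+", pw) is not None),
        # Same as Username
        ("Same as Username", pw == user),
        # Username Following Number: one or more digits prepended to the username
        ("Username Following Number", re.fullmatch(r"\d+" + re.escape(user), pw) is not None),
        # Username Reversed: the username spelled backwards
        ("Username Reversed", pw == user[::-1]),
    ]
    return [name for name, failed in checks if failed]


def audit_credentials(pairs: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each username to the policies it fails; an empty list means it passes all six."""
    return {user: failing_policies(user, pw) for user, pw in pairs}


if __name__ == "__main__":
    # Constructed credentials to review; nothing here is a real account.
    planned = [("SCOTT", "SCOTT123"), ("APPUSER", "welcome"), ("REPORTS", "Xq7!vR2#pLm9")]
    for user, failed in audit_credentials(planned).items():
        print(f"{user:10} {'PASS' if not failed else 'FAIL: ' + ', '.join(failed)}")
```

The check is deliberately stricter than a real target in one respect: it ignores case, because the handbook requires the Oracle files to be uppercase. A credential that passes here therefore passes the corresponding FortiDB policy as well.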

Managing data discovery policies

Go to Policy > Data Discovery Policies to perform data discovery policy tasks such as adding or enabling a policy. To edit a policy, click its name. To create a policy, click Add.

The Data Discovery Policies and Edit Alert Policy pages display the following columns and settings:

Status (policy list only)
    Shows whether the policy is enabled or disabled. To enable or disable policies, select the checkbox for one or more policies, and then click Enable or Disable.

Policy Name
    The policy name.

Policy Type
    Either BUILT_IN or USER_DEFINED. You cannot delete built-in policies.

Match Rule
    Specifies the type of data FortiDB searches for:
        TEXT          Simple text
        CREDIT_CARD   16-digit number
                      E-mail address
        SSN           9-digit Social Insurance number (SSN)
    FortiDB searches for this criterion after any specified Column Name Pattern and Data Pattern criteria.

Column Name Pattern
    Specifies the pattern FortiDB searches for in table column names. Can be a specific value or a regular expression. If left blank, FortiDB does not search table column names.

Data Pattern
    Specifies the pattern FortiDB searches for in the first 40 rows of the database. Can be a specific value or a regular expression. If left blank or the value is .+ (a period followed by a plus sign), FortiDB does not search the sample set of rows.

"If checked, either column name pattern or data pattern matched lead to result. Or, both matched lead to result." (checkbox; edit policy only)
    Specifies whether search results include matches for either the Column Name Pattern or the Data Pattern, or only matches for both patterns.

Description (edit policy only)
    A description of the policy.

To export a policy as an XML format file, select the checkbox for one or more policies, and then click Export. Your web browser downloads the file. To import a policy, click Import, use the file selection option to navigate to and select an XML format file, and then click Import.

Data discovery policy groups

You add data discovery policy groups to a target's Sensitive Data Discovery configuration to specify the types of data FortiDB searches for. Go to Policy > Data Discovery Policy Groups to manage data discovery policy groups. Click a group name to edit the group, or click Add to add a new group. To delete a group, select the check box for one or more groups, and then click Delete.

Database Activity Monitoring (DAM) policies

Database activity monitoring policies specify the database activities that can generate security alerts or audit records.

Types of DAM policies

There are two types of DAM policies:

Alert
    Policies that generate an alert when database activity violates a policy rule.

Audit
    Policies that generate an audit record when FortiDB detects the database activity specified in the policy rules. FortiDB uses these policies only when it monitors target databases with the TCP/IP sniffer.

The following sub-types are available for both alert and audit policies:

Metadata Policies
    Pre-defined policies that generate alerts or audit logs when FortiDB detects metadata activity.

Privilege Policies
    Pre-defined policies that generate alerts or audit logs when FortiDB detects privilege activity.

Sys Operations Policy
    Pre-defined policy that generates alerts or audit logs when FortiDB detects SYS user operations.

Data Policy
    Policies that you create to generate alerts or audit logs when FortiDB detects data manipulation activity.

The following table describes the differences between the two types of DAM policy.

Used For
    Alert Policy: Generates an alert if an activity violates a policy rule
    Audit Policy: Logs the specified activity

Available With
    Alert Policy: All DAM collection methods
    Audit Policy: TCP/IP sniffer collection method only

Types of Data Policies
    Alert Policy: Table; Table and Column; Session; User; Database Query Policy
    Audit Policy: Database; Table; Table and Column; Session; User

Data Policy Configuration Options
    Alert Policy: "Read and Write" audit actions for Table, Table and Column; "Alert Rule" for violations; SQL query for "Database Query Policy"
    Audit Policy: "Select/Insert/Update/Delete/Truncate" audit actions for Table; "Select/Insert/Update/Delete" audit actions for Database, Table and Column; no "Alert Rule" settings

PCI, SOX, and HIPAA Policies
    Alert Policy: Yes
    Audit Policy: No

Severity Attribute
    Alert Policy: Yes
    Audit Policy: No

Managing DAM policies

The DAM Alert Policy and DAM Audit Policy pages display all policies with status, policy name, and supported databases information. Use these pages to perform the following tasks:

- Use the Data Policies list at the bottom of the page to create a new policy (see Data policies on page 148).
- Modify the pre-defined policies by clicking the policy name (see Privilege policies on page 166, Metadata policies on page 172, and PCI, SOX, and HIPAA alert policies on page 176).
- Delete user-defined policies by selecting the policy's check box, then clicking Delete.
- Filter the view by selecting an option from the View list.
- Go to the page for modifying a group by clicking the Edit button.
- Search for or create a new group by clicking the Search / New Group button.

The following table describes each icon in the policy table list.

Type
    Data Policy:
        Table: The policy monitors/audits suspicious reads and writes on specific tables.
        Table and Column: The policy monitors/audits suspicious reads and writes on specific table columns.
        Session: The policy monitors/audits suspicious session behavior.
        User: The policy monitors/audits suspicious reads and writes by specific users.
        Database (for Auditing): The policy audits reads and writes on specific databases.
        Database Query Policy (for Alert): The policy queries a database data value at intervals that you specify.
    (icon) indicates a privilege policy.
    (icon) indicates a metadata policy.
    (icon) indicates a PCI, SOX, and HIPAA policy.
    (icon) indicates the policy has a problem.

Status
    (icon) indicates the policy is disabled.
    (icon) indicates the policy is enabled.

Policy Name
    User-defined policy name, or pre-defined name.

Severity
    User-configurable severity level (not available for Audit Policy). There are 5 levels of severity: Informational (default), Cautionary, Minor, Major, Critical.

Supported Databases
    All, or a specific database type, or a fixed setting for each database.

Configuring policy information for a policy

When you add or edit a policy, complete the following settings under Policy Info:

Policy Name
    Enter a unique name for the policy; duplicating an existing policy name is not allowed.

Description
    Enter a description if necessary.

Enable
    Select to enable the policy.

Create new policy group for policy
    FortiDB automatically creates a policy group and adds it to the monitoring configuration for the target database. (This option is available for the target-based configuration: Data Access Monitoring > Monitors > click on the target name > Alert/Audit Policies tab > Data Policies dropdown.)

Severity
    For alert policies only. Specifies a severity.

Supported Database
    For data policies, select the type of target database the policy is used with. PCI, SOX, and HIPAA policies are supported on all database types. Privilege and metadata policies are restricted to specific database types.
    You cannot change the value of Supported Database if FortiDB is currently using the policy to monitor a target database. Use the target monitoring settings (DB Activity Monitoring > Monitoring Management) to stop monitoring, change the value of Supported Database, and then re-start monitoring.

Automatically generating alert policies

You can use the Start Generate Alert Policies option to automatically create table, session, and user policies for Oracle and Microsoft SQL Server target databases. The policies work with all the collection methods that are available for these database types.

When you activate the option, FortiDB starts to track target database activity. When you stop the option, FortiDB analyzes the information it has gathered. It considers the activity it observed during the monitoring period to be normal activity and generates policies that are appropriate for the target.

The Start Generate Alert Policies option creates a DAM Alert policy group that has the same name as the target database. You can manage and modify these policies and policy groups the same way you manage other user-defined policies.

The names of the user and session policies in the group use the following format:

    <target name>_<username>_<policy type>

where <policy type> is UserDataPolicy or SessionPolicy. The table policies use the following format:

    <target name>_<username>_tabledatapolicy_<monitored objects>

where <monitored objects> is either inclusive or exclusive. If the policy name contains inclusive, the policy monitors the objects that are specified under Audit Settings. For exclusive, the policy monitors all objects except those specified under Audit Settings.

Because it monitors all users and tables, the generation process can affect the performance of the monitored database.

To automatically generate data policies:

1. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.
2. On the General tab, click Start Generate Alert Policies.
3. After FortiDB has monitored the target for an appropriate length of time, click Stop Generate Alert Policies.
4. To view the generated policies, go to Policy > DAM Alert Policy Groups.

Data policies

FortiDB uses data policies to monitor or audit reads and writes on specific database objects. It also uses them to monitor database access that takes place via your application server, location, or OS user.

To configure a data policy:

1. Do one of the following:
   - To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
   - To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.
2. In the Data Policies list, select a type of data policy.
3. Click Add, and complete the policy settings:
   - For detailed information about the Policy Info settings, see Managing DAM policies on page 145.
   - For information on the Audit Settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring audit settings for a table policy on page 149.
   - For information on the Alert Rule settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring alert rules for a table policy on page.
4. Click Save to save the policy configuration.

Configuring a table policy

For basic policy configuration information, see Data policies on page 148.

Configuring audit settings for a table policy

1. Click the triangle icon of the Audit Settings section to expand it.
2. Select one of the following options:
   - Manually Select Object: You enter the specific object name.
   - Browse Object by Target: You select an object from the dropdown list (default).
3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.
4. Do one of the following:
   - For policies for Oracle and DB2 databases, for Schema, enter a schema name or select a name from the list.
   - For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.
5. In the Tables list, select one or more tables. For Oracle databases, you can also select a synonym.
6. Under Audit Actions, do one of the following:
   - For an alert policy, select Read (Select), Write (Insert/Update/Delete), or both.
   - For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.
7. Click > (right arrow) to move your selection to the Selected Objects table. To remove objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).

Configuring alert rules for a table policy

1. Click the triangle icon of the Alert Rules section to expand it.

2. In the Combination Rule field, select one option from the dropdown list:

   Issue alert if ANY of the enabled rules are triggered
       If you select this, each rule generates alerts individually.

   Issue alert if ALL of the enabled rules are triggered
       If you select this, only the combination of all selected rules generates an alert.

3. Mark the check boxes of the rules you want to apply:

   Security Violation
       Alert on any failed attempt to access the selected object without proper permission.

   Suspicious OS User
       Alert on any successful access to the selected object by certain OS users. You can specify one or more OS usernames by typing the specific name or using a regular expression.
       1. Click Add.
       2. Select an operator from the dropdown list.
       3. Enter the OS username, depending on the operator you selected.
       To generate alerts for the OS user(s) you specified in the list, check the "Alert any successful access if the OS user is specified in the list" check box. To generate alerts for the OS user(s) you did not specify in the list, check the "Alert any successful access if the OS user is not specified in the list" check box.

   Suspicious Location
       Alert on any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
       1. Click Add.
       2. Select an operator from the dropdown list.
       3. Enter a location name, depending on the operator you selected.
       4. Repeat steps 1 to 3 if necessary.
       To generate alerts for any successful access from locations you specified in the list, check the "Alert any successful access from locations in the list" check box. To generate alerts for any successful access from locations not in the list, check the "Alert any successful access from locations not in the list" check box.

   Suspicious Database Users
       Alert on any successful access to the selected object by certain database users. You can specify one or more users as follows:
       1. Select one or more users from the Users list.
       2. Click the right arrow to move the selections to the Selected Users list.
       Note: To remove users from the Selected Users list, select the users you want to remove and click the left arrow.
       To generate alerts for the database user(s) you specified in the list, check the "Alert any successful access if the database user is in the list" check box. To generate alerts for the database user(s) you did not specify in the list, check the "Alert any successful access if the database user is not in the list" check box.

   Suspicious Login Names
       Alert on any successful access to the selected object by certain login users. You can specify one or more users as follows:
       1. Select one or more users from the Users list.
       2. Click the right arrow to move the selections to the Selected Users list.
       Note: To remove users from the Selected Users list, select the users you want to remove and click the left arrow.
       To generate alerts for the login user(s) you specified in the list, check the "Alert any successful access if the login user is in the list" check box. To generate alerts for the login user(s) you did not specify in the list, check the "Alert any successful access if the login user is not in the list" check box.

   Suspicious Client Application (Client Id)
       Alert on any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
       1. Click Add.
       2. Select an operator from the dropdown list.
       3. Enter a client application, depending on the operator you selected.
       4. Repeat steps 1 to 3 if necessary.
       To generate alerts for the client applications you specified in the list, check the "Alert any successful access if the client application is in the list" check box. To generate alerts for the client applications you did not specify in the list, check the "Alert any successful access if the client application is not in the list" check box.

   Excessive Access Violation
   Alert on excessive access to the selected object within the specified time slot. You specify the maximum number of accesses allowed within a certain time period.
   1. Enter the number of accesses allowed.
   2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the length of the time period.
   Tracking Strategy: selects how accesses are counted against the threshold. The count can be kept separately per OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any tracking rule, every access to the objects in the audit settings is counted together.

   Time Range Violation
   Alert on any access to the selected object inside (or outside) certain time ranges. You can specify one or more time ranges.
   1. Click Add.
   2. Enter hour and minute values in the "Received from" and "To" fields, in 24-hour format.
   3. Repeat the above steps if necessary.
   To generate alerts for access within the time ranges, select "Alert any access if the timestamp is between time range". To generate alerts for access outside the time ranges, select "Alert any access if the timestamp is not between time range".

   Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")
   Alert on any successful access to the selected object from certain client IP addresses. This rule has effect only when the target is monitored with the Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
   1. Click Add.
   2. Enter a Start and End IP address for a range, or an IP address and netmask for a subnet.
   3. Repeat the above steps if necessary.
   To generate alerts for clients whose IP address is in one of the listed ranges or subnets, select "Alert any successful access if the client's IP is in the list". To generate alerts for clients whose IP address is not in any listed range or subnet, select "Alert any successful access if the client's IP is not in the list".
4. Click Save.
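The rules above are evaluated against each access event that matches the policy's audit settings, and the same rule definitions recur below for session and user policies. The following Python is an added illustration, not FortiDB code, of how four of these rules and the ANY/ALL Combination Rule behave over a few constructed audit events. The event field names, the sliding-window treatment of Excessive Access Violation, the wrap-around handling of a time range that crosses midnight, and the choice to count failed accesses toward the access threshold are assumptions made for this example; the handbook does not document FortiDB's internal matching.

```python
"""Added example (not FortiDB code): a model of DAM table-policy alert rules."""
from collections import defaultdict, deque
from datetime import datetime, time
import ipaddress
import re


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample audit events for one monitored table (not real captures).
# "ok" is whether the access succeeded; the "successful access" rules skip
# failed events, which is what the Security Violation rule would flag instead.
EVENTS = [
    {"ts": _ts("2017-03-17 02:15:00"), "os_user": "jdoe",    "client_ip": "10.1.5.20",   "ok": True},
    {"ts": _ts("2017-03-17 09:00:00"), "os_user": "jdoe",    "client_ip": "10.1.5.21",   "ok": True},
    {"ts": _ts("2017-03-17 09:00:10"), "os_user": "svc_etl", "client_ip": "203.0.113.9", "ok": True},
    {"ts": _ts("2017-03-17 09:00:20"), "os_user": "svc_etl", "client_ip": "203.0.113.9", "ok": True},
    {"ts": _ts("2017-03-17 09:00:30"), "os_user": "svc_etl", "client_ip": "203.0.113.9", "ok": True},
    {"ts": _ts("2017-03-17 09:00:40"), "os_user": "svc_etl", "client_ip": "203.0.113.9", "ok": False},
]


def client_ip_rule(entries, alert_if_in_list=True):
    """Suspicious Client IP: entries are ("start", "end") ranges or "ip/prefix"
    subnets. Fires on successful access only, either in or not in the list."""
    nets = []
    for entry in entries:
        if isinstance(entry, tuple):
            first, last = (ipaddress.ip_address(a) for a in entry)
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))

    def rule(ev):
        if not ev["ok"]:
            return False
        hit = any(ipaddress.ip_address(ev["client_ip"]) in n for n in nets)
        return hit if alert_if_in_list else not hit
    return rule


def os_user_rule(patterns, alert_if_in_list=True):
    """Suspicious OS User: each pattern is a regular expression that must match
    the whole OS user name (assumption: anchored matching)."""
    regs = [re.compile(p) for p in patterns]

    def rule(ev):
        if not ev["ok"]:
            return False
        hit = any(r.fullmatch(ev["os_user"]) for r in regs)
        return hit if alert_if_in_list else not hit
    return rule


def time_range_rule(ranges, alert_if_between=True):
    """Time Range Violation: ranges are ("HH:MM", "HH:MM") in 24-hour format.
    Assumption: a range whose end is earlier than its start (22:00 to 06:00)
    wraps past midnight; verify how the UI treats that case before relying on it."""
    parsed = [(time.fromisoformat(a), time.fromisoformat(b)) for a, b in ranges]

    def rule(ev):
        t = ev["ts"].time()
        hit = any(a <= t <= b if a <= b else (t >= a or t <= b) for a, b in parsed)
        return hit if alert_if_between else not hit
    return rule


def excessive_access_rule(max_accesses, window_seconds, track_by=None):
    """Excessive Access Violation: more than max_accesses events inside a sliding
    window. track_by is the Tracking Strategy (e.g. "os_user"): one counter per
    distinct value; None keeps a single counter. Failed accesses are counted too."""
    windows = defaultdict(deque)

    def rule(ev):
        q = windows[ev[track_by] if track_by else "*"]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        return len(q) > max_accesses
    return rule


def evaluate(events, rules, combination="ANY"):
    """Return the indexes of events that alert under the Combination Rule.
    Every rule sees every event (no short-circuit), so the stateful access
    counter stays correct even when another rule already decided the outcome."""
    alerts = []
    for i, ev in enumerate(events):
        results = [rule(ev) for rule in rules]
        if any(results) if combination == "ANY" else all(results):
            alerts.append(i)
    return alerts


def build_rules():
    """A fresh rule set (empty counters) with hypothetical list contents."""
    return {
        "ip": client_ip_rule([("10.1.5.1", "10.1.5.50"), "192.0.2.0/24"], alert_if_in_list=False),
        "time": time_range_rule([("22:00", "06:00")], alert_if_between=True),
        "excess": excessive_access_rule(max_accesses=2, window_seconds=60, track_by="os_user"),
        "osuser": os_user_rule([r"svc_.*"], alert_if_in_list=True),
    }


def demo(combination, *names):
    rules = build_rules()
    return evaluate(EVENTS, [rules[n] for n in names], combination)


if __name__ == "__main__":
    print("ANY ip/time/excess:", demo("ANY", "ip", "time", "excess"))
    print("ALL ip/excess:     ", demo("ALL", "ip", "excess"))
```

With ANY, the off-hours access at 02:15, the three successful accesses from the address outside the list, and the third and fourth accesses by svc_etl inside one minute each raise an alert on their own; with ALL over the IP and access-count rules, only the access that is both from an unlisted address and over the per-user threshold alerts. Note that the ALL combination silently drops events that trip only one rule, so it suits high-confidence correlations rather than general coverage.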

Table policy alert rules for different databases
The alert rules that are available for a table policy are determined by the database type.

Oracle
   Security Violation, Suspicious OS User, Suspicious Location, Suspicious Database Users (Login Name), Suspicious Client Application (Client Id), Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")
Microsoft SQL Server
   Security Violation, Suspicious OS User, Suspicious Location, Suspicious Database Users, Suspicious Login Names, Suspicious Client Application, Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")
DB2
   Security Violation, Suspicious OS User, Suspicious Location, Suspicious Database Users, Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")
Sybase
   Security Violation, Suspicious OS User, Suspicious Location, Suspicious Login Names, Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")

MySQL
   Security Violation, Suspicious Location, Suspicious Login Names, Excessive Access Violation, Time Range Violation

Configuring a table and column policy
For basic policy configuration information, see Data policies on page 148. For information on setting rules for alert policies, see Configuring alert rules for a table policy on page 149.
To configure audit settings for a table and column policy
1. Click the triangle icon of the Audit Settings section to expand it.
2. Select one of the following options:
   Manually Select Object: you enter the object parameters.
   Browse Object by Target: you select an object from the dropdown list (default).
3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.
4. Do one of the following:
   For policies for Oracle and DB2 databases, for Schema, enter a schema name or select a name from the list.
   For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.
5. In the Tables list, select a table. For Oracle databases, you can also select a synonym.
6. In the Column list, select one or more columns of the table you selected.
7. If you are configuring an alert policy, for MatchSQL, enter a SQL string; FortiDB generates an alert when it detects that string.
8. Under Audit Actions, do one of the following:
   For an alert policy, select Read (Select), Write (Insert/Update/Delete), or both.
   For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.
9. Click > (right arrow) to move your selection to the Selected Objects table. To remove objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).

10. Repeat steps 5 through 9 to add further columns to the Selected Objects table, if required.

Configuring a session policy
For basic policy configuration information, see Data policies on page 148.

Configuring audit settings for a session policy
1. Click the triangle icon at Audit Settings to expand it.
2. Select the Any User or Specify Users radio button.
3. For Specify Users, type a user name in the Enter user box. Alternatively, click the Browse by target dropdown list, select one or more users from the Users selection box, and click the right arrow to move the selection to the Selected Users table. To remove a user from the Selected Users list, select the user and click the left arrow.

Configuring alert rules for a session policy
1. Click the triangle icon at Alert Rules to expand it.
2. In the Combination Rule field, select one of the following from the dropdown list:
   Issue alert if ANY of the enabled rules are triggered
   Issue alert if ALL of the enabled rules are triggered
3. Select the check box of each rule you want to enable:

   Login/Logout Activity
   Generate alerts for login/logout activity. Select "Alert Login Failure" to alert on failed logins only, or select "Alert All Login/logout Activity" to alert on every login and logout.

   Suspicious Login Time
   The time of login is outside the specified normal hours. You specify the time ranges by entering numbers:
   1. In the From and To fields, enter the starting and ending times of a range you want to treat as suspicious login time.
   2. If necessary, click the + sign to add another time range, or the - sign to remove a time range.
   To generate alerts for logins within the listed time ranges, select the "Alert if login time is within one of the time ranges in the list" check box. To generate alerts for logins outside the listed time ranges, select the "Alert if login time is NOT within one of the time ranges in the list" check box.

   Extremely Long Session
   Generate alerts when the duration of a session is abnormally long. You specify the threshold by entering the number of hours allowed for a session.

   Excessive Read Activities
   Generate alerts when the number of logical page reads in a session is abnormally high. You specify the threshold by entering the number of page reads allowed for a session.

   High Read Ratio
   Generate alerts when the number of logical page reads per minute is abnormally high. You specify the threshold by entering the number of page reads per minute allowed for a session.

   Suspicious OS User
   Alert on any successful access by certain OS users.
   Note: For Microsoft SQL Server, this rule applies only to Windows authentication; a session that uses SQL Server authentication carries no Windows user name for the rule to match.
   You can specify one or more OS user names by typing the specific name or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter an OS user name, depending on the operator you selected.
   4. Repeat steps 1 to 3 if necessary.
   To generate alerts for the OS users in the list, select the "Alert any successful access if the OS user is specified in the list" check box. To generate alerts for OS users that are not in the list, select the "Alert any successful access if the OS user is not specified in the list" check box.

   Suspicious Location
   Alert on any successful access from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter a location name, depending on the operator you selected.
   4. Repeat steps 1 to 3 if necessary.
   To generate alerts for the locations in the list, select the "Alert any successful access from locations in the list" check box. To generate alerts for locations that are not in the list, select the "Alert any successful access from locations not in the list" check box.

   Suspicious Client Application
   Alert on any successful access by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter a client application, depending on the operator you selected.
   4. Repeat steps 1 to 3 if necessary.
   To generate alerts for the client applications in the list, select the "Alert any successful access if the client application is in the list" check box. To generate alerts for client applications that are not in the list, select the "Alert any successful access if the client application is not in the list" check box.

   Excessive Access Violation
   Alert on excessive access within the specified time slot. You specify the maximum number of accesses allowed within a certain time period.
   1. Enter the number of accesses allowed.
   2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the length of the time period.
   Tracking Strategy: selects how accesses are counted against the threshold. The count can be kept separately per OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any tracking rule, every access matching the audit settings is counted together.

   Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")
   Alert on any successful access from certain client IP addresses. This rule has effect only when the target is monitored with the Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
   1. Click Add.
   2. Enter a Start and End IP address for a range, or an IP address and netmask for a subnet.
   3. Repeat the above steps if necessary.
   To generate alerts for clients whose IP address is in one of the listed ranges or subnets, select "Alert any successful access if the client's IP is in the list". To generate alerts for clients whose IP address is not in any listed range or subnet, select "Alert any successful access if the client's IP is not in the list".
4. Click Save.

Configuring a user policy
For basic policy configuration information, see Data policies on page 148.

Configuring audit settings for a user policy
1. Click the triangle icon of the Audit Settings section to expand it.
2. Select the Any User or Specify Users radio button.
3. For Specify Users, type the account name in the Enter user box. Alternatively, click the Browse by target dropdown list to browse the users available on the target.
4. For an alert policy, in the Audit Actions field, select the Read (Select) check box, the Write (Insert/Update/Delete) check box, or both.
5. For an audit policy, in the Audit Actions field, select one or more of the Select, Insert, Update, Delete, and Truncate check boxes.
6. Click the right arrow to move the selection to the Selected Users table. To remove users from the Selected Users list, select the user you want to remove, then click the left arrow.
7. For an alert policy, configure the alert rules.

Configuring alert rules for a user policy
1. Click the triangle icon of the Alert Rules section to expand it.
2. In the Combination Rule field, select one of the following from the dropdown list:
   Issue alert if ANY of the enabled rules are triggered: each enabled rule generates alerts individually.
   Issue alert if ALL of the enabled rules are triggered: an alert is generated only when all of the enabled rules are triggered.
3. Select the check box of each rule you want to enable:

   Security Violation
   Alert on any failed attempt to access the selected object without proper permission.

   Suspicious OS User
   Alert on any successful access to the selected object by certain OS users. You can specify one or more OS user names by typing the specific name or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter an OS user name, depending on the operator you selected.
   To generate alerts for the OS users in the list, select the "Alert any successful access if the OS user is specified in the list" check box. To generate alerts for OS users that are not in the list, select the "Alert any successful access if the OS user is not specified in the list" check box.

   Suspicious Object Access
   Alert on any successful access to the selected object(s). The objects can be selected in two ways: Manually Select Object, or Browse Object by Target (default). To browse, specify one or more objects as follows:
   1. Select a target from the Target dropdown list.
   2. Select a schema from the dropdown list.
   3. Select one or more tables from the Tables list.
   4. In the Audit Actions field, select the Read (Select) check box, the Write (Insert/Update/Delete) check box, or both.
   5. Click the right arrow to move the selections to the Selected Objects list.
   Note: To remove objects from the Selected Objects list, select the objects you want to remove and click the left arrow.
   To generate alerts for the objects in the list, select the "Issue alert if the accessed object is specified in the list" check box. To generate alerts for objects that are not in the list, select the "Issue alert if the accessed object is not specified in the list" check box.

   Suspicious Location
   Alert on any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter a location name, depending on the operator you selected.
   4. Repeat steps 1 to 3 if necessary.
   To generate alerts for the locations in the list, select the "Alert any successful access from locations in the list" check box. To generate alerts for locations that are not in the list, select the "Alert any successful access from locations not in the list" check box.

   Suspicious Client Application (Client Id)
   Alert on any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.
   1. Click Add.
   2. Select an operator from the dropdown list.
   3. Enter a client ID, depending on the operator you selected.
   4. Repeat steps 1 to 3 if necessary.
   To generate alerts for the client applications in the list, select the "Alert any successful access if the client application is in the list" check box. To generate alerts for client applications that are not in the list, select the "Alert any successful access if the client application is not in the list" check box.

   Excessive Access Violation
   Alert on excessive access to the selected object within the specified time slot. You specify the maximum number of accesses allowed within a certain time period.
   1. Enter the number of accesses allowed.
   2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the length of the time period.
   Tracking Strategy: selects how accesses are counted against the threshold. The count can be kept separately per OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any tracking rule, every access matching the audit settings is counted together.

   Time Range Violation
   Alert on any access to the selected object inside (or outside) certain time ranges. You can specify one or more time ranges.
   1. Click Add.
   2. Enter hour and minute values in the "Received from" and "To" fields, in 24-hour format.
   3. Repeat the above steps if necessary.
   To generate alerts for access within the time ranges, select "Alert any access if the timestamp is between time range". To generate alerts for access outside the time ranges, select "Alert any access if the timestamp is not between time range".

   Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")
   Alert on any successful access to the selected object from certain client IP addresses. This rule has effect only when the target is monitored with the Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.
   1. Click Add.
   2. Enter a Start and End IP address for a range, or an IP address and netmask for a subnet.
   3. Repeat the above steps if necessary.
   To generate alerts for clients whose IP address is in one of the listed ranges or subnets, select "Alert any successful access if the client's IP is in the list". To generate alerts for clients whose IP address is not in any listed range or subnet, select "Alert any successful access if the client's IP is not in the list".
4. Click Save.

User policy alert rules for various databases
The alert rules that are available for a user policy are determined by the database type.

Oracle
   Security Violation, Suspicious OS User, Suspicious Object Access, Suspicious Location, Suspicious Client Application (Client Id), Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")
Microsoft SQL Server
   Security Violation, Suspicious OS User, Suspicious Object Access, Suspicious Location, Suspicious Client Application, Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")
DB2
   Security Violation, Suspicious OS User, Suspicious Object Access, Suspicious Location, Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")
Sybase
   Security Violation, Suspicious OS User, Suspicious Object Access, Suspicious Location, Excessive Access Violation, Time Range Violation, Suspicious Client IP (only for "TCP/IP Sniffer")
MySQL
   Security Violation, Suspicious Object Access, Suspicious Location, Excessive Access Violation

Configuring a database policy
Database policies generate audit records only. You do not configure them to generate alerts.
To configure a database policy
1. Do one of the following:
   To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Audit Policies.
   To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Audit Policies tab.
2. In the Data Policies list, select Database, and then click Add.
3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies.
4. To expand Audit Settings, click the triangle icon beside the section name.
5. Do one of the following:
   Select Manually Select Object and then enter the specific database or schema name.
   Select Browse Object by Target to select a specific database or schema name from the list.
6. If you are configuring the policy using Policy > DAM Audit Policies and selecting an object by browsing, for Target, select a target. Then, select one or more items from the Database or Schema list. Enter text in the Search field to filter the list of databases and schemas.
7. For Audit Actions, select one or more of the following values: Select, Insert, Update, Delete.
8. Click > (right arrow) to move the selected items to the Selected Objects table. To remove items, select the item, and then click < (left arrow). Click << (double left arrow) to remove all items.
9. Click Save. The new policy is displayed in the list of policies.

Configuring a database query policy
A database query policy is an alert policy that queries the target database with SQL on a schedule and saves the result as an alert. Database query policies do not generate audit records. The query runs under the FortiDB database user configured for the target, so grant that account only the read access the query needs.
For example, for Microsoft SQL Server databases, a database query policy whose SQL Query returns the server version string produces an alert with a result like the following:

   Microsoft SQL Server (Intel X86) Feb :13:17 Copyright (c) Microsoft Corporation Express Edition on Windows NT 6.0 <X86> (Build 6002: Service Pack 2) (Hypervisor)
FortiDB runs the database query policy according to a schedule you specify.
To configure a database query policy and add it to a target monitoring configuration
1. Do one of the following:
   Go to Policy > DAM Alert Policies.
   Go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies tab.
2. In the Data Policies list, select Database Query, and then click Add.
3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies.
4. Complete the following settings, which are specific to database query policies:
   SQL query: enter the query text.
   Return Records Count Limit: enter the maximum number of returned records that FortiDB includes in the alert that this policy generates. For example, if you enter 5, the database returns the first 5 records of the queried table, and FortiDB displays them in the details of the corresponding alert. The default value is 1.
   Targets: select the target database to query.
5. If you are creating the policy using the monitoring configuration for a specific target, you can ensure the policy is added to that configuration by selecting Create new policy group for policy.
6. To test whether the SQL query is valid, click Test. If it is valid, the message "Success" is displayed.
7. Click Save. The policy you created is displayed in the data policy list.
8. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.
9. On the Alert Policy Groups tab, ensure that a group that includes the database query policy you created is selected. For example, the policy is included if the Data Policies policy group is selected. For more information on adding policies, see Adding policy groups to target database monitoring.
10. Click the Query Schedule tab, select Enable Schedule for Database Query Policy, and then use the following settings to specify a schedule:

   Schedule type: specify Run Once or Recurring.
   Starts at: specify a start time and date for the policy.
   Recurrence pattern: specify the interval at which FortiDB runs the policy. For example, select Weekly, and then select a day of the week. Displayed only when Recurring is selected.
   Ends by: specify No end date or select a date. Displayed only when Recurring is selected.
11. Click Save.

Privilege policies
The target database monitoring and auditing features use privilege policies to monitor or track changes to privilege settings in selected databases. You cannot create privilege policies, but you can modify some of the settings of the pre-defined privilege policies.
To view predefined privilege policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies.
To configure a privilege policy
1. Do one of the following:
   To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
   To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.
2. To identify privilege policies, do one of the following:
   If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies. The View menu filters policies using the pre-defined Privilege Policies group, which includes privilege policies for all database types. To view privilege policies for a specific database type, modify the filter of the Privilege Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 179.
   If you are using the target monitoring configuration, look for the privilege policy icon in the Type column.
3. Click the name of the policy you want to configure.
4. On the Edit Audit Policy page, under Policy Info, enter an optional description, and then select Enable.
5. If you are configuring an alert policy, for Severity, select one of the following options:

   Informational (default, lowest severity level)
   Cautionary
   Minor
   Major
   Critical (highest severity level)
6. Click Save.

Oracle privilege policies
FortiDB provides the following privilege policies for Oracle databases:

Column Privileges
Contents: column-level privilege grants.
This policy generates alerts when column privileges are modified. For example, user SCOTT can grant UPDATE on one column of a table to another user without letting that user update the other columns of the same table. (Oracle allows column-level grants only for INSERT, UPDATE, and REFERENCES; SELECT cannot be granted per column.)

Profiles
Contents: resources (I/O, etc.) assigned to users.
This policy generates alerts when profiles are modified. Changes to any profile setting can have wide-reaching effects.

Role Privileges
Contents: roles granted to users and to other roles.
This policy generates alerts when role privileges are modified. It also contains information about which roles have been assigned to other roles. A change in a user's roles means a change in that user's access privileges, so role changes should be closely monitored to ensure data security.

Roles
Contents: database roles.
This policy generates alerts when roles are modified. It contains information about all existing roles in the database.

System Privileges
Contents: all granted system privileges.
This policy generates alerts when system privileges are created, deleted, or modified. It contains all system privileges granted to any user or role. System privileges are powerful and should be granted with great caution; monitoring system-privilege changes should be mandatory.

Table Privileges
Contents: all granted schema-object privileges.
This policy generates alerts when table privileges are modified. It lists all granted privileges on schema objects, including tables, views, sequences, procedures, functions, and packages.

User Privileges
Contents: database users.
This policy generates alerts when users are modified. It contains information about the users in the database. Although this view has no privilege information, it lists the users to whom privileges may be assigned or changed.

Microsoft SQL Server privilege policies
The following privilege policies are available for Microsoft SQL Server databases:

Column Privileges
Privileges involved: column-level privileges.
This policy generates alerts when column privileges are modified.

Member Privileges
Privileges involved: role- and group-membership assignments.
This policy generates alerts when memberships are modified.

Object Privileges
Privileges involved: column-, table- and other object-level privileges.
This policy generates alerts when object privileges are modified.

Roles
Privileges involved: all objects that are accessible by the current user.
This policy generates alerts when roles are modified. It contains information about all existing roles in the database.

Server Roles
Privileges involved: default server roles assigned to users.
This policy generates alerts when server roles are modified.

User Privileges
Privileges involved: valid database users and the groups to which they belong.
This policy generates alerts when user privileges are modified.

Sybase privilege policies
The following privilege policies are available for Sybase databases:

Column Privileges
Privileges involved: column-level privileges.
This policy generates alerts when column privileges are modified.

Member Privileges
Privileges involved: role- and group-membership assignments.
This policy generates alerts when membership privileges are modified.

Object Privileges
Privileges involved: column-, table- and other object-level privileges.
This policy generates alerts when object privileges are modified.

Procedures
Privileges involved: procedure privileges.
This policy generates alerts when procedures are modified.

Roles
Privileges involved: all role groups at the server level.
This policy generates alerts when role groups are modified.

Roles and Groups
Privileges involved: all roles and groups. A group is a user group at the database level.
This policy generates alerts when roles and groups are modified.

System Privileges
Privileges involved: all granted system privileges.
This policy generates alerts when system privileges are modified.

User Privileges
Privileges involved: valid database users and the groups to which they belong.
This policy generates alerts when user privileges are modified.

DB2 privilege policies
The following privilege policies are available for DB2 databases:

Column Privileges
Contents: column privileges.

Database Privileges
Contents: database system privileges.

Index Privileges
Contents: index privileges. This policy tracks the right to DROP the index; for example, the creator of an index automatically holds this CONTROL privilege.

Package Privileges
Contents: a package is a database object that groups related procedures, functions, associated cursors, and variables together.
   CONTROL: provides the ability to rebind, drop, and execute the package, and to extend these package privileges to others. Only SYSADM and DBADM authorities can grant CONTROL privilege.
   BIND: provides the privilege to rebind an existing package.
   EXECUTE: provides the privilege to execute a package.

Schema Privileges
Contents: objects within a schema, such as tables, views, indexes, packages, data types, functions, triggers, procedures, and aliases.
   CREATEIN: provides the privilege to create objects within the schema.
   ALTERIN: provides the privilege to alter objects within the schema.
   DROPIN: provides the privilege to drop objects within the schema.

171 Privilege policies Database Activity Monitoring (DAM) policies Policy Names Contents Description CONTROL: Provides the privilege to DROP the table or view and GRANT table or view privileges to somebody else. ALTER: Provides the privilege to add columns, comments, primary key or unique constraint, in order to create triggers, and create or drop check constraints Table and View Privileges Tables and view privileges DELETE: Provides the privilege to delete rows INDEX: Provides the privilege to CREATE INDEX INSERT: Provides the privilege to INSERT rows. REFERENCES: Provides the privilege to CREATE or DROP a foreign key. SELECT: Provides the privilege to retrieve data. UPDATE: Provides the privilege to change existing entries. Tablespace Privileges tablespace privileges A SYSADM or SYSCTRL authority can create Tablespace and grant USE privilege to others Privilege policies MySQL privilege policies The following privilege policies are available for MySQL databases: Policy Names Privileges involved Description Column Privileges Column-level privilege This policy generates alerts when the column privileges are modified. Object Privileges Column- and table-and other object-level privileges This policy generates alerts when the object privileges are modified. Procedures Procedure privilege This policy generates alerts when the procedures are modified. 171

Metadata policies

The target database monitoring and auditing features use metadata policies to monitor or track changes to the metadata of selected databases. You cannot create metadata policies, but you can modify some of the settings of the pre-defined metadata policies.

To view the pre-defined metadata policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies.

To configure a metadata policy
1. Do one of the following:
   To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.
   To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.
2. To identify metadata policies, do one of the following:
   If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies. The View menu filters policies using the pre-defined Metadata Policies group, which includes metadata policies for all database types. To view metadata policies for a specific database type, modify the filter of the Metadata Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 179.
   If you are using the target monitoring configuration, under Type, look for the metadata policy icon.
3. Click the name of the policy you want to configure.
4. On the Edit Audit Policy page, under Policy Info, enter an optional description, and then select Enable.
5. If you are configuring an alert policy, for Severity, select one of the following options:
   Informational (default, lowest severity level)
   Cautionary
   Minor
   Major
   Critical (highest severity level)
6. Click Save.

Oracle metadata policies

The following metadata policies are available for Oracle databases:

Policy Names | Contents | Description
Packages | packages | This policy generates alerts when database packages are modified.
Synonyms | synonyms | This policy generates alerts when database synonyms are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

Microsoft SQL Server metadata policies

The following metadata policies are available for Microsoft SQL Server databases:

Policy Names | Contents | Description
Routines | routines | This policy generates alerts when database packages are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

Sybase metadata policies

The following metadata policies are available for Sybase databases:

Policy Names | Contents | Description
Indexes | indexes | This policy generates alerts when indexes are modified.
Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.
Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

DB2 metadata policies

The following metadata policies are available for DB2 databases:

Policy Names | Contents | Description
Aliases | aliases | This policy generates alerts when aliases are modified.
Indexes | indexes | This policy generates alerts when indexes are modified.
Packages | packages | This policy generates alerts when database packages are modified.
Tables | tables | This policy generates alerts when tables and columns are modified.
Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

MySQL metadata policies

The following metadata policies are available for MySQL databases:

Policy Names | Contents | Description
Events | events | This policy generates alerts when events are modified.
Indexes | indexes | This policy generates alerts when indexes are modified.
Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.
Tables | tables | This policy generates alerts when tables and columns are modified.
Triggers | triggers | This policy generates alerts when triggers are modified.
Views | views | This policy generates alerts when views are modified.

PCI, SOX, and HIPAA alert policies

Regulatory compliance policies record all types of database activities and store the data in the FortiDB repository. You can use these policies to generate the following compliance reports:
   Sarbanes-Oxley (SOX)
   Payment Card Industry Data Security Standard (PCI DSS)
   Health Insurance Portability and Accountability Act (HIPAA)
You cannot create these types of policies, but you can change the configuration of the pre-defined metadata policies. For details about compliance reports, see PCI, SOX, and HIPAA reports on page 242.

To view regulatory compliance policies:
1. Go to Policy > DAM Alert Policies.
2. Select the policy type from the View dropdown. For example, select PCI Policies.

For Oracle databases, if the Security Alerts page does not display alerts generated by regulatory compliance policies as expected, you can run a script that fixes the problem. See Configuring an Oracle database for PCI, SOX, and HIPAA policies on page 81.

Configuring PCI, SOX and HIPAA policies

Some regulatory compliance reports require you to set either Object Audit Options or User Audit Options for the corresponding policy group item.
1. Go to Policy > DAM Alert Policies.
2. For View, select PCI Policies, Sox Policies, or HIPAA Policies.
3. Click the policy name. The Edit Alert Policy page for the policy is displayed.
4. Enter the following information if necessary:
   a. Enter a description.
   b. Select Enable to enable the policy.
5. Select one of the following severity options from the dropdown list:
   Informational (default, lowest severity level)
   Cautionary
   Minor
   Major
   Critical (highest severity level)
6. For generating reports, set Object Audit Options or User Audit Options, if required. See Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options) on page 177 and Select users to audit for PCI and SOX reports (User Audit Options) on page 178.

Selecting which tables FortiDB tracks for PCI, SOX and HIPAA reports (Object Audit Options)

Some regulatory compliance reports require you to select the tables on which FortiDB tracks data changes. The reports display the activity in the tables you specify. You select the objects to audit for the following regulatory compliance reports using the corresponding PCI or SOX policy:
   Abnormal or Unauthorized Changes to Data
   Abnormal Use of Service Accounts
   Abnormal Termination of Database Activity
   End of Period Adjustments
   PCI - Invalid Operation
   PCI - Access to Credit Card Tables
   HIPAA Privilege Changes
   HIPAA Access to EPHI data
   HIPAA User Privileges on EPHI data

To configure the Object Audit Options settings for a policy
1. Go to the editing page for the policy. (See Configuring PCI, SOX and HIPAA policies on page 176.)
2. Under Object Audit Settings, in the Select Objects to Audit section, select one of the check boxes. The following steps are based on the default setting of this field.
   Manually Select Object: You enter the specific object name.
   Browse Object by Target: You select one from the dropdown list (default).
3. In the Target field, select a target from the dropdown list.
4. For Oracle and DB2, in the Schema field, select one from the dropdown list. For Microsoft SQL Server and Sybase, select one from the dropdown list in the Database field, and then select one in the Schema field.
5. From the Tables selection box, select one or more tables. For Oracle databases, you can also select a synonym.
6. In the Audit Actions field, select the Read (Select) check box, the Write (Insert/Update/Delete) check box, or both.
7. Click the right arrow to move the selection to the Selected Objects table. To remove objects from the Selected Objects list, select the objects you want to remove, and then click the left arrow.
8. Click Save.
9. Optionally, configure the User Audit Options for the following policies: Sox Abnormal or Unauthorized Changes to Data, Sox Abnormal Termination of Database Activity, Sox Abnormal Use of Service Accounts, and PCI - User Audit Options. For details about setting the User Audit Options, see "Setting or Modifying User Audit Options".

Select users to audit for PCI and SOX reports (User Audit Options)

This action is required for the following policies to generate the corresponding reports: Abnormal Use of Service Accounts, Abnormal Termination of Database Activity, Sox Abnormal or Unauthorized Changes to Data, and PCI - Privileged User Action.
1. To edit the policy, in the list of SOX or PCI policies, click its name. For example, click Sox Abnormal or Unauthorized Changes to Data.
2. In the User Audit Options section, select a target from the Browse by target dropdown list. Alternatively, enter a username in the Enter user field.
3. Click the right arrow to move the selection to the Selected Users table. To remove users from the Selected Users list, select the user you want to remove, and then click the left arrow.
4. Click Save.

Alert and audit policy groups

FortiDB provides pages that display all DAM alert and audit policy groups with descriptions and allow you to perform the following tasks:
   Add a new policy group by selecting Add.
   Click the group name to modify the policy group, including selecting which target databases FortiDB monitors using the policies in the group.
   Delete user-defined policy groups by selecting the group and clicking Delete.
Because you use filtering criteria to specify which policies are members of a group, any time you create a new policy that matches the filtering criteria, FortiDB automatically adds it to the corresponding policy group.

Creating or modifying an alert or audit policy group
1. Do one of the following:
   Go to Policy > DAM Alert Policy Groups
   Go to Policy > DAM Audit Policy Groups
2. Do one of the following:
   To add a new group, click Add. Then, for Group Name, enter a name for the policy group. You can click Cancel to cancel creating a new policy-group filter and go back to the main policies page.
   To modify a group, click its name.
3. Optionally, for Description, add or edit text that describes your grouping criteria or other helpful information.
4. On the Filters tab, use the following settings to create or edit your filtering criteria:
   Operator: And and Or are not available for the first row.
   Column: Specify a column to use for filtering.
   Operator: Specify an operator.
   Value: Enter a value or select one from the list of available values. If you are using a list, click > (right arrow) to add selected items to the right-hand list.
   - (minus) and + (plus): Click to add or remove rows that define criteria.
   For example:
   Column | Operator | Value | Returns
   Database Type | Equals | DB2 | All policies associated with DB2 databases
   Policy Type | Equals | Metadata Policies | Metadata policies associated with DB2 databases
5. To apply your filtering criteria, click Search.
6. To save the configuration, select Save Group.
7. To associate the policy group with a target database:
   a. Select the Targets tab.
   b. In the box on the left, select targets to associate with the policy group, and then click the right arrow to move the selection to the box on the right.
8. Click Save.

Adding policy groups to target database monitoring

You use the DAM Alert Policy Groups and DAM Audit Policy Groups pages to add alert or audit policy groups to the monitoring configuration for one or more target databases. Go to Policy > DAM Alert Policy Groups or Policy > DAM Audit Policy Groups, click a group name, and then use the Targets tab to select targets.

Alternatively, you can use the target database monitoring configuration to add policies to an individual target. For information, see Adding alert and audit policies to monitoring on page 205 and Adding policy groups to target monitoring on page 206.

Deleting a policy group

You can delete user-defined policy groups but not pre-defined policy groups.
1. Do one of the following:
   Go to Policy > DAM Alert Policy Groups
   Go to Policy > DAM Audit Policy Groups
2. Select the check box for one or more user-defined policy groups.
3. Click Delete.
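The membership rule above (a policy belongs to a group whenever it matches the group's filter rows, so a newly created policy joins matching groups on its own) can be checked against a small model. The following Python is an added example, not FortiDB code: it evaluates filter rows of the Column / Operator / Value form against a constructed list of policy attributes. The Equals operator and the DB2 / Metadata Policies rows are the handbook's own example; the Not Equals and Contains operators, the attribute names, and the left-to-right combination of And/Or rows without precedence are assumptions made for this example.

```python
# Constructed sample of policy attributes that a group filter can match on.
# Only "Database Type" and "Policy Type" appear in the handbook's example.
POLICIES = [
    {"name": "Tables",             "Database Type": "DB2",    "Policy Type": "Metadata Policies"},
    {"name": "Tablespaces",        "Database Type": "DB2",    "Policy Type": "Metadata Policies"},
    {"name": "Package Privileges", "Database Type": "DB2",    "Policy Type": "Privilege Policies"},
    {"name": "Tables",             "Database Type": "Oracle", "Policy Type": "Metadata Policies"},
]

# "Equals" is the operator the handbook shows; the other two are assumptions.
OPERATORS = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not Equals": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: wanted.lower() in actual.lower(),
}


def matches(policy, rows):
    """Evaluate filter rows against one policy.

    Each row is (conjunction, column, operator, value). The first row's
    conjunction is ignored (the UI offers no And/Or there); later rows are
    combined with the running result left to right. Combining without
    operator precedence is an assumption made for this example.
    """
    result = None
    for conjunction, column, operator, value in rows:
        hit = OPERATORS[operator](policy.get(column, ""), value)
        if result is None:
            result = hit
        elif conjunction == "And":
            result = result and hit
        elif conjunction == "Or":
            result = result or hit
        else:
            raise ValueError(f"unknown conjunction {conjunction!r}")
    return bool(result)


def group_members(rows, policies):
    """Sorted "<database type>/<policy name>" entries the filter currently selects."""
    return sorted(f"{p['Database Type']}/{p['name']}" for p in policies if matches(p, rows))


# The handbook's example group: Database Type Equals DB2,
# And Policy Type Equals Metadata Policies.
DB2_METADATA_GROUP = [
    (None, "Database Type", "Equals", "DB2"),
    ("And", "Policy Type", "Equals", "Metadata Policies"),
]


def add_policy(policies, name, db_type, policy_type):
    """Register a new policy. Membership is recomputed from the filter rows on
    every call to group_members, so the new policy appears in each group it matches."""
    policies.append({"name": name, "Database Type": db_type, "Policy Type": policy_type})
    return policies


if __name__ == "__main__":
    print(group_members(DB2_METADATA_GROUP, POLICIES))
    add_policy(POLICIES, "Views", "DB2", "Metadata Policies")
    print(group_members(DB2_METADATA_GROUP, POLICIES))
```

Running the block prints the two DB2 metadata policies, then three once the new Views policy is registered, which is the automatic membership the handbook describes; an Or row (for example, Database Type Equals Oracle Or Policy Type Equals Metadata Policies) widens the group instead of narrowing it.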

Vulnerability assessment

You configure and run vulnerability assessments (VAs) from the Assessments page. This assessment management page allows you to create a database group, add policy groups and a schedule, and run the scan.

Adding or modifying assessments

This topic describes the task of adding (or modifying) FortiDB assessments. For a successful assessment, you must:
   Create, or use an existing, target-database group which contains at least one valid target database
   Create, or use an existing, policy group which contains at least one working policy
FortiDB does not perform an automatic session timeout after a certain period of time has elapsed. For example, if you leave assessment results on your screen while at lunch, unauthorized individuals could see this information. Therefore, you should log out or close your browser if you expect to leave your computer unattended.
Items marked with an asterisk (*) on data-entry forms are mandatory.
1. Go to Vulnerability Assessment > Assessments.
2. Do one of the following:
   To add an assessment, click Add.
   To modify an assessment, click its name.
3. On the General tab, enter the requested items: an Assessment Name so that you can reuse it later and (optionally) a Description of your assessment. Then configure your assessment using the tabs on the web page.
4. On the Targets tab, specify which target groups you want to assess. Select one or more target groups from the Available Target Groups list on the left and click >> (right arrows) to add them to the Assigned Target Groups list. You can remove a target group from the Assigned Target Groups list on the right by clicking << (left arrows).
5. On the Policies tab, specify which policy groups you want to assess with.
   a. Select one or more policy groups from the Available Policy Groups list on the left and add them to the Assigned Policy Groups list by selecting the right-arrow button. (To remove a policy group from the Assigned Policy Groups list, select the left-arrow button.)
   b. To see the policies associated with a policy group, select the group in either the Available Policy Groups list or the Assigned Policy Groups list. The list of policies is displayed in the Active Policies list.
6. Optionally, to specify policies to exclude from assessments by target:
   a. Click Vulnerability Assessment > Assessments Exempted Policies.
   b. Double-click the name of the target to view the list of policies you can exempt from assessments for that target.
   c. In the Available Exempted Policies list, select the policy to exclude, and then click >> (double arrows) to add it to the Selected Exempted Policies list.
   d. Click Save.

Running assessments

The Scheduling tab of the Assessment page provides the following options:
   Run once: Enables you to specify the time and date for a single assessment run
   Recurring: Enables you to schedule a series of assessments

Running an assessment immediately
1. Go to Vulnerability Assessment > Assessments.
2. Click the name of an assessment.
3. Click Run.

Running an assessment at a specified date and time
1. Select the Run once radio button.
2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.
3. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)
4. Select the Save button to save your schedule.

Running scheduled assessments
1. Select the Recurring radio button.
2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.
3. Select one of the radio buttons in the Recurrence pattern field group.
   If you choose the Hourly radio button, you can then specify the hourly interval in the Every hours field.
   If you choose the Daily radio button, you can then specify the daily interval in the Every days field.
   If you choose the Weekly radio button, you can then specify the day(s) of the week on which you want your weekly assessments to run.
   If you choose the Monthly radio button, you can then specify which day(s) during which month(s) you want your assessment to run. The Day radio button and adjacent dropdown list allow you to specify the numeric day on which your assessment runs in each specified month. Alternatively, you may specify the day in each month, such as the 'first Monday', using the two provided dropdown lists.
   a. In the Starts at field group, specify a starting time or use the default.
   b. In the Recurrence pattern field group, select the Hourly, Daily, Weekly, or Monthly radio button.
   c. In the Ends by field group, you can leave the default No end date radio button selected, or select the End by radio button and then specify the date on which you want your schedule to end by selecting it on the calendar icon.
4. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)
5. In the Administrative Domains section, you can select the users to which this scheduled task applies. Remember that users may only manage specific targets, so this section provides a way to perform assessments on particular targets. If one or more of the selected users manages all targets, then assessments are performed on all applicable targets for this VA scan.
6. Select the Save button to save your schedule.

Configuring assessment notifications

This topic describes the task of configuring how and to whom assessment notifications are sent. You can choose email and/or SNMP-trap notifications of these issues.
1. In the Desired Notification format(s) section of the Notifications tab, select the Target Level (default) and/or the Rule Level check box(es). Target-level notifications contain a target-database-level summary of issues discovered during the assessment. Rule-level notifications contain detail for every discovered issue.
2. Select the Enable Email and/or the Enable SNMP Trap check box(es) to enable email and/or SNMP notifications, respectively, of assessment-discovered issues.
   a. For email notifications, you must designate one or more receivers. Select one or more of the entries in the Available Receivers list box and add them to the Selected Receivers list on the right by selecting the right-arrow button.

   When a receiver cannot be reached, it is your email server's responsibility to retry sending the email. To remove receiver(s), select them in the Selected Receivers list and select the left-arrow button. To see the details associated with any receiver, select the name of a receiver in either the Available Receivers or Selected Receivers list; those details appear in the Receiver Details list on the right.
   b. For SNMP notifications, you should set the Notification properties in the System Configuration component of the FortiDB application. The non-appliance version of FortiDB ships with MIB files in the $FortiDB_HOME/etc/snmp directory.
3. (Optional) If you want to attach reports to the notification, go to the Reports tab, select the Attach reports to selected receivers check box, and make sure to select one or more report(s) and format(s). The Enable Report Generation to Disk option does not need to be selected to use this capability.

Notification OIDs for target-level assessments

FortiDB uses the following object identifiers (OIDs) for target-level assessment notifications:

OID | Meaning
SNMPv2-SMI::enterprises | Fortinet enterprise ID
SNMPv2-SMI::enterprises | FortiDB product ID
SNMPv2-SMI::enterprises | VA Alert Trap/Notification
SNMPv2-SMI::enterprises | Assessment Time
SNMPv2-SMI::enterprises | Target Name
SNMPv2-SMI::enterprises | Assessment Name
SNMPv2-SMI::enterprises | FortiDB host name
SNMPv2-SMI::enterprises | Policy count
SNMPv2-SMI::enterprises | Total Failed Count
SNMPv2-SMI::enterprises | Critical failure count
SNMPv2-SMI::enterprises | Major failure count
SNMPv2-SMI::enterprises | Minor failure count
SNMPv2-SMI::enterprises | Caution failure count
SNMPv2-SMI::enterprises | Informational count

An example of a trap for a target-database-level SNMP notification:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises
SNMPv2-SMI::enterprises = STRING: "Tue Dec 04 17:38:15 PST 2007"
SNMPv2-SMI::enterprises = STRING: "Test Target"
SNMPv2-SMI::enterprises = STRING: "Test Assessment"
SNMPv2-SMI::enterprises = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises = STRING: "158"
SNMPv2-SMI::enterprises = STRING: "36"
SNMPv2-SMI::enterprises = STRING: "10"
SNMPv2-SMI::enterprises = STRING: "0"
SNMPv2-SMI::enterprises = STRING: "2"
SNMPv2-SMI::enterprises = STRING: "4"
SNMPv2-SMI::enterprises = STRING: "20"

Notification OIDs for Rule-Level Assessments

FortiDB uses the following object identifiers (OIDs) for rule-level assessment notifications:

OID | Meaning
SNMPv2-SMI::enterprises | Fortinet enterprise ID
SNMPv2-SMI::enterprises | FortiDB product ID
SNMPv2-SMI::enterprises | VA Alert Trap/Notification
SNMPv2-SMI::enterprises | VA Target Level Alert Trap/Notification
SNMPv2-SMI::enterprises | Severity
SNMPv2-SMI::enterprises | Policy Name
SNMPv2-SMI::enterprises | Assessment Time
SNMPv2-SMI::enterprises | Application server name
SNMPv2-SMI::enterprises | Target Name
SNMPv2-SMI::enterprises | Assessment Name
SNMPv2-SMI::enterprises | Target Name
SNMPv2-SMI::enterprises | FortiDB host name
SNMPv2-SMI::enterprises | Policy count
SNMPv2-SMI::enterprises | Total Failed Count
SNMPv2-SMI::enterprises | Critical failure count
SNMPv2-SMI::enterprises | Major failure count
SNMPv2-SMI::enterprises | Minor failure count
SNMPv2-SMI::enterprises | Caution failure count
SNMPv2-SMI::enterprises | Informational count
SNMPv2-SMI::enterprises | Policy ID

An example of formatted traps for a rule-level SNMP notification:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (73) 0:00:00.73
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises
SNMPv2-SMI::enterprises = STRING: "Test Assessment"
SNMPv2-SMI::enterprises = STRING: "Test Target"
SNMPv2-SMI::enterprises = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises = STRING: "Thu Dec 06 16:26:26 PST 2007"
SNMPv2-SMI::enterprises = STRING: "158"
SNMPv2-SMI::enterprises = STRING: "36"
SNMPv2-SMI::enterprises = STRING: "10"
SNMPv2-SMI::enterprises = STRING: "0"
SNMPv2-SMI::enterprises = STRING: "2"
SNMPv2-SMI::enterprises = STRING: "4"
SNMPv2-SMI::enterprises = STRING: "20"

An example of the trap with the rule information:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84) 0:00:00.84
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises
SNMPv2-SMI::enterprises = STRING: "6501"
SNMPv2-SMI::enterprises = STRING: "MINOR"
SNMPv2-SMI::enterprises = STRING: "DVA ORCL Lock and Expire Unused Default Accounts"
SNMPv2-SMI::enterprises = STRING: "VA@jdoe.fdb.com"
SNMPv2-SMI::enterprises = STRING: "Test Target"
SNMPv2-SMI::enterprises = STRING: "Test Assessment"
SNMPv2-SMI::enterprises = STRING: "Thu Dec 06 16:26:26 PST 2007"

Selecting the type of report an assessment generates

FortiDB allows you to select which reports your assessment generates. For example, it can generate a summary report, a detailed report, or both.
1. Go to Vulnerability Assessment > Assessment.
2. Click the name of an assessment.
3. Click the Reports tab.
4. Specify which reports you want for your assessment.
   a. Select one or more reports from the Available Reports list on the left and add them to the Selected Reports list box by clicking the right-arrow button. (To remove a report from the Selected Reports list, select the left-arrow button.) To view a report description, select the report in the Selected Reports list box; the description appears in the Report Description list box on the right.
   b. Select the Enable Report check box.
5. In the Report formats field group, enable one or more of the following check boxes:
   PDF (.pdf) (the default)
   Excel (.xls)
   Comma Delimited (.csv)
   Tab Delimited (.txt)
6. Select the Save button.

Reviewing, deleting, and aborting assessment results

The Results tab of the Assessment page allows you to view the status and other information about completed and incomplete assessments, view assessment results, and abort assessments. When you click a Start Time value in the top table, the target name and other information are displayed in the bottom table (under Results for each target). When you click a Target value in the bottom table, detailed results for the target are displayed.
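A collector that receives the target-level trap shown above (for example from an snmptrapd log) has to give the anonymous varbinds the meanings listed in the target-level OID table and should sanity-check the counts before routing the alert. The following Python is an added example, not FortiDB or Fortinet code. It assumes the varbinds arrive in the order of the target-level OID table (the handbook's sample trap is consistent with that order) and, because the numeric sub-OIDs under SNMPv2-SMI::enterprises are not reproduced in this transcription, it keys on varbind order rather than on OID digits. The consistency check is taken from the sample values, where Total Failed Count (36) equals the five severity counts added together (10 + 0 + 2 + 4 + 20); the constructed sample input is the handbook's target-level trap laid out one varbind per line, and the severity ranking used for triage is an assumption.

```python
import re

# Constructed sample: the handbook's target-level trap, one varbind per line as
# snmptrapd logs it. The numeric sub-OIDs below "enterprises" are not available
# here, so the regex accepts any suffix and the parser relies on varbind order.
TARGET_LEVEL_TRAP = """\
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises
SNMPv2-SMI::enterprises = STRING: "Tue Dec 04 17:38:15 PST 2007"
SNMPv2-SMI::enterprises = STRING: "Test Target"
SNMPv2-SMI::enterprises = STRING: "Test Assessment"
SNMPv2-SMI::enterprises = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises = STRING: "158"
SNMPv2-SMI::enterprises = STRING: "36"
SNMPv2-SMI::enterprises = STRING: "10"
SNMPv2-SMI::enterprises = STRING: "0"
SNMPv2-SMI::enterprises = STRING: "2"
SNMPv2-SMI::enterprises = STRING: "4"
SNMPv2-SMI::enterprises = STRING: "20"
"""

# Field order of a target-level trap, following the handbook's OID table
# (assumption: FortiDB emits the varbinds in that order; the sample matches).
TARGET_LEVEL_FIELDS = [
    "assessment_time", "target_name", "assessment_name", "fortidb_host",
    "policy_count", "total_failed",
    "critical", "major", "minor", "caution", "informational",
]
SEVERITY_FIELDS = ["critical", "major", "minor", "caution", "informational"]
# Triage ranking (assumed); mirrors the handbook's severity order, lowest first.
SEVERITY_RANK = {"informational": 0, "caution": 1, "minor": 2, "major": 3, "critical": 4}

# One STRING varbind: any OID under enterprises, then '= STRING: "value"'.
VARBIND_RE = re.compile(r'SNMPv2-SMI::enterprises\S*\s*=\s*STRING:\s*"([^"]*)"')


def string_varbinds(trap_text):
    """Return the STRING varbind values of one trap in the order they appear."""
    return VARBIND_RE.findall(trap_text)


def parse_target_level_trap(trap_text):
    """Map the varbinds of a target-level VA trap to named fields.

    Raises ValueError when the varbind count does not match the documented
    layout, a count is not numeric, or the severity counts do not add up to
    Total Failed Count (in the handbook's sample 36 = 10 + 0 + 2 + 4 + 20,
    so Total Failed Count includes the informational count).
    """
    values = string_varbinds(trap_text)
    if len(values) != len(TARGET_LEVEL_FIELDS):
        raise ValueError(f"expected {len(TARGET_LEVEL_FIELDS)} varbinds, got {len(values)}")
    record = dict(zip(TARGET_LEVEL_FIELDS, values))
    for field in ["policy_count", "total_failed", *SEVERITY_FIELDS]:
        if not record[field].isdigit():
            raise ValueError(f"{field} is not a count: {record[field]!r}")
        record[field] = int(record[field])
    if record["total_failed"] != sum(record[f] for f in SEVERITY_FIELDS):
        raise ValueError("severity counts do not add up to Total Failed Count")
    return record


def is_consistent(trap_text):
    """True when the trap parses and its counts are internally consistent."""
    try:
        parse_target_level_trap(trap_text)
    except ValueError:
        return False
    return True


def failures_at_or_above(record, threshold):
    """Non-zero per-severity failure counts at or above `threshold`, e.g. to
    decide whether a target needs a ticket rather than only a report entry."""
    floor = SEVERITY_RANK[threshold]
    return {s: record[s] for s in SEVERITY_FIELDS
            if SEVERITY_RANK[s] >= floor and record[s] > 0}


if __name__ == "__main__":
    rec = parse_target_level_trap(TARGET_LEVEL_TRAP)
    print(rec["target_name"], rec["assessment_name"], failures_at_or_above(rec, "minor"))
```

The rule-level traps above carry different varbind orders (the summary trap leads with the assessment name, the per-rule trap with the policy ID and severity), so a collector that subscribes to both needs a separate field list per trap type; with the real sub-OIDs from the MIB files in $FortiDB_HOME/etc/snmp, keying on the OID instead of on position is the more robust choice.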

Column name | Description
Status | The current status of the assessment
DB Type | The type of your target database
Failed (Cri,Maj,Min,Cau) | The number of failed policies by severity type, where Cri is Critical, Maj is Major, Min is Minor, and Cau is Cautionary
Passed | The number of passed policies
Informational | The number of Informational policies
Errors | The number of policies for which errors were returned
Total | The total number of policies incorporated by the assessment

The Status column can display the following values: Running, Idle, Queued, Completed, Error, Aborted.

To delete an assessment, select one or more items in the top table, and then click Delete.

To abort an assessment
Do one of the following:
   To abort an entire assessment, check the row of interest in the top table and then, below the top table, click Abort.
   To abort the assessment of a particular target database within an assessment, click a Start Time value in the top table, select a row in the bottom table, and then, below the bottom table, click Abort.

View VA global summary information

Click Vulnerability Assessment > Assessment Summary to view the summary information for all target databases. The summary information includes statistics of assessments and vulnerabilities found by assessment. If you assess the same target more than once, this global summary only summarizes the latest assessment.

The Vulnerability Assessment Global Summary page also displays statistics for checks that failed during the assessment, including severity, classification, and database type.

Assessment history

The Assessment History page displays the assessments that have run and the scheduled reports saved on disk.
   Assessments History tab: Displays all assessments that have run. Click the Target link to view the Detailed Report of that assessment. To delete assessment records, select them and click the Delete button.
   Scheduled Reports tab: When you enable the option "Save Scheduled Assessment Report to Disk File" on the Assessment > Report tab, the selected report files are saved to disk after the scheduled assessment runs. Go to the Scheduled Reports tab page to download or delete report files.

Import or export assessment history

You can export or import the result of an assessment as an XML file.

To export assessment results to an XML file

1. On the Assessments History page, specify a date range. Assessments run within this range are exported, from 0:00 on the first date up to 0:00 on the second date (results from the second date itself are not included).
2. Optionally, for Prefix, specify a prefix for the XML file name.
3. Click Export, and then save the downloaded XML file.

To import assessment results from an XML file

1. On the Assessments History page, click Import. The Import assessments history page is displayed.
2. Click Choose File to select an XML file.
3. Click Import.
4. Click the Back button to return to the Assessments History page.

If you import XML from another FortiDB, it might contain information about that FortiDB's own target databases, which are not managed by your current FortiDB. FortiDB imports these target databases as imported shadow targets, which it uses for assessment reporting. However, it does not add them to the target list and cannot manage them.

See also: Reviewing, deleting, and aborting assessment results, View VA global summary information

Viewing and exporting a privilege summary

To view the privilege summary, log in to FortiDB with an administrator account that has the Operations Manager or Report Manager role.

A privilege summary shows who has access to what in your target databases. As such, it can:
  Help you establish a baseline for your security system
  Show you if any users have more privileges than they need in order to do their jobs
  Show you if any roles (or, for DB2, groups) include more privileges than necessary
  Provide a common place to review privilege assignments for all FortiDB-supported target DB types
  Eliminate the need to execute the SQL statements to get privilege-assignment information

1. Click Vulnerability Assessment > Privilege Summary.
2. For Target Group, select the target group that contains the target database for which you want to see a privilege summary.
3. For Target, select the target database for which you want to see a privilege summary.

   You can access Microsoft SQL Server and Sybase targets individually via database-level connections or, as a group, via server-level connections.
4. For Database Name, select the name of the database for which you want to see a privilege summary.
5. Select the Users tab to see a list of users, or the Roles tab to see a list of roles, for the specified database.
   Because MySQL does not support roles or groups of privileges, no Roles tab is displayed for MySQL target databases. In MySQL, a user is identified by a combination of a user name and host name, such as root@localhost or navicat@. Therefore, two users with the same name but at different hosts can have different privileges.
   a. After you have selected a user or role, you can use the Privilege Type or Classification dropdown lists to filter the displayed information. The privilege information that is subsequently available depends on:
      FortiDB-user access having already been granted to certain target-database system tables, catalogs, and/or views. (See the Target Privilege Matrix for a list of the appropriate tables.)
      The particular combination of Privilege Type and Classification choices you make. (For more information on these choices, see DB-Type Distinctions on page 191.)
   b. Optionally, you can export most of the displayed privilege summary information in one of the following file formats:
      PDF (Portrait (the default) or Landscape orientation)
      Tab-delimited text (.txt)
      Comma-separated values (.csv)

See also: DB-Type Distinctions, Privileges for VA assessments, privilege summaries, and penetration tests

DB-Type Distinctions

The privilege summary information varies slightly by the type of the target database.

General differences

There are differences by RDBMS type:
  The Users tab is used for all RDBMS types.
  The Roles tab is used for all RDBMS types except MySQL, which does not support roles.
  For DB2 target databases, Roles means Groups.

Filtering differences

After selecting a specific user name on the Users tab, or a specific role on the Roles tab, you can filter the displayed privilege information.

For Oracle, DB2, Microsoft SQL Server, and Sybase, the Privilege Type dropdown offers these choices:
  Direct: privileges that have been directly assigned (that is, not via roles) to the selected user name
  Indirect: privileges that have been assigned via roles to the selected user name
MySQL applies the Direct type only.

For Oracle, the Classification dropdown offers these choices:
  Object Privileges: privileges that pertain to a specific schema or object
  System Privileges: privileges that do not pertain to a specific schema or object

For DB2, the Classification dropdown offers these choices:
  Column Auth: privilege information on certain columns
  DB Auth: privilege information on certain databases
  Index Auth: privilege information on certain indexes
  Package Auth: privilege information on certain packages
  Schema Auth: privilege information on certain schemas
  Table Auth: privilege information on certain tables
  Tablespace Auth: privilege information on certain tablespaces

For MySQL, the Classification dropdown offers these choices:
  Column Level: privilege information on certain columns. Granting/revoking the grant option applies to all privileges within the same table only.
  Schema Level: privilege information on certain databases. Granting/revoking the grant option applies to all privileges.
  Table Level: privilege information on certain tables. Granting/revoking the grant option applies to all privileges within the same table only.
  User Level: privilege information that applies to all databases on the database server. Granting/revoking the grant option applies to all privileges.

Column and column value differences

The column names and values used by the privilege summary vary by the DB type of your target database. For more information, see the documentation provided by your database vendor for system tables, views, and/or catalogs.

See also: Viewing and exporting a privilege summary
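The Direct/Indirect and Object/System filters described above amount to walking the target's role graph. The following Python is an added example, not FortiDB code and not any vendor's API: it resolves the same views over constructed grant data. The user names, role names, object names and privileges below are made up; on a real Oracle target the equivalent rows come from system views such as DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_ROLE_PRIVS, which a FortiDB user needs read access to. The example also goes one step beyond the summary page and computes the gap between what a user holds and what the job needs, which is the least-privilege question the summary exists to answer.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# A privilege is (classification, privilege, object); object is "" for
# system privileges, mirroring the Oracle Object/System classification.
Priv = Tuple[str, str, str]

# Constructed sample data (not from any real target): what each grantee,
# user or role, holds directly.
DIRECT_GRANTS: Dict[str, Set[Priv]] = {
    "APP_USER": {("Object", "SELECT", "HR.EMPLOYEES")},
    "SVC_BATCH": {("System", "CREATE SESSION", "")},
    "REPORTING": {("Object", "SELECT", "HR.SALARIES"), ("System", "CREATE SESSION", "")},
    "HELPDESK": {("Object", "UPDATE", "HR.EMPLOYEES")},
    "DBA_LITE": {("System", "ALTER ANY TABLE", ""), ("System", "DROP ANY TABLE", "")},
}

# Constructed sample data: roles granted to users, and roles nested in roles.
ROLE_GRANTS: Dict[str, Set[str]] = {
    "APP_USER": {"REPORTING"},
    "REPORTING": {"HELPDESK"},
    "AUDIT_USER": {"DBA_LITE"},
}


def expand_roles(grantee: str) -> Set[str]:
    """Every role reachable from grantee through nested role grants.

    Breadth-first with a visited set, so a loop in the role data cannot
    make the walk run forever.
    """
    seen: Set[str] = set()
    queue = deque(ROLE_GRANTS.get(grantee, ()))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(ROLE_GRANTS.get(role, ()))
    return seen


def privilege_summary(user: str, privilege_type: str,
                      classification: Optional[str] = None) -> List[Tuple[str, str, str, str]]:
    """Rows of (classification, privilege, object, granted_via).

    privilege_type is "Direct" (granted to the user itself, granted_via "")
    or "Indirect" (granted to a role the user holds, granted_via = role).
    classification optionally restricts rows to "Object" or "System".
    A user with no roles (the MySQL case) simply gets an empty Indirect list.
    """
    if privilege_type == "Direct":
        sources = [(user, "")]
    elif privilege_type == "Indirect":
        sources = [(role, role) for role in sorted(expand_roles(user))]
    else:
        raise ValueError("privilege_type must be 'Direct' or 'Indirect'")
    rows = []
    for grantee, via in sources:
        for cls, priv, obj in DIRECT_GRANTS.get(grantee, ()):
            if classification is None or cls == classification:
                rows.append((cls, priv, obj, via))
    return sorted(rows)


def effective_privileges(user: str) -> Set[Priv]:
    """Union of direct grants and everything inherited through roles."""
    privs = set(DIRECT_GRANTS.get(user, ()))
    for role in expand_roles(user):
        privs |= DIRECT_GRANTS.get(role, set())
    return privs


def excess_privileges(user: str, required: Set[Priv]) -> Set[Priv]:
    """Privileges the user holds beyond the set the job actually needs:
    the least-privilege gap a reviewer looks for in the summary."""
    return effective_privileges(user) - required


if __name__ == "__main__":
    for ptype in ("Direct", "Indirect"):
        print(ptype)
        for row in privilege_summary("APP_USER", ptype):
            print("  ", row)
    needed = {("Object", "SELECT", "HR.EMPLOYEES"), ("System", "CREATE SESSION", "")}
    print("excess:", sorted(excess_privileges("APP_USER", needed)))
```

Note that an Indirect row records which role carried the privilege, because revoking an over-broad privilege from a user often means fixing the role, and a nested role (HELPDESK inside REPORTING here) is where unexpected grants usually hide.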

Sensitive data discovery

The FortiDB sensitive data discovery feature searches a target database for sensitive information located in tables and columns. It works with Oracle and Microsoft SQL Server target databases only.

Before you configure and run a sensitive data discovery scan, complete the following configurations:
  A FortiDB connection to the target database. See Adding (or modifying) a target connection on page 107.
  One or more data discovery policies. See Data discovery policies and policy groups on page 141.

Manage sensitive data discovery

Go to Vulnerability Assessment > Sensitive Data Discovery to manage data discovery. On the list page:
  Status: indicates whether the discovery is running (active) or not (inactive).
  Data Discovery Policy Group: the policy groups assigned to this discovery.
  Last Discovery: the time of the last discovery and the result found; click to view the detailed report.

Click a Target Name in the list to add or modify a data discovery:
  Target tab: select database metadata as the discovery object(s).
  Policy Group tab: select the discovery policy group to assign to this discovery.
  Result tab: after running the discovery, check this tab for the result summary.
Click Save to save the discovery definition.

Running sensitive data discovery

On the discovery add/modify page, click Save & Start Scan to save and start the discovery. On the discovery list page, select one or more discoveries using the checkboxes, then click Start Scan to start the discovery or Stop Scan to stop it.

Viewing sensitive data discovery reports

There are two pre-defined data discovery reports: detailed and summary.

To view a detailed report, do one of the following:
  On the discovery list page, click the link in the Last Discovery column.
  Go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Detailed Report, and then select a target and discovery time.

For a summary report, go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Summary Report, and then select a target and discovery time.

See also: Data discovery policies and policy groups, Viewing VA and sensitive data discovery event logs
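To make concrete what a policy-driven discovery scan does with the tables and columns it is pointed at, here is an added Python example; it is not FortiDB's implementation and does not reflect how FortiDB's own discovery policies are defined. The policy group, the table and column names, and the row values are all constructed for the example. Each policy is a pattern plus an optional validator; the Luhn check on the card-number policy shows why a validator matters, since a random 16-digit string that matches the pattern but fails the checksum would otherwise be reported as a finding. The scan yields the two report shapes the page describes: per-value hits (detailed) and per-column counts (summary).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum used by payment card numbers; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, n in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


@dataclass(frozen=True)
class DiscoveryPolicy:
    """A constructed policy: a pattern plus an optional validator that
    rejects pattern matches which cannot be genuine."""
    name: str
    pattern: "re.Pattern[str]"
    validator: Optional[Callable[[str], bool]] = None

    def matches(self, value: str) -> bool:
        m = self.pattern.search(value)
        if m is None:
            return False
        return self.validator is None or self.validator(m.group(0))


# Constructed policy group (names and patterns are this example's own).
POLICY_GROUP: List[DiscoveryPolicy] = [
    DiscoveryPolicy("Credit Card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_ok),
    DiscoveryPolicy("US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    DiscoveryPolicy("Email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

# Constructed stand-in for the tables and rows a scan reads from a target.
SAMPLE_TABLES: Dict[str, Dict[str, List[str]]] = {
    "CUSTOMERS": {
        "EMAIL": ["alice@example.com", "bob@example.org"],
        "NOTES": ["card on file 4111 1111 1111 1111",
                  "invoice 1234 5678 9012 3456 rejected"],   # digits fail Luhn
        "TAX_ID": ["123-45-6789", "n/a"],
    },
    "ORDERS": {"ORDER_NO": ["ORD-2023-000123", "ORD-2023-000124"]},
}


@dataclass(frozen=True)
class Hit:
    table: str
    column: str
    policy: str
    sample: str


def scan_tables(tables: Dict[str, Dict[str, List[str]]],
                policies: List[DiscoveryPolicy]) -> List[Hit]:
    """Detailed-report shape: one Hit per (value, policy) that matches."""
    hits: List[Hit] = []
    for table, columns in tables.items():
        for column, values in columns.items():
            for value in values:
                for policy in policies:
                    if policy.matches(value):
                        hits.append(Hit(table, column, policy.name, value))
    return hits


def summary_report(hits: List[Hit]) -> Dict[Tuple[str, str, str], int]:
    """Summary-report shape: hit count per (table, column, policy)."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for h in hits:
        key = (h.table, h.column, h.policy)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_tables(SAMPLE_TABLES, POLICY_GROUP)
    for key, n in sorted(summary_report(found).items()):
        print(f"{key[0]}.{key[1]}: {n} x {key[2]}")
```

A scan like this reads every row, so on a production target it belongs in a maintenance window and under an account with read-only access to the scanned schemas; the summary counts, not the matched values, are what should leave the database.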

Viewing VA and sensitive data discovery event logs

The Assessment Log page lists the event logs that vulnerability assessments and sensitive data discovery scans generate. To view the log, click Vulnerability Assessment > Local Assessment Log. The assessment log information includes Date, Module (VA or SDD), Assessment, Target, Severity, Action, and Result or Description.

You can use the Assessment Logs page for the following tasks:
  Display logs filtered by module (VA or SDD) that you select from the Module dropdown list.
  Display logs filtered by Assessment name (for VA only) that you select from the Assessment dropdown list.
  Display logs filtered by Target that you select from the Target dropdown list.
  Display logs filtered by Severity that you select from the Severity dropdown list.
  Display logs filtered by Action that you select from the Action dropdown list.
  Display logs filtered by the date range you select from the From and To fields.
  Display Date, Policy name, Target, Type, Severity, and description for each error.
  Export the log view you selected by clicking Export.
  Delete all logs by clicking Delete All.
  Configure the History Prune: specify the number of days after which to delete the log entries. The default is 30 days.

See also: Adding or modifying assessments, Sensitive data discovery

Database activity monitoring (DAM)

Database activity monitoring (DAM) centralizes monitoring and auditing. DAM also displays alerts and allows you to generate reports. Alert filtering criteria range from general classifications such as target or database type to detailed classifications such as severity and rule violation. Your filter settings can create a new alert group or modify the pre-defined alert groups. Alert groups can be exported to files in various formats such as .pdf, .xls, .csv, and .txt.

This chapter covers:
  Managing target monitoring
  Configuring target database monitoring
  Viewing alerts
  Viewing audit records (activity auditing results)
  Activity profiling
  SOX audit

Managing target monitoring

The Monitoring Management page provides centralized management for monitoring target databases. You can view monitoring status and the policies you configured, and start and stop monitoring. You can also associate policy groups with target databases and view generated alerts.

Monitoring Management page columns

  Status               Shows one of the following status icons:
                         The target has not been initialized for monitoring. Go to the monitoring configuration page to set up monitoring.
                         The target is not monitored.
                         Monitoring is starting.
                         Monitoring is stopping.
                         The target is being monitored, but some of the policies could not be applied.
                         Monitoring is active.
                         Monitoring is not running. An attempt to start the monitor failed.
                         FortiDB has disconnected from the target. The target database may not be available, or it is disconnected from the FortiDB agent (if using an agent as the collection method).
  Name                 Target name. Click to configure monitoring.
  DB Host Name/IP      Database host name or IP address of your target database computer.
  DB Type              Database type of your target: ORACLE, MSSQL, DB2, SYBASE, or MYSQL.
  Collection Method    Collection method used for monitoring.
  Alert Policy Groups  The group or groups of alert policies that specify the database activities that generate security alerts.
  Action               Icons to configure monitoring (same as clicking Name), show the alerts of this target, and show the local monitoring logs of this target.

Monitoring Management page buttons and fields

  View dropdown        Filters the display of the target list.

  Start Monitoring     Starts monitoring for the target database. You must select the target first.
  Stop Monitoring      Stops monitoring. You must select the target first.
  Restart              Stops and then starts monitoring.

See also: Configuring target database monitoring

Target monitoring configuration tabs and options

The monitoring configuration for a target database is displayed when you click the target's name on the Monitoring Management page.

Monitoring configuration page tabs and options

  General              Settings of the audit configuration for each target database. You can start and stop monitoring and auditing on this page. It also shows monitoring and auditing status. See Configuring target database monitoring on page 198.
  Alert Policies       Shows the available alert policies with information such as policy type, status, name, and severity. You can create data policies from this page, and enable or disable policies for the target. See Adding alert and audit policies to monitoring on page 205.
  Alert Policy Groups  Associates alert policy groups with your target database. See Adding policy groups to target monitoring on page 206.
  Audit Policies       Shows the available audit policies with their information. You can create data policies, or enable or disable policies, from this page. See Adding alert and audit policies to monitoring on page 205. Note: This tab is only available for the "TCP/IP Sniffer" collection method for Oracle, Microsoft SQL Server, Sybase, and DB2.
  Audit Policy Groups  Associates audit policy groups with your target database. See Adding policy groups to target monitoring on page 206. Note: This tab is only available for the "TCP/IP Sniffer" collection method for Oracle, Microsoft SQL Server, Sybase, and DB2.

  Query Schedule       Specifies a schedule for any database query policies, which are alert policies that query the target database with SQL and save the result as an alert. See Configuring a database query policy on page 164.
  Alert Notification   Configures alert notification for monitoring. See Sending alert notifications on page 207.
  Real Time Blocking   Enables or disables real-time blocking for monitoring configurations that use the TCP/IP sniffer, and configures blocking settings. See Blocking invalid access while monitoring on page 209.
  Audit Management     For Oracle, this page shows the issued audit command and all audit commands for each object. For Microsoft SQL Server, this page shows the audited events and audit filters used by FortiDB. This page is not applicable for Sybase. See Displaying the history of issued audit commands on page 212. Note: This tab is only available for the following collection methods: Oracle "DB, EXTENDED" or "XML File Agent"; Microsoft SQL Server "SQL Trace"; DB2 "DB2 Agent".
  White List           On the White List tab, you can configure data policies that are automatically excluded from the Alert Policy settings for Oracle or Microsoft SQL Server. See Excluding policies from the Alert Policy settings (whitelist) on page 210. Note: This tab is only available for the "DB, EXTENDED" collection method for Oracle and the "SQL Trace" collection method for Microsoft SQL Server. After monitoring starts, FortiDB does not generate alerts for SQL actions that match the white list settings. Only SQL actions that are known to be secure should match the white list settings.

Configuring target database monitoring

The General tab shows audit configuration information and monitoring status for each target database. The Audit Configuration settings specify how FortiDB collects audit information. The settings that are displayed depend on the database type and collection method. For more information, see the topic for the appropriate database type:
  Configuring monitoring using the TCP/IP sniffer (all database types) on page 199
  Configuring Microsoft SQL Server monitoring

  Configuring DB2 monitoring on page 202
  Configuring Sybase monitoring on page 202
  Configuring MySQL monitoring on page 203
  Configuring Oracle monitoring on page 204

The Test button is available for some collection methods. Click it to verify the connection. Click the Save button to save your Audit Configuration settings. The Monitoring settings allow you to start or stop monitoring.

Monitoring settings and messages

  Start Monitoring/Stop Monitoring       Click to start or stop monitoring.
  Start monitoring when FortiDB starts   Specifies whether FortiDB starts monitoring the current target automatically when it starts.
  Monitoring Status                      Displays one of the following monitoring status values: Running; Need Restart (a monitoring restart is required to apply a policy change); Idle; Terminating; Terminated; INIT (Initializing).
  Status Message                         Displays information related to the monitoring or auditing status.

See also: Target monitoring configuration tabs and options

Configuring monitoring using the TCP/IP sniffer (all database types)

FortiDB can monitor database activity using its TCP/IP sniffer. The activity auditing and profiling features require the TCP/IP sniffer.

1. To configure a target to support database activity monitoring, on the General tab for the target, for DB Activity Monitoring, select Allow. For more information on target configuration, see Adding (or modifying) a target connection on page 107.
2. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.
3. On the General tab, complete the following settings:

   Collection Method                   Select TCP/IP Sniffer.
   Version                             Select the version of the target database. FortiDB supports the following versions:
                                         Oracle 9i, 10g, 11g, 12c
                                         Microsoft SQL Server 2000, 2005, 2008, 2008_R2, 2012, 2014
                                         DB2 UDB 9.1, 9.5, 9.7
                                         Sybase ASE 12.5, 15.0, 15.5, 15.7
                                         PostgreSQL 8.x
   SSL Certificate Private Key         For Microsoft SQL Server databases only. If SSL encryption is enabled, select the SSL certificate private key file and enter the Key Password (if you have it) that FortiDB uses. The SSL certificate for SSL encryption is configured on the server side.
   SSL Certificate Private Key (P12)   For Oracle databases only. If SSL encryption is enabled and certificate information is stored in PKCS #12 format, select the certificate file and enter the Key Password. The SSL certificate for SSL encryption is configured on the server side. For more information, see Monitoring encrypted Oracle traffic on page 83.
   SSL Certificate Private Key (SSO)   For Oracle databases only. If SSL encryption is enabled, select the X.509 format certificate file and enter the Key Password. For more information, see Monitoring encrypted Oracle traffic on page 83.
   Sniffer on Port                     Specify the FortiDB port that is connected to the switch's SPAN port.
   Enable Activity Auditing            Select to enable activity auditing.
   Log All                             Select to audit all activity. Otherwise, FortiDB audits only activity captured by the policies specified on the Audit Policies tab.
   Enable Activity Profiling           Select to enable activity profiling.
4. If you did not select Log All, to specify the activity that is audited, do one of the following:
   On the Audit Policies tab, create a list of one or more policies to use.
   On the Audit Policy Groups tab, select one or more policy groups to use.

   For information on adding audit policies and audit policy groups to the configuration, see Adding alert and audit policies to monitoring on page 205. By default, no audit policies or policy groups are specified.
5. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.

See also: Target monitoring configuration tabs and options, Network requirements for monitoring using the TCP/IP sniffer

Configuring Microsoft SQL Server monitoring

FortiDB uses either SQL Trace or the TCP/IP sniffer to collect audit information from Microsoft SQL Server databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

To configure auditing for a Microsoft SQL Server database using SQL Trace

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See Microsoft SQL Server target database pre-configuration.
2. Verify that the SQL Server has an audit trace folder (for example, C:\SQLTrace). Ensure that you enter the full path to the folder.
3. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
4. On the General tab, complete the following settings:
   Collection Method        Select SQL Trace. To change the collection method from one option to the other, first stop monitoring, change the collection method, then restart monitoring.
   Trace Folder             Specify the folder where your server writes the trace information. Ensure that you enter the full path.
   Polling Frequency (ms)   Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.
5. Click Test to confirm the connection with the method you selected.

6. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.

See also: Target monitoring configuration tabs and options, Microsoft SQL Server target database pre-configuration

Configuring DB2 monitoring

FortiDB uses either a DB2 agent or the TCP/IP sniffer to collect audit information from DB2 databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

To configure auditing for a DB2 database using the DB2 agent

To change the collection method, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See DB2 target database pre-configuration.
2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. On the General tab, for Collection Method, select DB2 Agent.
4. Click Test to confirm the connection with the method you selected.
5. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring options, see Monitoring settings and messages on page 199.

See also: Target monitoring configuration tabs and options, DB2 target database pre-configuration

Configuring Sybase monitoring

FortiDB uses either the Sybase audit system (Sybase Monitoring and Diagnostic (MDA) tables) or the TCP/IP sniffer to collect audit information from Sybase databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

To configure auditing for a Sybase database using Monitoring and Diagnostic (MDA) tables

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete, which includes:
   Creating the sybsecurity database
   Installing installsecurity
   Configuring the MDA (Monitoring and Data Access) tables
   See Sybase target database pre-configuration.
2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. On the General tab, complete the following settings:
   Collection Method        Select MDA. To change the collection method, first stop monitoring, change the collection method, then restart monitoring.
   Polling Frequency (ms)   Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.
4. Click Test to confirm the connection with the method you selected.
5. Under Monitoring, click Start Monitoring. For information about the Monitoring options, see Monitoring settings and messages on page 199.

See also: Target monitoring configuration tabs and options, Sybase target database pre-configuration

Configuring MySQL monitoring

FortiDB uses the MySQL general log to collect audit information from MySQL databases.

To configure auditing for a MySQL database

To change the polling frequency for monitoring, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See MySQL target database pre-configuration.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. On the General tab, complete the following settings:
   Collection Method        Select General Log. To change the collection method, first stop monitoring, change the collection method, then restart monitoring.
   Polling Frequency (ms)   Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then restart monitoring.
4. Click Test to confirm the connection with the method you selected.
5. Under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.

See also: Target monitoring configuration tabs and options, MySQL target database pre-configuration

Configuring Oracle monitoring

FortiDB can use several methods to collect audit information from Oracle databases. The TCP/IP sniffer method is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

To configure auditing for an Oracle database

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See Oracle target database pre-configuration.
2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.
3. Obtain the value of your database's audit_trail parameter.
4. On the General tab, for Collection Method, select one of the following options:

   Oracle audit_trail value   Collection method   Agent required?
   db, extended               DB, EXTENDED        No
   db                         DB, EXTENDED        No. For Oracle 9i only. Monitoring Oracle 9i databases has the following limitations:
                                                    Table and table column policy: cannot retrieve the SQL statement text
                                                    Table, user, and session policy: no effect with the Suspicious Location rule
                                                    Session policy: no effect with the Extremely Long Session rule and the High Read Ratio rule
   xml, extended              XML File Agent      Yes. FortiDB's XML file agent provides high performance for auditing Oracle target databases. To use the XML file agent option, run the FortiDB XML file agent on your target database. For more information, see Oracle XML file agent installation and configuration (UNIX, Windows, AIX).
5. If you selected DB, EXTENDED, for Polling Frequency (secs), enter the polling frequency for audit collection, in seconds.
6. Click Test to confirm the connection with the method you selected.
7. Under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 199.

See also: Target monitoring configuration tabs and options, Oracle target database pre-configuration

Adding alert and audit policies to monitoring

The Alert Policies and Audit Policies tabs on the monitoring configuration page allow you to configure data policies. FortiDB can add these policies to a new policy group automatically and associate the group with the current target. Audit policies are available only for target monitoring configurations that use the TCP/IP Sniffer collection method.

The list of policies on the tab allows you to manage the policies that FortiDB uses to monitor the target:

  To enable or disable policies, select one or more items in the list (or the checkbox in the column header to select all items), and then click Enable or Disable.
  To delete user-defined policies, select the appropriate item, and then click Delete.
  To create a data policy, in the Data Policies list, select a policy type, and then click Add. For examples of creating data policies, see the database activity monitoring tutorials in FortiDB tutorials on page 19.
  To edit a policy name, click its name.
  Click the Restart button to restart monitoring after a policy change.

For detailed information on these policies, see Database Activity Monitoring (DAM) policies on page 144.

See also: Target monitoring configuration tabs and options, Oracle target database pre-configuration

Adding policy groups to target monitoring

When you configure monitoring for a target database, FortiDB automatically adds the data, metadata, and privilege alert policy groups to the configuration. However, it does not automatically associate the PCI, SOX, and HIPAA alert policy groups.

FortiDB does not automatically associate any audit policies or audit policy groups with the target monitoring configuration. To allow FortiDB to perform policy-based activity auditing, you either select Log All on the configuration's General tab or use the Audit Policies or Audit Policy Groups tabs to select policies.

Alternatively, instead of adding a policy group to a single target, you can add groups to multiple targets. For information, see Adding policy groups to target database monitoring on page 180.

To add a policy group to target database monitoring

1. Verify that you have a target connection that allows monitoring.
2. Go to DB Activity Monitoring > Monitoring Management.
3. Click the target name. The Target Monitor:<target name> page is displayed.
4. Select the Alert Policy Groups or Audit Policy Groups tab.
5. Select the policy groups you want to associate with the target from the Available Policy Groups box.
6. Click the right arrow to move the selection to the Selected Policy Groups box. When you select a group, its policies are displayed in the Selected Policy Group contents box.
7. Click Save.

See also: Alert and audit policy groups

Sending alert notifications

Use the Alert Notification tab to configure FortiDB to send a notification when it receives a monitoring alert. It can send alerts via email, SNMP, and other methods. You can also generate notifications as reports, which allows you to specify what alert information to include and schedule a time for FortiDB to generate and send the report. For more information, see Reports on page 233.

To access the Alert Notification tab, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

To send notifications via email

1. Go to Administration > Global Configuration > Notification, and then ensure that the host name and port of an email server are specified. For more information, see Notification properties.
2. Go to Administration > Administrators, and then ensure that an email address is specified for the administrators that you want to send notifications to. For more information on configuring administrators, see Administrators.
3. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target to configure.
4. On the Alert Notification tab, select Enable Email.
5. In the Available Receivers list, select an item, and then click >> (right arrows) to add it to the Selected Receivers list.
6. Click Save.

To send notifications via SNMP

1. Go to Administration > Global Configuration > Notification, and then ensure that the SNMP receiver host and port are specified. For more information, see Notification properties.
2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.
3. On the Alert Notification tab, select Enable SNMP Trap.
4. Click Save.

To send notifications to a Syslog server

1. Go to Administration > Global Configuration > Notification, and then ensure that the Syslog receiver host and port are specified. For more information, see Notification properties.
2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

3. On the Alert Notification tab, select Enable Syslog.
4. Click Save.

To send notifications to an ArcSight Syslog server
For the mapping of FortiDB event fields to ArcSight data fields, see FortiDB event to ArcSight data field mapping below.
1. Go to Administration > Global Configuration > Notification, and then ensure that the ArcSight Syslog receiver host and port are specified. For more information, see Notification properties.
2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.
3. On the Alert Notification tab, select Enable ArcSight Syslog.
4. Click Save.

FortiDB event to ArcSight data field mapping
The following table lists the ArcSight remote logging format field that corresponds to each FortiDB event field:

FortiDB event             ArcSight event data field
Hostname                  dhost
Source Hostname           shost
Alert Timestamp           rt
FortiDB Hostname          dvchost
Severity                  cat
Action                    act
Return Code               cn1
Display ID                externalid
DB Type                   cs1
System User               suser
DB User                   duser
Login Name                cs3
DB Object                 fname
Description               cs4
Target Database Name      cs5
Policy Name               cs6
Source Application        requestclientapplication
SQL Statement             msg

Blocking invalid access while monitoring
Because the real-time blocking feature uses the TCP/IP sniffer, the Real Time Blocking tab is available only when Collection Method is TCP/IP Sniffer.

You can configure FortiDB to use a TCP/IP reset (RST) mechanism to prevent invalid access to the server by database clients. FortiDB lets you select which alert policies it uses to validate the connection data. Whenever it blocks access, FortiDB generates a critical security alert.

Because real-time blocking interrupts the TCP connection, it can destabilize your database client application or application server. Ensure that you understand this feature and its implications before you enable it.

You can configure FortiDB to block a client for a specified period of time after it violates access policies. During this period, instead of scanning the connection for policy violations, which uses system resources, FortiDB automatically resets connections from the client. After the blocking period expires, FortiDB resumes scanning. Specifying a blocking period can improve performance if FortiDB is under attack by malicious clients. The default blocking period is 5 minutes.

To enable real-time blocking
1. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.
2. If FortiDB is currently monitoring the target, click Stop Monitoring.
3. On the Real Time Blocking tab, select Enable Real Time Blocking.
4. To configure FortiDB to continue to deny access to clients that it blocks for a specified period of time, select Block Client for [x] minutes, and then enter a value in minutes.

The default value is 5 minutes.
5. For TCP RST Blocking Port, select the network port FortiDB uses to send the TCP RST packet to the client's connection. Ensure that FortiDB can reach the connection between the database client and server through the port you specify. If the client is behind a firewall or router with NAT, the TCP reset appears to the client to come from the firewall or router.
6. To assign alert policies for real-time blocking, select one or more policies from the Available Policies list, and then click >> (right arrows) to move them to the Selected Policies list. The items in the Available Policies list come from the groups selected on the Alert Policy Groups tab. To remove items, select them and then click << (left arrows).
7. Click Save.
8. On the General tab, click Start Monitoring to restart monitoring with the real-time blocking feature enabled.

Excluding policies from the Alert Policy settings (whitelist)
Use the White List tab to specify Oracle or Microsoft SQL Server database activities that do not generate alerts. The White List tab is available only when the collection method is DB, EXTENDED (for Oracle databases) or SQL Trace (for Microsoft SQL Server databases).

Because FortiDB does not generate alerts for SQL actions that match the whitelist criteria, ensure that the SQL actions in the whitelist are known, secure actions.

To enable the whitelist
1. Go to DB Activity Monitoring > Monitoring Management and click the name of the target to configure.
2. On the White List tab, select Enable White List.
3. Use the following settings to specify the whitelist criteria:

Setting: Object Settings
Description: Excludes from alerts any successful access to the specified objects. Select one of the following selection methods:
- Manually Select Object
- Browse Object by Target (default)
Use the following options to specify one or more objects:
1. Select an item from the Target list.
2. Select an item from the Schema list.
3. In the Tables list, select one or more items and then click > (right arrow) to move your selections to the Selected Objects list. To remove objects, select them in the Selected Objects list and then click < (left arrow).

Setting: Login Name Settings
Description: Excludes from alerts any successful access to the specified objects by the specified login names. To specify one or more login names:
1. Select one or more login names from the login names list.
2. Click the right arrow to move the selections to the Selected login names list.
Note: To remove entries from the selected list, select them and click the left arrow.

Setting: DB User Settings
Description: Excludes from alerts any successful access to the selected objects by the specified database users. To specify one or more database users:
1. Select one or more database users from the list.
2. Click the right arrow to move the selections to the Selected database users list.
Note: To remove entries from the selected list, select them and click the left arrow.

Setting: OS User Settings
Description: Excludes from alerts any successful access to the selected objects by the specified OS users. You can specify one or more OS user names by typing the specific name or using a regular expression.
1. Type one OS user name into the text box.
2. Click the right arrow to move it to the Selected users list.
Note: To remove entries from the selected list, select them and click the left arrow.

Setting: Source Location Settings
Description: Excludes from alerts any successful access to the selected objects from the specified locations. You can specify one or more locations by typing the specific location or using a regular expression.
1. Type one hostname or IP address into the text box.
2. Click the right arrow to move it to the Selected source locations list.
Note: To remove entries from the selected list, select them and click the left arrow.

Setting: Application Settings
Description: Excludes from alerts any successful access to the selected objects by the specified client applications. You can specify one or more client applications by typing the specific application name or using a regular expression.
1. Type one application name or client ID into the text box.
2. Click the right arrow to move it to the Selected applications list.
Note: To remove entries from the selected list, select them and click the left arrow.

Displaying the history of issued audit commands
The target's Audit Management tab displays the history of issued audit commands. Each type of target database has a different style of audit management.
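Before moving on to audit management, here is an added example (not FortiDB's own code) that models how the whitelist criteria in the table above decide whether a matched policy still raises an alert. It assumes that only a successful access to a selected object is ever excluded, that entries within a category are ORed and categories with entries are ANDed, and that typed entries are literal names or regular expressions; the target, object, account and host values are constructed for the example.

```python
import re
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class DbAccess:
    """One audited statement, in the shape FortiDB reports it (constructed for this example)."""
    target: str
    schema: str
    table: str
    login_name: str
    db_user: str
    os_user: str
    source_location: str  # client hostname or IP address
    application: str      # client application name or ID
    return_code: int      # 0 means the statement succeeded


@dataclass
class WhiteList:
    """Mirrors the White List tab: selected objects plus optional per-category criteria."""
    enabled: bool = True
    objects: set = field(default_factory=set)             # {(target, schema, table)}
    login_names: set = field(default_factory=set)         # picked from a list: exact names
    db_users: set = field(default_factory=set)            # picked from a list: exact names
    os_users: list = field(default_factory=list)          # typed: literal name or regex
    source_locations: list = field(default_factory=list)  # typed: literal host/IP or regex
    applications: list = field(default_factory=list)      # typed: literal name or regex


def text_match(entries, value):
    """Typed entries may be a specific name or a regular expression. A literal comparison is
    tried first, then the entry is applied as a regex anchored to the whole value, so 'jdoe'
    and 'svc_.*' both behave as an operator expects. No entries means no restriction."""
    if not entries:
        return True
    for entry in entries:
        if entry == value:
            return True
        try:
            if re.fullmatch(entry, value, re.IGNORECASE):
                return True
        except re.error:
            pass  # not a valid regex: only the literal comparison above applies
    return False


def set_match(names, value):
    """List-selected entries (login names, DB users) match exactly; empty means no restriction."""
    return not names or value in names


def is_whitelisted(access, wl):
    """True when the access must not raise an alert. Assumed rule: only a *successful* access
    to a selected object is ever excluded, and every category that has entries must match."""
    if not wl.enabled or access.return_code != 0:
        return False
    if (access.target, access.schema, access.table) not in wl.objects:
        return False
    return (set_match(wl.login_names, access.login_name)
            and set_match(wl.db_users, access.db_user)
            and text_match(wl.os_users, access.os_user)
            and text_match(wl.source_locations, access.source_location)
            and text_match(wl.applications, access.application))


def should_alert(access, wl):
    """An alert policy already matched; decide whether the whitelist suppresses the alert."""
    return not is_whitelisted(access, wl)


def variant(access, **changes):
    """Copy an access with some fields changed (convenience for the scenarios below)."""
    return replace(access, **changes)


# Constructed scenario: the payroll batch job may read HR.EMPLOYEES without alerting, but only
# as PAYROLL_SVC, under a service OS account, from two known hosts, via the PayrollBatch client.
PAYROLL_WHITELIST = WhiteList(
    objects={("hr-prod", "HR", "EMPLOYEES")},
    login_names={"PAYROLL_SVC"},
    os_users=["svc_.*"],
    source_locations=[r"10\.20\.1\.(10|11)"],
    applications=["PayrollBatch"],
)

KNOWN_GOOD = DbAccess("hr-prod", "HR", "EMPLOYEES", "PAYROLL_SVC", "PAYROLL_SVC",
                      "svc_payroll", "10.20.1.10", "PayrollBatch", 0)

if __name__ == "__main__":
    scenarios = [
        ("known batch job", KNOWN_GOOD),
        ("same job, statement failed", variant(KNOWN_GOOD, return_code=1)),
        ("same job from an unknown host", variant(KNOWN_GOOD, source_location="10.20.1.12")),
        ("same job reading another table", variant(KNOWN_GOOD, table="SALARIES")),
        ("interactive OS user with the job's login", variant(KNOWN_GOOD, os_user="jdoe")),
    ]
    for label, acc in scenarios:
        print(f"{label:42s} alert={should_alert(acc, PAYROLL_WHITELIST)}")
```

Note that a failed attempt from the whitelisted job still alerts: the whitelist covers successful access only, so it does not hide brute-force or error-driven probing by an account that is otherwise trusted.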

The target's Audit Management tab is not available for Sybase or MySQL databases. For the remaining database types, it is available only when Collection Method is one of the following values:
- DB, EXTENDED or XML File Agent (for Oracle)
- SQL Trace (for Microsoft SQL Server)
- DB2 Agent (for DB2)

Oracle audit management
The target's Audit Management page for Oracle target databases displays the history of issued audit commands.

Statement options
The Statement options section displays:
- Database User
- Audit Option
- Success
- Failure

Object options
The Object options section displays all the audit commands, including success or failure, for each object with:
- Object owner
- Object name
- Object type
- Access or Session on SELECT/INSERT/UPDATE/DELETE/EXECUTE/ALTER
To update the list, click the Refresh button.

Clearing audit settings
FortiDB modifies the Oracle auditing system to monitor the policies that you define. These audit settings determine what is audited and therefore how fast the SYS.AUD$ table fills. Under normal operating conditions, FortiDB removes its settings when monitoring is stopped. However, sometimes the SYS.AUD$ table can become cluttered with other people's settings that were not properly removed. To correct this, use FortiDB's clear audit settings feature to remove all audit settings.

If FortiDB is the only client of the audit system, you can use this feature to clear all audit settings. If other people need the audit settings, do not clear them.

To clear audit settings, you must stop monitoring. After clearing the settings, the audit statement and audit options tables will be empty. If you then start FortiDB monitoring, you will see only the FortiDB audit settings that are necessary for the enabled policies.

Audit management
When using the audit-based collection methods for Oracle, you may want to clear the audit settings from previous operations if FortiDB is used as the exclusive auditing mechanism for that target database. Also, for the DB,EXTENDED collection method, you may want to delete all previous log entries in the Oracle target database. You can do both in the Audit Settings Management section of the Audit Management tab. These options are selected by default, so be sure to deselect them if FortiDB is not the only service that uses Oracle's auditing mechanism.

For the DB,EXTENDED collection method, the audit log table may periodically grow larger than the file system's capacity for that table. To periodically delete audit log entries, go to the Scheduled Maintenance section.

Warning: Using FortiDB to manage the contents of SYS.AUD$ should comply with the best practices of your organization.

Microsoft SQL Server audit management
The target's Audit Management page for Microsoft SQL Server target databases displays a list of SQL Server events and filters that FortiDB uses to audit. If you select Monitoring or Auditing from the Trace Type dropdown list and then click the Refresh button, FortiDB displays the general information.

Audited events
The Microsoft SQL Server Audited Events section displays a list of SQL Server events used by FortiDB for auditing purposes with the following information:
- Column
- Event

Audited filters
The Microsoft SQL Server Audited Filters section displays a list of Microsoft SQL Server filters used by FortiDB for auditing purposes with the following information:
- Column
- Comparison Operator
- Logical Operator
- Value
To update the list, click Refresh.

DB2 audit management
The target's Audit Management page for DB2 target databases displays the history of audit commands issued by the database.

DB2 audit settings with syscat.auditpolicies
The DB2 Audit Settings section displays the contents of the DB2 syscat.auditpolicies view with the following information:

- Policy Name
- Policy ID
- Create Time
- Alter Time
- Audit Status
- Context Status
- Validate Status
- Checking Status
- SecMaint Status
- ObjMaint Status
- SysAdmin Status
- Execute Status
- Execute with Data
- Error Type

DB2 audit settings with syscat.audituse
The DB2 Audit Settings section also displays the contents of the DB2 syscat.audituse view with the following information:
- Policy Name
- Policy ID
- Schema
- Object Name
- Object Type
- Sub Object Type
To update the list, click the Refresh button.

Viewing alerts
The Security Alerts page displays a list of all alerts generated from all databases and their details. You can filter the list using a pre-defined alert group, an alert group that you defined, or by date. You can also export the alert list in several different formats.

Security Alerts page columns
ID: FortiDB assigns alert identifiers sequentially.

Type: An icon indicates which kind of policy generated the alert:
- a table policy generated the alert
- a table and column policy generated the alert
- a session policy generated the alert
- a user policy generated the alert
- a database query policy generated the alert
- a privilege policy generated the alert
- a metadata policy generated the alert
Status: One of the following alert status values. You can change the alert status from the Alert Summary page.
- Unacknowledged
- Acknowledged
- Error Corrected
- Alert has an annotation created by a FortiDB administrator
For information on changing the status value, see Changing the status of and annotating alerts on page 217.
Severity: Severity of the policy that generated the alert: Informational, Cautionary, Minor, Major, or Critical.
Received Time: The date and time when FortiDB received the alert.
Target: Name of the target database.
Source Location: Hostname of the source client.
Policy: The name of the policy that generated the alert.
Violation & Action: The action that violated the rule.

Security Alerts page filtering options
View: Filter alerts by alert group, pre-defined or user-defined, by selecting a group from the View drop-down list.

Search: Click Search / New Group to define search criteria, or click the Edit button to modify the search criteria of a user-defined group. When you finish configuring the search criteria, click the Search button to search alerts. You can also click the Save Group button to save the search criteria as an alert group. For more information on groups, see Alert group on page 220. For information on search criteria configuration, see Filtering and searching alerts on page 218.
Date Range and Entry Limit: Filters alerts based on the specified date range and the number entered for Limit To; click the Refresh button to refresh the alert list.

Click an alert to view its details below the list. For more information, see Alert details on page 218.

Changing the status of and annotating alerts
Select one or more alerts with the check boxes, then click one of the three status icon buttons to change the status to Unacknowledged, Acknowledged, or Error Corrected.

Select one or more alerts with the check boxes, then click the Annotate icon button to add or edit an alert's annotation. Click the Save button to save the annotation.

Exporting the alert list as a report
The alert list displayed on this page can be exported as a report in several different formats:
- PDF (.pdf)
- Excel (.xls)
- Tab (.txt)
- CSV (.csv)
To export alerts, select the file format from the Export as dropdown, then click the Export button.

If you want to generate an alert report with more detailed information, use the predefined or user-defined DAM alert report feature. For details, see Reports on page 233.

Filtering and searching alerts
For alert searches or group filter settings, you can filter alerts by column conditions by defining filtering criteria with one or more data filtering entries.

Exclude option: Select the Exclude following filters option if you want the opposite set of alerts (those that do not match the criteria).

Configure criteria row: One filtering criteria entry is defined in a row. Select the Operator ("And" or "Or"; not available for the first row), the Column, and the comparison Operator from the dropdown lists, and then enter a Value or select one from the list of available values.

Multiple criteria rows: Add or remove filtering criteria rows by clicking the + (plus) or - (minus) buttons. If there are multiple filtering entries that combine both "And" and "Or" operations, use the brackets "(" and ")" to set the operation priority.

Filter sample for the group "Table change by non-system user":
Action Equals Delete, Insert, Truncate, Update
and ( DB User Not Equal SYSTEM
or Login Name Not Equal SYSTEM )

Alert details
The Alert Details section shows the following information about the alert:
ID: Alert ID. This number is set sequentially.
Timestamp: The date and time when FortiDB received the alert.

Target Name: Target database name.
Policy Name: Name of the policy that generated the alert. For example, Tables, Column Privileges, tablepolicy1, etc.
Action: Action that was taken and caused the alert.
Rule Violations: Alert rules that generated the alert. For example, Suspicious location, Suspicious Login Name, etc.
Severity: Short name of the severity level to which the policy is configured:
- INF - Information
- CAU - Cautionary
- MAJ - Major
- MIN - Minor
- CRI - Critical
OS User or Auth Id: OS user (for Oracle and Microsoft SQL Server) or Auth Id (for DB2) that accessed the target database.
DB User: DB user who took the action.
Login Name: Login name that logged into the target database.
Object: Object that was accessed and caused the alert.
SQL Statement: SQL statements that were executed and caused the alert.
Return Code: Return code from the target database.
Source Location: Hostname of the source location that originated the action.
Application: Source application that originated the actions and caused the alert.
Annotation: Annotation text added by an administrator for this alert.

For Sybase target databases, the OS User field shows "not available". For Microsoft SQL Server, the OS User is available only when you use Windows authentication. For Sybase and Microsoft SQL Server, the Object field may not be available for Privilege Policies: Roles and System Privileges.

Alert group
The Alerts Group page allows you to organize the security alerts that FortiDB's monitoring activity generates. You use the alert groups to filter the list of alerts displayed on the Security Alerts page and to filter the information in a DAM report.

Add, edit, or delete an alert group
Use the Alerts Group page to perform the following tasks:
- To create a new group, click Add.
- To modify group settings, click the name of the group or the Edit icon in the Action column.
- To delete a group, select the check box for one or more user-defined alert groups, and then click Delete.
Alternatively, you can create a new group when you search the list of alerts on the Security Alerts page. (See Filtering and searching alerts on page 218.)

Pre-defined alert groups
FortiDB provides pre-defined alert groups that you can use to add and modify filtering criteria.
Major and Critical Alerts: Alerts that have major and critical severities.
Metadata Changes: Alerts generated by triggering metadata policies.
Privilege Changes: Alerts generated by triggering privilege policies.
Security Violations: Alerts that are triggered by security violations.
Table changes: Alerts that are triggered by inserts, updates, or deletes on tables.
Unacknowledged Alerts: Alerts that have a status of 'Unacknowledged'.

Data filter for an alert group
The Filters tab allows you to define data filtering criteria for the group when you add or edit a group. You can define one or more data filtering entries that specify the criteria to match. When an alert matches the specified criteria, it is included in the group.
Exclude following filters: Select to include the alerts that do not match the criteria.
Operator: The values And and Or; not available for the first row.
Column: Specify a column value.

Operator: Specify a comparison operator.
Value: Enter a value or select one from the list of available values.
- (minus) and + (plus): Click to add or remove rows that define criteria.

If there are multiple filtering entries that combine both "And" and "Or" operations, use the brackets "(" and ")" to set the operation priority.

For example, to create a filter for the group "Table change by non-system user", use the following settings:
Row  Operator  Column         Operator   Value
1    -         Action Type    Equals     Delete, Insert, Truncate, Update
2    and       Database User  Not Equal  SYSTEM
3    and       Login Name     Not Equal  SYSTEM

To create a filter for a group that selects alerts generated when a specific user (scott) creates a table:
Row  Operator  Column         Operator   Value
1    -         Policy Type    Equals     Metadata Policies
2    and       Action Type    Equals     Create Table
3    and       Database User  Equals     scott

Alerts summary
The Alerts Summary page summarizes the alert statistics and recent trends. The DB Activity Monitoring table shows the alert statistics for today, recent years, and all time ("total"). It also displays the number of databases FortiDB is monitoring and the current count of alert groups. The alert trend charts show how the alert counts changed over time, with trends for the last 7 days, last 30 days, last 90 days, and last 12 months.
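As an added example (not FortiDB's own code), here is a Python evaluator for the row-based filter language used by alert groups: rows joined by And/Or, brackets for priority, and Exclude following filters to invert the result. It runs both renderings of "Table change by non-system user" (the bracketed Or form from Filtering and searching alerts and the all-And rows from the table above) and the scott filter over constructed alerts; evaluating unbracketed rows strictly left to right, and the column name "Database User" for both spellings, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    """One filter row: Column, comparison Operator, and one or more Values."""
    column: str
    op: str            # "Equals" or "Not Equal"
    values: frozenset  # several values in one row (Delete, Insert, ...) behave as "any of"

    def matches(self, alert):
        actual = str(alert.get(self.column, "")).lower()
        hit = any(actual == v.lower() for v in self.values)
        if self.op == "Equals":
            return hit
        if self.op == "Not Equal":
            return not hit
        raise ValueError(f"unsupported comparison operator {self.op!r}")


def row(column, op, *values):
    return Criterion(column, op, frozenset(values))


class AlertFilter:
    """A filter is a sequence of Criterion rows joined by 'and'/'or', with '(' and ')'
    setting priority. exclude=True models the Exclude following filters option."""
    JOINS = ("and", "or")

    def __init__(self, items, exclude=False):
        self.items = list(items)
        self.exclude = exclude

    def matches(self, alert):
        pos, result = self._expr(alert, 0)
        if pos != len(self.items):
            raise ValueError(f"unexpected {self.items[pos]!r} at position {pos}")
        return (not result) if self.exclude else result

    def _expr(self, alert, pos):
        # Without brackets, rows are combined strictly left to right (assumption).
        pos, acc = self._term(alert, pos)
        while pos < len(self.items) and self.items[pos] in self.JOINS:
            join = self.items[pos]
            pos, rhs = self._term(alert, pos + 1)
            acc = (acc and rhs) if join == "and" else (acc or rhs)
        return pos, acc

    def _term(self, alert, pos):
        if pos >= len(self.items):
            raise ValueError("filter ends after an operator")
        item = self.items[pos]
        if item == "(":
            pos, value = self._expr(alert, pos + 1)
            if pos >= len(self.items) or self.items[pos] != ")":
                raise ValueError("missing closing bracket")
            return pos + 1, value
        if isinstance(item, Criterion):
            return pos + 1, item.matches(alert)
        raise ValueError(f"unexpected {item!r} at position {pos}")


def matching_ids(alerts, flt):
    """IDs of the alerts the group would contain, i.e. what the Security Alerts page lists."""
    return [a["ID"] for a in alerts if flt.matches(a)]


# "Table change by non-system user" as written with brackets under Filtering and searching alerts
TABLE_CHANGE_OR = AlertFilter([
    row("Action Type", "Equals", "Delete", "Insert", "Truncate", "Update"),
    "and", "(", row("Database User", "Not Equal", "SYSTEM"),
    "or", row("Login Name", "Not Equal", "SYSTEM"), ")",
])
# The same group as the three all-'and' rows in the table above
TABLE_CHANGE_AND = AlertFilter([
    row("Action Type", "Equals", "Delete", "Insert", "Truncate", "Update"),
    "and", row("Database User", "Not Equal", "SYSTEM"),
    "and", row("Login Name", "Not Equal", "SYSTEM"),
])
# Alerts raised when scott creates a table
SCOTT_CREATE_TABLE = AlertFilter([
    row("Policy Type", "Equals", "Metadata Policies"),
    "and", row("Action Type", "Equals", "Create Table"),
    "and", row("Database User", "Equals", "scott"),
])

# Constructed alerts, keyed by the column names the filter rows refer to
ALERTS = [
    {"ID": 1, "Policy Type": "Table Policies", "Action Type": "Delete", "Database User": "APP", "Login Name": "APP"},
    {"ID": 2, "Policy Type": "Table Policies", "Action Type": "Update", "Database User": "SYSTEM", "Login Name": "SYSTEM"},
    {"ID": 3, "Policy Type": "Table Policies", "Action Type": "Select", "Database User": "APP", "Login Name": "APP"},
    {"ID": 4, "Policy Type": "Metadata Policies", "Action Type": "Create Table", "Database User": "scott", "Login Name": "scott"},
    {"ID": 5, "Policy Type": "Metadata Policies", "Action Type": "Create Table", "Database User": "SYSTEM", "Login Name": "scott"},
    {"ID": 6, "Policy Type": "Table Policies", "Action Type": "Insert", "Database User": "SYSTEM", "Login Name": "batch"},
]

if __name__ == "__main__":
    print("bracketed Or form :", matching_ids(ALERTS, TABLE_CHANGE_OR))     # [1, 6]
    print("all-And form      :", matching_ids(ALERTS, TABLE_CHANGE_AND))    # [1]
    print("scott creates tbl :", matching_ids(ALERTS, SCOTT_CREATE_TABLE))  # [4]
```

Alert 6 shows why the two renderings differ: an insert by DB user SYSTEM under a non-SYSTEM login is kept by the bracketed Or form but dropped by the all-And rows, so check which one a group really needs before relying on it in a report.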

Alerts analysis
The Alerts Analysis page allows you to analyze the alerts received within a date range that you specify.

Status: An icon indicates the state of the analysis:
- the alert analysis is newly created or edited
- the alert analysis is queued to run
- the alert analysis is running
- the alert analysis is complete
Target: Target to analyze, either a specific target or ALL.
Alert Received From: Start date of the alerts.
Alert Received To: End date of the alerts.
Analyze Time: Time at which the analysis ran.
Action: Edit icon button: click to edit the analysis. View icon button: click to view the analysis result.

To analyze results
1. Click the Add button. To edit an existing analysis, click the analysis name, or click the Edit icon in the Action column.
2. On the analysis add/edit page, enter the name, select the target (All or one target), specify the alert received date range, and click Save. Alerts received on the "Received To" day are included; for example, From "March 1" to "March 31" covers all alerts received in March.
3. Select the check box corresponding to an analysis.
4. Click the Run button.
5. To view the results, either click the View icon button in the Action column, or click the time when the analysis finished.

To view the results of an analysis
Do one of the following:
- In the Action column, click View.
- Click an Analyze Time value.
The analysis result page displays the following information:
- Analysis Summary: Target, alert date range, and total alert count in this range.
- Statistics Chart: Alert statistics date-series chart.
- More alert statistics by category:
  - By Target (for 'All' target analysis)
  - By Severity
  - By Policy
  - By Action
  - By DB Login
  - By DB User
  - By Client Location (Top 10)
  - By Client Application (Top 10)

Viewing audit records (activity auditing results)
The Activity Auditing page displays a list of audit records with their details. The audit records FortiDB generates while it is monitoring the database are determined by the activity auditing option you specify: Log All, or the policies selected on the Audit Policy Groups tab.

To enable activity auditing, you configure FortiDB to monitor the target database using the TCP/IP sniffer. For more information, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

Audit record list columns
ID: Audit ID. This number is set sequentially.

Type: An icon indicates what generated the audit record:
- the Log All option enabled for target monitoring
- a Table Policy
- a Table and Column Policy
- a Session Policy
- a User Policy
- a Database Policy
- a Privilege Policy
- a Metadata Policy
Timestamp: Audit timestamp.
Target: Target database name.
Source Hostname/IP: Hostname and IP address of the source client.
Action: Action of the database activity.
DB User: Database user of the action.
SQL Text: SQL text.

Filtering and searching the audit record list
To filter the audit records by audit group, select an option from the View list. For more information on audit groups, see Audit group on page 225.

To search the audit records, click Search/New Group, specify the search criteria, then click Search. You can save the search criteria as an audit group. For more information on the search and group creation options, see Searching or filtering the target list on page 106.

To edit a saved group, select the group from the View dropdown list, click Edit, modify the search criteria, and then click Save Group.

To display audit records for a specific time range, specify the Received from and To times, enter the Limit to value, and then click Refresh.

Viewing audit record details
Click an audit record to display its details at the bottom of the audit record list.
ID: Audit ID. FortiDB sets this number sequentially.
Timestamp: The date and time the activity was audited.
Target/IP: Target database name and the database server's IP address.
Target Service Port: Target database server's service port.
Policy Type: Type of audit policy that generated the audit record. Shows "All" if the Log All option is enabled.
Policy Name: Name of the audit policy that generated the record. For example, Tables, Column Privileges, tablepolicy1, etc.
Action: Activity action.
Source Hostname/IP: Hostname and IP address of the source client.
Source MAC: MAC address of the source client.
DB User: DB user who took the action.
SQL Text: SQL statement text of the activity.

Audit group
The Audit Group page allows you to organize audit records. You use the audit groups to filter the list of audit records displayed on the Activity Auditing page and to filter the information in a DAM report.

Add, edit, or delete an audit group
Use the Audit Group page to perform the following tasks:
- To create a new group, click Add.
- To modify group settings, click the name of the group or the Edit icon in the Action column.

- To delete a group, select the check box of one or more user-defined audit groups, and then click Delete.
Alternatively, you can create a new group when you search the list of audit records on the Activity Auditing page. (See Filtering and searching the audit record list on page 224.)

Pre-defined audit groups
FortiDB has pre-defined audit groups that you can use to add and modify filtering criteria.
All: All available policies.
All DB2 Policies: All policies that are supported for DB2 databases.
All MySQL Policies: All policies that are supported for MySQL databases.
All Oracle Policies: All policies that are supported for Oracle databases.
All SQL Server Policies: All policies that are supported for Microsoft SQL Server databases.
All Sybase Policies: All policies that are supported for Sybase databases.
Data Policies: All policies that trigger on table, table-column, user, or session changes to the target database.
Metadata Policies: All policies that trigger on metadata changes to the target database.
Privilege Policies: All policies that trigger on privilege changes to the target database.
SYS Operations: Policies that monitor SYS operations.

Data filter for an audit group
Use the Filters tab to define filtering criteria for a group. For information on the filtering options, see Data filter for an alert group on page 220.

Activity profiling
FortiDB's activity profiling feature generates statistics about database activity by user and table. You can use these statistics as a baseline when you configure policies that identify suspicious access patterns.

Activity profiling requires the appliance version of FortiDB and the TCP/IP sniffer collection method. For information on using the sniffer, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 199.

Viewing status and summary information for activity profiling
The Activity Profiling page displays the target profiling status and a summary of profiling results.

Activity Profiling page columns
Status: An icon indicates the profiling state:
- the target is not monitored
- monitoring and profiling are active
- monitoring is active and profiling is not enabled
Name: Target name. Click to view detailed profiling results.
DB Host Name/IP: Database host name or IP address of your target database computer.
DB Type: The type of database.
Profiling Statistics: Total number of activities since profiling started.
Profiling Start Time: Either the time when FortiDB started to monitor the database or the time when you cleared the existing profiling results.
Action: Click View Profiling Detail to view detailed profiling information for the target. Click Reset Profiling Statistics to clear the existing profiling results for the target. If monitoring with profiling is enabled, FortiDB sets Profiling Start Time to the current time. Otherwise, it sets Profiling Start Time when monitoring starts.

To display profiling status and summary information for a specific target group, in the View list, select a target group.

Viewing and exporting activity profiling results
The Target DB Activity Profiling page displays detailed profiling results.

FortiDB organizes profiling results for specific targets by database login and user, source clients, and database table access. To view statistics for a login or user, in the DB Login/User list, select the appropriate name.

Source clients access list
Source IP: IP address of the database source client.
OS Hostname: Hostname of the source client.
Source Application: Application name of the source client.
OS User: Operating system (OS) user name.
Session Count: Database access session count from this source client.

Database tables access list
The database tables access list displays all database tables accessed by the selected login or user and information about the related access actions. The Table Name column displays the name of the table that the login or user accessed. (For Oracle databases, this can also be the name of a synonym.) The other columns display the count for each of the following actions:
- Select
- Update
- Insert
- Delete
- Create
- Alter
- Drop
- Trunc
- Grant
- Revoke

Exporting profiling results
For information on generating and exporting an activity profiling report that you can run at a scheduled time and send automatically to recipients by email, see Activity Profiling Reports on page 251.

To export the detailed profiling results as a report
1. For Export as, select one of the following file formats:

229 Database activity monitoring (DAM) SOX audit PDF (.pdf) Excel (.xls) Tab (.txt) CSV (.csv) 2. Click Export. Viewing status and summary information for activity profiling SOX audit When you use one or policies from the Sox Policies DAM alert policy group to monitor the target database, FortiDB saves SOX compliance audit logs. The Sox Audit page displays the compliance audit logs. To filter the audit logs, in the Target list, select the appropriate target database, enter from and to dates, and then click Refresh. PCI, SOX, and HIPAA alert policies PCI, SOX, and HIPAA reports 229
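The two profiling lists described above (source clients per login, and per-table action counts) and the text export formats can be reproduced over raw audit events. The following is an added example written for this handbook section, not FortiDB code: the event fields, the host names, logins and sessions in SAMPLE_EVENTS are all constructed, and the export helper assumes that the Tab (.txt) and CSV (.csv) formats are plain delimited text.

```python
"""Activity profiling over constructed audit events.

This is an added example, not FortiDB code. Each event carries the
fields shown on the Activity Profiling pages (login, source IP, OS
hostname, source application, OS user, session, action, table); the
sample events below are constructed, with hypothetical hosts and users.
"""
from collections import Counter, defaultdict
import csv
import io

# Action columns of the database tables access list.
ACTIONS = ["Select", "Update", "Insert", "Delete", "Create",
           "Alter", "Drop", "Trunc", "Grant", "Revoke"]

# Constructed sample events (hypothetical values).
SAMPLE_EVENTS = [
    {"login": "app_user", "src_ip": "10.0.1.15", "hostname": "web01", "app": "orders.war",
     "os_user": "tomcat", "session": 101, "action": "Select", "table": "ORDERS"},
    {"login": "app_user", "src_ip": "10.0.1.15", "hostname": "web01", "app": "orders.war",
     "os_user": "tomcat", "session": 101, "action": "Update", "table": "ORDERS"},
    {"login": "app_user", "src_ip": "10.0.1.15", "hostname": "web01", "app": "orders.war",
     "os_user": "tomcat", "session": 102, "action": "Select", "table": "CUSTOMERS"},
    {"login": "app_user", "src_ip": "10.0.1.16", "hostname": "web02", "app": "orders.war",
     "os_user": "tomcat", "session": 103, "action": "Insert", "table": "ORDERS"},
    {"login": "dba", "src_ip": "10.0.9.7", "hostname": "laptop-dba", "app": "sqlplus",
     "os_user": "jsmith", "session": 201, "action": "Grant", "table": "ORDERS"},
    {"login": "dba", "src_ip": "10.0.9.7", "hostname": "laptop-dba", "app": "sqlplus",
     "os_user": "jsmith", "session": 201, "action": "Drop", "table": "TEMP_LOAD"},
    {"login": "dba", "src_ip": "10.0.9.7", "hostname": "laptop-dba", "app": "sqlplus",
     "os_user": "jsmith", "session": 202, "action": "Select", "table": "ORDERS"},
]


def profile_activity(events):
    """Build per-login profiles: distinct source clients with their session
    counts, per-table action counts, and the total activity count that the
    Profiling Statistics column reports."""
    profile = {}
    for e in events:
        p = profile.setdefault(e["login"], {
            "clients": defaultdict(set),     # (ip, host, app, os_user) -> session ids
            "tables": defaultdict(Counter),  # table -> Counter of actions
            "total": 0,
        })
        p["clients"][(e["src_ip"], e["hostname"], e["app"], e["os_user"])].add(e["session"])
        if e["action"] in ACTIONS:
            p["tables"][e["table"]][e["action"]] += 1
        p["total"] += 1
    return profile


def source_clients(profile, login):
    """Rows of the source clients access list for one login."""
    rows = []
    for (ip, host, app, os_user), sessions in sorted(profile[login]["clients"].items()):
        rows.append({"Source IP": ip, "OS Hostname": host, "Source Application": app,
                     "OS User": os_user, "Session Count": len(sessions)})
    return rows


def table_access(profile, login):
    """Rows of the database tables access list for one login: Table Name
    followed by a count for every action column (0 when unused)."""
    rows = []
    for table, counts in sorted(profile[login]["tables"].items()):
        row = {"Table Name": table}
        row.update({action: counts.get(action, 0) for action in ACTIONS})
        rows.append(row)
    return rows


def export_rows(rows, fmt="csv"):
    """Export rows as CSV (.csv) or tab-delimited text (.txt), the two
    text formats offered in the Export as list."""
    if not rows:
        return ""
    delimiter = "\t" if fmt == "txt" else ","
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), delimiter=delimiter,
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    profile = profile_activity(SAMPLE_EVENTS)
    for login in profile:
        print(f"{login}: {profile[login]['total']} activities")
        print(export_rows(source_clients(profile, login), "txt"))
        print(export_rows(table_access(profile, login), "csv"))
```

Session Count is the number of distinct sessions from one (IP, hostname, application, OS user) tuple, so repeated statements inside one session do not inflate it; the DBA login above shows two sessions from a single workstation and one Drop against a table the application account never touches, which is exactly the kind of contrast the profiling lists are meant to surface.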

Logs

Local monitoring log

The Local Monitoring Log page lists monitoring event logs. The log information includes Date, Target, Policy name, Severity, and Description.

In the Local Monitoring Logs page, you can:

- Display logs filtered by the severity level that you select from the Severity dropdown list.
- Display logs filtered by the target database that you select from the Target dropdown list.
- Display logs filtered by the date range you select from the From and To fields.
- Export the current list by selecting Export.
- Delete all logs by selecting Delete All.
- Schedule error checks using one of the following options:
  - Run Once: FortiDB checks for errors at the time specified by Starts at.
  - Recurring: FortiDB checks for errors during the interval specified by Starts at and End by.

Local audit trail

The local audit trail feature allows you to capture the following information as audit trail records:

- All administrator activities: add/delete/update administrators, add/delete/update policies or policy groups, add/delete/update targets or target groups, add/delete/run assessments, archive, restore, log on, and system configuration.
- System activities: start and stop.

You can filter the list of audit trail records by date. You can also export the list as a tab-delimited text file, which you can open in spreadsheet applications such as Microsoft Excel.

To display the audit trail, an administrator requires the System Administrator role.

To enable the local audit trail
1. In the navigation menu, go to Administration > Global Configuration.
2. On the User Profile/Security tab, for Enable Local Audit Trail, select true.
3. Click Save.

Viewing and managing the audit trail records

To view the local audit trail, in the navigation menu, click Administration > Local audit trail. The audit trail has the following columns:

- Timestamp: The date and time of the action.
- Action: The action that occurred.
- By: The name of the account that performed the action, for example, the admin account. Note: When FortiDB invokes actions such as scheduled scan, scheduled archive, start FortiDB, and stop FortiDB, internal is displayed in this column.
- Location: The location where the action occurred, for example, local or the remote location from which the account logged in, displayed as an IP address or host name. Note: When FortiDB invokes actions such as scheduled scan, scheduled archive, start FortiDB, and stop FortiDB, internal is displayed in this column.
- Object Name: The object that the action affected.

To filter the list of local audit records by date, either enter start and end dates or click the calendar icon to select dates, and then click Apply. To sort the list, click a column heading to sort using the values in that column.

Click Delete to delete the audit trail records in the selected date range. If the Local Audit Trail global setting is enabled and you delete audit trail records, FortiDB generates an audit trail record for the delete action.

Select the Export button to export the audit trail records in the selected date range as a comma-delimited text file.

Examples of audit trail records

Timestamp: :06:47
Action: Update
By: admin
Location:
Object Name: VA Policy: DVA IBM DB2 UDB Latest Fixpak not installed

Timestamp: :36:31
Action: Scan
By: jsmith
Location:
Object Name: VA Scan: Latest Patch Policies

Timestamp: :02:25
Action: Add
By: admin
Location:
Object Name: DAM Policy Group: tablepolicy1_2 Group

Reports

FortiDB can generate various reports, including pre-defined and user-defined vulnerability assessment (VA) reports and database activity monitoring (DAM) reports. For VA and DAM reports, select an item in the Report menu to manage and generate reports. For other exportable reports, go to the corresponding context page and use the Export function to export the report file.

Reports can be exported as a PDF file. Some reports can also be exported as an Excel, tabbed text, or CSV file.

To generate VA and DAM reports, your administrator account requires the Report Manager role.

Vulnerability assessment (VA) reports

Vulnerability assessment (VA) reports include:
- pre-defined or user-defined assessment reports
- pre-defined VA policy reports
- pre-defined sensitive data discovery reports

You can view and export VA reports manually. Go to a pre-defined or user-defined VA report, select the report to preview its content, then click Export to export the report in PDF or another file format. You can also generate assessment report files automatically by scheduling FortiDB to generate them.

DAM reports

DAM reports include:
- pre-defined and user-defined security alert reports
- activity audit reports
- PCI, SOX, and HIPAA compliance reports

The information in activity audit reports comes from DAM activity auditing, a feature that requires the appliance version of FortiDB and the TCP/IP Sniffer collection method.

You can configure report criteria such as data filtering, schedule, and notification for security alert reports and activity audit reports. For user-defined reports, you can also customize the display of the data table view and analysis chart view.

FortiDB generates and saves security alert reports and activity audit reports in all file formats, whether you generate them manually or using a schedule.

Report files that FortiDB saves to disk

FortiDB saves generated report files (such as PDF or Excel (.xls)) to disk when:
- FortiDB generates all file types for all DAM reports.
- You enable the Schedule and Save Scheduled Assessment Report to Disk File option for vulnerability assessment.

To free disk space, delete report files after you download them.

Other reports you can export

You can export PDF report files for:
- Administrators Entitlement Report: Administration > Administrators
- Target Database Report: Target Database Server > Targets
- Database Discovery Report: Target Database Server > Auto Discovery
- VA Privilege Summary Report: Vulnerability Assessment > Privilege Summary
- VA Local Log Report: Vulnerability Assessment > Local Assessment Log
- DAM Security Alerts Summary Report for search results: DB Activity Monitoring > Security Alerts
- Activity Profiling Report: DB Activity Monitoring > Activity Profiling > Profiling Detail
- DAM Local Log Report: DB Activity Monitoring > Local Monitoring Log

Pre-defined VA reports

Go to Report > Pre-Defined VA Reports to view a list of available reports and select a report template to use to view and export report information. The following report types are available: assessment reports, policy reports, and sensitive data discovery reports.

Assessment reports

Assessment reports provide the results of target database assessments, including assessment statistics, vulnerability details, and the run result of each policy. To view and export an assessment report, select the report parameters, which include the assessment, run time, and target database. Go to the Preview Report tab to view the report content, and then export it in the file format you selected.

Pre-defined assessment reports:
- Global Detailed Report: gives the number and types of passed and failed policies and their details for all targets in the assessment
- Target Detailed Report: gives the number and types of passed and failed policies and their details
- Target Detailed Failed Report: gives the number and types of failed policies and their details
- Target Summary Report: summarizes the number and types of passed and failed policies
- Target Summary Failed Report: summarizes the number and types of failed policies
- Target Score Report: displays the scan results in graphical form
- Target Trend Report: displays the database policy progress over time

Statistics tables

With the exception of the target trend report, all report templates contain the following two statistics tables:
- Severity: summarizes the number of each state by policy-severity type
- Classification: summarizes the number of each state by policy-classification type

Vulnerabilities

With the exception of the target score and trend reports, all report templates contain summary or detailed vulnerability information, sorted into the following categories: Critical Vulnerabilities, Major Vulnerabilities, Minor Vulnerabilities, Cautionary Vulnerabilities, Informational Vulnerabilities.

Score report and trend report

The pre-defined Score Report template provides a way to see vulnerability results in graphical form for all target databases used in an assessment. It also shows results by the RDBMS type of the assessed targets. The pre-defined Trend Report template provides a way to see assessment results over time to assist your vulnerability planning and remediation efforts.

See also: Adding or modifying assessments

Policy reports

Policy reports provide information about pre-defined and user-defined VA policies. You can generate reports for all VA policies or filter by database type, classification, severity, or policy type.

FortiDB provides the following two types of policy reports:
- Policy Summary Report: provides detailed information about the current vulnerability assessment policies in the system
- Policy Detailed Report: summarizes the most current vulnerability assessment policies in the system

See also: Vulnerability assessment (VA) policies

Sensitive data discovery reports

Sensitive data discovery reports allow you to view and export the results of sensitive data discovery. Select the target database and discovery time to view and export the discovery report.

FortiDB provides the following two types of sensitive data discovery reports:
- Sensitive Data Discovery Detailed Report: provides detailed information about the sensitive data discovery
- Sensitive Data Discovery Summary Report: gives summary information about the sensitive data discovery

See also: Data discovery policies and policy groups; Sensitive data discovery

User-defined VA reports

You can customize your report template with selected columns and data from the User-Defined VA Reports and User-Defined DAM Reports pages. The User-Defined VA Reports page lists the reports you created, and allows you to add, modify, and delete reports.

Columns and buttons on the User-Defined VA Reports page:
- Name: User-defined name for the report. Click the name link to modify and export the report.
- Description: User-defined description.
- Last Modified: Date and time when the report was last modified.
- Created By: User who created the report.

- Add: This button adds a report.
- Delete: This button deletes the reports whose check boxes you selected.

Managing user-defined reports

Click the Add button, or click the name of an existing report, to go to the report edit page, which has the following tabs:

- General tab: Name and describe your report.
- Columns tab: Specify which columns to include in your report. Select columns from the Available Columns list and add them to the Columns in Report list. Your report must contain at least one display column.
- Grouping tab: Specify grouping criteria. In the Group Data By dropdown list, select the column name(s) by which you want to group data results. Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify a Day, Week, Month, Quarter, or Year value by which to group date-related report results in the Group date values by dropdown. For VA reports, you cannot group by Policy Description. You can specify two additional grouping levels, in the same way, by using the and then by and the and lastly by dropdown lists.
- Filtering tab: Specify filtering criteria. Define a column filtering entry in a row by selecting Column and Operator and entering the Value. Add or remove filtering criteria rows by selecting the + (plus) or - (minus) buttons. To limit the number of rows to display, select the Enter number radio button and then specify, as your row limit, any positive number below the maximum the field allows.
- Export options: Export or save the report, or cancel editing. Export your report in a certain output format, PDF or tab-delimited text file. Click the Save button to save the report, or click the Cancel button to cancel.

Viewing scheduled VA reports

The Scheduled VA Reports page allows you to manage report files generated by scheduled vulnerability assessments. The following VA configurations generate a scheduled VA report file and save it to disk:
- Enable schedule for Vulnerability Assessment
- Enable the report option Save Scheduled Assessment Report to Disk File

For information on configuring assessments, see Adding or modifying assessments on page 181.

The target database name and report filename are listed on the Scheduled VA Reports page. Click the report filename to download or open the report file. Select the check box for one or more reports, then click Download to download a ZIP archive file, or click Delete to delete the selected report files.

See also: Running an assessment at a specified date and time

Pre-defined DAM reports

Pre-defined DAM reports display security alert data or activity audit events, which you can filter to exclude from the report data. Go to Report > Pre-Defined DAM Reports and select the Security Alert Reports or Activity Audit Reports tab to configure and run reports with a pre-defined template, browse the generated report content, and download the report file(s).

The Activity Audit Report is available only for the FortiDB appliance, and only when the target database is monitored with the TCP/IP sniffer collection method. For details, see Viewing audit records (activity auditing results) on page 223.

The following pre-defined report templates are available for pre-defined DAM reports.

Pre-defined Security Alert Reports:
- Security Alert Detailed report: shows the details for all alerts generated within the report filter criteria.
- Security Alert Summary report: summarizes the alerts generated within the report filter criteria.
- Security Alert Statistical report: summarizes statistical information about generated alerts, based on rule violations, policies, and severities.

Pre-defined Audit Reports:

- Activity Audit Detailed report: shows the details for all activity audit events generated within the report filter criteria.
- Activity Audit Summary report: summarizes the activity audit events generated within the report filter criteria.

User-defined DAM reports

The User-Defined DAM Reports page allows you to filter report data, configure scheduling and notification, and customize the report layout. Go to Report > User-Defined DAM Reports, click the User-Defined Alert Reports or User-Defined Audit Reports tab for your report type, and then define the report.

Report management

The Pre-Defined DAM Reports, User-Defined DAM Reports, and Activity Profiling Reports pages display a table with the following columns:

- [+] [-]: Click to expand or collapse the 10 most recent results for a report. When the item is expanded, you can do the following: click the name of a report instance (which contains the time FortiDB generated it) to view the report contents in HTML format; click one of the file format icons on the right (PDF/TXT/XLS/CSV) to download the report.
- Status: An icon indicates whether the report is idle, running, or scheduled to run.
- Name: Click to configure the report.
- Description: Report description specified in the report configuration.

- Last Modified: Date and time when an administrator last modified the report.
- Created By: FortiDB administrator who created the report.
- Results: The number of times FortiDB has run the report.
- Action: Click to edit the report configuration, or click to view all instances of FortiDB running this report.

To run a report

Do one of the following:
- On the Pre-Defined DAM Report page, use the check boxes to select one or more reports to run, and then click Run.
- On the User-Defined DAM Report page, if the report you want to run is not in the list, click Add and configure the report. Then use the check boxes to select one or more reports to run, and then click Run.
- On the Activity Profiling Reports page, click Run. For information on configuring an activity profiling report, see Activity Profiling Reports on page 251.

See also: Pre-defined DAM reports; Activity Profiling Reports

Filtering report data

To add or edit a DAM report, go to the Data Filter tab.

Data time range

You can choose a dynamic time period or a specific time range for the report's data filtering. Select the Last Period option for a dynamic time period: enter the period value and select the period unit (Day, Week, or Month). The dynamic time range is calculated each time the report runs (manually or on a schedule). For example, when you select "last 2 days" as the period, FortiDB filters the alerts (or audits) received from 48 hours before the moment the report runs. To use a specific time range, select the Date Range option and enter the from date/time and to date/time.

Records limit

Enter the number of records in Limit to. This number is the maximum number of records displayed in the report data table.

Custom data filters

Custom Data Filters allow you to configure filtering criteria by column conditions.

The Filters configuration is the same as configuring filtering criteria for an Alert/Audit Search Group. For details, see Filtering and searching alerts on page 218.

For a DAM Alerts Report, you can select the Alert Group option and select one group from the dropdown list to use that group's filtering settings for the report. For a DAM Audits Report, you can select the Audit Group option and select one group from the dropdown list to use that group's filtering settings for the report.

Configuring data displays

The Table View tab allows you to configure the data table display, and the Analysis tab allows you to configure analysis charts.

Data table view

To configure which data columns are displayed in the report, select columns from the Available Columns list and add them to the Columns in Report list.

You can also configure data grouping in the report's data table (optional). In the Group Data By dropdown list, select the column name(s) by which you want to group data results. Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify a Day, Week, Month, Quarter, or Year value by which to group date-related report results in the Group date values by dropdown.

Adding analysis charts and statistics tables to reports

You can add multiple analyses, each with a statistics chart and table, to a report. You define each analysis in a row in the Analysis tab. Click + (plus) or - (minus) to add or remove rows.

To configure an analysis:
1. Select the Chart type: Pie or Bar.
2. From the Column type dropdown list, select the data column whose values you want to count for statistics.
3. For a DAM Alert report, you can select Severity or Status as a second Column type for a Bar chart. The enumeration of Severity or Status is listed as the Y-axis in the statistics table.
4. If the data comes from multiple target databases, enable the Group by target check box to generate a separate analysis chart and statistics table for each target.
5. Enter the Max item number for the data column.
6. Enable Count others to add Others as the last column of the analysis chart/table.

Schedule and notification

Both pre-defined and user-defined DAM reports allow you to configure the schedule and notification. FortiDB only sends notifications for reports that run on a schedule.
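The Data Filter settings (Last Period, Date Range, Limit to, column conditions) and the Analysis settings (count by column, Max item, Count others, Group by target) described above can be expressed as a few small functions over a list of alert records. The following is an added example for this section, not FortiDB code: the alerts, target names and policy names in SAMPLE_ALERTS are constructed, the operator set in OPERATORS is an assumption about what the Filters section offers, and a Month is approximated as 30 days because the page does not say how FortiDB does calendar arithmetic.

```python
"""DAM report data filtering and analysis over constructed alert records.

This is an added example, not FortiDB code. It models the Data Filter tab
(Last Period, Date Range, Limit to, column conditions) and the Analysis tab
(count by column, Max item, Count others, Group by target) in plain Python.
The alerts, targets and policy names below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumption: a Month is approximated as 30 days; the page does not state
# how FortiDB performs calendar arithmetic for the Last Period option.
PERIOD_UNITS = {"Day": timedelta(days=1), "Week": timedelta(weeks=1),
                "Month": timedelta(days=30)}

# Constructed moment at which the report is run.
REPORT_RUN_TIME = datetime(2017, 3, 17, 12, 0)

# Constructed sample alerts (hypothetical targets and policies).
SAMPLE_ALERTS = [
    {"time": datetime(2017, 3, 16, 9, 0), "target": "orcl-prod", "severity": "High", "policy": "Drop table"},
    {"time": datetime(2017, 3, 16, 10, 0), "target": "orcl-prod", "severity": "Medium", "policy": "Failed login"},
    {"time": datetime(2017, 3, 17, 8, 0), "target": "mssql-fin", "severity": "High", "policy": "Drop table"},
    {"time": datetime(2017, 3, 14, 23, 0), "target": "orcl-prod", "severity": "Low", "policy": "Select sensitive"},
    {"time": datetime(2017, 3, 17, 11, 30), "target": "mssql-fin", "severity": "Medium", "policy": "Failed login"},
    {"time": datetime(2017, 3, 15, 13, 0), "target": "orcl-prod", "severity": "Low", "policy": "Grant privilege"},
]


def last_period_range(period, unit, now):
    """Last Period option: 'last 2 days' evaluated at `now` covers the
    48 hours before the report runs, recomputed on every run."""
    return now - period * PERIOD_UNITS[unit], now


def date_range(from_date, to_date):
    """Date Range option: a date such as 9/23/09 means 00:00 of that day,
    so the range 3/14/17 to 3/15/17 ends at the midnight that starts 3/15."""
    fmt = "%m/%d/%y"
    return datetime.strptime(from_date, fmt), datetime.strptime(to_date, fmt)


# Column filter operators (a subset; an assumption about the UI's set).
OPERATORS = {
    "=": lambda actual, wanted: actual == wanted,
    "!=": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted.lower() in str(actual).lower(),
}


def filter_records(records, start, end, conditions=(), limit=None):
    """Keep records inside [start, end] that satisfy every
    (column, operator, value) condition; newest first; cut to `limit`
    rows, which is what the Limit to field bounds."""
    kept = [r for r in records
            if start <= r["time"] <= end
            and all(OPERATORS[op](r[col], val) for col, op, val in conditions)]
    kept.sort(key=lambda r: r["time"], reverse=True)
    return kept if limit is None else kept[:limit]


def analyze(records, column, max_items, count_others=True):
    """One Analysis row: alert counts for the top `max_items` values of
    `column` (ties broken by name), with the remainder folded into Others
    when Count others is enabled."""
    counts = Counter(r[column] for r in records)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    table = dict(ranked[:max_items])
    if count_others:
        table["Others"] = sum(n for _, n in ranked[max_items:])
    return table


def analyze_by_target(records, column, max_items, count_others=True):
    """Group by target: a separate statistics table per target database."""
    return {t: analyze([r for r in records if r["target"] == t],
                       column, max_items, count_others)
            for t in sorted({r["target"] for r in records})}


if __name__ == "__main__":
    start, end = last_period_range(2, "Day", REPORT_RUN_TIME)
    rows = filter_records(SAMPLE_ALERTS, start, end)
    print(len(rows), "alerts in the last 2 days")
    print(analyze(rows, "policy", max_items=2))
    print(analyze_by_target(rows, "policy", max_items=2))
```

Two details worth noting when reading the output: the dynamic range is anchored to the run time, so the same saved report selects different alerts on each scheduled run, and Count others preserves the total (the folded Others count plus the listed items always equals the number of filtered records), which is what makes the statistics table reconcile with the data table.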

Go to the Schedule tab to configure the schedule, and go to the Notification tab to configure notification.

Scheduling reports

The report scheduler allows you to set up when to start report generation, how often to generate reports, and when to stop. Select the Enable Schedule check box to enable the scheduler. There are two scheduled types:

- Run Once. Description: Report generation occurs once, at the specific time you set in the Start at field. When to Run: The date range used to run the report when the time is in the Date Range field.
- Recurring. Description: Report generation starts at the time set in the Start at field and continues until the End by time. When to Run: The Recurrence pattern can be Minutely, Hourly, Daily, Weekly, or Monthly. Enter the value for the recurring time interval.

Email notification for scheduled reports

Email notification allows FortiDB to send the report file(s) by email at the scheduled time. Select Enable to enable email notification.

For email notifications, you must designate one or more receivers. Select one or more of the entries in the Available Receivers list box and add them to the Selected Receivers list. You must set the email server and user properties in the Global Configuration for email notification.

Select the Report formats of the report file(s) you want to be included in the email.

See also: Notification properties

PCI, SOX, and HIPAA reports

FortiDB provides the following types of compliance reports to help you achieve compliance with both internal and external requirements:
- Sarbanes-Oxley (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability & Accountability Act (HIPAA)

Some compliance reports must be generated weekly, monthly, or quarterly.

PCI compliance report templates

- PCI - Invalid Operation. Description: Identifies failed access attempts. This should be reviewed on a periodic basis by IT. Required option settings: Object Audit Options.
- PCI - Privileged User Action. Description: Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management. Required option settings: User Audit Options.
- PCI - System Object Operations. Description: Same as PCI - Privileged User Action. Required option settings: Not required.
- PCI - Access to Credit Card tables. Description: Same as PCI - Privileged User Action. Required option settings: Object Audit Options.
- PCI - Successful/Unsuccessful Database Logins. Description: Tracks all successful and failed logins. Required option settings: Not required.

SOX compliance report templates

- Abnormal or Unauthorized Changes to Data. Description: This report shows all changes made to data by any account other than the application user account. Required option settings: Object Audit Options or User Audit Options.
- Abnormal Termination of Database Activity. Description: This report shows failed database processes (i.e. financial transactions or failed login attempts) originating from an application server. Required option settings: Object Audit Options or User Audit Options.
- Abnormal Use of Service Accounts. Description: This report shows service accounts and the associated or related transaction origins. For example, the use of a service account from an origin other than the application server would be shown. Required option settings: Object Audit Options or User Audit Options.
- End of Period Adjustments. Description: This report shows changes to the general ledger at month-, quarter-, or year-end. Required option settings: Object Audit Options.

- History Of Privilege Changes. Description: This report shows changes to user access rights that were elevated or lessened in the database over time. Required option settings: Not required.
- Verification of Audit Settings. Description: This report shows changes to configurable audit parameters. Required option settings: Not required.

HIPAA compliance report templates

- Privilege Changes. Description: This report shows all user account additions, deletions, and changes. Required option settings: Object Audit Options.
- Logins. Description: This report shows all successful and failed login attempts. Required option settings: Not required.
- Security Incident Procedures. Description: This report shows what methods are used to communicate with external systems in case of security incidents. Required option settings: Not required.
- Access to the Assessment Logs. Description: This report shows all activities related to the assessment logs. Required option settings: Not required.
- Access to EPHI Data. Description: This report shows all access and changes to the EPHI data made by any account. Required option settings: Object Audit Options.
- User Privileges on EPHI Data. Description: This report shows all users with access privileges for EPHI data. Required option settings: Object Audit Options.
- Privilege Summary. Description: This report shows all users with privileges. Required option settings: Not required.
- Audit Controls. Description: This report shows all audit settings. Required option settings: Not required.

You cannot use regulatory compliance reports to monitor activity at the column level.

General steps for generating PCI, SOX, and HIPAA reports

1. Configure your target databases. See Pre-configuration for monitoring target databases.
2. Configure the FortiDB connection to your target databases. See Adding (or modifying) a target connection.
3. Configure FortiDB compliance policies. See Configuring PCI, SOX and HIPAA policies.
4. Configure and start monitoring for the target database. For details, see Configuring target database monitoring.
5. Assuming that several violations occurred in your target database, under Reports, go to PCI Reports, Sox Reports, or HIPAA Reports.
6. Select one of the reports and export it:
   - In the Export as field, select the format of the report you want to generate from the dropdown list: PDF, Excel, or CSV.
   - (Optional) Enter a W/P reference and/or Customer name in each field.
   - Enter the Date Range for data retrieval. A date entered in these fields means 00:00 (midnight) of that day. For example, 9/23/09 means 00:00 AM of 9/23/09.
   - Select one or more target databases, or enable the All Targets check box for all databases.
   - (Optional) Set filters to display specific data in the report.
   - Click Export to generate and export the report file.

Report: Abnormal Termination of Database Activity

This report identifies failed database processes (that is, financial transactions) originating from the application server. This report should be reviewed on a daily basis by IT Management.

COBIT objectives

This report is designed to meet the following COBIT objectives:
- DS10.1: Routine transactions and processes between the application and the database are reviewed on a daily basis for successful completion by IT Management.

Setup requirements

Sox Abnormal Termination of Database Activity policy: Object Audit Options and/or User Audit Options.

Report columns

The following columns are displayed in the report body:
- User ID: The ID of the database user that conducted the flagged activity.
- Object: The name and owner of the database object that was directly manipulated by the flagged activity.
- Timestamp: The exact time the flagged activity was conducted.
- Terminal: The terminal IP address or name.
- Origin Application: The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server.
- Action Type: The type of action successfully enacted by the User ID.
- Error Code: The proprietary error code generated by the originating application.

Report: Abnormal or Unauthorized Changes to Data

This report tracks all changes made to data by any account other than the application user account. The report should be reviewed and commented on by appropriate management on a quarterly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:
- AI2.3: Unauthorized changes to data by non-application accounts are tracked and reviewed by IT Management on a quarterly basis.

Setup requirements

Sox Abnormal or Unauthorized Changes to Data policy: Object Audit Options.

Report columns

The following columns are displayed in the report body:
- User ID: The ID of the database user that conducted the flagged activity.
- Object: The name and owner of the database object that was directly manipulated by the flagged activity.
- Timestamp: The exact time the flagged activity was conducted.
- Terminal: The terminal IP address or name.
- Origin Application: The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server.
- Action Type: The type of action successfully enacted by the User ID. By default, all actions are considered unauthorized. If you want, for example, to mark only UPDATEs as unauthorized actions, use the Filters section to filter out the other action types.

Report: Abnormal Use of Service Accounts

This report identifies the use of service accounts and the associated transaction origins. For example, the use of a service account from an origin other than the application server would be identified. The report should be reviewed and commented on by IT Management on a weekly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:
- DS5.3: Database transactions from unauthorized sources are tracked and reviewed by IT Management on a weekly basis.

Setup requirements

Sox Abnormal Use of Service Accounts policy: Object Audit Options and/or User Audit Options.
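The selection rules behind the two SOX templates just described, Abnormal or Unauthorized Changes to Data (every data change by an account other than the application account, optionally narrowed to one action type through the Filters section) and Abnormal Use of Service Accounts (service-account activity from an origin other than the approved application server), can be run directly over audit events. The following is an added example for this section, not FortiDB code: the application account, the service account with its approved (terminal, application) origin, and the events in SAMPLE_EVENTS are all constructed.

```python
"""SOX-style checks over constructed audit events.

This is an added example, not FortiDB code. It reproduces, in plain Python,
the selection logic behind two report templates: 'Abnormal or Unauthorized
Changes to Data' (changes by any account other than the application user
account, optionally limited to some action types) and 'Abnormal Use of
Service Accounts' (service-account activity from an origin other than the
application server). All accounts, hosts and objects below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed configuration (hypothetical accounts, hosts and applications).
APPLICATION_ACCOUNT = "erp_app"
SERVICE_ACCOUNT_ORIGINS = {
    # service account -> approved (terminal, originating application) pairs
    "svc_batch": {("10.0.2.20", "erp-appserver")},
}

# Constructed audit events: user, object (owner.name), time, terminal, app, action.
SAMPLE_EVENTS = [
    {"user": "erp_app", "object": "FIN.GL_ENTRIES", "time": datetime(2017, 3, 16, 9, 0),
     "terminal": "10.0.2.20", "app": "erp-appserver", "action": "UPDATE"},
    {"user": "jsmith", "object": "FIN.GL_ENTRIES", "time": datetime(2017, 3, 16, 9, 5),
     "terminal": "10.0.9.7", "app": "sqlplus", "action": "UPDATE"},
    {"user": "jsmith", "object": "FIN.GL_ENTRIES", "time": datetime(2017, 3, 16, 9, 6),
     "terminal": "10.0.9.7", "app": "sqlplus", "action": "SELECT"},
    {"user": "svc_batch", "object": "FIN.GL_ENTRIES", "time": datetime(2017, 3, 16, 2, 0),
     "terminal": "10.0.2.20", "app": "erp-appserver", "action": "INSERT"},
    {"user": "svc_batch", "object": "FIN.GL_ENTRIES", "time": datetime(2017, 3, 16, 22, 0),
     "terminal": "10.0.9.7", "app": "sqlplus", "action": "INSERT"},
    {"user": "svc_batch", "object": "FIN.VENDORS", "time": datetime(2017, 3, 16, 22, 4),
     "terminal": "10.0.9.7", "app": "sqlplus", "action": "DELETE"},
]

# Statement types that change data; reads are not "changes" for this report.
CHANGE_ACTIONS = {"INSERT", "UPDATE", "DELETE"}


def unauthorized_changes(events, app_account, action_types=None):
    """Rows for 'Abnormal or Unauthorized Changes to Data': data changes by
    any account other than the application account. By default every change
    counts; pass action_types (e.g. {'UPDATE'}) to mimic the Filters section."""
    wanted = CHANGE_ACTIONS if action_types is None else set(action_types)
    return [
        {"User ID": e["user"], "Object": e["object"], "Timestamp": e["time"],
         "Terminal": e["terminal"], "Origin Application": e["app"],
         "Action Type": e["action"]}
        for e in events
        if e["user"] != app_account and e["action"] in wanted
    ]


def abnormal_service_account_use(events, approved_origins):
    """Rows for 'Abnormal Use of Service Accounts': service-account activity
    from a (terminal, application) pair other than the approved application
    server, aggregated per origin with the action count and latest time."""
    agg = defaultdict(lambda: {"Number of Actions": 0, "Timestamp": None})
    for e in events:
        if e["user"] not in approved_origins:
            continue  # not a service account; other reports cover it
        origin = (e["terminal"], e["app"])
        if origin in approved_origins[e["user"]]:
            continue  # expected use from the application server
        row = agg[(e["user"],) + origin]
        row["Number of Actions"] += 1
        if row["Timestamp"] is None or e["time"] > row["Timestamp"]:
            row["Timestamp"] = e["time"]
    return [
        {"User ID": user, "Terminal": terminal, "Originating Application": app, **stats}
        for (user, terminal, app), stats in sorted(agg.items())
    ]


if __name__ == "__main__":
    for row in unauthorized_changes(SAMPLE_EVENTS, APPLICATION_ACCOUNT):
        print("change:", row["User ID"], row["Action Type"], row["Object"], row["Timestamp"])
    for row in abnormal_service_account_use(SAMPLE_EVENTS, SERVICE_ACCOUNT_ORIGINS):
        print("service account:", row)
```

In the sample data the service account's overnight INSERT from the application server is expected and is not reported, while the same account used interactively from a workstation produces one aggregated row with two actions; the interactive DBA's UPDATE to the ledger table appears in the unauthorized-changes rows, and narrowing action_types to UPDATE drops the service account's INSERT and DELETE rows, which is the effect the Filters section has on the report.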

Report columns

The following columns are displayed in the report body:
- User ID: The ID of the database user that conducted the flagged activity.
- Terminal: The terminal IP address or name.
- Originating Application: The name, or other identifier, of the originating application, if the activity originated from an external application or from an application server.
- Number of Actions: The number of actions attempted by the account associated with the User ID.
- Timestamp: The exact time the flagged activity was conducted.

Report: End of Period Adjustments

This report tracks changes to the general ledger at month, quarter, or year end. The report should be reviewed and commented on by appropriate management on a monthly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:
- AI2.3: End of period adjustments to the general ledger are tracked and reviewed by Business Management on a monthly basis.

Setup requirements

Sox End of Period Adjustments policy: Object Audit Options.

Report columns

The following columns are displayed in the report body:
- User ID: The ID of the database user that conducted the flagged activity.
- Object: The name and owner of the database object that was directly manipulated by the flagged activity.

249 Reports PCI, SOX, and HIPAA reports Columns Timestamp Terminal Origin Application Action Description The exact time the flagged activity was conducted The terminal IP address or name The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server The type of action successfully completed by the User ID. General steps for generating PCI, SOX, and HIPAA reports Report: History of Privilege Changes This report tracks privileged changes to database user access rights (that is, granting of privileged or escalated access rights). The report identifies the database account that was changed, the type of privilege that was granted, the date of the change, and the account that initiated the change. The report should be reviewed by both IT and Business Management on a quarterly basis. COBIT objectives This report is designed to meet the following COBIT objectives: Objective Number AI2.4, DS3.5, DS5.3, DS5.4 Description Changes to escalate database user access privileges are tracked for review on a quarterly basis by the IT manager and the application business manager Setup requirements Sox History of Privilege Changes policy: Just enable the policy. No settings of Object Audit or User Audit Options required. Report columns The following columns are displayed in the report body. Columns User ID Grantee Action Description The ID of the database user that conducted the flagged activity The name of the user for whom privileges were changed The type of action successfully enacted by a non-application user account. Actions include UPDATE, INSERT, and GRANT 249

250 PCI, SOX, and HIPAA reports Reports Columns Target Privilege Details Timestamp Description The object on which the privileges were changed The type of object privilege granted to, or revoked from, the grantee. The exact time the flagged activity was conducted. General steps for generating PCI, SOX, and HIPAA reports Report: Verification of Audit Settings This report identifies any changes that have been made to the audit reporting and tracking capability of the database. COBIT objectives This report is designed to meet the following COBIT objectives: Objective Number DS3.5, DS5.5, DS13.3 Description Audit tracking is configured on all financial databases, changes to audit functionality is reviewed by IT Management on a quarterly basis. Setup requirements There are two requirements: 1. At least one of the following types of audit policies must be run in order to collect audit data: Data Policies Privilege Policies: using the audit data retrieval method Metadata Policies: using the audit data retrieval method 2. For tracking audit activity with the Data policies, run the following commands audit system audit; audit audit system; audit audit any; and then Close and Open your database connection in Data policies. Report columns The following columns are displayed in the report body. Columns User ID OS User Description The ID of the database user that conducted the flagged activity The OS User that conducted the flagged activity 250

251 Reports Activity Profiling Reports Columns Object Timestamp Terminal Origin Application Action Description The name and owner of the database object that was directly manipulated by the flagged activity The exact time the flagged activity was conducted The terminal IP address or name The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server The type of action successfully enacted by the User ID. General steps for generating PCI, SOX, and HIPAA reports Activity Profiling Reports FortiDB allows you to export activity profiling information in report form. You filter the information that FortiDB includes in the report by target database and, optionally, by database user and table. For information on managing reports using the Activity Profiling Reports page, see Report management on page 239. Alternatively, you can export the profiling results displayed on the Target DB Activity Profiling page. You cannot add a schedule or configure notification for this type of report. See Viewing and exporting activity profiling results on page 227. To configure and run an activity profiling report 1. On the navigation menu, click Report > Activity Profiling Reports. 2. On the Activity Profiling Reports page, under Name, click Activity Profiling Report. 3. On the General tab, for Name, enter a name for the report and an optional description. Alternatively, you can use the default name (Activity Profiling Report). FortiDB adds the date to the name of each report it generates to distinguish it from any other reports with the default name. 4. Click the Data Filter tab. 5. For Target, select the target database whose activity profiling results you want to include in the report. 6. For DB Login/User, select either All Users or a specific user. 7. In the All Table Name list, select an item and click > (right arrow) to add it to the Selected Table Names list. 
Repeat this step as required until all the tables to include in the report are in the list. 251

252 Activity Profiling Reports Reports To select multiple items, click and item and then Shift-click a second item. Both items and any items between them are selected. Click Control-A to select all items. 8. Optionally, use the Schedule and Notification tabs to configure FortiDB to run the report at a scheduled time and send the report to one or more FortiDB administrators using . For detailed instructions, see Schedule and notification on page Click Save. 10.Do one of the following: If you configured the report to run at a scheduled time, wait for it to run. Click Run to run the report immediately. 11.When the Status value shows that the report no longer running, click [+] (plus sign) to access the instance of the report that you generated. Configuring monitoring using the TCP/IP sniffer (all database types) Activity profiling 252
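As an added example (not FortiDB's own code), the following Python derives rows for the Abnormal Use of Service Accounts and the Abnormal or Unauthorized Changes to Data reports from a few constructed audit records, using the column definitions given above; the AuditRecord fields, the service-account list and the application-server address are assumptions, not FortiDB's data model.

```python
"""Added example, not FortiDB code: derive rows for two of the SOX reports
described above (Abnormal Use of Service Accounts; Abnormal or Unauthorized
Changes to Data) from constructed audit records.

Assumptions: the AuditRecord fields, the service-account list and the
application-server address are invented for this example."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditRecord:
    """One audited statement, with the fields the report columns draw on."""
    user_id: str        # database user that ran the statement
    obj: str            # "OWNER.OBJECT" that was manipulated
    timestamp: datetime
    terminal: str       # terminal IP address or name
    origin_app: str     # originating application, if identifiable
    action: str         # SQL action type, e.g. UPDATE, DELETE, GRANT


# Constructed sample data (hypothetical accounts, addresses and objects).
SERVICE_ACCOUNTS = {"APP_SVC"}
APP_SERVER_TERMINALS = {"10.0.1.20"}   # where APP_SVC is expected to come from
AUDITED_OBJECTS = {"FIN.GL_ENTRIES"}   # object audit option enabled for this table

RECORDS = [
    AuditRecord("APP_SVC", "FIN.GL_ENTRIES", datetime(2008, 1, 8, 9, 0),
                "10.0.1.20", "erp-app", "UPDATE"),
    AuditRecord("APP_SVC", "FIN.GL_ENTRIES", datetime(2008, 1, 8, 22, 15),
                "10.0.5.77", "sqlplus", "UPDATE"),
    AuditRecord("APP_SVC", "FIN.GL_ENTRIES", datetime(2008, 1, 8, 22, 16),
                "10.0.5.77", "sqlplus", "DELETE"),
    AuditRecord("JSMITH", "FIN.GL_ENTRIES", datetime(2008, 1, 9, 10, 30),
                "10.0.9.5", "toad", "SELECT"),
    AuditRecord("JSMITH", "FIN.GL_ENTRIES", datetime(2008, 1, 9, 10, 31),
                "10.0.9.5", "toad", "UPDATE"),
    AuditRecord("JSMITH", "HR.SALARIES", datetime(2008, 1, 9, 10, 32),
                "10.0.9.5", "toad", "UPDATE"),
]


def abnormal_service_account_use(records, service_accounts, app_server_terminals):
    """Rows for Abnormal Use of Service Accounts.

    A service account is flagged when its activity comes from a terminal that is
    not an approved application server. Actions are counted per
    (User ID, Terminal, Originating Application); Timestamp is the most recent
    flagged action for that origin.
    """
    counts = Counter()
    latest = {}
    for r in records:
        if r.user_id not in service_accounts or r.terminal in app_server_terminals:
            continue
        key = (r.user_id, r.terminal, r.origin_app)
        counts[key] += 1
        latest[key] = max(latest.get(key, r.timestamp), r.timestamp)
    return [
        {"User ID": u, "Terminal": t, "Originating Application": a,
         "Number of Actions": n, "Timestamp": latest[(u, t, a)]}
        for (u, t, a), n in sorted(counts.items())
    ]


def unauthorized_changes_to_data(records, audited_objects, action_filter=None):
    """Rows for Abnormal or Unauthorized Changes to Data.

    By default every action on an audited object is reported as unauthorized;
    action_filter (e.g. {"UPDATE"}) keeps only the listed action types, which is
    what narrowing the report in the Filters section achieves.
    """
    rows = []
    for r in records:
        if r.obj not in audited_objects:
            continue
        if action_filter is not None and r.action not in action_filter:
            continue
        rows.append({"User ID": r.user_id, "Object": r.obj,
                     "Timestamp": r.timestamp, "Terminal": r.terminal,
                     "Origin Application": r.origin_app, "Action Type": r.action})
    return rows


if __name__ == "__main__":
    for row in abnormal_service_account_use(RECORDS, SERVICE_ACCOUNTS, APP_SERVER_TERMINALS):
        print(row)
    for row in unauthorized_changes_to_data(RECORDS, AUDITED_OBJECTS, {"UPDATE"}):
        print(row)
```

On the sample data, the service account's two statements from the non-application terminal collapse into one report row with Number of Actions 2, while the same account's statement from the application server is not flagged.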

Archiving audit data

DAM activity auditing and compliance audits that run with alert PCI, SOX, and HIPAA policies generate data that is stored in the FortiDB repository. To conserve repository space and improve performance, you can move this data to archive files that you can return to the repository later.

FortiDB allows you to archive and retrieve the following types of data:
Assessment
Alert
Auditing (includes sniffer activity auditing data and SOX audit data generated by alert SOX policies)

Archiving data exports it to an encrypted file. When you retrieve data, FortiDB imports it back into its repository.

Depending on how often you assess or monitor databases and the number and type of policies and target databases involved, the archive files can consume a large amount of space. To make space available on your appliance, you can move the exported files to remote storage and retrieve them later, if necessary. FortiDB requires an FTP server for remote storage. You cannot use another type of server.

To generate reports using archived data, you first retrieve the data. You cannot retrieve archived data if the target associated with the data is deleted. For example, if you archive assessment data for a target database and then delete the target configuration for that database, you cannot restore the archived assessment data. The day and time that FortiDB created the archive is displayed in the Timestamp column on the Retrieve tab.

You cannot retrieve any data that you have already retrieved. This limitation prevents duplicate records in the FortiDB repository.

Archiving example

In the following illustration, FortiDB archives assessments with a date between January 8, 2008 and January 10. (Because the archive interval starts at 0:00 a.m. on the start date and ends at 0:00 a.m. on the end date, FortiDB does not archive data for January 11.) The assessments for all other dates remain in the repository.

More information

Release Notes McAfee Vulnerability Manager 7.5.8

Release Notes McAfee Vulnerability Manager 7.5.8 Release Notes McAfee Vulnerability Manager 7.5.8 About this release Resolved issues Installation instructions Known issues Find product documentation About this release This document contains important

More information

FortiCache - Administration Guide VERSION 4.2.0

FortiCache - Administration Guide VERSION 4.2.0 FortiCache - Administration Guide VERSION 4.2.0 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE

More information

Online Help StruxureWare Data Center Expert

Online Help StruxureWare Data Center Expert Online Help StruxureWare Data Center Expert Version 7.2.7 What's New in StruxureWare Data Center Expert 7.2.x Learn more about the new features available in the StruxureWare Data Center Expert 7.2.x release.

More information

VMware vcenter Configuration Manager Administration Guide vcenter Configuration Manager 5.7

VMware vcenter Configuration Manager Administration Guide vcenter Configuration Manager 5.7 VMware vcenter Configuration Manager Administration Guide vcenter Configuration Manager 5.7 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Deploy the ExtraHop Discover Appliance 1100

Deploy the ExtraHop Discover Appliance 1100 Deploy the ExtraHop Discover Appliance 1100 Published: 2018-07-17 The following procedures explain how to deploy an ExtraHop Discover appliance 1100. System requirements Your environment must meet the

More information

For reference, V10.0 Detailed Release Notes (August 2015)

For reference, V10.0 Detailed Release Notes (August 2015) Release Notes ================ Product: Release/ Version IBM Security Guardium Guardium v10.0 patch 20 (v10.0.1) Name of file: Combined Fix Pack for v10.0 GA (Nov 18 2015) Completion Date: 2015-December-04

More information

UDP Director Virtual Edition

UDP Director Virtual Edition UDP Director Virtual Edition (also known as FlowReplicator VE) Installation and Configuration Guide (for StealthWatch System v6.7.0) Installation and Configuration Guide: UDP Director VE v6.7.0 2015 Lancope,

More information

FortiManager - Upgrade Guide. Version 5.6.3

FortiManager - Upgrade Guide. Version 5.6.3 FortiManager - Upgrade Guide Version 5.6.3 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT

More information

D-View 7 Software Release Notes

D-View 7 Software Release Notes Server Version: V1.3.0.7 Probe Version: V1.0.6.0 Published: 2017/08/18 These release notes include important information about D-Link D-View 7 Network Management Software. Please verify that these release

More information

FortiNAC. Palo Alto Networks Integration. Version 8.x Date: 8/29/2018. Rev: B

FortiNAC. Palo Alto Networks Integration. Version 8.x Date: 8/29/2018. Rev: B FortiNAC Palo Alto Networks Integration Version 8.x Date: 8/29/2018 Rev: B FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET KNOWLEDGE BASE http://kb.fortinet.com

More information

DupScout DUPLICATE FILES FINDER

DupScout DUPLICATE FILES FINDER DupScout DUPLICATE FILES FINDER User Manual Version 10.3 Dec 2017 www.dupscout.com info@flexense.com 1 1 Product Overview...3 2 DupScout Product Versions...7 3 Using Desktop Product Versions...8 3.1 Product

More information

KYOCERA Net Viewer 5.3 User Guide

KYOCERA Net Viewer 5.3 User Guide KYOCERA Net Viewer. User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

McAfee Web Gateway Administration

McAfee Web Gateway Administration McAfee Web Gateway Administration Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction to the tasks crucial

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 8.3.7.28-8.3.7.6 Manager-Virtual IPS Release Notes McAfee Network Security Platform 8.3 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known

More information

FortiDeceptor - Administration Guide. Version 1.0.1

FortiDeceptor - Administration Guide. Version 1.0.1 FortiDeceptor - Administration Guide Version 1.0.1 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE

More information

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide

IBM Proventia Management SiteProtector Policies and Responses Configuration Guide IBM Internet Security Systems IBM Proventia Management SiteProtector Policies and Responses Configuration Guide Version2.0,ServicePack8.1 Note Before using this information and the product it supports,

More information

InfraStruxure Central 6.0 Release Notes

InfraStruxure Central 6.0 Release Notes InfraStruxure Central 6.0 Release Notes Table of Contents Page # Part Numbers Affected.......1 Minimum System Requirements...1 New Features........1 Issues Fixed....3 Known Issues......4 Upgrade Procedure......6

More information

NetIQ Privileged Account Manager 3.2 Patch Update 3 Release Notes

NetIQ Privileged Account Manager 3.2 Patch Update 3 Release Notes NetIQ Privileged Account Manager 3.2 Patch Update 3 Release Notes March 2018 NetIQ Privileged Account Manager 3.2 P3 resolves some of the previous issues. Many of these improvements were made in direct

More information

FortiTester Handbook VERSION FortiTester Handbook Fortinet Technologies Inc.

FortiTester Handbook VERSION FortiTester Handbook Fortinet Technologies Inc. FortiTester Handbook VERSION 2.3.2 FortiTester Handbook 2.3.2 1 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com

More information