Instruction d'utilisation Fortinet FortiDB

Résumé du contenu de la page N° 1

Utilities User Guide
FortiDB
Version 3.2
www.fortinet.com

Résumé du contenu de la page N° 2

FortiDB Utilities User Guide Version 3.2 December 19, 2008 15-32000-81369-20081219 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiD

Résumé du contenu de la page N° 3

Table of Contents Table of Contents FortiDB MA Utilities ................................................................................................. 3 Auto Discovery......................................................................................................... 4 DB2.....................................................................................................................................6 MS-SQL ...........................................................................

Résumé du contenu de la page N° 4

Table of Contents Report Body Columns .................................................................................................44 Abnormal or Unauthorized Changes to Data Report (AUC).............................................45 COBIT Objectives and Setup Requirements ..............................................................45 Report Body Columns .................................................................................................45 Abnormal Use of Service Accounts Rep

Résumé du contenu de la page N° 5

FortiDB MA Utilities FortiDB MA Utilities FortiDB MA provides several utilities to help you use other modules: • Auto Discovery to ease the burden of manually setting up database connections • Connection Summary to show which database connections are Open or are Open and Running • Rule Chaining to trigger one rule based upon another • Report Manager for custom, offline reports FortiDB Version 3.2 Utilities User Guide 15-32000-81369-20081219 3

Résumé du contenu de la page N° 6

Auto Discovery Auto Discovery FortiDB MA provides the ability to search for, and establish connections to, databases on your network. Rather than manually entering all of the connection information, you can have FortiDB MA automatically discover it for you. Selecting Addresses for Auto-Discovery In order to use this feature: 1 Select the Database->New menu, and click the Auto Discovery button on the Create New Database Connection screen. Or you can just select Auto Discovery from the Main p

Résumé du contenu de la page N° 7

Auto Discovery Selecting Non-Standard Ports for Auto-Discovery 5 Click the Begin Discovery button. Results from Auto-Discovery FortiDB Version 3.2 Utilities User Guide 15-32000-81369-20081219 5

Résumé du contenu de la page N° 8

DB2 Auto Discovery Discovered Database Information Populating Connection Form The process will automatically return: • Database Type and version • IP address (with port if applicable) • Database name/instance Once the Auto Discovery list is returned, you can create, by clicking the Add button on the Discovered Database Applications screen, the database connections you wish to assess or monitor. The additional required and recommended fields will need to be completed manually. (See the FortiD

Résumé du contenu de la page N° 9

Auto Discovery MS-SQL • Destined for port 1434 Note: FortiDB MA sends a packet to port 1434, which MSSQL uses in order to return information about itself such as instance name, version, etc. (Even though this is an MSSQL-specific port number, FortiDB MA uses it for all Auto-Discovery- related transmissions.) • Originating from the port whose number is specified in the dss.udpport property in dssConfig.properties. FortiDB Version 3.2 Utilities User Guide 15-32000-81369-20081219 7

Résumé du contenu de la page N° 10

MS-SQL Connection Summary Connection Summary The Connection Summary utility allows you to see, by FortiDB MA module and in one place, a dashboard view of all of your database connections. Connection Summary Button Connection Summary Output FortiDB Version 3.2 Utilities User Guide 8 15-32000-81369-20081219

Résumé du contenu de la page N° 11

Rule Chaining MS-SQL Rule Chaining 1 The Rule Chaining module allows you to associate rules so that one, the source 2 rule, can influence the execution of another, the target rule. Both rules are established with the same target database. Rule Chaining Setting Screen FortiDB MA offers two types of chained-rule pairs: • Rule pairs in which there are no parameters passed. (In this case, you may use Guarded Items from Privilege Monitor (PM), Metadata monitor (MM), Content Monitor (CM), and Use

Résumé du contenu de la page N° 12

MS-SQL Rule Chaining Configuring a Rule Chain for a Specific Target Database Connection You can perform the following: • Choose the target database (the database you want to run the rules against) • Add item (new chain) • Delete item • View/Modify item (make changes to an existing chain) • Enable item (a chain does not have to be enabled when it is created) • Disable item Rule Chaining Setting Screen FortiDB Version 3.2 Utilities User Guide 10 15-32000-81369-20081219

Résumé du contenu de la page N° 13

Rule Chaining Chaining with Parameterized User-Defined Rules After the database has been specified and you have clicked on [Add Item], you will be presented with the Create Rule Chaining Settings page. Here, you need to: • Name the Rule Chain • Select the policy you want to use as the Source Rule • Select the target rule (Chained Rule) you want to execute, once the first rule had been violated. • Specify whether you want the chain to run immediately upon source-rule violation or not. Run Imme

Résumé du contenu de la page N° 14

Chaining with Parameterized User-Defined Rules Rule Chaining General PUDR Steps The general step for creating a chain that uses a PUDR are: 1 In UBM, define an Object, User, or Session policy that will be your Source Rule. 2 In UBM, define a PUDR that will be your Target Rule 3 In the Rule Chaining module, define a chain which associates the UBM policy and the PUDR. PUDR Process Parameterized User-Defined Rule Flow Diagram The PUDR process involves these steps. 1 The source rule is violated a

Résumé du contenu de la page N° 15

Rule Chaining Chaining with Parameterized User-Defined Rules PUDR Eligible Rules Disabled Parameter Checkboxes If the chosen target rule cannot accept parameters, they will be grayed out. Validating the PUDR before Saving If one or more variables selected do not appear in the PUDR, FortiDB MA presents a warning message. FortiDB Version 3.2 Utilities User Guide 15-32000-81369-20081219 13

Résumé du contenu de la page N° 16

Chaining with Parameterized User-Defined Rules Rule Chaining Chaining the UBM Policy and PUDR Together Associating a Source Rule That Can Pass parameters with a PUDR Example of Chaining to a PL/SQL-based PUDR In this Oracle PL/SQL kill-session example, we: 1 Create a DB user, BAD_GUY, whose session we will monitor, in our Oracle target database. Item Setting for Session Policy FortiDB Version 3.2 Utilities User Guide 14 15-32000-81369-20081219

Résumé du contenu de la page N° 17

Rule Chaining Chaining with Parameterized User-Defined Rules Policy Settings for Suspicious Login Time 2 Create a UBM Session Policy, our Source rule, in order to monitor BAD_GUY and generate an alert to trigger our Target rule, a PUDR. We will pass the Session ID from the Source to the Target rule. 3 Create a Target PUDR, in the UBM module, which will contain the following kill- session code. That code, in turn, will accept our passed Session ID parameter (shown in red): FortiDB Version 3.2

Résumé du contenu de la page N° 18

Chaining with Parameterized User-Defined Rules Rule Chaining DECLARE v_str VARCHAR2(80) := 'ALTER SYSTEM KILL SESSION '||chr(39); v_statementVARCHAR2(80); sesid NUMBER; serial NUMBER; usernameVARCHAR(50); osuser VARCHAR(50); machine VARCHAR(50); program VARCHAR(50); BEGIN SELECT sid, serial#,username,osuser,machine,program INTO sesid,serial,username,osuser,machine,program FROM v$session WHERE audsid =$sessionid; v_statement := v_str||sesid||','||serial||chr(39)||

Résumé du contenu de la page N° 19

Rule Chaining Chaining with Parameterized User-Defined Rules Chained-Rule Alerts: (UBM Session Policy and PUDR) 5 Get an alert when the (the Session Policy) Source rule is violated. 6 Get another alert when the chained PUDR executes and, in this case kills the session of BAD_GUY. 7 And, in the Alert Details dialog, display DB user name, OS user name, machine name, and source-program name as shown above. Resulting Killed Session 8 Notice that our SQLPlus session has been killed Alert Behavior T

Résumé du contenu de la page N° 20

Chaining with Parameterized User-Defined Rules Rule Chaining SELECT username, osuser, terminal FROM v$session WHERE osuser = '$osusername' Multiple Source-Rule-Violation Behavior When using the Rule Chaining feature with PUDRs, you might expect a target- policy alert for each source-policy alert. However, unless there is a change in the passed parameter, there will be only one PUDR alert--despite multiple source- policy alerts. For example, assume you have a session policy for your source rule