FortiDB - Admin Guide Version 5.1.13 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com

FORTINET VIDEO GUIDE https://video.fortinet.com

FORTINET BLOG https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE https://training.fortinet.com

FORTIGUARD CENTER https://fortiguard.com/

END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf


October 31, 2018
FortiDB 5.1.13 Admin Guide
00-400-000000-20181031

TABLE OF CONTENTS

What's new 11
Introduction 15
FortiDB tutorials 16
Tutorial: Generating a vulnerability assessment (VA) report 16
Tutorial: Monitoring a table using the TCP/IP sniffer 19
Tutorial: Monitoring a database table using the native auditing feature 23
Tutorial: Monitoring changes to metadata 26
Tutorial: Generating PCI, SOX, and HIPAA compliance reports 28
Installation (software-only) 31
System requirements 31
Preparing to install 32
Configuring the FortiDB repository database 33
Configuring a PostgreSQL repository 33
Configuring an Oracle repository 34
Configuring a Microsoft SQL Server repository 35
UNIX/Linux installation 36
Windows installation 37
Confirming the installation 37
Starting or stopping FortiDB 38
Installing a new license 38
Managing disk space 39
Useful directories, files, and folders 39
Log files for troubleshooting 40
General logs 40
Tomcat logs 41
Upgrading FortiDB 41
How to set up your FortiDB 42
Registering your FortiDB 42
Planning the network topology for database activity monitoring (DAM) 42
Connecting to the web UI and CLI 43
Updating the firmware 43
Upgrading the firmware 44
Installing FortiDB firmware 45
Changing the "admin" account password 46
Setting the system time 47
Configuring the network settings 49
Configuring network settings using the web UI 49
Configuring network settings using the CLI 51
Backups 52
Administrators 53
Configuring permissions 54
Privileges by license type (software-only FortiDB) 55
Viewing and exporting an administrator report 56
FortiMonitor administrator 58
Advanced/optional system settings 59
System information and settings 59
Changing the FortiDB host name 60
Global configuration 60
Assessment properties 61
Notification properties 63
Reporting properties 65
User Profile/Security properties 65
Target properties 66
LDAP Server properties 67
Monitor properties 68
Connecting to target 69
Pre-configuration for monitoring target databases 69
Network requirements for monitoring using the TCP/IP sniffer 69
Oracle target database pre-configuration 70
MySQL target database pre-configuration 74
Sybase target database pre-configurations 75
DB2 target database pre-configuration 80
Microsoft SQL Server target database pre-configuration 83
Privileges required by the database user 83
Privileges for VA assessments, privilege summaries, and penetration tests 83
Privileges for monitoring data 88
Privileges for monitoring privileges 89
Privileges for monitoring metadata 90
Managing targets 91
Columns 91
Buttons and fields 91
Searching or filtering the target list 92
Adding (or modifying) a target connection 93
Configuring DB2 options 94
Configuring SSH connections to Oracle and DB2 databases 94
SSH environment requirements (software-only version) 95
Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX 96
Exporting target information 97
Importing targets 97
Managing target groups 99
Pre-defined target groups 99
Adding or modifying a target group 99
Auto-discovery 100
How to discover DB2 databases 100
How to discover Microsoft SQL Server 100
Running auto-discovery 101
Adding targets from auto-discovery 101
Vulnerability assessment (VA) policies 103
Types of VA policies 103
Updates to VA policies 103
Exporting and importing VA policies 104
VA policy version 104
VA policy groups 104
VA policy states 105
Keywords and user keywords for VA policies 105
Managing VA pre-defined policies 106
Importing pre-defined policies (appliance) 107
Importing pre-defined policies (software-only FortiDB) 108
OS-Level pre-defined policies 108
VA user-defined policies 114
Adding user-defined policies 115
Deleting user-defined policies 116
Exporting user-defined policies 117
Importing user-defined policies 117
VA policy groups 118
Adding VA policy groups 118
Modifying VA policy groups 119
Deleting VA policy groups 120
Penetration tests 120
Connection options for penetration tests 121
Files used for penetration tests 121
Configuring and running penetration test assessments 122
Data discovery policies and policy groups 124
Managing data discovery policies 124
Data discovery policy groups 125
Database Activity Monitoring (DAM) policies 126
Types of DAM policies 126
Managing DAM policies 127
Configuring policy information for a policy 128
Automatically generating alert policies 129
Data policies 130
Configuring a table policy 130
Configuring a table and column policy 135
Configuring a session policy 136
Configuring a user policy 139
Configuring a database policy 144
Configuring a database query policy 144
Privilege policies 146
Oracle privilege policies 147
Microsoft SQL Server privilege policies 148
Sybase privilege policies 148
DB2 privilege policies 149
MySQL privilege policies 150
Metadata policies 150
Oracle metadata policies 151
Microsoft SQL Server metadata policies 152
Sybase metadata policies 152
DB2 metadata policies 153
MySQL metadata policies 153
PCI, SOX, and HIPAA alert policies 154
Configuring PCI, SOX and HIPAA policies 154
Selecting which tables to track for PCI, SOX and HIPAA reports (Object Audit Options) 155
Select users to audit for PCI and SOX reports (User Audit Options) 156
Alert and audit policy groups 156
Creating or modifying an alert or audit policy group 157
Adding policy groups to target database monitoring 158
Deleting a policy group 158
Vulnerability assessment 159
Adding or modifying assessments 159
Running assessments 160
Configuring assessment notifications 161
Selecting the type of report an assessment generates 164
Reviewing, deleting, and aborting assessment results 165
View VA global summary information 166
Assessment history 167
Assessments History tab 167
Scheduled Reports tab 167
Import or export assessment history 167
Viewing and exporting a privilege summary 168
DB-Type Distinctions 169
Sensitive data discovery 170
Manage sensitive data discovery 170
Running sensitive data discovery 171
Viewing sensitive data discovery reports 171
Viewing VA and sensitive data discovery event logs 171
Database activity monitoring (DAM) 173
Managing target monitoring 173
Target monitoring configuration tabs and options 174
Configuring target database monitoring 176
Configuring monitoring using the TCP/IP sniffer (all database types) 177
Configuring Microsoft SQL Server monitoring 178
Configuring DB2 monitoring 179
Configuring Sybase monitoring 179
Configuring MySQL monitoring 180
Configuring Oracle monitoring 181
Adding alert and audit policies to monitoring 182
Adding policy groups to target monitoring 183
Sending alert notifications 183
FortiDB event to ArcSight data field mapping 185
Blocking invalid access while monitoring 185
Excluding policies from the Alert Policy settings (whitelist) 186
Displaying the history of issued audit commands 188
Oracle audit management 189
Microsoft SQL Server audit management 190
DB2 audit management 190
Viewing alerts 191
Changing the status of and annotating alerts 193
Exporting the alert list as a report 193
Filtering and searching alerts 193
Alert details 194
Alert group 195
Add, edit, or delete an alert group 195
Pre-defined alert groups 195
Data filter for an alert group 196
Alerts summary 196
Alerts analysis 197
Viewing audit records (activity auditing results) 198
Filtering and searching the audit record list 199
Viewing audit record details 199
Audit group 200
Add, edit, or delete an audit group 200
Pre-defined audit groups 200
Data filter for an audit group 201
Activity profiling 201
Viewing status and summary information for activity profiling 201
Viewing and exporting activity profiling results 202
SOX audit 204
Logs 205
Local monitoring log 205
Local audit trail 205
Viewing and managing the audit trail records 206
Examples of audit trail records 207
Reports 208
Vulnerability assessment (VA) reports 208
DAM reports 208
Report files saved to disk 209
Other reports you can export 209
Pre-defined VA reports 209
Assessment reports 210
Policy reports 211
Sensitive data discovery reports 211
User-defined VA reports 211
Managing user-defined reports 212
Viewing scheduled VA reports 213
Pre-defined DAM reports 213
User-defined DAM reports 214
Report management 214
Filtering report data 215
Configuring data displays 216
Schedule and notification 216
PCI, SOX, and HIPAA reports 218
General steps for generating PCI, SOX, and HIPAA reports 220
Report: Abnormal Termination of Database Activity 221
Report: Abnormal or Unauthorized Changes to Data 221
Report: Abnormal Use of Service Accounts 222
Report: End of Period Adjustments 223
Report: History of Privilege Changes 224
Report: Verification of Audit Settings 225
Activity Profiling Reports 226
Archiving audit data 228
Archiving example 228
Archiving strategy 229
Archiving data 229
Using the command line interface (CLI) 231
Connecting to the CLI 231
Command syntax 231
Specifying file names and locations in commands 231
Entering spaces in command strings 231
Entering quotation marks in strings 232
Entering a question mark (?) in a string 232
Special characters that are not permitted in commands 232
Specifying IP address formats in commands 232
Notation 232
Tips & tricks 233
Help 233
Completing commands automatically 234
Recalling commands 234
Editing commands 234
Breaking a long command 234
Abbreviating commands 234
Overview of commands 235
config 237
config system admin setting 237
config system backup all-setting 238
config system debug-filter 239
config system dns 240
config system global 241
config system interface 242
config system mapping 243
config system ntp 244
config system raid 244
config system route 246
execute 247
execute backup all-settings 247
execute backup configurations 248
execute backup fd-tcpdump 249
execute backup-remove fd-archive 250
execute backup-remove fd-report 251
execute backup-remove fd-tcpdump 251
execute date 252
execute format disk 253
execute generate certificate 253
execute ping 253
execute raid rebuild 254
execute reboot 254
execute reset 254
execute restart 255
execute restore all-settings 255
execute restore configurations 256
execute restore fd-archive 257
execute shutdown 257
execute time 258
execute top 258
execute traceroute 259
show 259
show system admin setting 260
show system backup all-settings 260
show system dns 261
show system global 261
show system interface 261
show system ntp 262
show system route 262
get 263
Example 263
set 263
Example 263
diagnose 264
diagnose counter memory 265
diagnose counter misc 265
diagnose counter packet 265
diagnose counter parser 266
diagnose counter session 266
diagnose debug application control basic 267
diagnose debug application housekeep basic 267
diagnose debug application parser basic 267
diagnose debug application parser packet 268
diagnose debug application sniffer abnormal 268
diagnose debug application sniffer basic 268
diagnose debug application sniffer block-ip 269
diagnose debug application sniffer block-session 269
diagnose debug application sniffer ip-reassemble 269
diagnose debug application sniffer malformed-packet 270
diagnose debug application sniffer packet 270
diagnose debug application sniffer tcp-reassemble 271
diagnose log show|tail|remove 271
diagnose mapping debug 272
diagnose mapping reset 272
diagnose mapping status 272
diagnose system coredump check 272
diagnose system coredump export 273
diagnose system export fd_log 274
diagnose system raid list 274
diagnose tcpdump start|stop 275
diagnose tcpdump status 276
diagnose network interface list 276
diagnose network interface detail 276


What’s new

The following features are new or have changed since FortiDB 5.1. For upgrade information, see the release notes available with the firmware and Updating the firmware on page 43.

FortiDB 5.1.13

- Fix OpenSSH vulnerability — This release fixes a user-enumeration vulnerability in OpenSSH, which did not delay bailout for an invalid authenticating user until after the packet containing the request had been fully parsed (CVE-2018-15473).

- Fix tcpdump vulnerabilities — This release fixes a tcpdump buffer overflow in the sliplink_print function (CVE-2017-11543) and a buffer overflow in the tcpdump protocol parsers in util-print.c:bittok2str_internal (CVE-2017-13011).

- Fix RC4 algorithm vulnerability — This release fixes the known RC4 algorithm vulnerability that allows remote attackers to conduct plaintext-recovery attacks using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue (CVE-2015-2808).

- Upgrade Tomcat server to 7.0.94 — This release applies the Apache fixes for Tomcat vulnerabilities affecting versions before 7.0.94. See https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities.

FortiDB 5.1.11

- Patch release only.

FortiDB 5.1.10

- Disk partitioning requirement — If you are upgrading from a version older than 5.1.8, you MUST repartition the hard disk to ensure FortiDB works properly.

- Support "Flashback" for Oracle XML agent — Two metadata DAM alert policies have been added in Oracle XML agent mode to cover flashback table and flashback database operations.

- Update SybaseIQ for VA — Twelve (12) VA policies have been added for SybaseIQ.

- MongoDB VA SSL connection support — Support for SSL connections has been added to MongoDB VA.

- MongoDB VA YAML-type configuration file support — Support for YAML-type configuration files has been added to MongoDB VA.

FortiDB 5.1.9

- Fix for glibc vulnerability — This release fixes a bug in the glibc open source library that made the product vulnerable to denial of service and other types of attacks (CVE-2015-7547).

- Software support for FortiDB 1000B — FortiDB 5.1.9 and higher software is not supported on model 1000B.

- Software version support — This release is supported on hardware versions of the product only. (The glibc vulnerability (CVE-2015-7547) does not affect the software versions of the product.)

FortiDB 5.1.8

- Vulnerability assessment (VA) for MongoDB and Oracle 12c — FortiDB now supports VA for MongoDB version 2.6 and Oracle 12c.

- DAM using the TCP/IP sniffer supports Microsoft SQL RPC variables and commands — FortiDB can now match DAM policies by parsing the values generated by remote procedure call (RPC) operations (for example, those generated by right-clicking in client-side database tools such as SQL Studio) and translating SQL commands beginning with 'rpc executesql' into standard SQL commands.

- Reconnect when target is offline and send email notification — When a target is offline, FortiDB now makes up to 5 attempts to reconnect. FortiDB sends an email notification to an administrator if a connection fails.

- Disk usage detection and reserve — FortiDB now reserves 1% of free disk space to help prevent system crashes.

FortiDB 5.1.7

- Oracle 12c support for DAM — For Oracle 12c, FortiDB now supports Database Activity Monitoring (DAM) using both the TCP/IP packet sniffer and native, audit-based data collection methods.

- Support for Oracle syslog data collection — Oracle syslog data collection is now available when you use sniffer-based data collection. For more information, see Using the SYSLOG utility to collect audit data on page 73.

- Fdbagent supports AIX and Linux 6 — For DAM, you can now use the Oracle XML file agent or the DB2 agent to monitor databases installed on AIX 6 and Linux 6.

- Monitor synonyms — You can now monitor synonyms (an alternative name for a database element such as a table, view, sequence, or procedure) on Oracle databases.

- PostgreSQL support for DAM — DAM can now monitor PostgreSQL databases when you use sniffer-based data collection.

- Configuration backup via CLI — You can now back up your FortiDB configuration using CLI commands, without backing up audit and other data. For more information, see execute backup configurations on page 248.

- Security enhancements — A number of security enhancements have been added to address current threats and SSL-related issues.

- Support for Microsoft SQL RPC (remote procedure call) in native audit mode — FortiDB now supports RPC when it monitors a Microsoft SQL Server database using the native auditing feature.

- DB2 version 10.x support for both VA and DAM — DAM and VA now support newer versions of IBM DB2.

- Troubleshooting enhancements — FortiDB now provides more CLI commands that retrieve diagnostic data. For more information, see diagnose system coredump check on page 272 and diagnose system coredump export on page 273.

FortiDB 5.1.6

- HIPAA compliance reports — In addition to SOX and PCI reports, FortiDB now has pre-defined HIPAA (Health Insurance Portability and Accountability Act) reports to help customers meet regulatory requirements. See PCI, SOX, and HIPAA reports on page 218.

- SQL string detection in Alert policies — You can now specify a SQL string to detect in a Table and Column DAM alert policy. This is useful for detecting attacks that use SQL injection. See Configuring a table and column policy on page 135.

- Support for encrypted Oracle traffic for database activity monitoring (DAM) — FortiDB can now monitor encrypted Oracle traffic in sniffer mode. See Monitoring encrypted Oracle traffic on page 73.

- Exclude policies from vulnerability assessment (VA) scans — You can now exclude policies from VA scans of specific targets. This feature allows you to scan databases with different policy sets without creating new scans for each case. See Adding or modifying assessments on page 159.

- SybaseIQ support for VA — FortiDB now supports SybaseIQ for VA. (Penetration test and DAM are not supported.) See Adding (or modifying) a target connection on page 93.

- Performance enhancement — FortiDB now has an internal alert policy pre-filter that speeds up alert data processing.

FortiDB 5.1.5

- Tomcat upgrade — Tomcat (one of FortiDB's internal components) has been upgraded to eliminate vulnerabilities found in the older version.

- Mitigate vulnerability related to Bash (CVE-2014-6271) — FortiDB used Bash to provide shell access in its debug builds. It has been replaced to eliminate the CVE-2014-6271 vulnerability.

FortiDB 5.1.4

- Support for SQL Server 2014 VA — You can now scan the latest MS SQL Server platform for vulnerabilities.

- TCP/IP sniffer optimized for better performance and stability — Throughput and performance of the sniffer-based data collection method have been improved.

- Enhanced diagnose mode — FortiDB has a new command set that allows you to troubleshoot more efficiently. See Using the command line interface (CLI) on page 231.

- Security enhancements — Enhanced protection against Cross Frame Scripting (XSS), and cache control to prevent data from being saved by the browser.

FortiDB 5.1.3

- Internal message queuing mechanism enhancement — The internal message queuing mechanism was upgraded. This improves the stability of data collection in high transaction volume environments.

- Support for online context in help — FortiDB now supports online context in Help. This allows more comprehensive searches and more up-to-date information for end users.

- Support for partitions larger than 2TB in 3000D — The larger partition size enables more efficient audit data storage in the 3000D appliances. For information on adjusting the RAID level for the FortiDB 3000D and other models, see config system raid on page 244.

- Email notification enhancement — This enhancement alleviates the problems associated with configuring reports in the notification section of the Monitor setup.

FortiDB 5.1.2

- No design changes. Bug fixes only.

FortiDB 5.1.1

- Support for FortiDB 1000D appliance — FortiDB 1000D is a stronger, faster platform supporting up to 30 databases that replaces the FortiDB-1000C.

- tcpdump — FortiDB now includes tcpdump, a packet analyzer that you access using the command-line interface (CLI). tcpdump provides a reliable way for FortiDB deployments that use the TCP/IP sniffer to collect traffic data for troubleshooting purposes.


Introduction

Welcome, and thank you for selecting Fortinet products for your network. FortiDB software is a comprehensive security and compliance platform that helps large enterprises and cloud-based service providers protect their databases and applications from internal and external threats. Its flexible policy framework allows you to quickly and easily implement internal IT control frameworks for database activity monitoring, IT audit, and regulatory compliance.


FortiDB tutorials

Use the FortiDB tutorials to quickly create a basic, working assessment and monitoring configuration for your environment and to familiarize yourself with the web UI. For initial installation instructions (for the software-only version) and initial product configuration, see Installation (software-only) on page 31 and How to set up your FortiDB on page 42.

See also

- Tutorial: Generating a vulnerability assessment (VA) report on page 16
- Tutorial: Monitoring a database table using the TCP/IP sniffer on page 19
- Tutorial: Monitoring a database table using the native auditing feature on page 23
- Tutorial: Monitoring changes to metadata on page 26
- Tutorial: Generating PCI, SOX, and HIPAA compliance reports on page 28

Tutorial: Generating a vulnerability assessment (VA) report

The following example FortiDB configuration provides step-by-step instructions for creating a vulnerability assessment (VA) report for an Oracle target database. To complete this example, the database user that FortiDB connects with requires the following privileges on the Oracle target database:

- CREATE SESSION
- SELECT_CATALOG_ROLE
- SELECT ON:
  - SYS.AUDIT$
  - SYS.REGISTRY$HISTORY
  - SYS.USER$
  - SYS.LINK$
  - SYSTEM.SQLPLUS_PRODUCT_PROFILE

For requirements for other types of target databases, see Privileges for VA assessments, privilege summaries, and penetration tests on page 83.

Use the following steps to complete this tutorial:

- Create a FortiDB administrator on page 17
- Create a target on page 17
- Create a target group on page 18
- Run a vulnerability assessment of the target group on page 18
- View the assessment results as a report on page 19
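One way to provision the Oracle account that FortiDB connects with for this tutorial is to grant it exactly the privileges listed above and then list what the account actually holds, so you can confirm nothing beyond that list was granted before the credentials go into the target definition. This is an added example and not a script from the FortiDB guide or from Fortinet; the user name fortidb_va, the password placeholder, the tablespace names, and the use of SYS.AUD$ for the audit-trail table are assumptions.

```sql
-- Added example (not from the FortiDB guide): least-privilege Oracle account
-- for the VA tutorial target. Run as SYS or another DBA. In a 12c multitenant
-- database, run it inside the PDB that FortiDB will assess (assumption).
-- Replace <strong-password> before running; the tablespace names are assumed.

CREATE USER fortidb_va IDENTIFIED BY "<strong-password>"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;             -- the scanner only reads; it never stores rows

-- Connect privilege and the catalog role listed in the guide
GRANT CREATE SESSION TO fortidb_va;
GRANT SELECT_CATALOG_ROLE TO fortidb_va;

-- Object-level SELECT grants from the guide's list. The guide writes the
-- audit-trail table as SYS.AUDIT$; SYS.AUD$ is the Oracle base table and is
-- assumed here to be what is meant. Adjust if your site differs.
GRANT SELECT ON SYS.AUD$ TO fortidb_va;
GRANT SELECT ON SYS.REGISTRY$HISTORY TO fortidb_va;
-- SYS.USER$ exposes password hashes: this grant is the main reason the
-- scanner account should be dedicated, audited, and never shared.
GRANT SELECT ON SYS.USER$ TO fortidb_va;
GRANT SELECT ON SYS.LINK$ TO fortidb_va;
GRANT SELECT ON SYSTEM.SQLPLUS_PRODUCT_PROFILE TO fortidb_va;

-- Verification: everything the account holds, in one result set. Review it
-- before entering the credentials in FortiDB; any row not matching the grants
-- above (CONNECT/RESOURCE, DBA, UNLIMITED TABLESPACE, ...) is excess privilege.
SELECT 'SYS PRIV' AS kind, privilege AS name, admin_option AS opt
  FROM dba_sys_privs  WHERE grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'ROLE', granted_role, admin_option
  FROM dba_role_privs WHERE grantee = 'FORTIDB_VA'
UNION ALL
SELECT 'TAB PRIV', owner || '.' || table_name || ' (' || privilege || ')', grantable
  FROM dba_tab_privs  WHERE grantee = 'FORTIDB_VA'
ORDER BY 1, 2;
```

Re-run the verification query after each assessment cycle or privilege review; the expected output is one row per GRANT above and nothing else.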


Create a FortiDB administrator

The FortiDB admin account is required for administrative tasks related to vulnerability assessment (VA) (for example, making backups and creating new accounts). However, for general VA tasks, Fortinet recommends that you create additional administrators with appropriate roles so that you can separate duties.

1. Log in to FortiDB using the following credentials:

   User Name: admin
   Password: fortidb1!$

2. In the navigation menu (on the left side of the web UI), click Administration to expand it, and then click Administrators.
3. On the Administrators page, click Add.
4. On the General tab, enter information in the fields marked with an asterisk (*). For this example, for User Name, enter vauser. For Password, enter fdb!23.
5. On the Roles tab, for Available Roles, select the following options, and then click the right arrow (>) to add them to the Assigned Roles list:

   - Target Manager
   - Operations Manager
   - Report Manager

6. Click Save.
7. To log out the admin user, click the Logout icon at the top-right of the screen.

Create a target

A target specifies a database for FortiDB to assess.

1. Log in to FortiDB as the vauser user with the password fdb!23. Because vauser cannot view or create other users, Administration is not displayed in the navigation menu.
2. In the navigation menu, go to Target > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:

   Name: vatarget
   Type: Oracle
   DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
   Port: The number of the port the database uses; the default port is 1521
   DB Name: The name of the database (for example, orcl)
   User Name: The database user name
   Password: The password for the database user

5. To verify that the connection parameters are correct, click Test Connection. The message "Success" is displayed at the top of the page.
6. Click Save. The vatarget item is displayed in the list of targets.

Create a target group

1. In the navigation menu, click Target Database Server > Target Groups.
2. On the Target Groups page, click Add.
3. On the Targets page, for Group Name, enter a name for your group. For this example, enter mygroup.
4. To filter the list of targets, select the following values:

   Column: Name
   Operator: Contains
   Value: All or part of the name of the target (for example, vatarget or targ)

5. Click Search.
6. Ensure that only the target you created (vatarget) is displayed in the list, and then, to the right of the Group Name field, click Save Group.
7. To verify that the target group you created is in the list of target groups, click Target Database Server > Target Groups.

Run a vulnerability assessment of the target group

1. In the left-side menu, go to Vulnerability Assessment > Assessments.
2. On the Assessments page, click Add.
3. For Assessment Name, enter a name for your new assessment. For this example, enter myscan.
4. To add a target group to your assessment, on the Assessment page, click the Targets tab.
5. In the Available Target Groups list, select mygroup (the target group that you just created), and then click the right arrow (>) to move mygroup to the Assigned Target Groups list.
6. To add policies to your assessment, click the Policies tab.
7. In the Available Policy Groups list, select Oracle Policy Group, and then click the right arrow (>) to move Oracle Policy Group to the Assigned Policy Groups list. When you select a policy group in the Available Policy Groups or Assigned Policy Groups list, the group's policies are displayed in the Active Policies list. Although you can select items in the Active Policies list, you cannot use this list to select policies to execute.
8. Click Save. On the Assessments page, the myscan assessment is displayed.
9. To run your newly created assessment, select the check box for the myscan item, and then click Run. In this example, you run the assessment manually and view the results in the web UI. However, FortiDB also allows you to schedule assessments and configure email and SNMP-trap notifications of assessment results. (See Running assessments on page 160 and Sending alert notifications on page 183.) After approximately a minute, a stop date and time is displayed in the Last Run Time column of the myscan item.


View the assessment results as a report

FortiDB provides several pre-defined reports that can help you analyze your assessments. This example uses the Target Summary Failed Report to view the assessment results. This report summarizes failed policies by number and type.

1. In the navigation menu, go to Report > Pre-Defined VA Reports.
2. On the Pre-Defined Reports page, click Target Summary Failed Report.
3. On the Vulnerability Assessment Target Summary Failed Report page, select the following values:

   Assessment Name: myscan
   Assessment Time: A date and time when FortiDB ran myscan
   Target: The target group associated with myscan (for this example, vatarget)

   On the Target Information tab, the parameters of the selected assessment are displayed.
4. Click the Preview Report tab. After FortiDB compiles it, the report is displayed.
5. To view your report in another format, at the bottom of the page, for Export as, select one of the following formats, and then click Export:

   - PDF (.pdf)
   - Excel (.xls)
   - Tab (.txt) (tab-delimited)
   - CSV (.csv) (comma-separated values)

See also

- Administrators on page 53
- Connecting to target databases on page 69
- Adding or modifying a target group on page 99
- Vulnerability assessment (VA) policies on page 103
- Adding or modifying assessments on page 159
- Reports on page 208

Tutorial: Monitoring a database table using the TCP/IP sniffer

You can configure FortiDB to use a TCP/IP packet sniffer to monitor specific tables in a database and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report.

Database activity monitoring (DAM) using the TCP/IP sniffer is only available with the FortiDB appliance. DAM does not work with the software version of FortiDB.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 70.


The TCP/IP sniffer for DAM requires the following network environment and connections:

- The database server and clients use the TCP/IP protocol, and all database activity takes place on the LAN.
- The network switch that FortiDB and the database server are connected to supports the port mirroring feature.
- One of the FortiDB Ethernet ports is connected to the switch's mirror port (also known as a SPAN port). This port allows FortiDB to receive copies of all network traffic that is associated with the database.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):

   User Name: admin
   Password: fortidb1!$

   All DAM tasks require the user to log in as admin.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:

   Name: damtarget
   Type: Oracle
   DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
   Port: The number of the port the database uses; the default port is 1521
   DB Name: The name of the database (for example, orcl)
   User Name: The database user name
   Password: The password for the database user
   DB Activity Monitoring: Select Allow.

5. To verify that the connection parameters are correct, click Test Connection. The message "Success" is displayed at the top of the page.
6. Click Save. The damtarget item is displayed in the list of targets.

Configure an alert policy for a database table

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management. Your target database is listed on the Target Monitoring Management page. 2. Click damtarget (the name of the target you created). 3. On the General tab, use the following values to complete the Audit Configuration settings:

FortiDB 5.1.13 Admin Guide 20 Fortinet Inc. FortiDB tutorials

Collection Method TCP/IP Sniffer

Version The database version (9, 10g, 11g, 12c)

Sniffer on Port The FortiDB appliance port that is connected to the switch's mirror port

Enable Activity Auditing Selected

Log All Selected

Enable Activity Profiling Selected

When you create a target monitoring configuration, selecting Enable Activity Auditing, Log All, or Enable Activity Profiling is optional.

4. Click Save.

5. Click the Alert Policies tab.

6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.

7. On the Target Monitor: page, configure a table policy using the following values:

Policy Name Enter a policy name or use the default name

Description Enter an optional description

Enable Selected

Create new policy group for policy check box Selected

Severity Informational (the default) or other value

When you create a table policy, selecting Enable or Create new policy group for policy check box is optional.

8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target.

9. For Schema, select a schema to use (for example, SCOTT).

10. In the Tables list, select a table to monitor (for example, EMP). To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.

11. Under Audit Actions, select Read, Write, or both.

12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.

13. Move any other tables you want to monitor to the Selected Objects table.

14. Beside Alert Rule, click the triangle icon to view the settings.

15. Select Issue alert if ANY of the enabled rules are triggered.

16. Select Security Violation (selected by default).

17. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.

18. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.

19. Select Alert any successful access if the database matches a selected entry.

20. Select Save. On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.


Confirm the policy group was created and start monitoring

1. Click the Alert Policy Groups tab.

2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.

3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.

4. To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute one or more SQL statements that generate alerts.

2. To view alerts, click DB Activity Monitoring > Security Alerts.

3. In the Security Alerts list, click an item to display its details under Alert Details (below the list). To hide the alert details, beside Alert Details, click the triangle icon.

4. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.

5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.

6. Click the Table View tab.

7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.

8. Click Save.

9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.

10. After FortiDB has run the report, beside the report name, click [+] (plus sign). A list of items with names created from the report name and run times is displayed.

11. Click a run report item to view the report.

12. To export the report, click one of the following file format icons:

• PDF

• TXT (tab-delimited)

• XLS (Excel)

• CSV (comma-separated values)

Your browser prompts you to download a file of the specified format.

View activity auditing and profiling

1. To view activity auditing, go to DB Activity Monitoring > Activity Auditing. Database activity events for the specified dates are displayed.

2. Click an event to display its details under Activity Event Details (below the list).

3. To check activity profiling, click DB Activity Monitoring > Activity Profiling. The Target DB Activity Profiling page lists the profiling status and summary information for the targets that FortiDB is monitoring.

4. To view details, click the name of the target.


See also

• Connecting to target databases on page 69

• Configuring monitoring using the TCP/IP sniffer (all database types) on page 177

• Data policies on page 130

• Viewing alerts on page 191

• User-defined DAM reports on page 214

• Viewing audit records (activity auditing results) on page 198

• Activity profiling on page 201

Tutorial: Monitoring a database table using the native auditing feature

You can configure FortiDB to use your database’s auditing features to monitor specific database tables and generate alerts based on policies you specify. For example, you can configure FortiDB to generate alerts when it detects security violations or suspicious database users. You can then use the alert information to generate a report.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 70.

FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED. For a description of other collection methods, see Configuring Oracle monitoring on page 181.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):

User Name admin

Password fortidb1!$

All DAM tasks require the user to log in as admin.

2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is an Oracle database:

Name dam2target

Type Oracle

DB Host Name/IP The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)

Port The number of the port the database uses; the default port is 1521


DB Name The name of the database (for example, orcl)

User Name The database user name

Password The password for the database user

DB Activity Monitoring Select Allow.

5. To verify that the connection parameters are correct, click Test Connection. The message "Success" is displayed at the top of the page.

6. Click Save. The dam2target item is displayed in the list of targets.

Configure an alert policy for a database table

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management. Your target database is listed on the Target Monitoring Management page.

2. Click dam2target (the name of the target you created).

3. On the General tab, confirm that the following default Audit Configuration values are selected:

Collection Method DB, EXTENDED

Polling Frequency 60 (default value)

4. To test the collection method, click Test. The message "Success" is displayed at the top of the page.

5. Click the Alert Policies tab.

6. At the bottom-left of the page, for Data Policies, select Table, and then click Add.

7. On the Target Monitor: page, configure a table policy using the following values:

Policy Name Enter a policy name or use the default name

Description Enter an optional description

Enable Selected

Create new policy group for policy check box Selected

Severity Informational (the default) or other value

When you create a table policy, selecting Enable or Create new policy group for policy check box is optional.

8. Beside Audit Settings, click the triangle icon to view the settings, and then select Browse Object by Target (the default value).

9. For Schema, select a schema to use (for example, SCOTT).

10. In the Tables list, select a table to monitor (for example, EMP). To select multiple tables, click a table, and then Shift-click another table in the list. All tables between the two tables are selected.

11. Under Audit Actions, select Read, Write, or both.

12. Click > (right arrow) to move the selected tables and their Audit Action settings to the Selected Objects table.

13. Move any other tables you want to monitor to the Selected Objects table.

14. Select Issue alert if ANY of the enabled rules are triggered.


15. Select Security Violation (selected by default).

16. Select Suspicious Database Users, and then click the triangle icon beside it to view additional settings.

17. Select one or more user names, and then click > (right arrow) to move them to the Selected users list.

18. Select Alert any successful access if the database matches a selected entry.

19. Select Save. On the Alert Policies tab, the new policy is listed. The green up-arrow in the Status column indicates that the policy is enabled.

Confirm the policy group was created and start monitoring

1. Click the Alert Policy Groups tab.

2. In Selected Policy Groups, confirm that FortiDB created a policy group based on the alert policy that you created.

3. In Selected Policy Groups, select the new policy group, and then confirm that the alert policy that you created is displayed in the Selected Policy Group contents list.

4. To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute several SQL statements that generate alerts.

2. To view alerts, click DB Activity Monitoring > Security Alerts.

3. In the Security Alerts list, click an item to display its details under Alert Details (below the list). To hide the alert details, beside Alert Details, click the triangle icon.

4. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.

5. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.

6. Click the Table View tab.

7. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.

8. Click Save.

9. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.

10. After FortiDB has run the report, beside the report name, click [+] (plus sign). A list of items with names created from the report name and run times is displayed.

11. Click a run report item to view the report.

12. To export the report, click one of the following file format icons:

• PDF

• TXT (tab-delimited)

• XLS (Excel)

• CSV (comma-separated values)

Your browser prompts you to download a file of the specified format.


See also

• Connecting to target databases on page 69

• Data policies on page 130

• Viewing alerts on page 191

• User-defined DAM reports on page 214

Tutorial: Monitoring changes to metadata

You can configure FortiDB to use your database’s auditing features to monitor for metadata changes and generate alerts based on the policies you specify. For example, you can configure FortiDB to generate alerts when database tables or columns are created, deleted, or modified. You can then use the alert information to generate a report.

This example configures FortiDB to monitor an Oracle database. Before you start the tutorial, ensure that the database has the required configuration. For details, see Oracle target database pre-configuration on page 70.

FortiDB can use several different methods to collect information from the monitoring process. The value of your database’s audit_trail parameter determines which collection method you use. For this example, because the value of audit_trail is db, extended, the collection method is DB, EXTENDED. For a description of other collection methods, see Configuring Oracle monitoring on page 181.

Create a target

A target specifies a database for FortiDB to monitor.

1. Log in to FortiDB using the following credentials (the default values):

User Name admin

Password fortidb1!$

All DAM tasks require the user to log in as admin.

2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is an Oracle database:

Name dam3target

Type Oracle

DB Host Name/IP The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)

Port The number of the port the database uses; the default port is 1521

DB Name The name of the database (for example, orcl)

User Name The database user name


Password The password for the database user

DB Activity Monitoring Select Allow.

5. To verify that the connection parameters are correct, click Test Connection. The message "Success" is displayed at the top of the page.

6. Click Save. The dam3target item is displayed in the list of targets.

Configure an alert policy for metadata

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management. Your target database is listed on the Target Monitoring Management page.

2. Click dam3target (the name of the target you created).

3. On the General tab, confirm that the following default Audit Configuration values are selected:

Collection Method DB, EXTENDED

Polling Frequency 60

4. To test the collection method, click Test. The message "Success" is displayed at the top of the page.

5. Click the Alert Policies tab.

6. Locate the policy item Tables, which has a Type value of (metadata policy icon), and then select it by selecting its check box.

7. Click Enable. Under Status, a green icon with an arrow is displayed.

Start monitoring

1. To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.

2. If the message "NEED_RECONFIGURE" is displayed, click the Alert Policies tab, and then click the Reconfigure* button.

View alerts generated by the policy and export them as a report

1. Using a database client-side application, execute several SQL statements that generate alerts. For example, execute the following SQL statements:

create table table1 (column1 int, column2 char);
drop table table1;

2. To view alerts, click DB Activity Monitoring > Security Alerts.

3. In the Security Alerts list, click an item to display its details under Alert Details (below the list). To hide the alert details, beside Alert Details, click the triangle icon.

4. To change the alert status from "Unacknowledged" to "Acknowledged", do the following:

a. Select the check box(es) of the alerts to change, and then select "Acknowledged" in the Status dropdown list.

b. Click Apply. The color of the status icon changes.

5. To create a customized report, click Report > User-Defined DAM Reports, and then select Add.


6. On the General tab, for Name, enter a name for the report. Optionally, for Description, enter a short description for the report.

7. Click the Table View tab.

8. In the Available Columns list, select columns to include in the report, and then click >> (right arrows) to add the selected columns to the Columns in Report list.

9. Click Save.

10. On the User-Defined Alert Reports page, in the list of reports, select the report you just created, and then click Run.

11. After FortiDB has run the report, beside the report name, click [+] (plus sign). A list of items with names created from the report name and run times is displayed.

12. Click a run report item to view the report.

13. To export the report, click one of the following file format icons:

• PDF

• TXT (tab-delimited)

• XLS (Excel)

• CSV (comma-separated values)

Your browser prompts you to download a file of the specified format.
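To exercise the table policy (Read and Write on SCOTT.EMP) from the native-auditing tutorial and the Tables metadata policy from this tutorial in one pass, and to confirm on the database side that the audit trail FortiDB polls actually recorded them, here is an added SQL script that is not part of the FortiDB guide. It assumes an Oracle database with the SCOTT sample schema and audit_trail set to db, extended; the parameter and audit-trail queries are run as a DBA, the test statements as one of the users you listed under Suspicious Database Users.

```sql
-- Added example, not from the FortiDB guide. Assumes the SCOTT sample schema
-- and an Oracle database whose audit_trail parameter is db, extended.

-- (1) As a DBA: confirm the setting the DB, EXTENDED collection method relies
--     on. Expected value: DB, EXTENDED (Oracle 10gR1 displays DB_EXTENDED).
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_trail';

-- (2) As a user listed under Suspicious Database Users: a Read on the
--     monitored table. A table policy whose Audit Action includes Read
--     alerts on this access.
SELECT empno, ename, sal
  FROM scott.emp
 WHERE deptno = 10;

-- (3) A Write on the same table. The ROLLBACK leaves the sample data
--     unchanged; Oracle commits audit records independently of the user
--     transaction, so the Write policy still fires.
UPDATE scott.emp
   SET sal = sal
 WHERE empno = 7369;
ROLLBACK;

-- (4) DDL for the Tables metadata policy (the tutorial's own statements).
CREATE TABLE table1 (column1 INT, column2 CHAR);
DROP TABLE table1;

-- (5) As a DBA: the rows FortiDB reads on its next poll (Polling Frequency
--     60). sql_text is populated only because audit_trail is db, extended;
--     returncode 0 means the statement succeeded.
SELECT username, action_name, owner, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE obj_name IN ('EMP', 'TABLE1')
 ORDER BY timestamp DESC;
```

If step (5) returns no rows for EMP, the object is not being audited at the database level and the policy cannot fire, whatever FortiDB shows; that is the first thing to check before looking at the Security Alerts page.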

See also

• Connecting to target databases on page 69

• Metadata policies on page 150

• Viewing alerts on page 191

• User-defined DAM reports on page 214

Tutorial: Generating PCI, SOX, and HIPAA compliance reports

You can configure FortiDB to monitor a database and generate alerts based on the following regulatory compliance standards:

• Sarbanes-Oxley Act (SOX)

• Payment Card Industry Data Security Standard (PCI DSS)

• Health Insurance Portability & Accountability Act (HIPAA)

This example configures a Microsoft SQL Server database. Before you start the tutorial, ensure that the database has the required configuration. For more information, see Microsoft SQL Server target database pre-configuration on page 83.

Create a target

A target specifies a database for FortiDB to monitor.


1. Log in to FortiDB using the following credentials (the default values):

User Name admin

Password fortidb1!$

2. In the navigation menu, go to Target Database Server > Targets.

3. On the Targets page, click Add.

4. On the General tab, enter the following information. For this example, the target is a Microsoft SQL Server database:

Name dam_pci_sox

Type Microsoft SQL Server

DB Host Name/IP The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)

Port The number of the port the database uses; the default port is 1433

Connect At Server Level (default)

DB Name The name of the database. Because this target connects at the server level, the database name is master and you cannot change it.

User Name The database user name

Password The password for the database user

DB Activity Monitoring Select Allow.

5. To verify that the connection parameters are correct, click Test Connection. The message “Success” is displayed at the top of the page.

6. Click Save. The dam_pci_sox item is displayed in the list of targets.

Add the PCI, SOX, and HIPAA policy groups to the target

1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.

2. Click dam_pci_sox (the name of the target you created).

3. On the General tab, confirm that the following default Audit Configuration values are selected:

Collection Method SQL Trace

Trace Folder Enter the full path of the existing trace folder (for example, C:\SQLTrace)

Polling Frequency 60 (default)

4. To test the collection method, click Test. The message "Success" is displayed at the top of the page.

5. Click the Alert Policy Groups tab.

6. Select PCI Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.

7. Select Sox Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.


8. Select HIPAA Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.

9. Click Save.

Start monitoring

To start monitoring the database, click the General tab, and then click Start Monitoring. Monitor Status displays Starting and then Running.

Configure and export PCI and SOX reports

1. Using a database client-side application, execute several SQL statements that generate data. For example, to generate data that is captured in a History of Privilege Changes report, execute SQL statements that change privileges.

2. To create a PCI compliance report, click Report > PCI Reports.

3. For this example, select PCI - Successful/Unsuccessful Database Logins.

4. On the Generate Audit PCI Report page, configure the report using the following values:

Export as PDF (default)

W/P Reference Enter the work paper reference value, if required. This value is a tracking mechanism customers can use to identify and place controls around reports.

Date Range Enter start and end dates for the report (click the calendar icons to select dates using the date picking tool)

5. Confirm that the target database is displayed in the Targets list. If there is no data, the database name does not appear in the box.

6. In the bottom-right corner of the page, select Export. Your browser downloads the report file.

7. Repeat the compliance report steps to generate the following report types:

• Sox Report: History of Privilege Changes

• HIPAA Report: Privilege Changes

See also

• Connecting to target databases on page 69

• PCI, SOX, and HIPAA alert policies on page 154

• PCI, SOX, and HIPAA reports on page 218


Installation (software-only)

The software-only version of FortiDB allows you to install FortiDB on hardware that you provide. FortiDB software runs as a web application and uses Tomcat as the application server. You can install it on either Windows or UNIX (Solaris, AIX, Linux) platforms. FortiDB uses one of the following repositories for its internal data:

• Apache Derby

• PostgreSQL

• Oracle

• Microsoft SQL Server

The Apache Derby database is included with the FortiDB software. No manual setup is required. Because the software-only version of FortiDB cannot monitor databases using the TCP/IP sniffer, the software-only version does not support the activity auditing and profiling features.

System requirements

To ensure both security and performance, install FortiDB on a dedicated computer that does not run any other memory or processor-intensive applications. Start with a clean installation of the operating system that has a minimum number of services running. For a list of currently supported hardware and software, see the Supported Hardware section of the Release Notes for your version of FortiDB.

Requirement Details

Disk space
300 MB of free disk space (minimum). Additional space is required for the repository database, log files, reports, and archives.

Memory
A minimum of 2048 MB of system memory, 1024 MB of which are dedicated to the FortiDB application.

Processor
Windows and Linux: Intel-based platforms configured with one or more P4 (or higher) processors. Solaris: SPARC-based platform configured with one or more processors.

These are minimum disk space and memory requirements. For optimal performance, consult with a FortiDB representative for recommendations that are best suited to your individual situation.


Preparing to install

Before you install FortiDB, ensure you have the following information:

Prerequisite Details Notes

User account for FortiDB installation
Windows: An Administrator-level account. Linux or Solaris: A non-root user account.

Location for FortiDB
You can install FortiDB in any directory. If you choose a location where a previous version of FortiDB exists, the installation process upgrades the current installation.
Note: Do not choose a path with a name that contains one or more spaces. For example, because there is a space between Program and Files, do not use C:\Program Files\FortiDB.

DB type for your repository database
Derby, Microsoft SQL Server, Oracle, or PostgreSQL.
Note: The FortiDB installation process installs the compatible Derby database with the required configuration. For Microsoft SQL Server, Oracle, and PostgreSQL, configure your repository database before you install FortiDB. See Configuring the FortiDB repository database on page 33.

Name of host machine for repository database
The hostname or IP address for the machine where the repository database resides.

Port number for repository database
An available port number above 1024.

Database name/SID for repository database
The name (or SID) of the repository database.

Username for repository database user
The account name of the repository database user.

Password for repository database user
The password for the repository database user account.

Application Server HTTP Port Number
An available port number above 1024.

Application Server HTTPS Port Number
An available port number above 1024.

Application Server Shutdown Port Number
An available port number above 1024.


Configuring the FortiDB repository database

When you use Derby for the FortiDB repository database, no configuration is required. For all other database types, follow the configuration instructions in this section.

For all repository types except Derby, verify that your character-encoding setting is UTF-8.

Do not use the FortiDB application to monitor or audit its own repository database.

To ensure best performance, do not install FortiDB and its repository database on the same computer. You cannot install the Derby repository that is included with FortiDB software on the same computer as FortiDB.

See also

• Configuring a PostgreSQL repository on page 33

• Configuring an Oracle repository on page 34

• Configuring a Microsoft SQL Server repository on page 35

Configuring a PostgreSQL repository

When you use a PostgreSQL 8.x repository, FortiDB requires a language pack for its archive feature.

1. Create a database to use for the FortiDB repository (for example, “fortidb”) with UTF-8 encoding. Make a note of the following information, which is required for FortiDB installation:

• Database name

• User name

• Password

2. To create the language pack "plpgsql", execute the following command:

createlang -h 127.0.0.1 -d -U plpgsql

where:

• is the name of the database

• is the name of the database user

3. To verify that the language pack is installed properly, execute the following command:

psql -U -c "select * from pg_language"

where:

• is the name of the database

The row plpgsql is displayed in the pg_language table.


Configuring an Oracle repository

1. Create a tablespace for FortiDB with the following values:

Block Size (B) Minimum 16K

Total SGA size Minimum 500MB

Total PGA size Minimum 100MB

Segment Space Management AUTO (Automatic)

Extent Management LOCAL

2. Create a FortiDB user that has the following privileges:

• CREATE SESSION

• CREATE TABLE

• CREATE SEQUENCE

• UNLIMITED QUOTA for the FortiDB tablespace

3. Make any changes to your configuration that can reduce the risk of competition for input/output resources (I/O contention). For example, put your database and log files on separate disks.

4. Create a datafile for the FortiDB tablespace. For example:

File Name FORTIDB.DBF

File Directory C:\oracle\product\10.2.0\oradata\orcl\

Tablespace FORTIDB

File Size 500M

AUTOEXTEND ON (automatically extends datafile when it is full)

Here is an example of the parameters in init.ora (for Oracle 10g):

*.db_name='fortidb'
*.db_block_size=8192
*.sga_target=584M
*.pga_aggregate_target=194M
*.db_create_file_dest='/home/oracle/product/10.2.0/db_1/oradata/fdb'
*.db_recovery_file_dest='/home/oracle/product/10.2.0/db_1/flash_recovery_area'
*.db_recovery_file_dest_size=2G
*.undo_management='AUTO'
*.undo_tablespace='UNDOTBS1'
*.audit_file_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/adump'
*.user_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/udump'
*.core_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/cdump'
*.background_dump_dest='/home/oracle/product/10.2.0/db_1/admin/fdb/bdump'
*.compatible='10.2.0.3.0'
*.control_files='/home/oracle/product/10.2.0/db_1/oradata/fdb/control01.ctl'
*.db_file_multiblock_read_count=16
*.job_queue_processes=10
*.open_cursors=300
*.processes=150
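The tablespace, datafile, repository user and privileges from steps 1, 2 and 4 above as one SQL*Plus script run as a DBA, followed by queries that check the result. This is an added example and not part of the FortiDB guide; the datafile path, user name and password are placeholders, and the BLOCKSIZE clause reflects the guide's 16K minimum rather than the 8192 in the init.ora sample.

```sql
-- Added example, not from the FortiDB guide. Run as a DBA (for example SYSTEM).
-- Datafile path, user name and password are placeholders.

-- Steps 1 and 4: the FortiDB tablespace and its datafile. A BLOCKSIZE that
-- differs from the database's db_block_size needs DB_16K_CACHE_SIZE set first;
-- otherwise omit the BLOCKSIZE clause and the database default is used.
CREATE TABLESPACE FORTIDB
    DATAFILE 'C:\oracle\product\10.2.0\oradata\orcl\FORTIDB.DBF'  -- placeholder path
        SIZE 500M
        AUTOEXTEND ON NEXT 100M MAXSIZE UNLIMITED
    BLOCKSIZE 16K
    EXTENT MANAGEMENT LOCAL
    SEGMENT SPACE MANAGEMENT AUTO;

-- Step 2: the repository user, granted exactly the privileges the guide
-- lists, with unlimited quota on its own tablespace and nothing else.
CREATE USER fortidb IDENTIFIED BY ChangeMe_1   -- placeholder password
    DEFAULT TABLESPACE FORTIDB
    QUOTA UNLIMITED ON FORTIDB;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO fortidb;

-- Checks: tablespace settings, the three system privileges, and the quota
-- (max_bytes = -1 means UNLIMITED). Anything beyond these three privileges
-- is more than the repository needs.
SELECT tablespace_name, block_size, extent_management, segment_space_management
  FROM dba_tablespaces
 WHERE tablespace_name = 'FORTIDB';

SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'FORTIDB';

SELECT tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'FORTIDB';
```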


Configuring a Microsoft SQL Server repository

This procedure illustrates how to configure a repository using Microsoft SQL Server 2008 Management Studio.

The user ID and schema name must have the same name as the FortiDB repository.

Create a SQL database

1. Log in as sa.

2. Right-click Databases.

3. Click New Database.

4. For the database name, enter fortidb.

5. Configure the database using the following values:

Initial data-file size 300 MB (minimum)

Initial log-file size 20 MB (minimum)

Collation value A value that supports case-sensitivity. The characters “CS” in a collation value indicate that it is case-sensitive. For example, the collation value SQL_Latin1_General_CP1_CS_AS is for U.S. English systems and is case-sensitive.

6. Click OK.

Create a SQL login

1. Go to Security.

2. Right-click Logins.

3. Click New Login.

4. For Login name, enter fortidb.

5. Select SQL Server authentication, and then enter and confirm a password.

6. Clear Enforce password expiration.

7. For Default database, select fortidb.

8. On the User Mapping page, for Users mapped to this login, select fortidb. In the User column for the fortidb list item, fortidb is displayed.

9. Select the fortidb item in the list of users, and then, for Database role membership for: fortidb, select db_owner.

10. Click OK.

Create the fortidb schema

Ensure that the schema uses the same name as the login name that you created in the previous step.


1. Log in using the user (fortidb) and password.

2. Go to Databases > fortidb > Security.

3. Right-click Schemas, and then select New Schema.

4. For both Schema name and Schema owner, enter fortidb.

5. Click OK.

6. Go to Databases > fortidb > Security > Users.

7. Right-click the fortidb user, and then click Properties.

8. For the Default schema field, enter fortidb.

9. Click OK.

Verify that the login is mapped to the correct schema and user

1. Log in as sa.

2. Go to Security > Logins.

3. Right-click fortidb, and then select Properties.

4. On the User Mapping page, verify that "fortidb" is both the user and default schema value for the fortidb item.
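The same repository setup (database, login, user, db_owner membership, schema and default schema, then the mapping check) as a T-SQL script run as sa, for sites that script SQL Server rather than click through Management Studio. This is an added example, not part of the FortiDB guide; the file paths and password are placeholders, and the schema is created as sa instead of as the fortidb login, which gives the same end state.

```sql
-- Added example, not from the FortiDB guide. File paths and the password are
-- placeholders; the sizes and collation are the ones the procedure calls for.
USE master;
GO

-- Create a SQL database: 300 MB data file, 20 MB log file, case-sensitive
-- (CS) collation as required for the FortiDB repository.
CREATE DATABASE fortidb
    ON PRIMARY (NAME = fortidb_data,
                FILENAME = 'C:\SQLData\fortidb.mdf',      -- placeholder path
                SIZE = 300MB, FILEGROWTH = 10%)
    LOG ON     (NAME = fortidb_log,
                FILENAME = 'C:\SQLData\fortidb_log.ldf',  -- placeholder path
                SIZE = 20MB, FILEGROWTH = 10%)
    COLLATE SQL_Latin1_General_CP1_CS_AS;
GO

-- Create a SQL login: SQL Server authentication, password expiration
-- cleared, default database fortidb.
CREATE LOGIN fortidb
    WITH PASSWORD = 'Placeholder_Pa55w0rd!',   -- placeholder: replace before use
         DEFAULT_DATABASE = fortidb,
         CHECK_EXPIRATION = OFF;
GO

USE fortidb;
GO

-- Map the login to a database user of the same name and add it to db_owner.
-- sp_addrolemember is the form available on SQL Server 2008 (the version
-- this procedure describes); ALTER ROLE ... ADD MEMBER replaces it on 2012+.
CREATE USER fortidb FOR LOGIN fortidb;
GO
EXEC sp_addrolemember 'db_owner', 'fortidb';
GO

-- Create the fortidb schema, owned by fortidb, and make it the user's
-- default. CREATE SCHEMA must be alone in its batch, hence the GO lines.
CREATE SCHEMA fortidb AUTHORIZATION fortidb;
GO
ALTER USER fortidb WITH DEFAULT_SCHEMA = fortidb;
GO

-- Verify that the login is mapped to the correct schema and user: expect one
-- row with user fortidb, login fortidb, default schema fortidb, and a
-- collation containing CS.
SELECT dp.name                AS user_name,
       sp.name                AS login_name,
       dp.default_schema_name AS default_schema,
       DATABASEPROPERTYEX('fortidb', 'Collation') AS collation
  FROM sys.database_principals dp
  JOIN sys.server_principals  sp ON sp.sid = dp.sid
 WHERE dp.name = 'fortidb';
GO
```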

UNIX/Linux installation

You install FortiDB software on Unix and Linux using a console user interface, or command-line interface (CLI). You can use a non-root user account to install FortiDB on the following operating systems:

• Solaris

• AIX

• Linux installations that use an Oracle repository database

To install FortiDB on UNIX/Linux, the following hardware and operating system are required:

• Solaris with SPARC-based platform

• 64-bit Linux system with Intel-based platform, and 2.6 kernel

For detailed platform requirements, see the release notes for your version of FortiDB.

Obtain one of the following FortiDB installer files:

Solaris fdb-install-{version}-solaris-sparc.bin

Linux (without RPM Package Manager) fdb-install-{version}-linux-x64.bin

Unix fdb-install-{version}-unix.bin

Execute the installer file supplied using the following command:

sh

For Linux installations that use RPM Package Manager, do the following:


• Obtain the installer file fdb-install-{version}-linux-x64.rpm

• Execute the installer file using the following command:

rpm -ivh

To install FortiDB on other UNIX systems like AIX, install the Java Runtime Environment version 1.6 or higher first, and then update the FortiDB startup script. For details, refer to the release notes for your version of FortiDB or contact Fortinet.

See also

• Confirming the installation on page 37

Windows installation

For detailed information on Windows installation requirements, see the release notes for your version of FortiDB. To install FortiDB on Windows, you use the graphical user interface (GUI) and an Administrator account. Obtain one of the following FortiDB installer files:

Windows 64-bit fdb-install-{version}-windows-x64.exe

Windows 32-bit fdb-install-{version}-windows-x86.exe

Log in as a user with administrator privileges, run the installer, and then follow the instructions provided by the installer. Use the Add/Remove Programs control panel to uninstall FortiDB.

See also

l Confirming the installation on page 37

Confirming the installation

To test whether your installation was successful, enter the following URL in your browser:

http://<fortidb_ip>:<port_int>/fortidb

where:

l fortidb_ip is the FortiDB host name or IP address

l port_int is the port number on which the application server listens

If your installation is successful, the login page is displayed. The default administrator user name is admin and the default password is fortidb1!$.

After you log in successfully, go to Administration > Administrators to change the password for the admin account. For more information on changing passwords, see Changing the "admin" account password on page 46.


If you use DAM (Database Activity Monitoring), use the FortiDB "admin" account. If you use VA (Vulnerability Assessment), use the FortiDB "admin" account only to perform administrative tasks such as making backups and creating new accounts. To maintain separation of duties, create other accounts and assign appropriate roles to them for using FortiDB VA.

Starting or stopping FortiDB

In some situations, it is necessary to start or stop FortiDB manually, for example when you update or replace your FortiDB license file, or reboot UNIX. When FortiDB stops, it saves state information in the internal database. When you log in again, it retrieves this information and reopens the databases that were open at the time of the shutdown. Since state information is periodically saved during your session, FortiDB can restore most of the state even if it goes down due to a power failure or similar problem.

To manually start FortiDB on Windows

Do one of the following:

l Execute the <FortiDB install directory>\bin\start.bat batch file.

l Click Start > Programs > FortiDB > Start FortiDB.

To manually start FortiDB on UNIX

Use the <FortiDB install directory>/bin/start script.

To manually stop FortiDB on Windows

Do one of the following:

l Execute the <FortiDB install directory>\bin\stop.bat batch file.

l Click Start > Programs > FortiDB > Stop FortiDB.

To manually stop FortiDB on UNIX

Use the <FortiDB install directory>/bin/stop script.

Installing a new license

FortiDB requires a license key in order to operate and ships with a temporary one. In some cases, a notice warning you that your license is about to expire is displayed about two weeks before your license expires. If this happens, contact your Fortinet sales representative to extend the license.


To install a new license

For information on starting and stopping FortiDB, see Starting or stopping FortiDB on page 38.

1. Stop FortiDB.

2. In <FortiDB install directory>/conf, replace license.properties with the new license file.

3. Restart FortiDB.

Managing disk space

FortiDB log, archive, and report files all consume disk space. To help conserve disk space, you can back up, delete, and restore these files as required.

See also

l Useful directories, files, and folders on page 39

l Log files for troubleshooting on page 40

Useful directories, files, and folders

The folders that the FortiDB installation directory contains include the following:

FortiDB directories

Directory Contents

/bin Utility files, including the files that allow you to manually start and stop FortiDB

/conf Your license file, encryption-key files, installation-properties file, and report logo files

/data/archives/VA

/data/reports

/doc Administration, Quick Start, and Installation Guides

/etc/conf/pentest

/etc/snmp

/logs Error and other log files

/tomcat/logs

/uninstall

The files that the FortiDB installation directory contains include the following:

FortiDB files and folders

File or folder name Description

/conf/license.properties Your license file, which specifies the databases allowed during the FortiDB license period

/conf/.keyFile Encryption-key file for assessment archives

/conf/.keystore Key store (SSH)

/conf/reportlogos Report logo files

/etc Contains:

l Pentest dictionary and db-type-specific files

l XML files with samples of information that can be imported from a target database

l FortiDB-specific MIB file for SNMP notifications

/etc/templates

See also

l Managing disk space on page 39

l Log files for troubleshooting on page 40

Log files for troubleshooting

FortiDB produces the following log files that are useful for troubleshooting and can help Fortinet Technical Support to assist you:

General logs

/logs/*.log

/tomcat/logs/*.log

Tomcat logs

You can troubleshoot installation problems by reviewing the Tomcat log files located in the following directories:

/logs

/tomcat/logs

/tomcat/webapps/fortidb/WEB-INF/logs

See also

l Useful directories, files, and folders on page 39

Upgrading FortiDB

For supported upgrade versions, see the release notes for your version of FortiDB.

To upgrade from an earlier version of FortiDB

1. Back up your repository database. This step is optional, but recommended.

2. Shut down your existing FortiDB process or service. For detailed steps, see Starting or stopping FortiDB on page 38.

3. Execute the FortiDB installer file. For detailed information, see UNIX/Linux installation on page 36 or Windows installation on page 37.

4. Specify the directory that contains your existing FortiDB installation as the destination directory.

5. To complete the upgrade, follow the remaining steps provided for an initial installation.


How to set up your FortiDB

The basic setup instructions include information on planning network connections for FortiDB, connecting to the web UI or command line interface, and ensuring you have the latest version of the firmware (for appliance versions). After the initial setup is complete, for example configurations for assessing and monitoring databases, see FortiDB tutorials on page 16.

See also

l Planning the network topology for database activity monitoring (DAM) on page 42

l Connecting to the web UI and CLI on page 43

l Updating the firmware on page 43

l Changing the "admin" account password on page 46

l Setting the system time on page 47

l Configuring the network settings on page 49

Registering your FortiDB

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site: https://support.fortinet.com Many Fortinet customer services such as firmware updates, technical support, and FortiGuard services require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Planning the network topology for database activity monitoring (DAM)

Database activity monitoring (DAM) using the TCP/IP sniffer (also known as packet capture or network analyzer) is available for the appliance version of FortiDB only. It provides functions like policy-based activity auditing, activity profiling, and security alerts. To use DAM with the TCP/IP sniffer, connect one or more of your FortiDB appliance's ports to the SPAN port of the switch that is connected to your database server. This configuration allows the appliance to monitor all traffic passing to and from the server.

See also

l Tutorial: Monitoring a database table using the TCP/IP sniffer on page 19


Connecting to the web UI and CLI

The default IP address and subnet of port1 is 192.168.1.99/255.255.255.0. To connect to the appliance's web UI on port1, for example, go to https://192.168.1.99/. To connect to the appliance's CLI, connect your computer’s serial communications (COM) port to the FortiDB appliance’s console port. Use terminal emulation software to connect with the appliance using the following configuration:

Serial line to connect to COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)

Speed (baud) 9600

Data bits 8

Stop bits 1

Parity None

Flow control None

The default administrator account name and password is admin and fortidb1!$.

See also

l Changing the "admin" account password on page 46

Updating the firmware

Your new FortiDB appliance ships with the latest operating system (firmware). However, if Fortinet has released a new version since it shipped your appliance, install the new firmware before you continue the installation.

Fortinet periodically releases FortiDB firmware updates with enhancements and to address issues. Before you can download firmware updates for your FortiDB appliance, you must first register it with Fortinet Technical Support. For details, go to https://support.fortinet.com/ or contact Fortinet Technical Support. FortiDB firmware is available for download at: https://support.fortinet.com

New firmware can also introduce new features which you must configure for the first time. For late-breaking information specific to the firmware release version, see the release notes for the release.

When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup operation safeguards data and configuration settings in case power is lost during the upgrade. For information on backup and restore procedures, see Backups on page 52.


See also

l Upgrading the firmware on page 44

l Installing FortiDB firmware on page 45

Upgrading the firmware

When installing firmware, FortiDB keeps existing data and configuration. If you want to reset all device settings and configuration and delete log data on the hard drive, use the execute format disk CLI command. For details, see execute format disk on page 253.

To upgrade your firmware using the web UI

1. Download the firmware image file to your management computer. For appliances with a valid technical support contract, you can download firmware images from the Fortinet Technical Support web site, https://support.fortinet.com.

2. Log in as admin.

3. Go to System > System Information.

4. Under System Information, in the Firmware Version information, click Update.

5. Do one of the following to select the firmware image file:

l Enter the path and file name of the file.

l Click Choose File to navigate to and select the file.

6. Click Update. After your browser uploads the firmware image file, FortiDB upgrades to the new firmware version, and then restarts. This process takes a few minutes.

To upgrade your firmware using the CLI

When you upgrade the firmware using the CLI, FortiDB requires a TFTP or FTP server that it can connect to.

1. Start the FTP or TFTP server.

2. Copy the new firmware image file to the FTP or TFTP server.

3. Log in to the CLI as admin.

4. Verify that FortiDB can connect to the FTP or TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168, enter the following command:

execute ping 192.168.1.168

5. Enter the following command to copy the firmware image from the FTP or TFTP server to FortiDB:

execute restore image ftp <filename> <ftp_ip>
execute restore image tftp <filename> <tftp_ip>

where:

l <filename> is the name and location of the firmware image file

l <ftp_ip> or <tftp_ip> is the IP address of the FTP or TFTP server

For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

FortiDB responds with the following message:

This operation will replace the current firmware version!
Do you want to continue? (y/n)

6. Type y. FortiDB downloads the firmware image file, upgrades to the new firmware version, and then restarts. This process takes a few minutes.

7. Reconnect to the CLI.

8. To confirm that the new firmware image is successfully installed, enter:

get system status

See also

l Updating the firmware on page 43

l Installing FortiDB firmware on page 45

Installing FortiDB firmware

You can use the boot loader menu to install a specific firmware image and reset FortiDB to default settings. Use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version. This procedure reverts the FortiDB system to its factory default configuration. Installing a specific firmware image requires you to connect to the CLI using the FortiDB console port and an RJ-45 to DB-9 or null-modem cable. A TFTP server that you can connect to from the FortiDB interface and that is on the same subnet as the internal interface is also required.

To install firmware using boot loader menu

1. Connect to the FortiDB CLI through your console port.

2. To get and copy your current network settings for reference, execute the following command:

show

The process of installing a new image resets your network settings to the factory defaults. To access the web-based manager afterwards, re-configure the network settings.

3. Verify that the TFTP server is running.

4. Copy the new firmware image file to the TFTP server.

5. Verify that the internal interface is connected to the same network as the TFTP server. To test the connection, enter the following command:

execute ping <tftp_server_ip>

6. Enter the following command to restart FortiDB:

execute reboot

The FortiDB system responds with the following message:

This operation will reboot the system !
Do you want to continue? (y/n)

7. Type y to display the boot loader menu. As the FortiDB system starts, a series of system startup messages is displayed. When one of the following messages appears:

Press any key to display configuration menu......

immediately press any key to interrupt the system startup.

You have only 3 seconds to press any key. After 3 seconds, FortiDB reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, one of the following messages appears:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,C,Q,or H:

8. Type G to get the new firmware image from the TFTP server. The following message appears:

Enter TFTP server address [192.168.1.168]:

9. Type the address of the TFTP server and press Enter. The following message appears:

Enter Local Address [192.168.1.188]:

10. Type an IP address that FortiDB can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Verify that you do not enter the IP address of another device on this network. The following message appears:

Enter firmware image file name [image.out]:

11. Enter the firmware image file name (and location) and press Enter. The TFTP server uploads the firmware image file to the FortiDB unit. Some unit models may display the following message:

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]

12. Type D. FortiDB installs the new firmware image and restarts. The installation can take a few minutes to complete. If the installation is successful, the FortiDB CLI prompt is displayed.

13. Configure your network settings. To configure your network settings, please refer to Configuring network settings using the CLI on page 51.

See also

l Updating the firmware on page 43

l Upgrading the firmware on page 44

Changing the "admin" account password

1. Log in to the web UI.

2. Select the Change Password link at the top of any page.

3. Enter your current password and new password, and then confirm your new password. When you create a password, use the following rules:

Category Description

Mandatory Length By default, no mandatory length is set. For information on setting the minimum length, see User Profile/Security properties on page 65.

Mandatory contents l At least one number

l At least one special character from the following set: !@#$%^&*()_+|~-=\`{}[]:";'<>?,./

Prohibited contents l Spaces

l User name

l User name reversed

For example, wru2rxy? is a valid password.

4. Click OK.
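The rules in the table above, turned into a checker as an added example (not code from the FortiDB product or this guide). It assumes the mandatory length is passed in from the User Profile/Security setting and treats the user-name checks as case-insensitive, which is stricter than the table states.

```python
# Special characters the FortiDB password policy accepts (the set listed in
# the rule table above).
SPECIAL_CHARS = set("!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./")


def password_violations(password: str, username: str, min_length: int = 0) -> list:
    """Return the policy rules that the password breaks; an empty list means valid.

    min_length defaults to 0 because the guide states that no mandatory length
    is set by default; pass the value configured under User Profile/Security.
    The user-name checks are case-insensitive here, which is an assumption
    that is stricter than the table states.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the mandatory length of {min_length}")
    if not any(ch.isdigit() for ch in password):
        problems.append("no number")
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append("no special character from the permitted set")
    if " " in password:
        problems.append("contains a space")
    lowered, uname = password.lower(), username.lower()
    if uname and uname in lowered:
        problems.append("contains the user name")
    if uname and uname[::-1] in lowered:
        problems.append("contains the user name reversed")
    return problems


def is_valid_password(password: str, username: str, min_length: int = 0) -> bool:
    """True when the password satisfies every rule in the table."""
    return not password_violations(password, username, min_length)


if __name__ == "__main__":
    # "wru2rxy?" is the guide's own example of a valid password; the others are
    # constructed to trip one rule each for the account name "admin".
    for candidate in ["wru2rxy?", "admin1!", "nimda9$", "wru2 rxy?", "wruxrxy?"]:
        print(f"{candidate!r}: {password_violations(candidate, 'admin') or 'valid'}")
```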

See also

l Administrators on page 53

Setting the system time

Setting the system time ensures correct report time ranges, scheduling, and logging.

To set the system time using the web UI

1. In the left-side navigation menu, click System > System Information.

2. In the System Time information, click Change. The Time Settings page is displayed.

3. Use the following options to change the time settings:

Refresh Updates the display with the current FortiDB system date and time.

Time Zone Select the FortiDB unit's time zone. Select Automatically adjust clock for daylight saving changes to automatically switch the clock between daylight saving time and standard time. Note: Changes to the time zone setting do not take effect until after you reboot FortiDB.

Set Time Sets the FortiDB system date and time using the values you specify for Year, Month, Day, Hour, Minute and Second.

Synchronize with NTP Server Configures FortiDB to automatically update its system date and time using an NTP server. For Server, enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org. For Sync Interval, specify how often the FortiDB unit synchronizes its time with the NTP server, in minutes. For example, to synchronize its time once a day, enter 1440.

4. Select OK.

To set the system time using the CLI

1. To set the time zone, execute the following command:

config system global
set daylightsavetime {enable | disable}
set timezone <timezone_number>
end

where:

l {enable | disable} specifies whether FortiDB automatically switches to daylight saving time

l <timezone_number> is a number that specifies the time zone (enter ? to list time zones and their numbers)

For example, to turn on daylight saving time and choose the Eastern time zone for US & Canada:

config system global
set daylightsavetime enable
set timezone 12
end

2. To set a Network Time Protocol (NTP) server, execute the following command:

config system ntp
set server <ntp_server>
set status {enable | disable}
end
set sync_interval <minutes>
end

where:

l <ntp_server> is the IP address or fully qualified domain name of the NTP server

l {enable | disable} specifies whether the server is enabled

l <minutes> is a value in minutes that specifies how often the FortiDB system synchronizes its time with the NTP server

For example:

config system ntp
set server 172.30.62.81
set status enable
end
set sync_interval 120
end

For information on manually setting the time using the CLI, see execute time on page 258.

See also

l System information and settings on page 59


Configuring the network settings

You can configure the FortiDB unit to operate in your network using either the web UI Network Configuration page or the CLI. These basic network settings include interfaces, DNS settings and static routes.

You can use either of the following formats to specify IP address/network-mask pairs:

l Dotted-decimal (for example, 192.168.1.1/255.255.255.0)

l Bit representation (for example, 192.168.1.1/24)

See also

l Configuring network settings using the CLI on page 51

Configuring network settings using the web UI

To configure the network interfaces using the web UI

1. Go to System > Network Setting. On the Network Configuration page, the Interfaces tab displays the current configuration of the network interfaces.

Interface The name of the network interface on the FortiDB unit.

Device IP/Netmask The IP address and network mask configured for the interface.

Access A list of the administrative access methods available on the interface.

Status A green arrow indicates that the network interface is up; select the edit button to disable the port. A red arrow indicates that the interface is down; select the edit button to enable the port.

Modify Select the edit button to change the interface settings.

2. For the interface you want to configure, in the Modify column, click (edit icon).

3. Configure the following options:

Enable check box Specifies whether the interface is enabled or disabled

Interface Name Cannot be changed

Device IP/Netmask Enter an IP address and network mask (for example, 192.168.10.3/255.255.255.0)

Access Select the methods of administrative access that are available on this interface.

l HTTP allows HTTP connections to the FortiDB. HTTP connections are not secure and can be intercepted by a third party.

l HTTPS allows secure HTTPS connections to the FortiDB.

l PING allows FortiDB to respond to ICMP pings, which are useful for testing connectivity.

l SSH allows SSH connections to the FortiDB CLI.

l TELNET allows Telnet connections to the FortiDB CLI. Telnet connections are not secure, and can be intercepted by a third party.

4. Select the Save button to save the interface settings.

To configure DNS using the web UI

You can configure primary and secondary DNS servers to provide the name resolution required by FortiDB features.

1. Go to System > Network Setting, and then click the DNS tab.

2. Enter an IP address for a primary and secondary DNS server.

3. To save and apply the DNS settings, click the Apply button.

To configure static routes using the web UI

To forward packets from FortiDB to the default gateway through a specified interface, add a default static route entry. For example, to allow FortiDB to access the Internet from your private subnet, add a static route with a destination address of 0.0.0.0/0.0.0.0 and specify the gateway address to forward the packets to.

1. Go to System > Router. The Static Route page displays the current static routes configuration.

Destination IP/Netmask The destination IP address and netmask of the packets that FortiDB sends.

Gateway The IP address of the router to which FortiDB forwards packets.

Interface The name of the FortiDB interface through which intercepted packets are received and sent.

Modify Click (edit icon) to change the route settings. Click (delete icon) to delete the route.

2. Click Add, and then configure the following options:

Destination IP/Netmask Enter the destination IP address and netmask of packets that FortiDB intercepts. Enter 0.0.0.0/0.0.0.0 to specify any and all destinations.

Gateway Enter the IP address of the next-hop router that FortiDB routes traffic to.

Interface Select the FortiDB network interface for incoming and outgoing packet traffic.


Configuring network settings using the CLI

For details about each command, see Overview of commands on page 235.

1. To set the IP address and netmask of a network interface, execute the following command:

config system interface
edit {port1 | port2 | port3 | port4}
set ip <ip> <netmask>
set allowaccess {http https ping ssh telnet}
end

where:

l {port1 | port2 | port3 | port4} is the network interface

l <ip> is the interface IP address

l <netmask> is the interface netmask

l {http https ping ssh telnet} specifies the types of administrative access that are permitted

For example:

config system interface
edit port1
set ip 192.168.100.159 255.255.255.0
set allowaccess ping https ssh
end

2. To set the DNS servers, execute the following command. The secondary DNS server is optional:

config system dns
set primary <dns_ip>
set secondary <dns_ip>
end

where <dns_ip> is the IP address of the primary or secondary DNS server. For example:

config system dns
set primary 65.39.139.52
set secondary 65.39.139.62
end

3. To create a static route, execute the following command:

config system route
edit <seq_num>
set device <port>
set gateway <gateway_ip>
end

where:

l <seq_num> is an unused routing sequence number (numbering starts at 1)

l <port> is the port for this route

l <gateway_ip> is the default gateway IP address for the network

For example:

config system route
edit 1
set device port1
set gateway 172.30.62.254
end
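An added example (not FortiDB code) that parses interface blocks in the CLI layout shown above, normalizes each Device IP/Netmask between the dotted-decimal and bit-representation forms described under Configuring the network settings, and flags the access methods this guide describes as interceptable (HTTP and Telnet). The config text is constructed for the example, and the `edit ... end` block layout is assumed from the guide.

```python
import ipaddress

# Administrative access methods this guide describes as not secure (they can be
# intercepted by a third party), mapped to the secure alternative it lists.
INSECURE_ACCESS = {"http": "https", "telnet": "ssh"}

# Constructed sample in the CLI layout shown above; port2 deliberately carries
# the weak settings so the audit has something to report.
SAMPLE_CONFIG = """\
config system interface
edit port1
set ip 192.168.100.159 255.255.255.0
set allowaccess ping https ssh
end
edit port2
set ip 10.0.5.2/16
set allowaccess http telnet ping
end
"""


def normalize_address(value: str) -> ipaddress.IPv4Interface:
    """Accept 'ip netmask' (the CLI form), 'ip/netmask' or 'ip/bits'.

    IPv4Interface validates the mask, so a non-contiguous netmask such as
    255.0.255.0 raises ValueError instead of being silently accepted.
    """
    parts = value.split()
    text = "/".join(parts) if len(parts) == 2 else value
    return ipaddress.IPv4Interface(text)


def parse_interfaces(config_text: str) -> dict:
    """Parse 'config system interface' blocks into {port: {"address", "allowaccess"}}.

    Assumes the layout shown in this guide: 'edit <port>' followed by 'set ip'
    and 'set allowaccess' lines, with 'end' (or the next 'edit') closing the block.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = tokens[1]
            interfaces[current] = {"address": None, "allowaccess": set()}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            if tokens[1] == "ip":
                interfaces[current]["address"] = normalize_address(" ".join(tokens[2:]))
            elif tokens[1] == "allowaccess":
                interfaces[current]["allowaccess"] = set(tokens[2:])
        elif tokens[0] == "end":
            current = None
    return interfaces


def audit_admin_access(interfaces: dict) -> list:
    """Report every interface that permits an interceptable admin access method."""
    findings = []
    for port, cfg in sorted(interfaces.items()):
        where = cfg["address"].with_prefixlen if cfg["address"] else "no address set"
        for method in sorted(cfg["allowaccess"]):
            if method in INSECURE_ACCESS:
                findings.append(
                    f"{port}: {method} admin access is enabled on {where}; "
                    f"use {INSECURE_ACCESS[method]} instead"
                )
    return findings


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for port, cfg in sorted(parsed.items()):
        addr = cfg["address"]
        print(f"{port}: {addr.with_netmask} = {addr.with_prefixlen}; "
              f"access {sorted(cfg['allowaccess'])}")
    for finding in audit_admin_access(parsed):
        print("WARNING", finding)
```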


Backups

A configuration backup file allows you to reset FortiDB to its default configuration, if required. When you update the firmware image, FortiDB keeps existing data and configuration. However, Fortinet recommends that you back up all FortiDB data and configuration settings before you upgrade. The backup operation safeguards data and configuration settings in case power is lost during the upgrade. You should also back up the configuration before you use the execute format disk CLI command, which resets all device settings and configuration and deletes log data on the hard drive.

Always back up the configuration before installing firmware or before you reset FortiDB to factory defaults.

To back up your configuration settings using the CLI

Backing up data and the current configuration using the CLI requires an FTP server.

1. Log into the CLI. For more information, see Connecting to the web UI and CLI on page 43.

2. Enter the following command to back up your local database, system-configuration settings, archives and reports:

execute backup all-settings [cryptpasswd]

For details on this command, see execute backup all-settings on page 247.

3. After successfully backing up your configuration files from the CLI, proceed with upgrading the FortiDB firmware.

To restore your configuration settings using the CLI

The following steps restore your FortiDB configuration settings using the CLI.

1. Log into the CLI.

2. Enter the following command to copy the backup configuration file to the FortiDB unit and restore the settings:

execute restore all-settings [cryptpasswd]

This operation replaces your current settings and requires you to reboot FortiDB. For details about backup and restore using the CLI, see execute backup all-settings on page 247 and execute restore all-settings on page 255.

Use the show shell command to verify your settings are restored, or log into the web-based manager.


Administrators

The Administrators page allows you to add, delete, enable and disable FortiDB administration users. You can display administrators by roles using the View By Role dropdown list.

Column Description

Selects an administrator to modify or delete. Select the column heading to select all administrators.

l indicates an enabled administrator. An administrator who has the Security Administrator role can enable an account at any time.

l indicates a disabled administrator. An administrator who has the Security Administrator role can disable an account at any time.

l indicates a locked administrator account. FortiDB locks out an account after unsuccessful login attempts.

User Name The FortiDB user name for the administrator

First Name The user's first name

Last Name The user's last name

Email Address The user's email address

To add or modify an administrator

When you add FortiDB administrators, you assign them one or more roles. The built-in FortiDB roles determine which FortiDB operations the administrator can perform.

1. Go to Administration > Administrators.

2. Do one of the following:

l To create an administrator, click Add.

l To edit the settings for an existing administrator, click the appropriate user name.

3. On the General tab, for User Authentication Type, select one of the following options:

Normal Specifies an administrator that FortiDB authenticates using the password in the administrator settings

LDAP Specifies an administrator that FortiDB authenticates by connecting to the LDAP server specified in Global Configuration

4. Complete or edit the remaining General tab settings as required. Settings marked with an asterisk (*) are mandatory.

5. If you are creating a new user and do not want the administrator to be able to log in after you save its settings, select Set user status as "disabled" immediately. To disable an existing user, on the Administrators page, select the check box to the left of the administrator, and then click Disable.


6. Click the Roles tab, and then, in the Available Roles list, select one or more items. Click >> (right arrows) to add the selected items to the Assigned Roles list. To unassign roles, select the role in the Assigned Roles list and click << (left arrows). For a description of the roles, see Configuring permissions on page 54.

7. Click the Targets tab, and then do one of the following:

l Select Manage All Targets.

l Select Manage Limited Targets, select one or more of the items in the Available Targets list, and then click >> (right arrows) to add the selected items to the Assigned Targets list. To unassign targets, select the target in the Assigned Targets list and click << (left arrows).

The targets that an administrator can manage also depend on the administrator's role. For example, to edit any target, an administrator requires the Target Manager role.

8. Click Save.

See also

l Configuring permissions on page 54

l Privileges by license type (software-only FortiDB) on page 55

l Viewing and exporting an administrator report on page 56

Configuring permissions

The FortiDB roles allow you to assign privileges to administrators. For information on assigning roles to administrators, see To add or modify an administrator on page 53. If you are using the software-only version of FortiDB, the privileges that are available depend on the FortiDB license. For more information, see Privileges by license type (software-only FortiDB) on page 55.

Administrator privileges by role

Role Privileges

Operations Manager l Review target-database connection information.

l Review target group connection information

l View pre-defined policies and user-defined policies

l View DAM Policies (Data, Metadata, Privilege, PCI, SOX, and HIPAA policies)

l Create, modify, delete, and run assessments

l Start/Stop monitoring

l View DAM Alerts

l Read results of FortiDB-shipped reports

l Read results of Custom reports

l Perform penetration tests

l View the Privilege Summary


Policy Manager l Import/export and enable/disable pre-defined policies for VA

l Import/export and enable/disable Metadata, Privilege, PCI, SOX, and HIPAA policies for DAM

l Import/export and enable/disable user-defined policies for VA and Data Policies for DAM

l Add policy groups for VA and DAM

l Create, modify and delete user-defined policies for VA and Data Policies for DAM

Report Manager l Review target-database connection information.

l Review target group connection information

l Review Assessment settings

l Read results of FortiDB-shipped reports

l Generate DAM PCI, SOX, and HIPAA compliance reports

l Read results of Custom reports

l View the Privilege Summary

Security Administrator l Create, modify, delete, and enable/disable FortiDB users

l Configure and modify user-role assignments

l View the Entitlement report

System Administrator l Import/export and enable/disable pre-defined policies

l Import/export and enable/disable user-defined policies

l Archive and restore assessment results

l Change system properties

l Enable/View Audit trail

Target Manager l Create, modify, and delete and import/export connections to target databases

l Create, modify , and delete target groups

l Perform Auto Discovery of target databases

l Review Assessment settings

l Review the Privilege Summary

See also

l Administrators on page 53

l Privileges by license type (software-only FortiDB) on page 55

l Viewing and exporting an administrator report on page 56

Privileges by license type (software-only FortiDB)

For the software-only version of FortiDB, the type of license that you use determines which privileges are available.


Privileges by license type

License Type Privileges

VA Only

l Policy Manager: View/Modify VA policies

l Operations Manager: Create, modify, delete, and run assessments

l Report Manager: Generate VA reports

l Target Manager: All privileges for this role enabled

l System Administrator: All privileges for this role enabled

l Security Administrator: All privileges for this role enabled

DAM Only

l Policy Manager: View/Modify DAM policies

l Operations Manager: Start/stop monitoring, view DAM Alerts, view/edit DAM Alert Groups

l Report Manager: Generate DAM reports

l Target Manager: All privileges for this role enabled

l System Administrator: All privileges for this role enabled

l Security Administrator: All privileges for this role enabled

VA and DAM

l All privileges for all roles enabled

See also

l Administrators on page 53

l Configuring permissions on page 54

l Viewing and exporting an administrator report on page 56

Viewing and exporting an administrator report

The Entitlement Report tab displays all FortiDB administrators, their account status, and their roles. To sort the entitlement report, click any column header. The header is used as your sort key. For example, to sort by status value, click Status.

The sorted result is preserved when you export a report.

To export the entitlement report as a PDF, Excel, comma-delimited, or tab-delimited file, for Export as, select a format and then click Export.

Entitlement Report tab

Column Description

Status   An icon indicates whether the administrator is enabled, disabled, or locked.

Username   Displays the user name from the Administrator tab.

First Name   Displays the first name from the Administrator tab.

Last Name   Displays the last name from the Administrator tab.

Other   Displays other information specified for the administrator.

System Administrator role   An icon indicates whether the user is assigned the System Administrator role.

Security Administrator role   An icon indicates whether the user is assigned the Security Administrator role.

Target Manager role   An icon indicates whether the user is assigned the Target Manager role.

Policy Manager role   An icon indicates whether the user is assigned the Policy Manager role.

Operations Manager role   An icon indicates whether the user is assigned the Operations Manager role.

Report Manager role   An icon indicates whether the user is assigned the Report Manager role.

See also

l Administrators on page 53

l Configuring permissions on page 54

l Privileges by license type (software-only FortiDB) on page 55


FortiMonitor administrator

You can configure FortiDB to collect audit and alert data for FortiMonitor and transmit it via SSH File Transfer Protocol (SFTP). To enable FortiMonitor integration with FortiDB, create a FortiDB administrator with the name fortisiem. Ensure that the fortisiem administrator password and the FortiMonitor password that the FortiDB FTP server uses are the same. By default, FortiMonitor uses the password fortidb1!$ for the FortiDB FTP server.

Because FortiDB ignores any settings for this administrator other than the name and password, you can enter any value for the other mandatory administrator settings. For information on additional FortiMonitor settings for FortiDB, see config system mapping on page 243.


Advanced/optional system settings

The System Information page displays basic information and settings for the FortiDB appliance, including the setting that allows you to view and change the FortiDB host name. The Global Configuration page allows you to change general assessment and monitoring settings. For example, you can specify settings that are used for any assessment that FortiDB performs.

See also

l System information and settings on page 59

l Changing the FortiDB host name on page 60

l Global configuration on page 60

System information and settings

The System Information page displays basic information and settings for the FortiDB appliance. FortiDB administrators have access profiles that permit read and write access for maintenance tasks and for changing the FortiDB firmware.

Item Description

Host Name   The host name of the FortiDB unit. For details on changing the name, see Changing the FortiDB host name on page 60.

Firmware Version   The version of the firmware installed on the FortiDB unit. Click Update to upload a new version of the firmware. For details on updating the firmware, see Connecting to the web UI and CLI on page 43.

Serial Number   The serial number of the FortiDB unit. The serial number is specific to the FortiDB unit and does not change with firmware upgrades. Use this number to register your FortiDB appliance with Fortinet.

System Time   The current time according to the FortiDB internal clock. Click Change to change the time. For details on changing the time, see Setting the system time on page 47.

Uptime   The time in days, hours, and minutes since the FortiDB was last started or rebooted.

Hard Disk RAID   The RAID information. Check your hardware specification for RAID support. For RAID creation and information, see config system raid on page 244.


Changing the FortiDB host name

1. In the navigation menu, go to System > System Information.

2. Under System Information, in the Host Name information, click Change. The Edit Host Name dialog box is displayed.

3. In the Host Name field, enter the new host name.

4. Click OK.

5. The new host name is displayed in the Host Name field.

See also

l System information and settings on page 59

Global configuration

The Global Configuration page allows you to change FortiDB system property values using the following tabs. To make changes to the global properties, log in as an administrator who is assigned the System Administrator role.

Tab Description

All   Displays all properties as read-only. Select a tab to add or change property values.

Assessment   Properties related to assessments

Notification   Properties related to Email, SNMP, and Syslog

Reporting   Properties related to report generation

User profile/Security   Properties related to user profiles and security

Target   Properties for additional JDBC settings for each database type

LDAP Server   Properties related to the LDAP server used for user authentication

Monitor   A property that specifies the number of records that each SOX Audit File contains

To restore the default values of global properties, on the appropriate tab, select one or more items using their checkbox, and then click Restore Default(s).

You cannot restore default values for the properties on the LDAP and Monitor tabs.


See also

l Assessment properties on page 61

l Notification properties on page 63

l Reporting properties on page 65

l User Profile/Security properties on page 65

l Target properties on page 66

l LDAP Server properties on page 67

l Monitor properties on page 68

Assessment properties

Property Description Default

Enable Localhost Auto Discovery (default: false)

Enables FortiDB to run auto discovery on the machine where the FortiDB application resides. Valid values are true or false.

Number of Concurrent Assessments (default: 5)

Total number of assessments that can run simultaneously. The optimum value of this parameter depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB. Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value.

Number of Concurrent Target Assessments (default: 20)

Total number of target databases that can be assessed simultaneously during assessments. The optimum value of Number of Concurrent Target Assessments depends on your environment, but tuning this parameter affects assessment performance and CPU usage by FortiDB. Note: Assuming that each assessment has at least one target database, the value of Number of Concurrent Assessments can never exceed the Number of Concurrent Target Assessments value.

SSH Key File (appliance version) (no default)

For Oracle OSVA and DB2 databases only, the file that contains the private key used for all SSH connections. Click Browse to select your SSH key file, and then click Save. You can upload an RSA or DSA private key file. If you upload a key file and a key file already exists in the appliance, FortiDB replaces the old key with the new key. Uploaded key files are renamed id_rsa or id_dsa, depending on the type of key that was uploaded. Warning: If you click Restore Default(s) and then Save, FortiDB deletes your key file. Keep a copy of the file in a safe place.

MSSQL Server Level Exclusions (default: model,tempdb,pubs,msdb,Northwind)

A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Microsoft SQL database.

Sybase Server Level Exclusions (default: model,tempdb,pubs2,pubs3,jpubs,sybsyntax,sybsecurity,sybsystemdb,sybsystemprocs)

A comma-separated list of databases that FortiDB does not scan when it performs a Server Level scan of a Sybase database.

Enable Pen Test (default: false)

When set to true, the penetration test (pentest) capability is enabled. When set to false, the pentest capability is disabled. For more information on penetration tests, see Penetration tests on page 120.

Enable Pen Test For All Users in Database (software-only version) (default: true)

Specifies whether FortiDB uses the user names in user.txt. For more information on the file, see Files used for penetration tests on page 121.

Pen Test Method (default: 3 (hybrid))

Specifies the method that FortiDB uses to connect to databases to perform penetration tests (pentests). Caution: If the penetration test login attempts are unsuccessful, the database may prevent any users, including valid users, from logging in. Valid values are:

l 1 - FortiDB logs in to your target databases to perform pentests (login method).

l 2 - FortiDB uses the hash-based method. A 'hash' is the value obtained after encrypting a clear-text string.

l 3 - FortiDB attempts the best available method: FortiDB uses the hash-based method if it is available. For more information on these methods, see Connection options for penetration tests on page 121.

Pen Test Password Dictionary

Specifies either the default password dictionary or a file that contains the passwords to check when the penetration test uses the Dictionary policy. Click Choose File to select your dictionary file, and then click Save to complete your selection. FortiDB does not display the name of the uploaded file. To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Note: Restoring the default dictionary in this way deletes your dictionary file. For more information on the password dictionary file, see Files used for penetration tests on page 121.

See also

l Auto-discovery on page 100

l Adding or modifying assessments on page 159

l Configuring SSH connections to Oracle and DB2 databases on page 94

l Adding (or modifying) a target connection on page 93

l Penetration tests on page 120

Notification properties

Property Description Default

Email Server Host Name (no default)

The SMTP email server host name or IP address. If no value is specified, FortiDB does not send email notifications.

Email Server Port (default: 25)

The server port number associated with Email Server Host Name.

Email Server User Name (no default)

The user name associated with Email Server Host Name. The user name and password are required if the email server requires authentication to send email.

Email Server Password (no default)

The password associated with Email Server Host Name. The user name and password are required if the email server requires authentication to send email.

SNMP Community String (default: public)

The SNMP community name.

SNMP Receiver Host (no default)

The SNMP receiver host name. If no value is specified, FortiDB cannot send SNMP-trap notifications.

SNMP Receiver Port (default: 162)

The SNMP receiver port number.

Syslog Receiver Host (no default)

The Syslog receiver host name or IP address. If no value is specified, FortiDB cannot send Syslog notifications.

Syslog Receiver Port (default: 514)

The Syslog receiver port number.

ArcSight Syslog Receiver Host (default: partner.arcsight.com)

The ArcSight Syslog receiver host name or IP address.

ArcSight Syslog Receiver Port (default: 514)

The ArcSight Syslog receiver port number.

From Address (no default)

The email address FortiDB uses in the 'From' field of email notifications.

See also

l Sending alert notifications on page 183


Reporting properties

Property Description Default

Company Name (default: Fortinet)

The company name to display on VA reports.

Company Logo (no default)

An image file that is included in the layout of generated reports. Click Choose File to select the image file, and then click Save. FortiDB places the image file that you select in /conf/reportlogo.

DAM Report Encoding (default: UTF-8)

The character encoding that FortiDB uses when it generates DAM reports.

See also

l Reports on page 208

User Profile/Security properties

Property Description Default

Idle Account Expiration (default: -1)

The number of days an administrator account can be inactive before FortiDB locks the account. When the value is -1 (the default), FortiDB does not lock administrator accounts because of inactivity. This expiry mechanism does not apply to the admin account. An administrator that is assigned the Security Administrator role can unlock an expired account.

Max Number of Failed Login Attempts (default: -1)

The number of login attempts FortiDB allows before it locks an administrator account. When the value is -1 (the default), FortiDB allows an unlimited number of login attempts. This limitation does not apply to the admin account.

Days Until Password Expiration (default: -1)

The number of days that a password remains valid. After the password expires, administrators are required to change their password. FortiDB displays messages to warn administrators that their password is going to expire. When the value is -1 (the default), passwords do not expire.

Minimum Password Length (default: -1)

The minimum length of an administrator password. When the value is -1 (the default), passwords can be any length. To be valid, passwords are required to have the minimum number of characters and satisfy all other rules for passwords. For more information, see Changing the "admin" account password on page 46.

Enable Local Audit Trail (default: false)

When the value is true, the FortiDB local audit trail is enabled. When the value is false, the local audit trail is disabled. For more information on the local audit trail, see Local audit trail on page 205.

See also

l Administrators on page 53

l Local audit trail on page 205

Target properties

FortiDB uses JDBC to connect to target databases. You can configure the JDBC settings for a target using the Target page General tab. (For more information, see Adding (or modifying) a target connection on page 93.) If you do not specify JDBC settings on the General tab, FortiDB uses the values of the following properties:

Property Description

Additional Oracle JDBC Settings   A list of one or more key-value pairs to use for Oracle database connections. Use a semicolon to separate list entries.

Additional SQL Server JDBC Settings   A list of one or more key-value pairs to use for Microsoft SQL database connections. Use a semicolon to separate list entries. If you use NTLM version 2 authentication, in the list, enter useNTLMv2=true. In some cases, for Microsoft SQL Server, ForceEncryption is set to No. To force the server to use SSL encryption, in the list, enter SSL=require.

Additional Sybase JDBC Settings   Enter one or more additional key-value pairs to use for Sybase database connections. Use a semicolon to separate list entries. To use a Sybase Encrypted Password connection (in the Sybase server, set net password encryption reqd to 1 or 2), enter: ENCRYPT_PASSWORD=true;RETRY_WITH_NO_ENCRYPTION=true;JCE_PROVIDER_CLASS=org.bouncycastle.jce.provider.BouncyCastleProvider To support an SSL-encrypted connection to the Sybase database, enter the following: SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSL Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.

Additional DB2 JDBC Settings   A list of one or more key-value pairs for DB2 database connections. Use a semicolon to separate list entries.

Additional MySQL JDBC Settings   A list of one or more additional key-value pairs for MySQL database connections. Use a semicolon to separate list entries.

See also

l Adding (or modifying) a target connection on page 93

LDAP Server properties

The LDAP Server properties specify the server that authenticates FortiDB administrators when User Authentication Type is LDAP. Click Test Connection to test the LDAP server configuration.

Property Description Default

Server Name/IP (no default)   LDAP server name or IP address.

Port (default: 389)   LDAP server port.

Common Name Identifier   Name of the user identifier in the LDAP user path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter cn. If the user path is un=username,ou=dept,dc=com, enter un.

Distinguished Name (no default)   Distinguished name of the LDAP user, which identifies its unique path. For example, if the path to the user is cn=username,ou=dept,dc=com, enter ou=dept,dc=com.

Bind Type (default: Simple)   LDAP authentication type.

Use Secure Connection (SSL) (default: False)   Use SSL for a secure connection. Valid values are True or False.

See also

l Administrators on page 53

Monitor properties

Property Description Default

Records contained by single Compliance Audit File (default: 400000)   The number of records that each Compliance Audit File contains. Enter a value between 100,000 and 400,000.

See also

l SOX audit on page 204


Connecting to target databases

To allow FortiDB to assess and monitor your databases, you first pre-configure the target database, and then configure the connection between FortiDB and the database. FortiDB can also look for databases on the network automatically.

See also

l Pre-configuration for monitoring target databases on page 69

l Privileges required by the database user on page 83

l Adding (or modifying) a target connection on page 93

l Managing target groups on page 99

l Auto-discovery on page 100

Pre-configuration for monitoring target databases

The pre-configuration that is required for target databases is determined by the type of database and the method that FortiDB uses for monitoring.

See also

l Network requirements for monitoring using the TCP/IP sniffer on page 69

l Oracle target database pre-configuration on page 70

l Microsoft SQL Server target database pre-configuration on page 83

l Sybase target database pre-configurations on page 75

l DB2 target database pre-configuration on page 80

l MySQL target database pre-configuration on page 74

Network requirements for monitoring using the TCP/IP sniffer

For more information about the TCP/IP sniffer, see Tutorial: Monitoring a database table using the TCP/IP sniffer on page 19.

l Your target database and its clients connect via TCP/IP protocols.

l Both FortiDB and the target databases are connected to the same switch. FortiDB is connected to the switch's mirroring (SPAN) port. For example:

l port1 on FortiDB and the machines of administrators are connected to a LAN, which is also the LAN that the target databases use for management connections.

l port2 on FortiDB is connected to the switch's mirror port, where it receives copies of all network traffic associated with the target databases.

See also

l Configuring monitoring using the TCP/IP sniffer (all database types) on page 177


Oracle target database pre-configuration

Required privileges for monitoring or auditing Oracle databases

To prepare for database monitoring, ensure the FortiDB database user has the following privileges:

Policy type Required privileges

Data

For the DB, EXTENDED, and XML File Agent collection methods:

l CREATE SESSION

l SELECT_CATALOG_ROLE

l DELETE_CATALOG_ROLE

l AUDIT ANY

l AUDIT SYSTEM

l SELECT on SYS.AUD$

l SELECT on the monitored tables or SELECT ANY TABLE

For the TCP/IP Sniffer collection method (privileges required for browsing the database to define a data policy):

l CREATE SESSION

l SELECT_CATALOG_ROLE

l SELECT on the monitored tables or SELECT ANY TABLE

Privilege

l CREATE SESSION

l SELECT_CATALOG_ROLE

l DELETE_CATALOG_ROLE

l AUDIT SYSTEM

Metadata

l CREATE SESSION

l SELECT_CATALOG_ROLE

For activity auditing:

l CREATE SESSION

l AUDIT SYSTEM

l SELECT_CATALOG_ROLE

To grant privileges to your database user, use a GRANT statement. For example:

GRANT SELECT_CATALOG_ROLE TO username;
GRANT DELETE_CATALOG_ROLE TO username;
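The grants for one case in the table above (the Data policy with the DB, EXTENDED, or XML File Agent collection method), followed by a least-privilege check that lists anything the account holds beyond that set, as an added example that is not part of the FortiDB guide. The account name FORTIDB_MON, the monitored table APP.CARDHOLDER, and a DBA session are assumptions; substitute your own.

```sql
-- Added example, not from the FortiDB guide. Assumes a DBA session, a
-- dedicated monitoring account FORTIDB_MON (hypothetical name) and one
-- monitored table APP.CARDHOLDER (hypothetical).

-- 1. Grants for the Data policy, DB/EXTENDED/XML File Agent collection.
--    SELECT on the specific monitored tables is used instead of the broader
--    SELECT ANY TABLE alternative, which would expose every schema.
GRANT CREATE SESSION           TO fortidb_mon;
GRANT SELECT_CATALOG_ROLE      TO fortidb_mon;
GRANT DELETE_CATALOG_ROLE      TO fortidb_mon;
GRANT AUDIT ANY                TO fortidb_mon;
GRANT AUDIT SYSTEM             TO fortidb_mon;
GRANT SELECT ON sys.aud$       TO fortidb_mon;
GRANT SELECT ON app.cardholder TO fortidb_mon;

-- 2. Everything the account holds: system privileges, roles and object
--    privileges in one list. Grantee names are stored in upper case.
WITH granted AS (
    SELECT CAST('SYSTEM PRIVILEGE' AS VARCHAR2(16)) AS kind, privilege AS name
      FROM dba_sys_privs
     WHERE grantee = 'FORTIDB_MON'
    UNION ALL
    SELECT CAST('ROLE' AS VARCHAR2(16)), granted_role
      FROM dba_role_privs
     WHERE grantee = 'FORTIDB_MON'
    UNION ALL
    SELECT CAST('OBJECT PRIVILEGE' AS VARCHAR2(16)),
           owner || '.' || table_name || ' (' || privilege || ')'
      FROM dba_tab_privs
     WHERE grantee = 'FORTIDB_MON'
)
-- 3. Least-privilege check: every row returned is a grant the table above
--    does not call for (for example SELECT ANY TABLE or the DBA role) and
--    should be revoked or explicitly justified.
SELECT kind, name
  FROM granted
 WHERE name NOT IN ('CREATE SESSION', 'AUDIT ANY', 'AUDIT SYSTEM',
                    'SELECT_CATALOG_ROLE', 'DELETE_CATALOG_ROLE',
                    'SYS.AUD$ (SELECT)', 'APP.CARDHOLDER (SELECT)')
 ORDER BY kind, name;
```

For the other rows of the table (TCP/IP Sniffer, Privilege, Metadata), shorten the GRANT list and the NOT IN list to the privileges that row names; the check query itself does not change.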

See also

l Configuring an Oracle database for PCI, SOX, and HIPAA policies on page 70

l Enabling to delete audit records on page 71

l Oracle XML file agent installation and configuration (UNIX, Windows, AIX) on page 71

l Adding (or modifying) a target connection on page 93

l Configuring Oracle monitoring on page 181

Configuring an Oracle database for PCI, SOX, and HIPAA policies

Regulatory compliance policies capture all types of activities and store the data in FortiDB's repository. In some cases, this information does not appear in alerts as expected. To avoid this problem, you can execute "create trigger" commands.

1. On your Oracle target database, add a file that contains the following script:

CREATE OR REPLACE TRIGGER FORTIDB_get_application
AFTER LOGON ON DATABASE
WHEN (user != 'SYS')
DECLARE
  l_program  VARCHAR2(50);
  l_computer VARCHAR2(50);
BEGIN
  -- Read the connecting client's program and host from its own V$SESSION
  -- row (V$SESSION exposes the client host in the MACHINE column) and store
  -- "program:host" as the session's client identifier, which the audit
  -- records then carry. The two substr lengths keep the value within the
  -- 64-byte client identifier.
  SELECT substr(program, 1, 43), substr(machine, 1, 20)
    INTO l_program, l_computer
    FROM v$session
   WHERE audsid = sys_context('USERENV', 'SESSIONID');
  dbms_session.set_identifier(l_program || ':' || l_computer);
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;
END;
/

2. Log in to your Oracle instance as sys as sysdba.

3. Execute the file.
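Two checks to run after executing the file, as an added example that is not from the FortiDB guide; they assume a DBA session on the target instance. The first confirms the trigger compiled and is enabled, the second shows whether new sessions actually carry the program:host identifier.

```sql
-- Added example, not from the FortiDB guide. Assumes a DBA session on the
-- Oracle target where the FORTIDB_get_application trigger was created.

-- 1. The trigger must exist, be ENABLED and fire AFTER LOGON; a compile
--    error leaves it present but unusable, so check DBA_ERRORS as well.
SELECT owner, trigger_name, trigger_type, triggering_event, status
  FROM dba_triggers
 WHERE trigger_name = 'FORTIDB_GET_APPLICATION';

SELECT line, position, text
  FROM dba_errors
 WHERE name = 'FORTIDB_GET_APPLICATION' AND type = 'TRIGGER'
 ORDER BY sequence;

-- 2. Sessions that logged on after the trigger was created carry
--    "<program>:<host>" in CLIENT_IDENTIFIER. A NULL here means either a
--    session that predates the trigger or a logon on which the trigger's
--    WHEN OTHERS handler swallowed an error; those sessions will show up in
--    alerts without application information.
SELECT username, program, machine, client_identifier, logon_time
  FROM v$session
 WHERE username IS NOT NULL
 ORDER BY client_identifier NULLS FIRST, logon_time;
```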

See also

l PCI, SOX, and HIPAA alert policies on page 154

Enabling to delete audit records

To delete audit records from the SYS.AUD$ table, the FortiDB database user requires delete privileges on the SYS.AUD$ table.

Because SYS.AUD$ contains all audit records, when FortiDB deletes audit records, it deletes all audit records, not only the audit records generated for FortiDB monitoring. Therefore, grant this privilege to the FortiDB user only if you understand the implications.

Use the following statement to grant the FortiDB user delete privileges on the SYS.AUD$ table:

grant delete on SYS.AUD$ to

For more information on deleting audit records, see Oracle audit management on page 1.
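A way to measure those implications before granting the privilege, as an added example that is not from the FortiDB guide: it summarizes what the audit trail currently holds, estimates how many records a purge would remove, and then grants and verifies the privilege. The account name FORTIDB_MON, the cut-off date, and a DBA session are assumptions.

```sql
-- Added example, not from the FortiDB guide. Assumes a DBA session and the
-- hypothetical monitoring account FORTIDB_MON.

-- 1. Who and what is in the trail right now. DBA_AUDIT_TRAIL is the readable
--    view over SYS.AUD$ for the standard audit trail; every row listed here
--    goes away when FortiDB purges the table.
SELECT username, action_name, COUNT(*) AS records,
       MIN(timestamp) AS oldest, MAX(timestamp) AS newest
  FROM dba_audit_trail
 GROUP BY username, action_name
 ORDER BY records DESC;

-- 2. Retention check: records older than the date from which FortiDB has
--    been monitoring (replace the constructed cut-off with your own). If this
--    is not zero, export or archive them before granting the privilege.
SELECT COUNT(*) AS records_before_cutoff
  FROM dba_audit_trail
 WHERE timestamp < TO_DATE('2018-01-01', 'YYYY-MM-DD');

-- 3. Only once the implications are understood: grant the purge privilege,
--    then confirm DELETE and SELECT are the only privileges on AUD$.
GRANT DELETE ON sys.aud$ TO fortidb_mon;

SELECT privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'FORTIDB_MON' AND owner = 'SYS' AND table_name = 'AUD$'
 ORDER BY privilege;
```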

See also

l Adding (or modifying) a target connection on page 93

Oracle XML file agent installation and configuration (UNIX, Windows, AIX)

You can use FortiDB's Oracle XML file agent to monitor multiple Oracle databases. When it is active, the agent periodically transmits Oracle's audit log data to FortiDB for further processing.

To configure and run the Oracle XML file agent

1. Obtain login credentials for a user that has read and write access to the Oracle log directories that you want to monitor. Using the SQL*Plus utility, run show parameters audit_file_dest to view the location of the Oracle database audit directory. If Oracle is installed on Windows, ensure that the user is a member of the Administrators group. You can remove the user from this group after installation is complete.

2. Ensure that Java Virtual Machine (JVM) 1.6 or greater is installed, the JAVA_HOME environment variable is correctly configured, and that the bin directory is first on the execution path.

3. Complete the Oracle target database pre-configuration. See Oracle target database pre-configuration on page 70.

4. Configure a target that connects to the Oracle database. See Adding (or modifying) a target connection on page 93.

5. As the user with the credentials specified earlier, log in to the machine where the Oracle database is located, and then unpack a copy of the Oracle XML file agent installer into a directory.

6. Copy the agent.properties.sample file from the agent's doc directory to the agent's conf directory, and then change the file name to agent.properties.

7. Open the agent.properties file in a text editor and edit the following values:

Parameter Description Required?

agentType   Enter ORA_XML. (Required)

brokerAddress   Enter the IP address or resolvable host name for FortiDB. (Required)

brokerPort   Enter the port FortiDB uses to listen for transmissions from the agent. The default value is 9116. (Optional)

agentDBAddress   Enter the IP address of the target database. Use the same value that is specified by the target configuration (General tab). (Required)

agentDBPort   Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab). (Required)

pollingInterval   Enter a positive integer that specifies the polling interval in milliseconds. For the Oracle XML file agent, the default value is 60000 (60 seconds). (Optional)

removeAuditFile   Not used for Oracle databases. (Optional)

8. If Oracle is installed on Windows, do the following:

l In the agent's bin directory, execute the following command:

l fdbagent install

l In the Windows Services Control Panel, configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.

9. To start the FortiDB agent, do one of the following:

l For Windows, Linux, or Solaris: In the agent's bin directory, execute the following command:

$ fdbagent start

To stop the agent, execute the following command:

$ fdbagent stop

l For other platforms (for example, AIX): In the agent's bin directory, execute the following command:

$ nohup ./fdbagentapp &

10. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring Oracle monitoring on page 181.

Monitoring encrypted Oracle traffic

FortiDB can monitor encrypted Oracle database activity using its TCP/IP sniffer. To make the database's SSL configuration compatible with FortiDB DAM, ensure that Advanced Security is enabled and generate the security credentials using Oracle Wallet Manager. In addition, ensure that the cipher suite RSA_3DES_EDE_CBC_SHA and one or more of the following cipher suites are enabled in the SSL configuration for the Oracle client:

l AES_256_CBC_SHA

l AES_128_CBC_SHA

l RSA_DES_CBC_SHA

l RSA_RC4_128_SHA

l RSA_RC4_128_MD5

When you configure monitoring using the TCP/IP sniffer, you upload to FortiDB the self-signed certificate that you exported from the Oracle server wallet manager and imported into the wallet manager on the Oracle client machine. Depending on your SSL configuration, the certificate information is stored in PKCS #12 or X.509 format. See Configuring monitoring using the TCP/IP sniffer (all database types) on page 177.

Using the SYSLOG utility to collect audit data

If required, you can configure the Oracle auditing feature to use the SYSLOG utility to write audit records to the system audit log. In SQL*Plus, you can use the show parameter audit command to view the current audit option values.

To enable SYSLOG data collection, set the audit options in the following table to the specified values:

Parameter Value

audit_file_dest Specify the operating system directory into which the audit trail is written.

audit_sys_operations TRUE

audit_syslog_level LOCAL1.DEBUG

audit_trail OS
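The same four parameters set and then checked from SQL*Plus, as an added example that is not from the FortiDB guide. The SYSDBA session, an instance started from an spfile, and the audit directory path /u01/app/oracle/admin/orcl/adump are assumptions.

```sql
-- Added example, not from the FortiDB guide. Assumes a SQL*Plus session
-- connected AS SYSDBA to an instance that starts from an spfile, and a
-- hypothetical audit directory /u01/app/oracle/admin/orcl/adump.

-- 1. Current values, and whether each parameter can change without a
--    restart (ISSYS_MODIFIABLE: IMMEDIATE, DEFERRED or FALSE).
SELECT name, value, issys_modifiable
  FROM v$parameter
 WHERE name IN ('audit_file_dest', 'audit_sys_operations',
                'audit_syslog_level', 'audit_trail')
 ORDER BY name;

-- 2. AUDIT_TRAIL, AUDIT_SYS_OPERATIONS and AUDIT_SYSLOG_LEVEL are static
--    parameters, so they are written to the spfile and only take effect
--    after the instance is restarted; AUDIT_FILE_DEST is set the same way
--    so that all four survive the restart together.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.DEBUG' SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/orcl/adump' SCOPE = SPFILE;

SHUTDOWN IMMEDIATE
STARTUP

-- 3. After the restart the running values must match the table above;
--    a mismatch usually means the instance was started from a pfile and
--    the SPFILE changes were never read.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_file_dest', 'audit_sys_operations',
                'audit_syslog_level', 'audit_trail')
 ORDER BY name;
```

Because audit_sys_operations = TRUE records the actions of SYS itself, the syslog facility LOCAL1 should be routed by the operating system's syslog configuration to a file that the database administrators cannot modify; otherwise the audit trail can be edited by the very accounts it is meant to watch.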


MySQL target database pre-configuration

To set the MySQL general log table

1. To add the required parameters to the server configuration file, go to the MYSQL_HOME directory, open my.cnf (for UNIX) or my.ini (for Windows) in a text editor, and then add the following parameters under [mysqld]:

general_log=1
log_output=TABLE

4. Restart the MySQL database.

5. To change the definition of the mysql.general_log table, use the following commands to change the storage engine to MyISAM:

mysql> SET GLOBAL general_log = 'OFF';
mysql> ALTER TABLE mysql.general_log ENGINE = MyISAM;

6. To view the definition of the mysql.general_log table, use the following SQL command:

mysql> show create table mysql.general_log;

The structure of the log table is displayed. For example:

| Table       | Create Table
| general_log | CREATE TABLE `general_log` (
  `event_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  `user_host` mediumtext NOT NULL,
  `thread_id` int(11) NOT NULL,
  `server_id` int(11) NOT NULL,
  `command_type` varchar(64) NOT NULL,
  `argument` mediumtext NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='General log' |

7. To verify that the database is logging data, use the following command:

mysql> select * from mysql.general_log;

Logging data is displayed. For example:

| event_time          | user_host                          | thread_id | server_id | command_type | argument                         |
| 2009-07-29 16:44:23 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Connect      | root@localhost on mysql          |
| 2009-07-29 16:44:23 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | select @@version_comment limit 1 |
| 2009-07-29 16:44:37 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | show create table general_log    |
| 2009-07-29 16:45:19 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | set global general_log='OFF'     |
| 2009-07-29 16:46:18 | root[root] @ localhost [127.0.0.1] |         1 |         0 | Query        | select * from mysql.general_log  |
5 rows in set (0.00 sec)
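A verification pass over the result of these steps, as an added example that is not from the FortiDB guide. It checks the three settings the procedure changes, re-enables the log if the ALTER TABLE step left it switched off, and summarizes what the log is capturing; it assumes an account with SELECT on mysql.general_log and on information_schema.

```sql
-- Added example, not from the FortiDB guide. Assumes an account that can
-- read mysql.general_log and information_schema and run SET GLOBAL.

-- 1. The settings the procedure changes. Expected after the steps above:
--    general_log = ON, log_output = TABLE, and ENGINE = MyISAM for the
--    mysql.general_log table.
SHOW GLOBAL VARIABLES WHERE Variable_name IN ('general_log', 'log_output');

SELECT table_name, engine, table_rows, data_length + index_length AS bytes
  FROM information_schema.tables
 WHERE table_schema = 'mysql' AND table_name = 'general_log';

-- 2. Changing the engine requires the log to be OFF, so a procedure that
--    stops there leaves nothing being recorded. If step 1 shows OFF, turn
--    it back on; the my.cnf setting only applies at the next restart.
SET GLOBAL general_log = 'ON';

-- 3. What is being recorded: volume per client and command type over the
--    last hour. A client that should be monitored but never appears here
--    is the first thing to check when FortiDB raises no alerts for it.
SELECT user_host, command_type, COUNT(*) AS events
  FROM mysql.general_log
 WHERE event_time >= NOW() - INTERVAL 1 HOUR
 GROUP BY user_host, command_type
 ORDER BY events DESC;

-- 4. Privilege changes seen by the log in the same window; with
--    log_output = TABLE the table grows without bound, so watching its
--    size in step 1 and purging on a schedule is part of running this.
SELECT event_time, user_host, argument
  FROM mysql.general_log
 WHERE command_type = 'Query'
   AND event_time >= NOW() - INTERVAL 1 HOUR
   AND (argument LIKE 'GRANT %' OR argument LIKE 'REVOKE %'
        OR argument LIKE 'CREATE USER%' OR argument LIKE 'DROP USER%')
 ORDER BY event_time DESC;
```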

FortiDB 5.1.13 Admin Guide 74 Fortinet Inc. Connecting to target databases

See also

l Configuring MySQL monitoring on page 180

Required privileges for monitoring via SQL Trace

The following privileges are required when you monitor a Microsoft SQL Server database using the SQL Trace collection method and privilege and metadata policies.

Policy type Required privileges

Privileges SELECT on:

l sys.columns

l sys.database_role_members

l sys.database_permissions

l sysobjects

l sys.database_principals

l sys.sql_logins

EXECUTE on:

l sp_helpsrvrolemember

Metadata SELECT on:

l information_schema.columns

l sysindexes

l sysobjects

l information_schema.routines

l sys.objects obj

l sys.sql_modules

l information_schema.views

See also

l Adding (or modifying) a target connection on page 93

l Configuring Microsoft SQL Server monitoring on page 178

Sybase target database pre-configurations

FortiDB database activity monitoring (DAM) features require you to pre-configure a Sybase target database, but not a Sybase IQ database. For Sybase IQ databases, FortiDB supports vulnerability assessment only, not DAM; therefore, Sybase IQ targets do not require pre-configuration.


Configuring the Sybase audit system and FortiDB database user

To create the sybsecurity database

Execute the following commands. The physname parameter specifies the Sybase path (in this example, C:\sybase\data\):
   disk init name = "auditdev", physname = "C:\sybase\data\sybaud.dat", size = 5120
   go
   disk init name = "auditlog", physname = "C:\sybase\data\sybaudlog.dat", size = 1024
   go
   create database sybsecurity on auditdev log on auditlog
   go

To install the installsecurity script

The installsecurity SQL script contains all required stored procedures and audit tables.
1. Go to the scripts directory. For example, $SYBASE/ASE-15_0/scripts.
2. Execute the following command:
   isql -Usa -P < instsecu
3. Restart the database.

To grant the mon_role role to the database user

To grant the mon_role role to the FortiDB database user, use the following command:
   grant role mon_role to

The mon_role role is applied the next time the user logs in. If you are currently logged in with that account, log out and log in again to allow the new privileges to take effect.

See also

l Configuring the Sybase Monitoring and Diagnostic (MDA) tables on page 76

l Adding (or modifying) a target connection on page 93

l Configuring Sybase monitoring on page 179

Configuring the Sybase Monitoring and Diagnostic (MDA) tables

To set the size of tempdb for MDA

For best results, ensure the temporary database (tempdb) has more than 100MB of free space.
1. Connect to the master database as the sa user.
2. Check the size of tempdb. For example, execute the following command:
   sp_helpdb
   go


   name            db_size   owner  dbid   created       status
   master          13.0 MB   sa     1      Dec 07, 2007  mixed log and data
   model           4.0 MB    sa     3      Dec 07, 2007  mixed log and data
   sybmgmtdb       75.0 MB   sa     4      Dec 07, 2007  select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data
   sybsystemdb     3.0 MB    sa     31513  Dec 07, 2007  mixed log and data
   sybsystemprocs  120.0 MB  sa     31514  Dec 07, 2007  trunc log on chkpt, mixed log and data
   tempdb          4.0 MB    sa     2      Nov 11, 2008  select into/bulkcopy/pllsort, trunc log on chkpt, mixed log and data
   text_db         5.5 MB    sa     5      Dec 07, 2007  trunc log on chkpt, mixed log and data
3. Allocate an appropriate amount of disk space to tempdb. For example, to allocate 500 MB, which is 256000 pages, execute the following command:
   disk init name = "tempdb_data01", physname = "/export/home/sybase/data/tempdb_data01.dat", size = 256000
   go
4. Allocate disk space on the new device to tempdb. For example, execute the following command:
   alter database tempdb on tempdb_data01 = 500
   go
   Extending database by 256000 pages (500.0 megabytes) on disk tempdb_data01

To configure the login trigger for session policies

Login triggers execute a specified stored procedure every time a user logs in.
1. Drop any existing FortiDB_audit table. For example, to drop the table FortiDB_audit, use the following command:
   drop table master.dbo.FortiDB_audit
   go
2. Create a table to store login information in. For example, to create the table FortiDB_audit in the master database, use the following command:
   create table master.dbo.FortiDB_audit (
      spid smallint,
      kpid int,
      suid int,
      loginname varchar(30),
      dbusername varchar(30),
      dbid smallint,
      dbname varchar(30),
      program_name varchar(30) null,
      hostprocess varchar(30) null,
      ipaddr varchar(64) null,
      loggedindatetime datetime
   )
   go


3. Create a procedure for the login trigger. For example, to create the procedure login_proc, use the following script:
   use master
   go
   drop procedure login_proc
   go
   create procedure login_proc as
   begin
      insert into master.dbo.FortiDB_audit
      select S.spid, S.kpid, S.suid, suser_name(), user_name(), S.dbid, db_name(),
             S.program_name, S.hostprocess, S.ipaddr, S.loggedindatetime
      from master.dbo.sysprocesses S
      where S.spid = @@spid
   end
   go
4. Create the login trigger. For example, use the following command:
   sp_logintrigger 'master.dbo.login_proc'
   go
   Global login trigger updated.
   If sp_logintrigger is not installed, recreate the master database procedures. For example, for UNIX, execute the following script:
   isql -Usa -P -i$SYBASE/ASE-15_0/scripts/installmaster
   For Windows, execute the following script:
   isql -Usa -P -i$SYBASE/ASE-15_0/scripts/installmstr
   If you need to drop the global trigger, execute:
   sp_logintrigger 'drop'
   go
5. Grant permission to execute login_proc to public. For example:
   grant execute on dbo.login_proc to public
   go

To set the MDA parameters

1. Configure MDA parameters. For example, for Linux, use the following commands (for Windows, enter "go" after each command):
   sp_configure "enable cis", 1
   sp_addserver loopback, null, @@servername      (not required for 15.0.2 or later)
   set cis_rpc_handling on                        (not required for 15.0.2 or later)
   exec loopback...sp_who                         (note: 3 dots)
   sp_configure "errorlog pipe active", 1
   sp_configure "deadlock pipe active", 1
   sp_configure "wait event timing", 1
   sp_configure "process wait events", 1
   sp_configure "object lockwait timing", 1
   go
   For the monSysStatement table:
   sp_configure "statement statistics active", 1
   sp_configure "statement pipe max messages", 30000
   sp_configure "per object statistics active", 1
   sp_configure "statement pipe active", 1
   go
   For the monSysSQLText table:
   sp_configure "max SQL text monitored", 8192
   sp_configure "SQL batch capture", 1
   sp_configure "sql text pipe max messages", 30000
   sp_configure "sql text pipe active", 1
   go
   Additional parameter values to set:
   sp_configure "max memory", 256000
   sp_configure "event buffers per engine", 2000
   sp_configure "plan text pipe max messages", 100
   sp_configure "errorlog pipe max messages", 30000
   sp_configure "deadlock pipe max messages", 100
   go
2. Restart the database.
3. To configure the monitoring table to collect data, use the following command:
   sp_configure "enable monitoring", 1
   go

To connect to the Sybase database and clear the MDA buffer

Clear the MDA buffer only after the FortiDB database user has made an initial connection to the database.
1. Connect to the Sybase database that you have configured for monitoring by FortiDB. See Adding (or modifying) a target connection on page 93.
2. To clear the MDA buffer, use the following commands:
   select top 1 * from dbo.monSysSQLText
   go
   select top 1 * from dbo.monSysStatement
   go

See also

l Configuring the Sybase audit system and FortiDB database user on page 76

l Adding (or modifying) a target connection on page 93

l Configuring Sybase monitoring on page 179


DB2 target database pre-configuration

Users and privileges required by the DB2 agent

The FortiDB DB2 agent periodically sends a request to the DB2 database to transmit its audit data to a file system location that belongs to the agent's temporary directory. The agent then transmits the audit files to the FortiDB repository. You can also configure the agent to remove the audit data from the DB2 database. To perform these tasks, the FortiDB DB2 agent requires read and write access to the audit data files. To give the agent this access, configure it to run using the login credentials of the database instance owner. In addition, to install the agent on Windows, the database user that runs the DB2 agent must be a member of the DB2ADMNS user group. You can remove the user from this group after installation is complete.

Required DB2 users   Purpose   Required privileges

DB2 instance owner   DB2 instance owner   Default DB2 instance owner privileges

FortiDB DB2 database user   Connects FortiDB to the DB2 target database   Security administration authority (SECADM), which is required to configure and manage database auditing. For databases installed on Windows:

l DB2 instance owner

l Membership in DB2ADMNS or DB2USERS user group

DB2 user for installing and running the agent   Runs the DB2 agent   DB2 instance owner. For installing on Windows, be a member of the DB2ADMNS user group

See also

l Configuring the DB2 database and installing the agent on page 80

l Adding (or modifying) a target connection on page 93

l Configuring DB2 monitoring on page 179

Configuring the DB2 database and installing the agent

To configure the DB2 target database to work with the DB2 agent

1. If the database already has an audit configuration, to reset the instance level audit, use the following command:
   db2audit configure reset
2. To start the audit facility, use the following command:
   db2audit start
3. To configure the audit facility to audit for failed logins, use the following command:
   db2audit configure scope context status failure
4. To set the size of the audit buffer, use the following command:
   db2 update dbm cfg using AUDIT_BUF_SZ 10000


The default audit buffer is 0 (no setting).

5. To grant security administration authority (SECADM) to the user FortiDB uses to connect to the database, use the following command:
   db2=> GRANT SECADM ON DATABASE TO USER
   where is the user name specified by the target configuration (General tab).

For Windows, the FortiDB connection user needs to belong to the DB2ADMNS or DB2USERS group. For UNIX, AIX, or Linux, the FortiDB connection user does not need to be an instance owner. By default, the db2admin user does not have the SECADM authority.

6. Connect to FortiDB for monitoring. For details about connecting to FortiDB, go to "Managing Target Databases".

To configure and run the DB2 agent

1. Ensure that Java Virtual Machine (JVM) 1.6 or greater is installed, the JAVA_HOME environment variable is correctly configured, and that the bin directory is first on the execution path.
2. Obtain a copy of the FortiDB agent installer. For information on obtaining the installer, contact Fortinet technical support.
3. Ensure that the DB2 target database has the required configuration. See To configure the DB2 target database to work with the DB2 agent on page 80.
4. As the database user that runs the agent, log in to the machine where the DB2 database is located, and then unpack a copy of the FortiDB agent installer to a directory. For information on the permissions this user requires, see Users and privileges required by the DB2 agent on page 80.
5. Copy the agent.properties.sample file from /doc to /conf, and then change the file name to agent.properties.
6. Using a text editor, set the following properties in agent.properties:

Parameter   Description   Required?

agentType   Enter DB2.   Yes

brokerAddress   Enter the IP address or resolvable host name for FortiDB.   Yes

brokerPort   Enter the port FortiDB uses to listen for transmissions from the agent. The default value is 9116.   No

agentDBAddress   Enter the IP address of the target database. Use the same value that is specified by the target configuration (General tab).   Yes

agentDBPort   Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).   Yes

pollingInterval   Enter the listening port on the target database. Use the same value that is specified by the target configuration (General tab).   No

removeAuditFile   Enter true or false. To remove DB2 audit file outputs after the agent sends them to FortiDB, enter true (the default value).   No

7. To install the DB2 agent, go to /bin, and then execute the following command:
   DB2AgentSetup
8. If DB2 is installed on Windows, do the following:
   a. In /bin, execute the following command:
      fdbagent install
   b. In the Windows Services Control Panel (for example, in Start > Control Panel > Administrative Tools), configure the FortiDB Database Monitoring Agent to run using the same login credentials that you used to unpack the FortiDB agent installation file.
9. To start the FortiDB agent, do one of the following:

l For Windows, Linux, or Solaris, in /bin, execute the following command:
   $ fdbagent start
   To stop the agent, execute the following command:
   $ fdbagent stop

l For other platforms (for example, AIX), in /bin, execute the following command:
   $ nohup ./fdbagentapp &

10. To confirm that the audit data path and audit archive path are correct, execute the following command:
   db2audit describe
   The audit settings are displayed. For example:
   DB2 AUDIT SETTINGS:
   Audit active: "TRUE"
   Log audit events: "FAILURE"
   Log checking events: "FAILURE"
   Log object maintenance events: "FAILURE"
   Log security maintenance events: "FAILURE"
   Log system administrator events: "FAILURE"
   Log validate events: "FAILURE"
   Log context events: "FAILURE"
   Return SQLCA on audit error: "FALSE "
   Audit Data Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\flush\"
   Audit Archive Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\archive\"
   AUD0000I Operation succeeded.
11. Configure target monitoring for the database where the agent is installed. For detailed instructions, see Configuring DB2 monitoring on page 179.
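Two places in this procedure are worth checking mechanically: the agent.properties file from step 6 (a missing required key or a bad port means the agent never reports to FortiDB) and the db2audit describe output from step 10 (auditing must be active, and both audit paths must resolve into the agent's own tmp directory, otherwise the agent cannot read the files). The following Python script is an added example, not Fortinet's code; it validates a properties text against the table above and parses the describe output. The properties file, the describe output and the agent tmp directory used below are constructed for the example, modelled on the guide's sample.

```python
"""Validate FortiDB DB2 agent.properties and db2audit describe output.

Added example (not Fortinet's code). Checks required properties, applies the
documented defaults (brokerPort 9116, removeAuditFile true), and confirms the
db2audit paths lie under the agent tmp directory. Samples are constructed.
"""
import posixpath
import re
from typing import Dict, List

REQUIRED = ("agentType", "brokerAddress", "agentDBAddress", "agentDBPort")
DEFAULTS = {"brokerPort": "9116", "removeAuditFile": "true"}
# Matches the `Name: "value"` lines that db2audit describe prints.
_SETTING = re.compile(r'^\s*(?P<name>[A-Za-z ]+?):\s*"(?P<value>[^"]*)"\s*$')


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value subset of Java .properties syntax ('#'/'!' comments)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_agent_properties(text: str) -> List[str]:
    """Return the problems found in agent.properties (empty list = OK)."""
    props = parse_properties(text)
    problems = [f"{key} is required" for key in REQUIRED if not props.get(key)]
    if props.get("agentType", "DB2") != "DB2":
        problems.append("agentType must be DB2 for the DB2 agent")
    for key in ("brokerPort", "agentDBPort"):
        value = props.get(key, DEFAULTS.get(key))
        if value and not (value.isdigit() and 0 < int(value) < 65536):
            problems.append(f"{key}={value} is not a valid TCP port")
    flag = props.get("removeAuditFile", DEFAULTS["removeAuditFile"]).lower()
    if flag not in ("true", "false"):
        problems.append(f"removeAuditFile={flag} must be true or false")
    return problems


def parse_db2audit_describe(text: str) -> Dict[str, str]:
    """Collect the settings lines of db2audit describe into a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group("name").strip()] = m.group("value").strip()
    return settings


def _norm(path: str) -> str:
    """Normalise a path textually so Windows paths compare on any host."""
    return posixpath.normpath(path.replace("\\", "/").lower())


def check_audit_paths(describe_output: str, agent_tmp: str) -> List[str]:
    """Confirm auditing is active and both audit paths lie under agent_tmp."""
    settings = parse_db2audit_describe(describe_output)
    problems: List[str] = []
    if settings.get("Audit active") != "TRUE":
        problems.append("audit facility is not active (db2audit start)")
    base = _norm(agent_tmp) + "/"
    for key in ("Audit Data Path", "Audit Archive Path"):
        path = settings.get(key)
        if not path:
            problems.append(f"{key} missing from db2audit describe output")
        elif not (_norm(path) + "/").startswith(base):
            problems.append(f"{key} {path!r} is outside {agent_tmp}")
    return problems


# Constructed samples modelled on the guide's procedure (not real systems).
SAMPLE_PROPERTIES = """
# agent.properties (constructed for this example)
agentType=DB2
brokerAddress=fortidb.example.internal
brokerPort=9116
agentDBAddress=192.0.2.10
agentDBPort=50000
removeAuditFile=true
"""

SAMPLE_DESCRIBE = r'''
DB2 AUDIT SETTINGS:
Audit active: "TRUE"
Log audit events: "FAILURE"
Log context events: "FAILURE"
Return SQLCA on audit error: "FALSE "
Audit Data Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\flush\"
Audit Archive Path: "C:\DB2\fdbagent\bin\..\tmp\db2audit\archive\"
AUD0000I Operation succeeded.
'''

if __name__ == "__main__":
    print(check_agent_properties(SAMPLE_PROPERTIES) or "agent.properties OK")
    print(check_audit_paths(SAMPLE_DESCRIBE, r"C:\DB2\fdbagent\tmp") or "audit paths OK")
```

The path comparison is textual on purpose: the describe output is often copied from a Windows host while the check runs elsewhere, and the `bin\..\tmp` form in the guide's sample only matches the agent directory after normalisation.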


See also

l Users and privileges required by the DB2 agent on page 80

Microsoft SQL Server target database pre-configuration

Database user account requirement

To monitor a Microsoft SQL Server database, FortiDB requires a database user that is a member of the sysadmin server role. Use the following command to add a database user as a member of sysadmin:
   sp_addsrvrolemember 'username', 'sysadmin'

See also

l Adding (or modifying) a target connection on page 93

Privileges required by the database user

When you configure a target that allows FortiDB to connect to a target database, you specify a database user. This user requires specific privileges to allow it to perform assessments or monitor database activity. To grant privileges to the FortiDB user, use the GRANT statement. For example:
   GRANT SELECT_CATALOG_ROLE TO
   GRANT SELECT ON dbo.syscolumns TO
   GRANT SELECT ON SYSIBM.SYSCOLAUTH TO
   GRANT ROLE SSO_ROLE TO
For Microsoft SQL Server, use the following command to add a login as a member of sysadmin:
   sp_addsrvrolemember '', 'sysadmin'

See also

l Privileges for VA assessments, privilege summaries, and penetration tests on page 83

l Privileges for monitoring data on page 88

l Privileges for monitoring privileges on page 89

l Privileges for monitoring metadata on page 90

l Adding (or modifying) a target connection on page 93

Privileges for VA assessments, privilege summaries, and penetration tests

The FortiDB database user for a target database requires the following privileges to run assessments and related tasks:


Task Required privileges

DB2

Run VA Assessment (except penetration test)   CREATE TABLE, and SELECT on the following SYSIBM tables:

l SYSCOLAUTH

l SYSDBAUTH

l SYSINDEXAUTH

l SYSPLANAUTH

l SYSSCHEMAAUTH

l SYSTABAUTH

l SYSTBSPACEAUTH

View a Privilege Summary SELECT on the following SYSCAT tables:

l COLAUTH

l DBAUTH

l INDEXAUTH

l PACKAGEAUTH

l SCHEMAAUTH

l TABAUTH

l TBSPACEAUTH

SELECT on the following SYSIBM tables:

l SYSCOLAUTH

l SYSDBAUTH

l SYSINDEXAUTH

l SYSPLANAUTH

l SYSSCHEMAAUTH

l SYSTABAUTH

l SYSSYSTABLESPACES

l SYSTBSPACEAUTH

l SYSUSERAUTH

Run Penetration Test SELECT on the following SYSCAT tables:

l COLAUTH

l DBAUTH

l INDEXAUTH

l PACKAGEAUTH

l SCHEMAAUTH

l TABAUTH

l TBSPACEAUTH

SELECT on the following SYSIBM tables:

l SYSCOLAUTH

l SYSDBAUTH

l SYSINDEXAUTH

l SYSPLANAUTH

l SYSSCHEMAAUTH

l SYSTABAUTH


l SYSTBSPACEAUTH

l SYSUSERAUTH

Microsoft SQL Server 2000

Run VA assessment (except penetration test)   SELECT on:

l MASTER.DBO.SPT_VALUES

l MASTER.DBO.SYSALTFILES

l MASTER.DBO.SYSDATABASES

l MASTER.DBO.SYSLOGINS

l MASTER.DBO.SYSXLOGINS

l SYSCOLUMNS

l SYSMEMBERS

l SYSOBJECTS

l SYSPROTECTS

l SYSUSERS

EXECUTE on:

l MASTER.DBO.XP_CMDSHELL

l MASTER.DBO.XP_INSTANCE_REGENUMVALUES

l MASTER.DBO.XP_INSTANCE_REGREAD

l MASTER.DBO.XP_LOGINCONFIG

l MASTER.DBO.XP_LOGININFO

l MASTER.DBO.XP_REGENUMVALUES

l MASTER.DBO.XP_REGREAD

The database user requires the MS-SQL sysadmin role to use the following policies in assessments:

l DVA MSSQL 01.01 password field empty

l DVA MSSQL 01.02 password is the same as login name

View a Privilege Summary For each individual MS-SQL 2000 database you want to connect to, SELECT on:

l MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)

l SYSMEMBERS

l SYSOBJECTS

l SYSPROTECTS

l SYSUSERS

Run Penetration Test SELECT on:

l MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)

l MASTER.DBO.SYSXLOGINS

l SYS.DATABASE_ROLE_MEMBERS

l SYSMEMBERS

l SYSOBJECTS

l SYSPROTECTS

l SYSUSERS (for each individual MS-SQL 2000 database you want to connect to)

Microsoft SQL Server 2005 or 2008

Run VA Assessment (except penetration test)   SELECT on:

l MASTER.DBO.SPT_VALUES

l MASTER.DBO.SYSALTFILES

l MASTER.DBO.SYSDATABASES

l MASTER.DBO.SYSLOGINS

l MASTER.DBO.SYSXLOGINS

l SYS.COLUMNS

l SYS.MEMBERS

l SYS.OBJECTS

l SYS.PROTECTS

l SYS.USERS

EXECUTE on:

l MASTER.DBO.XP_CMDSHELL

l MASTER.DBO.XP_INSTANCE_REGENUMVALUES

l MASTER.DBO.XP_INSTANCE_REGREAD

l MASTER.DBO.XP_LOGINCONFIG

l MASTER.DBO.XP_LOGININFO

l MASTER.DBO.XP_REGENUMVALUES

l MASTER.DBO.XP_REGREAD

The database user requires the MS-SQL sysadmin role to use the following policies in assessments:

l DVA MSSQL 01.01 password field empty

l DVA MSSQL 01.02 password is the same as login name

l DVA MSSQL 05.36 List database logins that are part of the local Administrators group

l DVA MSSQL 05.37 Verify SQL Server not run as local System Administrator

l DVA MSSQL 05.42 Default Microsoft SQL Listener Port Report

View Privileges Summary SELECT on:

l MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)

For each individual Microsoft SQL 2005 Server database that you want to connect to, SELECT on:

l SYS.DATABASE_PERMISSIONS

l SYS.DATABASE_PRINCIPALS

l SYS.DATABASE_ROLE_MEMBERS

l SYS.OBJECTS

Run Penetration Test SELECT on:

l MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)

l SYS.DATABASE_PERMISSIONS


l SYS.DATABASE_PRINCIPALS (for each individual Microsoft SQL 2005 Server database that you want to connect to)

l SYS.DATABASE_ROLE_MEMBERS

l SYS.OBJECTS

l SYS.SQL_LOGINS

Oracle

Run VA Assessment (except penetration test)   CREATE SESSION, SELECT_CATALOG_ROLE, and SELECT on:

l SYS.AUDIT$

l SYS.LINK$

l SYS.REGISTRY$HISTORY (Oracle 10g only)

l SYS.USER$

l SYSTEM.SQLPLUS_PRODUCT_PROFILE

View Privilege Summary SELECT on:

l ALL_USERS

l DBA_COL_PRIVS

l DBA_ROLE_PRIVS

l DBA_ROLES

l DBA_SYS_PRIVS

l DBA_TAB_PRIVS

Run Penetration Test SELECT on:

l ALL_USERS

l DBA_COL_PRIVS

l DBA_ROLE_PRIVS

l DBA_ROLES

l DBA_SYS_PRIVS

l DBA_TAB_PRIVS

l SYS.USER$

Sybase and Sybase IQ

Run VA Assessment (except penetration test)   SSO_ROLE; if the Sybase server is using SybSecurity:

l On the MASTER database, add the FortiDB user to the database and grant it SELECT permission on the following tables:

l SYSSRVROLES

l SYSLOGINROLES

l SYSSECMECHS

l SYSDATABASES (AUDFLAGS column)

l SYSLOGINS (AUDFLAGS column)

l On any user-defined databases, add the FortiDB user to the database and grant it SELECT permission on the following table:

l SYSUSERS

If the Sybase server is not using SybSecurity, grant the database user SELECT permission on the following tables:

l SYSSRVROLES

l SYSLOGINROLES

l SYSSECMECHS

l SYSDATABASES (AUDFLAGS column)

View a Privilege Summary For each individual database you want to connect to, grant SELECT on:

l MASTER.DBO.SYSDATABASES (for server-level connections)

l SYSOBJECTS

l SYSPROTECTS

l SYSUSERS

Run Penetration Test Grant SELECT on:

l MASTER.DBO.SYSDATABASES (for server-level connections)

l SYSOBJECTS

l SYSPROTECTS

l SYSUSERS (for each individual database that you want to connect to)

MySQL

Run a VA Assessment (including penetration test)   SELECT on:

l mysql.user

l mysql.db

l mysql.columns_priv

l mysql.tables_priv

View a Privilege Summary SELECT on:

l INFORMATION_SCHEMA.*

l mysql.user

SHOW DATABASES

See also

l Adding or modifying assessments on page 159

l Viewing and exporting a privilege summary on page 168

l Penetration tests on page 120

Privileges for monitoring data

To monitor data, the FortiDB user for your target database requires the following privileges:


RDBMS Type Required Privilege(s)

Oracle For DB, EXTENDED and XML File Agent collection methods:

l CREATE SESSION

l SELECT_CATALOG_ROLE

l DELETE_CATALOG_ROLE

l AUDIT ANY

l AUDIT SYSTEM

l SELECT on SYS.AUD$

l SELECT on the monitored tables or SELECT ANY TABLE

For the TCP/IP Sniffer collection method (to support browsing the database to define data policies):

l CREATE SESSION

l SELECT_CATALOG_ROLE

l SELECT on the monitored tables or SELECT ANY TABLE

Microsoft SQL Server Member of sysadmin

Sybase For the MDA collection method:

l No privilege is required for the MDA table

For the TCP/IP Sniffer collection method (to support browsing the database to define data policies):

l A user who can browse database objects

DB2 For the DB2 Agent collection method:

l SECADM privilege

For the TCP/IP Sniffer collection method (to support browsing the database to define data policies):

l A user who can browse database objects

See also

l Data policies on page 130

l Configuring target database monitoring on page 176

Privileges for monitoring privileges

To monitor privileges, the user for your target database requires the following privileges:

RDBMS Type Required Privilege(s)

Oracle

l CREATE SESSION

l SELECT_CATALOG_ROLE

l DELETE_CATALOG_ROLE

l AUDIT SYSTEM

Microsoft SQL Server For the SQL Trace collection method: SELECT on:

l sys.columns


l sys.database_role_members

l sys.database_permissions

l sysobjects

l sys.database_principals

l sys.sql_logins

EXECUTE on:

l sp_helpsrvrolemember

For the TCP/IP Sniffer and Net Agent collection methods:

l No privilege is required

Sybase No privilege is required for the MDA table or TCP/IP Sniffer

DB2   SECADM privilege for DB2 Agent. No privilege is required for TCP/IP Sniffer.

See also

l Privilege policies on page 146

l Configuring target database monitoring on page 176

Privileges for monitoring metadata

To monitor metadata, FortiDB target database users need the following privileges:

RDBMS Type Required Privilege(s)

Oracle

l CREATE SESSION

l SELECT_CATALOG_ROLE

For use with auditing:

l CREATE SESSION

l AUDIT SYSTEM

l SELECT_CATALOG_ROLE

Microsoft SQL Server For the SQL Trace collection method: SELECT on:

l information_schema.columns

l sysindexes

l sysobjects

l information_schema.routines

l sys.objects obj

l sys.sql_modules

l information_schema.views

For the TCP/IP Sniffer and Net Agent collection methods:

l No privilege is required

Sybase No privilege is required for the MDA table or TCP/IP Sniffer


DB2 UDB   SECADM privilege for DB2 Agent. No privilege is required for TCP/IP Sniffer.

See also

l Metadata policies on page 150

l Configuring target database monitoring on page 176

Managing targets

To assess and monitor your databases using FortiDB, you first create connections to them. The completed configuration is called a target. Use the Targets page to organize your targets.

Columns

The Target page displays the following columns:

Column Description

Status (Connection status)   One icon indicates a target database for which the information is not complete; a different icon indicates a target database for which the information is complete.

Name   User-defined target connection name. Click it to display the target configuration settings (General tab).

DB Name The name of the target database

DB Host Name/IP   Host name or IP address of the computer where the target database is located

Port Port number to use for the connection

DB Type One of the following types of databases: ORACLE, MSSQL, DB2, SYBASE, or MYSQL

Action   Click the Edit icon to modify the target, which is the same as clicking the DB Name.

Buttons and fields

The Target page displays the following buttons and fields:


Buttons and Fields Descriptions

View dropdown Filters the list of targets by database type

Search / New Group Search the list of targets and, optionally, create a new target group using the search results

Add Create a target

Delete Delete one or more selected targets

Import Import targets using an XML-format file

Export selected to XML Export selected targets as XML-format file

Export all to XML Export all targets as XML-format file

Export all to PDF Export the target list as a PDF file

See also

l Searching or filtering the target list on page 92

l Adding (or modifying) a target connection on page 93

l Exporting target information on page 97

Searching or filtering the target list

You can search the list of targets or create a filtered list of targets that you can place in a named group.
1. Do one of the following:

l Click Target Database Server > Targets, and then click Search/New Group.

l Click Target Database Server > Target Groups, and then click Add.

2. For Column, Operator, and Value, select and enter values that specify the targets that you want in the list. To add additional filtering criteria, click + (plus sign) and complete the settings for the new row. Click - (minus sign) to delete a row.

The value you enter for Value is case-sensitive. You cannot use the same Column value in multiple rows. For example, you cannot create a row for Location = 'London' and a row for Location = 'New York'.

For example:

Attribute Operator Value Return Possibilities

Location Contains nd all databases in London

Database Type Equals DB2 all DB2 databases

3. Click Search to apply the criteria.
4. Continue working with the filtered list, as required. For example, click the name of a target to edit its properties. To use the list to create a target group, enter a name and click Save Group.
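The search rules above (Contains and Equals, case-sensitive values, one row per column) are small enough to model exactly, which is useful when a saved group returns fewer targets than expected. The following Python function is an added illustration, not FortiDB code; it applies a list of (Column, Operator, Value) rows to a list of target records and assumes that multiple rows combine with AND (the guide does not state this explicitly). The target records are constructed for the example.

```python
"""Model the Targets page search: case-sensitive Contains/Equals rows,
combined with AND, with each column allowed in only one row.

Added example (not FortiDB code); the target records are constructed.
"""
from typing import Callable, Dict, List, Tuple

Criterion = Tuple[str, str, str]          # (column, operator, value)

# Comparisons are case-sensitive, as the guide states for Value.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda field, value: field == value,
    "Contains": lambda field, value: value in field,
}


def validate_criteria(criteria: List[Criterion]) -> None:
    """Reject unknown operators and a column used in more than one row."""
    seen = set()
    for column, operator, _ in criteria:
        if operator not in OPERATORS:
            raise ValueError(f"unsupported operator {operator!r}")
        if column in seen:
            raise ValueError(f"column {column!r} used in more than one row")
        seen.add(column)


def search_targets(targets: List[Dict[str, str]], criteria: List[Criterion]) -> List[str]:
    """Return the names of targets that satisfy every criterion (assumed AND)."""
    validate_criteria(criteria)
    return [
        t["Name"]
        for t in targets
        if all(OPERATORS[op](t.get(col, ""), value) for col, op, value in criteria)
    ]


# Constructed sample target list (column names as on the Targets page).
TARGETS = [
    {"Name": "hr_db2",  "Database Type": "DB2",    "Location": "London"},
    {"Name": "crm_ora", "Database Type": "ORACLE", "Location": "London"},
    {"Name": "fin_db2", "Database Type": "DB2",    "Location": "New York"},
    {"Name": "web_my",  "Database Type": "MYSQL",  "Location": "Sydney"},
]

if __name__ == "__main__":
    # The two rows from the guide's example table.
    print(search_targets(TARGETS, [("Location", "Contains", "nd")]))
    print(search_targets(TARGETS, [("Database Type", "Equals", "DB2")]))
```

Note that "nd" matches only the London targets: Sydney contains "dn", not "nd", and a value of "ND" matches nothing because the comparison is case-sensitive.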


See also

l Managing targets on page 91

l Adding (or modifying) a target connection on page 93

Adding (or modifying) a target connection

1. Go to Target Database Server > Targets.
2. Do one of the following:

l To create a target, click Add.

l To modify a target, click the name of a target database.

3. On the General tab, complete the following settings:

Name Do not use spaces in the name.

Type If you select Oracle, complete the settings on the SSH tab. If you select DB2, on the DB2 Options tab, do one of the following:

l Select SSH, and then complete the settings on the SSH tab.

For more information on SSH tab settings, see Configuring SSH connections to Oracle and DB2 databases on page 94.

l Select an option other than SSH. For more information on these settings, see Configuring DB2 options on page 94.

DB Host Name/IP   Enter the DB host name or IP address of the computer where the target database is located.

Port Enter the number of the port the database uses; the default port is 1521

Connect At   Displayed for Microsoft SQL Server or Sybase only. Select Database Level or Server Level. Select Server Level to exclude the databases specified by the MSSQL Server Level Exclusions or Sybase Server Level Exclusions global properties.

Additional JDBC Settings   By default, the target uses the additional JDBC settings values that you set in the Target global properties. For more information on these properties, see Target properties on page 66. To use different values, enter one or more key-value pairs separated by a semicolon. For Microsoft SQL Server or Sybase databases only, you can also do the following:

l Microsoft SQL Server — To support an SSL-encrypted connection, in SQL Server, set ForceEncryption to Yes. Then, for Additional JDBC Settings, enter SSL=require.

(To connect without encryption, in SQL server, set ForceEncryption to No.)

If you use NTLM version 2 authentication, enter useNTLMv2=true.

l Sybase — To support an SSL-encrypted connection, enter SYBSOCKET_FACTORY=com.fortinet.fortidb.target.internal.connection.SybaseSSLSQL

Note: Database activity monitoring (DAM) using the TCP/IP sniffer is not available when FortiDB connects to Sybase using SSL.

DB Activity Monitoring   Select to monitor this database.

4. (Optional) Enter information on the Classification and Contact Info tabs. You can use this information to filter the list of targets when you search the list of targets or create target groups.
5. To test your connection, select Test Connection.
6. Click Save.
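The Additional JDBC Settings field carries security-relevant state in a free-text string, so it is worth checking target definitions before saving them. The following Python script is an added example, not FortiDB code; it parses the semicolon-separated key-value pairs and encodes the statements from the settings table above: a SQL Server connection is SSL-encrypted only with SSL=require (with ForceEncryption set on the server), DAM using the TCP/IP sniffer is not available when FortiDB connects to Sybase over SSL, and the Name must not contain spaces. The target records are constructed for the example; the dictionary keys mirror the field labels on the General tab.

```python
"""Parse a target's Additional JDBC Settings and flag the combinations
the FortiDB target settings table calls out.

Added example (not FortiDB code); the target records are constructed.
"""
from typing import Any, Dict, List

# The SSL socket factory named in the guide for Sybase connections.
SYBASE_SSL_FACTORY = "com.fortinet.fortidb.target.internal.connection.SybaseSSLSQL"


def parse_jdbc_settings(text: str) -> Dict[str, str]:
    """'SSL=require;useNTLMv2=true' -> {'SSL': 'require', 'useNTLMv2': 'true'}."""
    settings: Dict[str, str] = {}
    for pair in text.split(";"):
        pair = pair.strip()
        if not pair:
            continue                          # tolerate a trailing semicolon
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed key=value pair: {pair!r}")
        settings[key.strip()] = value.strip()
    return settings


def review_target(target: Dict[str, Any]) -> List[str]:
    """Return warnings for one target definition (empty list = nothing to flag)."""
    settings = parse_jdbc_settings(str(target.get("Additional JDBC Settings", "")))
    warnings: List[str] = []
    if " " in target["Name"]:
        warnings.append("target name must not contain spaces")
    if target["Type"] == "MSSQL" and settings.get("SSL") != "require":
        warnings.append("SQL Server connection is not SSL-encrypted "
                        "(needs ForceEncryption=Yes on the server and SSL=require here)")
    if (target["Type"] == "SYBASE"
            and settings.get("SYBSOCKET_FACTORY") == SYBASE_SSL_FACTORY
            and target.get("DB Activity Monitoring")):
        warnings.append("Sybase over SSL: DAM using the TCP/IP sniffer is not available")
    return warnings


# Constructed sample targets (not real systems).
TARGETS = [
    {"Name": "crm-mssql", "Type": "MSSQL", "DB Activity Monitoring": True,
     "Additional JDBC Settings": "SSL=require;useNTLMv2=true"},
    {"Name": "legacy-mssql", "Type": "MSSQL", "DB Activity Monitoring": False,
     "Additional JDBC Settings": ""},
    {"Name": "erp sybase", "Type": "SYBASE", "DB Activity Monitoring": True,
     "Additional JDBC Settings": f"SYBSOCKET_FACTORY={SYBASE_SSL_FACTORY}"},
]

if __name__ == "__main__":
    for t in TARGETS:
        print(t["Name"], review_target(t) or "OK")
```

The Sybase check is the one most easily missed in practice: the connection test succeeds over SSL, but any data, privilege or metadata policy that relies on the sniffer collects nothing for that target.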

See also

l Managing targets on page 91

l Configuring DB2 options on page 94

l Configuring SSH connections to Oracle and DB2 databases on page 94

l SSH environment requirements (software-only version) on page 95

l Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 96

l Auto-discovery on page 100

Configuring DB2 options

When you configure a connection to a DB2 database, on the DB2 Options tab, for Retrieval Method, select one of the following options. After you have completed the required settings, click Test Connection to verify them:

SSH Select to configure FortiDB to connect to the database using Secure Shell (SSH), and then complete the settings on the SSH tab. For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 94.

DB2 Level Command Select to configure FortiDB to connect to the database using the output from DB2 commands. Then, complete the following settings:

l db2level Output — Enter the output of the db2level command (show DB2 service level command).

l dbm cfg Output — Enter the output of the db2 get dbm cfg command (get database manager configuration command).

Use SQL query for DB2 connection Select to configure FortiDB to use a SQL query to connect to the server. To use this option, ensure that the FortiDB database user is granted EXECUTE permission on the stored procedure.

Configuring SSH connections to Oracle and DB2 databases

You can configure FortiDB to connect to Oracle and DB2 target databases using Secure Shell (SSH).


If you are using the software-only version of FortiDB and connecting using SSH, additional configuration is required. For more information on these requirements, see SSH environment requirements (software-only version) on page 95.

To configure an SSH connection

1. On the Target page, click the SSH tab.

2. Specify a port number. The default port is 22.

3. For Access Method, select one of the following values:

Password Select to connect using the name of the database user and a password, and then enter the user information.

Implicit Key Pair Select to connect using the name of the database user and the SSH key file specified by the SSH Key File global property, and then enter the user name.

Explicit Key Pair (software-only version) Select to connect using a private key and passphrase (if you provided one when you generated the key), and then complete the following settings:

l User Name — Enter the FortiDB SSH user.

l Key Path — Enter the directory on your SSH client computer where the private key is located. Then, in the specified directory, create the directory .ssh and copy the private key to it.

l Pass Phrase — Enter an optional passphrase. You enter a passphrase when you generate a private key.

4. If you want to use the operating system vulnerability assessment (OSVA) feature and the target is an Oracle database running on Solaris or AIX, select Enable OSVA, and then complete the required settings. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 96.

5. To test the connection, click Test SSH Connection.

SSH environment requirements (software-only version)

When you use the software-only version of FortiDB, the following SSH environment is required to allow FortiDB to connect to target databases using an SSH connection. In addition, for some Oracle databases, additional configuration is required to use the operating system vulnerability assessment (OSVA) feature. If you need help setting up a working SSH environment, contact your system administrator. The target configuration SSH tab provides two Access Method options: Implicit Key Pair (the key pair is specified by the SSH Key File global property, see page 61) and Explicit Key Pair (the key pair information is specified on the SSH tab). For more information on the SSH tab, see Configuring SSH connections to Oracle and DB2 databases on page 94.

Item Description

Public Key handling For either the Explicit Key Pair or Implicit Key Pair method (both on page 95), use secure copy (SCP) to copy the public key that you generate on the SSH client to your SSH server. Then, append the key to the authorized_keys file located in the .ssh directory within the home directory of the FortiDB SSH user.

Private Key handling For either the Explicit Key Pair or Implicit Key Pair method (both on page 95), generate id_dsa or id_rsa private keys and copy them to the .ssh directory under the user's home directory on the SSH client machine. Note that current OpenSSH releases disable DSA (id_dsa) keys by default, so prefer an id_rsa key. In a Windows environment, the private key resides in the .ssh directory under the user's home directory. The exact directory depends on the OS version. For example, C:\Documents and Settings\All Users.

SSH Client Location The SSH client runs on your FortiDB machine.

SSH Server Location The SSH server runs on your target database machine.

User account for SSH User To configure an SSH connection, a user account on your target database machine is required.

DB2 Target Specific Instructions In some cases, additional configuration is required for the FortiDB OS user that you created on a DB2 target database machine. For example, if the user is db2inst3 and you use the bash shell, add the following entry to your .bashrc file:

    if [ -f /home/db2inst3/sqllib/db2profile ]; then
        . /home/db2inst3/sqllib/db2profile
    fi

Operating system vulnerability assessment (OSVA) with Oracle targets If the target is an Oracle database on Solaris or AIX, to use the FortiDB operating system vulnerability assessment (OSVA) feature, specify the Home Directory, Owner, and owner's Group of your target database. For more information on these settings, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 96.
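The following POSIX shell script is an added example, not part of the FortiDB guide or the product. It performs the server-side half of the Public Key handling step above: it appends the FortiDB public key to the FortiDB SSH user's authorized_keys exactly once (so re-running it never duplicates the key), optionally pins the key with a from= option so that only the FortiDB machine's address can use it, and sets the permissions that sshd's StrictModes requires before it will honour the file. The home directory, the key line and the address 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the FortiDB guide: server-side installation of the
# FortiDB SSH public key into the FortiDB SSH user's authorized_keys file.
# The key line, address and directories below are constructed for illustration.

# install_fortidb_key HOME_DIR PUBKEY_LINE [FROM_PATTERN]
# Appends PUBKEY_LINE ("type blob comment") to HOME_DIR/.ssh/authorized_keys once,
# optionally prefixed with from="FROM_PATTERN" so only the FortiDB machine can use
# it, and sets the modes sshd's StrictModes expects (700 on .ssh, 600 on the file).
install_fortidb_key() {
  home_dir=$1
  pubkey=$2
  from_pattern=${3:-}
  ssh_dir="$home_dir/.ssh"
  auth="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir"
  touch "$auth"
  # The base64 blob (second field of a plain key line) identifies the key even
  # when an earlier copy in the file carries an options prefix.
  blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  if ! grep -qF -- "$blob" "$auth"; then
    if [ -n "$from_pattern" ]; then
      printf 'from="%s" %s\n' "$from_pattern" "$pubkey" >> "$auth"
    else
      printf '%s\n' "$pubkey" >> "$auth"
    fi
  fi
  chmod 700 "$ssh_dir"
  chmod 600 "$auth"
}

# perms_of PATH -> the ten-character mode string, for example drwx------
perms_of() {
  ls -ld "$1" | cut -c1-10
}

# key_count AUTH_FILE -> number of key lines (blank lines and comments ignored)
key_count() {
  awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Constructed demonstration against a temporary "home directory".
demo_home=$(mktemp -d)
demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobNotARealKey fortidb@fortidb-host"
install_fortidb_key "$demo_home" "$demo_key" "192.0.2.10"
install_fortidb_key "$demo_home" "$demo_key" "192.0.2.10"   # second run must not duplicate
echo "keys installed: $(key_count "$demo_home/.ssh/authorized_keys")"
echo ".ssh mode: $(perms_of "$demo_home/.ssh")"
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Run it on the target as the FortiDB SSH user (or as root followed by chown of the .ssh directory). The from= restriction limits where a leaked private key can be used from and is the authorized_keys counterpart of the host-key pinning that known_hosts gives the client side.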

Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX

If the target is an Oracle database running on Solaris or AIX, additional configuration is required to use the operating system vulnerability assessment (OSVA) feature. For information on other SSH settings, see Configuring SSH connections to Oracle and DB2 databases on page 94.

To enable operating system vulnerability assessment (OSVA)

1. On your target computer, ensure that the opatch command path is included in the $PATH environment variable of the FortiDB SSH user.

2. On the SSH tab, select Enable OSVA, and then complete the following settings. If you do not have this information, contact your Oracle administrator:

Operating System Select Solaris or AIX.

Home Directory Enter the Oracle home directory ($ORACLE_HOME).


Owner Enter the name of the Oracle owner.

Group Enter the name of the Oracle user group. In most cases, it is dba or oinstall.

3. Click Save.

Exporting target information

You can use the Targets page to export all targets or targets you select. You can also use the page to import targets using an XML format file. When you export target information in PDF format, the file contains only parts of the target information and you cannot use it to import targets.

To export information for all targets as an XML or PDF file

1. On the Targets page, for View, select All.

2. Do one of the following:

l Click Export all to XML.

l Click Export all to PDF.

To export one or more selected targets as an XML file

1. On the Targets page, do one of the following:

l For View, select a target group.

l Click Search/New Group and use the filters to search for targets. For information on using the filter options, see Searching or filtering the target list on page 92.

2. Do one of the following:

l Select the checkbox beside one or more target names, and then click Export selected to XML.

l Select the checkbox in the column heading to select all list items.

l Click Export all to XML.

See also

l Managing targets on page 91

l Importing targets on page 97

Importing targets

You can use the Targets page to import target information in XML format. For example, you can import targets that you exported from another FortiDB appliance. When you export target information in PDF format, the file contains only parts of the target information and you cannot use it to import targets.


To view an example of a file that you can import, export an existing target. The software-only version of FortiDB provides example files in the following directory: /etc/import-target

Before you import a target, do the following:

l Ensure that the target name is unique. If you import a target with the same name as an existing target, FortiDB overwrites the existing target information with the information in the imported file.

l Ensure that the file provides values for all required elements. If an imported XML file does not have all the required values, FortiDB displays it in the list of targets with an incomplete status icon . Do not change any encrypted values. For passwords, use clear text. FortiDB encrypts this text during the importing process. Do not change the value of .

To import a target

1. In the navigation menu, go to Target Database Server > Targets.

2. Click Import. The Target Import page is displayed.

FortiDB imports target information based on the value of Name. If the Name value already exists in the target list, FortiDB overwrites the existing target with the imported data.

3. Click Choose file, and then navigate to the file and select it.

4. Select Import. The following information is displayed:

Column Description

Name The value of the target's Name element.

Results Indicates the status of the imported target: New, Updated, or Failed.

Complete Indicates whether one or more required elements are missing a value.

Message Indicates the reason why Failed is displayed in the Results column.

5. Click the Continue button to complete the import.

See also

l Managing targets on page 91

l Exporting target information on page 97


Managing target groups

The Target Database Server > Target Groups page displays all pre-defined and user-defined target groups. Use it to complete the following tasks:

l To add a target group, select Add. For more information, see Adding or modifying a target group on page 99.

l To modify a target group, click its name.

l To delete a user-defined target group, select it, and then click Delete. You can select more than one target group for deletion.

You can modify or delete a pre-defined target group. However, you cannot revert a target group to its original content or restore a target group you deleted.

See also

l Pre-defined target groups on page 99

l Adding or modifying a target group on page 99

Pre-defined target groups

FortiDB provides the following pre-defined target groups:

l DB2 Database Group

l MySQL Database Group

l Oracle Database Group

l Microsoft SQL Server Database Group

l Sybase Database Group

l Sybase IQ Database Group

l MongoDB Database Group

See also

l Managing targets on page 91

l Adding or modifying a target group on page 99

Adding or modifying a target group

1. On the navigation menu, go to Target Database Server > Targets.

2. Do one of the following:

l To create a target group, click Add.

l To modify a target group, click the name of the group.


3. On the Targets page, complete the required settings. For Group Name, enter or edit the name that is displayed in the list of target groups. For Description, enter a description, for example, your filtering or grouping criteria. To cancel the target group creation process, click Cancel.

4. Use the filtering options to display the targets you want in the group in the list of targets. For information on filtering the list, see Searching or filtering the target list on page 92.

5. Click Save Group. The new group is displayed in the Target Groups page.

See also

l Managing targets on page 91

l Pre-defined target groups on page 99

Auto-discovery

Auto-discovery facilitates the creation of target-database connections by searching your network for potential target databases. Auto-discovery scans for potential target databases according to your specified IP address range, database-type specification, and port numbers.

See also

l How to discover DB2 databases on page 100

l How to discover Microsoft SQL Server on page 100

l Running auto-discovery on page 101

l Adding targets from auto-discovery on page 101

How to discover DB2 databases

When attempting to discover DB2 target databases:

l The appliance must be able to connect to TCP port 523. If the connection fails, examine firewall policies, router rules, and other causes.

l The DB2 Administration Server (DAS) must be running.

How to discover Microsoft SQL Server

When attempting to discover Microsoft SQL Server target databases, in order to display the correct database version, verify that:

l Your SQL Server instance is running.

l Your SQL Server Browser service is running.


Running auto-discovery

This topic describes how to perform auto-discovery.

To run auto-discovery, the FortiDB Administrator (the admin user that ships with FortiDB) or an administrator with the Target Manager role is required.

1. Go to Target Database Server > Auto Discovery in the left-side menu.

2. To discover a single database, enter the IP address in the From field and leave the To field blank. To discover multiple databases, enter a range of IP addresses by using both the From field and the To field.

3. Select the Add button. The IP address (or range) is added to the list of IP addresses.

To delete an IP address (or address range) already on the list, select the check box on the left of the IP address or range and select the Remove button.

4. Specify the database types to attempt discovery for, and their respective port ranges, from the list:

a. Select or clear the check box(es) on the left of the list.

b. Add or edit the port ranges in the From and To fields.

5. Select one or more IP address rows and then select the Begin Discovery button. One of the following status messages is displayed at the top of the screen:

Status Meaning

Running... This status appears on the right side of the view header next to the "Status". The "processing" icon appears next to the page title. The Discovery Result page will display.

No databases found No database was found at the specified IP address(es).

Idle Has one of these meanings:

l User cancelled the auto-discovery process before completion.

l This is the status after Running...

l This is the status after No databases found

To stop running auto-discovery before the process is complete, select Abort.

6. The Auto Discovery Results page is displayed.

l indicates that this database was discovered.

l indicates that this database was added to the targets list.

Adding targets from auto-discovery

This topic describes how to add target-database configuration to the Targets page from the Auto Discovery Results.

1. Run auto-discovery.

2. Mark the check box(es) next to the targets you want to add to your list of target databases.

3. Select the Add to Targets button at the bottom.

4. Go to the Targets page, where the auto-discovered target databases are now listed.

Vulnerability assessment (VA) policies

Vulnerability assessment (VA) policies are best-practice business rules that FortiDB uses to assess databases. FortiDB has hundreds of pre-defined policies that address industry and governmental compliance requirements, as well as security best practices.

See also

l Types of VA policies on page 103

l Managing VA pre-defined policies on page 106

l VA user-defined policies on page 114

l VA policy groups on page 118

Types of VA policies

You can use the following two types of policies for database vulnerability assessments:

l Pre-defined policies — Fortinet adaptation of best practice database security policy. In addition to numerous database vulnerability policies, Fortinet also provides policies that help you perform OS-level assessments, such as making sure that your OS version is appropriate for the version of your target database.

l User-defined policies — Customer or third-party adaptation of an industry or company-specific security policy. You create these types of policies using conventional or procedural SQL. You can use the policy groups that ship with FortiDB or create your own.

See also

l Managing VA pre-defined policies on page 106

l VA user-defined policies on page 114

Updates to VA policies

Fortinet updates its policies several times a year with an XML file containing new or enhanced policies. Fortinet recommends that you import this list to keep your policies current. You can download the latest policies from FortiGuard Center. For more information, see Managing VA pre-defined policies on page 106.


Exporting and importing VA policies

If you want to move FortiDB policies to another computer, you can export the source from the FortiDB repository as XML files and then import them into the target FortiDB repository.

Before you import policies, verify that the XML file contains the correct elements. FortiDB does not validate Database Type, Severity, and Classification when it imports policies. To view a sample of correct content, export one or more policies.

See also

l Exporting user-defined policies on page 117

l Importing user-defined policies on page 117

VA policy version

The policy version tracks the following information:

l Pre-defined policies you imported and used for assessments. The policy version number is incremented when you import pre-defined policies updates.

l User-defined policies you updated. When you use the Modify User Defined Policy page to update a user-defined policy, FortiDB does not change the policy version number. To update the policy version number, export your user-defined policy, change the policy version number, and then import the policy. You cannot import a user-defined policy whose policy version number is equal to or lower than that of the existing policy.

When you restore data from an old archive (prior to FortiDB version 3.2.1), the restored data uses the latest version of the policies at the time of the restore.

See also

l Exporting user-defined policies

l Importing user-defined policies

VA policy groups

You add policies to assessments using policy groups. A policy group must contain at least one policy. FortiDB has the following pre-configured policy groups:

l DB2 Policy Group

l MySQL Policy Group


l Oracle Policy Group

l Pen Test Policy Group

l SQL Server Policy Group

l Sybase Policy Group

l Sybase IQ Policy Group

See also

l VA policy groups on page 104

VA policy states

A FortiDB policy can have one of the following states:

State and icon Description

Enabled ( ) FortiDB is currently using this policy when it runs assessments.

Disabled ( ) FortiDB is currently not using this policy when it runs assessments.

Modified and Enabled ( ) The policy has been modified and FortiDB is currently using it when it runs assessments.

Modified and Disabled ( The policy has been modified but FortiDB is not currently using it when it runs assessments. )

New and Enabled ( ) The policy is new and FortiDB is currently using it when it runs assessments.

New and Disabled ( ) The policy is new but FortiDB is not currently using it when it runs assessments.

See also

l Managing VA pre-defined policies on page 106

Keywords and user keywords for VA policies

Keywords are read-only, pre-defined policy keywords. User Keywords are keywords specified by you. You can use keywords to help you create policy groups.

See also

l Adding user-defined policies on page 115


Managing VA pre-defined policies

Use the Pre-Defined Policies tab to manage pre-defined policies. To view only certain policies, you can use the View dropdown list at the top of the page. You can also import additional policies or updates to existing policies. The pre-defined policies list has the following columns:

Columns Descriptions

Status Enabled ( ), Disabled ( ), New and Enabled ( ), New and Disabled ( ), Modified and Enabled ( ), or Modified and Disabled ( ). For descriptions, see VA policy states on page 105.

Name Pre-defined policy name

DB Type Oracle, Sybase, DB2, Microsoft SQL Server, MySQL, or SYBASEIQ.

Severity User defined severity level. There are 5 levels of severity:

l Informational (default)

l Cautionary

l Minor

l Major

l Critical

Classification Unclassified, Configuration, Password, Privilege, Database server, Host System.

l To view policies in a specific policy group only, for View, select the name of the group.

l Click Search/New Group to create a new policy group.

l To enable or disable a policy, select the policy in the list and then click Enable or Disable.

l Click Import to import new or updated policies into the FortiDB repository.

l Click Export to export all policies in the current list as an XML file.

To export pre-defined policies

1. In the navigation menu, go to Policy > VA Policies.

2. On the Pre-Defined Policies tab, for View, select All or the policy group you want to export.

The state of the checkboxes next to the individual policies does not affect which policies FortiDB exports. FortiDB always exports all items in the current list.

3. Click Export. Your browser downloads the XML file.


See also

l Importing pre-defined policies (appliance) on page 107

l Importing pre-defined policies (software-only FortiDB) on page 108

l Managing VA pre-defined policies on page 106

Importing pre-defined policies (appliance)

To keep your policy sets current and effective, you can use the Fortinet Distribution Network (FDN) to import the new and updated policies that FortiDB periodically offers its customers.

1. In the navigation menu, go to Policy > VA Policies.

Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.

2. Click Import. The Pre-Defined Policy Update page is displayed.

3. Do one of the following:

l To automatically disable any new or modified policies you import, select Disable new and modified rules after import.

l To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.

4. Do one of the following:

l To use icons that identify whether a policy is new or modified with the imported policies, select Identify new and modified rules with icons.

l To use icons that do not indicate whether a policy is new or modified with the imported policies, clear Identify new and modified rules with icons.

Fortinet recommends that you select Identify new and modified rules with icons.

5. Select Import Updates from FortiGuard Center. FortiDB connects to FortiGuard Center and downloads any updates. Then, a message like “0 Updated 12 policies of 544 found in file” is displayed. The downloaded update file contains all policies. However, FortiDB only updates modified policies. For example, in the sample message, the downloaded update file contains a total of 544 policies only 12 of which needed to be updated in your system. The other 532 policies in the update file are identical to those already in your system.

Appliance users can also import policy updates from a file: for Select XML file to be uploaded, click Browse, select the XML file, and then click Import.

See also

l Managing VA pre-defined policies on page 106

l Importing pre-defined policies (software-only FortiDB) on page 108


Importing pre-defined policies (software-only FortiDB)

You can import pre-defined policies by uploading XML files containing these policies. Before performing this task, you may need to download one or more XML files from a designated web or FTP site. This task includes importing the new and updated policies that FortiDB periodically offers its customers in order to keep their policy sets current and effective.

1. In the navigation menu, go to Policy > VA Policies.

Alternatively, go to Policy > VA Policy Groups, and then click the name of a policy group.

2. Click Import. The Pre-Defined Policy Update page is displayed.

3. For Select XML file to be uploaded, click Choose File, and then navigate to and select the update file.

4. Do one of the following:

l To automatically disable any new or modified policies you import, select Disable new and modified rules after import.

l To automatically enable any new or modified policies you import, clear Disable new and modified rules after import.

5. Do one of the following:

l To use icons that identify whether a policy is new or modified with the imported policies, select Identify new and modified rules with icons.

l To use icons that do not indicate whether a policy is new or modified with the imported policies, clear Identify new and modified rules with icons.

Fortinet recommends that you select Identify new and modified rules with icons.

6. Select Import. The policies are added to the list on the VA Policies page.

See also

l Managing VA pre-defined policies on page 106

l Importing pre-defined policies (appliance) on page 107

OS-Level pre-defined policies

The FortiDB OS-Level pre-defined policies gather and evaluate information about the target database's operating system (OS). They use SSH and a client-side script that contains OS commands. To assess Oracle target computers using OS-Level pre-defined policies, see Enabling operating system vulnerability assessment (OSVA) for Solaris and AIX on page 96. The OS-Level pre-defined policies require the following permissions:

Guarded Item / Description (Purpose) / Required Permissions

OSVA ORCL 01.01 Oracle Critical Patches (opatch)
Purpose: Returns the opatch version and the applied critical patch numbers.
Required permissions, Oracle 9i, 10g, 11g, 12c:
l The SSH user needs execute permission on opatch.
l The SSH user's PATH variable should include the location of opatch.
Required permissions, Oracle 10g, 11g, 12c:
l The SSH user needs read, write, and execute permissions on opatch.
l The SSH user needs read, write, and execute permissions on $ORACLE_HOME/cfgtoollogs/opatch/lsinv.

OSVA ORCL 01.02 Oracle Owner-Login Check
Purpose: Alerts if the Oracle owner, which is specified on the FortiDB Database Connection GUI, is not in /etc/passwd.
Required permissions: The SSH user needs read permission on /etc/passwd with the cat and grep commands.

OSVA ORCL 01.03 Oracle DBA-Group Check
Purpose: Alerts if dba is not in the /etc/group file.
Required permissions: The SSH user needs read permission on /etc/group with the cat and grep commands.

OSVA ORCL 01.04 Oracle DBA-Group-Member List
Purpose: Returns a list of members of the dba group from /etc/passwd and /etc/group.
Required permissions: The SSH user needs read permission on /etc/passwd and /etc/group with the cat and grep commands.

OSVA ORCL 01.05 Oracle Process-Owner Check
Purpose: Alerts if the Oracle process is being run by a non-Oracle user such as root or bin.
Required permissions: The SSH user needs execute permission on the ps and grep commands.

OSVA ORCL 01.06 Oracle Excessive Directory & File Permissions Check
Purpose: Alerts if the "other" permissions on the Oracle Home directory (and its contents) specified on the Create/Modify Database Connection screen include both read and write (and not execute).
Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Setting an access control list (ACL) for minimally-privileged users on page 112.

OSVA ORCL 01.07 Oracle Correct Directory/File Owner & Group Check
Purpose: Alerts if files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen do not have the correct owner and group. Exempt from this check are:
l $ORACLE_HOME/bin/oracle
l $ORACLE_HOME/bin/oradism
l $ORACLE_HOME/bin/dbsnmp
Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Setting an access control list (ACL) for minimally-privileged users on page 112.

OSVA ORCL 01.08 Oracle setuid/setgid File Check
Purpose: Alerts if setuid or setgid permissions are assigned to files and directories under the Oracle Home directory specified on the Create/Modify Database Connection screen. Exempt from this check are:
l $ORACLE_HOME/bin/oracle
l $ORACLE_HOME/bin/oradism
l $ORACLE_HOME/bin/dbsnmp
Required permissions: The SSH user needs other read and execute permissions on the $ORACLE_HOME directory. For example setup instructions, see Setting an access control list (ACL) for minimally-privileged users on page 112.

OSVA ORCL 01.09 Oracle Database-Configuration-Change Check
Purpose: Checks whether these database configuration files changed between the previous and current assessments: init.ora, spfile.ora.
Required permissions:
l The SSH user needs execute permission on ls for the $ORACLE_HOME/dbs/ directory.
l The SSH user needs read permission on the $ORACLE_HOME/dbs/ directory.

OSVA ORCL 01.10 Oracle Network-Configuration-Change Check
Purpose: Checks whether these network configuration files changed between the previous and current assessments: listener.ora, tnsnames.ora, sqlnet.ora.
Required permissions:
l The SSH user needs execute permission for ls on the $ORACLE_HOME/network/admin/ directory.
l The SSH user needs read permission on the $ORACLE_HOME/network/admin/ directory.

OSVA ORCL 01.11 Oracle Installed-Operating-System Info
Purpose: Returns the OS name and version.
Required permissions:
l The SSH user needs execute permission for cat on the /etc/release file.
l The SSH user needs read permission on the /etc/release file.

OSVA ORCL 01.12 Oracle External-Procedure Processes Running Check
Purpose: Alerts if an external-procedure process is running on the target server.
Required permissions: The SSH user needs execute permission for ps and grep.

OSVA ORCL 01.13 Oracle EXTPROC
Purpose: Alerts if any EXTPROC settings are listed in listener.ora. For example: (SID_NAME = PLSExtProc)
Required permissions:
l The SSH user needs execute permission for cat on the listener.ora file.
l The SSH user needs read permission on the listener.ora file.

OSVA ORCL 01.14 Oracle Missing-Listener-Password Check
Purpose: Alerts if a PASSWORD setting is missing in listener.ora.
Required permissions: Same as for OSVA ORCL 01.13 (execute permission for cat on, and read permission on, the listener.ora file).

OSVA ORCL 01.15 Oracle Missing-Listener-ADMIN_RESTRICTIONS Check
Purpose: Alerts if an ADMIN_RESTRICTIONS setting is missing in listener.ora.
Required permissions: Same as for OSVA ORCL 01.13.

OSVA ORCL 01.16 Oracle Default-Listener Check
Purpose: Alerts if the default LISTENER is set in listener.ora.
Required permissions: Same as for OSVA ORCL 01.13.

OSVA ORCL 01.17 Oracle Default-Port (1521) Check
Purpose: Alerts if the default PORT is set in listener.ora.
Required permissions: Same as for OSVA ORCL 01.13.

OSVA ORCL 01.18 Oracle Advanced-Listener-Security Settings Check
Purpose: Alerts if any Oracle Advanced Security settings are missing in sqlnet.ora. For example, the presence of the following would not cause an alert: SQLNET.ENCRYPTION_SERVER = Requested
Required permissions:
l The SSH user needs execute permission for grep on the sqlnet.ora file.
l The SSH user needs read permission on the sqlnet.ora file.

OSVA ORCL 01.19 Oracle Configured Listener List
Purpose: Displays all listener names.
Required permissions: Same as for OSVA ORCL 01.13.

OSVA ORCL 01.20 Oracle Unencrypted Listener Password Check
Purpose: Alerts if the password in listener.ora is unencrypted. Encrypted passwords should be 16 characters long and consist only of upper-case letters from A to F or numbers. For example, the following is an acceptably encrypted password and would not generate an alert: PASSWORDS_LISTENER = F56401ADBA6810DS
Required permissions: Same as for OSVA ORCL 01.13.

Use your known_hosts file to give access to certain hosts only.
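The following Python script is an added example and is not part of FortiDB or this guide. It re-implements the listener.ora and sqlnet.ora checks that OSVA ORCL 01.14 to 01.20 describe, so you can see what each policy looks for and test a configuration yourself before the SSH user has the permissions listed above. The two listener.ora samples, the listener name LSNR_PROD, the port 1530, and the hardened password value are constructed for the example; how FortiDB itself parses the files is not documented here, so the matching rules below are assumptions based on the policy descriptions.

```python
"""Added example (not FortiDB code): the listener.ora / sqlnet.ora checks behind
OSVA ORCL 01.14-01.20, applied to constructed sample files."""
import re

# Constructed sample: default listener name, default port, plain-text password,
# no ADMIN_RESTRICTIONS entry.  This should alert on 01.15, 01.16, 01.17, 01.20.
LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
PASSWORDS_LISTENER = secret123
"""

# Constructed hardened sample: non-default name and port, 16-hex-digit stored
# password (hypothetical value), ADMIN_RESTRICTIONS set.  Should not alert.
HARDENED_LISTENER_ORA = """\
LSNR_PROD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1530))
    )
  )
PASSWORDS_LSNR_PROD = F56401ADBA6810D5
ADMIN_RESTRICTIONS_LSNR_PROD = ON
"""

# Constructed sqlnet.ora with one Advanced Security setting present (01.18 passes).
SQLNET_ORA = "SQLNET.ENCRYPTION_SERVER = Requested\n"

# Top-level "NAME = value" lines; nested (indented) lines are skipped on purpose.
ENTRY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.]*)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)
# Guide's rule for a stored listener password: 16 characters, A-F and digits only.
ENCRYPTED_RE = re.compile(r"^[0-9A-F]{16}$")
PORT_1521_RE = re.compile(r"\(\s*PORT\s*=\s*1521\s*\)", re.I)


def parse(text):
    """Split top-level entries into listener names and scalar parameters (upper-cased)."""
    listeners, params = [], {}
    for m in ENTRY_RE.finditer(text):
        name, value = m.group(1).upper(), m.group(2)
        if value == "" or value.startswith("("):      # a parenthesised block, not a scalar
            if not name.startswith("SID_LIST_"):      # SID_LIST_<listener> is not a listener
                listeners.append(name)
        else:
            params[name] = value
    return listeners, params


def check_listener(text):
    """Per-listener findings for 01.14/01.15/01.16/01.20 plus the file-wide port check (01.17)."""
    listeners, params = parse(text)
    per_listener = {}
    for name in listeners:                             # 01.19: the configured listener list
        pw = params.get("PASSWORDS_" + name)
        per_listener[name] = {
            "missing_password": pw is None,                                          # 01.14
            "unencrypted_password": pw is not None and not ENCRYPTED_RE.match(pw),   # 01.20
            "missing_admin_restrictions": ("ADMIN_RESTRICTIONS_" + name) not in params,  # 01.15
            "default_listener_name": name == "LISTENER",                             # 01.16
        }
    return {"listeners": per_listener,
            "default_port_1521": bool(PORT_1521_RE.search(text))}                   # 01.17


def check_sqlnet(text):
    """01.18: alert only when no Advanced Security (native encryption/integrity) setting is present."""
    _, params = parse(text)
    present = sorted(k for k in params
                     if k.startswith(("SQLNET.ENCRYPTION_", "SQLNET.CRYPTO_CHECKSUM_")))
    return {"missing_advanced_security": not present, "present": present}


def alerts(listener_text, sqlnet_text):
    """Sorted OSVA policy IDs that would raise an alert for the two files."""
    ids = set()
    result = check_listener(listener_text)
    for f in result["listeners"].values():
        if f["missing_password"]:           ids.add("OSVA ORCL 01.14")
        if f["missing_admin_restrictions"]: ids.add("OSVA ORCL 01.15")
        if f["default_listener_name"]:      ids.add("OSVA ORCL 01.16")
        if f["unencrypted_password"]:       ids.add("OSVA ORCL 01.20")
    if result["default_port_1521"]:
        ids.add("OSVA ORCL 01.17")
    if check_sqlnet(sqlnet_text)["missing_advanced_security"]:
        ids.add("OSVA ORCL 01.18")
    return sorted(ids)


if __name__ == "__main__":
    print("weak:    ", alerts(LISTENER_ORA, ""))
    print("hardened:", alerts(HARDENED_LISTENER_ORA, SQLNET_ORA))
```

The checks read only the file text, which is why the policies need nothing more than read access to the two files and execute permission for cat or grep. Note that Oracle deprecated listener passwords in 11g in favour of local OS authentication, so on 11g and later targets an alert from 01.14 is expected and should be judged against the listener's OS-level protection rather than treated as a missing control.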

See also

l Setting an access control list (ACL) for minimally-privileged users on page 112

Setting an access control list (ACL) for minimally-privileged users

To provide more secure access to target databases, create an access control list (ACL) that lets a minimum-permission user perform, over SSH, only the OS-level operations used by the FortiDB OS-level pre-defined policies. In general, you create a user on the target database machine that belongs to the nobody group, then use an ACL to give that user only the specific permissions needed to run the OS-level pre-defined policies you are interested in. The following examples grant the SSH user read and execute permissions under the $ORACLE_HOME directory, which some operating system vulnerability assessment (OSVA) pre-defined policies require.


Example one: Set ACL on an Oracle 10g target server for OSVA ORCL 01.01

1. Assume the SSH user is fortidb. Grant it read, write, and execute permission on the lsinv directory and set the ACL mask so that the entry takes effect:
   $ setfacl -m user:fortidb:rwx,mask:rwx $ORACLE_HOME/cfgtoollogs/opatch/lsinv
2. To confirm the permissions:
   $ getfacl $ORACLE_HOME/cfgtoollogs/opatch/lsinv
   This command returns something like the following response:
   # file: /export/home/ora1020/product/10.2.0/Db_1/cfgtoollogs/opatch/lsinv
   # owner: ora1020
   # group: oinstall
   user::rwx
   user:fortidb:rwx #effective:rwx
   group::r-x #effective:r-x
   mask:rwx
   other:r-x
   Check the #effective value on the fortidb entry: it is the entry's permissions after the mask is applied, so a mask narrower than the entry reduces what the user actually gets.

Example two: Set ACL on an Oracle 9, 10g, 11g, or 12c target server for OSVA ORCL 01.06, 01.07, and 01.08

These policies need read and execute permission on every directory under $ORACLE_HOME. Assume the SSH user is sshuser.
1. To find the directories within $ORACLE_HOME for which the required permissions do not exist, execute the following as the Oracle owner (see o_owner) on your target-database machine:
   $ find $ORACLE_HOME \( -type d \) -a \( ! -perm -o+rx \) -ls | awk '{print $3,$11}'
   which might return something like:
   drwx------ /oracle/db1/Apache/Apache/conf/ssl.key
   drwxr-x--- /oracle/db1/.patch_storage
2. Using the File Access Control List program, grant read and execute permission to sshuser on each directory found:
   $ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key
   $ setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage
3. (Optionally) confirm that the correct permissions were granted with:
   $ getfacl /oracle/db1/Apache/Apache/conf/ssl.key
   $ getfacl /oracle/db1/.patch_storage
   which would return something like:
   # file: /oracle/db1/.patch_storage
   # owner: ora1020
   # group: oinstall
   user::rwx
   user:sshuser:r-x #effective:r-x
   group::r-- #effective:r--
   mask:r-x
   other:---
   The #effective value is what sshuser actually gets: the named-user entry is combined with the mask, so if the mask were r-- the effective permission would be r-- and the policy would still fail with "Permission denied".
4. (Optionally) you can revoke the permissions with:
   $ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/Apache/Apache/conf/ssl.key
   $ setfacl -d user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage
   The -d (delete) form is the Solaris setfacl syntax, which the paths in these examples reflect. On Linux, setfacl -d sets a default ACL rather than deleting entries; revoke with setfacl -x user:sshuser <directory> instead.

If you cannot grant read (r) and execute (x) permission on a directory, FortiDB VA reports a "Permission denied" error for it on the report. You can ignore the error, but the affected directory is not checked by the policy.
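The #effective annotation in the getfacl output above is the detail that decides whether a policy can read a directory. The following Python script is an added example, not part of FortiDB or this guide: it parses a saved getfacl listing and applies the POSIX ACL mask the way the kernel does, so you can verify from the listing what the SSH user will actually get before running the assessment. The two listings are constructed; sshuser, ora1020, oinstall, and the path are the names used in the examples above.

```python
"""Added example (not FortiDB code): effective ACL permissions from a getfacl(1)
listing, with the mask applied as POSIX ACLs require."""

# Constructed listing: a named-user entry that a narrow mask cuts down to read-only.
BEFORE = """\
# file: /oracle/db1/.patch_storage
# owner: ora1020
# group: oinstall
user::rwx
user:sshuser:r-x #effective:r--
group::r-x #effective:r--
mask:r--
other:---
"""

# Constructed listing after: setfacl -m user:sshuser:r-x,mask:r-x /oracle/db1/.patch_storage
AFTER = BEFORE.replace("mask:r--", "mask:r-x")


def parse_getfacl(text):
    """Return (path, owner, group, entries); entries map (kind, qualifier) -> 'rwx'-style string.

    Accepts both the Solaris form (mask:r-x, other:---) and the Linux form
    (mask::r-x, other::---); the '#effective:' note that getfacl itself prints is ignored."""
    path = owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            key, val = key.strip(), val.strip()
            if key == "file":
                path = val
            elif key == "owner":
                owner = val
            elif key == "group":
                group = val
            continue
        parts = line.split(":")
        if len(parts) == 2:                      # mask:r-x / other:---
            kind, qualifier, perms = parts[0], "", parts[1]
        else:                                    # user::rwx / user:sshuser:r-x / mask::r-x
            kind, qualifier, perms = parts[0], parts[1], parts[2]
        entries[(kind, qualifier)] = perms
    return path, owner, group, entries


def _mask(perms, mask):
    """Bits present in both the entry and the mask (position-wise r/w/x)."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))


def effective_perms(parsed, user, groups=()):
    """POSIX ACL access-check order: owner, named user, owning/named groups, other.

    The owner and 'other' entries are never masked; named users and all group
    entries are, which is what getfacl's '#effective:' column shows."""
    _, owner, owning_group, entries = parsed
    mask = entries.get(("mask", ""), "rwx")
    if user == owner:
        return entries[("user", "")]
    if ("user", user) in entries:
        return _mask(entries[("user", user)], mask)
    granted = []
    if owning_group in groups:
        granted.append(entries[("group", "")])
    granted += [entries[("group", g)] for g in groups if ("group", g) in entries]
    if granted:
        # A process matching several group entries gets the union of what they grant.
        union = "".join(max(bits) for bits in zip(*granted))
        return _mask(union, mask)
    return entries[("other", "")]


def can_read_and_traverse(parsed, user, groups=()):
    """True when the user can list and enter the directory, which the OSVA policies need."""
    p = effective_perms(parsed, user, groups)
    return "r" in p and "x" in p


if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        parsed = parse_getfacl(listing)
        print(label, parsed[0], "sshuser ->", effective_perms(parsed, "sshuser"),
              "ok" if can_read_and_traverse(parsed, "sshuser") else "Permission denied expected")
```

Running the script against a listing collected with getfacl -R on $ORACLE_HOME gives you the directories that will still produce "Permission denied" on the report, without having to run the assessment to find out.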

See also

l OS-Level pre-defined policies on page 108


VA user-defined policies

On the Policies page, you can manage user-defined policies in the User-Defined Policies tab. Use the View list at the top of the page to filter the list. You can also import additional policies or updates to existing policies.

Columns Descriptions

Status Indicated by an icon:

l Enabled

l Disabled

l New and Enabled

l New and Disabled

l Modified and Enabled

l Modified and Disabled

Name User-defined policy name

DB Type Oracle, Sybase, DB2, Microsoft SQL Server, MySQL or SYBASEIQ

Severity User defined severity level. There are 5 levels of severity:

l Informational (default)

l Cautionary

l Minor

l Major

l Critical

Classification Unclassified, Configuration, Password, Privilege, Database server, Host System.

l The View dropdown enables you to limit the policies that you view to only those within a certain policy group

l The button enables you to create a new policy group.

l The Add button enables you to create your own User-Defined policy.

l The Delete button enables you to delete the policies for which a check box has been checked.

l The Enable button enables you to activate the policies for which a check box has been checked.

l The Disable button enables you to deactivate the policies for which a check box has been checked.

l The Import button enables you to import new or updated policies into the FortiDB repository.

l The Export button enables you to export all policies on the screen as an XML file.

See also

l Adding user-defined policies on page 115

l Deleting user-defined policies on page 116

l Exporting user-defined policies on page 117

l Importing user-defined policies on page 117


Adding user-defined policies

1. Go to Policy > VA Policies of the left-side menu. 2. Select the User-Defined Policies tab. 3. Select the Add button. 4. Fill in the appropriate fields. Some of the fields to note are:

Field Name Descriptions

ID Enter a unique designator that can include any character, including alphanumerics, special characters, and white spaces.

SQL query Enter the query that will be used when this User-Defined Policy is applied during an assessment.

Result Column Name(s) Entries in this field are the column names referred to in the SQL query field. Multiple entries are delimited by semicolons.

The names can either be actual column names in your query, like empno in 'SELECT empno FROM scott.emp', or aliases, like enumber in 'SELECT empno AS " enumber" FROM scott.emp'. Leading or trailing spaces in the alias expression must also be specified in this field for the column's values to appear in your report. For example, if there are two leading spaces in " enumber", include both spaces in the Result Column Name(s) value.

You can use the '*' column wild card in your queries; however, you must separately specify the name of each column for which you want report results. If, for example, you use 'SELECT * FROM scott.emp' against an Oracle target database, you must enter "empno;ename;job;mgr;hiredate;sal;comm;deptno" in this field in order to get a report on all columns in scott.emp.

Note: Do not put spaces before or after the semicolons unless your aliased column names also have leading or trailing spaces, respectively.

Result Column Label(s) Entries in this field are the column names that you would like to see in your reports. Multiple entries are delimited by semicolons. Note: If you don't populate this field, your report's column headers will be the entries used for the Result Column Name(s) field.

Keywords Entries in this field can be used when using a filter to create policy groups.

5. Select the Save button.
6. Here is an Oracle example, which assumes you have access to the SCOTT schema:
a. Create a policy with these entries:

l ID: unique designator

l Name: myOracleUDP1

l Database type: Oracle

l SQL query: SELECT empno, ename from scott.emp

l Result Column Name(s): empno;ename


l Result Column Label(s): Employee Number;Employee Name

l Severity: Informational

l Classification: Unclassified

b. Select Save to save myOracleUDP1.
c. Create a policy group, myUDPGroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myUDPGroup.
e. Run a Detailed (Pre-Defined) Report against your assessment. You should see several rows of Scan Results like this in the Informational Vulnerabilities section:

l Employee Number: 7369 Employee Name: SMITH

7. Here is another, slightly different, Oracle example, which uses column-name aliasing and, again, assumes you have access to the SCOTT schema:
a. Create a policy with these entries:

l ID: can be any value

l Name: myOracleUDP2

l Database type: Oracle

l SQL query: SELECT empno as "EmpID", ename as "Worker" from scott.emp

l Result Column Name(s): EmpID;Worker

l Result Column Label(s): Employee Number;Employee Name

l Severity: Informational

l Classification: Unclassified

b. Select Save to save myOracleUDP2.
c. Create a policy group, myUDPGroup, containing the new policy.
d. Create an assessment that runs against an Oracle target group and which uses myUDPGroup.
e. Run a Detailed (Pre-Defined) Report against your assessment. You should see several rows of Scan Results like this in the Informational Vulnerabilities section:

l Employee Number: 7369 Employee Name: SMITH
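Filling in Result Column Name(s) by hand is where these policies usually go wrong. The following Python helper is an added example, not FortiDB code: it derives the field value from the SELECT list of the query under the rules given above (quoted aliases are copied verbatim, including leading or trailing spaces; entries are joined by semicolons with no surrounding spaces; and SELECT * is refused because every column must then be listed explicitly). The queries checked are the two from this section plus constructed ones; the helper handles the common SELECT-list shapes and is not a full SQL parser.

```python
"""Added example (not FortiDB code): derive the Result Column Name(s) value of a
user-defined VA policy from the SELECT list of its query."""
import re

SELECT_RE = re.compile(r"^\s*SELECT\s+(?:DISTINCT\s+)?(.*?)\s+FROM\b", re.I | re.S)
# "<expression> [AS] <alias>" where the alias is a quoted identifier or a bare one
ALIAS_RE = re.compile(r'^(.+?)\s+(?:AS\s+)?("[^"]*"|[A-Za-z_][A-Za-z0-9_$#]*)$', re.I | re.S)


def select_items(sql):
    """Split the text between SELECT and the first FROM on top-level commas only,
    so commas inside function calls or quoted aliases do not split an item."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("expected SELECT ... FROM")
    items, buf, depth, quoted = [], "", 0, False
    for ch in m.group(1):
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        if ch == "," and depth == 0 and not quoted:
            items.append(buf.strip())
            buf = ""
        else:
            buf += ch
    items.append(buf.strip())
    return items


def result_name(item):
    """The name FortiDB must be given for one SELECT-list item."""
    if item == "*" or item.endswith(".*"):
        raise ValueError("wildcard select: list every column name explicitly")
    m = ALIAS_RE.match(item)
    if m:
        alias = m.group(2)
        # A quoted alias is taken verbatim, spaces included, as the guide requires.
        return alias[1:-1] if alias.startswith('"') else alias
    return item.rsplit(".", 1)[-1]          # plain column, possibly schema.table qualified


def result_column_names(sql):
    """Semicolon-joined value for the Result Column Name(s) field."""
    return ";".join(result_name(i) for i in select_items(sql))


if __name__ == "__main__":
    for q in ("SELECT empno, ename from scott.emp",
              'SELECT empno as "EmpID", ename as "Worker" from scott.emp',
              'SELECT empno AS " enumber" FROM scott.emp'):
        print(repr(result_column_names(q)))
```

The third query shows the case the guide warns about: the derived value is ' enumber' with its leading space preserved, and that exact string, space included, is what goes in the field.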

See also

l VA user-defined policies on page 114

l Deleting user-defined policies on page 116

l Exporting user-defined policies on page 117

l Importing user-defined policies on page 117

Deleting user-defined policies

This topic describes how to delete user-defined policies. 1. Go to Policy > VA Policies of the left-side menu. 2. Select the User-Defined Policies tab. 3. Mark the check box(es) corresponding to the user-defined policy you want to delete. 4. Select the Delete button.


See also

l VA user-defined policies on page 114

l Adding user-defined policies on page 115

l Exporting user-defined policies on page 117

l Importing user-defined policies on page 117

Exporting user-defined policies

This topic describes how to export user-defined policies. 1. Go to Policy > VA Policies of the left-side menu. 2. Select the User-Defined Policies tab. 3. In the View dropdown list, select All or a policy group you want to export.

The checkboxes next to the individual policies have no effect when exporting. FortiDB exports all policies in the list regardless of whether the checkbox for an item is selected.

4. Select the Export button. 5. Save the XML file.

See also

l VA user-defined policies on page 114

l Adding user-defined policies on page 115

l Deleting user-defined policies on page 116

l Importing user-defined policies on page 117

Importing user-defined policies

This topic describes how to import user-defined policies.
1. Go to Policy > VA Policies of the left-side menu.
2. Select the User-Defined Policies tab.
3. Select the Import button.
4. Enter the path to the XML file you want to import, or select the Browse button and select the XML file you want to import.
To successfully import your policies, you must increase the value of the version attribute of the <VaPolicy> element in the file (for example, change version="3" to version="4").
5. Select or clear the Deactivate new and modified rules after import check box.

l If you select this, the new and modified rules after import are deactivated.

l If you clear this, the new and modified rules after import are activated.

6. Select or clear the Identify new and modified rules with icons check box.

l If you select this, you can identify new and modified rules with icons.

l If you clear this, you cannot identify new and modified rules with icons.

7. Select the Import button.


See also

l VA user-defined policies on page 114

l Adding user-defined policies on page 115

l Deleting user-defined policies on page 116

l Exporting user-defined policies on page 117

VA policy groups

The Policy Groups page displays all policy groups with groups names and descriptions. Use the Policy Groups page to perform the following tasks:

l Add a new policy group by selecting Add. See Adding VA policy groups on page 118.

l Modify the policy group by selecting the group name. See Modifying VA policy groups on page 119.

l Delete policy groups by selecting the group check box, and click Delete. The following pre-defined policy groups are available:

Groups/Policies Policies included

DB2 Policy Group DB2 policies

MySQL Policy Group MySQL policies

Oracle Policy Group Oracle policies

SQL Server Policy Group SQL Server policies

Sybase Policy Group Sybase policies

Pen Test Policy Group Penetration test policies (see Penetration tests on page 120)

CIS Policy Group CIS benchmark policies

Sybase IQ Policy Group Sybase IQ policies

See also

l Adding VA policy groups on page 118

l Modifying VA policy groups on page 119

l Deleting VA policy groups on page 120

Adding VA policy groups

This topic describes how to create groups of pre-defined or user-defined policies by using filtering criteria.
1. Go to Policy > VA Policy Groups of the left-side menu.
2. Select the Add button.
3. On the subsequent Policies page, choose either the Pre-Defined Policies tab or the User-Defined Policies tab and then fill in the text boxes:


a. Use the Policy Type dropdown to create a group consisting of just pre-defined policies, just user-defined policies, or both (All).
b. Use the Group Name text box to enter a name that will show up in the saved policy-group list. Use the optional Description text box to describe your filtering/grouping criteria.
c. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.
d. You can add or remove filtering criteria rows by selecting the + (plus) or - (minus) buttons.

You cannot use the same Column in multiple rows. For example, you cannot establish a criteria that includes all the policies with a Severity of Minor and all the policies with a Severity of Major. In order to cancel creating a new policy-group filter and go back to the main Policies page, select the icon.

Attribute Operator Value Return Possibilities

Severity Equals Minor all policies with a Severity of Minor

Database Type Equals DB2 all policies associated with DB2 databases

4. To test your filtering criteria, select the Apply button.

5. To save the group you created, select the icon.

In order to modify an existing group, select the Name of the group on the Policy Groups page.

See also

l VA policy groups on page 118

l Modifying VA policy groups on page 119

l Deleting VA policy groups on page 120

Modifying VA policy groups

This topic describes how to modify an existing policy group.
1. Go to Policy > VA Policy Groups from the left-side menu.
2. In the Policy Groups page, click the name of the policy group that you want to modify.
3. Modify the policy group name or description if necessary.
4. Select the Policy Type from the dropdown list (All, Pre-Defined, or User).
5. To create a filtering condition, enter a Column on which you would like to filter, an Operator that associates the Column with a Value, and a Value that the Column must match.
6. You can add or remove filtering criteria rows by selecting the + (plus) or - (minus) buttons.


You cannot use the same Column in multiple rows. For example, you cannot establish a criteria that includes all the policies with a Severity of Minor and all the policies with a Severity of Major. In order to cancel modifying the policy-group filter and go back to the main Policies page, select the icon.

7. To test your filtering criteria, select the Apply button.

8. Click to save.

See also

l VA policy groups on page 118

l Adding VA policy groups on page 118

l Deleting VA policy groups on page 120

Deleting VA policy groups

This topic describes how to delete a policy group. 1. Go to Policy > VA Policy Groups of the left-side menu. 2. Check the check box(es) corresponding to the policy group(s) you want to delete. 3. Click the Delete button.

See also

l VA policy groups on page 118

l Adding VA policy groups on page 118

l Modifying VA policy groups on page 119

Penetration tests

A penetration test (or pentest) examines your target databases for weak passwords. Like any other type of assessment, you can run pen tests either immediately or schedule them for a convenient time. FortiDB does not support penetration tests for Sybase IQ target databases.

See also

l Connection options for penetration tests on page 121

l Files used for penetration tests on page 121

l Configuring and running penetration test assessments on page 122


Connection options for penetration tests

For penetration tests, FortiDB uses one of the following options to connect to target databases:

l Login — The login connection method is available for all target database types.

l Hash-based — A 'hash' is the one-way digest of a password that the database stores instead of the clear text. It cannot be reversed, but a candidate password can be hashed the same way and compared with the stored value. The hash-based method is safer because it checks candidates offline, without making login attempts, but it is available for Oracle and Microsoft SQL target databases only. If you use the hash-based method for Sybase or DB2 targets, FortiDB cannot apply any of the pentest policies, the assessment result is essentially empty, and no error is reported.

l Hybrid — FortiDB uses the hash-based method if it is available (that is, when the database is Oracle or Microsoft SQL). Otherwise, it uses the login method.

Each login attempt that a penetration test makes is a real authentication attempt against the target. If the database enforces an account lockout policy, the failed attempts can lock the tested accounts and prevent any users, including valid users, from logging in. Prefer the hash-based method where it is available, and schedule login-based tests for a maintenance window.

See also

l Configuring and running penetration test assessments on page 122

Files used for penetration tests

Penetration test policies use username and password information stored in a set of text files to assess databases. For the Dictionary pen test policy, FortiDB allows you to select a password dictionary text file to use instead of the default dictionary. In addition, if you are using the software version of FortiDB, you can customize the other pentest policy text files. The custom files allow you to specify the usernames and passwords to use in the test instead of testing all database usernames. These files are <db>default.txt and <db>user.txt, where <db> is one of the following strings for the type of database:

l ora for Oracle

l sql for MS-SQL

l db2 for DB2

l syb for Sybase

l mysql for MySQL

If you are using either the appliance or software version of FortiDB, you can use the Assessment properties to select an alternative password dictionary file. However, appliance version users cannot access or change the default dictionary.txt, default.txt and user.txt files.

Default Password
File name: <db>default.txt
Content evaluated: All the username-password pairs in the file. The values in default.txt represent system accounts that ship with an RDBMS and their default passwords; for example, SYS, SYSTEM, and SCOTT for Oracle, and SA for Microsoft SQL.

Dictionary
File names: <db>user.txt, dictionary.txt
Content evaluated: The pairing of each username in the user.txt file with every password in the dictionary.txt file. Note: When FortiDB executes the pentest Dictionary policy, it automatically adds the domain name to the password list.

Number Following Username
File name: <db>user.txt
Content evaluated: The pairing of each username in the file with a password created by adding one or more numbers to the end of the username.

Same as Username
File name: <db>user.txt
Content evaluated: The pairing of each username in the file with a password that is the same as the username.

Username Following Number
File name: <db>user.txt
Content evaluated: The pairing of each username in the file with a password created by adding one or more numbers to the beginning of the username.

Username Reversed
File name: <db>user.txt
Content evaluated: The pairing of each username in the file with a password created by spelling the username backwards.
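The following Python script is an added example, not FortiDB code. It generates the username and password candidates that each pen test policy in the table above derives from <db>user.txt, <db>default.txt, and dictionary.txt (including the domain name that the Dictionary policy appends), and then checks them offline against stored hashes instead of attempting logins, which is the point of the hash-based connection method. The hash layout used for the offline check is the one Microsoft SQL Server has stored since SQL Server 2012 (a 0x0200 version prefix, a 4-byte salt, and SHA-512 over the UTF-16LE password followed by the salt); whether FortiDB uses that exact format is an assumption, and the page does not say which hash formats FortiDB supports. The file contents, usernames, salts, the domain name corp, and the colon-separated layout of default.txt are all constructed for the example.

```python
"""Added example (not FortiDB code): pen test candidate generation for the six
policies, checked offline against constructed SQL Server 2012-style hashes."""
import hashlib

# Constructed file contents.  user.txt: one username per line.  default.txt:
# "user:password" per line (layout assumed for this example).  dictionary.txt: one
# password per line.  DOMAIN stands in for the domain name the Dictionary policy adds.
USERS_TXT = "sa\nappadmin\nreportuser\n"
DEFAULT_TXT = "sa:\nsa:sa\nprobe:probe\n"
DICTIONARY_TXT = "Password1\nwelcome\nsummer2018\n"
DOMAIN = "corp"
POLICIES = ["Default Password", "Dictionary", "Number Following Username",
            "Same as Username", "Username Following Number", "Username Reversed"]


def number_strings(max_digits):
    """'0'..'9', '00'..'99', ... up to max_digits digits (leading zeros included)."""
    return [str(n).zfill(d) for d in range(1, max_digits + 1) for n in range(10 ** d)]


def candidates(policy, users, dictionary=(), defaults=(), domain=None, max_digits=2):
    """Yield (username, password) pairs exactly as the policy table describes them."""
    if policy == "Default Password":
        yield from defaults                      # pairs come from <db>default.txt only
        return
    for u in users:
        if policy == "Dictionary":
            for w in list(dictionary) + ([domain] if domain else []):
                yield u, w
        elif policy == "Same as Username":
            yield u, u
        elif policy == "Username Reversed":
            yield u, u[::-1]
        elif policy == "Number Following Username":
            for n in number_strings(max_digits):
                yield u, u + n
        elif policy == "Username Following Number":
            for n in number_strings(max_digits):
                yield u, n + u
        else:
            raise ValueError("unknown policy: " + policy)


def mssql_hash(password, salt):
    """SQL Server 2012+ password_hash layout: 0x0200 || salt || SHA512(utf16le(pw) || salt)."""
    return b"\x02\x00" + salt + hashlib.sha512(password.encode("utf-16-le") + salt).digest()


def check_offline(stored, username, pairs):
    """First candidate password whose hash matches `stored` for `username`, else None.
    No login is attempted, so no lockout counter on the target is touched."""
    salt = stored[2:6]
    for u, p in pairs:
        if u == username and mssql_hash(p, salt) == stored:
            return p
    return None


# Constructed "sys.sql_logins" extract: two weak accounts and one strong one.
STORED = {
    "appadmin":   mssql_hash("appadmin1", bytes.fromhex("01020304")),     # username + digit
    "sa":         mssql_hash("sa", bytes.fromhex("0a0b0c0d")),            # default password
    "reportuser": mssql_hash("Zq!8vR#kLm2p", bytes.fromhex("deadbeef")),  # not guessable here
}


def run_assessment(stored, users_txt=USERS_TXT, default_txt=DEFAULT_TXT,
                   dictionary_txt=DICTIONARY_TXT, domain=DOMAIN):
    """Policy name -> list of (username, password) found; empty list means the policy passed."""
    users = users_txt.split()
    defaults = [tuple(line.split(":", 1)) for line in default_txt.split()]
    dictionary = dictionary_txt.split()
    results = {}
    for policy in POLICIES:
        hits = []
        for user, digest in stored.items():
            pw = check_offline(digest, user, candidates(policy, users, dictionary, defaults, domain))
            if pw is not None:
                hits.append((user, pw))
        results[policy] = hits
    return results


if __name__ == "__main__":
    for policy, hits in run_assessment(STORED).items():
        print(f"{policy:26s} {'Failed ' + str(hits) if hits else 'Passed'}")
```

A "Failed" line here corresponds to a failed policy on the FortiDB report: the account's password was produced by one of the generators. For Oracle targets remember that <db>user.txt and <db>default.txt entries must be in uppercase, as the configuration steps below require.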

See also

l Configuring and running penetration test assessments on page 122

Configuring and running penetration test assessments

To configure and run penetration testing against target databases

1. Ensure that the FortiDB database user specified in the target configuration for the database you want to test has the required privileges. For more information see Privileges for VA assessments, privilege summaries, and penetration tests on page 83.
2. In the navigation menu, go to Administration > Global Configuration, and then click the Assessment tab.
3. Complete the following settings:

Enable Pen Test
Select True.

Enable Pen Test For All Users in Database (software-only version)
When set to false, all pentest policies except Default Password test the database using only the usernames in <db>user.txt. When set to true, the policies test using all database usernames. For information on creating the <db>user.txt file, see step 5 below. For more information on the file, see Files used for penetration tests on page 121.

Pen Test Method
Specify the method that FortiDB uses to connect to databases for penetration tests, using one of the following values:

l 1 - Login method

l 2 - Hash-based method (available for Oracle or Microsoft SQL databases only)

l 3 - Hybrid method (FortiDB uses the hash-based method when it is available)

For more information on these settings, see Connection options for penetration tests on page 121.

Pen Test Password Dictionary
Specify the file that contains the passwords that the Dictionary policy checks. If you do not select a file, the policy uses the default dictionary. The Browse button allows you to select a dictionary file. Click Save to complete your selection. FortiDB does not display the name of the uploaded file. To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save; your uploaded dictionary file is deleted. For software-only versions of FortiDB, for information on creating the dictionary.txt file, see step 5 below. For more information on the password dictionary file, see Files used for penetration tests on page 121.

4. To make your pentest settings take effect, restart FortiDB.
5. For software version users:

l If you set Enable Pen Test For All Users in Database to false, copy the <db>user.txt file from /etc/conf/pentest to /conf/pentest, where <db> is the string that specifies the type of database to assess. Replace the usernames and password values in the file with the values that you want the pentest policies (except the Default Password policy) to use. For the orauser.txt file, ensure that the usernames and passwords are in uppercase.

l If you want the Default Password policy to use a custom list of system accounts with default passwords instead of the default list, copy the <db>default.txt file from /etc/conf/pentest to /conf/pentest, where <db> is the string that specifies the type of database to assess. Replace the system account and password values in the file with the values that you want the Default Password policy to use. For the oradefault.txt file, ensure that the system account and password values are in uppercase.

l If you did not use the Pen Test Password Dictionary property to select a password dictionary file and want the Dictionary policy to use a custom dictionary, copy the dictionary.txt file from /etc/conf/pentest to /conf/pentest. Replace the password values in the file with the values that you want the Dictionary policy to use.

For more information on the files, see Files used for penetration tests on page 121.

6. Go to Policy > VA Policy Groups, and then click Pen Test Policy Group.
7. To enable or disable pentest policies, select the check box for one or more policies, and then click Enable or Disable.
8. Optionally, to edit a policy, click the policy name, edit the settings, and then click Save.
9. Assign the Pen Test Policy Group to a new or existing assessment. For detailed instructions, see Adding or modifying assessments on page 159.
10. Run the assessment. For detailed instructions, see Running assessments on page 160.
11. Evaluate the results of your assessment.


"Failed" means your passwords are weak and may not protect you from malicious login attempts.

See also

l Connection options for penetration tests on page 121

l Files used for penetration tests on page 121

Data discovery policies and policy groups

The FortiDB sensitive data discovery feature uses the data discovery policies to search a target database for sensitive information located in tables and columns. You use data discovery policy groups to add these policies to the sensitive data discovery configuration for a target database. For information on running sensitive data discovery, see Sensitive data discovery on page 170.

Managing data discovery policies

Go to Policy > Data Discovery Policies to perform data discovery policy tasks such as adding or enabling a policy. To edit a policy, click its name. To create a policy, click Add. The Data Discovery Policies and Edit Alert Policy pages display the following columns and settings.

Column/settings Descriptions

Status (policy list only) An icon shows whether the policy is enabled or disabled. To enable or disable policies, select the check box for one or more policies, and then click Enable or Disable.

Policy Name Policy name

Policy Type Either BUILT_IN or USER_DEFINED. You cannot delete built-in policies.

Match Rule Specifies the type of data FortiDB searches for:

l TEXT — Simple text

l CREDIT_CARD — 16-digit number

l EMAIL — Email address

l SSN — 9-digit Social Security number (SSN)

FortiDB applies the match rule after any specified Column Name Pattern and Data Pattern criteria.


Column Name Pattern Specifies the pattern FortiDB searches for in table column names. Can be a specific value or a regular expression. If left blank, FortiDB does not search table column names.

Data Pattern Specifies the pattern FortiDB searches for in the first 40 rows of each table. Can be a specific value or a regular expression. If left blank, or if the value is .+ (a period followed by a plus sign), FortiDB does not search the sample set of rows.

(checkbox) "If checked, either column name pattern or data pattern matched lead to result. Or, both matched lead to result." (edit policy only) Specifies whether a column is reported when either the Column Name Pattern or the Data Pattern matches (checked), or only when both patterns match (cleared).

Description (edit policy only) A description of the policy.

To export a policy as an XML format file, select the checkbox for one or more policies, and then click Export. Your web browser downloads the file. To import a policy, click Import, use the file selection option to navigate to and select an XML format file, and then click Import.
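The following Python script is an added example, not FortiDB code. It evaluates a data discovery policy the way the table above describes: the Column Name Pattern is tested against column names, the Data Pattern against the first 40 rows, the check box decides whether either or both patterns must match, and the Match Rule is applied afterwards to the sampled values. The regular expressions used for CREDIT_CARD, EMAIL, and SSN are assumptions (the page only says 16 digits and 9 digits), the table is constructed, and, going beyond the page, CREDIT_CARD candidates are also run through the Luhn check so that arbitrary 16-digit numbers such as order references are not reported as card numbers.

```python
"""Added example (not FortiDB code): evaluating sensitive data discovery policies
over a constructed table sample."""
import re

SAMPLE_ROWS = 40                       # the guide: the first 40 rows are examined
# Assumed patterns for the built-in match rules (the page gives only digit counts).
MATCH_RULES = {
    "TEXT": None,
    "CREDIT_CARD": re.compile(r"^\d{16}$"),
    "EMAIL": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "SSN": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
}


def luhn_ok(number):
    """Luhn checksum; filters out 16-digit values that cannot be card numbers (added filter)."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def make_policy(name, match_rule, column_name_pattern="", data_pattern="", either=True):
    """The Edit Policy settings from the table above, as a plain dict."""
    return {"name": name, "match_rule": match_rule, "column_name_pattern": column_name_pattern,
            "data_pattern": data_pattern, "either": either}


def rule_matches(rule, value):
    if rule == "TEXT":
        return True
    v = str(value).strip()
    if not MATCH_RULES[rule].match(v):
        return False
    return luhn_ok(v) if rule == "CREDIT_CARD" else True


def column_matches(pol, column, values):
    """Pattern stage (name and/or data, either/both) first, then the match rule on the sample."""
    sample = [str(v) for v in values[:SAMPLE_ROWS]]
    stage = []
    if pol["column_name_pattern"]:
        stage.append(re.search(pol["column_name_pattern"], column, re.I) is not None)
    if pol["data_pattern"] and pol["data_pattern"] != ".+":     # blank or .+ means "do not search rows"
        stage.append(any(re.search(pol["data_pattern"], v) for v in sample))
    if stage and not (any(stage) if pol["either"] else all(stage)):
        return False
    return any(rule_matches(pol["match_rule"], v) for v in sample)


def discover(pol, table):
    """Column names in `table` (column -> list of values) that the policy reports."""
    return [c for c, vals in table.items() if column_matches(pol, c, vals)]


# Constructed customer table.  order_ref holds 16-digit numbers that fail Luhn.
TABLE = {
    "card_number":   ["4111111111111111", "5500000000000004"],
    "order_ref":     ["1234567890123456", "9999999999999991"],
    "contact_email": ["alice@example.com", "bob@example.org"],
    "ssn":           ["123-45-6789", "987-65-4321"],
    "notes":         ["call back Monday", "prefers e-mail"],
}

if __name__ == "__main__":
    for pol in (make_policy("Cards by name", "CREDIT_CARD", column_name_pattern="card|pan"),
                make_policy("Cards anywhere", "CREDIT_CARD"),
                make_policy("SSN values", "SSN", data_pattern=r"^\d{3}-\d{2}-\d{4}$"),
                make_policy("Email, both patterns", "EMAIL", "mail", "@", either=False)):
        print(pol["name"], "->", discover(pol, TABLE))
```

The "Cards anywhere" policy is the one to compare with a plain 16-digit rule: without the Luhn filter it would report order_ref as well, which is the kind of false positive that makes discovery results hard to act on.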

Data discovery policy groups

You add data discovery policy groups to a target's Sensitive Data Discovery configuration to specify the types of data FortiDB searches for. Go to Policy > Data Discovery Policy Groups to manage data discovery policy groups. Click a group name to edit the group, or click Add to add a new group. To delete a group, select the check box for one or more groups, and then click Delete.

See also

l Sensitive data discovery on page 170


Database Activity Monitoring (DAM) policies

Database activity monitoring policies specify the database activities that can generate security alerts or audit records.

See also

l Types of DAM policies on page 126

l Managing DAM policies on page 127

Types of DAM policies

There are two types of DAM policies:

l Alert — Policies that generate an alert when database activity violates a policy rule.

l Audit — Policies that generate an audit record when FortiDB detects the database activity specified in the policy rules. FortiDB uses these policies only when it monitors target databases with the TCP/IP sniffer.

The following sub-types are available for both alert and audit policies:

l Metadata Policies — Pre-defined policies that generate alerts or audit logs when FortiDB detects metadata activity.

l Privilege Policies — Pre-defined policies that generate alerts or audit logs when FortiDB detects privilege activity.

l Sys Operations Policy — Pre-defined policy that generates alerts or audit logs when FortiDB detects SYS user operations.

l Data Policy — Policies that you create to generate alerts or audit logs when FortiDB detects data manipulation activity.

The following table describes the differences between the two types of DAM policy.

Alert Policy compared with Audit Policy

Used For
l Alert Policy: Generates an alert if an activity violates a policy rule
l Audit Policy: Logs the specified activity

Available With
l Alert Policy: All DAM collection methods
l Audit Policy: TCP/IP sniffer collection method only

Types of Data Policies
l Alert Policy: Table, Table and Column, Session, User, Database Query Policy
l Audit Policy: Database, Table, Table and Column, Session, User

Data Policy Configuration
l Alert Policy: "Read and Write" audit actions for Table, Table and Column
l Audit Policy: "Select/Insert/Update/Delete/Truncate" audit actions for Table

Options
l Alert Policy: "Alert Rule" for violations; "SQL query" for "Database Query Policy"
l Audit Policy: "Select/Insert/Update/Delete" audit actions for Database, Table and Column; no "Alert Rule" settings

PCI, SOX, and HIPAA Policies
l Alert Policy: Yes
l Audit Policy: No

Severity Attribute
l Alert Policy: Yes
l Audit Policy: No

See also

l Managing DAM policies on page 127

l Data policies on page 130

l Privilege policies on page 146

l Metadata policies on page 150

l PCI, SOX, and HIPAA alert policies on page 154

l Alert and audit policy groups on page 156

Managing DAM policies

The DAM Alert Policy and DAM Audit Policy pages display all policies with status, policy name, and supported databases information. Use these pages to perform the following tasks:

l Use the Data Policies list at the bottom of the page to create a new policy (see Data policies on page 130).

l Modify the pre-defined policies by clicking the policy name . (See Privilege policies on page 146, Metadata policies on page 150, PCI, SOX, and HIPAA alert policies on page 154, and Alert and audit policy groups on page 156).

l Delete user-defined policies by selecting the policy's check box, then clicking Delete.

l Filter the view by selecting an option from the View list.

l Open the page for modifying a policy group by clicking the Edit button.

l Search for policies and create a new group by clicking the Search / New Group button.

The following table describes each column and icon in the policy list.

Columns Descriptions

Type Data Policy:

l Table Policy monitors/audits suspicious reads and writes on specific tables

l Table and Column Policy monitors/audits suspicious reads and writes on specific table columns

l Session Policy monitors/audits suspicious session behavior


l User Policy monitors/audits suspicious reads and writes by specific users

l Database Policy (for Audit) audits reads and writes on specific databases

l Database Query Policy (for Alert) queries a database data value at intervals that you specify

Other icons in this column indicate a privilege policy, a metadata policy, or a PCI, SOX, and HIPAA policy.

Status l indicates the policy has a problem.

l indicates the policy is disabled.

l indicates the policy is enabled.

Policy Name User defined policy name, or pre-defined name

Severity User configurable severity level (Not available for Audit Policy). There are 5 levels of severity:

l Informational (default)

l Cautionary

l Minor

l Major

l Critical

Supported Databases All, or specify database type, or have fixed setting for each database

Configuring policy information for a policy

When you add or edit a policy, complete the following settings under Policy Info:

l Policy Name — Enter a unique name for the policy; a name that duplicates an existing policy name is not allowed.

l Description — Enter a description if necessary.

l Enable — Select to enable the policy.

l Create new policy group for policy — FortiDB automatically creates a policy group and adds it to the monitoring configuration for the target database. This option is available only for the target-based configuration (Data Access Monitoring > Monitors > click the target name > Alert/Audit Policies tab > Data Policies dropdown).

l Severity — For alert policies only. Specifies a severity.

l Supported Database — For data policies, select the type of target database the policy is used with. PCI, SOX, and HIPAA policies are supported on all database types. Privilege and metadata policies are restricted to specific database types.

You cannot change the value of Supported Database if FortiDB is currently using the policy to monitor a target database. Use the target monitoring settings (DB Activity Monitoring > Monitoring Management) to stop monitoring, change the value of Supported Database, and then re-start monitoring.


See also

l Types of DAM policies on page 126

l Data policies on page 130

l Privilege policies on page 146

l Metadata policies on page 150

l PCI, SOX, and HIPAA alert policies on page 154

l Alert and audit policy groups on page 156

Automatically generating alert policies

You can use the Start Generate Alert Policies option to automatically create table, session, and user policies for Oracle and Microsoft SQL Server target databases. The policies work with all the collection methods that are available for these database types. When you activate the option, FortiDB starts to track target database activity. When you stop the option, FortiDB analyzes the information it has gathered. It considers the activity it observed during the monitoring period to be normal activity and generates policies that are appropriate for the target.

The Start Generate Alert Policies option creates a DAM Alert policy group that has the same name as the target database. You can manage and modify these policies and policy groups the same way you manage other user-defined policies.

The names of the user and session policies in the group use the following format: __ where is UserDataPolicy or SessionPolicy. The table policies use the following format: __TableDataPolicy_ where is either inclusive or exclusive. If the policy name contains inclusive, the policy monitors the objects that are specified under Audit Settings. For exclusive, the policy monitors all objects except those specified under Audit Settings.

Because it monitors all users and tables, the generation process can affect the performance of the monitored database.

To automatically generate data policies

1. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.

2. On the General tab, click Start Generate Alert Policies.

3. After FortiDB has monitored the target for an appropriate length of time, click Stop Generate Alert Policies.

4. To view the generated policies, go to Policy > DAM Alert Policy Groups.

See also

l Managing DAM policies on page 127

l Data policies on page 130

l Alert and audit policy groups on page 156


Data policies

FortiDB uses data policies to monitor or audit reads and writes on specific database objects. It also uses them to monitor database access that takes place via your application server, location, or OS user.

To configure a data policy

1. Do one of the following:

l To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.

l To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.

2. In the Data Policies list, select a type of data policy.

3. Click Add, and complete the policy settings:

l For detailed information about the Policy Info settings, see Managing DAM policies on page 127.

l For information on the Audit Settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring audit settings for a table policy on page 131.

l For information on the Alert Rule settings, see the topic for the appropriate data policy type. For example, for a table policy, see Configuring alert rules for a table policy on page 131.

4. Click Save to save the policy configuration.

See also

l Managing DAM policies on page 127

l Data policies on page 130

l Automatically generating alert policies on page 129

l Privilege policies on page 146

l Metadata policies on page 150

l PCI, SOX, and HIPAA alert policies on page 154

l Alert and audit policy groups on page 156

Configuring a table policy

For basic policy configuration information, see Data policies on page 130.

See also

l Configuring audit settings for a table policy on page 131

l Configuring alert rules for a table policy on page 131

l Table policy alert rules for different databases on page 134


Configuring audit settings for a table policy

1. Click the triangle icon of the Audit Settings section to expand it.

2. Select one of the following options:

l Manually Select Object: You enter the specific object name.

l Browse Object by Target: You select one from the dropdown list (default).

3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.

4. Do one of the following:

l For policies for Oracle and DB2 databases, for Schema, enter a schema name or select a name from the list.

l For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.

5. In the Tables list, select one or more tables. For Oracle databases, you can also select a synonym.

6. Under Audit Actions, do one of the following:

l For an alert policy, select Read (Select), Write (Insert/Update/Delete), or both.

l For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.

7. Click > (right arrow) to move your selection to the Selected Objects table.

If you want to remove the objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).

See also

l Configuring alert rules for a table policy on page 131

l Table policy alert rules for different databases on page 134

Configuring alert rules for a table policy

1. Click the triangle icon of the Alert Rules section to expand it.

2. In the Combination Rule field, select one from the dropdown list:

Options Descriptions

Issue alert if ANY of the enabled rules are triggered: If you select this, each rule generates alerts individually.

Issue alert if ALL of the enabled rules are triggered: If you select this, an alert is generated only when all of the selected rules trigger in combination.

3. Select the check box of each of the following rules that you want to enable:


Options Descriptions

Security Violation: Alert any failed attempt to access the selected object without proper permission.

Suspicious OS User: Alert any successful access to the selected object by certain OS users. You can specify one or more OS usernames by typing the specific name or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter an OS username depending on the operator you selected.

l To generate alerts for the OS user(s) you specified in the list, check the "Alert any successful access if the OS user is specified in the list" check box.

l To generate alerts for the OS user(s) you did not specify in the list, check the "Alert any successful access if the OS user is not specified in the list" check box.

Suspicious Location: Alert any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter a location name depending on the operator you selected.

4. Repeat steps 1 to 3 if necessary.

l To generate alerts for any successful access from locations you specified in the list, check the "Alert any successful access from locations in the list" check box.

l To generate alerts for any successful access from locations not in the list, check the "Alert any successful access from locations not in the list" check box.

Suspicious Database Users: Alert any successful access to the selected object by certain database users. You can specify one or more users as follows:

1. Select one or more users from the Users list.

2. Click the right arrow to move the selections to the Selected Users list.

Note: If you want to remove users from the Selected Users list, select the users you want to remove and click the left arrow.

l To generate alerts for the database user(s) you specified in the list, check the "Alert any successful access if the database user is in the list" check box.

l To generate alerts for the database user(s) you did not specify in the list, check the "Alert any successful access if the database user is not in the list" check box.

Suspicious Login Names: Alert any successful access to the selected object by certain login users. You can specify one or more users as follows:

1. Select one or more users from the Users list.

2. Click the right arrow to move the selections to the Selected Users list.

Note: If you want to remove users from the Selected Users list, select the users you want to remove and click the left arrow.

l To generate alerts for the login user(s) you specified in the list, check the "Alert any successful access if the login user is in the list" check box.

l To generate alerts for the login user(s) you did not specify in the list, check the "Alert any successful access if the login user is not in the list" check box.

Suspicious Client Application (Client Id): Alert any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter a client application depending on the operator you selected.

4. Repeat steps 1 to 3 if necessary.

l To generate alerts for the client application(s) you specified in the list, check the "Alert any successful access if the client application is in the list" check box.

l To generate alerts for the client application(s) you did not specify in the list, check the "Alert any successful access if the client application is not in the list" check box.

Excessive Access Violation: Alert excessive access to the selected object within the specified time slot. You can specify the maximum number of accesses allowed within a certain time period.

1. Enter the number of accesses allowed.

2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of units.

Tracking Strategy - Tracking rule selection for the time violation. The threshold you set for the time violation can be counted separately by OS User, Location, Client Application, or Database User, depending on your selection. If you don't select any rule, any access to the selected audit settings will be counted.

Time Range Violation: Alert any access to the selected object within certain time ranges. You can specify one or more time ranges.

1. Click Add.

2. Enter hour and minute values in "Received from" and "To" for the time range, in 24-hour format.

3. Repeat the steps above if necessary.

l To generate alerts for access within the time range, select "Alert any access if the timestamp is between time range".

l To generate alerts for access outside the time range, select "Alert any access if the timestamp is not between time range".

Suspicious Client IP (only for Collection Method "TCP/IP Sniffer"): Alert any successful access to the selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.

1. Click Add.

2. Enter a Start/End IP address, or an IP/Netmask. For example, "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.

3. Repeat the steps above if necessary.

l To generate alerts for clients whose IP is in the specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".

l To generate alerts for clients whose IP is not in the specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".

4. Select Save.

See also

l Table policy alert rules for different databases on page 134

Table policy alert rules for different databases

The alert rules that are available for a table policy are determined by the database type.

DB Available Alert Rules

Oracle

l Security Violation

l Suspicious OS User

l Suspicious Location

l Suspicious Database Users (Login Name)

l Suspicious Client Application (Client Id)

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

Microsoft SQL Server

l Security Violation

l Suspicious OS User

l Suspicious Location

l Suspicious Database Users

l Suspicious Login Names


l Suspicious Client Application

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

DB2

l Security Violation

l Suspicious OS User

l Suspicious Location

l Suspicious Database Users

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

Sybase

l Security Violation

l Suspicious OS User

l Suspicious Location

l Suspicious Login Names

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

MySQL

l Security Violation

l Suspicious Location

l Suspicious Login Names

l Excessive Access Violation

l Time Range Violation

See also

l Configuring alert rules for a table policy on page 131

Configuring a table and column policy

For basic policy configuration information, see Data policies on page 130. For information on setting rules for alert policies, see Configuring alert rules for a table policy on page 131.

To configure audit settings for a table and column policy

1. Click the triangle icon of the Audit Settings section to expand it.

2. Select one of the following options:

l Manually Select Object: You enter the object parameters.

l Browse Object by Target: You select an object from the dropdown list (default).

3. If you are configuring the policy using Policy > DAM Alert/Audit Policies and selecting an object by browsing, for Target, select a target.

4. Do one of the following:

l For policies for Oracle and DB2 databases, for Schema, enter a schema name or select a name from the list.

l For policies for Microsoft SQL Server and Sybase databases, for Database, enter a database name or select a name from the list. Then, for Schema, enter a schema name or select a name from the list.

5. In the Tables list, select a table. For Oracle databases, you can also select a synonym.

6. In the Column list, select one or more columns for the table you selected.

7. If you are configuring an alert policy, for MatchSQL, enter a SQL string that generates alerts when FortiDB detects it.

8. Under Audit Actions, do one of the following:

l For an alert policy, select Read (Select), Write (Insert/Update/Delete), or both.

l For an audit policy, select one or more of the following options: Select, Insert, Update, Delete, Truncate.

9. Click > (right arrow) to move your selection to the Selected Objects table.

If you want to remove the objects from the Selected Objects list, select the object you want to remove and then click < (left arrow). To remove all objects, click << (double left arrow).

10. Repeat steps 5 through 9 to add additional columns to the Selected Objects table, if required.

Configuring a session policy

For basic policy configuration information, see Data policies on page 130.

See also

l Configuring audit settings for a session policy on page 136

l Configuring alert rules for a session policy on page 137

Configuring audit settings for a session policy

1. Click the triangle icon at Audit Settings to expand it.

2. Select the Any User or Specify Users radio button.

3. For Specify Users, enter a username in the Enter user input box. Alternatively, click the Browse by target dropdown list, select one or more users from the Users selection box, and click the right arrow to move the selection to the Selected Users table.

If you want to remove the user from the selected users list, select the user you want to remove and click the left arrow.

See also

l Configuring alert rules for a session policy on page 137


Configuring alert rules for a session policy

1. Click the triangle icon at Alert Rules to expand it.

2. In the Combination Rule field, select one from the dropdown list:

l Issue alert if ANY of the enabled rules are triggered

l Issue alert if ALL of the enabled rules are triggered

3. Select the check box of each of the following rules that you want to enable:

Options Descriptions

Login/Logout Activity: Generate alerts for login/logout activity. Select the option "Alert Login Failure" to alert on failed logins only, or select the option "Alert All Login/logout Activity".

Suspicious Login Time: The time of login is outside the specified normal hours. Specify the time as follows:

1. In the From and To fields, enter the starting and ending times you want to treat as suspicious login time.

2. If necessary, click the + sign to add another time range, or the - sign to remove a time range.

l To generate alerts for login times within the ranges you specified in the list, check the "Alert if login time is within one of the time ranges in the list" check box.

l To generate alerts for login times outside the ranges you specified in the list, check the "Alert if login time is NOT within one of the time ranges in the list" check box.

Extremely Long Session: Generate alerts when the duration of a session is abnormally long. You can specify the threshold by entering how many hours are allowed for a session.

Excessive Read Activities: Generate alerts when the number of logical page reads is abnormally high. You can specify the threshold by entering how many page reads are allowed for a session.

High Read Ratio: Generate alerts when the number of logical reads per minute is abnormally high. You can specify the threshold by entering how many page reads are allowed for a session.

Suspicious OS User: Alert any successful access to the selected object by certain OS users. Note: For Microsoft SQL Server, this rule applies only to Windows authentication. You can specify one or more OS usernames by typing the specific name or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter an OS username depending on the operator you selected.

4. Repeat steps 1 to 3 if necessary.

l To generate alerts for the OS user(s) you specified in the list, check the "Alert any successful access if the OS user is specified in the list" check box.

l To generate alerts for the OS user(s) you did not specify in the list, check the "Alert any successful access if the OS user is not specified in the list" check box.

Suspicious Location: Alert any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter a location name depending on the operator you selected.

4. Repeat steps 1 to 3 if necessary.

l To generate alerts for the location(s) you specified in the list, check the "Alert any successful access from locations in the list" check box.

l To generate alerts for the location(s) you did not specify in the list, check the "Alert any successful access from locations not in the list" check box.

Suspicious Client Application: Alert any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter a client application depending on the operator you selected.

4. Repeat steps 1 to 3 if necessary.

l To generate alerts for the client application(s) you specified in the list, check the "Alert any successful access if the client application is in the list" check box.

l To generate alerts for the client application(s) you did not specify in the list, check the "Alert any successful access if the client application is not in the list" check box.

Excessive Access Violation: Alert excessive access to the selected object within the specified time slot. You can specify the maximum number of accesses allowed within a certain time period.

1. Enter the number of accesses allowed.

2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of units.

Tracking Strategy - Tracking rule selection for the time violation. The threshold you set for the time violation can be counted separately by OS User, Location, Client Application, or Database User, depending on your selection. If you don't select any rule, any access to the selected audit settings will be counted.

Suspicious Client IP (only for Collection Method "TCP/IP Sniffer"): Alert any successful access to the selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.

1. Click Add.

2. Enter a Start/End IP address, or an IP/Netmask. For example, "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.

3. Repeat the steps above if necessary.

l To generate alerts for clients whose IP is in the specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".

l To generate alerts for clients whose IP is not in the specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".

4. Click Save.

See also

l Configuring audit settings for a session policy on page 136

Configuring a user policy

For basic policy configuration information, see Data policies on page 130.

See also

l Configuring audit settings for a user policy on page 139

l Configuring alert rules for a user policy on page 140

l User policy alert rules for various databases on page 143

Configuring audit settings for a user policy

1. Click the triangle icon of the Audit Settings section to expand it.

2. Select the Any User or Specify Users radio button.

3. For Specify Users, enter the account name in the Enter user input box. Alternatively, click the Browse by target dropdown list to browse the available users on the target.

4. For an alert policy, select the Read (Select) or Write (Insert/Update/Delete) check box, or both, in the Audit Actions field.

5. For an audit policy, select the Select, Insert, Update, Delete, or Truncate check boxes in the Audit Actions field.

6. Click the right arrow to move the selection to the Selected Users table.

If you want to remove the objects from the Selected Users list, select the user you want to remove, then click the left arrow.

7. Configure Alert Rule (for Alert Policy).

See also

l Data policies on page 130

l Configuring alert rules for a user policy on page 140

l User policy alert rules for various databases on page 143

Configuring alert rules for a user policy

1. Click the triangle icon of the Alert Rules section to expand it.

2. In the Combination Rule field, select one from the dropdown list:

Options Descriptions

Issue alert if ANY of the enabled rules are triggered: If you select this, each rule generates alerts individually.

Issue alert if ALL of the enabled rules are triggered: If you select this, an alert is generated only when all of the selected rules trigger in combination.

3. Mark the check box of your interests from the following rules:

Options Descriptions

Security Violation: Alert any failed attempt to access the selected object without proper permission.

Suspicious OS User: Alert any successful access to the selected object by certain OS users. You can specify one or more OS usernames by typing the specific name or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter an OS username depending on the operator you selected.

l To generate alerts for the OS user(s) you specified in the list, check the "Alert any successful access if the OS user is specified in the list" check box.

l To generate alerts for the OS user(s) you did not specify in the list, check the "Alert any successful access if the OS user is not specified in the list" check box.

Suspicious Object Access: Alert any successful access to the selected object(s). There are the following options to select objects:

l Manually Select Object

l Browse Object by Target (default)

You can specify one or more objects as follows:

1. Select a target from the Target dropdown list.

2. Select a schema from the dropdown list.

3. Select one or more tables from the Tables list.

4. Select the Read (Select) or Write (Insert/Update/Delete) check box, or both, in the Audit Actions field.

5. Click the right arrow to move the selections to the Selected Objects list.

Note: If you want to remove objects from the Selected Objects list, select the objects you want to remove and click the left arrow.

l To generate alerts for the object(s) you specified in the list, check the "Issue alert if the accessed object is specified in the list" check box.

l To generate alerts for the object(s) you did not specify in the list, check the "Issue alert if the accessed object is not specified in the list" check box.

Suspicious Location: Alert any successful access to the selected object from certain locations. You can specify one or more locations by typing the specific location or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter a location name depending on the operator you selected.

4. Repeat steps 1 to 3 if necessary.

l To generate alerts for the location(s) you specified in the list, check the "Alert any successful access from locations in the list" check box.

l To generate alerts for the location(s) you did not specify in the list, check the "Alert any successful access from locations not in the list" check box.

Suspicious Client Application (Client Id): Alert any successful access to the selected object by certain client applications. You can specify one or more client applications by typing the specific client application or using a regular expression.

1. Click Add.

2. Select an operator from the dropdown list.

3. Enter a client ID depending on the operator you selected.

4. Repeat steps 1 to 3 if necessary.

l To generate alerts for the client application(s) you specified in the list, check the "Alert any successful access if the client application is in the list" check box.

l To generate alerts for the client application(s) you did not specify in the list, check the "Alert any successful access if the client application is not in the list" check box.

Excessive Access Violation: Alert excessive access to the selected object within the specified time slot. You can specify the maximum number of accesses allowed within a certain time period.

1. Enter the number of accesses allowed.

2. Select hours, days, minutes, or seconds from the dropdown list, and then enter the number of units.

Tracking Strategy - Tracking rule selection for the time violation. The threshold you set for the time violation can be counted separately by OS User, Location, Client Application, or Database User, depending on your selection. If you don't select any rule, any access to the selected audit settings will be counted.

Time Range Violation: Alert any access to the selected object within certain time ranges. You can specify one or more time ranges.

1. Click Add.

2. Enter hour and minute values in "Received from" and "To" for the time range, in 24-hour format.

3. Repeat the steps above if necessary.

l To generate alerts for access within the time range, select "Alert any access if the timestamp is between time range".

l To generate alerts for access outside the time range, select "Alert any access if the timestamp is not between time range".

Suspicious Client IP (only for Collection Method "TCP/IP Sniffer"): Alert any successful access to the selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer". You can specify one or more IP addresses, IP address ranges, or subnets.

1. Click Add.

2. Enter a Start/End IP address, or an IP/Netmask. For example, you could enter "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.

3. Repeat the step above if necessary.

l To generate alerts for clients whose IP is in the specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".

l To generate alerts for clients whose IP is not in the specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".

4. Click Save.
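The rule evaluation described for the table, session, and user policy alert rules above, as an added Python example that is not FortiDB code: it models Security Violation, Suspicious OS User, Suspicious Client IP (Start/End range and IP/Netmask entries), Time Range Violation (24-hour ranges, including one that wraps past midnight), and Excessive Access Violation with a Database User tracking strategy, combined under the ANY/ALL Combination Rule. The event field names, the "equals"/"regex" operator names, and the sample events are assumptions made for the illustration.

```python
# Added example, not FortiDB's own code: a Python model of how the table,
# session and user policy alert rules described above can be evaluated over
# access events. Field names, operator names and sample events are constructed.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def in_ip_list(ip, entries):
    """entries: ("start", "end") tuples for IP ranges, or "addr/netmask" strings."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if isinstance(entry, tuple):
            start, end = (ipaddress.ip_address(e) for e in entry)
            if start <= addr <= end:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def in_time_ranges(ts, ranges):
    """ranges: ("HH:MM", "HH:MM"), 24-hour; end before start (22:00-06:00) wraps midnight."""
    now = ts.hour * 60 + ts.minute
    for start, end in ranges:
        lo, hi = _minutes(start), _minutes(end)
        if (lo <= now <= hi) if lo <= hi else (now >= lo or now <= hi):
            return True
    return False

def security_violation(event):
    """Security Violation: any failed attempt to access the object."""
    return not event["success"]

def suspicious_attribute(field, patterns, alert_if_in_list=True):
    """Suspicious OS User / Location / Client Application; patterns are
    ("equals", value) or ("regex", pattern). The operator names are assumed."""
    def rule(event):  # only successful access counts for these rules
        hit = any(event[field] == p if op == "equals" else re.search(p, event[field])
                  for op, p in patterns)
        return event["success"] and hit == alert_if_in_list
    return rule

def suspicious_client_ip(entries, alert_if_in_list=True):
    def rule(event):
        return event["success"] and in_ip_list(event["client_ip"], entries) == alert_if_in_list
    return rule

def time_range_violation(ranges, alert_if_between=True):
    def rule(event):
        return in_time_ranges(event["ts"], ranges) == alert_if_between
    return rule

class ExcessiveAccess:
    """More than max_accesses inside a sliding window, counted per tracking key (OS User,
    Location, Client Application or Database User); no tracking key means one shared counter."""
    def __init__(self, max_accesses, window, track_by=()):
        self.max_accesses, self.window, self.track_by = max_accesses, window, tuple(track_by)
        self.history = defaultdict(deque)

    def __call__(self, event):  # events are assumed to arrive in timestamp order
        seen = self.history[tuple(event[f] for f in self.track_by)]
        seen.append(event["ts"])
        while event["ts"] - seen[0] > self.window:
            seen.popleft()
        return len(seen) > self.max_accesses

def evaluate(event, rules, combination="ANY"):
    """Combination Rule: ANY = each enabled rule alerts on its own; ALL = all must trigger."""
    results = [rule(event) for rule in rules]  # run every rule so counters advance
    return any(results) if combination == "ANY" else all(results)

def run_policy(events, rules, combination="ANY"):
    """Return the indexes of the events that raise an alert."""
    return [i for i, e in enumerate(events) if evaluate(e, rules, combination)]

def ev(minutes, os_user="appsvc", client_ip="192.168.2.10", success=True):  # constructed
    return {"ts": datetime(2018, 10, 31, 9, 0) + timedelta(minutes=minutes),
            "os_user": os_user, "location": "app01", "client_app": "JDBC Thin Client",
            "db_user": "APP", "client_ip": client_ip, "success": success}

DEMO_EVENTS = [
    ev(0),                                 # 0: 09:00, app subnet, nothing unusual
    ev(1, client_ip="192.168.1.50"),       # 1: from the workstation range
    ev(2, os_user="root", success=False),  # 2: failed access
    ev(3, os_user="root"),                 # 3: successful access as root
    ev(4), ev(4), ev(4), ev(4),            # 4-7: burst by the same database user
    ev(810),                               # 8: 22:30, outside business hours
]

def build_demo_rules():
    """Fresh rule set each call, because ExcessiveAccess keeps history."""
    return [
        security_violation,
        suspicious_attribute("os_user", [("equals", "root"), ("regex", r"^svc_")]),
        suspicious_client_ip([("192.168.1.1", "192.168.1.254")]),
        time_range_violation([("08:00", "18:00")], alert_if_between=False),
        ExcessiveAccess(3, timedelta(minutes=1), track_by=("db_user",)),
    ]
```

With the ANY combination the demo alerts on events 1, 2, 3, 6, 7 and 8; with ALL it alerts on none, because no single event trips every enabled rule at once.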

See also

l User policy alert rules for various databases on page 143


User policy alert rules for various databases

The alert rules that are available for user policies are determined by the type of database.

Database Available Alert Rules

Oracle

l Security Violation

l Suspicious OS User

l Suspicious Object Access

l Suspicious Location

l Suspicious Client Application (Client Id)

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

Microsoft SQL Server

l Security Violation

l Suspicious OS User

l Suspicious Object Access

l Suspicious Location

l Suspicious Client Application

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

DB2

l Security Violation

l Suspicious OS User

l Suspicious Object Access

l Suspicious Location

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

Sybase l Security Violation

l Suspicious OS User

l Suspicious Object Access

l Suspicious Location

l Excessive Access Violation

l Time Range Violation

l Suspicious Client IP (only for "TCP/IP Sniffer")

MySQL l Security Violation

l Suspicious Object Access

l Suspicious Location

l Excessive Access Violation

See also

l Configuring alert rules for a user policy on page 140


Configuring a database policy

Database policies generate audit records only. You do not configure them to generate alerts.

To configure a database policy

1. Do one of the following:

l To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Audit Policies.

l To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Audit Policies tab.

2. In the Data Policies list, select Database, and then click Add.

3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies on page 127.

4. To expand Audit Settings, click the triangle icon beside the section name.

5. Do one of the following:

l Select Manually Select Object and then enter the specific database or schema name.

l Select Browse Object by Target to select a specific database or schema name from the list.

6. If you are configuring the policy using Policy > DAM Audit Policies and selecting an object by browsing, for Target, select a target. Then, select one or more items from the Database or Schema list. Enter text in the Search field to filter the list of databases and schemas.

7. For Audit Actions, select one or more of the following values: Select, Insert, Update, Delete.

8. Click > (right arrow) to move the selected items to the Selected Objects table. To remove items, select the item, and then click < (left arrow). Click << (double left arrow) to remove all items.

9. Select Save. The new policy is displayed in the list of policies.

See also

l Data policies on page 130

Configuring a database query policy

A database query policy is an alert policy that lets you query the target database with SQL and save the result as an alert. Database query policies do not generate audit records. For example, for Microsoft SQL Server databases, create a database query policy with the following SQL Query value:

select @@version

This returns the following result in the alerts:

Microsoft SQL Server 2012 - 11.0.2100.60 (Intel X86) Feb 10 2012 19:13:17 Copyright (c) Microsoft Corporation Express Edition on Windows NT 6.0 (Build 6002: Service Pack 2) (Hypervisor)

FortiDB runs the database query policy according to a schedule you specify.


To configure a database query policy and add it to a target monitoring configuration

1. Do one of the following:

l Go to Policy > DAM Alert Policies.

l Go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies tab.

2. In the Data Policies list, select Database Query, and then click Add.

3. Complete the Policy Info settings. For detailed information about the settings, see Managing DAM policies on page 127.

4. Complete the following settings, which are specific to database query policies:

SQL query Enter the query text.

Return Records Count Limit Enter the maximum number of returned records that FortiDB includes in the alert that this policy generates. For example, if you enter 5, the database returns the first 5 records of the table that you queried, which FortiDB displays in the details for the corresponding alert. Default value is 1.

Targets Select the target database to query.

5. If you are creating the policy using the monitoring configuration for a specific target, you can ensure the policy is added to the configuration by selecting Create new policy group for policy.

6. To test if the SQL query is valid, click Test. If it is valid, the message "Success" is displayed.

7. Click Save. The policy you created is displayed in the data policy list.

8. Go to DB Activity Monitoring > Monitoring Management, and then click a target name.

9. On the Alert Policy Groups tab, ensure that a group that includes the database query policy that you created is selected. For example, the policy is added if the Data Policies policy group is selected. For more information on adding policies, see Adding policy groups to target database monitoring on page 158.

10. Click the Query Schedule tab, select Enable Schedule for Database Query Policy, and then use the following settings to specify a schedule:

Schedule type Specify Run Once or Recurring.

Starts at Specify a start time and date for the policy.

Recurrence pattern Specify at what interval FortiDB runs the policy. For example, select Weekly, and then select a day of the week. Displayed only when Recurring is selected.

Ends by Specify No end date or select a date. Displayed only when Recurring is selected.

11. Click Save.


Privilege policies

The target database monitoring and auditing features use privilege policies to monitor or track changes to privilege settings in selected databases. You cannot create privilege policies, but you can modify some of the settings of the pre-defined privilege policies. To view predefined privilege policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies.

To configure a privilege policy

1. Do one of the following:

l To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.

l To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.

2. To identify privilege policies, do one of the following:

l If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Privilege Policies.

The View menu filters policies using the pre-defined Privilege Policies group, which includes privilege policies for all database types. To view privilege policies for a specific database type, modify the filter of the Privilege Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 156.

l If you are using the target monitoring configuration, under Type, look for the icon.

3. Click the name of the policy you want to configure.

4. On the Edit Audit Policy page, under Policy Info, enter an optional description, and then select Enable.

5. If you are configuring an alert policy, for Severity, select one of the following options:

l Informational (default, lowest severity level)

l Cautionary

l Minor

l Major

l Critical (highest severity level)

6. Click Save.

See also

l Oracle privilege policies on page 147

l Microsoft SQL Server privilege policies on page 148

l Sybase privilege policies on page 148

l DB2 privilege policies on page 149

l MySQL privilege policies on page 150


Oracle privilege policies

FortiDB provides the following privilege policies:

Policy Names | Contents | Description

Column Privileges | Column-level privilege granting | This policy generates alerts when the column privileges are modified. For example, user SCOTT can grant SELECT privileges on a column of a table to a user, without letting that user SELECT on other columns in the same table.

Profiles | Resources (I/O, etc.) assigned to users | This policy generates alerts when the profiles are modified. Changes to any profile setting could have wide-reaching effects.

Role Privileges | Roles granted to users and other roles | This policy generates alerts when the role privileges are modified. It also contains information about which role has been assigned to other roles. A change of a user's role means a change in that user's access privileges. Role changes should be closely monitored in order to ensure data security.

Roles | Database roles | This policy generates alerts when the roles are modified. Contains information about all existing roles in the database.

System Privileges | All granted system privileges | This policy generates alerts when the system privileges are created, deleted, or modified. Contains all system privileges granted to all users or roles. System privileges are powerful privileges and should be granted with great caution. Monitoring system-privilege changes should be mandatory.

Table Privileges | All granted schema-object privileges | This policy generates alerts when the table privileges are modified. Lists all granted privileges on schema objects. These include privileges on tables, views, sequences, procedures, functions and packages.

User Privileges | Database users | This policy generates alerts when the user privileges are modified. Contains information about users in the database. Although this view has no privilege information, it contains the users to whom privileges may be assigned or changed.

See also

l Privilege policies on page 146


Microsoft SQL Server privilege policies

The following privilege policies are available for Microsoft SQL databases:

Policy Names | Privileges involved | Description

Column Privileges | Column-level privilege | This policy generates alerts when the column privileges are modified.

Member Privileges | Role- and group-membership assignments | This policy generates alerts when the members are modified.

Object Privileges | Column-, table- and other object-level privileges | This policy generates alerts when the object privileges are modified.

Roles | All objects that are accessible by the current user | This policy generates alerts when the roles are modified. Contains information about all existing roles in the database.

Server Roles | Default server roles assigned to users. | This policy generates alerts when the server roles are modified.

User Privileges | Lists valid database users and the groups to which they belong | This policy generates alerts when the user privileges are modified.

See also

l Privilege policies on page 146

Sybase privilege policies

The following privilege policies are available for Sybase databases:

Policy Names | Privileges involved | Description

Column Privileges | Column-level privilege | This policy generates alerts when the column privileges are modified.

Member Privileges | Role- and group-membership assignments | This policy generates alerts when the member privileges are modified.

Object Privileges | Column-, table- and other object-level privileges | This policy generates alerts when the object privileges are modified.

Procedures | Procedure privilege | This policy generates alerts when the procedures are modified.

Roles | All role groups at the server level. | This policy generates alerts when the role groups are modified.

Roles and Groups | All roles and groups. A group is a user group at the database level. | This policy generates alerts when the roles and groups are modified.

System Privileges | All granted system privileges | This policy generates alerts when the system privileges are modified.

User Privileges | Lists valid database users and the groups to which they belong | This policy generates alerts when the user privileges are modified.

See also

l Privilege policies on page 146

DB2 privilege policies

The following privilege policies are available for DB2 databases:

Policy Names | Contents | Description

Column Privileges | column privileges |

Database Privileges | database system privileges |

Index Privileges | Index privileges | This view contains the right to DROP the index. For example, the creator of an index automatically has this CONTROL privilege.

Package Privileges | A package is a database object grouping related procedures, functions, associated cursors, and variables together. | CONTROL: Provides the ability to rebind, drop, execute, and extend these package privileges to others. Only SYSADM and DBADM authorities can grant CONTROL privilege. BIND: Provides the privilege to rebind an existing package. EXECUTE: Provides the privilege to execute a package.

Schema Privileges | Objects within a schema: tables, views, indexes, packages, data types, functions, triggers, procedures, and aliases | CREATEIN: Provides the privilege to create objects within the schema. ALTERIN: Provides the privilege to alter objects within the schema. DROPIN: Provides the privilege to drop objects within the schema.

Table and View Privileges | Tables and view privileges | CONTROL: Provides the privilege to DROP the table or view and GRANT table or view privileges to somebody else. ALTER: Provides the privilege to add columns, comments, primary key or unique constraint, in order to create triggers, and create or drop check constraints. DELETE: Provides the privilege to delete rows. INDEX: Provides the privilege to CREATE INDEX. INSERT: Provides the privilege to INSERT rows. REFERENCES: Provides the privilege to CREATE or DROP a foreign key. SELECT: Provides the privilege to retrieve data. UPDATE: Provides the privilege to change existing entries.

Tablespace Privileges | tablespace privileges | A SYSADM or SYSCTRL authority can create a tablespace and grant USE privilege to others.

See also

l Privilege policies on page 146

MySQL privilege policies

The following privilege policies are available for MySQL databases:

Policy Names | Privileges involved | Description

Column Privileges | Column-level privilege | This policy generates alerts when the column privileges are modified.

Object Privileges | Column-, table- and other object-level privileges | This policy generates alerts when the object privileges are modified.

Procedures | Procedure privilege | This policy generates alerts when the procedures are modified.

See also

l Privilege policies on page 146

Metadata policies

The target database monitoring and auditing features use metadata policies to monitor or track changes in metadata in selected databases. You cannot create metadata policies, but you can modify some of the settings of the pre-defined metadata policies. To view predefined metadata policies, on the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies.


To configure a metadata policy

1. Do one of the following:

l To configure a policy that is available to add to multiple target monitoring configurations, go to Policy > DAM Alert Policies or Policy > DAM Audit Policies.

l To configure a policy for a specific target, go to DB Activity Monitoring > Monitoring Management, and then click a target name. Then, click the Alert Policies or Audit Policies tab.

2. To identify metadata policies, do one of the following:

l If you are using the DAM Security Alert Policies or DAM Activity Auditing Policies page, from the View list, select Metadata Policies.

The View menu filters policies using the pre-defined Metadata Policies group, which includes metadata policies for all database types. To view metadata policies for a specific database type, modify the filter of the Metadata Policies group or create a new policy group. For details about modifying a policy group, see Alert and audit policy groups on page 156.

l If you are using the target monitoring configuration, under Type, look for the icon.

3. Click the name of the policy you want to configure.

4. On the Edit Audit Policy page, under Policy Info, enter an optional description, and then select Enable.

5. If you are configuring an alert policy, for Severity, select one of the following options:

l Informational (default, lowest severity level)

l Cautionary

l Minor

l Major

l Critical (highest severity level)

6. Click Save.

See also

l Oracle metadata policies on page 151

l Microsoft SQL Server metadata policies on page 152

l Sybase metadata policies on page 152

l DB2 metadata policies on page 153

l MySQL metadata policies on page 153

Oracle metadata policies

The following metadata policies are available for Oracle databases:

Policy Names | Contents | Description

Packages | packages | This policy generates alerts when database packages are modified.

Synonyms | synonyms | This policy generates alerts when database synonyms are modified.

Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.

Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.

Triggers | triggers | This policy generates alerts when triggers are modified.

Views | views | This policy generates alerts when views are modified.

See also

l Metadata policies on page 150

Microsoft SQL Server metadata policies

The following metadata policies are available for Microsoft SQL Server databases:

Policy Names | Contents | Description

Routines | routines | This policy generates alerts when database packages are modified.

Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.

Triggers | triggers | This policy generates alerts when triggers are modified.

Views | views | This policy generates alerts when views are modified.

See also

l Metadata policies on page 150

Sybase metadata policies

The following metadata policies are available for Sybase databases:

Policy Names | Contents | Description

Indexes | indexes | This policy generates alerts when indexes are modified.

Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.

Tables | tables, columns and indexes | This policy generates alerts when tables, columns, or indexes are modified.

Triggers | triggers | This policy generates alerts when triggers are modified.

Views | views | This policy generates alerts when views are modified.


See also

l Metadata policies on page 150

DB2 metadata policies

The following metadata policies are available for DB2 databases:

Policy Names | Contents | Description

Aliases | aliases | This policy generates alerts when aliases are modified.

Indexes | indexes | This policy generates alerts when indexes are modified.

Packages | packages | This policy generates alerts when database packages are modified.

Tables | tables | This policy generates alerts when tables and columns are modified.

Tablespaces | tablespaces | This policy generates alerts when tablespaces are modified.

Triggers | triggers | This policy generates alerts when triggers are modified.

Views | views | This policy generates alerts when views are modified.

See also

l Metadata policies on page 150

MySQL metadata policies

The following metadata policies are available for MySQL databases:

Policy Names | Contents | Description

Events | events | This policy generates alerts when events are modified.

Indexes | indexes | This policy generates alerts when indexes are modified.

Stored Procedures | stored procedures | This policy generates alerts when stored procedures are modified.

Tables | tables | This policy generates alerts when tables and columns are modified.

Triggers | triggers | This policy generates alerts when triggers are modified.

Views | views | This policy generates alerts when views are modified.

See also

l Metadata policies on page 150


PCI, SOX, and HIPAA alert policies

Regulatory compliance policies record all types of database activities and store the data in the FortiDB repository. You can use these policies to generate the following compliance reports:

l Sarbanes-Oxley (SOX)

l Payment Card Industry Data Security Standard (PCI DSS)

l HIPAA (Health Insurance Portability and Accountability Act)

You cannot create these types of policies, but you can change the configuration of the pre-defined metadata policies. For details about compliance reports, see PCI, SOX, and HIPAA reports on page 218.

To view regulatory compliance policies:

1. Go to Policy > DAM Alert Policies.

2. Select the policy type from the View dropdown. For example, select PCI Policies.

For Oracle databases, if the Security Alerts page does not display alerts generated by regulatory compliance policies as expected, you can run a script that fixes the problem. See Configuring an Oracle database for PCI, SOX, and HIPAA alert policies on page 154.

See also

l Configuring PCI, SOX and HIPAA policies on page 154

l Selecting which tables to track for PCI, SOX and HIPAA reports (Object Audit Options) on page 155

l Select users to audit for PCI and SOX reports (User Audit Options) on page 156

Configuring PCI, SOX and HIPAA policies

Some regulatory compliance reports require you to set either Object Audit Options or User Audit Options for the corresponding policy group item.

1. Go to Policy > DAM Alert Policies.

2. For View, select PCI Policies, Sox Policies, or HIPAA Policies.

3. Click the policy name. The Edit Alert Policy page for the policy is displayed.

4. Enter the following information if necessary.

a. Enter a description.

b. Select Enable to enable the policy.

5. Select one of the following severity options from the dropdown list.

l Informational (default, lowest severity level)

l Cautionary

l Minor

l Major

l Critical (highest severity level)


6. For generating reports, set Object Audit Options or User Audit Options, if required. See Selecting which tables to track for PCI, SOX and HIPAA reports (Object Audit Options) on page 155 and Select users to audit for PCI and SOX reports (User Audit Options) on page 156.

See also

l Selecting which tables to track for PCI, SOX and HIPAA reports (Object Audit Options) on page 155

l Select users to audit for PCI and SOX reports (User Audit Options) on page 156

l PCI, SOX, and HIPAA reports on page 218

Selecting which tables to track for PCI, SOX and HIPAA reports (Object Audit Options)

Some regulatory compliance reports require you to select the tables on which FortiDB tracks data changes. The reports display the activity in the tables you specify. You select the objects to audit for the following regulatory compliance reports using the corresponding PCI or SOX policy:

l Abnormal or Unauthorized Changes to Data

l Abnormal Use of Service Accounts

l Abnormal Termination of Database Activity

l End of Period Adjustments

l PCI - Invalid Operation

l PCI - Access to Credit Card Tables

l HIPAA Privilege Changes

l HIPAA Access to EPHI data

l HIPAA User Privileges on EPHI data

To configure the Object Audit Options settings for a policy

1. Go to the editing page for the policy. (See Configuring PCI, SOX and HIPAA policies on page 154.)

2. Under Object Audit Settings, in the Select Objects to Audit section, select one of the check boxes. The following steps are based on the default setting of this field.

l Manually Select Object: You enter the specific object name.

l Browse Object by Target: You can select one from the dropdown list (default).

3. In the Target field, select a target from the dropdown list.

4. For Oracle and DB2, in the Schema field, select one from the dropdown list. For Microsoft SQL Server and Sybase, select one from the dropdown list in the Database field, and then select one in the Schema field.

5. From the Tables selection box, select one or more tables. For Oracle databases, you can also select a synonym.

6. In the Audit Actions field, select the Read (Select) check box, the Write (Insert/Update/Delete) check box, or both.

7. Click the right arrow to move the selection to the Selected Objects table.

If you want to remove the objects from the Selected Users list, select the user you want to remove, then click the left arrow.


8. Click Save.

9. Optionally, configure the User Audit Options for the following policies: Sox Abnormal or Unauthorized Changes to Data, Sox Abnormal Termination of Database Activity, Sox Abnormal Use of Service Accounts, and PCI - User Audit Options. For details about setting the User Audit Options, see "Setting or Modifying User Audit Options".

See also

l Configuring PCI, SOX and HIPAA policies on page 154

l PCI, SOX, and HIPAA reports on page 218

Select users to audit for PCI and SOX reports (User Audit Options)

This action is required for the following policies to generate the corresponding reports: Abnormal Use of Service Accounts, Abnormal Termination of Database Activity, Sox Abnormal or Unauthorized Changes to Data, and PCI - Privileged User Action.

1. To edit the policy, in the list of SOX or PCI policies, click its name. For example, click Sox Abnormal or Unauthorized Changes to Data.

2. In the User Audit Options section, select a target from the Browse by target dropdown list. You can enter a username in the Enter user field.

3. Click the right arrow to move the selection to the Selected Objects table.

If you want to remove the objects from the Selected Users list, select the user you want to remove, then click the left arrow.

4. Click Save.

See also

l Configuring PCI, SOX and HIPAA policies on page 154

l PCI, SOX, and HIPAA reports on page 218

Alert and audit policy groups

FortiDB provides pages that display all DAM alert and audit policy groups with descriptions and allow you to perform the following tasks:

l Add a new policy group by selecting Add.

l Click the group name to modify the policy group, including selecting which target databases are monitored using the policies in the group.

l Delete the user-defined policy groups by selecting the group and clicking Delete.

Because you use filtering criteria to specify which policies are members of a group, any time you create a new policy that matches the filtering criteria, FortiDB automatically adds it to the corresponding policy group.


See also

l Creating or modifying an alert or audit policy group on page 157

l Adding policy groups to target database monitoring on page 158

l Deleting a policy group on page 158

Creating or modifying an alert or audit policy group

1. Do one of the following:

l Go to Policy > DAM Alert Policy Groups

l Go to Policy > DAM Audit Policy Groups

2. Do one of the following:

l To add a new group, click Add. Then, for Group Name, enter a name for the policy group.

l You can click Cancel to cancel creating a new policy-group filter and go back to the main policies page.

l To modify a group, click its name.

3. Optionally, for Description, add or edit text that describes your grouping criteria or other helpful information.

4. On the Filters tab, use the following settings to create or edit your filtering criteria:

Operator (And/Or) The values are And and Or. Not available for the first row.

Column Specify a column to use for filtering.

Operator Specify an operator.

Value Enter a value or select one from the list of available values. If you are using a list, click > (right arrow) to add selected items to the right-hand list.

- (minus) and + (plus) Click to add or remove rows that define criteria.

For example:

Column | Operator | Value | Returns

Database Type | Equals | DB2 | All policies associated with DB2 databases

Policy Type | Equals | Metadata Policies | Metadata policies associated with DB2 databases

5. To apply your filtering criteria, click Search.

6. To save the configuration, select Save Group.

7. To associate the policy group to a target database:

a. Select the Targets tab.

b. In the box on the left, select targets to associate with the policy group, and then click the right arrow to move the selection to the box on the right.

8. Click Save.
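The filter evaluation described in step 4, as an added example written for this guide (not FortiDB code): it applies the Database Type Equals DB2 and Policy Type Equals Metadata Policies criteria from the table above to constructed policy records, enforces the rule that And/Or is not available for the first row, and shows that a policy created later which matches the criteria becomes a group member automatically. The policy record fields, the Contains operator and left-to-right evaluation without precedence are assumptions.

```python
"""Policy-group filter evaluation modelled on the Filters tab.
Added example, not FortiDB code: the policy records, the 'Contains' operator
and left-to-right And/Or evaluation are assumptions; the column names, the
Equals operator, the first-row rule and the DB2 / Metadata Policies example
come from the guide."""
from typing import Callable, Dict, List, Optional, Tuple

Policy = Dict[str, str]
# One filter row: (join, column, operator, value); join is None for the first row.
Criterion = Tuple[Optional[str], str, str, str]

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda actual, wanted: actual == wanted,
    # Assumed additional operator; the guide only shows Equals.
    "Contains": lambda actual, wanted: wanted.lower() in actual.lower(),
}


def matches(policy: Policy, criteria: List[Criterion]) -> bool:
    """Evaluate the filter rows top to bottom. Each row's And/Or combines it
    with the result so far (assumption: no operator precedence)."""
    if not criteria:
        return False
    result = False
    for index, (join, column, operator, value) in enumerate(criteria):
        hit = OPERATORS[operator](policy.get(column, ""), value)
        if index == 0:
            if join is not None:
                raise ValueError("And and Or are not available for the first row")
            result = hit
        elif join == "And":
            result = result and hit
        elif join == "Or":
            result = result or hit
        else:
            raise ValueError(f"row {index + 1}: join must be And or Or, got {join!r}")
    return result


def group_members(policies: List[Policy], criteria: List[Criterion]) -> List[str]:
    """Names of the policies that the filter places in the group."""
    return [p["Policy Name"] for p in policies if matches(p, criteria)]


# Constructed policy records using policy names and database types from the guide.
POLICIES: List[Policy] = [
    {"Policy Name": "Aliases", "Database Type": "DB2", "Policy Type": "Metadata Policies"},
    {"Policy Name": "Index Privileges", "Database Type": "DB2", "Policy Type": "Privilege Policies"},
    {"Policy Name": "Synonyms", "Database Type": "Oracle", "Policy Type": "Metadata Policies"},
    {"Policy Name": "Tablespaces", "Database Type": "DB2", "Policy Type": "Metadata Policies"},
]

# The guide's example: Database Type Equals DB2, then Policy Type Equals Metadata Policies.
DB2_FILTER: List[Criterion] = [(None, "Database Type", "Equals", "DB2")]
DB2_METADATA_FILTER: List[Criterion] = DB2_FILTER + [
    ("And", "Policy Type", "Equals", "Metadata Policies"),
]


def members_after_new_policy() -> List[str]:
    """A policy created later that matches the criteria joins the group automatically:
    membership is recomputed from the filter, not stored as a fixed list."""
    new_policy = {"Policy Name": "Packages", "Database Type": "DB2",
                  "Policy Type": "Metadata Policies"}
    return group_members(POLICIES + [new_policy], DB2_METADATA_FILTER)


if __name__ == "__main__":
    print("DB2 only:", group_members(POLICIES, DB2_FILTER))
    print("DB2 metadata:", group_members(POLICIES, DB2_METADATA_FILTER))
    print("after adding Packages:", members_after_new_policy())
```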

See also

l Adding policy groups to target database monitoring on page 158


Adding policy groups to target database monitoring

You use the DAM Alert Policy Groups and DAM Audit Policy Groups pages to add alert or audit policy groups to the monitoring configuration for one or more target databases. Go to Policy > DAM Alert Policy Groups or Policy > DAM Audit Policy Groups, click a group name, and then use the Targets tab to select targets. Alternatively, you can use the target database monitoring configuration to add policies to an individual target. For information, see Adding alert and audit policies to monitoring on page 182 and Adding policy groups to target monitoring on page 183.

Deleting a policy group

You can delete user-defined policy groups but not pre-defined policy groups.

1. Do one of the following:

l Go to Policy > DAM Alert Policy Groups

l Go to Policy > DAM Audit Policy Groups

2. Select the check box for one or more user-defined policy groups.

3. Click Delete.


Vulnerability assessment

You configure and run vulnerability assessments (VAs) from the Assessments page. This assessment management page allows you to create a database group, add policy groups and a schedule, and run the scan.

See also

l Adding or modifying assessments on page 159

l View VA global summary information on page 166

l Assessment history on page 167

l Viewing and exporting a privilege summary on page 168

l Sensitive data discovery on page 170

l Viewing VA and sensitive data discovery event logs on page 171

Adding or modifying assessments

This topic describes the task of adding (or modifying) FortiDB assessments. For a successful assessment, you must:

l Create, or use an existing, target-base group which contains at least one valid target database

l Create, or use an existing, policy group which contains at least one working policy

l FortiDB does not perform an automatic session timeout after a certain period of time has elapsed. For example, if you leave assessment results on your screen while at lunch, unauthorized individuals could see this information. Therefore, you should logout or close your browser if you expect to leave your computer unattended.

l Items marked with an asterisk (*) on data-entry forms are mandatory.

1. Go to Vulnerability Assessment > Assessments.

2. Do one of the following:

l To add an assessment, click Add.

l To modify an assessment, click its name.

3. On the General tab, enter the requested items: an Assessment Name so that you can reuse it later and (optionally) a Description of your assessment. Then configure your assessment using the tabs on the web page.

4. In the Targets tab, specify which target groups you want to assess. Select one or more target groups from the Available Target Groups list on the left and click >> (right arrows) to add them to the Assigned Target Groups list. You can remove a target group from the Assigned Target Groups list on the right by clicking << (left arrows).

5. In the Policies tab, specify which policy groups to use for the assessment.

a. Select one or more policy groups from the Available Policy Groups list on the left and add them to the Assigned Policy Groups list by selecting the right-arrow button. (To remove a policy group from the Assigned Policy Groups list, select the left-arrow button.)

FortiDB 5.1.13 Admin Guide 159 Fortinet Inc. Vulnerability assessment

b. In order to see the policies associated with a policy group, select the group in either the Available Policy Groups list or the Assigned Policy Groups list. The list of policies is displayed in the Active Policies list.

6. Optionally, to specify policies to exclude from assessments by target:

a. Click Vulnerability Assessment > Assessments Exempted Policies.

b. Double-click the name of the target to view the list of policies you can exempt from assessments for that target.

c. In the Available Exempted Policies list, select the policy to exclude, and then click >> (double arrows) to add it to the Selected Exempted Policies list.

d. Click Save.

See also

l Running assessments on page 160

l Configuring assessment notifications on page 161

l Selecting the type of report an assessment generates on page 164

l Reviewing, deleting, and aborting assessment results on page 165

Running assessments

The Scheduling tab of the Assessment page provides the following options:

l Run once — Enables you to specify the time and date for a single assessment run

l Recurring — Enables you to schedule a series of assessments

Running an assessment immediately

1. Go to Vulnerability Assessment > Assessments.

2. Click the name of an assessment.

3. Click Run.

Running an assessment at a specified date and time

1. Select the Run once radio button.

2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.

3. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)

4. Select the Save button to save your schedule.

Running scheduled assessments

1. Select the Recurring radio button.

2. In the Starts at field group, specify a starting date directly, use the default, or alternatively, select the calendar icon, and then select a date.


3. Select one of the radio buttons in the Recurrence pattern field group.

l If you choose the Hourly radio button, you can then specify the hourly interval in the Every __ hours field.

l If you choose the Daily radio button, you can then specify the daily interval in the Every __ days field.

l If you choose the Weekly radio button, you can then specify the day(s) of the week on which you want your weekly assessments to run.

l If you choose the Monthly radio button, you can then specify which day(s) during which month(s) you want your assessment to run. The Day radio button and adjacent dropdown list allow you to specify the numeric day for your assessment to run in each specified month. Alternatively, you may specify the day in each month, such as the 'first Monday', using the two provided dropdown lists.

a. In the Starts at field group, specify a starting time or use the default.

b. In the Recurrence pattern field group, select the Hourly, Daily, Weekly, or Monthly radio button.

c. In the Ends by field group, you can leave the default No end date radio button selected or select the End by radio button and then specify a particular date at which you want your schedule to end by clicking the calendar icon.

4. Select the Enable Schedule check box if you want to activate your schedule. (By default, your assessment schedule is disabled so that you can configure it without activating it.)

5. In the Administrative Domains section, you can select which users this scheduled task will be applicable for. Remember that users may only manage specific targets, so this section provides a way to perform assessments on particular targets. If one or more of the selected users manages all targets, then assessments will be performed on all applicable targets for this VA scan.

6. Select the Save button to save your schedule.

See also

l Adding or modifying assessments on page 159

l Viewing VA and sensitive data discovery event logs on page 171

Configuring assessment notifications

This topic describes the task of configuring how and to whom assessment notifications will be sent. You can choose email and/or SNMP-trap notifications of these issues.

1. In the Desired Notification format(s) section of the Notifications tab, select the Target Level (default) and/or the Rule Level check box(es).

l Target-level notifications contain a target-database-level summary of issues discovered during the assessment.

l Rule-level notifications contain detail for every discovered issue.

2. Select the Enable Email and/or the Enable SNMP Trap check box(es) in order to enable email and/or SNMP notifications, respectively, of assessment-discovered issues.

a. For email notifications, you must designate one or more email receivers. Select one or more of the entries in the Available Receivers list box and add them to the Selected Receivers list on the right by selecting the right-arrow button.


l When the email receiver cannot be reached, it is your email server's responsibility to retry sending the email.

l In order to remove receiver(s), select them in the Selected Receivers list and select the left-arrow button.

l In order to see the details associated with any receiver, select the name of a receiver in either the Available Receivers or Selected Receivers lists and those details will appear in Receiver Details list on the right.

b. For SNMP notifications, you should set the Notification properties in the System Configuration component of the application.

The non-appliance version of FortiDB ships with MIB files in the $FortiDB_HOME/etc/snmp directory.

3. (Optional) If you want to attach reports to the e-mail notification, go to the Reports tab and select the Attach reports to selected e-mail receivers check box, and make sure to select one or more report(s) and format(s). Note that the Enable Report Generation to Disk option is not required to be selected to use this capability.

See also

l Adding or modifying assessments on page 159

l Notification OIDs for target-level assessments on page 162

l Notification OIDs for Rule-Level Assessments on page 163

Notification OIDs for target-level assessments

FortiDB uses the following object identifiers (OIDs) for target-level assessment notifications:

OID Meaning

SNMPv2-SMI::enterprises.12356 Fortinet enterprise ID

SNMPv2-SMI::enterprises.12356.104 FortiDB product ID

SNMPv2-SMI::enterprises.12356.104.0.6 VA Alert Trap/Notification

SNMPv2-SMI::enterprises.12356.104.0.105 Assessment Time

SNMPv2-SMI::enterprises.12356.104.0.107 Target Name

SNMPv2-SMI::enterprises.12356.104.0.123 Assessment Name

SNMPv2-SMI::enterprises.12356.104.0.124 FortiDB host name

SNMPv2-SMI::enterprises.12356.104.0.125 Policy count

SNMPv2-SMI::enterprises.12356.104.0.126 Total Failed Count

SNMPv2-SMI::enterprises.12356.104.0.127 Critical failure count

SNMPv2-SMI::enterprises.12356.104.0.128 Major failure count



SNMPv2-SMI::enterprises.12356.104.0.129 Minor failure count

SNMPv2-SMI::enterprises.12356.104.0.130 Caution failure count

SNMPv2-SMI::enterprises.12356.104.0.131 Informational count

An example of a trap for a target-database-level SNMP notification:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Tue Dec 04 17:38:15 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"

See also

l Adding or modifying assessments on page 159

l Notification OIDs for Rule-Level Assessments on page 163

Notification OIDs for Rule-Level Assessments

FortiDB uses the following object identifiers (OIDs) for rule-level assessment notifications:

OID Meaning

SNMPv2-SMI::enterprises.12356 Fortinet enterprise ID

SNMPv2-SMI::enterprises.12356.104 FortiDB product ID

SNMPv2-SMI::enterprises.12356.104.0.6 VA Alert Trap/Notification

SNMPv2-SMI::enterprises.12356.104.0.8 VA Target Level Alert Trap/Notification

SNMPv2-SMI::enterprises.12356.104.0.102 Severity

SNMPv2-SMI::enterprises.12356.104.0.103 Policy Name

SNMPv2-SMI::enterprises.12356.104.0.105 Assessment Time

SNMPv2-SMI::enterprises.12356.104.0.106 Application name@server name

SNMPv2-SMI::enterprises.12356.104.0.107 Target Name

SNMPv2-SMI::enterprises.12356.104.0.123 Assessment Name


SNMPv2-SMI::enterprises.12356.104.0.124 FortiDB host name



SNMPv2-SMI::enterprises.12356.104.0.125 Policy count

SNMPv2-SMI::enterprises.12356.104.0.126 Total Failed Count

SNMPv2-SMI::enterprises.12356.104.0.127 Critical failure count

SNMPv2-SMI::enterprises.12356.104.0.128 Major failure count

SNMPv2-SMI::enterprises.12356.104.0.129 Minor failure count

SNMPv2-SMI::enterprises.12356.104.0.130 Caution failure count

SNMPv2-SMI::enterprises.12356.104.0.131 Informational count

SNMPv2-SMI::enterprises.12356.104.0.132 Policy ID

An example of a formatted trap for a rule-level SNMP notification:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (73) 0:00:00.73
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.8
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"

An example of the trap with the rule information:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84) 0:00:00.84
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.132 = STRING: "6501"
SNMPv2-SMI::enterprises.12356.104.0.102 = STRING: "MINOR"
SNMPv2-SMI::enterprises.12356.104.0.103 = STRING: "DVA ORCL 01.01 Lock and Expire Unused Default Accounts"
SNMPv2-SMI::enterprises.12356.104.0.106 = STRING: "[email protected]"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
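The target-level and rule-level trap layouts above, as an added example that is not FortiDB's code: a Python decoder that maps each varbind OID from the two tables in this section to its meaning, converts the counter varbinds to integers, and tells a rule-level trap (carries a Policy ID) from a target-level one. The sample traps are constructed from this section's examples, one varbind per line as a net-snmp style receiver prints them, with a placeholder application@server value; the CRITICAL and MAJOR severity strings used for rule-level triage are an assumption, not values taken from the guide.

```python
import re
from typing import Dict, Optional

FDB_BASE = "SNMPv2-SMI::enterprises.12356.104"   # FortiDB product ID

# OID suffix (relative to the product ID) -> meaning, from the two OID tables.
OID_MEANING: Dict[str, str] = {
    ".0.6": "VA Alert Trap/Notification",
    ".0.8": "VA Target Level Alert Trap/Notification",
    ".0.102": "Severity",
    ".0.103": "Policy Name",
    ".0.105": "Assessment Time",
    ".0.106": "Application name@server name",
    ".0.107": "Target Name",
    ".0.123": "Assessment Name",
    ".0.124": "FortiDB host name",
    ".0.125": "Policy count",
    ".0.126": "Total Failed Count",
    ".0.127": "Critical failure count",
    ".0.128": "Major failure count",
    ".0.129": "Minor failure count",
    ".0.130": "Caution failure count",
    ".0.131": "Informational count",
    ".0.132": "Policy ID",
}

# Varbinds that carry counters (the guide's examples send them as STRING).
COUNT_FIELDS = ("Policy count", "Total Failed Count", "Critical failure count",
                "Major failure count", "Minor failure count",
                "Caution failure count", "Informational count")

# One varbind as a net-snmp style receiver prints it: <name> = <type>: <value>
VARBIND_RE = re.compile(
    r'(\S+?) = (?:OID: (\S+)|STRING: "([^"]*)"|Timeticks: \(\d+\) [\d:.]+)'
)


def parse_trap(text: str) -> dict:
    """Decode one trap into {'trap_oid', 'kind', 'fields', 'counts'}.

    'fields' maps each FortiDB varbind's meaning to its string value and
    'counts' holds the counter varbinds as int. Varbinds under other
    enterprise OIDs are ignored; a non-numeric counter stays in 'fields' only.
    """
    trap_oid: Optional[str] = None
    fields: Dict[str, str] = {}
    for m in VARBIND_RE.finditer(text):
        name, oid_val, str_val = m.group(1), m.group(2), m.group(3)
        if name == "SNMPv2-MIB::snmpTrapOID.0":
            trap_oid = oid_val
        elif name.startswith(FDB_BASE) and str_val is not None:
            suffix = name[len(FDB_BASE):]
            fields[OID_MEANING.get(suffix, "unknown " + suffix)] = str_val
    counts: Dict[str, int] = {}
    for key in COUNT_FIELDS:
        if key in fields and fields[key].isdigit():
            counts[key] = int(fields[key])
    # A rule-level trap carries a Policy ID and Severity; a target-level trap only totals.
    kind = "rule" if "Policy ID" in fields else "target"
    return {"trap_oid": trap_oid, "kind": kind, "fields": fields, "counts": counts}


def needs_attention(record: dict) -> bool:
    """Target level: any Critical or Major failure. Rule level: severity
    CRITICAL or MAJOR (assumed spellings, following the MINOR in the example)."""
    if record["kind"] == "rule":
        return record["fields"].get("Severity", "").upper() in ("CRITICAL", "MAJOR")
    c = record["counts"]
    return c.get("Critical failure count", 0) > 0 or c.get("Major failure count", 0) > 0


# Constructed sample traps, reproducing the guide's example values.
TARGET_TRAP = """\
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Tue Dec 04 17:38:15 PST 2007"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.124 = STRING: "jdoe.fdb.com"
SNMPv2-SMI::enterprises.12356.104.0.125 = STRING: "158"
SNMPv2-SMI::enterprises.12356.104.0.126 = STRING: "36"
SNMPv2-SMI::enterprises.12356.104.0.127 = STRING: "10"
SNMPv2-SMI::enterprises.12356.104.0.128 = STRING: "0"
SNMPv2-SMI::enterprises.12356.104.0.129 = STRING: "2"
SNMPv2-SMI::enterprises.12356.104.0.130 = STRING: "4"
SNMPv2-SMI::enterprises.12356.104.0.131 = STRING: "20"
"""

RULE_TRAP = """\
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84) 0:00:00.84
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.12356.104.0.6
SNMPv2-SMI::enterprises.12356.104.0.132 = STRING: "6501"
SNMPv2-SMI::enterprises.12356.104.0.102 = STRING: "MINOR"
SNMPv2-SMI::enterprises.12356.104.0.103 = STRING: "DVA ORCL 01.01 Lock and Expire Unused Default Accounts"
SNMPv2-SMI::enterprises.12356.104.0.106 = STRING: "orcl@dbhost.example"
SNMPv2-SMI::enterprises.12356.104.0.107 = STRING: "Test Target"
SNMPv2-SMI::enterprises.12356.104.0.123 = STRING: "Test Assessment"
SNMPv2-SMI::enterprises.12356.104.0.105 = STRING: "Thu Dec 06 16:26:26 PST 2007"
"""

if __name__ == "__main__":
    for trap in (TARGET_TRAP, RULE_TRAP):
        rec = parse_trap(trap)
        print(rec["kind"], rec["trap_oid"], "attention:", needs_attention(rec))
        for meaning, value in rec["fields"].items():
            print("   ", meaning, "=", value)
```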

See also

l Notification OIDs for target-level assessments on page 162

Selecting the type of report an assessment generates

FortiDB allows you to select which reports your assessment generates. For example, it can generate a summary report, a detailed report, or both.


1. Go to Vulnerability Assessment > Assessments.

2. Click the name of an assessment.

3. Click the Reports tab.

4. Specify which report you want for your assessment.

a. Select one or more report groups from the Available Reports: list on the left and add them to the Selected Reports list box by clicking on the right-arrow button. (In order to remove a report from the Selected Reports list, select the left-arrow button.)

To view a report description, select the report in the Selected Reports list box; the description appears in the Report Description list box on the right.

b. Check the Enable Report check box.

5. In the Report formats field group, enable one or more of the following checkboxes:

l PDF (.pdf) (the default)

l Excel (.xls)

l Comma Delimited (.csv)

l Tab Delimited (.txt)

6. Select the Save button.

See also

l Adding or modifying assessments on page 159

Reviewing, deleting, and aborting assessment results

The Results tab of the Assessment page allows you to view the status and other information about completed and incomplete assessments, view assessment results, and to abort assessments. When you click a Start Time value in the top table, target name and other information is displayed in the bottom table (under Results for each target). When you click a Target value in the bottom table, detailed results for the target are displayed.

Column name Description

Status The current status of the assessment

DB Type The type of your target database

Failed (Cri,Maj,Min,Cau) The number of failed policies by Severity type where:

l Cri is Critical

l Maj is Major

l Min is Minor

l Cau is Cautionary

Passed The number of passed policies



Informational The number of Informational policies

Errors The number of policies for which errors were returned

Total The total number of policies incorporated by the assessment

The Status column displays an icon for one of the following values: Running, Idle, Queued, Completed, Error, or Aborted.

To delete an assessment, select one or more items in the top table, and then click Delete.

To abort an assessment

Do one of the following:

l To abort an entire assessment, check the row of interest in the top table and then, below the top table, click Abort.

l To abort the assessment of a particular target database within an assessment, click a Start Time value in the top table, select a row in the bottom table, and then, below the bottom table, click Abort.

See also

l Adding or modifying assessments on page 159

l View VA global summary information on page 166

View VA global summary information

Click Vulnerability Assessment > Assessment Summary to view the summary information for all target databases. The summary information includes statistics of assessments and vulnerabilities found by assessment. If you assess the same target more than once, this global summary only includes the latest assessment of that target.


The Vulnerability Assessment Global Summary page also displays statistics for checks that failed during the assessment, including severity, classification, and database type.

See also

l Reviewing, deleting, and aborting assessment results on page 165

l Assessment history on page 167

Assessment history

The Assessment History page lists the assessments that have been run and the scheduled reports that have been saved to disk.

Assessments History tab

This tab lists all assessments that have been run. Click the Target link to view the Detailed Report for an assessment. To delete assessment records, select them and click the Delete button.

Scheduled Reports tab

When you enable the "Save Scheduled Assessment Report to Disk File" option on the Assessment > Report tab, the selected report files are saved to disk after the scheduled assessment runs. Go to the Scheduled Reports tab to download or delete report files.

Import or export assessment history

You can export or import the result of an assessment as an XML file.

To export assessment results to an XML file

1. On the Assessments History page, specify a date range. Assessments that ran within this range are exported, from 0:00 on the first date up to 0:00 on the second date (results from the second date itself are not included).

2. Optionally, for Prefix, specify a prefix for the XML file name.

3. Click Export, and then save the downloaded XML file.

To import assessment results from an XML file

1. On the Assessments History page, click Import. The Import assessments history page is displayed.

2. Click Choose File to select an XML file.

3. Click Import.

4. Click the Back button to return to the Assessments History page.


If you import the XML from another FortiDB, it might contain information about that system's own target databases, which are not managed by your current FortiDB. FortiDB imports these target databases as imported shadow targets, which it uses for assessment reporting. However, it does not add them to the target list and cannot manage them.

See also

l Reviewing, deleting, and aborting assessment results on page 165

l View VA global summary information on page 166

Viewing and exporting a privilege summary

To view the privilege summary, log in to FortiDB with an administrator account that has the Operations Manager or Report Manager role. A privilege summary shows who has access to what in your target databases. As such, it can:

l Help you establish a baseline for your security system

l Show you if any users have more privileges than they need in order to do their jobs

l Show you if any roles (or, for DB2, groups) include more privileges than necessary

l Provide a common place to review privilege assignments for all FortiDB-supported target DB types

l Eliminate the need to execute the SQL statements to get privilege-assignment information

1. Click Vulnerability Assessment > Privilege Summary.

2. For Target Group, select the target group that contains the target database for which you want to see a privilege summary.

3. For Target, select the target database for which you want to see a privilege summary.

You can access Microsoft SQL Server and Sybase targets individually via database-level connections or, as a group, via server-level connections.

4. For Database Name, select the name of the database for which you want to see a privilege summary.

5. Select the Users tab in order to see a list of users, or the Roles tab in order to see a list of roles, for the specified database.

l Because MySQL does not support roles or groups of privileges, no Role tab is displayed for MySQL target databases.

l In MySQL, a user is identified by a combination of a user name and host name, such as 'root@localhost' or '[email protected]'. Therefore, two users with the same name but at different hosts can have different privileges.

6. After you have selected a user or role, you can then use the Privilege Type or Classification dropdown lists in order to filter the displayed information.


The subsequently available privilege information depends on:

l FortiDB-user access having already been given to certain target-database system tables, catalogs, and/or views. (See the Target Privilege Matrix for a list of the appropriate tables.)

l The particular combination of Privilege Type and Classification choices you make. (For more information on these choices, see DB-Type Distinctions on page 169.)

7. Optionally, you may export most of the privilege summary information that is displayed in one of the following file formats:

l PDF (Portrait (the default) or Landscape orientation)

l Tab-delimited text (.txt)

l Comma-separated-values (.csv)

See also

l DB-Type Distinctions on page 169

l Privileges for VA assessments, privilege summaries, and penetration tests on page 83

DB-Type Distinctions

The privilege summary information varies slightly by the type of the target database.

General differences

There are differences by RDBMS type:

l The Users tab is used for all RDBMS types.

l The Roles tab is used for all RDBMS types except MySQL, which does not support roles. For DB2 target databases, Roles means Groups.

Filtering differences

After selecting a specific user name on the Users tab, or a specific role on the Roles tab, you can filter the displayed privilege information. For Oracle, DB2, Microsoft SQL Server, and Sybase, the Privilege Type dropdown offers these choices:

l Direct which refers to privileges that have been directly assigned (i.e., not via roles) to the selected user name

l Indirect which refers to privileges that have been assigned via roles to the selected user name

MySQL applies the Direct type only.

For Oracle, the Classification dropdown offers these choices:

l Object Privileges which refers to privileges that pertain to a specific schema or object

l System Privileges which refers to privileges that do not pertain to a specific schema or object

For DB2, the Classification dropdown offers these choices:

l Column Auth which refers to privilege information on certain columns

l DB Auth which refers to privilege information on certain databases


l Index Auth which refers to privilege information on certain indexes

l Package Auth which refers to privilege information on certain packages

l Schema Auth which refers to privilege information on certain schemas

l Table Auth which refers to privilege information on certain tables

l Tablespace Auth which refers to privilege information on certain tablespaces

For MySQL, the Classification dropdown offers these choices:

l Column Level which refers to privilege information on certain columns. Granting/Revoking grant option is applied for all privileges within the same table only.

l Schema Level which refers to privilege information on certain databases. Granting/Revoking grant option is applied for all privileges.

l Table Level which refers to privilege information on certain tables. Granting/Revoking grant option is applied for all privileges within the same table only.

l User Level which refers to privilege information applied to all databases on the database server. Granting/Revoking grant option is applied for all privileges.

Column and column value differences

The column names and values used by the privilege summary vary by the DB type of your target database. For more information, see the documentation provided by your database vendor for system tables, views, and/or catalogs.

See also

l Viewing and exporting a privilege summary on page 168

Sensitive data discovery

The sensitive data discovery feature searches a target database for sensitive information located in tables and columns. It works with Oracle and Microsoft SQL Server target databases only. Before you configure and run a sensitive data discovery scan, complete the following configurations:

l A connection to the target database. See Adding (or modifying) a target connection on page 93.

l One or more data discovery policies. See Data discovery policies and policy groups on page 124.

Manage sensitive data discovery

Go to Vulnerability Assessment > Sensitive Data Discovery to manage data discovery. In the list page:

l Status: indicates whether discovery is running (active) or not (inactive).

l Data Discovery Policy Group: the policy groups assigned to this discovery.

l Last Discovery: the time and result of the last discovery; click it to view the detailed report.

Click a Target Name in the list to add or modify a data discovery:


l Target tab: select the database metadata to use as the discovery object(s).

l Policy Group tab: select the discovery policy group to assign to this discovery.

l Result tab: after a discovery has run, check this tab for the result summary.

Click Save to save the discovery definition.

Running sensitive data discovery

On the discovery add/modify page, click Save & Start Scan to save the definition and start discovery. On the discovery list page, select one or more discoveries using the check boxes, then click the Start Scan button to start discovery or the Stop Scan button to stop it.

Viewing sensitive data discovery reports

There are two pre-defined data discovery reports: detailed and summary. To view a detailed report, do one of the following:

l On the discovery list page, click the link in the Last Discovery column.

l Go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Detailed Report, and then select a target and discovery time.

For a summary report, go to Report > Pre-Defined VA Reports, click Sensitive Data Discovery Summary Report, and then select a target and discovery time.

See also

l Data discovery policies and policy groups on page 124

l Viewing VA and sensitive data discovery event logs on page 171

Viewing VA and sensitive data discovery event logs

The Assessment Log page lists the event logs that vulnerability assessments and sensitive data discovery scans generate. To view the log, click Vulnerability Assessment > Local Assessment Log. The assessment log information includes Date, Module (VA or SDD), Assessment, Target, Severity, Action, and Result or Description. You can use the Assessment Logs page for the following tasks:

l Display logs filtered by module (VA or SDD) that you select from the Module dropdown list.

l Display logs filtered by Assessment name (for VA only) that you select from the Assessment dropdown list.

l Display logs filtered by Target that you select from the Target dropdown list.

l Display logs filtered by Severity that you select from the Severity dropdown list.

l Display logs filtered by Action that you select from the Action dropdown list.

l Display logs filtered by the date range you select from the From and To fields.

l Display Date, Policy name, Target, Type, Severity, and description for each error.


l Export the logs view you selected, by selecting Export

l Delete all logs by selecting Delete All

l Configure the History Prune - specify the number of days after which to delete the log entries. The default number is 30 (days).

See also

l Adding or modifying assessments on page 159

l Sensitive data discovery on page 170


Database activity monitoring (DAM)

Database activity monitoring (DAM) centralizes monitoring and auditing. DAM also displays alerts and allows you to generate reports. Alert filtering criteria range from general classifications such as target or database type to detailed classifications such as severity and rule violation. Your filter settings can create a new alert group or modify the pre-defined alert groups. Alert groups can be exported to files in various formats such as .pdf, .xls, .csv, and .txt.

See also

l Managing target monitoring on page 173

l Configuring target database monitoring on page 176

l Viewing alerts on page 191

l Viewing audit records (activity auditing results) on page 198

l Activity profiling on page 201

l SOX audit on page 204

Managing target monitoring

The Monitoring Management page provides centralized management for monitoring target databases. You can view monitoring status, policies you configured, and start and stop monitoring. You can also associate policy groups with target databases and view generated alerts.

Monitoring Management page columns

Columns Descriptions

Status A status icon indicating one of the following:

l The target has not been initialized for monitoring. Go to the monitoring configuration page to set up monitoring.

l The target is not monitored.

l Monitoring is starting.

l Monitoring is stopping.

l The target is being monitored but some of the policies could not be applied.

l Monitoring is active.

l Monitoring is not running; an attempt to start the monitor failed.

l FortiDB has disconnected from the target. The target database may be unavailable, or disconnected from the FortiDB agent (if the agent is used as the collection method).



Name Target name. Click to configure monitoring.

DB Host Name/IP Database host name or IP address of your target database computer

DB Type Database type of your target. ORACLE, MSSQL, DB2, SYBASE, or MYSQL

Collection Method Collection method used for monitoring

Alert Policy Groups The group or groups of alert policies that specify the database activities that generate security alerts.

Action Icons that configure monitoring (the same as clicking Name), show the alerts for this target, and show the local monitoring logs for this target.

Monitoring Management page buttons and fields

Buttons and Fields Descriptions

View dropdown Filters a display of the target list

Start Monitoring This button starts monitoring for the target database. You must select the target first.

Stop Monitoring This button stops monitoring. You must select the target first.

Restart This button stops then starts monitoring.

See also

l Configuring target database monitoring on page 176

Target monitoring configuration tabs and options

The monitoring configuration for a target database is displayed when you click the target’s name on the Monitoring Management page.

Monitoring configuration page tabs and options

Tabs Purposes

General Settings of audit configuration for each target database. You can start and stop monitoring and auditing in this page. It also shows monitoring and auditing status. See Configuring target database monitoring on page 176.

Alert Policies Shows the available alert policies with information, such as policy type, status, name, and severity. You can create Data policies from this page, and enable/disable policies for the target. See Adding alert and audit policies to monitoring on page 182.

Alert Policy Groups Associate the alert policy group to your target database. See Adding policy groups to target monitoring on page 183.

Audit Policies Shows the available audit policies with information. You can create Data policies, or enable/disable policies from this page. See Adding alert and audit policies to monitoring on page 182. Note: This tab is only available for collection method "TCP/IP Sniffer" for Oracle, Microsoft SQL Server, Sybase and DB2.

Audit Policy Groups Associate the audit policy group to your target database. See Adding policy groups to target monitoring on page 183. Note: This tab is only available for collection method "TCP/IP Sniffer" for Oracle, Microsoft SQL Server, Sybase and DB2.

Query Schedule Specifies a schedule for any database query policies, which are alert policies that query the target database with SQL and save the result as an alert. See Configuring a database policy on page 144.

Alert Notification Configure Alert Notification for monitoring. See Sending alert notifications on page 183.

Real Time Blocking Enables or disables real-time blocking for monitoring configurations that use the TCP/IP sniffer, and configures blocking settings. See Blocking invalid access while monitoring on page 185.

Audit Management For Oracle, this page shows the issued audit command and all audit commands for each object. For Microsoft SQL Server, this page shows audited events and audited filters used by FortiDB. This page is not applicable for Sybase. See Displaying the history of issued audit commands on page 188. Note: This tab is only available for the following collection methods:

l Oracle – "DB, EXTENDED" or "XML File Agent"

l Microsoft SQL Server – "SQL Trace"

l DB2 – "DB2 Agent”

White List In the White List tab, you can configure data policies that will be automatically excluded from the Alert Policy settings for Oracle or Microsoft SQL Server. See Excluding policies from the Alert Policy settings (whitelist) on page 186. Note: This tab is only available for collection method "DB, EXTENDED" for Oracle and "SQL Trace" for Microsoft SQL Server. After monitoring starts, FortiDB does not generate alerts for SQL actions that match the white list settings, so only SQL actions known to be secure should match them.


See also

• Configuring target database monitoring on page 176

Configuring target database monitoring

The General tab shows audit configuration information and monitoring status for each target database. The Audit Configuration settings specify how FortiDB collects audit information. The settings that are displayed depend on the database type and collection method. For more information, see the topic for the appropriate database type:

• Configuring monitoring using the TCP/IP sniffer (all database types) on page 177

• Configuring Microsoft SQL Server monitoring on page 178

• Configuring DB2 monitoring on page 179

• Configuring Sybase monitoring on page 179

• Configuring MySQL monitoring on page 180

• Configuring Oracle monitoring on page 181

The Test button is available for some collection methods. Click it to verify the connection. Click the Save button to save your Audit Configuration settings. The Monitoring settings allow you to start or stop monitoring.

Monitoring settings and messages

Setting Description

Start Monitoring/Stop Monitoring Click to start or stop monitoring.

Start monitoring when FortiDB starts Specifies whether FortiDB automatically starts monitoring the current target when FortiDB starts.

Monitoring Status Displays one of the following monitoring status values:

• Running

• Need Restart: A monitoring restart is required to apply a policy change

• Idle

• Terminating

• Terminated

• INIT (Initializing)

Status Message Displays information related to the monitoring or auditing status

See also

• Target monitoring configuration tabs and options on page 174


Configuring monitoring using the TCP/IP sniffer (all database types)

FortiDB can monitor database activity using its TCP/IP sniffer. The activity auditing and profiling features require the TCP/IP sniffer.

1. To configure a target to support database activity monitoring, on the General tab for the target, for DB Activity Monitoring, select Allow. For more information on target configuration, see Adding (or modifying) a target connection on page 93.

2. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.

3. On the General tab, complete the following settings:

Collection Method Select TCP/IP Sniffer.

Version Select the version of the target database. FortiDB supports the following versions:

Oracle 9i, 10g, 11g, 12c

Microsoft SQL Server 2000, 2005, 2008, 2008_R2, 2012, 2014

DB2 UDB 9.1, 9.5, 9.7

Sybase ASE 12.5, 15.0, 15.5, 15.7

PostgreSQL PostgreSQL 8.x

SSL Certificate Private Key For Microsoft SQL Server databases only. If SSL encryption is enabled, select the SSL Certificate Private Key file and enter the Key Password (if you have it) that FortiDB uses. The SSL Certificate for SSL encryption is configured on the server side.

SSL Certificate Private Key (P12) For Oracle databases only. If SSL encryption is enabled and certificate information is stored in PKCS #12 format, select the certificate file and enter the Key Password. The SSL Certificate for SSL encryption is configured on the server side. For more information, see Monitoring encrypted Oracle traffic on page 73.

SSL Certificate Private Key (SSO) For Oracle databases only. If SSL encryption is enabled, select the X.509 format certificate file and enter the Key Password. For more information, see Monitoring encrypted Oracle traffic on page 73.

Sniffer on Port Specify the FortiDB port that is connected to the switch's SPAN port.

Enable Activity Auditing Select to enable activity auditing.

Log All Select to audit all activity. Otherwise, FortiDB audits only activity captured by the policies specified on the Audit Policies tab.

Enable Activity Profiling Select to enable activity profiling.

4. If you did not select Log All, to specify the activity that is audited, do one of the following:

a. On the Audit Policies tab, create a list of one or more policies to use.

b. On the Audit Policy Groups tab, select one or more policy groups to use.

For information on adding audit policies and audit policy groups to the configuration, see Adding alert and audit policies to monitoring on page 182. By default, no audit policies or policy groups are specified.

5. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 176.

See also

• Target monitoring configuration tabs and options on page 174

• Network requirements for monitoring using the TCP/IP sniffer on page 69

Configuring Microsoft SQL Server monitoring

FortiDB uses either SQL Trace or the TCP/IP sniffer to collect audit information from Microsoft SQL Server databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 177.

To configure auditing for a Microsoft SQL Server database using SQL Trace

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See Microsoft SQL Server target database pre-configuration on page 83.

2. Verify that the SQL Server has an audit trace folder (for example, C:\SQLTrace). Ensure that you enter the full path to the folder.

3. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

4. On the General tab, complete the following settings:

Collection Method Select SQL Trace. To change a collection method from one option to the other, first stop monitoring, change the collection method, then restart monitoring.

Trace Folder Specify the folder where your server writes the trace information. Ensure that you enter the full path.

Polling Frequency (ms) Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then re-start monitoring.

5. Click Test to confirm the connection with the method you selected.

6. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 176.

See also

• Target monitoring configuration tabs and options on page 174

• Network requirements for monitoring using the TCP/IP sniffer on page 69

Configuring DB2 monitoring

FortiDB uses either a DB2 agent or the TCP/IP sniffer to collect audit information from DB2 databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 177.

To configure auditing for a DB2 database using the DB2 agent

To change the collection method, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See DB2 target database pre-configuration on page 80.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. On the General tab, for Collection Method, select DB2 Agent.

4. Click Test to confirm the connection with the method you selected.

5. On the General tab, under Monitoring, click Start Monitoring. For more information about monitoring options, see Monitoring settings and messages on page 176.

See also

• Target monitoring configuration tabs and options on page 174

• DB2 target database pre-configuration on page 80

Configuring Sybase monitoring

FortiDB uses either the Sybase audit system (Sybase Monitoring and Diagnostic (MDA) tables) or the TCP/IP sniffer to collect audit information from Sybase databases. The TCP/IP sniffer is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 177.


To configure auditing for a Sybase database using Monitoring and Diagnostic (MDA) tables

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete, which includes:

• Creating the sybsecurity database

• Installing installsecurity

• Configuring the MDA (Monitoring and Data Access) tables

See Sybase target database pre-configurations on page 75.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. On the General tab, complete the following settings:

Collection Method Select MDA. To change the collection method, first stop monitoring, change the collection method, then restart monitoring.

Polling Frequency (ms) Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then re-start monitoring.

4. Click Test to confirm the connection with the method you selected.

5. Under Monitoring, click Start Monitoring. For information about the Monitoring options, see Monitoring settings and messages on page 176.

See also

• Target monitoring configuration tabs and options on page 174

• Sybase target database pre-configurations on page 75

Configuring MySQL monitoring

FortiDB uses the MySQL general log to collect audit information from MySQL databases.

To configure auditing for a MySQL database

To change the polling frequency for monitoring, first stop monitoring. You cannot change this setting while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See MySQL target database pre-configuration on page 74.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. On the General tab, complete the following settings:

Collection Method Select General Log. To change the collection method, first stop monitoring, change the collection method, then restart monitoring.

Polling Frequency (ms) Enter the polling frequency for audit collection, in seconds. To change the polling frequency later, stop monitoring, change the value, and then re-start monitoring.

4. Click Test to confirm the connection with the method you selected.

5. Under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 176.

See also

• Target monitoring configuration tabs and options on page 174

• MySQL target database pre-configuration on page 74

Configuring Oracle monitoring

FortiDB can use several methods to collect audit information from Oracle databases. The TCP/IP sniffer method is provided by the appliance version of FortiDB only. For detailed configuration instructions, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 177.

To configure auditing for an Oracle database

To change the collection method or polling frequency for monitoring, first stop monitoring. You cannot change these settings while FortiDB is monitoring the target database.

1. Ensure the required database pre-configuration is complete. See Oracle target database pre-configuration on page 70.

2. In the navigation menu, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that connects to the database you want to monitor.

3. Obtain the value of your database's audit_trail parameter.

4. On the General tab, for Collection Method, select one of the following options:

Oracle audit_trail parameter value | Collection method | Agent required? | Notes

db, extended | DB, EXTENDED | No |

db | DB, EXTENDED | No | For Oracle 9i only. Monitoring Oracle 9i databases has the following limitations:

• Table and table column policy - Cannot retrieve the SQL statement text

• Table, user, and session policy - No effect with Suspicious Location rule

• Session policy - No effect with Extremely Long Session rule and High Read Ratio rule

xml, extended | XML File Agent | Yes | FortiDB's XML file agent provides high performance for auditing Oracle target databases. To use the XML file agent option, run the FortiDB XML file agent in your target database. For more information, see Oracle XML file agent installation and configuration (UNIX, Windows, AIX).

5. If you selected DB, EXTENDED, for Polling Frequency (secs), enter the polling frequency for audit collection, in seconds.

6. Click Test to confirm the connection with the method you selected.

7. Under Monitoring, click Start Monitoring. For more information about monitoring, see Monitoring settings and messages on page 176.

See also

• Target monitoring configuration tabs and options on page 174

• Oracle target database pre-configuration on page 70

Adding alert and audit policies to monitoring

The Alert Policies and Audit Policies tabs on the monitoring configuration page allow you to configure data policies. FortiDB can add these policies to a new policy group automatically and associate the group with the current target.

Audit policies are available only for target monitoring configurations that use the TCP/IP Sniffer collection method.

The list of policies on the tab allows you to manage the policies that FortiDB uses to monitor the target:

• To enable or disable policies, select one or more items in the list (or the checkbox in the column header to select all items), and then click Enable or Disable.

• To delete user-defined policies, select the appropriate item, and then click Delete.

• To create a data policy, in the Data Policies list, select a policy type, and then click Add. For examples of creating data policies, see the database activity monitoring tutorials in FortiDB tutorials on page 16.

• To edit a policy name, click its name.

• Click the Restart button to restart monitoring after a policy change.

For detailed information on these policies, see Database Activity Monitoring (DAM) policies on page 126.

See also

• Target monitoring configuration tabs and options on page 174

• Oracle target database pre-configuration on page 70

Adding policy groups to target monitoring

When you configure monitoring for a target database, FortiDB automatically adds the data, metadata, and privilege alert policy groups to the configuration. However, it does not automatically associate PCI, SOX, and HIPAA alert policy groups. FortiDB does not automatically associate any audit policies or audit policy groups with the target monitoring configuration. To allow FortiDB to perform policy-based activity auditing, you either select Log All on the configuration’s General tab or use the Audit Policies or Audit Policy Groups tabs to select policies. Alternatively, instead of adding a policy group to a single target, you can add groups to multiple targets. For information, see Adding policy groups to target database monitoring on page 158.

To add a policy group to target database monitoring

1. Verify that you have a target connection that allows monitoring.

2. Go to DB Activity Monitoring > Monitoring Management.

3. Click the target name. The Target Monitor: page is displayed.

4. Select the Alert Policy Groups or Audit Policy Groups tab.

5. Select the policy groups you want to associate with the target from the Available Policy Groups box.

6. Click the right arrow to move the selection to the Selected Policy Groups box. When you select a group, its policies are displayed in the Selected Policy Group contents box.

7. Select Save.

See also

• Alert and audit policy groups on page 156

Sending alert notifications

Use the Alert Notification tab to configure FortiDB to send a notification when it receives a monitoring alert. It can send alerts via email, SNMP, and other methods. You can also generate notifications as reports, which allows you to specify what alert information to include and schedule a time for FortiDB to generate and send the report. For more information, see Reports on page 208.


To access the Alert Notification tab, click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

To send notifications via email

1. Go to Administration > Global Configuration > Notification, and then ensure that the host name and port of an email server are specified. For more information, see Notification properties on page 63.

2. Go to Administration > Administrators, and then ensure that an email address is specified for the administrators that you want to send email notifications to. For more information on configuring administrators, see Administrators on page 53.

3. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target to configure.

4. On the Alert Notification tab, select Enable Email.

5. In the Available Receivers list, select an item, and then click >> (right arrows) to add it to the Selected Receivers list.

6. Click Save.

To send notifications via SNMP

1. Go to Administration > Global Configuration > Notification, and then ensure that the SNMP receiver host and port are specified. For more information, see Notification properties on page 63.

2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

3. On the Alert Notification tab, select Enable SNMP Trap.

4. Click Save.

To send notifications to a Syslog server

1. Go to Administration > Global Configuration > Notification, and then ensure that the Syslog receiver host and port are specified. For more information, see Notification properties on page 63.

2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

3. On the Alert Notification tab, select Enable Syslog.

4. Click Save.

To send notifications to an ArcSight Syslog server

For FortiDB event to ArcSight data field mapping information, see FortiDB event to ArcSight data field mapping on page 185.

1. Go to Administration > Global Configuration > Notification, and then ensure that the ArcSight Syslog receiver host and port are specified. For more information, see Notification properties on page 63.

2. Click DB Activity Monitoring > Monitoring Management, and then click the name of the target that you want to configure.

3. On the Alert Notification tab, select Enable ArcSight Syslog.

4. Click Save.


See also

• FortiDB event to ArcSight data field mapping on page 185

FortiDB event to ArcSight data field mapping

The following table displays the corresponding ArcSight remote logging format field for each event:

FortiDB event ArcSight Event Data Field

Hostname dhost

Source Hostname shost

Alert Timestamp rt

FortiDB Hostname dvchost

Severity cat

Action act

Return Code cn1

Display ID externalId

DB Type cs1

System User suser

DB User duser

Login Name cs3

DB Object fname

Description cs4

Target Database Name cs5

Policy Name cs6

Source Application requestClientApplication

SQL Statement msg
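On the receiving side, this table is what lets a SIEM parser turn an ArcSight record back into FortiDB field names. The following parser is an added example written for this page, not Fortinet code: the key-to-field mapping is taken from the table above, while the CEF header layout (vendor, product, version, signature ID, name, severity) and the sample record are assumptions and constructed test data.

```python
"""Map an ArcSight (CEF-style) syslog record back to FortiDB alert field names.

Added example for this page, not Fortinet code. The key-to-field table is the one
above; the CEF header layout and the sample record below are assumptions.
"""
import re
from typing import Any, Dict

# ArcSight extension key -> FortiDB event field (the page's table, inverted).
ARCSIGHT_TO_FORTIDB = {
    "dhost": "Hostname",
    "shost": "Source Hostname",
    "rt": "Alert Timestamp",
    "dvchost": "FortiDB Hostname",
    "cat": "Severity",
    "act": "Action",
    "cn1": "Return Code",
    "externalId": "Display ID",
    "cs1": "DB Type",
    "suser": "System User",
    "duser": "DB User",
    "cs3": "Login Name",
    "fname": "DB Object",
    "cs4": "Description",
    "cs5": "Target Database Name",
    "cs6": "Policy Name",
    "requestClientApplication": "Source Application",
    "msg": "SQL Statement",
}

# Standard CEF header order (assumed; the page does not show FortiDB's header).
CEF_HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity")

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")        # '|' not escaped with a backslash
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_]+=)")  # space that starts a new key=value
_UNESCAPE = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def _unescape(value: str) -> str:
    """Undo CEF extension escaping, scanning left to right so escape pairs never overlap."""
    out, i = [], 0
    while i < len(value):
        pair = value[i:i + 2]
        if pair in _UNESCAPE:
            out.append(_UNESCAPE[pair])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces and escaped '=' signs."""
    fields: Dict[str, str] = {}
    for token in _EXT_SPLIT.split(ext.strip()):
        key, sep, raw = token.partition("=")
        if not sep:
            raise ValueError(f"malformed extension token: {token!r}")
        fields[key] = _unescape(raw)
    return fields


def parse_fortidb_cef(line: str) -> Dict[str, Any]:
    """Return the CEF header fields plus the alert keyed by FortiDB field names."""
    start = line.find("CEF:")  # anything before 'CEF:' is the syslog transport prefix
    if start < 0:
        raise ValueError("not a CEF record")
    # maxsplit=7 keeps any '|' inside the SQL statement (e.g. Oracle '||') intact.
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 '|'-separated fields")
    record: Dict[str, Any] = dict(zip(CEF_HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    alert: Dict[str, Any] = {}
    unmapped: Dict[str, str] = {}
    for key, value in parse_extension(parts[7]).items():
        name = ARCSIGHT_TO_FORTIDB.get(key)
        if name is None:
            unmapped[key] = value           # keys the page's table does not cover
        elif name == "Return Code":
            alert[name] = int(value)        # cn1 is a CEF custom number
        else:
            alert[name] = value
    record["alert"], record["unmapped"] = alert, unmapped
    return record


# Constructed sample record (not a real FortiDB export); header values are illustrative.
SAMPLE_LINE = (
    "<134>Oct 31 12:00:00 fortidb01 "
    "CEF:0|Fortinet|FortiDB|5.1.13|1001|Alert|5|"
    "dhost=db01.example.test shost=app07.example.test rt=1540944000000 "
    "dvchost=fortidb01 cat=Major act=SELECT cn1=0 externalId=4711 cs1=Oracle "
    "suser=oracle duser=APP_RO cs3=appuser fname=HR.EMPLOYEES "
    "cs4=Table policy violation cs5=HRPROD cs6=HR-Employees-Read "
    "requestClientApplication=sqlplus "
    "msg=SELECT salary FROM hr.employees WHERE emp_id\\=42"
)

if __name__ == "__main__":
    for name, value in parse_fortidb_cef(SAMPLE_LINE)["alert"].items():
        print(f"{name:22} {value}")
```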

See also

• Sending alert notifications on page 183

Blocking invalid access while monitoring

Because the real-time blocking feature uses the TCP/IP Sniffer, the Real Time Blocking tab is only available when Collection Method is TCP/IP Sniffer.


You can configure FortiDB to use a TCP/IP Reset (RST) mechanism to prevent invalid access to the server by database clients. FortiDB allows you to select which alert policies FortiDB uses to validate the connection data. Whenever it blocks access, FortiDB generates a critical security alert.

Because real-time blocking interrupts the TCP connection, it can destabilize your database client application or application server. Ensure that you understand this feature and its implications before you enable it.

You can configure FortiDB to block a client for a specified period of time after it violates access policies. During this period, instead of scanning the connection for policy violations, which uses system resources, FortiDB automatically resets connections from the client. After the blocking period expires, FortiDB resumes the scanning process. Specifying a blocking period can improve performance if FortiDB is under attack by malicious clients. The default blocking period is 5 minutes.

To enable real-time blocking

1. Go to DB Activity Monitoring > Monitoring Management, and then click the name of the target.

2. If FortiDB is currently monitoring the target, click Stop Monitoring.

3. On the Real Time Blocking tab, select Enable Real Time Blocking.

4. To configure FortiDB to continue to deny access to clients that it blocks for a specified period of time, select Block Client for [x] minutes, and then enter a value in minutes. The default value is 5 minutes.

5. For TCP RST Blocking Port, select the network port FortiDB uses to send the TCP RST packet to the client's connection. Ensure that FortiDB can reach the connection between database client and server through the port you specify. If the client is behind a firewall or router with NAT, the TCP reset signal appears to be sent to the client from the firewall or router.

6. To assign alert policies for real-time blocking, select one or more policies from the Available Policies list, and then click >> (right arrows) to move them to the Selected Policies list. The items in the Available Policies list are from groups selected on the Alert Policy Groups tab. To remove items, select them and then click << (left arrows).

7. Click Save.

8. On the General tab, to re-start monitoring with the real-time blocking feature, click Start Monitoring.

See also

• Database activity monitoring (DAM) on page 173

Excluding policies from the Alert Policy settings (whitelist)

Use the White List tab to specify Oracle or Microsoft SQL Server database activities that do not generate alerts.

The White List tab is available only when the collection method is DB, EXTENDED (for Oracle databases) or SQL Trace (for Microsoft SQL Server databases). Because FortiDB does not generate alerts for SQL actions that match the whitelist criteria, ensure that the SQL actions in the whitelist are known, secure actions.


To enable the whitelist

1. Go to DB Activity Monitoring > Monitoring Management and click the name of the target to configure.

2. On the White List tab, select Enable White List.

3. Use the following settings to specify the whitelist criteria:

Setting Description

Object Settings Excludes from alerts any successful access to the specified objects. Select one of the following selection methods:

• Manually Select Object

• Browse Object by Target (default)

Use the following options to specify one or more objects:

1. Select an item from the Target list.

2. Select an item from the Schema list.

3. In the Tables list, select one or more items and then click > (right arrow) to move your selections to the . To remove objects, select them in the Selected Objects list and then click < (left arrow).

Login Name Settings Excludes from alerts any successful access to the selected objects by the specified login names. To specify one or more login names: 1. Select one or more login names from the login names list. 2. Click the right arrow to move the selections to the Selected login names list. Note: To remove login names from the Selected login names list, select them and click the left arrow.

DB User Settings Excludes from alerts any successful access to the selected objects by the specified database users. To specify one or more database users: 1. Select one or more database users from the login names list. 2. Click the right arrow to move the selections to the Selected database users list. Note: To remove database users from the Selected database users list, select them and click the left arrow.

OS User Settings Excludes from alerts any successful access to the selected objects by the specified OS users. You can specify one or more OS user names by typing the exact name or a regular expression. 1. Type one OS user name into the text box. 2. Click the right arrow to move it to the Selected users list. Note: To remove OS users from the Selected OS users list, select them and click the left arrow.

Source Location Settings Excludes from alerts any successful access to the selected objects from the specified locations. You can specify one or more locations by typing the exact location or a regular expression. 1. Type one hostname or IP address into the text box. 2. Click the right arrow to move it to the Selected source locations list. Note: To remove locations from the Selected source locations list, select them and click the left arrow.

Application Settings Excludes from alerts any successful access to the selected objects by the specified client applications. You can specify one or more client applications by typing the exact application name or a regular expression. 1. Type one application name or client ID into the text box. 2. Click the right arrow to move it to the Selected applications list. Note: To remove applications from the Selected applications list, select them and click the left arrow.
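Because a whitelist entry silences alerts, it pays to be precise about which events it silences. The following evaluator is an added illustration of the White List criteria described above, not FortiDB's implementation: it assumes that every configured criterion kind must match (AND), that an empty kind does not narrow the match, and that a regular expression must match the whole value; the whitelist and events it uses are constructed.

```python
"""Decide whether a captured access matches FortiDB-style whitelist criteria.

Added illustration for this page, not FortiDB's implementation. Criterion kinds and
the 'successful access only' rule follow the White List tab above; the combining
rules (AND across configured kinds, whole-value regex matches) are assumptions.
"""
import re
from dataclasses import dataclass, field, replace
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One audited database action as the monitor sees it (constructed fields)."""
    schema: str
    table: str
    login_name: str
    db_user: str
    os_user: str
    source_location: str    # hostname or IP address of the client
    application: str        # client application name or client ID
    success: bool           # only successful access can ever be whitelisted


@dataclass
class WhiteList:
    enabled: bool = True
    objects: FrozenSet[Tuple[str, str]] = frozenset()   # (schema, table) pairs
    login_names: FrozenSet[str] = frozenset()
    db_users: FrozenSet[str] = frozenset()
    os_users: List[re.Pattern] = field(default_factory=list)
    source_locations: List[re.Pattern] = field(default_factory=list)
    applications: List[re.Pattern] = field(default_factory=list)


def compile_entries(entries: List[str]) -> List[re.Pattern]:
    """Compile typed names or regular expressions; a plain name is a valid regex too."""
    return [re.compile(e, re.IGNORECASE) for e in entries]


def _matches_any(patterns: List[re.Pattern], value: str) -> bool:
    # An empty kind is 'not configured' and does not narrow the match.
    # fullmatch (not search) keeps r'svc_hr\d{2}' from also covering 'svc_hr01x'.
    return not patterns or any(p.fullmatch(value) for p in patterns)


def is_whitelisted(wl: WhiteList, ev: AccessEvent) -> Tuple[bool, str]:
    """Return (suppress_alert, reason) for one event."""
    if not wl.enabled:
        return False, "whitelist disabled"
    if not ev.success:
        return False, "failed access is never whitelisted"
    listed = {(s.upper(), t.upper()) for s, t in wl.objects}
    if (ev.schema.upper(), ev.table.upper()) not in listed:
        return False, f"object {ev.schema}.{ev.table} is not whitelisted"
    if wl.login_names and ev.login_name not in wl.login_names:
        return False, f"login name {ev.login_name} is not listed"
    if wl.db_users and ev.db_user not in wl.db_users:
        return False, f"DB user {ev.db_user} is not listed"
    if not _matches_any(wl.os_users, ev.os_user):
        return False, f"OS user {ev.os_user} does not match"
    if not _matches_any(wl.source_locations, ev.source_location):
        return False, f"source location {ev.source_location} does not match"
    if not _matches_any(wl.applications, ev.application):
        return False, f"application {ev.application} does not match"
    return True, "all configured criteria matched"


def suppressed_count(wl: WhiteList, events: List[AccessEvent]) -> int:
    """How many of the events the whitelist would silence."""
    return sum(1 for ev in events if is_whitelisted(wl, ev)[0])


# Constructed whitelist for one reviewed batch job (not a real FortiDB configuration):
# HR.EMPLOYEES read by login batch_hr / DB user HR_BATCH, from the batch subnet only.
SAMPLE_WHITELIST = WhiteList(
    objects=frozenset({("HR", "EMPLOYEES")}),
    login_names=frozenset({"batch_hr"}),
    db_users=frozenset({"HR_BATCH"}),
    os_users=compile_entries([r"svc_hr\d{2}"]),
    source_locations=compile_entries([r"10\.20\.30\.\d{1,3}"]),
    applications=compile_entries(["payroll-loader"]),
)

_BASE = AccessEvent("HR", "EMPLOYEES", "batch_hr", "HR_BATCH", "svc_hr01",
                    "10.20.30.15", "payroll-loader", success=True)

# Constructed events: only the first should be silenced.
SAMPLE_EVENTS = [
    _BASE,
    replace(_BASE, source_location="192.168.1.50"),  # same job, unexpected network
    replace(_BASE, success=False),                   # failed attempt on a listed object
    replace(_BASE, os_user="svc_hr01x"),             # partial match only; still alerts
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_whitelisted(SAMPLE_WHITELIST, ev))
```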

See also

• Database Activity Monitoring (DAM) policies on page 126

Displaying the history of issued audit commands

The Target’s Audit Management tab displays the history of issued audit commands. Each type of target database has a different style of audit management. The Target’s Audit Management tab is not available for Sybase or MySQL databases. For the remaining database types, it is only available when Collection Method is one of the following values:

• DB, EXTENDED or XML File Agent (for Oracle)

• SQL Trace (for Microsoft SQL Server)

• DB2 Agent (for DB2)

See also

• Oracle audit management on page 189

• Microsoft SQL Server audit management on page 190

• DB2 audit management on page 190


Oracle audit management

The Target’s Audit Management page for Oracle target databases displays the history of issued audit commands.

Statement options

The Statement options section displays:

• Database User

• Audit Option

• Success

• Failure

Object options

The Object options section displays all the audit commands, including success or failure, for each object with:

• Object owner

• Object name

• Object type

• Access or Session on SELECT/INSERT/UPDATE/DELETE/EXECUTE/ALTER

To update the list, click the Refresh button.

Clearing audit settings

FortiDB modifies the Oracle auditing system to monitor the policies that you define. These audit settings affect what is audited and how fast the SYS.AUD$ table fills. Under normal operating conditions, FortiDB removes its settings when monitoring is stopped. However, the SYS.AUD$ table can sometimes become cluttered because audit settings configured by others were not properly removed. To correct this, use FortiDB's clear audit settings feature to remove all audit settings. If FortiDB is the only client of the audit system, you can use this feature to clear all audit settings; if other people need the audit settings, do not clear them. To clear audit settings, you must first stop monitoring. After clearing the settings, the audit statement and audit options tables are empty. If you then start FortiDB monitoring, you see only the audit settings that FortiDB needs for the enabled policies.

Audit management

When using the audit-based collection methods for Oracle, you may want to clear the audit settings from previous operations if FortiDB is used as the exclusive auditing mechanism for that target database. Also, for the DB,EXTENDED collection method, you may want to delete all previous log entries in the Oracle target database. You can do both in the Audit Settings Management section of the Audit Management tab. These options are selected by default, so be sure to deselect these options if FortiDB is not the only service that is using Oracle's auditing mechanism. For the DB,EXTENDED collection mechanism, the audit log table may periodically grow larger than the file system's capacity for that table. To periodically delete audit log entries, go to the Scheduled Maintenance section.


Warning: Using FortiDB to manage the contents of the SYS.AUD$ table should be compliant with the best practices of your organization.

Microsoft SQL Server audit management

The Target’s Audit Management page for Microsoft SQL Server target databases displays a list of SQL Server events and filters used by FortiDB to audit. If you select Monitoring or Auditing from the Trace Type dropdown list then click the Refresh button, FortiDB will display the general information.

Audited events

The Microsoft SQL Server Audited Events section displays a list of SQL Server events used by FortiDB for auditing purposes with the following information:

• Column

• Event

Audited filters

The Microsoft SQL Server Audited Filters section displays a list of Microsoft SQL Server filters used by FortiDB for auditing purposes with the following information:

• Column

• Comparison Operator

• Logical Operator

• Value

To update the list, click Refresh.

DB2 audit management

The Target’s Audit Management page for DB2 target databases displays the history of audit commands issued by the database.

DB2 audit settings with syscat.auditpolicies

The DB2 Audit Settings section displays DB2 syscat.auditpolicies view contents with the following information:

• Policy Name

• Policy ID

• Create Time

• Alter Time

• Audit Status

• Context Status

• Validate Status

• Checking Status

• SecMaint Status

• ObjMaint Status

• SysAdmin Status

• Execute Status

• Execute with Data

• Error Type

DB2 audit settings with syscat.audituse

The DB2 Audit Settings section also displays DB2 syscat.audituse view contents with the following information:

• Policy Name

• Policy ID

• Schema

• Object Name

• Object Type

• Sub Object Type

To update the list, click the Refresh button.

Viewing alerts

The Security Alerts page displays a list of all alerts generated from all databases and their details. You can filter the list using a pre-defined alert group, an alert group that you defined, or by date. You can also export the alert list in several different formats.

Security Alerts page columns

Column Description

ID FortiDB assigns alert identifiers sequentially.

Type An icon indicating the kind of policy that generated the alert:

l a table policy

l a table and column policy

l a session policy

l a user policy

l a database query policy

l a privilege policy

l a metadata policy


Status One of the following alert status values. You can change the alert status and add annotations from the Security Alerts page; see Changing the status of and annotating alerts on page 193.

l Unacknowledged

l Acknowledged

l Error Corrected

l Annotated (the alert has an annotation created by a FortiDB administrator)

Severity Severity of the policy that generated the alert: Informational, Cautionary, Minor, Major, or Critical

Received Time The date and time when FortiDB received the alert

Target Name of the target database

Source Location Hostname of source client

Policy Violation & Action The name of the policy that generated the alert and the action that violated the rule

Security Alerts page filtering options

Option Description

View Filters alerts by alert group, pre-defined or user-defined. Select the group from the View dropdown list.

Search Click Search / New Group to define search criteria, or click Edit to modify the search criteria of a user-defined group. When you have configured the criteria, click Search to search the alerts, or click Save Group to save the criteria as an alert group. For more information on groups, see Alert group on page 195. For information on configuring search criteria, see Filtering and searching alerts on page 193.

Date Range and Entry Limit Filters alerts by the specified date range and by the number of entries entered for Limit To. Click Refresh to apply the filter.

Click an alert to view its detail below the list. For more information, see Alert details on page 194.

See also

l Changing the status of and annotating alerts on page 193

l Exporting the alert list as a report on page 193

l Filtering and searching alerts on page 193

l Alert details on page 194

l Alert group on page 195


Changing the status of and annotating alerts

Select one or more alerts using the check boxes, then click one of the three status icon buttons to change the status to Unacknowledged, Acknowledged, or Error Corrected. To add or edit an alert's annotation, select one or more alerts using the check boxes, click the Annotate icon button, enter the annotation, and click Save.

See also

l Viewing alerts on page 191

Exporting the alert list as a report

The alert list displayed on this page can be exported as a report in several different formats.

l PDF (.pdf)

l Excel (.xls)

l Tab (.txt)

l CSV (.csv)

To export alerts, select the file format from the Export as dropdown, then click Export.

To generate an alert report with more detailed information, use a pre-defined or user-defined DAM alert report. For details, see Pre-defined DAM reports on page 213 and User-defined DAM reports on page 214.

See also

l Viewing alerts on page 191

Filtering and searching alerts

When you search alerts or configure the filters of an alert group, you filter alerts by conditions on their columns. Define the filtering criteria with one or more data filtering entries.

Exclude option

Select Exclude following filters if you want the alerts that do not match the criteria.

Configure criteria row

Each row defines one filtering criterion. Select the logical Operator (And or Or; not available for the first row), the Column, and the comparison Operator from the dropdown lists, then enter a Value or select one from the list of available values.

Multiple criteria rows

Add or remove filtering criteria rows by clicking the + (plus) or - (minus) buttons.


If there are multiple filtering entries that combine both And and Or operations, use the brackets "(" and ")" to set the priority of the operations. For example, the filter for the group "Table change by non-system user" is:

Action Equals Delete, Insert, Truncate, Update and ( DB User Not Equal SYSTEM or Login Name Not Equal SYSTEM )

See also

l Viewing alerts on page 191

Alert details

The Alert Details section shows the following information about the selected alert:

Field Name Description

ID Alert ID. This number is set sequentially

Timestamp The date and time when the alert was received by FortiDB

Target Name Target database name.

Policy Name Policy name that generated the alert. For example, Tables, Column Privileges, tablePolicy1, etc.

Action Action that was taken and caused the alert

Rule Violations Alert rules that generated the alert. For example, Suspicious location, Suspicious Login Name, etc.

Severity Short name of the severity level configured for the policy:

l INF - Information

l CAU - Cautionary

l MAJ - Major

l MIN - Minor

l CRI - Critical

OS User or Auth Id The OS user (for Oracle and Microsoft SQL Server) or the Auth Id (for DB2) that accessed the target database

DB User DB user who took an action

Login Name Login name that logged into the target database

Object Object that was accessed and caused the alert

SQL Statement SQL Statements that were executed and caused the alert

Return Code Return code from the target database

Source Location Hostname of source location that originated the action

Application Source application that originated the actions and caused alerts

Annotation Annotation text added by administrator for this alert


For Sybase target databases, the OS User field shows "not available". For Microsoft SQL Server, the OS User is available only when Windows authentication is used. For Sybase and Microsoft SQL Server, the Object field may not be available for the Roles and System Privileges privilege policies.

See also

l Viewing alerts on page 191

Alert group

The Alerts Group page allows you to organize the security alerts that FortiDB's monitoring activity generates. You use alert groups to filter the list of alerts displayed on the Security Alerts page and to filter the information in a DAM report.

Add, edit, or delete an alert group

Use the Alerts Group page to perform the following tasks:

l To create a new group, click Add.

l To modify group settings, click the name of the group or the Edit icon in the Action column.

l To delete a group, select the check box for one or more user-defined alert groups, and then click Delete.

Alternatively, you can create a new group when you search the list of alerts on the Security Alerts page. (See Filtering and searching alerts on page 193.)

Pre-defined alert groups

FortiDB provides pre-defined alert groups that you can use to add and modify filtering criteria.

Pre-defined alert groups Descriptions

Major and Critical Alerts Alerts that have major and critical severities.

Metadata Changes Alerts generated by triggering metadata policies.

Privilege Changes Alerts generated by triggering privilege policies.

Security Violations Alerts that are triggered by security violations.

Table changes Alerts that are triggered by inserts, updates, or deletes on tables.

Unacknowledged Alerts Alerts that have a status of 'Unacknowledged'.


Data filter for an alert group

The Filters tab allows you to define data filtering criteria for the group when you add or edit a group. You can define one or more data filtering entries that specify the criteria to match. When an alert matches the specified criteria, it is included in the group.

Exclude following filters Select to include the alerts that do not match the criteria.

Operator The logical operator (And or Or) that joins the row to the rows before it; not available for the first row.

Column Select the alert column to test.

Operator Select the comparison operator, for example Equals or Not Equal.

Value Enter a value or select one from the list of available values.

- (minus) and + (plus) Click to remove or add criteria rows.

If there are multiple filtering entries that combine both And and Or operations, use the brackets "(" and ")" to set the priority of the operations. For example, to create a filter for the group "Table change by non-system user", use the following settings:

Row  Logical operator  Column  Comparison operator  Value

1  -  Action Type  Equals  Delete, Insert, Truncate, Update

2  and  Database User  Not Equal  SYSTEM

3  and  Login Name  Not Equal  SYSTEM

To create a filter for a group that selects the alerts generated when a specific user (scott) creates a table:

Row  Logical operator  Column  Comparison operator  Value

1  -  Policy Type  Equals  Metadata Policies

2  and  Action Type  Equals  Create Table

3  and  Database User  Equals  scott
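As an added example (not FortiDB code), the following Python evaluates alert group filters of the kind shown in the two tables above and in the bracketed example under Filtering and searching alerts: rows joined by And/Or, brackets that set priority, and the Exclude following filters option, run over a few constructed alert records. It assumes the column names Action Type, Database User, Login Name and Policy Type as they appear in the tables, and that without brackets And binds tighter than Or (the usual SQL convention); the guide only says that brackets set the priority.

```python
"""Evaluate FortiDB-style alert group filters over alert records.

Added example, not FortiDB code. It models the Filters tab described in the
guide: rows of (logical operator, column, comparison operator, value), "("
and ")" brackets that set priority, and "Exclude following filters".
"""
from dataclasses import dataclass

@dataclass
class Row:
    column: str
    cmp: str            # "Equals" or "Not Equal"
    value: object       # one value, or a list of accepted values
    op: str = ""        # "and" / "or"; empty on the first row only
    opens: int = 0      # number of "(" placed before this row
    closes: int = 0     # number of ")" placed after this row

@dataclass
class Group:
    name: str
    rows: list
    exclude: bool = False   # "Exclude following filters"

def _match(row, alert):
    wanted = row.value if isinstance(row.value, (list, tuple, set)) else [row.value]
    if row.cmp not in ("Equals", "Not Equal"):
        raise ValueError(f"unsupported comparison operator {row.cmp!r}")
    return (alert.get(row.column) in wanted) == (row.cmp == "Equals")

def _tokens(rows):
    """Flatten the rows into an infix token stream of rows, and/or, ( and )."""
    for i, r in enumerate(rows):
        if (i == 0) != (r.op == ""):
            raise ValueError("exactly the first row must omit the And/Or operator")
        yield from ([r.op] if r.op else []) + ["("] * r.opens + [r] + [")"] * r.closes

def _evaluate(tokens, alert):
    # expr := term ("or" term)*; term := factor ("and" factor)*; factor := "(" expr ")" | row
    # Assumption: without brackets And binds tighter than Or, as in SQL (the guide
    # only says that brackets set the priority).
    pos = 0
    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected is not None and tokens[pos] != expected):
            raise ValueError("unbalanced brackets")
        pos += 1
        return tokens[pos - 1]
    def factor():
        tok = take()
        if tok == "(":
            value, _ = expr(), take(")")
            return value
        if isinstance(tok, Row):
            return _match(tok, alert)
        raise ValueError(f"unexpected token {tok!r}")
    def chain(word, operand, combine):
        value = operand()
        while pos < len(tokens) and tokens[pos] == word:
            take()
            value = combine(operand(), value)   # always consume the next operand
        return value
    def term():
        return chain("and", factor, lambda a, b: a and b)
    def expr():
        return chain("or", term, lambda a, b: a or b)
    result = expr()
    if pos != len(tokens):
        raise ValueError("unbalanced brackets")
    return result

def matches(group, alert):
    result = _evaluate(list(_tokens(group.rows)), alert)
    return not result if group.exclude else result

def select(group, alerts):
    """IDs of the alerts that belong to the group, in list order."""
    return [a["ID"] for a in alerts if matches(group, a)]

# "Table change by non-system user" in the bracketed form given under
# "Filtering and searching alerts" (the alert group table uses And on both rows).
TABLE_CHANGE = Group("Table change by non-system user", [
    Row("Action Type", "Equals", ["Delete", "Insert", "Truncate", "Update"]),
    Row("Database User", "Not Equal", "SYSTEM", op="and", opens=1),
    Row("Login Name", "Not Equal", "SYSTEM", op="or", closes=1)])

def _alert(alert_id, policy_type, action, db_user, login):
    return {"ID": alert_id, "Policy Type": policy_type, "Action Type": action,
            "Database User": db_user, "Login Name": login}

# Constructed alert records, not real FortiDB output.
ALERTS = [
    _alert(1, "Table Policies", "Delete", "SCOTT", "scott"),
    _alert(2, "Table Policies", "Update", "SYSTEM", "SYSTEM"),
    _alert(3, "Table Policies", "Select", "SCOTT", "scott"),
    _alert(4, "Metadata Policies", "Create Table", "scott", "scott"),
    _alert(5, "Metadata Policies", "Create Table", "SYSTEM", "SYSTEM"),
    _alert(6, "Table Policies", "Insert", "SYSTEM", "jsmith"),
]
```

select(TABLE_CHANGE, ALERTS) returns [1, 6]: the bracketed Or admits alert 6, where the database user is SYSTEM but the login is not, while the And-on-both-rows form of the same group in the table above admits only alert 1. Leaving the brackets out changes the meaning again, because the Or then applies to everything on its left and alerts 3 and 4 are admitted as well. When a group combines And and Or, check it against a handful of known alerts before relying on it in a report.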

See also

l Viewing alerts on page 191

l User-defined DAM reports on page 214

Alerts summary

The Alerts Summary page summarizes alert statistics and recent trends. The DB Activity Monitoring table shows alert counts for today, for recent years, and in total. It also displays the number of databases FortiDB is monitoring and the current number of alert groups.


The alert trend charts show how the alert counts changed over time, with trends for the last 7 days, last 30 days, last 90 days, and last 12 months.

See also

l Viewing alerts on page 191

l Alerts analysis on page 197

Alerts analysis

The Alerts Analysis page allows you to analyze the alerts received within a date range that you specify.

Columns Descriptions

Status An icon indicating the state of the analysis:

l newly created or edited

l queued to run

l running

l complete

Target Target to analyze, either a specific target or ALL

Alert Received From Start date of alerts

Alert Received To End date of alerts

Analyze Time The time at which the analysis ran

Action Click the Edit icon to edit the analysis, or the View icon to view the analysis result

To analyze alerts

1. Click Add. To edit an existing analysis, click its name or click the Edit icon in the Action column.

2. On the analysis add/edit page, enter the name, select the target (All or a single target), specify the alert received date range, and click Save. The range includes alerts received on the Received To day; for example, From "March 1" to "March 31" covers all alerts received in March.

3. Select the check box for the analysis.

4. Click Run.

5. To view the results, click the View icon in the Action column, or click the time at which the analysis finished.

To view the results of an analysis

Do one of the following:


l In the Action column, click (View).

l Click an Analyze Time value.

The analysis result page displays the following information:

l Analysis Summary: Target, Alerts date range, and Total alerts count in this range.

l Statistics Chart: Alerts statistics date-series chart.

l More alerts statistics by different category:

l By Target (for analyses with the target All)

l By Severity

l By Policy

l By Action

l By DB Login

l By DB User

l By Client Location (Top 10)

l By Client Application (Top 10)

See also

l Viewing alerts on page 191

l Alerts summary on page 196

Viewing audit records (activity auditing results)

The Activity Auditing page displays a list of audit records with their details. The audit records that FortiDB generates while monitoring a database are determined by the activity auditing option you specify: Log All, or the policies selected on the Audit Policy Groups tab. Activity auditing requires that the target database is monitored using the TCP/IP sniffer. For more information, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 177.

Audit record list columns

Columns Descriptions

ID Audit ID. This number is set sequentially.

Type An icon indicating what generated the audit record:

l the Log All option enabled for target monitoring

l a Table Policy

l a Table and Column Policy

l a Session Policy

l a User Policy

l a Database Policy

l a Privilege Policy

l a Metadata Policy

Timestamp Audit timestamp

Target Target database name.

Source Hostname/IP Hostname and IP address of source client.

Action Action of database activity

DB User Database user of action.

SQL Text SQL Text.

See also

l Filtering and searching the audit record list on page 199

l Viewing audit record details on page 199

Filtering and searching the audit record list

To filter the audits by audit group, select an option from the View list. For more information on audit groups, see Audit group on page 200. To search the audits, click Search/New Group, specify the search criteria, then click Search. You can save the search criteria as an audit group. For more information on the search and group creation options, see Searching or filtering the target list on page 92. To edit your saved group, select the group from View dropdown list, click Edit, modify the search criteria, and then click Save Group. To display audit records for a specific time range, specify the Received from and To time, enter the Limit to value, and then click Refresh.

See also

l Viewing audit records (activity auditing results) on page 198

l Viewing audit record details on page 199

Viewing audit record details

Click an audit record to display its details at the bottom of the audit record list.

Field Name Description

ID Audit ID. FortiDB sets this number sequentially.

Timestamp The date and time activity audited.


Target/IP Target database name and database server's IP address.

Target Service Port Target database server's service port.

Policy Type Type of audit policy that generated the audit record. Shows "All" if the Log All option is enabled.

Policy Name Name of the audit policy that generated the audit record. For example, Tables, Column Privileges, tablePolicy1, etc.

Action Activity action.

Source Hostname/IP Hostname and IP address of source client.

Source MAC MAC address of source client.

DB User DB user who took an action.

SQL Text SQL Statements text of activity.

See also

l Viewing audit records (activity auditing results) on page 198

l Filtering and searching the audit record list on page 199

Audit group

The Audit Group page allows you to organize audit records. You use audit groups to filter the list of audit records displayed on the Activity Auditing page and to filter the information in a DAM report.

Add, edit, or delete an audit group

Use the Audit Group page to perform the following tasks:

l To create a new group, click Add.

l To modify group settings, click the name of the group or the Edit icon in the Action column.

l To delete a group, select the check box of one or more user-defined audit groups, and then click Delete.

Alternatively, you can create a new group when you search the list of audit records on the Activity Auditing page. (See Filtering and searching the audit record list on page 199.)

Pre-defined audit groups

FortiDB has pre-defined audit groups that you can use to add and modify filtering criteria.


Pre-defined audit groups Descriptions

All All available policies

All DB2 Policies All policies that are supported for DB2 databases

All MySQL Policies All policies that are supported for MySQL databases

All Oracle Policies All policies that are supported for Oracle databases

All SQL Server Policies All policies that are supported for Microsoft SQL Server databases

All Sybase Policies All policies that are supported for Sybase databases

Data Policies All policies that trigger on table, table-column, user, or session changes to the target database

Metadata Policies All policies that trigger on metadata changes to the target database

Privilege Policies All policies that trigger on privilege changes to the target database

SYS Operations Policies that monitor SYS operations

Data filter for an audit group

Use the Filters tab to define filtering criteria for a group. For information on the filtering options, see Data filter for an alert group on page 196.

See also

l Viewing audit records (activity auditing results) on page 198

Activity profiling

FortiDB’s activity profiling feature generates statistics about database activity by user and table. You can use these statistics as a baseline when you configure policies that identify suspicious access patterns. Activity profiling requires the appliance version of FortiDB and the TCP/IP sniffer collection method. For information on using the sniffer, see Configuring monitoring using the TCP/IP sniffer (all database types) on page 177.

See also

l Viewing status and summary information for activity profiling on page 201

l Viewing and exporting activity profiling results on page 202

Viewing status and summary information for activity profiling

The Activity Profiling page displays target profiling status and a summary of profiling results.


Activity Profiling page columns

Columns Descriptions

Status An icon indicating one of the following:

l the target is not monitored

l monitoring and profiling are active

l monitoring is active and profiling is not enabled

Name Target name. Click to view detailed profiling results.

DB Host Name/IP Database host name or IP address of your target database computer

DB Type The type of database

Profiling Statistics Total number of activities since profiling started

Profiling Start Time Either the time when FortiDB started monitoring the database or the time when you last cleared the profiling results

Action l Click the View Profiling Detail icon to view detailed profiling information for the target.

l Click the Reset Profiling Statistics icon to clear the existing profiling results for the target. If monitoring with profiling is enabled, FortiDB sets Profiling Start Time to the current time; otherwise, it sets Profiling Start Time when monitoring starts.

To display profiling status and summary information for a specific target group, in the View list, select a target group.

See also

l Viewing and exporting activity profiling results on page 202

Viewing and exporting activity profiling results

The Target DB Activity Profiling page displays detailed profiling results. FortiDB organizes profiling results for specific targets by database login and user, source clients, and database table access. To view statistics for a login or user, in the DB Login/User list, select the appropriate name.

Source clients access list

Source clients access list columns

Columns Descriptions

Source IP IP address of database source client


OS Hostname Hostname of source client

Source Application Application name of source client

OS User Operating system (OS) user name

Session Count Database access session count from this source client

Database tables access list

The database tables access list displays all database tables accessed by the selected login or user and information about the related access actions. The Table Name column displays the name of the table that the login or user accessed. (For Oracle databases, this can also be the name of a synonym.) The other columns display the count for each of the following actions:

l Select

l Update

l Insert

l Delete

l Create

l Alter

l Drop

l Trunc

l Grant

l Revoke

Exporting profiling results

For information on generating and exporting an activity profiling report that runs at a scheduled time and is sent automatically to recipients by email, see Activity Profiling Reports on page 226.

To export the detailed profiling results as report

1. For Export as, select one of the following file formats:

l PDF (.pdf)

l Excel (.xls)

l Tab (.txt)

l CSV (.csv)

2. Click Export.

See also

l Viewing status and summary information for activity profiling on page 201


SOX audit

When you use one or more policies from the Sox Policies DAM alert policy group to monitor the target database, FortiDB saves SOX compliance audit logs. The Sox Audit page displays these logs. To filter them, in the Target list select the target database, enter From and To dates, and then click Refresh.

See also

l PCI, SOX, and HIPAA alert policies on page 154

l PCI, SOX, and HIPAA reports on page 218


Logs

Local monitoring log

The Local Monitoring Log page lists monitoring event logs. Each log entry includes Date, Target, Policy name, Severity, and Description. On the Local Monitoring Log page, you can:

l Display logs filtered by the severity level that you select from the Severity dropdown list.

l Display logs filtered by the target database that you select from the Target dropdown list.

l Display logs filtered by the date range you select from the From and To fields.

l Export the current list by selecting Export

l Delete all logs by selecting Delete All

l Schedule error checks using one of the following options:

l Run Once: checks for errors at the time specified by Starts at.

l Recurring: checks for errors during the interval specified by Starts at and End by.

Local audit trail

The local audit trail feature allows you to capture the following information as audit trail records:

l All administrator activities: add/delete/update administrators, add/delete/update policies or policy groups, add/delete/update targets or target groups, add/delete/run assessments, archive, restore, log on, and system configuration.

l System activities: start and stop.

You can filter the list of audit trail records by date. You can also export the list as a tab-delimited text file, which you can open in spreadsheet applications such as Microsoft Excel.

To display the audit trail, an administrator requires the System Administrator role.

To enable the local audit trail

1. In the navigation menu, go to Administration > Global Configuration.

2. On the User Profile/Security tab, for Enable Local Audit Trail, select true.

3. Click Save.


See also

l Viewing and managing the audit trail records on page 206

l Examples of audit trail records on page 207

Viewing and managing the audit trail records

To view the local audit trail, in the navigation menu, click Administration > Local audit trail.

Column Description

Timestamp The date and time of the action.

Action The action that occurred.

By The name of the account that performed the action. For example, the admin account. Note: When FortiDB invokes actions such as scheduled scan, scheduled archive, start FortiDB, and stop FortiDB, “internal” is displayed in this column.

Location The location where the action occurred. For example, local or the remote location where the account logged in, which is displayed as an IP address or host name. Note: When FortiDB invokes actions such as scheduled scan, scheduled archive, start FortiDB, and stop FortiDB, “internal” is displayed in this column.

Object Name The object that the action affected.

To filter the list of local audit records by date, either enter start and end dates or click the calendar icon to select dates, and then click Apply. To sort the list, click a column heading to sort using values in that column. Click Delete to delete the audit trail records in the selected date range.

If the Local Audit Trail global setting is enabled and you delete audit trail records, FortiDB generates an audit trail record for the delete action.

Select the Export button to export the audit trail records in the selected date range as a comma-delimited text file.

See also

l Examples of audit trail records on page 207


Examples of audit trail records

Timestamp: 2009-02-26 16:06:47
Action: Update
By: admin
Location: 172.30.63.50
Object Name: VA Policy: DVA IBM DB2 UDB 02.11 Latest Fixpak not installed
------
Timestamp: 2009-02-26 15:36:31
Action: Scan
By: jsmith
Location: 172.30.63.40
Object Name: VA Scan: Latest Patch Policies
------
Timestamp: 2009-09-09 15:02:25
Action: Add
By: admin
Location: 172.30.63.50
Object Name: DAM Policy Group: tablePolicy1_2 Group
------
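The following parser and review is an added example, not FortiDB code. It splits records of the layout shown above on the dashed separators, matches the field labels in their fixed order so that a colon inside an Object Name (such as "VA Policy: DVA IBM DB2 ...") does not break a field, accepts records written on one line or one field per line, and then applies three review rules of its own: By and Location must agree about "internal", configuration changes by an account must come from an approved administrator network or host name, and every Delete is listed because deleting audit trail records is itself audited. The three records from the guide plus three constructed ones, the administrator network 172.30.63.0/24 and the host name are all assumptions made for the example.

```python
"""Parse FortiDB local audit trail records and review them.

Added example, not FortiDB code. The record layout (Timestamp, Action, By,
Location, Object Name, records separated by a run of dashes) follows the
sample records in the guide; the records, networks and host names below are
constructed, and the review rules are this example's own policy.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

FIELDS = ("Timestamp", "Action", "By", "Location", "Object Name")
CHANGE_ACTIONS = {"Add", "Update", "Delete"}

# Labels are matched in their fixed order, so a colon inside a value (for
# example "Object Name: VA Policy: DVA IBM DB2 ...") does not split a field.
# Works for records on one line and for one field per line.
_RECORD_RE = re.compile(
    r"Timestamp:\s*(?P<Timestamp>.+?)\s+Action:\s*(?P<Action>.+?)\s+By:\s*(?P<By>.+?)"
    r"\s+Location:\s*(?P<Location>.+?)\s+Object Name:\s*(?P<Object_Name>.*)$",
    re.DOTALL,
)

def parse_audit_trail(text):
    """Return one dict per record, with Timestamp converted to a datetime."""
    records = []
    for chunk in re.split(r"-{3,}", text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = _RECORD_RE.match(chunk)
        if m is None:
            raise ValueError(f"unrecognised audit trail record: {chunk[:40]!r}")
        rec = {f: m.group(f.replace(" ", "_")).strip() for f in FIELDS}
        rec["Timestamp"] = datetime.strptime(rec["Timestamp"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records

def _in_admin_scope(location, networks, hosts):
    """True if the location is an approved admin address or host name."""
    try:
        addr = ip_address(location)
    except ValueError:          # a host name rather than an address
        return location in hosts
    return any(addr in net for net in networks)

def review(records, admin_networks=(), admin_hosts=()):
    """Findings (record plus reason) for records that deserve a second look.

    Rules (this example's policy, not a FortiDB feature):
      * By and Location read "internal" together or not at all, since both
        columns show "internal" for actions FortiDB invokes itself
      * Add/Update/Delete by an account must come from an approved admin
        network or host name
      * every Delete is listed, because deleting audit trail records is
        itself audited and should always have a known owner
    """
    networks = [ip_network(n) for n in admin_networks]
    hosts = set(admin_hosts)
    findings = []
    for rec in records:
        by, loc, action = rec["By"], rec["Location"], rec["Action"]
        if (by == "internal") != (loc == "internal"):
            findings.append({**rec, "reason": "internal account and location disagree"})
        elif by != "internal":
            if action in CHANGE_ACTIONS and not _in_admin_scope(loc, networks, hosts):
                findings.append({**rec, "reason": "change from outside admin networks"})
            if action == "Delete":
                findings.append({**rec, "reason": "delete action"})
    return findings

def summarise(findings):
    """(By, reason) pairs in record order, for a quick look at the result."""
    return [(f["By"], f["reason"]) for f in findings]

# Constructed sample: the guide's three example records plus three made up.
SAMPLE_AUDIT_TRAIL = """\
Timestamp:2009-02-26 16:06:47 Action: Update By: admin Location: 172.30.63.50 Object Name: VA Policy: DVA IBM DB2 UDB 02.11 Latest Fixpak not installed
------
Timestamp:2009-02-26 15:36:31 Action: Scan By: jsmith Location: 172.30.63.40 Object Name: VA Scan: Latest Patch Policies
------
Timestamp:2009-09-09 15:02:25 Action: Add By: admin Location: 172.30.63.50 Object Name: DAM Policy Group: tablePolicy1_2 Group
------
Timestamp:2009-09-10 02:15:00 Action: Delete By: jsmith Location: 10.0.0.7 Object Name: Target: prod-oracle-01
------
Timestamp:2009-09-10 03:00:00 Action: Scan By: internal Location: internal Object Name: VA Scan: Latest Patch Policies
------
Timestamp:2009-09-10 04:00:00 Action: Update By: internal Location: 172.30.63.40 Object Name: Target Group: finance
------
"""
```

With admin_networks=["172.30.63.0/24"], review(parse_audit_trail(SAMPLE_AUDIT_TRAIL)) reports the jsmith Delete twice (it comes from 10.0.0.7 and it is a Delete) and the last record once, because an "internal" By with a real address in Location does not match how FortiDB records its own scheduled actions. Run the same review over the exported audit trail after each change window, and treat any Delete of audit trail records that no administrator can account for as an incident in its own right.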

See also

l Viewing and managing the audit trail records on page 206


Reports

FortiDB can generate various reports, including pre-defined and user-defined vulnerability assessment (VA) reports and database activity monitoring (DAM) reports. To manage and generate VA and DAM reports, select an item in the Report menu. For other exportable reports, go to the corresponding page and use the Export function to export the report file. All reports can be exported as PDF; some can also be exported as Excel, tabbed text, or CSV.

To generate VA and DAM reports, your administrator account requires the Report Manager role.

Vulnerability assessment (VA) reports

Vulnerability assessment (VA) reports include:

l pre-defined or user-defined assessment reports

l pre-defined VA policy reports

l pre-defined sensitive data discovery reports

You can view and export VA reports manually: go to a pre-defined or user-defined VA report, select the report to preview its content, then click Export to export it as PDF or another file format. You can also schedule FortiDB to generate assessment report files automatically.

DAM reports

DAM reports include:

l pre-defined and user-defined security alert reports

l activity audit reports

l PCI, SOX, and HIPAA compliance reports

The information in activity audit reports comes from DAM activity auditing, a feature that requires the appliance version of FortiDB and the TCP/IP Sniffer collection method.

You can configure the report criteria such as data filtering, schedule, and notification of security alert reports and activity audit reports. For user-defined reports, you can also customize the display of the data table view and analysis chart view. FortiDB generates and saves security alert reports and activity audit reports in all file formats, whether you generate them manually or using a schedule.


Report files saved to disk

FortiDB saves generated report files (such as PDF or Excel (.xls)) to disk when:

l it generates DAM reports (all file types are saved for every DAM report)

l you enable the Schedule and Save Scheduled Assessment Report to Disk File option for a vulnerability assessment

To free disk space, delete report files after you download them.

Other reports you can export

You can export PDF report files for:

l Administrators Entitlement Report: Administration > Administrators

l Target Database Report: Target Database Server > Targets

l Database Discovery Report: Target Database Server > Auto Discovery

l VA Privilege Summary Report: Vulnerability Assessment > Privilege Summary

l VA Local Log Report: Vulnerability Assessment > Local Assessment Log

l DAM Security Alerts Summary Report for search result: DB Activity Monitoring > Security Alerts

l Activity Profiling Report: DB Activity Monitoring > Activity Profiling > Profiling Detail

l DAM Local Log Report: DB Activity Monitoring > Local Monitoring Log

See also

l Pre-defined VA reports on page 209

l User-defined VA reports on page 211

l Pre-defined DAM reports on page 213

l User-defined DAM reports on page 214

l PCI, SOX, and HIPAA reports on page 218

l Activity Profiling Reports on page 226

Pre-defined VA reports

Go to Report > Pre-Defined VA Reports to view a list of available reports and select a report template to use to view and export report information.

See also

l Assessment reports on page 210

l Policy reports on page 211

l Sensitive data discovery reports on page 211


Assessment reports

Assessment reports provide the results of target database assessments, including assessment statistics, vulnerability details, and the run result of each policy. To view and export an assessment report, select the report parameters (Assessment, run time, and target database), go to the Preview Report tab to view the report content, then export it in the file format you select. Pre-defined assessment reports:

l Global Detailed Report: this report gives the number and types of passed and failed policies and their details for all targets in the assessment

l Target Detailed Report: this report gives the number and types of passed and failed policies and their details

l Target Detailed Failed Report: this report gives the number and types of failed policies and their details

l Target Summary Report: this report summarizes the number and types of passed and failed policies

l Target Summary Failed Report: this report summarizes the number and types of failed policies

l Target Score Report: this report displays the scan results in graphical form

l Target Trend Report: this report displays the database policy progress over time

Statistics tables

With the exception of the target trend report, all report templates contain the following two statistics tables:

l Severity: Summarizes numbers of each state by policy-severity type

l Classification: Summarizes numbers of each state by policy-classification type

Vulnerabilities

With the exception of target score and trend reports, all report templates contain summary or detailed vulnerabilities information, which is sorted using the following categories:

l Critical Vulnerabilities

l Major Vulnerabilities

l Minor Vulnerabilities

l Cautionary Vulnerabilities

l Informational Vulnerabilities

Score report and trend report

The pre-defined Score Report template provides you a way to see vulnerability results in graphical form for all target databases used in an assessment. It also shows results by the RDBMS type of the assessed targets. The pre-defined Trend Report template provides you a way to see assessment results over time to assist your vulnerability planning and remediation efforts.

See also

l Adding or modifying assessments on page 159


Policy reports

Policy reports provide information about pre-defined and user-defined VA policies. You can generate reports for all VA policies or filter by database type, classification, severity, or policy type. FortiDB provides the following two types of policy reports:

l Policy Summary Report: Summarizes the current vulnerability assessment policies in the system

l Policy Detailed Report: Provides detailed information about the current vulnerability assessment policies in the system

See also

l Vulnerability assessment (VA) policies on page 103

Sensitive data discovery reports

Sensitive data discovery reports allow you to view and export the results of sensitive data discovery. Select the target database and discovery time to view and export the report. FortiDB provides the following two types of sensitive data discovery reports:

l Sensitive Data Discovery Detailed Report: Provides detailed information about the sensitive data discovered.

l Sensitive Data Discovery Summary Report: Provides summary information about the sensitive data discovered.

See also

l Data discovery policies and policy groups on page 124

l Sensitive data discovery on page 170

User-defined VA reports

You can customize a report template with selected columns and data from the User-Defined VA Reports and User-Defined DAM Reports pages. The User-Defined VA Reports page lists the reports you created, and allows you to add, modify, and delete reports.

Column or button Description

Name User-defined name for the report. Click the name link to modify and export the report.

Description User-defined description

Last Modified Date and time when the report was last modified

Created By User who created the report

Add Adds a report

Delete Deletes the reports whose check boxes you selected

See also

l Managing user-defined reports on page 212

Managing user-defined reports

Click Add, or click the name of an existing report, to open the report edit page.

General tab

Name and describe your report.

Columns tab

Specify which columns to include in the report. Select columns from the Available Columns list and add them to the Columns in Report list. Your report must contain at least one display column.

Grouping tab

Specify grouping criteria. In the Group Data By dropdown list, select the column by which you want to group data results. Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify Day, Week, Month, Quarter, or Year in the Group date values by dropdown to group date-related results by that period. For VA reports, you cannot group by Policy Description. You can specify two additional grouping levels in the same way, using the "and then by" and "and lastly by" dropdown lists.

Filtering tab

Specify filtering criteria:

l Define a column filtering entry in a row by selecting the Column and Operator and entering the Value.

l Add or remove filtering criteria rows with the + (plus) and - (minus) buttons. To limit the number of rows to display, select the Enter number radio button and then specify, as your row limit, any positive number less than 1000.

Export options

Export or save the report, or cancel editing.


Export the report in PDF or tab-delimited text format. Click Save to save the report, or Cancel to discard your changes.

See also

l Vulnerability assessment (VA) policies on page 103

Viewing scheduled VA reports

The Scheduled VA Reports page allows you to manage report files generated by scheduled vulnerability assessments. A VA configuration generates a scheduled VA report file and saves it to disk when both of the following are set:

l Enable schedule for Vulnerability Assessment

l Enable the report option Save Scheduled Assessment Report to Disk File

For information on configuring assessments, see Adding or modifying assessments on page 159. The target database name and report filename are listed on the Scheduled VA Reports page. Click the report filename to download or open the report file. Select the check box for one or more reports and click Download to download them as a ZIP archive, or click Delete to delete the selected report files.

See also

l Running an assessment at a specified date and time on page 160

Pre-defined DAM reports

Pre-defined DAM reports display security alert data or activity audit events, which you can filter to exclude records from the report data. Go to Report > Pre-Defined DAM Reports and select the Security Alert Reports or Activity Audit Reports tab to configure and run reports from a pre-defined template, browse the generated report content, and download report files.

Activity Audit Reports are available only on the FortiDB appliance, and only for target databases monitored with the TCP/IP sniffer collection method. For details, see Viewing audit records (activity auditing results) on page 198.

The following pre-defined report templates are available for pre-defined DAM reports.

Pre-defined Security Alert Reports:

l Security Alert Detailed report: this report shows the details for all alerts generated within the report filter criteria.

l Security Alert Summary report: this report summarizes the alerts generated within the report filter criteria.

l Security Alert Statistical report: this report summarizes statistical information about alerts generated based on rules-violations, policies, and severities.


Pre-defined Audit Reports:

l Activity Audit Detailed report: this report shows the details for all activity audit events generated within the report filter criteria.

l Activity Audit Summary report: this report summarizes the activity audit events generated within the report filter criteria.

See also

l Report management on page 214

l Filtering report data on page 215

l Schedule and notification on page 216

User-defined DAM reports

The User-Defined DAM Reports page allows you to filter report data, configure scheduling and notification, and customize the report layout. Go to Report > User-Defined DAM Reports, click the User-Defined Alert Reports or User-Defined Audit Reports tab for your report type, and then define the report.

See also

l Report management on page 214

l Filtering report data on page 215

l Schedule and notification on page 216

Report management

The Pre-Defined DAM Reports, User-Defined DAM Reports, and Activity Profiling Reports pages display a table with the following columns:

Column Description

[+] [-] Click to expand or collapse the 10 most recent results for a report. When the item is expanded, you can do the following:

l Click the name of a report instance (which contains the time FortiDB generated it) to view the report contents in HTML format.

l Click one of the file format icons on the right (PDF/TXT/XLS/CSV) to download the report.

Status One of three icons indicates that the report is idle, running, or scheduled to run.

Name Click to configure the report

Description Report description specified in the report configuration

Last Modified Date and time when an administrator last modified the report

Created By FortiDB administrator who created the report

Results The number of times FortiDB has run the report

Action l Click the edit icon to edit the report configuration

l Click the view icon to view all instances of FortiDB running this report

To run a report

Do one of the following:

l On the Pre-Defined DAM Report page, use the check boxes to select one or more reports to run, and then click Run.

l On the User-Defined DAM Report page, if the report you want to run is not in the list, click Add and configure the report. Then use the check boxes to select one or more reports to run, and then click Run.

l On the Activity Profiling Reports page, click Run. For information on configuring an activity profiling report, see Activity Profiling Reports on page 226.

See also

l Pre-defined DAM reports on page 213

l Activity Profiling Reports on page 226

Filtering report data

When you add or edit a DAM report, use the Data Filter tab to select the data the report includes.

Data time range

You can filter the report data by a dynamic time period or by a specific time range. For a dynamic time period, select the Last Period option, enter the period value, and select the period unit: Day, Week, or Month. FortiDB recalculates the dynamic time range every time the report runs, whether manually or on a schedule. For example, with a period of "last 2 days", FortiDB includes the alerts (or audit records) received in the 48 hours before the moment the report runs. For a specific time range, select the Date Range option and enter the from and to date/time.

Records limit

In Limit to, enter the maximum number of records to display in the report data table.


Custom data filters

Custom Data Filters allow you to configure filtering criteria as conditions on columns. The filter configuration is the same as configuring filtering criteria for an Alert/Audit Search Group. For details, see Filtering and searching alerts on page 193. For a DAM Alerts report, you can select the Alert Group option and choose a group from the dropdown list to reuse that group's filter settings for the report. For a DAM Audits report, you can select the Audit Group option and choose a group from the dropdown list in the same way.

Configuring data displays

The Table View tab allows you to configure data table display and the Analysis tab allows you to configure analysis charts.

Data table view

To configure which data columns are displayed in the report, select columns from the Available Columns list and add them to the Columns in Report list. You can also group the rows in the report's data table (optional). In the Group Data By dropdown list, select the column by which you want to group data results. Optionally, specify a sort order in the Order dropdown (Ascending or Descending), and specify Day, Week, Month, Quarter, or Year in the Group date values by dropdown to group date-related results by that period.

Adding analysis charts and statistics tables to reports

You can add multiple analyses, each with a statistics chart and table, to a report. You define each analysis in a row in the Analysis tab. Click + (plus) or - (minus) to add or remove rows. To configure an analysis:

1. Select the Chart type: Pie or Bar.

2. From the Column type dropdown list, select the data column whose values you want to count.

3. For a DAM Alert report, you can select Severity or Status as a second Column type for a Bar chart. The enumeration of Severity or Status is listed as the Y-axis in the statistics table.

4. If the data comes from multiple target databases, select the Group by target check box to generate a separate analysis chart and statistics table for each target.

5. Enter the Max item number for the data column.

6. Select Count others to add Others as the last column of the analysis chart and table.
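The following Python script is an added worked example, not FortiDB code, that reproduces the data-filter and analysis behaviour described above on a constructed set of alerts: the Last Period window recomputed from the run time, the Limit to row cap, the Group date values by buckets, and the Max item / Count others roll-up, with and without Group by target. The alert records, their field names, the run time and the 30-day month are assumptions made for the example.

```python
"""Added example (not FortiDB code): the DAM report data filter and
analysis behaviour described above, on a constructed set of alerts."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts; field names are assumptions, not FortiDB's schema.
ALERTS = [
    {"time": datetime(2018, 10, 30, 9, 0), "target": "erp-db", "severity": "High", "user": "scott"},
    {"time": datetime(2018, 10, 30, 11, 0), "target": "erp-db", "severity": "Medium", "user": "app_user"},
    {"time": datetime(2018, 10, 31, 8, 0), "target": "hr-db", "severity": "High", "user": "hr_admin"},
    {"time": datetime(2018, 10, 29, 7, 0), "target": "hr-db", "severity": "Low", "user": "scott"},
    {"time": datetime(2018, 10, 27, 7, 0), "target": "erp-db", "severity": "High", "user": "scott"},
    {"time": datetime(2018, 10, 31, 8, 30), "target": "erp-db", "severity": "Low", "user": "batch"},
]
RUN_TIME = datetime(2018, 10, 31, 10, 0)        # assumed time the report runs
UNIT_DAYS = {"Day": 1, "Week": 7, "Month": 30}  # 30-day month is an assumption

def last_period_window(run_time, value, unit):
    """'Last Period' filter, recomputed at every run: 'last 2 days' run at
    10:00 covers the 48 hours ending at 10:00."""
    return run_time - timedelta(days=value * UNIT_DAYS[unit]), run_time

def filter_alerts(alerts, run_time, value, unit, limit):
    """Apply the time window, newest first, then the 'Limit to' row cap."""
    start, end = last_period_window(run_time, value, unit)
    hits = [a for a in alerts if start <= a["time"] < end]
    hits.sort(key=lambda a: a["time"], reverse=True)
    return hits[:limit]

def date_bucket(ts, granularity):
    """Bucket label for 'Group date values by' Day/Week/Month/Quarter/Year."""
    if granularity == "Day":
        return ts.strftime("%Y-%m-%d")
    if granularity == "Week":
        year, week, _ = ts.isocalendar()
        return "%d-W%02d" % (year, week)
    if granularity == "Month":
        return ts.strftime("%Y-%m")
    if granularity == "Quarter":
        return "%d-Q%d" % (ts.year, (ts.month - 1) // 3 + 1)
    if granularity == "Year":
        return str(ts.year)
    raise ValueError("unknown granularity: %s" % granularity)

def group_by_date(alerts, granularity):
    """'Group Data By' the time column: alert counts per date bucket."""
    counts = Counter(date_bucket(a["time"], granularity) for a in alerts)
    return dict(sorted(counts.items()))

def analysis(alerts, column, max_items, count_others=True, group_by_target=False):
    """Pie/Bar analysis: count one column, keep the top max_items values and
    roll the rest into 'Others' when count_others is on. With group_by_target
    a separate table is built per target database."""
    groups = {}
    for a in alerts:
        key = a["target"] if group_by_target else "all"
        groups.setdefault(key, Counter())[a[column]] += 1
    result = {}
    for key, counts in groups.items():
        top = counts.most_common(max_items)
        rest = sum(counts.values()) - sum(n for _, n in top)
        table = dict(top)
        if count_others and rest:
            table["Others"] = rest
        result[key] = table
    return result

if __name__ == "__main__":
    recent = filter_alerts(ALERTS, RUN_TIME, 2, "Day", limit=3)
    print("last 2 days, limit 3:", [(a["time"].isoformat(), a["user"]) for a in recent])
    print("per day:", group_by_date(ALERTS, "Day"))
    print("top-2 users + Others:", analysis(ALERTS, "user", 2))
    print("severity per target:", analysis(ALERTS, "severity", 5, group_by_target=True))
```

Note that the 48-hour window is half-open: an alert stamped exactly at the run time is excluded, and the alert from 07:00 on October 29 falls outside a "last 2 days" window evaluated at 10:00 on October 31, which is what makes scheduled runs of the same report non-overlapping.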

Schedule and notification

Both pre-defined and user-defined DAM reports allow you to configure a schedule and email notification.


FortiDB only sends email notifications for reports that run on a schedule.

Go to the Schedule tab to configure the schedule, and to the Notification tab to configure email notification.

Scheduling reports

The report scheduler allows you to set when report generation starts, how often reports are generated, and when generation stops. Select the Enable Schedule check box to enable the scheduler. There are two ways to set up the schedule:

Scheduled Type Description When to Run

Run Once Report generation occurs once, at the time you set in the Start at field. The report uses the date range set in the Date Range field.

Recurring Report generation starts at the time set in the Start at field and continues until the End by time. The Recurrence pattern can be Minutely, Hourly, Daily, Weekly, or Monthly. Enter the value for the recurring time interval.

Email notification for scheduled reports

Email notification allows FortiDB to send the report files by email at the scheduled time. Select Enable Email to enable email notification. You must designate one or more email receivers: select one or more entries in the Available Receivers list box and add them to the Selected Receivers list.

You must set the email server and user properties in the Global Configuration before email notification can work.

Select the Report formats of the report files you want included in the email.

See also

l Notification properties on page 63


PCI, SOX, and HIPAA reports

FortiDB provides the following types of compliance reports to help you achieve compliance with both internal and external requirements:

l Sarbanes-Oxley (SOX)

l Payment Card Industry Data Security Standard (PCI DSS)

l Health Insurance Portability & Accountability Act (HIPAA)

Some compliance reports must be generated weekly, monthly, or quarterly.

PCI compliance report templates

Name Description Required option settings

PCI - Invalid Operation Identifies failed access attempts. This should be reviewed on a periodic basis by IT. Object Audit Options

PCI - Privileged User Action Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management. User Audit Options

PCI - System Object Operations Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management. Not required

PCI - Access to Credit Card tables Tracks all access/changes by the administrative accounts. The administrative accounts need to be specified during the configuration stage. The report should be reviewed and commented on by appropriate management. Object Audit Options

PCI - Successful/Unsuccessful Database Logins Tracks all successful and failed logins. Not required

SOX compliance report templates

Name Description Required option settings

Abnormal or Unauthorized Changes to Data This report shows all changes made to data by any account other than the application user account. Object Audit Options or User Audit Options

Abnormal Termination of Database Activity This report shows failed database processes (i.e. financial transactions or failed login attempts) originating from an application server. Object Audit Options or User Audit Options

Abnormal Use of Service Accounts This report shows service accounts and the associated or related transaction origins. For example, the use of a service account from an origin other than the application server would be shown. Object Audit Options or User Audit Options

End of Period Adjustments This report shows changes to the general ledger at month-, quarter-, and year-end. Object Audit Options

History Of Privilege Changes This report shows changes to user access rights that were elevated or lessened in the database over time. Not required

Verification of Audit Settings This report shows changes to configurable audit parameters. Not required

HIPAA compliance report templates

Name Description Required option settings

Privilege Changes This report shows all user account additions, deletions, and changes. Object Audit Options

Logins This report shows all successful and failed login attempts. Not required

Security Incident Procedures This report shows what methods are used to communicate with external systems in case of security incidents. Not required

Access to the Assessment Logs This report shows all activities related to the assessment logs. Not required

Access to EPHI Data This report shows all access and changes to the EPHI data made by any account. Object Audit Options

User Privileges on EPHI Data This report shows all users with access privileges for EPHI data. Object Audit Options

Privilege Summary This report shows all users with privileges. Not required

Audit Controls This report shows all audit settings. Not required

You cannot use regulatory compliance reports to monitor activity at the column level.


See also

l General steps for generating PCI, SOX, and HIPAA reports on page 220

l Report: Abnormal Termination of Database Activity on page 221

l Report: Abnormal or Unauthorized Changes to Data on page 221

l Report: Abnormal Use of Service Accounts on page 222

l Report: End of Period Adjustments on page 223

l Report: History of Privilege Changes on page 224

l Report: Verification of Audit Settings on page 225

General steps for generating PCI, SOX, and HIPAA reports

1. Configure your target databases. See Pre-configuration for monitoring target databases on page 69.

2. Configure the FortiDB connection to your target databases. See Adding (or modifying) a target connection on page 93.

3. Configure FortiDB compliance policies. See Configuring PCI, SOX and HIPAA policies on page 154.

4. Configure and start monitoring for the target database. For details, see Configuring target database monitoring on page 176.

5. Assuming that several violations occurred in your target database, under Reports, go to PCI Reports, Sox Reports, or HIPAA Reports.

6. Select one of the reports and export it:

l In the Export as field, select the output format from the dropdown list: PDF, Excel, or CSV.

l (Optional) Enter a W/P reference and/or Customer name in each field.

l Enter the Date Range for data retrieval.

The date entered in these fields means 00:00 (midnight) of that day. For example, 9/23/09 means 00:00 AM on 9/23/09, so the end date itself is not included in the range.

l Select one or more target databases, or select the All Targets check box for all databases.

l (Optional) Set filters to display only specific data in the report.

l Click Export to generate and export the report file.

See also

l PCI, SOX, and HIPAA reports on page 218

l Report: Abnormal Termination of Database Activity on page 221

l Report: Abnormal or Unauthorized Changes to Data on page 221

l Report: Abnormal Use of Service Accounts on page 222

l Report: End of Period Adjustments on page 223

l Report: History of Privilege Changes on page 224

l Report: Verification of Audit Settings on page 225


Report: Abnormal Termination of Database Activity

This report identifies failed database processes (that is, financial transactions) originating from the application server. This report should be reviewed on a daily basis by IT Management.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number Description

DS10.1 Routine transactions and processes between the application and the database are reviewed on a daily basis for successful completion by IT Management.

Setup requirements

Sox Abnormal Termination of Database Activity policy: Object Audit Options and/or User Audit Options

Report columns

The following columns are displayed in the report body.

Columns Description

User ID The ID of the database user that conducted the flagged activity

Object The name and owner of the database object that was directly manipulated by the flagged activity

Timestamp The exact time the flagged activity was conducted

Terminal The terminal IP address or name

Origin Application The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server

Action Type The type of action successfully enacted by the User ID.

Error Code The proprietary error code generated by the originating application.

See also

l General steps for generating PCI, SOX, and HIPAA reports on page 220

Report: Abnormal or Unauthorized Changes to Data

This report tracks all changes made to data by any account other than the application user account. The report should be reviewed and commented on by appropriate management on a quarterly basis.


COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number Description

AI2.3 Unauthorized changes to data by non-application accounts are tracked and reviewed by IT Management on a quarterly basis.

Setup requirements

Sox Abnormal or Unauthorized Changes to Data policy: Object Audit Options

Report columns

The following columns are displayed in the report body:

Columns Description

User ID The ID of the database user that conducted the flagged activity

Object The name and owner of the database object that was directly manipulated by the flagged activity

Timestamp The exact time the flagged activity was conducted

Terminal The terminal IP address or name

Origin Application The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server

Action Type The type of action successfully enacted by the User ID.

By default, all actions are considered unauthorized. To mark only UPDATEs as unauthorized actions, for example, use the Filters section to filter out the other action types.

See also

l General steps for generating PCI, SOX, and HIPAA reports on page 220

Report: Abnormal Use of Service Accounts

This report identifies the use of service accounts and the associated transaction origins. For example: The use of a service account from an origin other than the application server would be identified. The report should be reviewed and commented on by IT Management on a weekly basis.


COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number Description

DS5.3 Database transactions from unauthorized sources are tracked and reviewed by IT Management on a weekly basis

Setup requirements

Sox Abnormal Use of Service Accounts policy: Object Audit Options and/or User Audit Options

Report columns

The following columns are displayed in the report body.

Columns Description

User ID The ID of the database user that conducted the flagged activity

Terminal The terminal IP address or name

Originating Application The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server

Number of Actions The number of actions attempted by the account associated with the User ID

Timestamp The exact time the flagged activity was conducted
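The following Python script is an added example, not FortiDB code, showing the flagging logic behind the two reports above (Abnormal or Unauthorized Changes to Data and Abnormal Use of Service Accounts) applied to constructed audit events. The application account name, the service account list, the application server addresses and the event records are assumptions made for the example; in FortiDB the equivalent settings come from the SOX policy configuration and the report Filters, not from code.

```python
"""Added example (not FortiDB code): the flagging logic behind the SOX
'Abnormal or Unauthorized Changes to Data' and 'Abnormal Use of Service
Accounts' reports, applied to constructed audit events."""
from collections import Counter

# Assumed names for the example; in FortiDB these come from the SOX policy
# configuration and the report Filters.
APP_USER = "erp_app"                         # the application user account
SERVICE_ACCOUNTS = {"erp_app", "batch_svc"}  # accounts only servers should use
APP_SERVERS = {"10.0.1.10", "10.0.1.11"}     # terminals service accounts may come from

# Constructed audit events (field names are assumptions, not FortiDB's schema).
EVENTS = [
    {"user": "erp_app", "object": "FIN.GL_ENTRIES", "action": "UPDATE", "terminal": "10.0.1.10", "app": "ERP", "ts": "2018-10-30 09:12:00"},
    {"user": "jsmith", "object": "FIN.GL_ENTRIES", "action": "UPDATE", "terminal": "10.0.5.23", "app": "sqlplus", "ts": "2018-10-30 21:40:00"},
    {"user": "jsmith", "object": "FIN.GL_ENTRIES", "action": "SELECT", "terminal": "10.0.5.23", "app": "sqlplus", "ts": "2018-10-30 21:41:00"},
    {"user": "batch_svc", "object": "FIN.AP_INVOICES", "action": "INSERT", "terminal": "10.0.1.11", "app": "batch", "ts": "2018-10-31 02:00:00"},
    {"user": "batch_svc", "object": "FIN.AP_INVOICES", "action": "DELETE", "terminal": "10.0.5.40", "app": "Toad", "ts": "2018-10-31 08:15:00"},
    {"user": "dba1", "object": "FIN.AP_INVOICES", "action": "DELETE", "terminal": "10.0.5.41", "app": "sqlplus", "ts": "2018-10-31 08:20:00"},
]

def unauthorized_changes(events, actions=None):
    """Abnormal or Unauthorized Changes to Data: every action by an account
    other than the application user. With actions=None all action types are
    flagged, as the report does by default; pass e.g. {"UPDATE"} to mirror
    using Filters to drop the other action types."""
    return [e for e in events
            if e["user"] != APP_USER and (actions is None or e["action"] in actions)]

def abnormal_service_account_use(events):
    """Abnormal Use of Service Accounts: a service account connecting from a
    terminal that is not an application server, summarised per
    (user, terminal, application) with a count, like the report's
    Number of Actions column."""
    counts = Counter()
    first_seen = {}
    for e in events:
        if e["user"] in SERVICE_ACCOUNTS and e["terminal"] not in APP_SERVERS:
            key = (e["user"], e["terminal"], e["app"])
            counts[key] += 1
            first_seen.setdefault(key, e["ts"])
    return [{"user": u, "terminal": t, "app": a, "actions": n, "timestamp": first_seen[(u, t, a)]}
            for (u, t, a), n in counts.items()]

if __name__ == "__main__":
    print("unauthorized changes (all actions):")
    for e in unauthorized_changes(EVENTS):
        print("  ", e["ts"], e["user"], e["action"], e["object"], "from", e["terminal"], e["app"])
    print("UPDATE only:", [e["user"] for e in unauthorized_changes(EVENTS, {"UPDATE"})])
    print("service accounts off the app servers:", abnormal_service_account_use(EVENTS))
```

The second list is the reason the service-account report is worth a weekly review: batch_svc running a DELETE from a workstation with an interactive client is exactly the pattern it exists to surface, while the same account's INSERT from an application server is not flagged. The first list shows why the default of treating every action as unauthorized is noisy (a SELECT by jsmith is reported next to the UPDATE) and why the Filters section matters.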

See also

l General steps for generating PCI, SOX, and HIPAA reports on page 220

Report: End of Period Adjustments

This report tracks changes to the general ledger at month/quarter/year end. The report should be reviewed and commented on by appropriate management on a monthly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number Description

AI2.3 End of period adjustments to the general ledger are tracked and reviewed by Business Management on a monthly basis.


Setup requirements

Sox End of Period Adjustments policy: Object Audit Options

Report columns

The following columns are displayed in the report body.

Columns Description

User ID The ID of the database user that conducted the flagged activity

Object The name and owner of the database object that was directly manipulated by the flagged activity

Timestamp The exact time the flagged activity was conducted

Terminal The terminal IP address or name

Origin Application The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server

Action The type of action successfully completed by the User ID.

See also

l General steps for generating PCI, SOX, and HIPAA reports on page 220

Report: History of Privilege Changes

This report tracks privileged changes to database user access rights (that is, granting of privileged or escalated access rights). The report identifies the database account that was changed, the type of privilege that was granted, the date of the change, and the account that initiated the change. The report should be reviewed by both IT and Business Management on a quarterly basis.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number Description

AI2.4, DS3.5, DS5.3, DS5.4 Changes to escalate database user access privileges are tracked for review on a quarterly basis by the IT manager and the application business manager

Setup requirements

Sox History of Privilege Changes policy: enable the policy. No Object Audit Options or User Audit Options settings are required.


Report columns

The following columns are displayed in the report body.

Columns Description

User ID The ID of the database user that conducted the flagged activity

Grantee The name of the user for whom privileges were changed

Action The type of action successfully enacted by a non-application user account. Actions include UPDATE, INSERT, and GRANT

Target The object on which the privileges were changed

Privilege Details The type of object privilege granted to, or revoked from, the grantee.

Timestamp The exact time the flagged activity was conducted.

See also

l General steps for generating PCI, SOX, and HIPAA reports on page 220

Report: Verification of Audit Settings

This report identifies any changes that have been made to the audit reporting and tracking capability of the database.

COBIT objectives

This report is designed to meet the following COBIT objectives:

Objective Number Description

DS3.5, DS5.5, DS13.3 Audit tracking is configured on all financial databases, changes to audit functionality is reviewed by IT Management on a quarterly basis.

Setup requirements

There are two requirements:

1. At least one of the following types of audit policies must run in order to collect audit data:

l Data Policies

l Privilege Policies: using the audit data retrieval method

l Metadata Policies: using the audit data retrieval method

2. To track audit activity with the Data policies, run the following commands on the target database, and then close and reopen your database connection in Data policies:

audit system audit;
audit audit system;
audit audit any;


Report columns

The following columns are displayed in the report body.

Columns Description

User ID The ID of the database user that conducted the flagged activity

OS User The OS User that conducted the flagged activity

Object The name and owner of the database object that was directly manipulated by the flagged activity

Timestamp The exact time the flagged activity was conducted

Terminal The terminal IP address or name

Origin Application The name, or other identifier, for the originating application, if the activity originated from an external application or from an application server

Action The type of action successfully enacted by the User ID.

See also

l General steps for generating PCI, SOX, and HIPAA reports on page 220

Activity Profiling Reports

FortiDB allows you to export activity profiling information in report form. You filter the information that FortiDB includes in the report by target database and, optionally, by database user and table. For information on managing reports using the Activity Profiling Reports page, see Report management on page 214. Alternatively, you can export the profiling results displayed on the Target DB Activity Profiling page. You cannot add a schedule or configure notification for this type of report. See Viewing and exporting activity profiling results on page 202.

To configure and run an activity profiling report

1. On the navigation menu, click Report > Activity Profiling Reports.

2. On the Activity Profiling Reports page, under Name, click Activity Profiling Report.

3. On the General tab, for Name, enter a name for the report and an optional description. Alternatively, you can use the default name (Activity Profiling Report). FortiDB adds the date to the name of each report it generates to distinguish it from any other reports with the default name.

4. Click the Data Filter tab.

5. For Target, select the target database whose activity profiling results you want to include in the report.

6. For DB Login/User, select either All Users or a specific user.

7. In the All Table Name list, select an item and click > (right arrow) to add it to the Selected Table Names list. Repeat this step as required until all the tables to include in the report are in the list.

To select multiple items, click an item and then Shift-click a second item. Both items and any items between them are selected. Press Control-A to select all items.

8. Optionally, use the Schedule and Notification tabs to configure FortiDB to run the report at a scheduled time and send the report to one or more FortiDB administrators using email. For detailed instructions, see Schedule and notification on page 216.

9. Click Save.

10. Do one of the following:

l If you configured the report to run at a scheduled time, wait for it to run.

l Click Run to run the report immediately.

11. When the Status value shows that the report is no longer running, click [+] (plus sign) to access the instance of the report that you generated.

See also

l Configuring monitoring using the TCP/IP sniffer (all database types) on page 177

l Activity profiling on page 201


Archiving audit data

DAM activity auditing and compliance audits that run with alert PCI, SOX, and HIPAA policies generate data that is stored in the FortiDB repository. To conserve repository space and improve performance, you can move this data to archive files that you can return to the repository later. FortiDB allows you to archive and retrieve the following types of data:

l Assessment

l Alert

l Auditing (includes sniffer activity auditing data and SOX audit data generated by alert SOX policies)

Archiving data exports it to an encrypted file. When you retrieve data, FortiDB imports it back into its repository. Depending on how often you assess or monitor databases and the number and type of policies and target databases involved, the archive files can consume a large amount of space. To make space available on your appliance, you can move the exported files to remote storage and retrieve them later, if necessary. FortiDB requires an FTP server for remote storage. You cannot use another type of server. Because FTP carries the login credentials in the clear, place the FTP server on a network segment you control and do not reuse the FTP account elsewhere; the archive files themselves are encrypted, but the FTP session is not.

To generate reports using archived data, you first retrieve the data. You cannot retrieve archived data if the target associated with the data is deleted. For example, if you archive assessment data for a target database and then delete the target configuration for that database, you cannot restore the archived assessment data.

The day and time that FortiDB created the archive is displayed in the Timestamp column on Retrieve tab. You cannot retrieve any data that you have already retrieved. This limitation prevents duplicate records in the FortiDB repository.

Archiving example

In the following illustration, FortiDB archives assessments with a date between January 8, 2008 and January 10, 2008. (Because the archive interval starts at 0:00 a.m. on the start date and ends at 0:00 a.m. on the end date, FortiDB does not archive data for January 11.) The assessments for all other dates remain in the repository.


Archiving strategy

Plan an archiving configuration that is appropriate for your environment: decide how often to archive based on your volume of data, and when to start archiving based on that frequency. For example, if you plan to keep up to 4 months' worth of data in your FortiDB repository, wait 4 months after installing FortiDB before archiving for the first time. After 4 months, in the Archive Period field of the Archive tab, select 3 Month(s) and older. This value archives all results except those that FortiDB ran during the previous three months. Schedule the archive to run immediately by specifying the current date and time. After archiving, three months' worth of data remains in your repository. To maintain this frequency, either repeat the 3 Month(s) and older archive every month or schedule it to occur automatically at an interval or on a specified day of the week or month.

Archiving data

The manual archiving process allows you to archive all assessment and monitoring data using a start and stop date. The scheduled archiving process allows you to archive data based on the age of the data relative to the date on which FortiDB does the archiving. To immediately archive data based on its age, use the scheduled archiving process (Enable Auto Archive) and specify the current time and date.

To configure remote archiving

1. On the navigation menu, go to Administration > Archive/Retrieve.

2. On the Remote Archive Configuration tab, enter the IP address, port, username, password, and remote path for the remote FTP server. The remote archiving feature works with an FTP server only.

3. Click Save to save the remote server configuration.

To archive data manually

1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab. For more information, see To retrieve archived data on page 230.

2. In the navigation menu, go to Administration > Archive/Retrieve.

3. On the Archive tab, specify a start and end date for your archive.

Because the selected dates specify 0:00 a.m. on the start date and 0:00 a.m. on the end date, the archive does not include data generated on the end date.

4. Click Archive Now. The message “Archiving Completed” is displayed in the Status area in the top-right corner of the page.

5. To send the archive to a remote server, on the Retrieve tab, select the archive you just created, and then click Send to remote server.


To archive data according to a schedule

1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab. For more information, see "To retrieve archived data" on page 260.

2. In the navigation menu, go to Administration > Archive/Retrieve.

3. On the Archive tab, select Enable Auto Archive.

4. Under Archive period, specify the end date for data in the archive by selecting the number of days, weeks, or months prior to the current date. For example, 3 Month(s) and older creates an archive that contains all results except those that FortiDB ran in the last 3 months.

5. Under Run time, do one of the following:

l Enter a time and date for Start at.

l Under Recurrence pattern, select Hourly, Daily, Weekly, or Monthly.

Hourly: Specify the hourly interval in the Every __ hours field.

Daily: Specify the daily interval in the Every __ days field.

Weekly: Specify the weekly interval in the Every __ week(s) on field, and then specify one or more days of the week on which FortiDB runs the archive.

Monthly: Specify one or more months to run your archive in, and then do one of the following:

l Select Day and specify, as a number, the day of the selected months on which FortiDB runs the archive.

l Select The of every, and then select a day of the week in each selected month to run the archive on (for example, first Monday).

6. To send the archive file to a remote server, select Enable remote archive.

7. To delete the archived file from FortiDB, select Delete archive file after sending to remote server.

8. Click Save Schedule.
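The two archive selection rules above (a manual window that runs from 0:00 on the start date up to, but not including, 0:00 on the end date, and an "N Day(s)/Week(s)/Month(s) and older" schedule that keeps the most recent N units) are modelled here as an added example; it is not FortiDB code, and the repository rows are constructed for illustration.

```python
from datetime import date, datetime, timedelta
from typing import List, Tuple

# Constructed sample repository rows: (record id, time the assessment ran).
# Not FortiDB data; chosen to sit on both sides of the archive boundaries.
SAMPLE_RECORDS: List[Tuple[str, datetime]] = [
    ("va-1", datetime(2008, 1, 7, 23, 59, 59)),
    ("va-2", datetime(2008, 1, 8, 0, 0, 0)),
    ("va-3", datetime(2008, 1, 9, 12, 30, 0)),
    ("va-4", datetime(2008, 1, 10, 23, 59, 59)),
    ("va-5", datetime(2008, 1, 11, 0, 0, 0)),
]


def manual_window(start: date, end: date) -> Tuple[datetime, datetime]:
    """Half-open interval [start 0:00, end 0:00) covered by a manual archive.
    Data generated on the end date itself is therefore never included."""
    if end <= start:
        raise ValueError("end date must be after start date")
    return (datetime.combine(start, datetime.min.time()),
            datetime.combine(end, datetime.min.time()))


def months_before(moment: datetime, months: int) -> datetime:
    """Subtract whole calendar months, clamping the day to the target month
    (31 March minus one month becomes 28 or 29 February)."""
    year, month = moment.year, moment.month - months
    while month < 1:
        month += 12
        year -= 1
    first_of_next = datetime(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def age_cutoff(now: datetime, amount: int, unit: str) -> datetime:
    """Cutoff instant for an 'N <unit>(s) and older' schedule: everything
    generated before it is archived, the most recent N units are kept."""
    if amount < 1:
        raise ValueError("archive period must be at least 1")
    if unit == "day":
        return now - timedelta(days=amount)
    if unit == "week":
        return now - timedelta(weeks=amount)
    if unit == "month":
        return months_before(now, amount)
    raise ValueError(f"unknown unit {unit!r}")


def select_for_archive(records, lower: datetime, upper: datetime) -> List[str]:
    """Ids of records whose timestamp satisfies lower <= ts < upper."""
    return [rid for rid, ts in records if lower <= ts < upper]


def manual_archive(records, start: date, end: date) -> List[str]:
    lo, hi = manual_window(start, end)
    return select_for_archive(records, lo, hi)


def scheduled_archive(records, now: datetime, amount: int, unit: str) -> List[str]:
    return select_for_archive(records, datetime.min, age_cutoff(now, amount, unit))


if __name__ == "__main__":
    print(manual_archive(SAMPLE_RECORDS, date(2008, 1, 8), date(2008, 1, 11)))
    print(scheduled_archive(SAMPLE_RECORDS, datetime(2008, 4, 10, 12, 0), 3, "month"))
```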

To retrieve archived data

1. In the navigation menu, go to Administration > Archive/Retrieve.

2. On the Retrieve tab, do one of the following:

l To retrieve an archive file that is stored on the appliance, in the list of files, select the file you want to retrieve, and then click Retrieve.

l To retrieve an archive file that is stored on the remote server, for Archive file path on remote server, enter the archive file path on the remote server, and then click Get from remote server.

When the retrieval process is complete, the message "Restoring Completed" is displayed in the Status area in the top-right corner of the page.

See also

l Configuring monitoring using the TCP/IP sniffer (all database types) on page 177

l Activity profiling on page 201


Using the command line interface (CLI)

You can use CLI commands to view system information and to change system level settings.

See also

l Connecting to the CLI on page 231

l Command syntax on page 231

l Tips & tricks on page 233

l Overview of commands on page 235

Connecting to the CLI

1. Log on to the FortiDB appliance as the admin user or as a user with the FortiDB System Administrator role, using one of the following methods:

l A terminal connected to the appliance's console port

l Remote login with SSH or Telnet (as permitted by the FortiDB network interface settings)

2. Enter the CLI command of interest.

For more information on the configuration to use, see Connecting to the web UI and CLI on page 1.

See also

l Command syntax on page 231

l Tips & tricks on page 233

l Overview of commands on page 235

Command syntax

Specifying file names and locations in commands

Use only letters, numbers, hyphens, and underscores in filenames and locations. Do not use spaces or special characters. For example, my_file is an acceptable name; my&file is not.

Entering spaces in command strings

Spaces are not allowed in strings that represent filenames or file locations.


When a string value other than a filename or location contains a space, do one of the following:

l Enclose the string in quotation marks; "Security Administrator", for example.

l Enclose the string in single quotes; 'Security Administrator', for example.

l Use a backslash ("\") preceding the space; Security\ Administrator, for example.

Entering quotation marks in strings

If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.

Entering a question mark (?) in a string

If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.

Special characters that are not permitted in commands

The characters <, >, (, ), #, ’, and ” are not permitted in most FortiDB CLI fields nor are they permitted in the passwords used to protect configuration-file backups.

Specifying IP address formats in commands

You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example, you can type either:

set ip 192.168.1.1 255

or

set ip 192.168.1.1/24

The IP address is displayed in the configuration file in dotted decimal format.

Notation

This guide uses the following conventions to describe command syntax:

l Angle brackets < > indicate variables. For example, for execute restore config, you enter: execute restore config myfile.bak

l Vertical bar and curly brackets { | } separate alternative, mutually exclusive required keywords. For example: set protocol {ftp | sftp}. You can enter: set protocol ftp or set protocol sftp

l Square brackets [ ] indicate that a keyword or variable is optional. For example: show system interface []username. To show the settings for all interfaces, you can enter show system interface. To show the settings for the Port1 interface, you can enter show system interface port1.

l A space separates options that can be entered in any order and in any combination and that must be separated by spaces. For example: set allowaccess {https ping ssh}. You can enter any of the following:

- set allowaccess ping

- set allowaccess https ping

- set allowaccess ssh

- set allowaccess https ssh

- set allowaccess https ping ssh

In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.

l Special characters:

l The \ is supported to escape spaces or as a line continuation character.

l The single quotation mark ' and the double quotation mark " are supported, but must be used in pairs.

l If there are spaces in a string, you must precede the spaces with the \ escape character or put the string in a pair of quotation marks.

See also

l Tips & tricks on page 233

l Overview of commands on page 235

Tips & tricks

Help

You can press the question mark (?) key to display command help.

l Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.

l Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.

l Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command-option combination and a description of each option.


Completing commands automatically

You can use the tab key or the question mark (?) key to complete commands.

l Press Tab at any prompt to scroll through the options available for that prompt.

l You can type the first characters of any command and press Tab or ? (question mark) to complete the command or to scroll through the options that are available at the current cursor position.

l After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.

Recalling commands

You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.

Editing commands

Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys and the control keys listed in the following table to edit the command.

Function Key combination

Beginning of line CTRL+A

End of line CTRL+E

Back one character CTRL+B

Forward one character CTRL+F

Delete current character CTRL+D

Previous command CTRL+P

Next command CTRL+N

Abort the command CTRL+C

If used at the root prompt, exit the CLI CTRL+C

Breaking a long command

To break a long command over multiple lines, use a \ at the end of each line.

Abbreviating commands

You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.
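The string rules under "Command syntax" (paired quotes, backslash escapes, CTRL-V before a question mark, backslash line continuation) and the shortest-unambiguous-prefix rule above are implemented here as an added example; it is not the appliance's parser, and the command tree is a constructed subset of the commands listed in this guide.

```python
from typing import Dict, List

CTRL_V = "\x16"  # the CTRL-V prefix that makes a following '?' literal

# Constructed subset of the command tree from 'Overview of commands';
# an empty dict marks a point after which words are free-form arguments.
COMMAND_TREE: Dict = {
    "config": {"system": {"admin": {"setting": {}}, "dns": {}, "global": {},
                          "interface": {}, "ntp": {}, "raid": {}, "route": {}}},
    "get": {"system": {"status": {}, "raid": {}}},
    "set": {},
    "show": {"system": {"dns": {}, "global": {}, "interface": {}}},
    "execute": {"reboot": {}, "shutdown": {}, "restart": {}, "reset": {}},
    "diagnose": {"tcpdump": {"start": {}, "stop": {}, "status": {}}},
}


def join_continued(lines: List[str]) -> List[str]:
    """Join physical lines ending in a backslash into logical command lines."""
    logical, pending = [], ""
    for line in lines:
        if line.endswith("\\"):
            pending += line[:-1]
        else:
            logical.append(pending + line)
            pending = ""
    if pending:  # dangling continuation at end of input: keep what we have
        logical.append(pending)
    return logical


def tokenize(line: str) -> List[str]:
    """Split one logical line into words. "..." or '...' group a string,
    a backslash escapes the next character (space, quote or backslash),
    CTRL-V makes the next character literal, and a bare '?' is rejected
    because the CLI would treat it as a completion request."""
    tokens, cur, quote, have_token, i = [], [], None, False, 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == quote:
                quote = None
            elif ch == "\\" and i + 1 < len(line):
                i += 1
                cur.append(line[i])
            else:
                cur.append(ch)
        elif ch in ("'", '"'):
            quote, have_token = ch, True
        elif ch in ("\\", CTRL_V) and i + 1 < len(line):
            i += 1
            cur.append(line[i])
        elif ch == "?":
            raise ValueError("unescaped '?' triggers completion and ends the string")
        elif ch.isspace():
            if cur or have_token:
                tokens.append("".join(cur))
            cur, have_token = [], False
        else:
            cur.append(ch)
        i += 1
    if quote:
        raise ValueError("quotation marks must be used in pairs")
    if cur or have_token:
        tokens.append("".join(cur))
    return tokens


def resolve(tokens: List[str]) -> List[str]:
    """Expand abbreviated keywords, accepting the smallest non-ambiguous
    prefix, so ['g', 'sy', 'st'] becomes ['get', 'system', 'status']."""
    node, out = COMMAND_TREE, []
    for word in tokens:
        if not node:  # past the known keywords: remaining words are arguments
            out.append(word)
            continue
        matches = [word] if word in node else [k for k in node if k.startswith(word)]
        if len(matches) != 1:
            detail = "ambiguous: " + ", ".join(sorted(matches)) if matches else "unknown"
            raise ValueError(f"{word!r} is {detail}")
        out.append(matches[0])
        node = node[matches[0]]
    return out


if __name__ == "__main__":
    for logical in join_continued(["g sy \\", "st", 'set name "Security Administrator"']):
        print(resolve(tokenize(logical)))
```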


See also

l Command syntax on page 231

l Overview of commands on page 235

Overview of commands

Command branch: config (see config on page 237)

Supported commands:

l system admin setting

l system backup all-settings

l system debug filter

l system dns

l system global

l system interface

l system ntp

l system raid

l system route

Description: Use config to configure objects of FortiDB functionality. Top-level objects are not configurable; they are containers for more specific lower-level objects. For example, the system object contains DNS addresses, interfaces, routes and so on. When these objects are multiple, such as routes, they are organized in the form of a table. You can add, delete or edit the entries in the table. Table entries each consist of keywords that you can set to particular values. Simpler objects, such as system DNS, are a single set of keywords.

Command branch: execute (see execute on page 247)

Supported commands:

l backup all-settings

l backup configurations

l backup fd-tcpdump

l backup-remove fd-archive

l backup-remove fd-report

l backup-remove fd-tcpdump

l date

l format disk

l generate certificate

l ping

l raid rebuild

l reboot

l reset

l restart

l restore all-settings

l restore configurations

l restore fd-archive

l shutdown

l time

l top

l traceroute

Description: Use execute to run static commands, to reset the FortiDB unit to factory defaults, or to back up or restore the FortiDB configuration. The execute commands are available only from the root prompt.

Command branch: show (see show on page 259)

Supported commands:

l system admin setting

l system backup all-settings

l system dns

l system global

l system interface

l system ntp

l system route

Description: Use show to display the FortiDB unit configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified shell.

Command branch: diagnose (see diagnose on page 264)

Supported commands:

l counter memory

l counter misc

l counter packet

l counter parser

l counter session

l debug application control basic

l debug application housekeep basic

l debug application parser basic

l debug application parser packet

l debug application sniffer abnormal

l debug application sniffer basic

l debug application sniffer block-ip

l debug application sniffer block-session

l debug application sniffer ip-reassemble

l debug application sniffer malformed-packet

l debug application sniffer packet

l debug application sniffer tcp-reassemble

l log show|tail|remove

l mapping debug

l mapping reset

l mapping status

l network interface list

l network interface detail

l system coredump check

l system coredump export

l system export fd_log

l system raid list

l tcpdump start|stop

l tcpdump status

Description: Use diagnose commands to set debug parameters, view detailed information about Ethernet interfaces or to send diagnostic information to an FTP server.

See also

l get on page 263

l set on page 263

config

FortiDB provides the following config commands:

l config system admin setting on page 237

l config system backup all-setting on page 238

l config system debug-filter on page 239

l config system dns on page 240

l config system global on page 241

l config system interface on page 242

l config system ntp on page 244

l config system raid on page 244

l config system route on page 246

config system admin setting

The config system admin setting command allows you to configure web administration settings.

Syntax

config system admin setting
    set http_port
    set https_port
    set idle_timeout
end

where:


Variables Description Default

http_port The HTTP port number for web administration. 80

https_port The HTTPS port number for web administration. 443

idle_timeout The idle-timeout value, which ranges from 1 to 480 minutes. 5

Example

To set an idle-timeout value of 2 minutes and port 444 for HTTPS web administration:

config system admin setting
    set idle_timeout 2
    set https_port 444
end

See also

l show system admin setting on page 260

config system backup all-setting

The config system backup all-settings command allows you to set or check the settings for scheduled backups.

Syntax

config system backup all-settings
    set crptpasswd
    set directory
    set passwd
    set protocol {ftp | sftp}
    set server
    set status {enable | disable}
    set time
    set user
    set week_days {monday tuesday wednesday thursday friday}
end

where:

Keywords and variables Description Default

crptpasswd Optional password to protect backup content. None

directory The directory on the backup server in which to save the backup file. None

passwd The password for the backup server. None

protocol {ftp | sftp} The backup protocol. sftp

server The IP address or DNS-resolvable host name for the backup server. None

status {enable | disable} Enable or disable scheduled backups. disable

time The time of day to perform the backup. Time is required in the form . None

user The user account name for the backup server. None

week_days {monday tuesday wednesday thursday friday} The day(s) of the week on which to perform backups. You may select multiple days. None

Example

The backup server is at 172.20.120.11, using the admin account with no password and saving the backup in the /usr/local/backups directory. Backups are done on Mondays at 1:00 pm using FTP.

config system backup all-settings
    set status enable
    set server 172.20.120.11
    set user admin
    set directory /usr/local/backups
    set week_days monday
    set time 13:00:00
    set protocol ftp
end

config system debug-filter

The config system debug-filter command allows you to filter logging of packet and SQL processes.

Enabling debug filters has an impact on system performance. For information on other debugging commands, see diagnose on page 1.

Syntax

config system debug-filter
    edit
        set dst-ip
        set dst-port
        set ingress-intf {port1 | port2 | port3 | port4 | port5 | port6}
        set protocol {tcp | udp}
        set src-ip
        set src-port
end

where:


Keywords and variables Description Default

edit Enter an unused filter number to create a new route. Enter an existing filter number to edit that route. None

dst-ip Enter the packet destination IP address to match. None

dst-port Enter the packet destination port to match. None

ingress-intf {port1 | port2 | port3 | port4 | port5 | port6} Specify the interface on which FortiDB receives traffic that it applies this filter to. None

protocol {tcp | udp} Specify the packet layer 4 protocol to match. None

src-ip Enter the packet source IP address to match. None

src-port Enter the packet source port to match. None

config system dns

The config system dns command allows you to set the DNS server addresses.

Syntax

config system dns
    set primary
    set secondary
end

where:

Keywords and variables Description Default

primary Enter the primary DNS server IP address. 65.39.139.53

secondary Enter the secondary DNS IP server address. 65.39.139.63

Example

config system dns
    set primary 65.39.139.53
    set secondary 65.39.139.63
end

See also

l show system dns on page 261

config system global

The config system global command allows you to configure global settings that affect miscellaneous FortiDB features.

Syntax

config system global
    set console-output {more | standard}
    set daylightsavetime {enable | disable}
    set hostname
    set ssl-low-encryption {enable | disable}
    set swapmem {enable | disable}
    set timezone
end

where:

Keywords and variables Description Default

console-output {more | standard} Select how the output is displayed on the console. Select more to pause the output at each full screen until keypress. Select standard for continuous output without pauses. standard

daylightsavetime {enable | disable} Enable or disable daylight saving time. If you enable daylight saving time, the FortiDB system automatically adjusts the system time when the time zone changes to or from daylight saving time. enable

hostname Enter a name for this FortiDB system. FD-XXX (the default hostname varies depending on the appliance).

ssl-low-encryption {enable | disable} Enable or disable low-grade (40-bit) encryption. disable

swapmem {enable | disable} Enable or disable virtual memory. enable

timezone Choose the time zone for the FortiDB system from the list of time zones and their numbers, and enter the correct number.

Example

The following command turns on daylight saving time, sets the FortiDB system name to FDB1K, and chooses the Eastern time zone for US & Canada.

config system global
    set daylightsavetime enable
    set hostname FDB1K
    set timezone 12
end

See also

l show system global on page 261

config system interface

The config system interface command allows you to edit the configuration of a FortiDB network interface.

Syntax

config system interface
    edit
        set allowaccess {http https ping ssh telnet}
        set ip
        set status {up | down}
end

where:

Variable Description Default

edit The interface name, which can be one of port1, port2, port3, port4. No default.

allowaccess {http https ping ssh telnet} Enter the types of management access permitted on this interface. Valid types are: http https ping ssh telnet. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required. Varies for each interface.

ip Enter the interface IP address and netmask. The IP address cannot be on the same subnet as any other interface. No default.

status {up | down} Start or stop the interface. If the interface is stopped it does not accept or send packets. If you stop a physical interface, VLAN interfaces associated with it also stop. up

Example

This example shows how to set the FortiDB port1 interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.

config system interface
    edit port1
        set allowaccess ping https ssh
        set ip 192.168.100.159 255.255.255.0
        set status up
end


See also

l show system interface on page 261

config system mapping

The config system mapping command allows you to configure FortiDB to collect audit and alert data for FortiMonitor and transmit it via SSH File Transfer Protocol (SFTP). FortiMonitor integration with FortiDB requires a FortiDB administrator with the name fortisiem. For more information, see FortiMonitor administrator on page 58.

Syntax

config system mapping
    set status {enable | disable}
    set limit-file
    set scan-cycle
    set range-start
    set range-end
end

where:

Variable Description Default

status {enable | disable} Enable or disable data collection and transmission for FortiDB. disable

limit-file Limit the number of SFTP files that FortiDB generates. Generating too many SFTP files can fill the appliance hard disk.

scan-cycle Enter the pause between collection cycles for FortiMonitor, in seconds. Adding pauses in data collection allows system resources to be available for target monitoring and other tasks. When you use smaller values, FortiDB collects data more quickly.

range-start Enter the date and time to start collecting data for FortiMonitor using the format mm/dd/yyyy-hh:mm:ss, where: No default.

l mm is the month. Valid months are 01 to 12.

l dd is the day of the month. Valid days are 01 to 31.

l yyyy is the year. Valid years are 2001 to 2037.

l hh is the hour. Valid hours are 00 to 23.

l mm is the minute. Valid minutes are 0 to 59.

l ss is the second. Valid seconds are 0 to 59.

range-end Enter the date and time to stop collecting data for FortiMonitor. If you do not specify this option, FortiDB collects data continuously after the specified start time. No default.
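A validator for the range-start and range-end format and bounds documented above, as an added example (not FortiDB code). It accepts one- or two-digit month and day fields so that the page's own example values such as 6/10/2014-16:26:23 pass, and it rejects calendar dates that do not exist.

```python
import re
from datetime import datetime
from typing import Optional, Tuple

# Documented format: mm/dd/yyyy-hh:mm:ss (month/day allowed with 1 or 2 digits
# here because the guide's examples write the month as a single digit)
_RANGE_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})-(\d{2}):(\d{2}):(\d{2})$")


def parse_range_value(value: str) -> datetime:
    """Parse a range-start/range-end value, enforcing the documented bounds
    (month 1-12, day 1-31, year 2001-2037, hour 0-23, minute and second 0-59)
    and rejecting impossible dates such as 02/30/2014."""
    m = _RANGE_RE.match(value)
    if not m:
        raise ValueError(f"{value!r} is not in mm/dd/yyyy-hh:mm:ss form")
    month, day, year, hour, minute, second = (int(g) for g in m.groups())
    bounds = [("month", month, 1, 12), ("day", day, 1, 31),
              ("year", year, 2001, 2037), ("hour", hour, 0, 23),
              ("minute", minute, 0, 59), ("second", second, 0, 59)]
    for name, val, lo, hi in bounds:
        if not lo <= val <= hi:
            raise ValueError(f"{name} {val} is outside {lo}..{hi}")
    # datetime itself raises ValueError for a day that the month does not have
    return datetime(year, month, day, hour, minute, second)


def validate_mapping_range(start: str, end: Optional[str] = None) -> Tuple[datetime, Optional[datetime]]:
    """Check a range-start value and an optional range-end value; when both
    are given, the end must be later than the start."""
    s = parse_range_value(start)
    e = parse_range_value(end) if end else None
    if e is not None and e <= s:
        raise ValueError("range-end must be later than range-start")
    return s, e


if __name__ == "__main__":
    print(validate_mapping_range("6/10/2014-00:00:00", "7/10/2014-23:59:59"))
```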

Examples

The following example starts data collection for FortiMonitor at a specific date and time with no specified stop time.

config system mapping
    set status enable
    set range-start 6/10/2014-16:26:23
end

The following example specifies data collection for FortiMonitor with both a start and stop time.

config system mapping
    set status enable
    set range-start 6/10/2014-00:00:00
    set range-end 7/10/2014-23:59:59
end

config system ntp

The config system ntp command allows you to configure automatic time setting using a network time protocol (NTP) server.

Syntax

config system ntp
    set server
    set status {enable | disable}
    set sync_interval
end

where:

Variable Description Default

server Enter the IP address or fully qualified domain name of the NTP server. No default.

status {enable | disable} Enable or disable NTP time setting. disable

sync_interval Enter how often, in minutes, the FortiDB system synchronizes its time with the NTP server. 60

config system raid

The config system raid command allows you to view or configure the hard disk RAID scheme.


Syntax

config system raid
    set level
end

where:

Variable Description Default

level Specifies the RAID level. Valid values are determined by the FortiDB model and hard disk hardware. raid1

l Implementing RAID removes all existing data from the hard disks.

l FortiDB 2000B supports raid1 and raid5 only. To determine which RAID scheme your appliance supports, see your hardware specification.

l The appliance requires a minimum of 2 hard disks to implement RAID.

l After you implement RAID, you cannot return the hard disk to its original partitions.

l Use CLI get system raid to get the RAID level information.

l Use CLI diagnose system raid list to get current RAID status information.

l If the RAID schema is corrupted, use CLI execute raid rebuild to rebuild it.

Implementing RAID 5 on 2000B

l The RAID 5 array requires at least 3 hard disks. You cannot implement RAID 5 on FortiDB 2000B if fewer than 3 hard disks are available.

l To ensure the hard disks have the same parameters, ensure they all have the same capacity, model, and vendor.

To remove the RAID 5 array

The unset operation removes the RAID 5 array and all data is lost. Perform this operation only if it is necessary.

1. Using the CLI, log in to the FortiDB 2000B as the user admin.

2. To enter RAID configuration, enter config system raid.

3. Enter unset level. FortiDB prompts you to confirm the action and warns you that all the data on all hard disks will be lost.

4. To continue, enter y. FortiDB starts the RAID 5 unset operation.

5. To format the hard disk, enter execute format disk. FortiDB reboots automatically. After the reboot, FortiDB is available on the first hard disk.


Implementing RAID on 3000B

FortiDB 3000D has an integrated RAID controller that supports RAID 0, 1, 5, 10, and other standard levels. However, you cannot use the CLI commands to implement RAID on FortiDB 3000D. Instead, you set the RAID level in BIOS. To access the FortiDB 3000D BIOS, a keyboard and a display device are required. To enter the BIOS Configuration Utility, when the BIOS screen is displayed during startup, press CTRL-R. After you change RAID level, you must format the hard disk. To obtain the required format image, contact Fortinet Technical Support.

See also

l diagnose system raid list on page 274

config system route

The config system route command allows you to view or configure static routing table entries.

Syntax

config system route
    edit
        set device
        set dst
        set gateway
end

where:

Variable Description Default

edit Enter an unused routing sequence number to create a new route. Enter an existing route number to edit that route. No default.

device Enter the port used for this route. No default.

dst Enter the IP address and mask for the destination network. 0.0.0.0 0.0.0.0

gateway Enter the default gateway IP address for this network. 0.0.0.0

See also

l show system route on page 262

execute

FortiDB provides the following execute commands:

l execute backup all-settings on page 247

l execute backup configurations on page 248

l execute backup fd-tcpdump on page 249

l execute backup-remove fd-archive on page 250

l execute backup-remove fd-report on page 251

l execute backup-remove fd-tcpdump on page 251

l execute date on page 252

l execute format disk on page 253

l execute generate certificate on page 253

l execute ping on page 253

l execute raid rebuild on page 254

l execute reboot on page 254

l execute reset on page 254

l execute restart on page 255

l execute restore all-settings on page 255

l execute restore configurations on page 256

l execute restore fd-archive on page 257

l execute shutdown on page 257

l execute time on page 258

l execute top on page 258

l execute traceroute on page 259

execute backup all-settings

The FortiDB CLI allows you to back up your local database to an FTP server.

After the backup is complete and the message “Transfer Finished” is displayed, press Enter to return to the original prompt.

Syntax

execute backup all-settings [cryptpasswd]


where:

Keywords and variables Description

IP address or hostname of FTP server.

Location on FTP server where you want the settings file to be placed. If you do not specify a name, the file name is fdb_allbackup.dat.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[crptpasswd] Optional password for protecting the settings file on the FTP server.

Example

execute backup all-settings . myCrptpasswd

See also

l config system backup all-setting on page 238

l execute restore all-settings on page 255

l show system backup all-settings on page 260

l execute backup configurations on page 248

execute backup configurations

The FortiDB CLI allows you to back up your FortiDB configuration without backing up log data.

After the backup is complete and the message “Transfer Finished” is displayed, press Enter to return to the original prompt.

Syntax

execute backup configurations [cryptpasswd]

where:

Keywords and variables Description

IP address or hostname of FTP server.

Location on FTP server where you want to save the configuration file. If you do not specify a name, the file name is fdb-configurations.data.


User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[crptpasswd] Optional password that protects the configuration file on the FTP server.

Example

This example saves the configuration file to the FTP server at 172.30.144.210 using the default file name and protects it with the password myCrptpasswd.

execute backup configurations 172.30.144.210 . dzhang 123456 myCrptpasswd

See also

l execute restore configurations on page 256

l execute backup all-settings on page 247

execute backup fd-tcpdump

The execute backup fd-tcpdump command allows you to export log files generated by tcpdump to an FTP site. FortiDB compresses the files before it sends them to the specified FTP site. For information on generating tcpdump log files, see diagnose tcpdump start|stop on page 275.

Syntax

execute backup fd-tcpdump [directory] [filename]

where:

Keywords and variables Description

IP address or hostname of the FTP server.

Username of FTP server account.

FTP server account password.

[directory] Location on FTP server where you want to save the tcpdump file. If you do not specify a directory, FortiDB uses the default directory.

[filename] Username of FTP server account. If you do not specify a name, the file name is fdb-tcpdump.tgz.

Example

execute backup fd-tcpdump


See also

l execute backup-remove fd-tcpdump on page 251

l diagnose tcpdump start|stop on page 275

l diagnose tcpdump status on page 276

execute backup-remove fd-archive

Allows you to back up archives to an FTP server and then remove them.

To return to the original prompt after the backup is complete, when the message “Transfer Finished” is displayed, press Enter.

Syntax

execute backup-remove fd-archive [directory] [filename]

where:

Keywords and variables Description

Date of the last archive you want included in your backup. For example, if you specify 2008-12-31, the backup will include archives for up to this date. The format is YYYY-MM-DD (MM(1-12), DD(1-31)). YYYY is a 4-digit number representing the year. MM is a 2-digit number from 1 to 12 representing the month. DD is a 2-digit number from 1 to 31 representing the day of the month.

IP address or hostname of FTP server.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[directory] Location on FTP server where you want the tar file to be placed.

[filename] Name for the tar file on the FTP server where you want the archives to be placed. The default file name is FD-ARCHIVE-.tar.

Example

execute backup-remove fd-archive 2008-07-30 . myArchives.tar

See also

l execute restore fd-archive on page 257

execute backup-remove fd-report

This FortiDB CLI command allows you to back up reports to an FTP server and then remove them.

To return to the original prompt after the backup is complete, when the message “Transfer Finished” is displayed, press Enter.

Syntax

execute backup-remove fd-report [directory][filename] where:

Keywords and variables Description

Date of the last report you want included in your backup. For example, if you specify 2008-12-31, the backup will include reports up to this date. The format is YYYY-MM-DD: YYYY is a 4-digit number representing the year, MM is a 2-digit number from 1 to 12 representing the month, and DD is a 2-digit number from 1 to 31 representing the day of the month.

IP address or hostname of FTP server.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[directory] Location on FTP server where you want the tar file to be placed.

[filename] Name for the tar file on the FTP server where you want the reports to be placed. The default file name is FD-REPORT-.tar.

Example

execute backup-remove fd-report 2008-07-30 . myReports.tar

See also

l Reports on page 208

execute backup-remove fd-tcpdump

The execute backup-remove fd-tcpdump command allows you to export log files generated by tcpdump to an FTP site and then remove the files from the local disk. FortiDB compresses the files before it sends them to the specified FTP site. For information on generating tcpdump files, see diagnose tcpdump start|stop on page 1.


Syntax

execute backup-remove fd-tcpdump [directory] [filename] where:

Keywords and variables Description

IP address or hostname of the FTP server.

Username of FTP server account.

FTP server account password.

[directory] Location on FTP server where you want to save the tcpdump file. If you do not specify a directory, FortiDB uses the default directory.

[filename] Name of the tcpdump file on the FTP server. If you do not specify a name, the file name is fdb-tcpdump.tgz.

Example

execute backup-remove fd-tcpdump

See also

l execute backup fd-tcpdump on page 249

l diagnose tcpdump start|stop on page 275

l diagnose tcpdump status on page 276

execute date

The execute date command allows you to get or set the system date. If you do not specify a date, the command returns the current system date.

Syntax

execute date [] where:

Variable Description

This variable has the form mm/dd/yyyy.

l mm is the month and can be 01 to 12

l dd is the day of the month and can be 01 to 31

l yyyy is the year and can be 2001 to 2100

Dates entered will be validated: mm and dd require 2 digits, and yyyy requires 4 digits.


Example

To set the date to 17 September 2013:

execute date 09/17/2013

See also

l Setting the system time on page 47

execute format disk

The execute format disk command allows you to format the hard disk on the FortiDB system. Executing this command will erase all device settings/images, VPN & Update Manager databases, and log data on the FortiDB system's hard drive. FortiDB's IP address and routing information are preserved.

Syntax

execute format disk

When you run this command, FortiDB prompts you to confirm the request.

Warning: If you use this command without first running the execute backup all-settings command, you may not be able to view assessments or reports after you archive and restore your data. When you want to archive and then format the disk, make sure that you run the config system backup all-settings command before archiving.

execute generate certificate

The execute generate certificate command allows you to regenerate the certificate for FortiDB web administration.

Syntax

execute generate certificate keysize {keysize}

The variable {keysize} is the size of the subject's public key for the certificate. Valid values are 1024 or 2048.

The FortiDB system must be rebooted after a new certificate is generated.

execute ping

The execute ping command allows you to send an ICMP echo request (ping) to test the network connection between the system and another network device.


Syntax

execute ping { | } where:

Variable Description

IP address of network device to contact

DNS resolvable hostname of network device to contact

Example

To ping a host with the IP address 192.168.1.23:

execute ping 192.168.1.23

execute raid rebuild

The execute raid rebuild command allows you to rebuild the hard disk raid when the raid is corrupted.

Syntax

execute raid rebuild

l Rebuilding the RAID erases all existing data on the second hard disk.

l If you simply replace the second disk of an existing RAID, the newly inserted disk synchronizes with the RAID automatically and does not need a rebuild. However, if the second disk was previously part of a RAID volume, you usually need to rebuild it.

execute reboot

The execute reboot command allows you to restart the FortiDB system. It disconnects all sessions on the FortiDB system.

Syntax

execute reboot

execute reset

The execute reset command allows you to reset the FortiDB system to factory defaults. It disconnects all sessions and restarts FortiDB.


Syntax

execute reset {admin-password | all-settings | data} where:

Variable Description

admin-password Reset admin's password to default password.

all-settings Reset all settings.

data Reset the database.

Example

execute reset all-settings

execute restart

This FortiDB CLI allows you to restart the application server under which both FortiDB-VA (Vulnerability Assessment) and FortiDB-DAM (DB Activity Monitoring) are running.

Syntax

execute restart appserver

execute restore all-settings

This FortiDB CLI command allows you to restore a previous backup of your local database, FortiDB system-configuration settings, archives, and reports.

Syntax

execute restore all-settings [crptpasswd] where:

Variable Description

IP address or hostname of FTP server.

Location of, and filename for, the settings file on the FTP server.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[crptpasswd] Optional password for protecting the settings file on the FTP server.


This operation will replace your current settings and necessitate a reboot.

Example

execute restore all-settings ./fdb_allbackup.dat myCrptpasswd

See also

l config system backup all-setting on page 238

l execute backup all-settings on page 247

l show system backup all-settings on page 260

l execute backup all-settings on page 247

execute restore configurations

Use this command to restore FortiDB system configuration settings that you backed up to an FTP server. This command replaces the existing configuration with the restored configuration, deletes all alert and audit data, and restarts FortiDB.

Syntax

execute restore configurations [crptpasswd] where:

Variable Description

IP address or hostname of FTP server.

Location of, and filename for, the configuration file on the FTP server.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[crptpasswd] Optional password for protecting the configuration file on the FTP server.

This operation replaces your current configuration and requires you to reboot FortiDB.


Example

execute restore configurations 172.30.144.210 ./fdb-configurations.dat dzhang 123456 myCrptpasswd

See also

l execute backup configurations on page 248

l execute restore all-settings on page 255

execute restore fd-archive

This FortiDB CLI command allows you to restore a previous backup of your archives.

Syntax

execute restore fd-archive where:

Variable Description

IP address or hostname of FTP server.

Location of, and filename for, the settings file on the FTP server.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

This operation will replace your current settings and necessitate a reboot.

Example

execute restore fd-archive ./fdb_allbackup.dat

See also

l execute backup-remove fd-archive on page 250

execute shutdown

The execute shutdown command allows you to shut down the FortiDB system. This command will disconnect all sessions.


Syntax

execute shutdown

execute time

The execute time command allows you to get or set the system time.

Syntax

execute time [] where:

Variable Description

l hh is the hour and can be 00 to 23

l mm is the minutes and can be 00 to 59

l ss is the seconds and can be 00 to 59

All parts of the time are required. Single digits are allowed for each of hh, mm, and ss.

If you do not specify a time, the command returns the current system time.

Example

To set the system time to 15:31:03: execute time 15:31:03

See also

l execute date on page 252

l Setting the system time on page 47

execute top

The execute top command allows you to view the processes running on the system.

Syntax

execute top

To exit the display, type q. Other interactive commands are available while running top. For help on them, type h.

The execute top command displays the following information:

15:28:03 up 2 days, 0 users, load average: 0.06, 0.04, 0.01
Tasks: 82 total, 2 running, 80 sleeping, 0 stopped, 0 zombie
CPU(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 2069772K total, 485764K used, 1584008K free, 40124K buffers
Swap: 2069764K total, 0K used, 2069764K free, 7275k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 18 0 3232 1012 720 S 0 0.0 0:07.12 init
2 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
3 root 34 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/0
4 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/1
5 root 39 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/1
6 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2
7 root 33 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/2
8 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3
9 root 34 19 0 0 0 S 0 0.0 0:00.00 ksoftirqd/3
10 root 10 -5 0 0 0 S 0 0.0 0:00.00 events/0
11 root 10 -5 0 0 0 S 0 0.0 0:00.00 events/1
12 root 10 -5 0 0 0 S 0 0.0 0:00.00 events/2
13 root 10 -5 0 0 0 S 0 0.0 0:00.00 events/3
14 root 10 -5 0 0 0 S 0 0.0 0:00.00 khelper
15 root 10 -5 0 0 0 S 0 0.0 0:00.00 kthread
21 root 10 -5 0 0 0 S 0 0.0 0:00.00 kblockd/0

execute traceroute

The execute traceroute command allows you to test the connection between the FortiDB system and another network device, and display information about the network hops between the device and the FortiDB system.

Syntax

execute traceroute { | } where:

Variable Description

IP address of network device.

FQDN hostname of network device.

Example

execute traceroute

show

This topic contains the information about the show system commands that are available to the FortiDB user. Only changes to the default configuration are displayed.


You can use the show command within a config shell to display the configuration of that shell, or you can use the show command with a full path to display the configuration of the specified shell. To display the configuration of all config shells, you can use the show command from the root prompt. FortiDB provides the following show commands:

l show system admin setting on page 260

l show system backup all-settings on page 260

l show system dns on page 261

l show system global on page 261

l show system interface on page 261

l show system ntp on page 262

l show system route on page 262

show system admin setting

The show system admin setting command allows you to display the change of system-administration settings.

Syntax

show system admin setting

See also

l config system admin setting on page 237

show system backup all-settings

The show system backup all-settings command allows you to display the change of system backup settings.

Syntax

show system backup all-settings

See also

l config system backup all-setting on page 238

l execute backup all-settings on page 247

l execute restore all-settings on page 255

l execute backup all-settings on page 247

show system dns

The show system dns command allows you to display the change of the DNS server addresses.

Syntax

show system dns

Example

The following is an example of the result of the show system dns command:

FD-XXX # show system dns
config system dns
set primary 65.39.139.53
set secondary 65.39.139.63
end

See also

l config system dns on page 240

show system global

The show system global command allows you to display the change of global settings.

Syntax

show system global

See also

l config system global on page 241

show system interface

The show system interface command allows you to display the change of a FortiDB network interface.

Syntax

show system interface

Example

FD-XXX # show system interface
config system interface
edit "port1"
set ip 172.30.62.80 255.255.255.0
set allowaccess ping https ssh telnet http
end
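The allowaccess line in the output above is worth auditing: telnet and http carry administrator credentials and commands in cleartext. The following added example, written for this guide rather than taken from FortiDB, parses the config-shell format that the show commands print (config / edit / set / end) and reports interfaces that allow those services; the second interface and the next keyword between entries are assumptions made so the parser is exercised on more than one interface.

```python
"""Audit the allowaccess setting in FortiDB `show system interface` output.

Added example, not part of the FortiDB guide. It parses the config-shell
format printed by the show commands (config ... / edit ... / set ... / end)
and reports interfaces that accept cleartext administrative protocols.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the port1 entry mirrors the guide's example output.
# The port2 entry and the `next` keyword between entries are assumptions
# made so the parser is exercised on more than one interface.
SAMPLE_OUTPUT = """\
FD-XXX # show system interface
config system interface
    edit "port1"
        set ip 172.30.62.80 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit "port2"
        set ip 10.0.0.5 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

# Administrative protocols that send credentials and commands unencrypted.
CLEARTEXT_SERVICES = frozenset({"telnet", "http"})

Entries = Dict[str, Dict[str, List[str]]]


def parse_show_output(text: str) -> Entries:
    """Return {entry name: {setting: [values]}} for one `show ...` block.

    The echoed prompt line ("FD-XXX # show ...") and the `config` line are
    skipped; `set` lines outside any `edit` block are stored under key "".
    """
    entries: Entries = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("config ") or " # " in line:
            continue
        tokens = shlex.split(line)  # removes the quotes around "port1"
        if tokens[0] == "edit" and len(tokens) == 2:
            current = tokens[1]
            entries.setdefault(current, {})
        elif tokens[0] in ("next", "end"):
            current = ""
        elif tokens[0] == "set" and len(tokens) >= 2:
            entries.setdefault(current, {})[tokens[1]] = tokens[2:]
    return entries


def cleartext_admin_findings(entries: Entries) -> List[Tuple[str, List[str]]]:
    """List (interface, [cleartext services]) for every interface whose
    allowaccess setting includes telnet or http."""
    findings = []
    for name, settings in entries.items():
        exposed = sorted(set(settings.get("allowaccess", [])) & CLEARTEXT_SERVICES)
        if exposed:
            findings.append((name, exposed))
    return findings


def hardened_allowaccess(values: List[str]) -> List[str]:
    """Return the allowaccess list with cleartext services removed, keeping
    the original order so it can be used in a `set allowaccess` line."""
    return [v for v in values if v not in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    parsed = parse_show_output(SAMPLE_OUTPUT)
    for iface, services in cleartext_admin_findings(parsed):
        fixed = " ".join(hardened_allowaccess(parsed[iface]["allowaccess"]))
        print(f"{iface}: cleartext admin access via {', '.join(services)}")
        print(f"  suggested: set allowaccess {fixed}")
```

The same parser handles the show system dns, ntp, and route output shown in this chapter, since they use the same config / edit / set / end layout.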

See also

l config system interface on page 242

show system ntp

The show system ntp command allows you to display the change of the automatic time setting using a network time protocol (NTP) server.

Syntax

show system ntp

Example

The following is an example result of show system ntp:

FD-XXX # show system ntp
config system ntp
set server "132.246.168.147"
set status enable
set sync_interval 120
end

See also

l config system ntp on page 244

show system route

The show system route command allows you to display the change of the static routing table entries.

Syntax

show system route

Example

The following is an example result of show system route:

FD-XXX # show system route
config system route
edit 1
set device "port1"
set gateway 172.30.62.254
end

See also

l config system route on page 246

get

The get commands allow you to retrieve system setting and activity information. They include the following commands:

l get system target-database — Displays information about all monitored database targets and the associated audit policies.

l get system session — Displays all active session information.

l get system block-ip — Displays all blocked IP addresses. When traffic matches one of these IP addresses, FortiDB generates a TCP reset packet.

l get system block-session — Displays all blocked sessions. If traffic matches the blocked session characteristics, FortiDB generates a TCP reset packet.

l get system counter — Displays current system counter information.

l get system debug-filter — Displays debug-filter settings. is the number of the filter to display. See config system debug-filter on page 239.

Example

To retrieve the current system-administration settings:

get system admin setting
http_port : 80
https_port : 443
idle_timeout : 2

set

The set command allows you to set specific properties within a settings category.

Example

To change a default value for a property within the system-administration settings category:

show system admin setting
config system admin setting
(setting)# set idle_timeout 2
end

show system admin setting
config system admin setting
set idle_timeout 2
end

diagnose

The diagnose command displays diagnostic information that helps you to troubleshoot problems. FortiDB provides the following diagnose commands:

l diagnose counter memory on page 265

l diagnose counter misc on page 265

l diagnose counter packet on page 265

l diagnose counter parser on page 266

l diagnose counter session on page 266

l diagnose debug application control basic on page 267

l diagnose debug application housekeep basic on page 267

l diagnose debug application parser basic on page 267

l diagnose debug application parser packet on page 268

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer basic on page 268

l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer block-session on page 269

l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

l diagnose mapping debug on page 272

l diagnose mapping reset on page 272

l diagnose mapping status on page 272

l diagnose log show|tail|remove on page 271

l diagnose system export fd_log on page 274

l diagnose system raid list on page 274

l diagnose tcpdump start|stop on page 275

l diagnose tcpdump status on page 276

l diagnose network interface list on page 276

l diagnose network interface detail on page 276

diagnose counter memory

Allows you to show all memory-related counters.

Syntax

diagnose counter memory all

See also

l diagnose counter misc on page 265

l diagnose counter packet on page 265

l diagnose counter parser on page 266

l diagnose counter session on page 266

diagnose counter misc

Allows you to show miscellaneous counters.

Syntax

diagnose counter misc all

See also

l diagnose counter memory on page 265

l diagnose counter packet on page 265

l diagnose counter parser on page 266

l diagnose counter session on page 266

diagnose counter packet

Allows you to show all packet-related counters.

Syntax

diagnose counter packet {all | error | ethernet | ip | ip-reassemble | summary | tcp} where:

Keywords Description

{all | error | ethernet | ip | ip-reassemble | summary | tcp} Specifies the type of packet counter to display.


See also

l diagnose counter memory on page 265

l diagnose counter misc on page 265

l diagnose counter parser on page 266

l diagnose counter session on page 266

diagnose counter parser

Allows you to show all SQL statement parser counters.

Syntax

diagnose counter parser all

See also

l diagnose counter memory on page 265

l diagnose counter misc on page 265

l diagnose counter parser on page 266

l diagnose counter session on page 266

diagnose counter session

Allows you to show session and hash-table-related counters.

Syntax

diagnose counter session {all | error | summary | table-operate |tcp-reassemble} where

Keywords Description

{all | error | summary | table-operate | tcp-reassemble} Specifies the type of session or hash-table counter to display.

See also

l diagnose counter memory on page 265

l diagnose counter misc on page 265

l diagnose counter packet on page 265

l diagnose counter session on page 266

diagnose debug application control basic

Allows you to enable basic debugging for the control thread.

Syntax

diagnose debug application control basic {enable | disable}

See also

l diagnose debug application housekeep basic on page 267

l diagnose debug application parser basic on page 267

l diagnose debug application sniffer basic on page 268

diagnose debug application housekeep basic

Allows you to enable basic debugging for the housekeep thread.

Syntax

diagnose debug application housekeep basic {enable | disable}

See also

l diagnose debug application control basic on page 267

l diagnose debug application parser basic on page 267

l diagnose debug application sniffer basic on page 268

diagnose debug application parser basic

Allows you to enable basic debugging for the parser thread.

Syntax

diagnose debug application parser basic {enable | disable}

See also

l diagnose debug application control basic on page 267

l diagnose debug application housekeep basic on page 267

l diagnose debug application parser basic on page 267

l diagnose debug application sniffer basic on page 268

diagnose debug application parser packet

Allows you to enable packet debugging for the parser thread.

Syntax

diagnose debug application parser packet {enable | disable}

See also

l diagnose debug application parser basic on page 267

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer basic on page 268

diagnose debug application sniffer abnormal

Allows you to enable abnormal debugging for the sniffer thread.

Syntax

diagnose debug application sniffer abnormal {enable | disable}

See also

l diagnose debug application sniffer basic on page 268

l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer block-session on page 269

l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

diagnose debug application sniffer basic

Allows you to enable basic debugging for the sniffer thread.

Syntax

diagnose debug application sniffer basic {enable | disable}

See also

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer block-session on page 269


l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

diagnose debug application sniffer block-ip

Allows you to enable debugging for IP blocking activity in the sniffer thread.

Syntax

diagnose debug application sniffer block-ip {enable | disable}

See also

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer basic on page 268

l diagnose debug application sniffer block-session on page 269

l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

diagnose debug application sniffer block-session

Allows you to enable debugging for session blocking activity in the sniffer thread.

Syntax

diagnose debug application sniffer block-session {enable | disable}

See also

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer basic on page 268

l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

diagnose debug application sniffer ip-reassemble

Allows you to enable debugging for IP reassembling activity in the sniffer thread.


Syntax

diagnose debug application sniffer ip-reassemble {enable | disable}

See also

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer basic on page 268

l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer block-session on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

diagnose debug application sniffer malformed-packet

Allows you to enable debugging for malformed packets in the sniffer thread.

Syntax

diagnose debug application sniffer malformed-packet {enable | disable}

See also

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer basic on page 268

l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer block-session on page 269

l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

diagnose debug application sniffer packet

Allows you to enable packet debugging for the sniffer thread.

Syntax

diagnose debug application sniffer packet {enable | disable}

See also

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer basic on page 268


l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer block-session on page 269

l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer tcp-reassemble on page 271

diagnose debug application sniffer tcp-reassemble

Allows you to enable debugging for TCP reassembling activity in the sniffer thread.

Syntax

diagnose debug application sniffer tcp-reassemble {enable | disable}

See also

l diagnose debug application sniffer abnormal on page 268

l diagnose debug application sniffer basic on page 268

l diagnose debug application sniffer block-ip on page 269

l diagnose debug application sniffer block-session on page 269

l diagnose debug application sniffer ip-reassemble on page 269

l diagnose debug application sniffer malformed-packet on page 270

l diagnose debug application sniffer packet on page 270

diagnose log show|tail|remove

Allows you to show or remove debug logs.

Syntax

diagnose log show|tail|remove fortidb-log|tomcat-log|localhost-log where:

Keywords Description

show Show the specified log.

tail Print the tail of specified log, and continue to output appended data as the file grows.

remove Remove the specified log.

fortidb-log Log of FortiDB Application Server.

tomcat-log Initialization Log from Tomcat.

localhost-log Localhost log from Tomcat.


Example

diagnose log tail fortidb-log

See also

l diagnose system export fd_log on page 274

diagnose mapping debug

Syntax

diagnose mapping debug {enable | disable}

See also

l diagnose mapping reset on page 272

l diagnose mapping status on page 272

diagnose mapping reset

Syntax

diagnose mapping reset enable

See also

l diagnose mapping reset on page 272

l diagnose mapping status on page 272

diagnose mapping status

Syntax

diagnose mapping status {alert | all | audit | control}

See also

l diagnose mapping debug on page 272

l diagnose mapping status on page 272

diagnose system coredump check

Use this command to view the results of the coredump task. FortiDB generates coredump files when the system fails.


Syntax

diagnose system coredump check

Example

diagnose system coredump check

This example illustrates the command output after a system failure, which provides a count of the available coredump files.

Coredump check result:
Flowd happened 4 times!
Monitord happened 0 times!
Cliproxyd happened 0 times!

See also

l diagnose system coredump export on page 273

diagnose system coredump export

Use this command to export FortiDB coredump files to a location on an FTP server. After a system failure, FortiDB generates coredump files that contain the system’s RAM at the time of the crash. This file is useful for troubleshooting problems with the TCP/IP sniffer.

Syntax

diagnose system coredump export [filepath] where:

Keywords and variables Description

IP address or hostname of FTP server.

Location on FTP server where you want to save the configuration file.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[filepath] Location on FTP server that FortiDB exports the coredump file to.

Example

This example exports the coredump files to the FTP server at 172.30.144.210.

diagnose system coredump export 172.30.144.210 dzhang 123456

The command generates output similar to the following message:

Packaging the coredump files...
Transferring the files...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 142M 0 0 100 142M 0 11.0M 0:00:12 0:00:12 --:--:-- 11.1M
Succeeded in uploading coredump files!

See also

l diagnose system coredump check on page 272

diagnose system export fd_log

Allows you to export debug log files to an FTP server.

Syntax

diagnose system export fd_log [directory] [filename] where:

Variables Description

IP address or hostname of FTP server.

User name of account that logs on to the FTP server.

Password of account that logs on to the FTP server.

[directory] Location on FTP server where you want the diagnostic file to be placed.

[filename] Name of the zip file that contains several log files that will be put on the FTP server. If you don't specify a filename, you will get a default file called fortidb.zip.

Example

diagnose system export fd_log . myDiagnose.zip

See also

l diagnose log show|tail|remove on page 271

diagnose system raid list

Allows you to check hard disk RAID status.

Syntax

diagnose system raid list

See also

l diagnose log show|tail|remove on page 271

diagnose tcpdump start|stop

Allows you to use tcpdump to log packet traffic information for a target database and save it to the local disk. Like the TCP/IP sniffer, tcpdump requires a connection to a mirror port on the switch that handles TCP/IP traffic for the target database. For more information, see Network requirements for monitoring using the TCP/IP sniffer on page 69. You can export the tcpdump log files to an FTP server and remove them from the local disk. For more information, see execute backup fd-tcpdump on page 249 and execute backup-remove fd-tcpdump on page 251.

Syntax

diagnose tcpdump start|stop [minutes] where:

Variables Description

start|stop Specifies whether to start a new tcpdump log file or stop a current monitoring session.

The FortiDB Ethernet port on which tcpdump intercepts and logs packet traffic. This port is connected to the mirror port on the switch that handles TCP/IP traffic for the database.

The IP address of the database client. Enter * to specify any IP address.

The IP address where the target database is located. Enter * to specify any IP address.

[minutes] Specifies the length of time, in minutes, that tcpdump monitors packet traffic between the specified database and client. The maximum value is 720. If you do not specify a duration, tcpdump monitors the specified packet traffic for 60 minutes or until you enter the corresponding diagnose tcpdump stop command.

Example

To monitor database traffic seen on port2 for 10 minutes:

diagnose tcpdump start port2 10

See also

l execute backup fd-tcpdump on page 249

l execute backup-remove fd-tcpdump on page 251

l diagnose tcpdump status on page 276

diagnose tcpdump status

Allows you to view the current status of the tcpdump packet analyzer.

Syntax

diagnose tcpdump status

Example

FD-1KC # diagnose tcpdump status
Tcpdump is not running.

See also

l execute backup fd-tcpdump on page 249

l execute backup-remove fd-tcpdump on page 251

l diagnose tcpdump start|stop on page 275

diagnose network interface list

Allows you to view the status of Ethernet interfaces.

Syntax

diagnose network interface list

See also

l config system interface on page 242

l show system interface on page 261

l diagnose network interface detail on page 276

diagnose network interface detail

Allows you to view detailed information about Ethernet interfaces.

Syntax

diagnose network interface detail

where:

Variable Description

Ethernet interface name (for example, port1).


Example

diagnose network interface detail port1

See also

l config system interface on page 242

l show system interface on page 261

l diagnose network interface detail on page 276

Copyright© 2020 Fortinet, Inc. All rights reserved.
