Trustwave DbProtect User Guide Version 6.4.9


Trustwave DbProtect 6.4.9 User Guide - January 6, 2017

Legal Notice

Copyright © 2017 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

The most current version of this document may be obtained from:

www.trustwave.com/Company/Support/

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.


Formatting Conventions

This manual uses the following formatting conventions to denote specific information.

Format and Symbols: Meaning

• Blue Underline: A blue underline indicates a Web site or email address.

• Bold: Bold text denotes UI control and names such as commands, menu items, tab and field names, button and check box names, window and dialog box names, and areas of windows or dialog boxes.

• Code: Text in this format indicates computer code or information at a command line.

• Italics: Italics are used to denote the name of a published work, the current document, or another document; for text emphasis; or to introduce a new term. In code examples italics indicate a placeholder for values and expressions.

• [Square brackets]: In code examples, square brackets indicate optional sections or entries.

• Note: This symbol indicates information that applies to the task at hand.

• Tip: This symbol denotes a suggestion for a better or more productive way to use the product.

• Caution: This symbol highlights a warning against using the product in an unintended manner.


Table of Contents

Legal Notice
Formatting Conventions
List of Tables
List of Figures

1 Introduction
  1.1 Document Audience
  1.2 DbProtect Concepts
    1.2.1 Workflow
    1.2.2 Assets
    1.2.3 Users, Organizations, and Roles
    1.2.4 Policy
    1.2.5 Discovery
    1.2.6 Penetration Testing and Auditing
    1.2.7 Rights Review
    1.2.8 Monitoring
    1.2.9 Reporting
  1.3 DbProtect Components
    1.3.1 Console
    1.3.2 Scan Engines
    1.3.3 Sensors
  1.4 Permissions and Prerequisites
    1.4.1 Network Access for DbProtect Components
    1.4.2 User Permissions and Network Access for Target Assets
  1.5 Understanding the DbProtect Interface
    1.5.1 Logging In to the Console
    1.5.2 Troubleshooting Your DbProtect Console Login
      1.5.2.1 Session Timeout
    1.5.3 Adding the DbProtect URL to Your List of Trusted Intranet Sites In Internet Explorer
    1.5.4 Pages in the DbProtect Console
      1.5.4.1 Report Section
      1.5.4.2 Manage Section
      1.5.4.3 Set Up Section
    1.5.5 Global Navigation in DbProtect
    1.5.6 Selecting Organizations


2 DbProtect Workflow
  2.1 Product Installation
    2.1.1 Installing the Console and Enterprise Services Host
    2.1.2 Installing Sensors and Scan Engines
  2.2 Adding Users and Organizations
    2.2.1 Users
    2.2.2 Organizations
  2.3 Adding Database Assets
    2.3.1 Asset Discovery
    2.3.2 Adding Assets Manually
  2.4 Penetration Testing
  2.5 Auditing
  2.6 Rights Review
  2.7 Discovery
  2.8 Monitoring
  2.9 Reporting
  2.10 Investigation and Remediation

3 Working with Reports
  3.1 Dashboard
    3.1.1 Details and Drill-down
  3.2 On Demand Reports
    3.2.1 Report Catalog
  3.3 Report History
  3.4 Report Output
  3.5 Report Filters
    3.5.1 Running a Report In a Job
  3.6 Common Questions About Report Output
    3.6.1 Differences between On Demand Reports and Job Reports

4 Working with Assets
  4.1 Adding an Asset
  4.2 Importing Assets
  4.3 Editing an Asset
  4.4 Deleting Assets
  4.5 Asset Details and Credentials
  4.6 Managing Organization Associations
  4.7 Managing Attributes for Multiple Assets
  4.8 Managing Credentials
    4.8.1 Importing and Exporting Credentials
    4.8.2 Managing Per-Asset Credential Groups
    4.8.3 Managing Shared Credential Groups
  4.9 Searching Assets


    4.9.1 Facets
    4.9.2 Search Expressions
    4.9.3 Saved Search Queries

5 Working with Monitoring
  5.1 Alerts
    5.1.1 Refreshing Alerts
    5.1.2 Filtering Alerts
    5.1.3 Acknowledging and Archiving Alerts
    5.1.4 Viewing Archived Alerts
    5.1.5 Deleting Alerts
    5.1.6 Un-Archiving Alerts
    5.1.7 Viewing Alert Details
  5.2 Dashboard
  5.3 Reports
  5.4 Policies
    5.4.1 Default Monitoring Policies
    5.4.2 Deploying a Policy
    5.4.3 Re-Deploying More Than One Policy
    5.4.4 Creating a Policy
    5.4.5 Editing a Policy
    5.4.6 Deleting Policies
    5.4.7 Exporting and Importing Policies
  5.5 Filters
    5.5.1 Creating Audit Filters
    5.5.2 Creating Exceptions
    5.5.3 Creating Advanced Filters and Exceptions
    5.5.4 Editing a Filter
    5.5.5 Deleting a Filter
    5.5.6 Importing a Filter
    5.5.7 Exporting Filters
  5.6 Sensors
    5.6.1 Viewing Sensor Details
    5.6.2 Viewing Sensor Configuration Details
    5.6.3 Registering a Sensor
    5.6.4 Configuring or Reconfiguring a Sensor
    5.6.5 Unregistering a Sensor
    5.6.6 Deploying Policies
  5.7 Monitoring Settings
    5.7.1 Email Forwarding Rules
    5.7.2 Creating Or Modifying a Rule
    5.7.3 Forwarding Settings
    5.7.4 Email Server Settings


6 Working with Jobs
  6.1 Reviewing Job Information
    6.1.1 Jobs tab
    6.1.2 In Progress Tab
    6.1.3 Completed Tab
    6.1.4 Scheduled Tab
  6.2 Creating a Job
    6.2.1 Audit, Pen Test, or Rights Review
    6.2.2 Credential Test
    6.2.3 Discovery
    6.2.4 Report
  6.3 Scheduling or Un-Scheduling a Job
  6.4 Running a Job
  6.5 Editing a Job
  6.6 Cloning a Job
  6.7 Deleting a Job

7 Working with Users and Organizations
  7.1 Organizations
    7.1.1 Adding An Organization
    7.1.2 Editing An Organization
    7.1.3 Copying Organization Features
    7.1.4 Deleting An Organization
    7.1.5 Managing Policies For An Organization
  7.2 Users
    7.2.1 System Roles
    7.2.2 Organization Roles
    7.2.3 Adding a User
    7.2.4 Editing a User
    7.2.5 Deleting a User

8 Working with System Settings
  8.1 About DbProtect
  8.2 Scan Engines
    8.2.1 Registering a Scan Engine
    8.2.2 Unregistering a Scan Engine
    8.2.3 Configuring a Scan Engine
    8.2.4 Updating the SHATTER Knowledgebase
  8.3 Email
  8.4 Diagnostics
  8.5 Warehousing
  8.6 Licensing


9 Working with Policies
  9.1 Built-In Audit Policies
  9.2 Built-In Penetration Test Policies
  9.3 Viewing a Policy
  9.4 Creating a Policy
  9.5 Editing a Policy
  9.6 Renaming a Policy
  9.7 Searching Policies
  9.8 What are Report Filters?
    9.8.1 Report Filter Examples
    9.8.2 Adding Report Filters Through the Policy Editor
    9.8.3 Configuring Asset-Level Report Filters
    9.8.4 Adding Report Filters by Loading a Report Filters File
    9.8.5 Viewing Report Filters
    9.8.6 Editing Report Filters
    9.8.7 Deleting Report Filters
  9.9 Importing a Policy
  9.10 Exporting a Policy
  9.11 Deleting a Policy

Appendix A Monitoring Filter Name Attributes
  A.1 Name Attributes
  A.2 SQL Server Name Attributes
  A.3 DB2 Name Attributes
  A.4 Sybase Name Attributes
  A.5 Oracle Name Attributes


List of Tables

Table 1: DbProtect Network Connectivity Requirements
Table 2: Common List Tools
Table 3: Search Query Operators
Table 4: Some Pre-Defined Attributes
Table 5: Filter Operators
Table 6: DbProtect System Roles
Table 7: DbProtect Organization Roles
Table 8: DbProtect Name Attributes
Table 9: SQL Server Name Attributes
Table 10: DB2 Name Attributes
Table 11: Sybase Name Attributes
Table 12: Oracle Name Attributes


List of Figures

Figure 1: DbProtect Console Initial View
Figure 2: Sample DbProtect Dashboard
Figure 3: Sample Report Catalog Output
Figure 4: DbProtect Assets Page
Figure 5: DbProtect Monitoring Home Page
Figure 6: DbProtect Jobs Page


1 Introduction

DbProtect is a data security platform for data stores, including relational databases and Big Data. Supported databases include on-premise and cloud services. DbProtect uncovers conditions that could lead to escalation-of-privilege attacks, data leakage, denial-of-service (DoS), or unauthorized modification of data. The conditions checked include database configuration mistakes, identification and access control issues, missing patches, and other settings.

DbProtect provides multi-user/role-based access, distributed architecture, and enterprise-level analytics. DbProtect enables organizations to secure all of their relational databases and Big Data stores throughout their environment, on premise or in the cloud.

1.1 Document Audience

This guide is intended for persons using DbProtect on a day-to-day basis. For more information about initial setup and configuration, see the DbProtect Installation Guide, Getting Started Guide, and Sensor Installation and Configuration Guide.

1.2 DbProtect Concepts

To use DbProtect you should understand the following basic concepts and tasks.

1.2.1 Workflow

DbProtect is a complex system. Many tasks can only be performed if a previous task has been completed. Particular tasks will usually be delegated to different users. Network staff and DBAs will normally be involved in the setup process, as well as in applying changes based on test results.

The following sub-sections give a brief overview of DbProtect tasks and components. For more details about tasks, see “DbProtect Workflow” on page 22. For full coverage of the user interface, see the main sections of this Guide.

1.2.2 Assets

An Asset is a database or scanning component known to DbProtect. You manage Assets using the Console. Assets include:

• Databases that you scan and monitor

• Database related endpoints such as SQL redirectors

• DbProtect Scan Engines and Sensors (not scannable)

For more information about Assets, see “Working with Assets” on page 34.

1.2.3 Users, Organizations, and Roles

DbProtect allows you to delegate tasks such as systems administration, scanning, and reporting. You control permissions with Users and Organizations.

• Users are accounts that you import from the Windows domain or local machine environment.


• Organizations are containers that you use to organize Assets. You can place an Asset in one or more Organizations.

• Roles are permission sets that you apply to grant Users power over the DbProtect installation or Organizations. For example, you can allow users permission to:

    • view reports for one or more organizations

    • run jobs

    • grant permission over one or more organizations to other users

    • manage the entire installation

For more information about Users and Organizations, see “Working with Users and Organizations” on page 72.

1.2.4 Policy

A DbProtect Policy is a group of scanning or monitoring rules. Policies are defined to validate best practices or regulatory requirements. DbProtect applies Policies to database Assets to check configuration, audit historical activity, and monitor activity in real time. You can customize Policies to meet your requirements.

For more information about Pen Test and Audit Policies, see “Working with Policies” on page 84. For more information about Monitoring Policies, see “Policies” on page 48.

1.2.5 Discovery

Discovery is the activity of scanning your network to find database Assets. Typically you perform Discovery when you are setting up DbProtect, to quickly populate the Assets in your environment. You also perform Discovery periodically to scan for new or unknown (possibly unauthorized) database servers.

Discovery is performed by Jobs that you can run on a schedule, or immediately. The results of Jobs are available as Reports that you can distribute and review.

After initial Discovery you can set up the structure of Organizations that allows you to perform further testing.

For more information about Discovery Jobs, see “Discovery” on page 69.

1.2.6 Penetration Testing and Auditing

Penetration Testing and Auditing apply Policies to validate the security of Assets and the data they hold. Penetration Testing generally investigates the security of data and systems against outside attack. Auditing validates the security of systems against internal users.

Penetration Testing and Auditing are performed by Jobs that you can run on a schedule, or immediately. The results of Jobs are available as Reports that you can distribute and review.

For more information about Audit and Pen Test Jobs, see “Audit, Pen Test, or Rights Review” on page 66.


1.2.7 Rights Review

Rights Review performs a check of user permissions over Assets and the objects they include, such as tables and stored procedures. You can use the output of Rights Review jobs to understand who has access to Assets. You can use this information in discussion with application owners to help in setting access policy.

For more information about Rights Review Jobs, see “Audit, Pen Test, or Rights Review” on page 66.

1.2.8 Monitoring

Monitoring allows you to watch Assets for specific behaviors in real time. You can use Monitoring to watch for system problems or malicious activity. You can forward the results of Monitoring to other systems for enterprise asset management.

For more information about Monitoring, see “Working with Monitoring” on page 43.

1.2.9 Reporting

DbProtect Reporting allows you to review the results of other activities and maintain a complete view of your Assets. Reporting includes job output, on demand detailed reports, and a Dashboard to provide a quick overview of important information.

For more information about Reports, see “Working with Reports” on page 28.

1.3 DbProtect Components

A DbProtect installation includes a Console server and one or more Scan Engines and Sensors.

1.3.1 Console

The Console is the web browser-based, graphical component of DbProtect that allows you to navigate to the various features of DbProtect. The Console Server also hosts a standalone Policy Editor that allows you to create customized Policies for Penetration Tests and Audit, as well as a number of central services to control scanning, provide reporting, and manage the warehousing of data.

1.3.2 Scan Engines

DbProtect’s network-based, vulnerability management scan engines discover database applications within your infrastructure and assess their security strength. Backed by a proven security methodology and extensive knowledge of application-level vulnerabilities, DbProtect locates, examines, reports, and fixes security holes and mis-configurations. Scan engines scan your databases for vulnerabilities, and allow you to perform penetration (pen) tests and audits against them.

Supported target databases include recent versions of the following:

• Oracle

• Microsoft SQL Server

• Microsoft Azure SQL Database

• SAP Sybase ASE


• IBM DB2 LUW

• IBM DB2 z/OS (IBM DB2 for Mainframe)

• MySQL

• Hadoop

• Teradata Database

• MongoDB

To view a complete list of database versions supported, see the README document for a specific DbProtect release.

Note: MongoDB assets must be manually added. Discovery of MongoDB is not supported in this release of DbProtect. Scanning requires Scan Engine 3.2 or above.

1.3.3 Sensors

Sensors deliver database-specific monitoring and alerting for best-in-class protection of enterprise organizations. You can fine-tune your event detection parameters and customize which audit and security events are monitored by DbProtect. This helps you focus security efforts on relevant information, while bypassing false positives and irrelevant events.

1.4 Permissions and Prerequisites

To use DbProtect successfully you must allow specific network access and user permissions.

1.4.1 Network Access for DbProtect Components

DbProtect components communicate on the network ports listed in the table below. For full details of required access, see the DbProtect Installation Guide and Getting Started Guide.

Table 1: DbProtect Network Connectivity Requirements

| Component | Default Listening Port | Type | Purpose |
|---|---|---|---|
| Console | 20080 | TCP | Console browser connections |
| Console | 20081 | TCP | Receives Activity Monitoring Alerts/Events from Sensors. Used by Message Collector. |
| SQL Service Repository | 1433 | TCP | Verify this port assignment with the SQL Server Administrator |
| Scan Engine | 20001 | TCP | Console communication with the scan engine |
| Sensor | 20000 | TCP | Console communication with the sensor |

1.4.2 User Permissions and Network Access for Target Assets

DbProtect scanning and auditing jobs require specific access to the Operating Systems and databases scanned. For the latest list of required access (including scripts to set required values), see the readme file installed with the current SHATTER Knowledgebase. You can find the Readme file on the Console server, within the DbProtect installation.

DbProtect installs by default in the following location:

%ProgramFiles(x86)%\Trustwave\DbProtect\ (64 bit systems)

%ProgramFiles%\Trustwave\DbProtect\ (32 bit systems)

The User Creation Scripts and Readme are in the subfolder:

Resources\ShatterKnowledgebase\UserCreationScripts\
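The following added example (not part of the DbProtect guide or product) probes the default ports from Table 1 and separates a port that is refused by the host from one that is silently dropped, which usually indicates a firewall rule. The `checked_from` values, the function names, and the host names in the demo are assumptions of this example, not columns or values from the table.

```python
"""Added example, not part of the DbProtect guide: probe the Table 1 ports."""
import socket

# Rows of Table 1 (component, default listening port, purpose).
# "checked_from" is this example's reading of each purpose (an assumption):
# the kind of machine that should be able to open the connection.
TABLE_1 = [
    {"component": "Console", "port": 20080, "checked_from": "workstation",
     "purpose": "Console browser connections"},
    {"component": "Console", "port": 20081, "checked_from": "sensor",
     "purpose": "Receives Activity Monitoring Alerts/Events from Sensors"},
    {"component": "SQL Service Repository", "port": 1433, "checked_from": "console",
     "purpose": "Verify this port assignment with the SQL Server Administrator"},
    {"component": "Scan Engine", "port": 20001, "checked_from": "console",
     "purpose": "Console communication with the scan engine"},
    {"component": "Sensor", "port": 20000, "checked_from": "console",
     "purpose": "Console communication with the sensor"},
]


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # host answered, but nothing is listening
    except socket.timeout:
        return "filtered"    # no answer at all: typically a firewall drop
    except OSError as exc:   # name resolution failure, unreachable network, ...
        return "error: " + exc.__class__.__name__


def check_from(role, hosts, rows=TABLE_1, timeout=3.0):
    """Probe every row that a machine acting as `role` should be able to reach.

    hosts maps a component name to the host name or IP where it is installed.
    Rows whose component has no entry in hosts are reported as "skipped".
    """
    results = []
    for row in rows:
        if row["checked_from"] != role:
            continue
        host = hosts.get(row["component"])
        state = probe(host, row["port"], timeout) if host else "skipped"
        results.append({"component": row["component"], "host": host,
                        "port": row["port"], "state": state})
    return results


def unreachable(results):
    """Return the probed rows that did not accept a connection."""
    return [r for r in results if r["state"] not in ("open", "skipped")]


if __name__ == "__main__":
    # Constructed host names; replace them with your own deployment.
    deployment = {
        "SQL Service Repository": "sqlrepo.example.internal",
        "Scan Engine": "scan01.example.internal",
        "Sensor": "sensor01.example.internal",
    }
    for result in check_from("console", deployment):
        print("{component:24} {host}:{port:<6} {state}".format(**result))
```

Run it on the machine that plays the given role, for example with `"console"` on the Console server, because a port can be open from one network segment and filtered from another.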

1.5 Understanding the DbProtect Interface

The Console is the primary user interface for DbProtect. The Console is a web browser-based, graphical interface that allows you to navigate to the various features of DbProtect.

1.5.1 Logging In to the Console

To use a browser to connect to the DbProtect Console:

1. Enter https://[ConsoleServer]:[Port] in the Address line, where:

    • ConsoleServer is the hostname or IP Address of the Console server

    • Port is the port number where the Console Management Server has been configured to provide service. The default port as installed is 20080.

    Example: https://DbProtect_server:20080

2. A Security Alert message may display, warning you of an invalid security certificate. DbProtect uses a self-generated SSL certificate by default to encrypt communications. You can safely continue.

    Note: DbProtect is designed to use only Secure Sockets Layer (SSL) communication, which encrypts your user name and credentials prior to transmission to DbProtect. DbProtect then uses the Windows Authentication subsystem to verify the credentials. For information about how to generate and install a valid certificate, see Trustwave Knowledge Base article Q18830.

3. The DbProtect Console login page displays.

4. From the Log In menu, select Use Windows Authentication or Manually.

5. If you select Use Windows Authentication, DbProtect uses your Windows login credentials to log on to DbProtect.

6. If you select Manually, you are prompted to enter your login credentials.

    • In the Username field, enter your DbProtect user name. You can also enter the domain information in this field in usual Windows formats such as domain\username

    • In the Password field, enter the password that matches the user name.

    • Use the Domain menu to select the domain for the user name, or manually enter a domain in this field.

7. Click Log In. If the credentials you entered are valid, the DbProtect Console displays.
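Because the default certificate in step 2 is self-generated, the browser cannot tell you whose certificate it is; the following added example (not part of the DbProtect guide or product) compares the certificate the Console actually presents with a SHA-256 fingerprint recorded out of band. It assumes an administrator has read that fingerprint from the certificate on the Console server itself; all function names are this example's own.

```python
"""Added example, not part of the DbProtect guide: check the Console's
self-generated certificate against a fingerprint recorded out of band."""
import hashlib
import hmac
import socket
import ssl
import sys

DEFAULT_CONSOLE_PORT = 20080  # default Console port given in section 1.5.1


def fingerprint_from_der(der_bytes):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def fingerprint_from_pem(pem_text):
    """Same fingerprint, starting from a PEM export of the certificate."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem_text))


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_pinned(der_bytes, pinned):
    """True only if the certificate's fingerprint equals the recorded one."""
    return hmac.compare_digest(fingerprint_from_der(der_bytes),
                               normalize_fingerprint(pinned))


def fetch_presented_certificate(host, port=DEFAULT_CONSOLE_PORT, timeout=5.0):
    """Return the DER certificate the server presents.

    Chain and host name validation are switched off on purpose: a
    self-generated certificate would fail them, and the decision to trust
    is made by the fingerprint comparison instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_console(host, pinned, port=DEFAULT_CONSOLE_PORT):
    """Fetch the presented certificate and compare it with the pinned value."""
    der = fetch_presented_certificate(host, port)
    return {"host": host, "port": port,
            "presented": fingerprint_from_der(der),
            "trusted": matches_pinned(der, pinned)}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_console_cert.py <console-host> <sha256-fingerprint>")
    outcome = verify_console(sys.argv[1], sys.argv[2])
    print(outcome)
    sys.exit(0 if outcome["trusted"] else 1)
```

A mismatch means the browser is not talking to the certificate you recorded, so stop before entering credentials and check the Console server and the network path.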


Figure 1: DbProtect Console Initial View

1.5.2 Troubleshooting Your DbProtect Console Login

If you have trouble logging on to the DbProtect console, you may need to troubleshoot your security settings or change your browser configuration.

• With Internet Explorer, if Integrated Windows Authentication is enabled, Windows users are authenticated automatically if possible.

• Ensure that JavaScript is enabled in the browser.

• The Console provides basic functionality in current versions of major browsers. You may see slight variations in presentation of pages between browsers. Internet Explorer for Windows is the fully supported and tested browser.

1.5.2.1 Session Timeout

When there is no activity on your machine for a specified period of time, you are logged out. You must log in again by returning to the login screen.


1.5.3 Adding the DbProtect URL to Your List of Trusted Intranet Sites In Internet Explorer

In order for single sign-on (SSO) to function properly, you may need to configure Internet Explorer by adding the DbProtect URL to your list of trusted intranet sites.

Note: The following steps explain how to configure Internet Explorer 11. Steps may vary slightly for other browser versions.

To add the DbProtect URL to your list of trusted intranet sites:

1. Choose Tools > Internet Options to display the Internet Options dialog box.

2. Select the Security tab.

3. Select Local Intranet from the list of zone sites (at the top of the Internet Options dialog box).

4. Click Sites to display a Local intranet dialog.

5. Click Advanced to display a second Local intranet dialog that allows you to enter URLs.

6. Add https://[dbprotecturl] to the Add this website to the zone field, where [dbprotecturl] is the DbProtect Console URL.

7. Click Add to add DbProtect to your list of trusted local intranet sites.

8. Click Close.

9. Click OK.

10. On the Internet Options dialog, click OK.

1.5.4 Pages in the DbProtect Console

The application tabs in the upper part of the page allow you to use all the functions of DbProtect. Depending on user permissions and licensing, some tabs may not display. The tabs are divided into three sections.

1.5.4.1 Report Section

The Report section of the Console allows you to generate, view, and save detailed information on product activity and findings. The tabs in this section include:

Dashboard

Provides an overview of DbProtect findings in graphical format. For more information, see “Dashboard” on page 28.

On Demand

Provides a list of available report types that you can generate at any time. Also includes a special report that lists and describes all report types available in the current Analytics Content update. For more information, see “On Demand Reports” on page 29.

History

Lists previously generated reports that you can access. For more information, see “Report History” on page 30.

1.5.4.2 Manage Section

The Manage section of the Console allows you to find and list scannable databases, and set up DbProtect activities for those databases. The tabs in this section include:

Assets

Allows you to create asset (database) entries manually, import entries from a file, and edit existing entries. For more information, see “Working with Assets” on page 34.

Monitoring

Allows you to edit monitoring policies for databases, and set up real time monitoring and alerting based on the policies. For more information, see “Working with Monitoring” on page 43.

Jobs

Allows you to create testing and review activities for a database or group of databases, and run these activities on demand or on a schedule. For more information, see “Working with Jobs” on page 62.

1.5.4.3 Set Up Section

The Set Up section of the Console allows you to manage user permissions, set up grouping for users and servers, and manage licensing and other overall server settings. The tabs in this section include:

Users & Orgs

Allows you to create organizational containers for permission purposes and assign policies to the organizations. Also allows you to add Windows users to the DbProtect system, and assign permissions to the users. For more information, see “Working with Users and Organizations” on page 72.

System Settings

Allows you to review system performance, manage licensing and email sending settings, and manage Scan Engine registrations. For more information, see “Working with System Settings” on page 79.

1.5.5 Global Navigation in DbProtect

For a typical view of the basic DbProtect Console screen layout, see Figure 1 on page 17.

The upper right portion of the screen shows the account ID of the logged-in user, help and new feature information, and the log out link.

Many panes of the console show data in lists. Common tools for list views include:

Table 2: Common List Tools

• Refresh the list

• Click to enable or disable Auto-Refresh of the list

• For views with a hierarchy, expand or collapse all descendants

• Click any column heading to sort

• Click the down arrow at the right of any column header to:

    • Sort ascending or descending

    • Show or hide columns

    • Filter by text in any column

• For views with a top and bottom pane, place the cursor over the space between panes. When the pointer displays as shown, click and drag to change the amount of space used by each pane

• For lists with many entries, move through multiple pages of the list, and adjust the number of items on each page. If the selected number of items does not fit in the pane, scroll through items using the scroll bar at the right side of the pane.

1.5.6 Selecting Organizations

Report dashboards, on demand reports, and Monitoring show data from specific organizations as shown at the top right of the content pane. To change the Organization, click Edit and then make selections on the Organization Selector window.

• To expand or collapse the tree view of descendant organizations, click the expand/collapse icon.

• Select an organization.

• For reports, you can choose to include all descendant organizations of the selected organization.

• You can choose to apply the selection to both reporting and monitoring, or only to the part of the Console where you opened this window.

• To apply your selections, click OK.


2 DbProtect Workflow

This section of the User Guide is an overview of typical steps involved in using the product.

DbProtect allows you to delegate these steps to a number of users.

User access to perform actions in the Console depends on the user’s Role (permissions) for the DbProtect application, and for the Organization that an Asset is associated with.

2.1 Product Installation

2.1.1 Installing the Console and Enterprise Services Host

The core of the DbProtect system is the data warehouse, data processing server, and web user interface server. You install these components using the main installation package. For details, see the DbProtect Installation Guide.

2.1.2 Installing Sensors and Scan Engines

Sensors are the software components that monitor database activity. Sensors can be network based (scanning remote databases) or host based (scanning databases on the same server). For details of sensor requirements and installation, see the DbProtect Sensor Installation and Configuration Guide.

Scan Engines are the software components that perform database discovery, penetration testing, auditing, and rights review. For details of scan engine requirements and installation, see the DbProtect Installation Guide.

2.2 Adding Users and Organizations

2.2.1 Users

DbProtect Users are imported from Microsoft Active Directory or from the local server where the DbProtect Console is installed. A user logs on to DbProtect with their Windows credentials.

All functions of DbProtect are restricted by role-based access. Access to each function is controlled by particular permissions that are granted to a user through a role assigned to the user. The typical users of the product have been separated into two groups, system and organization. These groups mirror the typical scopes of access control in most environments.

As part of initial setup, the initial user should import additional users and grant role access to them.

For more information, see “Users” on page 74.

2.2.2 Organizations

An Organization contains scannable Assets (database servers), as well as scanning Assets such as Sensors.


Typically an Organization groups servers that have similar check requirements based on the server type and/or regulatory environment. You can assign Policies that will apply to all Assets. You can grant Users one or more specific Roles in one or more Organizations.

As part of initial setup, the initial user should create Organizations to reflect the known and expected structure of databases in the enterprise.

Once Users are granted permissions in the Organizations, additional tasks such as asset management, job creation, and reporting can be delegated to the users.

For more information, see “Organizations” on page 72.

2.3 Adding Database Assets

An Asset is a scannable database or scanning component known to DbProtect. Before you can perform other activities such as penetration tests or monitoring, you must add the target databases as Assets.

You manage Assets using the Console. You can add database instance entries manually, import entries from a file, and edit existing entries. For general information about Assets, see “Working with Assets” on page 34.

2.3.1 Asset Discovery

You can add assets by running a Discovery job. Discovery actively scans network segments, collecting an inventory of database components.

To create an Asset Discovery job:

1. On the main Jobs tab, click New Job to open the Create a Job wizard.

2. On the first page of the wizard, select the Discovery template. Enter a name, and select the organization to use for this job. Optionally add a verbose description to help document the job purpose. Click Continue.

3. Add criteria for discovery. For more information, see “Discovery” on page 69.

4. Asset discovery jobs do not have any specifically associated reports. You may want to run an Asset Inventory report as part of the job, or run the New Assets report after the job completes.

5. When you have entered the settings, click Create to save the job.

To run the Asset Discovery job, select it on the Jobs page and click Run now.

Discovered assets display in the Assets list. After the job completes you should review the list and update attributes of each asset.

2.3.2 Adding Assets Manually

You can add assets individually using the Console. For more information, see “Adding an Asset” on page 35.

You can import asset definitions in bulk from a file. For more information, see “Importing Assets” on page 36.


2.4 Penetration Testing

A Penetration (Pen) Test assesses the security of your applications by running security checks, based on a policy you choose.

Penetration Tests:

• are run from an “outside-in” perspective

• give a good analysis of what a hacker or intruder might discover when attempting to bypass your application’s defenses

• commonly uncover mis-configuration errors in addition to well-known application vulnerabilities

A Penetration Test probes your database from an external or “outside-in” perspective. The test queries network services anonymously to look for a variety of information. When you set up a Pen Test you do not provide a username or password.

During the course of a Pen Test, DbProtect can run tests which could result in acquiring a valid username and password that any anonymous attacker could discover and potentially use to authenticate to the application. In such cases, DbProtect performs the authentication in order to gather additional information from the application. The test may connect to the database and gather username and password hashes, or configuration values. A Penetration Test does not make any updates or changes to your database.

A Pen Test is created as a job that you can run immediately, or schedule to run one time or repeatedly.

To create a Pen Test job:

1. On the main Jobs tab, click New Job to open the Create a Job wizard.

2. On the first page of the wizard, select the Pen Test template. Enter a name, and select the organization to use for this job. Optionally add a verbose description to help document the job purpose. Click Continue.

3. Add a list of assets to be tested.

4. Select one or more policies to use. For more information about Policies, see “Working with Policies” on page 84.

5. On the Reports page, set up one or more reports to run as part of this job.

    • Click Add Report.

    • Choose a report from This Job’s Results (recommended), or another report. (“Other” reports gives access to all available reports, whether or not they provide output related to the job.)

6. When you have entered the settings, click Create to save the job.

To run the job, select it on the Jobs page and click Run now.

To schedule the job, use the schedule button on the Jobs page.

For more information about creating Pen Test jobs, see “Audit, Pen Test, or Rights Review” on page 66.

For general information about Jobs, see “Working with Jobs” on page 62.


2.5 Auditing

An Audit tests the security of your application using an “inside out” approach. Audits require that you have authenticated access to the target database systems. An Audit checks the selected Assets for password configurations, table access, user roles, and other areas that could have vulnerabilities.

To create an Audit job:

1. On the main Jobs tab, click New Job to open the Create a Job wizard.

2. On the first page of the wizard, select the Audit template. Enter a name, and select the organization to use for this job. Optionally add a verbose description to help document the job purpose. Click Continue.

3. Add a list of assets to be tested.

4. On the Credentials page, review the credential status for each selected Asset. Each Asset should display a green circle, or green check mark for one type of credential, indicating adequate permissions.

    • You can provide credentials in a number of ways: in the Asset definition, as an Override within the wizard, or interactively when the job is running. For more information see the respective sections in this Guide.

    • You can run a Credential Test job to check the available credentials for any saved job.

5. Select one or more policies to use. For more information about Policies, see “Working with Policies” on page 84.

6. On the Reports page, set up one or more reports to run as part of this job.

    • Click Add Report.

    • Choose a report from This Job’s Results (recommended), or another report. (“Other” reports gives access to all available reports, whether or not they provide output related to the job.)

7. When you have entered the settings, click Create to save the job.

To run the job, select it on the Jobs page and click Run now.

To schedule the job, use the schedule button on the Jobs page.

For more information about creating Audit jobs, see “Audit, Pen Test, or Rights Review” on page 66.

For general information about Jobs, see “Working with Jobs” on page 62.

2.6 Rights Review

Rights Review is a deep analysis of user and role entitlements on a database. This type of scan analyzes database user and role privileges, to help guard against the possibility of unauthorized access to data. Rights Review scans identify “privileged users” and access to sensitive database objects.

To create a Rights Review job:


1. On the main Jobs tab, click New Job to open the Create a Job wizard.

2. On the first page of the wizard, select the Audit template. Enter a name, and select the organization to use for this job. Optionally add a verbose description to help document the job purpose. Click Continue.

3. Add a list of assets to be tested.

4. On the Credentials page, review the credential status for each selected Asset. Each Asset should display a green circle, or green check mark for one type of credential, indicating adequate permissions.

    • You can provide credentials in a number of ways: in the Asset definition, as an Override within the wizard, or interactively when the job is running. For more information see the respective sections in this Guide.

    • You can run a Credential Test job to check the available credentials for any saved job.

5. Select one or more policies to use. For more information about Policies, see “Working with Policies” on page 84.

6. On the Reports page, set up one or more reports to run as part of this job.

    • Click Add Report.

    • Choose a report from This Job’s Results (recommended), or another report. (“Other” reports gives access to all available reports, whether or not they provide output related to the job.)

7. When you have entered the settings, click Create to save the job.

To run the job, select it on the Jobs page and click Run now.

To schedule the job, use the schedule button on the Jobs page.

For more information about creating Rights Review jobs, see “Audit, Pen Test, or Rights Review” on page 66.

For general information about Jobs, see “Working with Jobs” on page 62.

2.7 Discovery

You can use a Discovery job to check periodically for unknown database instances.

Set up a job to scan selected network segments and database types. Set up a schedule for the job.

For more information about creating Discovery jobs, see “Discovery” on page 69.

For general information about Jobs, see “Working with Jobs” on page 62.

2.8 Monitoring

DbProtect Database Activity Monitoring allows you to set up real time monitoring and alerting for database activity based on built in policies, and policies that you customize. Monitoring has very powerful capabilities. You can monitor activity for a specific user, table, or field, or any combination.

For full information about Monitoring, see “Working with Monitoring” on page 43.

2.9 Reporting

DbProtect provides detailed Reporting on the results of tests and monitoring. One or more Reports can be run as part of a test or audit Job. Reports can also be run as stand-alone jobs, or created on demand. Reports can be delivered by email to users.

The DbProtect Dashboard gives quick access to an overview of assets, monitoring, and testing status.

• For more information about Reporting, see “Working with Reports” on page 28.

The Assets tab of the Console also allows you to search the list of known Assets by criteria such as database type and network location.

• For more information about searching Assets, see “Searching Assets” on page 40.

2.10 Investigation and Remediation

DbProtect is designed to help you to learn about the strengths and weaknesses of your database assets. It is up to the organization to review the results of testing and monitoring. The goal of the review will be to identify items that require action, as well as to validate the appropriate access to assets.

This investigation usually requires input from database owners and application developers, as well as the organization’s security team.

Based on the investigation of results, the organization will:

• Take action to resolve security issues (for example, updating service packs and security policies)

• Document allowed database activity

• Update DbProtect Policies to minimize alerting on allowed activity

3 Working with Reports

The Report section of the DbProtect Console allows you to generate, view, and save detailed information on product activity and findings.

Before you can run meaningful Reports, you must configure Assets and scan or monitor the Assets. See “DbProtect Concepts” on page 11.

DbProtect provides a large number of Reports. New reports might be added when you update Analytics Content. You should always update to the latest available version of Analytics Content to ensure that you have the most up to date reporting functionality.

Note: To generate a list of all available reports, including descriptions of purpose and output formats, run the Report Catalog from On Demand Reports. See “Report Catalog” on page 30.

The Report section of the Console has three sub-sections: the Dashboard, On Demand Reports, and Report History.

You can also run Reports from a Report Job, and as part of some other Job types. Reports in Jobs allow you to select result filtering and scope before running the Report. You can access the output of these report jobs from the Report History list. You can also choose to send report links by email. For details, see “Working with Jobs” on page 62.

Note: User access to Reports depends on the user’s Role (permissions) for the DbProtect application, and for the Organization that an Asset is associated with.

3.1 Dashboard

To open the Dashboard, click Report > Dashboard.

The Dashboard includes four sets of summary data based on features of DbProtect. The summaries include:

Security Position

Shows “most hackable” (assets at risk), weak passwords, findings by severity, findings by trend over time, and age of scans.

Rights Review

Shows privileged users, top explicit permission grants, grant trends and privileged user trends.

Activity Monitoring

Shows threats by severity, compensating controls, and database inactivity trends.

Asset Inventory

Shows assets by type and by scan status (scanned or never scanned).

Select an option to view the available graphs.

Note: Some graphs might not be available if the required scanning or monitoring to provide data has not been completed.

Figure 2: Sample DbProtect Dashboard

The Dashboard includes data from a specific organization, as shown at the right above the graphs. To change the Organization, click Edit and then make selections on the Organization Selector (see “Selecting Organizations” on page 20). To refresh the graphs, click Refresh.

3.1.1 Details and Drill-down

In dashboard graphs, hover the mouse pointer over a region on a graph to see details of the data. Click the region to drill down to details of the data.

In some cases you can drill down to more complete information by clicking View Detail or View full list.

3.2 On Demand Reports

To open the On Demand Reports list, click Report > On Demand.

This page lists reports that you can generate in real time. The list is grouped by report type. You can search for reports by entering part of a report name in the Find A Report field and then clicking the search button.

On Demand Reports include data from a specific organization, as shown at the right above the list of reports. To change the Organization, click Edit and then make selections on the Organization Selector (see “Selecting Organizations” on page 20).

To run any report, click the report name. The report opens in a new browser tab or window.

Some reports require filter input (such as date ranges) to display data. Many reports offer additional filters that you can specify once the report is generated. For details, see “Report Output” on page 30.

3.2.1 Report Catalog

The Report Catalog is a special report that lists all available reports in the currently installed Analytics Content release. To run this report, from the On Demand Reports list, choose Learn more about all available reports (top right of the On Demand listing).

Figure 3: Sample Report Catalog Output

3.3 Report History

To open the Report History list, click Report > History.

This page lists reports that were generated and delivered by jobs.

The list shows the date of delivery, report name and template, job name, organization reported on, and report output type.

To view or download the report, click on the report type link.

To delete one or more reports, select them using the checkboxes at the left. The header checkbox selects all items. When you have selected items, click Delete to delete them.

3.4 Report Output

Report output from the On Demand page or drill down reports from the Dashboard displays in a web browser window similar to that shown below.

Common features of all reports include:

• Report title and properties at top left.

• View Filters link. For more information about filters, see Section 3.5.

• Report description.

• Graphical presentation. To drill down (if available), click a region on the graphs.

• Table of details. Click a column heading to sort by that column. From a sorted view, you can go back to the default presentation by clicking revert to default sort at the top of the table.

• Page navigation controls at the bottom left (if the report includes more than one page of output).

3.5 Report Filters

After you run a report from the On Demand page or in some cases from the Dashboard, you can customize the output by adding filters to the report.

To filter your report:

1. Run the report.

2. Click the Filter link at the top of the report.

• The filters available depend on the type of report. Options might include filtering results by asset type, category type, result status, risk level, asset name, and logical expression.

3. Specify your preferences in the filter window.

• Set month/year or quarter/year dates to filter by date.

• Select (or clear) the boxes for each asset type to specify the Asset Types to include.

• Select (or clear) the boxes for each check category, risk level, and result status to specify the results to include.

• Click All or None above any set of items to select or clear all items.

• Choose to include Knowledgebase Articles that provide details of checks and vulnerabilities.

• Specify one or more advanced options, and specify how the advanced options should be combined. You can click the + at the right of the advanced option line to add another line.

The image below shows some (but not all) of the available report filters.

4. When you have finished configuring report filters, click Apply. DbProtect re-generates your report using the filters you specified.

5. You can alter the filters as often as you wish and click Apply to re-generate the output.

3.5.1 Running a Report In a Job

When you have created report filters, you can re-use the filters to create a Report Job.

1. From the Report Filters pane, click View options to run this report in a job.

2. Choose either Report Job or Filter Shortcut.

3. For Report Job, choose a report output type and then click Create Job to open the job management page for further inputs. See “Working with Jobs” on page 62.

4. For Filter Shortcut, click Generate Shortcut and then copy the result. You can use this output to create or edit a job with customized filtering.

3.6 Common Questions About Report Output

3.6.1 Differences between On Demand Reports and Job Reports

On Demand Reports and Job Reports on the same Assets might show different results.

• When an On Demand report is requested, DbProtect calculates an effective Policy based on all Policies available to the Organization. The report output shows the last result of all checks that were run against all the Assets, based on that Policy.

• When a report is generated as part of a specific audit job, the report output shows only results from that run of the job. These results will usually have a much more focused effective Policy.

4 Working with Assets

The Assets section of the DbProtect Console allows you to create, view, and manage assets in the DbProtect repository. Assets include scannable database instances, redirectors, and DbProtect Sensors.

You can add database instance entries manually, import entries from a file, and edit existing entries.

To scan for database instances and add them to the asset list automatically, use a Discovery Job.

To open the Assets page, click Manage > Assets.

Figure 4: DbProtect Assets Page

By default the asset list shows only scannable assets. To see all assets, use the View menu at the right of the list heading.

You can sort and filter the list using standard tools (see “Global Navigation in DbProtect” on page 19). You can search for specific assets (see “Searching Assets” on page 40).

Note: User access to add, view, and manage Assets depends on the user’s Role (permissions) for the DbProtect application, and for the Organization that an Asset is associated with.

4.1 Adding an Asset

To add a single asset manually:

1. Click New Asset to open the Create an Asset window.

2. On the Create an Asset window, enter the required information:

• Name: A friendly name for this asset.

• Organization Associations: Click Select to choose an organization.

Note: To associate an asset with more than one organization, after creating it use the Manage Org Associations function.

• Type: Select the database server type.

• Database/Instance/SID: Enter the instance or SID name of the database.

• Endpoints: Enter a host name or IP address and port, and then click Add Endpoint Below. You can repeat this action to add additional endpoints if required.

• If you add multiple endpoints, you can set one as preferred, or allow the system to choose.

• Version (optional): Enter the database software version.

Note: Although the Version selection is optional, the value can affect the results of a scan. You should select the version if known.

For additional details about expected values for some fields, click

• Platform (optional): Enter the operating system.

Note: Although the Platform selection is optional, the value can affect the results of a scan. You should select the platform if known.

• Attributes (optional): For each attribute you want to add, enter a name and value, and then click Set. You can use Attributes to refine searches. For a list of attribute names that have special meanings, click View system attribute names.

3. If you want to create additional assets, check the box Create another asset.

4. Click Create. The asset is added to the list.

Note: If an identical asset already exists, the new asset is not added. Assets are uniquely identified by the Host Name, Instance Name, and Port.

4.2 Importing Assets

You can import multiple assets by pasting a list in Comma Separated Value format (CSV). The CSV data must include a header row and a number of fields. Additional fields are optional.

To import assets:

1. Click Import.

2. In the Assets field, paste CSV formatted data. For more information about the data format, click View Sample File.

3. In the Asset Identity Descriptors field, optionally enter a list of fields in the imported data that will be treated as part of the unique asset identifier. By default the required fields host name, port, and instance name are used.

4. In the Organization pane, select the Organization where new assets will be created. You can also include Organization information in the CSV input.

5. Click Test Import. If the test is not successful, make required changes to the data.

6. When the test is successful, click Import.

4.3 Editing an Asset

To edit the basic properties of an asset, such as the name, instance, endpoints, and attributes, select the asset and then click Edit.

4.4 Deleting Assets

To delete one or more assets, select them using the checkboxes at the left of the list, and then click Delete.

4.5 Asset Details and Credentials

To view details of an existing asset, highlight it in the list. The lower pane of the window displays the asset details on two tabs (Details and Credentials).

• To view basic information about testing and monitoring activity for this asset, click View Summary Report. From the Summary Report window you can generate a number of drill-down reports showing detailed information.

• To view credentials that are configured for the asset, click the Credentials tab.

• The list shows the type of credential (shared, or for an individual asset), the credential group and organization, service type (Windows or database), and the date and results of credential testing.

• To add credentials:

1. Click New Credentials and then select the type. Available types depend on the database type.

2. Select a Credential Group and Authentication Type.

3. Enter the credential information appropriate for the type, and then click Test.

4. If the test is successful, click Save to save the credentials for this asset.

For additional details about expected values for some fields, click

• To delete credentials for this asset, select one or more items using the checkboxes, and then click Delete.

• To test one or more sets of credentials, select them using the checkboxes, and then click Test.

4.6 Managing Organization Associations

To add or remove organization associations for one or more assets:

1. Select the assets using the checkboxes at the left of the list.

2. Click Manage Org Associations.

3. On the Organization Selector window, select one or more organizations using the checkboxes, and then click OK.

4.7 Managing Attributes for Multiple Assets

To add or remove attributes for one or more assets:

1. Select the assets using the checkboxes at the left of the list.

2. Click Manage Attributes.

3. On the Manage Attributes window, existing attributes and values are listed. If an attribute has different values for different assets, click the arrow to list all values.

4. Select an attribute to populate the name and value fields. Edit the entries, and then click Set.

5. To delete an existing attribute, click Delete for the line in the list.

6. When you have set all attributes, click Save to apply the changes.

4.8 Managing Credentials

DbProtect can use three types of credentials to run scans that require them. Since credentials can be defined at various levels of scope, jobs will evaluate and use credentials in an order of precedence as follows:

• Job-based Credentials: defined as part of a job.

• Asset-based Credentials: defined for a particular asset.

• Shared Credentials: defined for a group of assets matching a search expression.

Note: If more than one credential is defined for an asset, jobs will evaluate the credentials in the above order. Credentials can only be used in the same organization in which they are defined.

Note: If credentials for an asset are not correct at job run time, you can update the credentials and continue the job (depending on job settings).

To manage credentials, use the Manage Credentials menu at the top right of the Assets window.

• If an individual asset is already selected, click Manage Credentials for Asset to view the credential listing in the bottom pane of the asset page. See “Asset Details and Credentials” on page 37.

4.8.1 Importing and Exporting Credentials

To import credentials in CSV format:

1. Click Import Organization Credentials.

2. Paste CSV data. For a sample of the data format, click View sample file.

3. Select an organization.

4. Click Test Import. If the test is not successful, edit the CSV data.

5. If the test is successful, click Import.

To export credentials in CSV format:

1. Click Export Organization Credentials.

2. Select an organization, and then click Export Credentials...

3. Copy the resulting CSV data.

Note: Passwords are included in encrypted format.

4.8.2 Managing Per-Asset Credential Groups

Most management for Per Asset credentials is performed by selecting the asset and then using the Credentials tab in the lower pane.

From the Manage Credentials menu, you can see a list of per-asset credential groups with the number of credentials each contains. You can delete any group.

To view and work with the per-asset groups, from the Manage Credentials menu click Manage Per Asset Groups.

4.8.3 Managing Shared Credential Groups

DbProtect allows you to create shared credential groups that contain credentials common to a set of assets. Whenever a job requires credentials for an asset and no per-job or per-asset credential is successfully applied, the job will attempt to use shared credentials.

Note: Use of shared credentials is not best security practice. You might use shared credentials in a pre-production or testing environment.

To manage shared groups:

1. From the Manage Credentials menu click Manage Shared Groups.

2. To add a group, click New Group. Give the group a name, select an organization, and define the group using an asset search query (see Section 4.9). Click Create to create the group.

3. To edit group membership, select a group and then click Edit. Modify the name and/or the asset query, and then click Save.

4. To add credentials to a group, select it and then use the Add Credentials menu to choose a credential type. Make appropriate entries on the Add Credentials window, and then click Save.

For additional details about expected values for some fields, click

5. To delete a credential or a group, select it in the list and then click Delete.

6. To close the shared groups window, click OK.

Note: The shared credential window does not provide a test option. Before running jobs that use shared credentials you should test the credentials for some or all of the assets selected, by selecting the asset from asset search results and using the credential tab on the lower pane.

4.9 Searching Assets

You can limit the list of assets presented on the Assets page by performing a search. Search queries can be defined using either or both of the following options:

• One or more “facets”. Facets are specific features of assets that have a limited number of possible values, such as database type and network location.

• A search expression, optionally using Boolean, likeness, string, and arithmetic operators.

You can save a search query for later use.

To construct and use search queries see the left pane of the Assets page (see Figure 4 on page 34). If this pane is hidden, click the arrow at the top left of the search results to expand it.

4.9.1 Facets

You can limit the search by one or more of the following facets:

• Databases: Database technologies and versions, such as Microsoft SQL Server 2012 Express

• Networks: IPv4 class A or class B networks such as 10.*.*.* or 10.2.*.*

• Platforms: Operating System versions such as SCO Unix or Microsoft Windows x86

• Organizations: Groupings of assets that you have created

To select facet entries, click the arrows to expand each facet. Choose the types to include by checking the boxes.

• To view all possible types in a facet, click more. To select all types, click all. To clear all types, click clear.

To apply the facet and search expression selections, click Update Search Results.

To reset all facet and search expression selections, click Reset at the bottom of the pane.

To save the facet and search expression selections, click Save Search Query As at the bottom of the pane.

4.9.2 Search Expressions

You can enter plain text to search for the text in any text field.

• For example, if you enter express and click Update Search Results, the results include assets with a name or a database instance name that contains the string EXPRESS.

Note: If you define both an expression and facets, only items matching both will display in the results.

You can enter a search expression. Expressions must be enclosed in parentheses ( ) and can include operators and asset attributes.

To apply the search expression and facet selections, click Update Search Results.

To reset all facet and search expression selections, click Reset at the bottom of the pane.

To save the facet and search expression selections, click Save Search Query As at the bottom of the pane.

The tables below show valid operators and some available attributes.

• An expression must be surrounded by parentheses.

• An expression using a 'like' operator that does not include explicit % characters (any substring) assumes that they are present at the beginning and at the end of the pattern. For example, ~ 'test' is treated as ~'%test%'.

• The operators 'exists' and 'not exists' can only be used with attribute names.

• Single or double quotes can be used when writing strings (the opening and closing quote must be the same). For example, 'test' is the same as "test".

Table 3: Search Query Operators

Operator        Meaning and example

=, !=           Equals, does not equal
                • (type != 'oracle') matches items that are not type Oracle

~, !~           Like, not like
                • (type ~ 'sql') matches items where the type contains the string sql

>, >=, <, <=    Greater than, Greater or Equal, Less than, Less or Equal
                Performs string comparison
                • (host > '10.1') matches items with network (host) string of 10.2.*.* and above, or alphabetic host names

exists          Attribute is defined for the item
                • (not exists scanGroup) matches items that do not have a scanGroup attribute

in              Value is one of the listed values
                • (scanGroup in ('west', 'north')) matches items that have a scanGroup attribute with one of the two listed values

and, &&         Logical AND
                • (type='Microsoft SQL Server' && administrator = 'mike')

or, ||          Logical OR
                • (type = 'Microsoft SQL Server' or name like 'IBM')

not, !          Logical NOT
                • (osType = 'windows' and type != "Microsoft SQL Server")

%               Wildcard (zero or more characters)
                • (name ~ 'houston%') matches items with names beginning houston

_               Wildcard (exactly one character)
                • (name ~ 'route_6') matches (for example) route66 or route76

Table 4: Some Pre-Defined Attributes

Attribute Name  Function

type            Database Server Type

osType          Operating System

name            Asset Name

host            Networks

scanGroup       Optional Scan Group attribute to control association of scannable assets with Scan Engines

4.9.3 Saved Search Queries

You can save search queries to quickly return to a custom view of the asset search results. You can also use saved queries when you create Jobs.

To save the search query (facet and search expression selections):

1. Click Save Search Query As at the bottom of the pane.

2. Enter a name, and select an organization to associate the query with.

3. Click Save.

To use a saved query, click Saved Search Queries at the top of the pane, and select an item from the list. The results will be updated to match the query. You can modify the query and then save changes using the Save tab above the search expression field.

To return to an unfiltered view, click the Close tab above the search expression field.
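Because asset search queries also scope Jobs and shared credential groups, the like and string-comparison rules in Table 3 decide which assets a query reaches. The following Python model is an added example, not DbProtect code, for previewing an expression such as (type ~ 'sql' and host > '10.1'). Assumptions: like matching ignores case, string comparison follows plain code-point order, and the inventory and helper names are hypothetical.

```python
import ipaddress
import re

# Constructed sample inventory for illustration; not DbProtect output.
ASSETS = [
    {"name": "houston-sql01", "type": "Microsoft SQL Server", "host": "10.2.4.7"},
    {"name": "houston-ora01", "type": "Oracle", "host": "10.10.0.15"},
    {"name": "route66", "type": "Microsoft SQL Server", "host": "9.20.1.3"},
    {"name": "test-express", "type": "Microsoft SQL Server", "host": "10.0.3.3"},
    {"name": "hr-sql02", "type": "Microsoft SQL Server", "host": "10.1.0.5"},
    {"name": "legacy-db", "type": "Oracle", "host": "dbhost01"},
]


def like(value, pattern):
    """Model of the ~ operator: % is any run of characters, _ is exactly one."""
    # Documented rule: a pattern without an explicit % is treated as %pattern%.
    if "%" not in pattern:
        pattern = "%" + pattern + "%"
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    # ASSUMPTION: matching ignores case, as the guide's (type ~ 'sql') and
    # plain-text "express" examples suggest.
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def string_gt(value, bound):
    """Model of > as a string comparison.
    ASSUMPTION: plain code-point ordering, as Python compares str values."""
    return value > bound


def numerically_above(host, prefix):
    """True if host is an IPv4 address above every address in prefix.*;
    None if host is not an IPv4 address (for example a host name)."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return None
    octets = prefix.split(".")
    upper = ipaddress.IPv4Address(".".join(octets + ["255"] * (4 - len(octets))))
    return addr > upper


def preview(assets, predicate):
    """Names of the assets a modelled expression would select."""
    return [a["name"] for a in assets if predicate(a)]


def out_of_range_matches(assets, bound):
    """Assets that a string-compared (host > bound) selects even though they are
    not IPv4 addresses numerically above bound.*; maps name to the reason."""
    flagged = {}
    for a in assets:
        if not string_gt(a["host"], bound):
            continue
        verdict = numerically_above(a["host"], bound)
        if verdict is None:
            flagged[a["name"]] = "host name, not an IPv4 address"
        elif not verdict:
            flagged[a["name"]] = "IPv4 address not above " + bound + ".*"
    return flagged


if __name__ == "__main__":
    # Model of (type ~ 'sql' and host > '10.1')
    query = lambda a: like(a["type"], "sql") and string_gt(a["host"], "10.1")
    print("selected:", preview(ASSETS, query))
    for name, reason in out_of_range_matches(ASSETS, "10.1").items():
        print("review:", name, "-", reason)
```

Confirm any real query with Update Search Results in the console before attaching it to a Job or a shared credential group.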

5 Working with Monitoring

The Monitoring section of the DbProtect Console allows you to edit monitoring policies for databases, and set up real time monitoring and alerting based on the policies.

To open the Monitoring page, click Manage > Monitoring.

Figure 5: DbProtect Monitoring Home Page

To select the Organization you want to work with, use the selector at the top right.

Note: User access to monitor Assets depends on the user’s Role (permissions) for the DbProtect application, and for the Organization that an Asset is associated with.

The Monitoring pages share a set of navigation tabs that allow you to configure and review monitoring. The tabs include:

• Home: Displays a graphical introduction to monitoring setup and workflow, and includes quick links for common tasks.

• Alerts: Displays a list of recent alerts from monitoring, and allows you to search and acknowledge alerts. Also provides a listing of archived alerts.

• Dashboard: Provides a quick overview of sensor health, unacknowledged alerts, and count of informational alerts.

• Reports: Directs you to the Latest Activity report in the main On Demand Report section of the console.

• Policies: Provides a view of existing Monitoring policies, and allows you to import, export, edit, and deploy policies.

• Filters: Allows you to add filter rules to refine database monitoring policies.

• Sensors: Allows you to register and configure monitoring sensors, and to deploy policies in bulk.

• Monitoring Settings: Allows you to configure email notifications based on Alerts.

5.1 Alerts

On this tab of the Monitoring section you can review alerts generated by monitoring sensors.

• To sort the list, click any column heading.

• To view details of an alert, click the alert ID number.

• To work with multiple alerts, check the boxes at the left.

The page allows you to take a number of actions.

5.1.1 Refreshing Alerts

To refresh the alert list, click Refresh.

To refresh automatically, set a time in seconds and then click Start. To stop refreshing, click Stop.

To change the auto-refresh interval, enter a time in seconds and then click Update.

5.1.2 Filtering Alerts

To filter alerts shown, make selections from the menus and/or enter parameters and then click Apply Criteria.

• You can set the count of alerts to display.

• You can enter SQL text to search for. SQL text is the text of a SQL query that executed and triggered the alert.

• You can choose to hide acknowledged alerts (default) or show them.

5.1.3 Acknowledging and Archiving Alerts

Acknowledging an alert indicates that you have reviewed it, and hides it by default in the list of alerts.

Archiving an alert moves the alert to the Archive list and also acknowledges the alert if it has not yet been acknowledged.

To archive or acknowledge alerts in bulk, use the buttons below the list.

1. Filter the alerts if required.

2. Select specific alerts, if required, using the checkboxes.

3. To archive or acknowledge all alerts shown, click Archive All Alerts or Acknowledge All Alerts.

4. To archive or acknowledge only the alerts selected, click the appropriate button.

5.1.4 Viewing Archived Alerts

To view the list of alerts that have been archived, click the Archive tab on the Alerts page. To return to the active list, click the Alerts tab.

5.1.5 Deleting Alerts

To delete archived alerts in bulk, use the buttons below the list.

1. Filter the alerts if required.

2. Select specific alerts, if required, using the checkboxes.

3. To delete all alerts shown (or only the selected alerts), click Delete All Alerts or Delete Selected Alerts.

You can also perform these actions for a specific alert from the detail window.

You can only delete alerts from the Archive list and not from the active alerts list.

5.1.6 Un-Archiving Alerts

To restore an individual alert from the archive to the active list, open the alert in the detail window, and click Unarchive.

5.1.7 Viewing Alert Details

To view details of an alert, click the alert ID number. The detail window provides a full listing of all available information about the alert.

You can choose to acknowledge or archive the alert.

You can create an exception based on the alert. An exception is a filter that closely matches the alert. The exception will be available to add to policies. For more information about creating exceptions, see “Filters” on page 52. For more information about adding filters to policies, see “Policies” on page 48.


5.2 Dashboard

The Monitoring Dashboard shows sensor health and alert status at a glance.

Sensors’ Health:

This section shows the number of registered sensors. If any sensors are not responding to the console, a list of details displays. For the most accurate information about unresponsive sensors, see the Alerts listing.

Unacknowledged Security Alerts:

This section includes two graphs. One shows the total number of unacknowledged alerts, and the other shows the number of unacknowledged alerts received today.

Informational Alerts:

This section shows the number of informational alerts received today.

5.3 Reports

In this version of DbProtect, all reports are managed from the Report section of the main user interface. To generate on-demand reports of monitoring activity, see Report > On Demand > Monitored Events.


5.4 Policies

This tab allows you to manage and deploy policies for sensors. A Policy is a collection of rules or activity monitoring checks. Trustwave provides a number of default Policies. You can also create your own Policies to meet your organization's security requirements.

5.4.1 Default Monitoring Policies

The following Policies are provided by default in this version of DbProtect.

• Accessing OS Resources: This Policy monitors attempts to access Operating System resources.

• Attacks Level 1, Attacks Level 2, and Attacks Level 3: These Policies monitor activity that could indicate attempts to attack the database. The Level 1 monitoring is the most basic; Level 3 is most comprehensive.

• Auditing Level 1, Auditing Level 2, Auditing Level 3, and Auditing Level 4: These Policies audit activity on your database. Level 1 audits are the least comprehensive; Level 4 audits are the most comprehensive.

• Buffer Overflows: This Policy implements all Rules related to buffer overflow attempts.

• FERC/NERC CIP Policy: This Policy is designed to monitor activity in line with the Critical Infrastructure Protection initiatives of the Federal Energy Regulatory Commission and North American Electric Reliability Corporation.

• FISMA Policy: The Federal Information Security Management Act (FISMA) provides a comprehensive framework for ensuring effective information security controls for all federal information and assets. This Policy includes the baseline rules and events to monitor all access to Federal databases.

• Gramm-Leach-Bliley Policy: This policy is structured following Gramm-Leach-Bliley Act (GLBA) standards and is recommended for use in a GLBA compliance assessment.

• HIPAA Policy: The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect all forms of personal health information (PHI), by defending the patients’ rights to have their health information kept private and preserving control of how their PHI data is used and when it is disclosed. This Policy includes the baseline rules and events to facilitate monitoring all access to PHI by unique ID.

• Miscellaneous: This Policy selects all Rules that detect attacks and events that do not fall within any of the other provided Policies.

• Password Attacks: This Policy includes all Rules that detect attempts to guess passwords by trying likely combinations of characters or exploiting certain vulnerabilities.

• PCI Data Security Standard: The Payment Card Industry (PCI) Data Security Standard offers a common framework for protecting sensitive cardholder data for all card brands. This Policy includes the baseline rules and events to facilitate monitoring all access to cardholder data by unique ID.

• Privilege Escalation: This default Policy includes all Rules that detect attempts to exploit known vulnerabilities to achieve privilege escalation, and in doing so perform tasks they are not authorized to perform.

• Sarbanes-Oxley Policy: The Sarbanes-Oxley Act (SOX) sets requirements for the integrity of financial reporting. This Policy includes the baseline rules and events to facilitate monitoring all access to SOX-relevant databases.

• Security Tools: This Policy includes all Rules that check for tools that scan your database, in order to determine who is running these tools, when, and against which database.

• Web Application Attacks: This default Policy includes all Rules that monitor against possible access-related attacks.

To review the specific rules included in each Policy, edit the Policy and expand the rule tree.

The sensors will send alerts triggered by the rules you enable in a policy. When you make changes to a policy, you must re-deploy the policy to sensors.

The Policy Manager page shows available policies and policy actions.

• The column “Deployment Count” indicates the number of sensors where the policy is deployed. Policies marked with * are “stale” (the latest edited version is not deployed).

Only one policy at a time can be deployed to each Sensor.


5.4.2 Deploying a Policy

To deploy a Policy:

1. Click the Deploy button for a named policy in the list.

2. On the Policy Deployment page, the list of available database applications shows configured Sensors and the currently deployed Policy for each (if any).

• You can limit the list by server type and search for text in the description.

• You can limit the list to sensors with stale policies.

3. Select one or more items and use the arrows to move the selected items into or out of the Deploy list.

4. Click Deploy to deploy the policy to the selected Sensors.

5. You can wait for deployment success or failure to be confirmed, or you can continue to work by clicking other tabs.

5.4.3 Re-Deploying More Than One Policy

To re-deploy the currently configured Policy for more than one Sensor:

1. Click Deploy Policies in Bulk.

2. On the Policy Deployment page, the list of available database applications shows configured Sensors and the currently deployed Policy for each (if any).

• You can limit the list by server type and search for text in the description.

• You can limit the list to sensors with stale policies.

3. Select one or more items and use the arrows to move the selected items into or out of the Deploy list.

4. Click Deploy to deploy the configured policies to the selected Sensors.

You can wait for deployment success or failure to be confirmed, or you can continue to work by clicking other tabs.

5.4.4 Creating a Policy

To create a Policy:

1. Click Create New Policy to open the Policy Details window. This window shows a tree view of available policy rules.

• Expand the tree to see available rules for each server type and category.

• Click the rule name to view details of the threats or behaviors covered in the right pane.

Exceptions that you have created display in the tree as branches below (within) the rule that you created an exception to.

2. Include items in your Policy by checking the boxes.

3. Set the risk level for each rule using the menu for that rule.

4. When you have completed your selections, enter a name for the Policy at the top, and then click Save.

The new Policy displays in the list of available Policies. You can choose to deploy this Policy.

5.4.5 Editing a Policy

To edit a Policy:

1. Click the Edit button for a named policy in the list to open the Policy Details window.

• Expand the tree to see available rules for each server type and category.

• Click the rule name to view details of the threats or behaviors covered in the right pane.

2. Include items in your Policy by checking the boxes.

3. Set the risk level for each rule using the menu for that rule.

4. When you have completed your selections:

• If you edited a custom policy that you created, you can click Save to save changes, or enter a new name and click Save As to save a new Policy and keep the existing policy.

• If you edited a built-in policy, you can only Save As (you cannot change built-in Policies).


The new or edited Policy displays in the list of available Policies.

After editing a Policy that is deployed, you must re-deploy the Policy to apply any changes to Sensors.

5.4.6 Deleting Policies

To delete a Policy that you created, click the Delete button for the policy in the list.

You cannot delete a policy that is deployed. Before deleting a policy, “un-deploy” it by deploying a different policy to any sensors where you were using it.

5.4.7 Exporting and Importing Policies

To export a Policy, click the Export button for the policy in the list. Save the XML file.

The file name is not the Policy name. The name is found within the file.

To import a Policy:

1. Click Import Policy.

2. Select a valid Policy XML file.

3. If you want to overwrite an existing Policy with the same name, check the box Import with overwrite.

4. Click Import.

5.5 Filters

This tab allows you to create and manage filters that can be included in Policies.

Filters allow you to create exceptions to rules and alerts. Filters also allow you to create rules specific to your environment (for instance, to monitor a specific function or procedure).


5.5.1 Creating Audit Filters

To create an Audit Filter:

1. In the Audit Filter Wizard pane, click Create.

2. Choose the database type and then click Next.

3. Choose one or more types of actions to audit, and then click Next. Available actions include SELECT, INSERT, UPDATE, and DELETE actions on tables and views, and EXECUTION of Stored Procedures and Functions.

4. Select the Database Instance to audit, and then click Next.

5. Select the Database to audit, and then click Next.

6. Select the objects to audit. Use ctrl-click to select multiple items from a list. For tables choose whether to audit on the column level. Click Next to continue.

7. If you chose to audit on the column level, select the columns to audit (for each table you selected).

8. Enter a title and other descriptive information for the audit. Select a Risk Level.

9. Review the detail of your Audit Filter. Click Back to make changes, or Save to create the filter.

10. To use the filter, add it to a Policy.

Items with Info level do not display in detail in the console.


5.5.2 Creating Exceptions

To create an Exception:

1. In the Exception Wizard pane, click Create.

2. Choose the database type and then click Next.

3. Select the rule that you want to create the exception for. If you want to create a global exception (not limited to specific rules), select All [database type] Activity.

4. Click Next.

5. Add one or more conditions that define the situations where the parent rule should not fire.

6. Edit the title and other descriptive information for the exception. The default values are based on the parent Rule.

7. Review the detail of your Exception. Click Back to make changes, or Save to create the filter.

8. To use the Exception, edit a Policy. Navigate to and expand the parent Rule, and select the Exception.

5.5.3 Creating Advanced Filters and Exceptions

To create an Advanced Filter:

1. In the Advanced Filter Wizard pane, click Create.

2. Choose the database type and then click Next.

3. Select the rule that you want to create the filter or exception for. If you want to create a global item (not limited to specific activity types), select All [database type] Activity.

4. Click Next.

5. Choose whether to trigger ONLY on the conditions, or EXCEPT when the conditions are met.

If you add more than one condition, the exception will only apply when ALL conditions are true.

• To make exceptions for several different single conditions, the preferred method for readability is to create an exception for each condition.

• You can also edit the expression using the Advanced Editor and change the <and> condition to <or>.

6. Enter expressions and conditions that define the filter.

• The filter is saved in an XML document and must be valid XML.

• Each Expression consists of a name, an operator, and a value. The Legend shows available operators and some common names.

• For a full list of names, see “Monitoring Filter Name Attributes” on page 98.

• Expressions can be combined using the operators AND and OR.

• Table 5 on page 55 provides explanations of the available Operators.

The expression editor performs some basic checking of the XML format and the contents of the expressions. The editor does not check for valid tag names.

A good way to understand the format of filters is to create some filters or exceptions using the wizards, and then edit them in the advanced editor to see how the information is saved.

Table 5: Filter Operators

| Operator | Usage |
|---|---|
| equals | Performs a case sensitive string comparison of the value and the named element. The value must match exactly. |
| notEquals | Performs a case sensitive string comparison of the value and the named element. The value must NOT match exactly. |
| equivalent | Performs a NON-case sensitive string comparison of the value and the named element. The value must match exactly, but letter case is ignored. |
| notEquivalent | Performs a NON-case sensitive string comparison of the value and the named element. The value must NOT match exactly, and letter case is ignored. |
| containsCase | Performs a case sensitive string comparison of the value and the named element. The value must be found anywhere in the element. |
| notContainsCase | Performs a case sensitive string comparison of the value and the named element. The value must NOT be found anywhere in the element. |
| Contains | Performs a NON-case sensitive string comparison of the value and the named element. The value must be found anywhere in the element, and letter case is ignored. |
| notContains | Performs a NON-case sensitive string comparison of the value and the named element. The value must NOT be found anywhere in the element, and letter case is ignored. |
| like, notLike | Performs a string comparison (not case sensitive) of the value and the named element. Supports two wildcards: % (matches zero or more characters) and _ (matches exactly one character). |
| regex, notRegex | Treats the value as a Regular Expression test (not case sensitive) that is applied to the named element. Regular Expression matching provides very powerful searching abilities but would rarely be required. As a starting point for help with Regular Expression syntax, see Wikipedia. |
| lessThan, lessThanEqual, greaterThan, greaterThanEqual | Performs an integer comparison of the value and the named element. You cannot apply these operators to alphabetic values or real numbers. |

7. Click Next.

8. Edit the title and other descriptive information for the filter. The default values are based on the parent Rule.

9. Review the detail of your filter. Click Back to make changes, or Save to create the filter.

10. To use the filter, edit a Policy. Navigate to and expand the parent Rule, and select the Exception.

5.5.4 Editing a Filter

To edit a Filter, click the Edit button for the item in the list. The item will be presented for editing in the Advanced Editor (see above). Make changes as required, and then click Save.

If the Filter is active in any Policies, you must re-deploy the Policies to apply your change on Sensors. Policies that require deployment are marked as “stale” on the Policy Manager tab.

5.5.5 Deleting a Filter

To delete a Filter, click the Delete button for the item in the list. You will be asked for confirmation.

You cannot delete a Filter that is actively used in a Policy. If you attempt to delete an active Filter you will be informed of the policy or policies where it is used.
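The operator semantics in Table 5, together with the ALL-conditions rule and the ONLY/EXCEPT choice from section 5.5.3, can be checked against sample events before an exception is trusted to suppress alerts. The following Python is an added example, not DbProtect code and not the product's XML filter format. The attribute names and events are constructed, and whole-string matching for like and substring search for regex are assumptions.

```python
import re

def _like(pattern):
    """Compile a like pattern: % = zero or more characters, _ = exactly one."""
    wildcards = {"%": ".*", "_": "."}
    body = "".join(wildcards.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def _integer(text):
    """Integer operators cannot be applied to alphabetic values or real numbers."""
    if not re.fullmatch(r"[+-]?\d+", text.strip()):
        raise ValueError(f"not an integer: {text!r}")
    return int(text)

# Operator names are spelled as in Table 5 (e = named element, v = filter value).
_POSITIVE = {
    "equals":       lambda e, v: e == v,                    # case sensitive, exact
    "equivalent":   lambda e, v: e.lower() == v.lower(),    # exact, case ignored
    "containsCase": lambda e, v: v in e,                    # substring, case sensitive
    "Contains":     lambda e, v: v.lower() in e.lower(),    # substring, case ignored
    "like":         lambda e, v: _like(v).fullmatch(e) is not None,  # assumed whole-string
    "regex":        lambda e, v: re.search(v, e, re.IGNORECASE) is not None,  # assumed search
}
# Each not... operator is the negation of its positive partner.
_NEGATED = {
    "notEquals": "equals", "notEquivalent": "equivalent",
    "notContainsCase": "containsCase", "notContains": "Contains",
    "notLike": "like", "notRegex": "regex",
}
_INTEGER = {
    "lessThan":         lambda e, v: e < v,
    "lessThanEqual":    lambda e, v: e <= v,
    "greaterThan":      lambda e, v: e > v,
    "greaterThanEqual": lambda e, v: e >= v,
}

def match_expression(event, name, operator, value):
    """Evaluate one expression (name, operator, value) against an event dict."""
    element = str(event.get(name, ""))
    if operator in _INTEGER:
        return _INTEGER[operator](_integer(element), _integer(value))
    if operator in _NEGATED:
        return not _POSITIVE[_NEGATED[operator]](element, value)
    return _POSITIVE[operator](element, value)  # KeyError for an unknown operator

def evaluate(node, event):
    """node is ("and" | "or", [children]) or a (name, operator, value) leaf."""
    if node[0] in ("and", "or") and isinstance(node[1], list):
        results = [evaluate(child, event) for child in node[1]]
        return all(results) if node[0] == "and" else any(results)
    return match_expression(event, *node)

def rule_fires(mode, conditions, event):
    """ONLY: fire when the conditions match. EXCEPT: fire unless they match."""
    matched = evaluate(conditions, event)
    return matched if mode == "ONLY" else not matched

# Constructed events; the attribute names are hypothetical stand-ins for the
# names listed in "Monitoring Filter Name Attributes".
NIGHTLY = {"loginName": "BatchSvc", "sourceHost": "etl01.example.internal",
           "rowCount": "120"}
SAME_LOGIN_ELSEWHERE = {"loginName": "BATCHSVC",
                        "sourceHost": "laptop77.example.internal",
                        "rowCount": "50000"}
OTHER = {"loginName": "batchsvc_tmp", "sourceHost": "laptop77.example.internal",
         "rowCount": "50000"}

# Exception with two conditions: applies only when ALL are true.
NARROW = ("and", [("loginName", "equivalent", "batchsvc"),
                  ("sourceHost", "like", "etl__.example.internal")])
# Same conditions after changing and to or: either one alone suppresses.
WIDE = ("or", NARROW[1])

if __name__ == "__main__":
    for label, tree in (("and", NARROW), ("or", WIDE)):
        for event in (NIGHTLY, SAME_LOGIN_ELSEWHERE, OTHER):
            fired = rule_fires("EXCEPT", tree, event)
            print(label, event["loginName"], event["sourceHost"],
                  "alert" if fired else "suppressed")
```

With the and form, the same login from an unexpected host still raises the alert; with the or form it is suppressed, which is the case to look for when reviewing exceptions.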


5.5.6 Importing a Filter

To import a file containing filters:

1. Click Import.

2. Select a valid Filters XML file.

3. If you want to overwrite existing Filters with the same names as filters found in the file, check the box Import with overwrite.

4. Click Import.

5.5.7 Exporting Filters

To export filters:

1. Select one or more filters using the checkboxes at the left of the My Filters list. To select all items, check the box at the top.

2. Click Export, and then save the file using the browser dialog.

5.6 Sensors

This tab allows you to register and configure Sensors.

For full information about installing and configuring Sensors see the DbProtect Sensor Installation and Configuration Guide.

The main page of the Sensors tab lists registered sensors on the left pane. The listing shows the status of each registered Sensor.

5.6.1 Viewing Sensor Details

To see details of a sensor, click the sensor name in the left pane to show details in the right pane.

Sensors that cannot be contacted or that have a configuration issue display a red X.

If many sensors are configured, you can filter the list by entering text in the Filter field and clicking Apply.


5.6.2 Viewing Sensor Configuration Details

To view a summary of configuration for all Sensors, click View Sensor Configuration Details.

The result lists the availability, network location, version, database instance monitored, and policy deployed for each Sensor alias.

To download the information, click Download CSV.

To return to the main page, click Back.

5.6.3 Registering a Sensor

Before registering a Sensor, you must install the Sensor software on the appropriate system.

To register an installed Sensor:

1. Click Register New Sensor to open the Registration Manager page.

2. Enter the IPv4 address or Host Name of the Sensor machine.

3. Enter the TCP Port where the sensor is listening (by default, port 20000).

4. Click Next.

5. On the summary screen, click Finish to accept the settings, or click Back to adjust settings.

6. DbProtect attempts to contact the Sensor. If the sensor can be contacted, registration is successful. If the sensor cannot be contacted, you are notified and the registration information is not saved.

5.6.4 Configuring or Reconfiguring a Sensor

To configure or reconfigure database instances on an installed sensor:

1. Select the Sensor in the left pane to view details in the right pane.

2. Click Reconfigure to display the details of the configured instances on the sensor.

3. To reconfigure a defined instance, click Reconfigure for that instance. For detailed procedures, see the DbProtect Sensor Installation and Configuration Guide.

4. To remove a defined instance, click X for that instance.

5. To configure a new instance, click Configure New Instance. For detailed procedures, see the DbProtect Sensor Installation and Configuration Guide.

6. To modify logging for the sensor, in the Advanced Settings frame click Modify. Select a logging level, and then click OK.

7. When you have completed all required changes, click Deploy to Sensor.

If you do not deploy the changes, they will be lost.

You cannot reconfigure a sensor that cannot be contacted.

5.6.5 Unregistering a Sensor

Unregistering stops Sensor activity for all database instances configured on that Sensor, and removes the connection between the Console and the Sensor.

To unregister a sensor:

1. Select the Sensor in the left pane to view details in the right pane.

2. Click Unregister. You will be asked for confirmation.

Unregistering does not uninstall the Sensor software. After unregistering you should proceed to uninstall the software from the server where it is installed.

5.6.6 Deploying Policies

To re-deploy the currently configured Policy for more than one Sensor:

1. Click Deploy Policies in Bulk.

2. On the Policy Deployment page, the list of available database applications shows configured Sensors and the currently deployed Policy for each (if any).

• You can limit the list by server type and search for text in the description.

• You can limit the list to sensors with stale policies.

3. Select one or more items and use the arrows to move the selected items into or out of the Deploy list.

4. Click Deploy to deploy the configured policies to the selected Sensors.

You can wait for deployment success or failure to be confirmed, or you can continue to work by clicking other tabs.

5.7 Monitoring Settings

5.7.1 Email Forwarding Rules

This tab allows you to define alerts that you want DbProtect to report to users by email. Available actions are listed on the page.

If no Rules are defined, the first page of the rule creation wizard displays as the default item of the tab.


5.7.2 Creating Or Modifying a Rule

To create an Email Forwarding Rule:

1. Click the link below the list of rules, or click the Modify button of an existing rule.

2. On the first page of the wizard, enter a name for the rule (Template Name), and enter a list of email addresses to notify. Click Next to continue.

3. On the criteria page of the wizard, select:

• One or more server aliases (ctrl-click to select more than one; click ALL to select all)

• One or more alert titles (ctrl-click to select more than one; click ALL to select all)

• A time range (any time, or a starting and ending time in 24 hour format)

• One or more risk levels

Click Next to continue.

4. On the fields page of the wizard, select a list of fields to include in the message. Highlight items and use the arrow buttons to move them between the Possible Fields and Fields to Send. Click Next to continue.

5. On the summary page of the wizard, review the rule and then click Back to make changes, or Save to save the rule. New rules are active by default.

5.7.3 Forwarding Settings

This tab allows you to specify settings for email alerting checks.

• Polling Frequency: Enter the number of minutes between checks by DbProtect for new Alerts that match the Forwarding Rules. The default polling frequency is 5 minutes.

• Maximum Alerts to Handle: Enter the maximum number of Alerts you want DbProtect Activity Monitoring to send in each email.

5.7.4 Email Server Settings

In this version of DbProtect, email server settings are managed on the Set Up > System Settings > email page. See “Email” on page 81.


6 Working with Jobs

The Jobs section of the DbProtect Console allows you to create testing and review activities for a database or group of databases, and run these activities on demand or on a schedule.

Figure 6: DbProtect Jobs Page

DbProtect provides the following types of jobs:

• Discovery: Discovery actively scans network segments, collecting an inventory of database components. Discovery jobs are useful for collecting a list of databases running on your network, for finding rogue database installations, and for validating existing database inventory data.

• Pen Test: A Pen Test (short for Penetration Test) is an unauthenticated (outside-in) scan of your databases that searches for vulnerabilities and misconfigurations that leave your system exposed to attack from an individual who does not have valid credentials to login to the database. Pen Testing requires DbProtect Vulnerability Management licenses.

• Audit: An Audit (Security Audit) is an authenticated scan that requires an account with read-only privileges. It performs a deep assessment, checking the configuration of your database for known vulnerabilities and configuration issues. Auditing requires DbProtect Vulnerability Management licenses.

• Rights Review: Rights Review is a deep analysis of user and role entitlements on a database. This type of scan analyzes database user and role privileges, to help guard against the possibility of unauthorized access to data. Rights Review scans identify “privileged users” and access to sensitive database objects. Rights Review requires DbProtect Rights Management licenses.

• Report: A Report job allows you to generate and distribute one or more of a library of common reports available through DbProtect Analytics. Reports can be presented in a variety of formats and generated then distributed on a recurring schedule.

User access to Jobs depends on the user’s Role (permissions) for the DbProtect application, and for the Organization that each Asset is associated with.

The steps for running jobs differ depending upon the type of job you run, and the type of assets (databases) being scanned.

6.1 Reviewing Job Information

The Jobs page includes four tabs that allow you to see a list of currently available jobs, as well as information about jobs in progress, completed jobs, and jobs scheduled to run in the future.

You can refresh the list in any tab by clicking Refresh. Toggle between automatic and manual refresh by clicking Auto or Manual.

6.1.1 Jobs Tab

The Jobs tab shows jobs that are available to run, including scheduled and un-scheduled jobs. For more information about adding, editing, and scheduling jobs, see the following sections of this Guide.

6.1.2 In Progress Tab

This tab lists jobs that are currently running. The Progress and Status fields give important information about the health of the job.


To cancel a job in progress, click Cancel in the toolbar above the list.

If a job has been paused due to service restart, you can resume the job by clicking Resume in the toolbar

above the list.To review details of a job in the list, select it. Details display in the lower pane.

To see a full troubleshooting description of the job, click at the top right of the details pane.

In the details pane, each step of the job is listed. If a step shows a + icon at the left, click to see more

details.

If a step cannot be completed and the job is not set to skip tasks that require input, the detail status shows

Waiting for Input. You can review the details of the step to learn about the problem.

You can select the action to take (retry or skip) using the menu at the right. If you are able to correct the

problem (for instance by updating credentials or scan engines) then click Retry to try the step again. If you

are not able to correct the problem you can Skip the step, but the job will not produce complete results.

6.1.3 Completed Tab

This tab shows jobs that have been run in the past. Select an item to view details of steps in the lower

pane. If a job includes generation of a report, the report is linked from a step detail as seen in the screenshot

below. Click the link to open the report.

6.1.4 Scheduled Tab

This tab shows jobs that are scheduled to run in the future, including recurring instances and one-time

schedules. By default the list includes jobs scheduled in the next seven days. To list jobs for 30 days, or to

select dates, use the control above the list.

6.2 Creating a Job

To create a job:

1. On the main Jobs tab, click New Job to open the Create a Job wizard.

2. On the first page of the wizard, select a template (type of job). Enter a name, and select the

organization to use for this job. Optionally add a verbose description to help document the job purpose.

Click Continue.

The next steps depend on the job type.

6.2.1 Audit, Pen Test, or Rights Review

To continue creating an Audit Job, Pen Test Job, or Rights Review Job:

1. On the Assets page, specify the Assets that you want to audit. You can select assets in any of three

ways:

• Specific Asset Selection: Click Add Assets to open the asset selector. Select assets by

checking the boxes in the asset list, and then clicking Add Assets. You can limit the list of assets

visible to you by selecting facets and entering a query in the left pane. You can repeat the asset

selection. You can remove assets from the selected list by selecting them and clicking Delete.

• Saved Query: Choose a named query from the list. Assets matching the query display in the right

pane. You cannot modify the query within the wizard. To modify named queries use the Assets

page. Some users that have permission to create jobs do not have permission to edit queries on

the Assets page.

• Ad Hoc Query: Select facets and/or a text query in the left pane. Assets matching the query

display in the right pane.

Click Next to continue.

2. On the Credentials page (not shown for Pen Test jobs), review the credential status for each selected

Asset. Each Asset should display a green circle, or green check mark for one type of credential,

indicating adequate permissions.

• For any Asset that shows “needs attention” or “failed”, expand the Asset to see all associated

credentials. You can override the credentials using the Add Override Credential menu at the

right of the row.

• You can change the credential group for one or more assets by selecting them and using the

Change Group menu in the toolbar at the top.

• To test credentials for an asset, select it using the checkbox and click Test Credentials in the

toolbar at the top.

• You can reset any overridden credentials using the Reset All button in the toolbar at the top.

You can continue to create a job without complete credentials. Depending on later settings, it may request attention at run time or some steps might fail.

Click Next to continue.

3. On the Policy page, select one or more audit policies using the menu. To select multiple policies, select

them one at a time. You can also delete policies from the selected list. Click Next to continue.

4. On the Reports page, set up one or more reports to run as part of this job.

• Click Add Report.

• Choose a report from This Job’s Results (recommended), or another report. (The “Other” reports

option gives access to all available reports, whether or not they provide output related to the job.)

• Select a Report Template.

• Enter a name and format, and optionally enter email addresses to be notified when the report is

ready.

• For Other reports, you can select from the list, or enter a filter shortcut to create a custom report.

You can also choose to run the report for a child organization to reduce the scope of data reported

on.

Click Next to continue.

5. On the Advanced Settings page, enter settings as required.

You can:

• Provide email addresses to be notified at job completion, or if credential problems occur.

• Choose not to synchronize report filters (not recommended unless you experience significant

delays)

• Choose to ignore the state of SHATTER updates on scan engines (this might affect scan

accuracy)

• Choose to skip any task that requires further input such as credentials (this can be useful if jobs

must complete in a specific time frame and manual intervention will not be possible)

• Choose an encoding for dictionary files. Dictionary files are used in some Policy checks (such as

weak password checks) to provide input.

• Ignore Scan Group restrictions

• Select additional jobs to run after this job runs

6. Click Create to create the job.

Some advanced settings are not available for Rights Review Jobs.

6.2.2 Credential Test

To continue creating a Credential Test Job:

1. Select a single Job that you want to test. Credentials used in the selected job will be tested. Click Next

to continue.

2. Provide email addresses to be notified at job completion.

3. Choose whether the job reports failure if some credentials are valid for connection, but missing

required permissions for the job tasks.

4. Click Create to create the job.

6.2.3 Discovery

To continue creating a Discovery Job:

1. On the Discovery Criteria page, click Add Criteria to open the Add Discovery Criteria window.

2. Enter Network Destinations. For examples, see the text and link below the field.

3. Select Port options.

• Add defaults to check the default ports for database types

• Add specific ports if you know that databases listen on non-standard ports

4. Choose to bypass port scanning if scanning is not possible in the environment (this option can cause

discovery to be less efficient)

5. Choose at least one asset type

6. Click Add. You can add additional criteria. You can edit or delete existing criteria sets.

7. Click Next to continue.

8. On the Reports page, set up one or more reports to run as part of this job.

• Click Add Report. For discovery jobs, only the “other” report option is available.

• Select a Report Template.

• Enter a name and format, and optionally enter email addresses to be notified when the report is

ready.

• Select from the list, or enter a filter shortcut to create a custom report. You can also choose to run

the report for a child organization to reduce the scope of data reported on.

Click Next to continue.

9. On the Advanced Settings page, enter settings as required. You can:

• Provide email addresses to be notified at job completion, or if credential problems occur.

• Add one or more known database instance names (this option can help to find databases if

security restrictions are in place, such as SQL Browser being stopped)

• Add one or more Oracle listener passwords

• Choose to scan unresponsive hosts (hosts that do not respond on closed ports). This option

ensures full coverage

• Save additional information gathered as asset attributes

• Update asset version information if it is updated at the database server

• Ignore duplicates and errors

• Replace existing endpoints for identical assets

10. Click Create to create the job.

6.2.4 Report

To continue creating a Report Job, set up one or more reports to run as part of this job.

1. Click Add Report.

• Choose a report. You can select from the list, or enter a filter shortcut to create a custom report.

You can also choose to run the report for a child organization to reduce the scope of data reported

on.

Click Next to continue.

2. Additional options vary for each report. For example:

• For some reports, you can select an organization for the report. You can choose the organization

specified in the job, or an available descendant. You can choose to include descendants of the

selected organization.

• For some reports, you can select an asset to report on and a specific user to report on.

• For asset reports, you can choose to include non-scannable assets.

• For some reports you can specify the results filtering and scope of the report.

• Select a type of filtering, and then select the detailed values. For example:

• In the Check Results Summary, you can choose to filter by assets, attributes, or a specific job,

or an organization.

• You can also choose to filter through a specific Audit or Pen Test policy (“Policy Lens”).

• You can choose to include SHATTER Knowledgebase articles in the report.

3. Enter a name for the report, and select an output format. Optionally enter email addresses of users to

receive a link to the completed report.

When reports are generated at the scope of an organization, all check results for all assets in the organization are considered. These results are first filtered by checks that are available to policies associated with the organization. If different policies include different report filters on the same check, all report filters on each check will be applied.

It can be useful to limit the report to specific assets, or to report on check results based on a specific policy or even a specific audit job. When reports are filtered through a specific policy (“Policy Lens”), only the checks from that policy are included and the report filters specified in that policy are applied.

4. Click Save to add the report to the list.

5. You can add more reports or clone an existing report to re-use some settings. You can edit an existing

report or change its output settings. To perform these functions, use the buttons in the toolbar.

6. When you have completed the report setup, click Next to continue.

7. On the Advanced Settings page, optionally provide email addresses to be notified at job completion.

8. Click Create to create the job.

6.3 Scheduling or Un-Scheduling a Job

To manage scheduling for a job, select it in the list and use the Schedule and Un-Schedule buttons in the toolbar.

A scheduled job can be set to run once, or recurring.

6.4 Running a Job

You can run any job immediately by selecting it and clicking Run in the toolbar.

6.5 Editing a Job

To edit a job, select it and then click Edit in the toolbar. For help with the available settings see the sections on creating a job, above.

6.6 Cloning a Job

To clone (make a copy of) a job, select it and then click Clone in the toolbar. Cloning does not copy the job schedule. After cloning a job, edit it as required and schedule it if required.

6.7 Deleting a Job

To delete a job, select it and then click Delete in the toolbar.

7 Working with Users and Organizations

The System Settings section of the DbProtect Console allows you to:

• Create organizational containers for permission purposes, and assign policies to the organizations.

• Add Windows users and groups to the DbProtect system, and assign permissions to the users.

7.1 Organizations

To view the Organizations page of the DbProtect Console, under Set Up click Users & Orgs >

Organizations.

This page allows you to add and edit Organizations. An Organization contains Assets (database servers).

You can assign Policies that will apply to all Assets. You can grant Users one or more specific Roles in one

or more Organizations.

Typically an Organization groups servers that have similar check requirements based on the server type

and/or regulatory environment.

The top pane of the page lists organizations. The bottom pane of the page provides details of the

organization selected on the top pane, on four tabs:

• Details: Shows the description of the organization

• Users: Lists all users or groups that have roles in the organization, and the roles for each user

• Assets: Shows the assets that have been added to the organization

• Policies: Shows the policies that have been configured for the organization.

If a tab list contains many items, you can use the paging controls below the list to view more items.

If an organization has dependants, click the arrow next to the name to expand the dependant list. You can

also use the Expand all and Collapse all buttons at the top right of the list.

7.1.1 Adding An Organization

To add an organization:

1. Click New Organization.

2. On the Create an Organization window, enter a name for the organization.

3. Choose the parent organization.

• If you choose a parent, optionally choose to copy all policies that are selected for the parent. This is a one time action (changes in policy selection for a parent do not affect descendants).

• You can also choose to create a top level organization that has no parent. Top level organizations are created with all available policies selected.

4. Choose at least one Owner for the organization. The Owner will have access to all operational and data view functions for the organization.

5. Optionally enter a description.

6. Click Create to add the organization.

If you select an organization in the main list before you click New Organization, the parent defaults to the selected organization.

7.1.2 Editing An Organization

To edit an organization:

1. Select an organization, and then click Edit.

2. On the Edit Organization window, you can change the name, owner list, and description.

3. Click Save to apply the changes to the organization.

Any changes to ownership and other user rights take effect at the next login of a user. This is also true for the administrator making the changes.

7.1.3 Copying Organization Features

You can copy assets or child structures from one organization to another.

To copy assets:

1. Select the source organization.

2. Click Copy > Copy Assets To.

3. Select the target organization and then click Copy.

To copy child structure:

1. Select a source organization that has descendants.

2. Click Copy> Copy Child Structure To.

3. Select the target organization and then click Copy.

7.1.4 Deleting An Organization

To delete an organization, select it and then click Delete.

Deleting an organization also deletes child organizations.

Deleting an organization deletes all associated jobs and history from DbProtect. Deleting an organization can result in discovered assets being completely deleted from DbProtect (if the assets are not associated with any other organization).

Before deleting an organization, carefully review the warning presented and ensure you know what assets will be affected.

7.1.5 Managing Policies For An Organization

Policies are collections of checks that are used to run jobs. To add or remove policies from an organization:

1. Select the organization and then click Manage Policies.

2. On the Manage Policies window, select policies and use the arrows to add or remove them from Selected Policies.

3. Click Save to save changes.

7.2 Users

To view the Users page of the DbProtect Console, under Set Up click Users & Orgs > Users.

On the Users page:

• The top pane lists users and groups. If there are a large number of entries you can view them using the pager below the list.

• The bottom pane lists the roles and effective permissions of the selected user or group.

DbProtect Users are imported from Microsoft Active Directory or from the local server where the DbProtect

Console is installed. Both users and groups can be imported. Users can be granted a set of roles within the

product. A user logs on to DbProtect with their Windows credentials. If the credentials are valid, the user is

authorized to use functions in the product matching the role(s) granted to the user and/or Windows groups

they belong to.

All functions of DbProtect are restricted by role-based access. Access to each function is controlled by

particular permissions that are granted to the user through a role. The typical users of the product have

been separated into two groups, system and organization. These groups mirror the typical scopes of

access control in most environments.

7.2.1 System Roles

These roles apply to the setup, configuration and maintenance of the system. They do not affect access to operations or reporting.

The available system roles are:

Table 6: DbProtect System Roles

| System Role | Permissions |
|---|---|
| Administrator | Grants access to all administrative functions. Primary functions: User definition, organization definition, management of licenses, scanners and sensors. |
| Administrative Data Viewer | Grants access to view specific types of report results. Primary functions: Consume dashboard and report content for Scans (Checks), Rights Review, and Monitoring for all Organizations. |
| Auditor | Grants view-only access to all administrative functions. Primary functions: Internal or external auditor needing to verify proper organization, user and role definition. |
| Org Owner | Used in conjunction with an Owner role for a particular organization. Allows an organization owner to create descendant organizations. Primary functions: Delegation of setup and maintenance of the DbProtect organizational structure for lines of business or multi-tenancy. |

7.2.2 Organization Roles

These roles affect access only within a specific organization in which they are applied. A user that is associated with more than one organization can have different roles within each organization. Use of product functions for assets in each organization is limited by the user’s roles in that organization.

The available organization roles are:

Table 7: DbProtect Organization Roles

| Organization Role | Permissions |
|---|---|
| Owner | Grants access to all operational and data view functions within an organization. Primary functions: All non-administrative functions. |
| Job Manager | Grants access to all job operations functions within an organization. Primary functions: Creation and management of jobs, including scheduling, handling error conditions, setting up operational notifications for stakeholders, performing all data collection functions. |
| Credential Manager | Grants access to all credential management functions within an organization. Primary functions: Creation and management of credentials, including export and import. |
| Data Viewer | Grants access to all dashboard and reporting functions within an organization. Primary functions: Consume dashboard and report content, view generated reporting content from jobs, provide appropriate data artifacts to management and operational stakeholders. |
| Asset Manager | Grants access to all asset management functions within an organization. Primary functions: Creation and management of assets including asset import. |
| Auditor | Grants view-only access to all functions within an organization. Primary functions: Internal or external auditor needing to verify proper operational use and report production. |
| Check Results Viewer | Grants view-only access to Scan (Check) results for an Organization. Primary functions: Consume dashboard and report content for Scans (Checks). |
| Rights Review Results Viewer | Grants view-only access to Rights Review results for an Organization. Primary functions: Consume dashboard and report content for Rights Review. |
| Monitoring Results Viewer | Grants view-only access to Monitoring results for an Organization. Primary functions: Consume dashboard and report content for Monitoring. |

7.2.3 Adding a User

To add one or more Users or Groups:

1. Click New User to open the Create a User window

2. In the Grant Access To section, type a user or group name and select a domain if any. Optionally enter a description.

3. Click Add to add the user to the list.

4. Repeat steps 1 and 2 for any additional users or groups you want to add with identical roles.

5. In the Add Roles section, click Add. Select one or more organizations and associated roles for the listed users, and then click Add.

6. Select a System Role using the menu.

7. Repeat steps 5 and 6 as required.

8. To remove selected roles, click Delete for any role.

9. Finally to create the users in DbProtect, click Create.

If you enter user or group names that cannot be found by Windows, they will not be added. If some entries are found and some are not found, then the found items will be added.

7.2.4 Editing a User

To edit a User or Group:

1. Select the entry and click Edit to open the Edit User window.

2. Optionally enter a description.

3. To add new organization roles for the user, in the Add Roles section, click Add. Select one or more organizations and associated roles for the listed users, and then click Add.

4. To add new system roles for the user, select them using the menu.

5. Repeat steps 5 and 6 as required.

6. To remove selected roles, click Delete for any role.

7. Finally to update the users, click Save.

7.2.5 Deleting a User

To delete a User or Group, select it and then click Delete.

8 Working with System Settings

The System Settings section of the DbProtect Console allows you to review system performance, manage

licensing and email sending settings, and manage Scan Engine registrations.

8.1 About DbProtect

This page displays a list of components installed locally to the DbProtect server, and components such as

sensors and scan engines that are remotely installed and registered.

8.2 Scan Engines

This page allows you to register, un-register, and configure scan engines.

You can also update the version of the SHATTER Knowledgebase on all registered scan engines, if you

have downloaded a new version to the Console server.

8.2.1 Registering a Scan Engine

Before registering, you must install the Scan Engine software. The required network port must be open

between the DbProtect Console server and the scan engine host.

To register a new Scan Engine:

1. Click Register New Scan Engine.

2. Enter a friendly name used for Console display.

3. Enter the Hostname or IP address and the TCP port (normally 20001).

4. Click Register.

• When a new scan engine is registered successfully, by default the Configure Scan Engine window

opens. If you do not need to perform additional configuration you can simply close this window, or

you can select not to open it.

8.2.2 Unregistering a Scan Engine

To unregister a Scan Engine, select it in the list, and then click Unregister.

Unregistering does not un-install the scan engine software. In most cases you should unregister first, and then un-install the software by running the uninstallation from the Start menu on the scan engine host.

8.2.3 Configuring a Scan Engine

To configure a Scan Engine:

1. Select a Scan Engine in the list, and then click Configure.

2. On the Configure Scan Engine window, you can perform the following tasks:

• Set the network interface to be used by the Scan Engine (if more than one is available on the server). This option allows you to direct the scanning to a specific subnet.

• Set the Scan Engine as available or unavailable (for instance, if the server is overloaded or you do not want to scan specific subnets).

• Set the Organizations that can use this Scan Engine.

• Set an asset Group to restrict this Scan Engine to perform scanning only on assets in the Group. The Group restriction is evaluated at run time along with any other restrictions made in the scanning Job.

8.2.4 Updating the SHATTER Knowledgebase

Trustwave typically provides a new version of the SHATTER Knowledgebase every four to six weeks.

You can update the SHATTER Knowledgebase on the DbProtect Console server by downloading the latest package from Trustwave and installing it.

Once a new Knowledgebase is available, to update the Knowledgebase on a Scan Engine, select it in the

list and then click Update Knowledgebase.

When a new Scan Engine is registered, the latest SHATTER Knowledgebase is always used.

8.3 Email

This page allows you to configure an email server, used by all DbProtect components to send notification

emails.

To add or edit the email server information:

1. Click Edit to open the Outgoing Email Server Settings window.

2. Enter the IP address or resolvable name of the SMTP server.

3. Enter the port where mail is accepted (normally port 25).

4. If a login is required to send mail, enter the username and password.

5. Optionally enter a limit, in Megabytes, on the size of email attachments (such as PDF report files).

6. Optionally enter the From and Reply-To information. If you do not enter these addresses the messages

will be sent with a blank From address.

The email server you configure must accept messages:

• sent from the “from” address you specify, and from the network locations of all the DbProtect components

• sent to the addresses you specify (normally addresses in your internal organization)

You may need to configure the target server to accept these messages.

7. If you want to send a test email (recommended), click Send test email, enter the address you want to

send mail to, and then click Send Email.

• The window shows whether the message was sent. If the message could not be sent, a new

window displays the error.

8. To save the configuration, click OK.

Caution: DbProtect does not prevent saving of an invalid configuration. Test carefully.

8.4 Diagnostics

This page displays information about the status of DbProtect components.

8.5 Warehousing

This page allows you to view the status of data synchronization and warehousing, and to start a manual update or warehousing window.

8.6 Licensing

This page displays the details of licensing for this DbProtect installation. For more information about

licensing, refer to the Installation Guide and Getting Started Guide.

To add a license:

1. Click Add License to open the Add A License window.

2. Paste the contents of the ARxx.lic or ADxx.lic file in the field, and then click Add.

To see a report of license utilization by asset, organization, and usage details, click the link Get license

utilization report.

9 Working with Policies

A Policy is a set of security checks used by DbProtect to perform a Penetration Test or Audit.

DbProtect includes a number of built-in policies that you can use immediately. The built-in policies are

designed to meet externally defined criteria and regulatory requirements.

DbProtect also allows you to save and use customized Policies. Customized Policies can include Report Filters for some types of security checks.

9.1 Built-In Audit Policies

DbProtect includes the following built-in audit policies.

• Base Line: This policy provides an adequate level of security for most applications in the government,

financial services, and healthcare industries. Provides maximum security without sacrificing

performance and functionality.

• FISMA: This policy is structured following NIST standards and is recommended for use in a FISMA

compliance assessment.

• Basel II: This policy is structured for use in a Basel II compliance assessment.

• Integrity: This policy is used to Audit the integrity of an application and the underlying operating

system.

• Best Practices for Federal Government: This policy is based on CIS, NSA SNAC, DISA Database

STIG, NIST 800-53, and Best Practices defined by Trustwave SpiderLabs.

• Operating System: This Policy checks the service, registry, and file portions of a database. It

requires an authenticated account for the operating system on the machine where the database

resides.

• Download: This is a default policy that allows an evaluator to test specific checks.

• MITS: This policy is structured following CoBIT, ISO, and NIST standards and is recommended for

use in a MITS compliance assessment.

• Passwords: This policy is used to Audit password strength and settings.

• DISA-STIG Database Security - Audit: This policy has been created with guidance of the

configuration parameters outlined by the DISA-STIG for Microsoft SQL Server and Oracle only.

Default policies are updated, and new policies may be provided, with an update to the SHATTER Knowledgebase. For the most recent list of policies, see Trustwave Knowledgebase article Q20440. For more information about how to update the SHATTER Knowledgebase on your DbProtect installation, see “Updating the SHATTER Knowledgebase” on page 80.

You cannot modify a built-in policy. However, you can edit a built-in policy and “save as” to save the edited policy under a different name. For more information, see “Editing a Policy” on page 89.


• DISA-STIG Platform Specific Policies: DbProtect provides a number of policies that implement DISA-STIG checks for specific Microsoft SQL Server and Oracle database versions.

• Authorization: This policy is used to Audit permissions and access controls.

• PCI Data Security Standard: This policy is structured following the PCI Data Security Standard and

is recommended for use in a compliance assessment.

• Sarbanes-Oxley: This policy is structured following CoBIT and ISO 17799 standards and is

recommended for use in a Sarbanes-Oxley compliance assessment.

• Strict: This policy provides a maximum level of security. This policy is much more restrictive than

required by most applications and would usually be used by only the most top secret applications. The

policy will have a significant impact on functionality.

• Massachusetts 201 CMR 17.00: This policy is structured following the standards for the protection of

personal information of residents of the Commonwealth of Massachusetts.

• MiFID: This policy is structured for use in a Markets in Financial Instruments Directive (MiFID)

compliance assessment.

• EU Data Protection Directive: This policy is structured following EU 95/46/EC standards and is recommended for use in an EU Data Protection Directive compliance assessment.

• Gramm-Leach-Bliley Act: This policy is structured following Gramm-Leach-Bliley Act (GLBA)

standards and is recommended for use in a GLBA compliance assessment.

• HIPAA: This policy is structured following NIST standards and best practices for database security

and is recommended for use in a HIPAA compliance assessment.

• Big Data: This policy helps to enforce best practices for cloud and Big Data systems.

• CIS Benchmark - Audit: This policy has been created with guidance of the security configuration

benchmarks defined by the Center for Internet Security.

• CIS Platform Specific Policies: DbProtect provides a number of policies that implement CIS

benchmark checks for specific database platforms and versions.

• Cloud Database: This policy helps to enforce best practices for cloud database instances.

• CNIL - Audit: This policy provides guidance for database assessments for organizations needing to

comply with the data protection law of France known as CNIL Act No78-17.

• FedRAMP - Audit: This policy is structured following the standardized approach to security

assessment, authorization, and continuous monitoring for cloud products and services defined by the

Federal Risk and Authorization Management Program.


9.2 Built-In Penetration Test Policies

DbProtect includes the following built-in Penetration Test policies.

• HIPAA: This policy is structured following NIST standards and best practices for database security

and is recommended for use in a HIPAA compliance assessment.

• PCI Data Security Standard: This policy is structured following the PCI Data Security Standard and

is recommended for use in a compliance assessment.

• Gramm-Leach-Bliley Act: This policy is structured following Gramm-Leach-Bliley Act (GLBA)

standards and is recommended for use in a GLBA compliance assessment.

• Demo: Runs a demonstration of DbProtect Vulnerability Management features. This demo runs

quickly, returning a maximum number of vulnerabilities in a short period of time.

• Sarbanes-Oxley: This policy is structured following CoBIT and ISO 17799 standards and is

recommended for use in a Sarbanes-Oxley compliance assessment.

• Evaluation: Performs a Penetration Test using basic checks, allowing you to evaluate DbProtect

Vulnerability Management.

• FISMA: This policy is structured following NIST standards and is recommended for use in a FISMA

compliance assessment.

• Safe: Runs safe checks only. This policy does not perform Brute Force or Denial of Service checks

that cannot be run safely.

• Basel II: This policy is structured for use in a Basel II compliance assessment.

• Full: Performs a complete Penetration Test of your application using all available checks.

• EU Data Protection Directive: This policy is structured following EU 95/46/EC standards and is recommended for use in an EU Data Protection Directive compliance assessment.

• Brute Force: Performs a Penetration Test designed to test the strength of your applications’

passwords as well as other mechanisms that may be breached by brute force methods.

• Heavy: Performs a detail-level Penetration Test on your applications. Adds a heavy amount of usage.

May take more than one hour to run.

• Download: A default policy that allows you to test specific checks.

• MiFID: This policy is structured for use in a Markets in Financial Instruments Directive (MiFID)

compliance assessment.

• Light: Performs a first-level Penetration Test on your application. Adds a minimal amount of usage.

This test should take less than one minute to run.

• Medium: Performs a second level Penetration Test on an application. Adds a moderate amount of

usage on the application. This test should take less than 15 minutes to run.

You cannot modify a built-in policy. However, you can edit a built-in policy and “save as” to save the edited policy under a different name. For more information, see “Editing a Policy” on page 89.


• Denial of Service: This policy checks whether your applications are vulnerable to any known Denial

of Service (DoS) attacks by checking the version and platform of the database or listener.

9.3 Viewing a Policy

DbProtect Vulnerability Management allows you to view a policy (for either a Penetration Test or an Audit). You can see what security checks are enabled in the policy, and see detailed information about each check. Details include suggested fix information if it is available. The suggested fix could be a system patch, SQL update query, or general policy suggestion.

To view a policy:

1. Choose Start > Programs > Trustwave > DbProtect > Policy Editor to display the Policies window.

2. Click the Pen Test Policies or Audit Policies tab.

3. Select a policy.

4. Click View Selected to display the Policy in the Policy Editor.

5. Use the controls on the left side to explore the policy:

• Select a database type to see checks that apply to that database.

• Expand the check list to see individual checks. The Security checks marked with a checkmark are

active in the policy.


6. Click an individual security check to display its detailed description.

9.4 Creating a Policy

DbProtect Vulnerability Management allows you to create a policy (for either a Penetration Test or an Audit), by defining the security checks it contains. This is known as a user-defined policy.

To create a policy:

1. Choose Start > Programs > Trustwave > DbProtect > Policy Editor to display the Policies window.

2. Click the Pen Test Policies or Audit Policies tab.

3. Click New Policy to display the Policy Editor.


4. Activate security checks by selecting a type of database, expanding the list of checks, and checking

the corresponding checkboxes.

5. When a check is selected, in some cases you can configure additional properties of the check.

Properties you can configure display at the top of the right frame, above the text description.

• For some checks, you can choose a risk level.

• For some checks you can configure additional properties, such as the length of passwords to

guess, or the dictionary file to use for a dictionary based check.

• Some checks allow you to customize your policies with Report Filters that exclude individual checks from reporting. You can only add Report Filters to user-defined policies, not built-in policies. A check must be enabled in order for you to add or delete a Report Filter. For more information, see “What are Report Filters?” on page 91.

6. Click Save on the toolbar to display the Save New Policy window.

7. Enter the new policy name in the Policy Name field (required).

8. Enter the new policy description in the Policy Description field (optional).

9. Click OK.

10. To make the new Policy available for use, you must edit the permissions for each individual

Organization and each individual User. For more information, see “Editing An Organization” on

page 73 and “Editing a User” on page 77.

9.5 Editing a Policy

DbProtect Vulnerability Management allows you to edit a policy. You cannot modify built-in policies. However, you can edit a built-in policy and use “save as” to save the edited policy under a different name.

To edit a policy:


1. Choose Start > Programs > Trustwave > DbProtect > Policy Editor to display the Policies window.

2. Click the Pen Test Policies or Audit Policies tab.

3. Select a policy.

4. Click View Selected to display the Policy Editor.

5. Make selections as described above.

6. Save the edited policy.

• If the policy is built-in, click Save As to save the edited policy under a different name.

• If the policy is user-defined, click Save to save the changes to the existing policy, or Save As to

save the edited policy under a different name.

9.6 Renaming a Policy

To rename a policy:

1. On the Pen Test Policies or Audit Policies tab of the Policy Editor, select the user-defined policy you

want to rename.

2. Click Rename to display the Rename Policy dialog.

3. Enter the new policy name.

4. Click OK.

9.7 Searching Policies

DbProtect Vulnerability Management allows you to search policies for checks that match specified criteria (text in the description of the check). For instance, you can search for a specific CVE reference number.

To search policies:

1. Choose Start > Programs > Trustwave > DbProtect > Policy Editor to display the Policies window.

2. Click the Pen Test Policies or Audit Policies tab.

3. Select a policy.

4. Click View Selected.

5. On the Policy Editor window, click Search.

6. Enter text to search for. If you have a specific CVE number, enter it as the target string.

7. Search results display in a new window.

8. Click a search result to open the specific security check in the Policy Editor.


9.8 What are Report Filters?

DbProtect allows you to add Report Filters to some checks in user-created Pen Test and Audit policies. A Report Filter excludes parameter value(s) from being reported as a violation if found during a Pen Test or Audit. You can only add Report Filters to user-created policies. You cannot add Report Filters for built-in policies. A check must be enabled in order for you to add or delete Report Filters.

You can add Report Filters to user-defined policies from the Policy Editor interface, or by loading a file of

Report Filters.

9.8.1 Report Filter Examples

Report Filters are a way of filtering out possible finding violations at scan time. Applying Report Filters will prevent these violations from appearing in the scan results. Report Filters are generally used when running Access Control checks, since many of these checks provide a list of all possible access points, including access points that are acceptable or required for an application to function.

Following are some examples of Report Filters.

• Oracle Check: Role granted WITH ADMIN Option

Report Filter: Role=DBA

This will result in DbProtect not reporting violations found for the DBA role for this check.

• Oracle Check: Easily-guessed database password

Report Filter: Username=John

This will result in DbProtect not reporting violations found for Username: John for this check.

• Oracle Check: Easily-guessed database password

Report Filter: Username=John

Report Filter: Password=12345

This will result in DbProtect not reporting violations found for Username: John or any username with

the Password as '12345'.

9.8.2 Adding Report Filters Through the Policy Editor

To add a Report Filter through the Policy Editor:

1. On the Policy Editor, click the enabled check where you want to add a Report Filter.

2. Click Report Filters to display the Report Filters window.

3. Click Add on the Report Filters window to display the Create Report Filter window. From here, you can

add Report Filters and their associated risk acceptance information. A list of all possible parameters is

displayed.


4. Check the box to the left of each parameter you want included as a Report Filter and enter value(s) in the Parameter Value field (for example: 'DBA' as the value for the 'Granted To' parameter).

5. Repeat this step for each Parameter Value you wish to include in the Report Filter.

6. Click OK.

7. (Optional) To add risk acceptance information, check the 'Optionally, enter risk acceptance

information for the Report Filter' box.


8. Enter the name of the user creating the Report Filter in the Creator field. This is a mandatory field.

9. (Optional) Enter the name of the user authorizing the Report Filter in the Authorizer field.

10. (Optional): Add Name and Value pairs as Change Control fields by entering values in the Name and

Value fields.

11. (Optional): Check Expiration Date to include an expiration date. Provide a date and time in the field.

12. (Optional): Enter text in the Comments field.

13. Click OK.

9.8.3 Configuring Asset-Level Report Filters

By default, Report Filters apply whenever the affected check triggers. You can set a Report Filter to apply only for certain assets (database instances).

For example, if an employee who has permission to set up jobs discovers ten databases and runs a pen

test on those databases, certain checks (for example, “easily guessed passwords”) produce data that

would make it easy for an individual to gain inappropriate access to a database. To prevent this security

risk, you can specify that results for those particular database checks are not reported.

The expiration date is for informational purposes only. It does not remove the Report Filter automatically.

The Last Updated field is updated automatically.


To specify a Report Filter on a check for a particular database:

1. When adding or editing a Report Filter, navigate to the Application Scope tab on the lower frame of

the window and clear (un-check) the Apply above report filter to all assets check box as shown

above.

2. Add the Database and Instance information for the Database you wish this Report Filter to apply to as

a new row in the table. You must specify Application Type, IP Address and either Port or Name. You

may add several Databases in the table and the Report Filter will apply to all of them.

9.8.4 Adding Report Filters by Loading a Report Filters File

1. On the Policy Editor, click the enabled check where you want to add a Report Filter.

2. Click Report Filters to display the Report Filters window.

3. Click Load From File on the Report Filters window to display the Load Report Filters from file dialog,

which allows you to select a .txt or .csv file that contains Report Filters.

The content of each line in the file must use the following syntax and rules:

• For Report Filters only:

[ParamName]=[ParamValue] (for example: Granted To=DBA).

• For Report Filters and risk acceptance information:

[ParamName]=[ParamValue];Creator=[CreatorValue],Authorize=[AuthValue],Comments=[CommentsValue],Expiration Date=2016-08-30 23:59:22;[ChangeControlName]=[ChangeControlValue].

You can add multiple pairs of [ChangeControlName]=[ChangeControlValue] separated by commas. For example:

name1=value1, name2=value2;

Granted To=DBA;Creator=S. Green,Authorizer=J. Olzewski,Comments=Insert Comments,Expiration Date=2015-12-31 23:59:22;name1=value1,name2=value2

4. Click OK.
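The file syntax and rules above can be checked before a file is loaded, which is worth doing because a Report Filter suppresses findings and its expiration date does not remove it automatically. The following Python linter is an added example, not part of DbProtect or of this guide. The function names, the allowed-parameter set and all sample lines except the guide's own example line are constructed, and values are assumed to contain no ',' or ';'.

```python
from datetime import datetime

# Risk acceptance keys from section 9.8.4. The syntax template spells the second
# key "Authorize" while the guide's worked example uses "Authorizer"; accept both.
RISK_KEYS = {"Creator", "Authorize", "Authorizer", "Comments", "Expiration Date"}
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # e.g. 2016-08-30 23:59:22


def _pairs(segment):
    """Split 'a=b,c=d' into [(a, b), (c, d)]. Assumes values hold no ',' or ';'."""
    pairs = []
    for item in segment.split(","):
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"expected name=value, got {item.strip()!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_line(line):
    """Parse '[ParamName]=[ParamValue][;risk acceptance[;change control]]'."""
    segments = line.strip().split(";")
    if segments[-1].strip() == "":  # tolerate one trailing ';'
        segments.pop()
    if not 1 <= len(segments) <= 3:
        raise ValueError("expected at most three ';'-separated sections")
    name, sep, value = segments[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("line must start with [ParamName]=[ParamValue]")
    risk = None
    if len(segments) >= 2:
        risk = {}
        for key, val in _pairs(segments[1]):
            if key not in RISK_KEYS:
                raise ValueError(f"unknown risk acceptance field {key!r}")
            risk["Authorizer" if key == "Authorize" else key] = val
    change = dict(_pairs(segments[2])) if len(segments) == 3 else {}
    return {"param": name.strip(), "value": value.strip(),
            "risk": risk, "change_control": change}


def lint_filters(text, allowed_params, now):
    """Return (line_number, severity, message) findings for a Report Filters file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            flt = parse_line(raw)
        except ValueError as exc:
            findings.append((lineno, "error", str(exc)))
            continue
        # Rules stated in the guide: known parameter, non-empty value and creator.
        if flt["param"] not in allowed_params:
            findings.append((lineno, "error",
                             f"{flt['param']!r} is not a parameter of this check"))
        if not flt["value"]:
            findings.append((lineno, "error", "[ParamValue] cannot be empty"))
        risk = flt["risk"]
        if risk is None:
            findings.append((lineno, "warning", "no risk acceptance information"))
            continue
        if not risk.get("Creator"):
            findings.append((lineno, "error", "[CreatorValue] cannot be empty"))
        if not risk.get("Authorizer"):
            findings.append((lineno, "warning", "no Authorizer recorded"))
        expiry = risk.get("Expiration Date")
        if expiry:
            try:
                expired = datetime.strptime(expiry, DATE_FORMAT) < now
            except ValueError:
                findings.append((lineno, "error", f"bad Expiration Date {expiry!r}"))
            else:
                if expired:  # informational only in DbProtect, so flag it here
                    findings.append((lineno, "warning",
                                     f"expired {expiry} but still suppresses findings"))
    return findings


# Constructed sample file; only the first line is the guide's own example.
SAMPLE = """\
Granted To=DBA;Creator=S. Green,Authorizer=J. Olzewski,Comments=Insert Comments,Expiration Date=2015-12-31 23:59:22;name1=value1,name2=value2
Granted To=SYSTEM
Role=;Creator=A. Auditor,Authorizer=B. Owner
Role=DBA;Creator=,Comments=temporary
Username=John;Creator=A. Auditor,Authorizer=B. Owner,Expiration Date=31/12/2017
Role=DBA;Creator=A. Auditor,Authorize=B. Owner,Expiration Date=2099-01-01 00:00:00
"""
ALLOWED_PARAMS = {"Granted To", "Role"}  # hypothetical Parameter Names for one check
NOW = datetime(2017, 1, 6)               # fixed review date so results are repeatable

if __name__ == "__main__":
    for lineno, severity, message in lint_filters(SAMPLE, ALLOWED_PARAMS, NOW):
        print(f"line {lineno}: {severity}: {message}")
```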

9.8.5 Viewing Report Filters

To view a Report Filter:

1. Click the enabled check where you want to view the Report Filter.

2. Click Report Filters.

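Note for the Report Filters file syntax (Report Filters only): [ParamName] must be an available parameter in the Parameter Names table for the check. [ParamValue] cannot be empty.

Note for the Report Filters file syntax (Report Filters and risk acceptance information): [ParamName] must be an available parameter in the Parameter Names table for the check. [ParamValue] cannot be empty. [CreatorValue] cannot be empty.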


3. The Report Filters window opens, displaying a list of Report Filters in a tree view. Click the '+' icon to

expand the details of each Report Filter. Any Report Filter with a '+' contains risk acceptance

information that can be viewed.

4. Click OK to close the Report Filters window.

9.8.6 Editing Report Filters

To edit a Report Filter:

1. Click the enabled check where you want to view the Report Filter.

2. Click Report Filters.

3. The Report Filters window opens, displaying a list of Report Filters in a tree view. Click on the Report

Filter you want to edit.

4. Click Edit. A window opens, displaying editing options for the Report Filter.

5. Make your desired edits and click OK.

6. Click OK to close the Report Filters window. Your edits are automatically saved.

9.8.7 Deleting Report Filters

To delete a Report Filter:

1. Click the enabled check where you want to delete the Report Filter.

2. Click Report Filters. Select the Report Filter you want to delete.

3. Click Delete.

4. Click Yes to verify the deletion. This will delete the Report Filter and any risk acceptance information

you included for the selected Report Filter.

5. Click OK to close the Report Filters window.

9.9 Importing a Policy

To import a policy using the Policy Editor:

1. In the Policy Editor, click Import/Export to go to the Import/Export window.

2. Click the Import tab.

3. In the Enter Path of File to Import field, specify the path and file name of the XML file you want to

import (or click Browse to locate the file).

4. In the Select Data to Import field, select “all data”. The policy (or policies) available appear in the field

below.

5. Check the box for each policy you want to import.

6. Click Import.


A message appears, notifying you that the import is complete and giving you the option to view the import

file.

9.10 Exporting a Policy

DbProtect allows you to export policy data from a database. This is useful if you want to transfer policies between machines. Exported policies include any User-defined checks that are part of the policy.

To export a policy:

1. In the Policy Editor, click Import/Export to go to the Import/Export window.

2. Click the Export tab.

3. Enter the location of, or browse to, the folder where you want to export data.

4. For Export Type, select Policy.

5. In the Data to Import field, select All Data. The policy (or policies) available appear in the field below.

6. Check the box for each policy you want to export.

7. Click Export. A message displays informing you that your export operation succeeded.

9.11 Deleting a Policy

To delete a user-defined policy:

1. In the Policy Editor, click the Purge Policy tab.

2. Select the policy you want to delete.

3. Select (check) the option Permanently Delete Selected Policy.

4. Click Purge.

You can only export user-defined policies. You cannot export built-in policies.


Appendix A Monitoring Filter Name Attributes

A.1 Name Attributes

The following table includes valid DbProtect name attributes, which are common for all Activity Monitoring expressions across all supported database platforms.

Table 1: DbProtect Name Attributes

DbProtect Name Attribute | Details
Application | Name of the client application that created the connection to an instance of a given database type (i.e., Microsoft SQL Server 2000/2005/2008, DB2, Sybase, or Oracle). This column is populated with the values passed by the application rather than the displayed name of the program.
ColumnName | The name of the column of a table in which the user statement is running.
DbUser | Database user name.
HostName | The name of the machine (host) from which the client application is run.
ObjectName | Name of the referenced object.
SqlText | The SQL text command presented for execution by the client.
AbsDate (yyyy/mm/dd) | Absolute date.
DayOfWeek | The day of the week.
Date (mm/dd) | Date (month and date).
TimeOfDay (hh:mm) | Time of day in military time (e.g., 20:00 = 8 P.M.).
RecordsAffected | Indicates how many rows have been queried/updated as the result of executing a SQL statement.

A.2 SQL Server Name Attributes

The following table includes valid Microsoft SQL Server name attributes (for Microsoft SQL Server 2000/2005/2008). An expression can contain SQL Profiler Data Columns, and DbProtect Activity Monitoring-defined values.

Table 2: SQL Server Name Attributes

SQL Server Name Attribute | Details
ClientProcessID | ID assigned by the host computer to the process where the client application is running. This data column is populated if the client process ID is provided by the client.
DatabaseName | Name of the database in which the user statement is running.
Error | Indicates if the SQL command yielded an error.


EventSubClass | Type of event subclass, providing further information about each event class. For example, event subclass values for the Execution Warning event class represent the type of execution warning:
1 = Query wait. The query must wait for resources (for example, memory) before it can execute.
2 = Query time out. The query timed out while waiting for required resources to execute.
This data column is not populated for all event classes.
NestLevel | The nesting level of the stored procedure call. For example, my_proc_a stored procedure calls my_proc_b. In this case, my_proc_a has a NestLevel of 1, my_proc_b has a NestLevel of 2.
NTUserName | Windows NT 4.0 user name.
ObjectOwner | User who owns the referenced object.
ObjectType | Value representing the type of the object involved in the event.
Values for Microsoft SQL Server 2000:
1 = Index
2 = Database
5 = Default
8 = Stored Procedure
9 = Function
10 = Rule
12 = System Table
13 = Trigger
17 = User Table
18 = View
19 = Extended Stored Procedure


ObjectType | Values for Microsoft SQL Server 2005 and 2008:
8259 = Check Constraint
8260 = Default (constraint or standalone)
8262 = Foreign-key Constraint
8272 = Stored Procedure
8274 = Rule
8275 = System Table
8276 = Trigger on Server
8277 = (User-defined) Table
8278 = View
8280 = Extended Stored Procedure
16724 = CLR Trigger
16964 = Database
16975 = Object
17222 = FullText Catalog
17232 = CLR Stored Procedure
17235 = Schema
17475 = Credential
17491 = DDL Event
17741 = Management Event
17747 = Security Event
17749 = User Event
17985 = CLR Aggregate Function
17993 = Inline Table-valued SQL Function
18000 = Partition Function
18002 = Replication Filter Procedure
18004 = Table-valued SQL Function
18259 = Server Role
18263 = Microsoft Windows Group
19265 = Asymmetric Key
19277 = Master Key
19280 = Primary Key
19283 = ObfusKey
19521 = Asymmetric Key Login
19523 = Certificate Login
19538 = Role
19539 = SQL Login
19543 = Windows Login
20034 = Remote Service Binding
20036 = Event Notification on Database
20037 = Event Notification
20038 = Scalar SQL Function
20047 = Event Notification on Object
20051 = Synonym
20549 = End Point
20801 = Adhoc Queries which may be cached
20816 = Prepared Queries which may be cached


ObjectType (cont’d) | Values for Microsoft SQL Server 2005 and 2008 (cont’d):
20819 = Service Broker Service Queue
20821 = Unique Constraint
21057 = Application Role
21059 = Certificate
21075 = Server
21076 = Transact-SQL Trigger
21313 = Assembly
21318 = CLR Scalar Function
21321 = Inline scalar SQL Function
21328 = Partition Scheme
21333 = User
21571 = Service Broker Service Contract
21572 = Trigger on Database
21574 = CLR Table-valued Function
21577 = Internal Table (For example, XML NodeTable, Queue Table.)
21581 = Service Broker Message Type
21586 = Service Broker Route
21587 = Statistics
21825, 21827, 21831, 21843, 21847 = User
22099 = Service Broker Service
22601 = Index
22604 = Certificate Login
22611 = XMLSchema
22868 = Type
Permissions | Integer value representing the type of permissions checked. Values are:
1 = SELECT ALL
2 = UPDATE ALL
4 = REFERENCES ALL
8 = INSERT
16 = DELETE
32 = EXECUTE (procedures only)
4096 = SELECT ANY (at least one column)
8192 = UPDATE ANY
16384 = REFERENCES ANY
SPID | Server Process ID assigned by SQL Server to the process associated with the client.
SQLSecurityLoginName | Name of the login of the user (either SQL Server security login or the Windows login credentials in the form of DOMAIN\Username).
StartTime | Time when the event started, when available.
Success | Indicates if the SQL command ran successfully.
TargetLoginName | For actions which target a login (for example, adding a new login), the name of the targeted login.


For more information about SQL Server Profiler Data Columns, see your SQL Server documentation.

A.3 DB2 Name Attributes

The following table includes valid DB2 name attributes. An expression can contain these DbProtect Activity Monitoring-defined values.

Table 3: DB2 Name Attributes

DB2 Attribute | Details
DatabaseName | Name of the database in which the user statement is running.
OsUser | Name of the login of the operating system user running the database client.
SqlTextSize | The size of the SQL text command presented for execution by the client.

A.4 Sybase Name Attributes

The following table includes valid Sybase name attributes. An expression can contain these DbProtect Activity Monitoring-defined values.

Table 4: Sybase Name Attributes

Sybase Attribute | Details
DatabaseName | Name of the database in which the user statement is running.
OsUser | Name of the login of the operating system user running the database client.
SqlTextSize | The size of the SQL text command presented for execution by the client.

A.5 Oracle Name Attributes

The following table includes valid Oracle name attributes.

Table 5: Oracle Name Attributes

Oracle Attribute | Details
OsUser | Name of the login of the operating system user running the database client.
SqlTextSize | The size of the SQL text command presented for execution by the client.


About Trustwave®

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.