Symantec Enterprise Security Manager Sybase Modules User Guide Version 4.2


Post on 20-Mar-2020

Symantec™ Enterprise Security Manager Sybase Modules User Guide

Version 4.2

Documentation version 4.2

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright © 2015 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Contents

Technical Support

Chapter 1 Introducing Symantec ESM Sybase ASE
  About the Symantec ESM modules for Sybase ASE
  What you can do with the Symantec ESM modules for Sybase ASE
  Template
  Where you can get more information

Chapter 2 Understanding ESM Sybase ASE modules
  About the Sybase ASE Account module
    Automatically update snapshots (UNIX)
    Deleted logon accounts (UNIX)
    Unlocked default logon accounts (UNIX)
    Logon accounts (UNIX)
    New logon accounts (UNIX)
    Servers to check (UNIX)
    Accounts with system roles (UNIX)
    Database user aliases (UNIX)
    Inactive accounts (UNIX)
    Login triggers (UNIX)
    Accounts with default master database (UNIX)
    Locked accounts not manually locked by ASE (UNIX)
  About the Sybase ASE Auditing module
    Audit queue size (UNIX)
    Audit segments (UNIX)
    Auditing enabled (UNIX)
    Auditing threshold procedure (UNIX)
    Database Audit Options (UNIX)
    Global Audit Options (UNIX)
    Login Audit Options (UNIX)
    Object Audit Options (UNIX)
    Procedure Audit Options (UNIX)
    Servers to check (UNIX)
    Suspend audit when dev is full (UNIX)
    Trunc transaction log on chkpt (UNIX)
    Multiple audit tables (UNIX)
    Sufficient log space (UNIX)
  About the Sybase ASE Configuration module
    Configuration parameters (UNIX)
    Device status (UNIX)
    Master dev default disk status (UNIX)
    Servers to check (UNIX)
    Version and product level (UNIX)
    Net password encryption (UNIX)
    Sample databases (UNIX)
    Sybase homes (UNIX)
    Trusted remote logins (UNIX)
    Databases on master device (UNIX)
    SSL encryption and strong cipher (UNIX)
    Prohibited extended stored procedures (UNIX)
  About the Sybase ASE Object module
    Automatically update snapshots (UNIX)
    Database status (UNIX)
    Databases to check (UNIX)
    Deleted database (UNIX)
    Deleted granted object perm (UNIX)
    Exclude granted object perm (UNIX)
    Grantable object permission (UNIX)
    Granted object permission (UNIX)
    Grantors to check (UNIX)
    New database (UNIX)
    New granted object permission (UNIX)
    Object actions to check (UNIX)
    Object permission (UNIX)
    Object types to check (UNIX)
    Objects to check (UNIX)
    Servers to check (UNIX)
    User access to database (UNIX)
    Accounts with CREATE permission (UNIX)
    Accounts with set proxy permission (UNIX)
    Grantees to check (UNIX)
    Stored procedure signature (UNIX)
    Database owners to check (UNIX)
    Owners to check (UNIX)
    Object owners (UNIX)
    Database backups protected (UNIX)
  About the Sybase ASE Password Strength module
    Double occurrences (UNIX)
    Empty password (UNIX)
    Minimum password age (UNIX)
    Minimum password length (UNIX)
    Password = any login name (UNIX)
    Password = login name (UNIX)
    Password = wordlist word (UNIX)
    Password contains Digits (UNIX)
    Plural (UNIX)
    Prefix (UNIX)
    Reverse order (UNIX)
    Roles without passwords (UNIX)
    Servers to check (UNIX)
    Suffix (UNIX)
    Hide guessed password details (UNIX)
    Login options(account) (UNIX)
    Maximum failed login attempts (UNIX)
    Maximum reported messages (UNIX)
    Monitor password age (UNIX)
    Password complexity parameters (UNIX)
    Roles to check (UNIX)
    Roles - maximum failed login attempts (UNIX)
    Roles - password expiration (UNIX)
    Roles - minimum password length (UNIX)
    System encryption password (UNIX)
    Encryption keys in database (UNIX)
    Password protect encryption keys (UNIX)
  About the Sybase ASE Patches module
    Patch templates (UNIX)
    Servers to check (UNIX)
  About the Sybase ASE Roles and Groups module
    Automatically update snapshots (UNIX)
    Database groups (UNIX)
    Deleted groups (UNIX)
    Deleted roles (UNIX)
    Users to check (UNIX)
    Group members (UNIX)
    New groups (UNIX)
    New roles (UNIX)
    Role grantees (UNIX)
    Role status (UNIX)
    Servers to check (UNIX)
    Accounts to check (UNIX)
    Granted prohibited roles (UNIX)
    Groups and group members to check (UNIX)
  About the Sybase ASE Discovery module
    Detect new database server (UNIX)
    Detect deleted database server (UNIX)
    Automatically add new database server (UNIX)
    Automatically remove deleted database server (UNIX)
    Validate configuration (UNIX)

Chapter 3 Troubleshooting
  Encryption exception
  RDL error
  LiveUpdate error

Chapter 1 Introducing Symantec ESM Sybase ASE

This chapter includes the following topics:

■ About the Symantec ESM modules for Sybase ASE

■ What you can do with the Symantec ESM modules for Sybase ASE

■ Template

■ Where you can get more information

About the Symantec ESM modules for Sybase ASE

The Symantec Enterprise Security Manager (ESM) modules for Sybase Adaptive Server Enterprise (ASE) servers extend Symantec ESM protection to your Sybase ASE servers.

These modules implement the checks and options that are specific to Sybase ASE servers, to protect them from exposure to known security problems. The modules may be installed locally on the Symantec ESM agent that resides on your Sybase ASE server.

The modules may also assess Sybase ASE servers over the network and be installed on an ESM agent that has the Sybase ASE client installed. You can use the Symantec ESM modules for Sybase ASE server in the same way that you use other Symantec ESM modules.

What you can do with the Symantec ESM modules for Sybase ASE

You can use the ESM Application modules to scan the Sybase ASE servers and report vulnerabilities.

You can perform the following tasks using the ESM console:

■ Create a policy.

■ Configure the policy.

■ Create a rules template.

■ Run the policy.

■ Review the policy run.

■ Correct security problems from the console.

■ Create reports.

Template

Several of the documented modules use templates to store the Sybase ASE parameters and object settings. Differences between the current settings and template values are reported when the modules run.

Table 1-1 Template name

| Module | Check name | Template name | Predefined template |
|---|---|---|---|
| Sybase ASE Auditing | Procedure Audit Options | Sybase Procedure Audit Options | none |
| | Object Audit Options | Sybase ASE Object Audit Options | none |
| | Login Audit Options | Sybase ASE Login Audit Options | none |
| | Database Audit Options | Sybase Database Audit Options | none |
| | Global Audit Options | Sybase ASE Global Audit Options | none |
| Sybase ASE Configuration | Configuration Parameters | Sybase Configuration Parameter | none |
| | Device Status | Sybase ASE Device Status | none |
| Sybase ASE Object | Object Permission | Sybase ASE Object Permissions | none |
| | Exclude granted object perm | Sybase Granted object perm | excludegrantedobjperm.gop |
| | Stored procedure signature | Sybase Stored Procedure Signatures | none |
| Sybase ASE Patches | Patch templates | Sybase ASE Patch | sybasepatch.syq |
| Sybase ASE Password Strength | Password complexity parameters | Sybase Password Parameter | none |

Where you can get more information

For more information about Symantec ESM application modules, Security Updates, Industry Standards Policies, and more, see the Symantec Security Response website at the following URL: Security Response Web site.

For detailed information about templates for ESM application modules version 4.2 for Sybase ASE, see the Symantec™ Enterprise Security Manager Checks and Template Reference help file.

Note: Save the Symantec™ Enterprise Security Manager Checks and Template Reference help on your local computer and then open the file.

Chapter 2 Understanding ESM Sybase ASE modules

This chapter includes the following topics:

■ About the Sybase ASE Account module

■ About the Sybase ASE Auditing module

■ About the Sybase ASE Configuration module

■ About the Sybase ASE Object module

■ About the Sybase ASE Password Strength module

■ About the Sybase ASE Patches module

■ About the Sybase ASE Roles and Groups module

■ About the Sybase ASE Discovery module

About the Sybase ASE Account module

This module checks the server accounts based on the options that you have specified.

Automatically update snapshots (UNIX)

Module: Sybase ASE Account

Enable this option to automatically update the snapshots with the current information.

Deleted logon accounts (UNIX)

Module: Sybase ASE Account

This check reports the logon accounts that were deleted from the database after the last snapshot update. Use the name list to specify the logon names that should be included or excluded from this check.

The following table lists the message for the check.

Table 2-1 Message for Deleted logon accounts

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DELETED_LOGON_ACCOUNT; Category: Change Notification | UNIX (226653) | Title: Deleted logon account. Description: The Sybase ASE logon account was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Unlocked default logon accounts (UNIX)

Module: Sybase ASE Account

This check reports the default logon accounts that should be locked. Use the name list to include the default logon accounts that you want the check to report on. If the name list is left empty, the check reports no problems found.

The following table lists the message for the check.

Table 2-2 Message for Unlocked default logon accounts

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DEFAULT_LOGON_ACCOUNT; Category: Policy Compliance | UNIX (226650) | Title: Unlocked default logon account. Description: The Sybase ASE logon account is unlocked. The default logon accounts should be locked. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Logon accounts (UNIX)

Module: Sybase ASE Account

This check reports the logon accounts and their status. Use the name list to specify the logon names that should be included or excluded from this check.

The following table lists the message for the check.

Table 2-3 Message for Logon accounts

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_LOGON_ACCOUNT; Category: Policy Compliance | UNIX (226651) | Title: Logon account. Description: The Sybase ASE logon account. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

New logon accounts (UNIX)

Module: Sybase ASE Account

This check reports the logon accounts that were added to the database after the last snapshot update. Use the name list to specify the logon names that should be included or excluded from this check.

The following table lists the message for the check.

Table 2-4 Message for New logon accounts

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NEW_LOGON_ACCOUNT; Category: Change Notification | UNIX (226652) | Title: New logon account. Description: The Sybase ASE logon account was added after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Servers to check (UNIX)

Module: Sybase ASE Account

Use the name list to specify the servers that should be included or excluded for all Sybase ASE Account security checks.

Accounts with system roles (UNIX)

Module: Sybase ASE Account

This check reports the accounts that have both the sa_role and sso_role assigned to them. Use the name list to include or exclude the login names that the check should report on.

The following table lists the message for the check.

Table 2-5 Message for Accounts with system roles

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SA_SSO_ROLE; Category: Policy Compliance | UNIX (226660) | Account with system roles. Description: Roles sa_role and sso_role should not be granted to all accounts. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Database user aliases (UNIX)

Module: Sybase ASE Account

This check reports the aliases of the database users that are present on the server. Use the name list to include or exclude the database users whose aliases you want to report.

The following table lists the message for the check.

Table 2-6 Message for Database user aliases

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_ALIAS; Category: Policy Compliance | UNIX (226654) | Alias of the Database user. Description: The Sybase ASE database user has alias. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Inactive accounts (UNIX)

Module: Sybase ASE Account

This check reports the unlocked Sybase ASE logins that have not logged on to the server for more than the number of days specified in the Days since last login text box. Use the name list to include or exclude the login names that the check should report on. Sybase ASE 15.0.2 and later support this check.

Enable the configuration parameter 'enable the last login updates.'

The check also reports login accounts that have no entry against the last login date parameter but were created earlier than the number of days specified. In addition, the check reports as inactive those login accounts whose last login date parameter indicates that there has been no login to the server for more than the number of days specified.

An inactive account is an easy target for those who can break into your system. Hence, you should remove or disable all inactive accounts.

Note: If you specify 0 in the Days since last login text box, the check overlooks that value and by default reports on 30 days.

The following table lists the message for the check.

Table 2-7 Message for Inactive accounts

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_LAST_LOGIN_UPDATE; Category: Policy Compliance | UNIX (226658) | Last login update not enabled. Description: The reported Sybase ASE has the 'enable last login updates' password policy parameter as disabled. Due to this the last login date information is never updated whenever a user logs in. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_INACTIVE_ACCOUNT; Category: Policy Compliance | UNIX (226659) | Inactive account. Description: The reported login account has been inactive for more than number of days specified by your policy. Those login accounts are reported as inactive accounts for which the last login date parameter indicates that there has been no login to the server for more than the specified number of days. Also a login account which does not have an entry against the last login date parameter but which had been created earlier than the specified number of days would be reported as an inactive account. An inactive account can be an easy target for intruders trying to break into your system. Remove or disable the inactive login accounts. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
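The reporting rule described for the Inactive accounts check, modelled here as an added example; this is not Symantec ESM code. The record fields, the `exclude` parameter (a stand-in for the name list), the server name and the choice to return only message 226658 when last login updates are disabled are assumptions; the message IDs and the 0-means-30-days rule come from this guide.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Message IDs taken from Table 2-7 of this guide.
MSG_LAST_LOGIN_UPDATE = (226658, "ESM_SYBASE_LAST_LOGIN_UPDATE")
MSG_INACTIVE_ACCOUNT = (226659, "ESM_SYBASE_INACTIVE_ACCOUNT")

# The guide's note: 0 in "Days since last login" is overlooked and 30 is used.
DEFAULT_DAYS = 30


@dataclass(frozen=True)
class Login:
    """Hypothetical record for one ASE login (field names are assumptions)."""
    name: str
    locked: bool
    created: date
    last_login: Optional[date]  # None: no last login date entry exists


def effective_days(days_since_last_login: int) -> int:
    """Map the text box value to the threshold the check actually uses."""
    if days_since_last_login < 0:
        raise ValueError("days since last login cannot be negative")
    return DEFAULT_DAYS if days_since_last_login == 0 else days_since_last_login


def is_inactive(login: Login, days: int, today: date) -> bool:
    """Apply the two reporting conditions to a single login."""
    if login.locked:
        return False  # the check reports unlocked logins only
    cutoff = today - timedelta(days=effective_days(days))
    if login.last_login is None:
        # No last login entry: fall back to the creation date.
        return login.created < cutoff
    # Strictly "more than" N days: a login exactly N days ago is not reported.
    return login.last_login < cutoff


def run_check(
    logins: Iterable[Login],
    days: int,
    last_login_updates_enabled: bool,
    today: date,
    server: str = "ASE_SAMPLE",      # constructed server name
    exclude: Iterable[str] = (),     # assumption: names excluded via the name list
) -> List[Tuple[int, str, str]]:
    """Return (numeric ID, string ID, information field) findings."""
    if not last_login_updates_enabled:
        # Assumption: last login dates are never updated in this state,
        # so only the configuration finding is returned.
        return [MSG_LAST_LOGIN_UPDATE + (server,)]
    skipped = set(exclude)
    return [
        MSG_INACTIVE_ACCOUNT + (login.name,)
        for login in logins
        if login.name not in skipped and is_inactive(login, days, today)
    ]


# Constructed sample data, not taken from a real server.
TODAY = date(2024, 6, 30)
SAMPLE_LOGINS = [
    Login("sa", True, date(2020, 1, 1), None),                    # locked
    Login("app_etl", False, date(2023, 1, 10), date(2024, 6, 20)),
    Login("jdoe", False, date(2022, 3, 1), date(2024, 4, 1)),      # 90 days idle
    Login("svc_old", False, date(2023, 11, 1), None),              # never logged in
    Login("new_hire", False, date(2024, 6, 25), None),             # created 5 days ago
    Login("edge_30", False, date(2021, 5, 5), date(2024, 5, 31)),  # exactly 30 days
]

if __name__ == "__main__":
    for finding in run_check(SAMPLE_LOGINS, 0, True, TODAY):
        print(finding)
```
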

Login triggers (UNIX)

Module: Sybase ASE Account

This check reports the Sybase ASE logins that have login triggers assigned to them and the global login trigger defined on the Sybase ASE server. Use the name list to include or exclude the login names that the check should report on.

The Global login trigger is useful when you want all the logins to apply the same login trigger.

The login triggers that the check reports are ASE stored procedures. These stored procedures are automatically executed in the background when you successfully log on to the Sybase ASE server.

The following table lists the message for the check.

Table 2-8 Message for Login triggers

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GLOBAL_TRIGGER; Category: System Information | UNIX (226655) | Global login trigger. Description: The Sybase ASE has a global login trigger defined. Global login trigger can be useful when you want all logins to use the same login trigger. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_LOGIN_TRIGGER; Category: System Information | UNIX (226657) | Login trigger. Description: The reported Sybase ASE login account has a login trigger defined. A login trigger is an ASE stored procedure which is automatically executed in the background when a user successfully logs on to Sybase ASE. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Accounts with default master database (UNIX)

Module: Sybase ASE Account

This check reports the accounts that have master as their default database. Use the name list to include or exclude the login names that the check should report on.

The following table lists the message for the check.

Table 2-9 Message for Accounts with default master database

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SA_SSO_ROLE; Category: Policy Compliance | UNIX (226661) | Account with default database master. Description: It is recommended only ASE administrators should be assigned default database as master, since this database stores all system tables. All standard users should be associated with a specific home database other than master. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Locked accounts not manually locked by ASE (UNIX)

Module: Sybase ASE Account

This check reports the locked logon accounts that should be locked manually by ASE. The check verifies that the reason for locking reads Account locked by ASE by manually executing sp_locklogin. Use the name list to include the logon accounts that you want the check to report on. If the name list is empty, the check reports no problems found. The reason for locking is only available in ASE version 15.0.2 and later.

The following table lists the message for the check.

Table 2-10 Message for Locked accounts not manually locked by ASE

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NOT_MANUALLY_LOCKED. Category: Policy Compliance | UNIX (226662) | Title: Logon account is not manually locked by ASE. Description: The Sybase ASE logon account is not manually locked. The logon accounts must be locked by the ASE by manually executing sp_locklogin. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

About the Sybase ASE Auditing module

This module checks for the auditing setup that is based on the options that you have specified.

Audit queue size (UNIX)

Module: Sybase ASE Auditing

This check reports Adaptive Servers that have an audit queue size larger than the specified value.

The following table lists the message for the check.

Table 2-11 Message for Audit queue size

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_AUDIT_QUEUE_SIZE. Category: Policy Compliance | UNIX (226552) | Title: Audit queue size. Description: The Sybase ASE server's audit queue size is larger than the specified value. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Audit segments (UNIX)

Module: Sybase ASE Auditing

This check lists audit segments in the sybsecurity database.

The following table lists the message for the check.

Table 2-12 Message for Audit segments

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NO_THRESHOLD_PROCEDURE. Category: Policy Compliance | UNIX (226551) | Title: Auditing threshold procedure. Description: The Sybase ASE server does not have an auditing threshold procedure enabled. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Auditing enabled (UNIX)

Module: Sybase ASE Auditing

This check reports Adaptive Servers that do not have auditing enabled in the configuration parameters.

The following table lists the message for the check.

Table 2-13 Message for Auditing enabled

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_AUDITING_NOT_ENABLED. Category: Policy Compliance | UNIX (226550) | Title: Auditing not enabled. Description: The Sybase ASE server does not have auditing enabled. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Auditing threshold procedure (UNIX)

Module: Sybase ASE Auditing

This check reports the Adaptive Servers that do not have an auditing threshold procedure enabled.

The following table lists the message for the check.

Table 2-14 Message for Auditing threshold procedure

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NO_THRESHOLD_PROCEDURE. Category: Policy Compliance | UNIX (226551) | Title: Auditing threshold procedure. Description: The Sybase ASE server does not have an auditing threshold procedure enabled. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Database Audit Options (UNIX)

Module: Sybase ASE Auditing

This check reports the database audit options.

The following table lists the message for the check.

Table 2-15 Message for Database Audit Options

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_AUDIT_OPTION. Category: Policy Compliance | UNIX (226555) | Title: Audit Option. Description: Audit Option. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Global Audit Options (UNIX)

Module: Sybase ASE Auditing

This check reports the global audit options.

The following table lists the message for the check.

Table 2-16 Message for Global Audit Options

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_AUDIT_OPTION. Category: Policy Compliance | UNIX (226555) | Title: Audit Option. Description: Audit Option. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Login Audit Options (UNIX)

Module: Sybase ASE Auditing

This check reports the login audit options.

The following table lists the message for the check.

Table 2-17 Message for Login Audit Options

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_AUDIT_OPTION. Category: Policy Compliance | UNIX (226555) | Title: Audit Option. Description: Audit Option. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Object Audit Options (UNIX)

Module: Sybase ASE Auditing

This check reports the object audit options.

The following table lists the message for the check.

Table 2-18 Message for Object Audit Options

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_AUDIT_OPTION. Category: Policy Compliance | UNIX (226555) | Title: Audit Option. Description: Audit Option. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Procedure Audit Options (UNIX)

Module: Sybase ASE Auditing

This check reports the procedure audit options.

The following table lists the message for the check.

Table 2-19 Message for Procedure Audit Options

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_AUDIT_OPTION. Category: Policy Compliance | UNIX (226555) | Title: Audit Option. Description: Audit Option. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Servers to check (UNIX)

Module: Sybase ASE Auditing

This option uses the name list to specify the servers to be included or excluded for all the Sybase ASE Auditing checks.

Suspend audit when dev is full (UNIX)

Module: Sybase ASE Auditing

This check reports the Adaptive Servers on which the value of the configuration parameter that suspends the audit when a device is full does not match the specified value. A value of 0 (zero) causes the server to truncate the next audit table and start using that table as the current audit table when the current audit table becomes full. A value of 1 (one) causes the server to suspend the audit process and all user processes that cause an auditable event until an empty table is set as the current audit table.

The following table lists the message for the check.

Table 2-20 Message for Suspend audit when dev is full

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SUSPEND_AUDITING. Category: Policy Compliance | UNIX (226553) | Title: Suspend audit when device is full. Description: The Sybase ASE server suspends audit when device is full. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
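The auditing settings that these checks report on can also be spot-checked by hand from isql. The following is an added example, not part of the Symantec guide and not the queries ESM itself runs; it assumes a login that is allowed to read the sybsecurity database, and the values to compare against come from your own policy.

```sql
-- Added example: manual spot-checks for the settings behind the
-- Sybase ASE Auditing module checks. Read-only; run from isql.

-- Auditing enabled: a run value of 1 means auditing is on.
sp_configure "auditing"
go

-- Audit queue size: compare the run value with the maximum your policy allows.
sp_configure "audit queue size"
go

-- Suspend audit when device full:
--   0 = truncate the next audit table and switch to it when the current one fills
--   1 = suspend the audit process and auditable user processes until an
--       empty table is set as the current audit table
sp_configure "suspend audit when device full"
go

-- Which of the audit tables is the current one.
sp_configure "current audit table"
go

use sybsecurity
go

-- Multiple audit tables: more than one sysaudits_NN table should be listed.
select name
from sysobjects
where name like 'sysaudits[_]0[1-8]'
order by name
go

-- Audit segments and the threshold procedures attached to them.
-- An audit segment with no threshold listed has no automatic handling
-- when it fills up.
sp_helpsegment
go
sp_helpthreshold
go

-- Devices and database options for sybsecurity, including whether
-- "trunc log on chkpt" is set.
sp_helpdb sybsecurity
go

-- Global and login audit options currently in effect.
sp_displayaudit "global"
go
sp_displayaudit "login"
go
```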

Trunc transaction log on chkpt (UNIX)

Module: Sybase ASE Auditing

This check reports the Adaptive Servers and their databases that are not configured to truncate transaction logs when performing a checkpoint. Use the Databases name list to include or exclude the databases from this check.

The following table lists the message for the check.

Table 2-21 Message for Trunc transaction log on chkpt

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_TRUNCATE_LOG. Category: Policy Compliance | UNIX (226554) | Title: Truncate transaction log on checkpoint. Description: The Sybase ASE server truncates the transaction logs at a checkpoint. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Multiple audit tables (UNIX)

Module: Sybase ASE Auditing

This check reports the Adaptive Servers that are not configured with more than one audit table.

The following table lists the message for the check.

Table 2-22 Message for multiple audit tables

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NO_MULTIPLE_AUDIT_TABLES. Category: Policy Compliance | UNIX (226557) | Title: Multiple audit tables are not configured. Description: You must configure multiple audit tables. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Sufficient log space (UNIX)

Module: Sybase ASE Auditing

This check reports the Adaptive Servers whose audit physical devices, transaction log, and master database physical devices are not different devices on different partitions or physical paths and drives, and whose audit devices do not have any threshold procedure attached to them.

This is a host-based check.

About the Sybase ASE Configuration module

This module checks for the Sybase configuration that is based on the options that you have specified.

Configuration parameters (UNIX)

Module: Sybase ASE Configuration

This check reports the unauthorized configuration parameter values as specified in the enabled Sybase ASE Configuration Parameters templates.

The following table lists the messages for the check.

Table 2-23 Messages for Configuration parameters

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SYP_GREEN_LEVEL. Category: Policy Compliance | UNIX (226151) | Title: Unauthorized configuration parameter (Green level). Description: The Sybase ASE configuration parameter matches a green level template entry. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_SYP_YELLOW_LEVEL. Category: Policy Compliance | UNIX (226152) | Title: Unauthorized configuration parameter (Yellow level). Description: The Sybase ASE configuration parameter matches a yellow level template entry. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_SYP_RED_LEVEL. Category: Policy Compliance | UNIX (226153) | Title: Unauthorized configuration parameter (Red level). Description: The Sybase ASE configuration parameter matches a red level template entry. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_SYP_NOT_FOUND. Category: Policy Compliance | UNIX (226154) | Title: Configuration parameter not found. Description: The Sybase ASE configuration parameter is not found. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Device status (UNIX)

Module: Sybase ASE Configuration

This check reports the device status as specified in the enabled Sybase ASE DeviceStatus templates.

The following table lists the messages for the check.

Table 2-24 Messages for Device status

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SYD_GREEN_LEVEL. Category: Policy Compliance | UNIX (226156) | Title: Device status (Green level). Description: The Sybase ASE device status matches a green level template entry. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_SYD_YELLOW_LEVEL. Category: Policy Compliance | UNIX (226157) | Title: Device status (Yellow level). Description: The Sybase ASE device status matches a yellow level template entry. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_SYD_RED_LEVEL. Category: Policy Compliance | UNIX (226158) | Title: Device status (Red level). Description: The Sybase ASE device status matches a red level template entry. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Master dev default disk status (UNIX)

Module: Sybase ASE Configuration

This check reports the servers on which the master device default disk status is set. The default disk status is turned on by a master device, allowing the user databases to be installed on the master device by default.

The following table lists the message for the check.

Table 2-25 Message for Master dev default disk status

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DEVICE_DEFAULT. Category: Policy Compliance | UNIX (226155) | Title: Device default status. Description: The Sybase ASE master device default disk status is set. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Servers to check (UNIX)

Module: Sybase ASE Configuration

Use the name list to specify the servers that are to be excluded or included for all the Sybase ASE Configuration security checks.

Version and product level (UNIX)

Module: Sybase ASE Configuration

This check reports the Sybase Adaptive Server Enterprise version and product level.

The following table lists the message for the check.

Table 2-26 Message for Version and product level

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_VERSION_LEVEL. Category: Policy Compliance | UNIX (226150) | Title: Sybase ASE version and product level. Description: The Sybase ASE version and product level. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Net password encryption (UNIX)

Module: Sybase ASE Configuration

This check reports the remote servers for which the 'net password encryption' option is set to false.

The Net password encryption option lets you specify whether to initiate a remote server connection by using the client side password encryption handshake or the 'unencrypted password' handshake sequence.

The following table lists the message for the check.

Table 2-27 Message for Net password encryption

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NO_NET_PASSWD_ENCRYPT. Category: Policy Compliance | UNIX (226159) | Title: Net password encryption. Description: The remote server option 'net password encryption' is set to false for the reported remote server. The 'net password encryption' option lets you specify whether to initiate a remote server connection by using the client-side password encryption handshake or the 'unencrypted password' handshake sequence. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Sample databases (UNIX)

Module: Sybase ASE Configuration

This check reports the sample databases that you should remove from the Sybase ASE servers. Use the name list to include the database names that the check should report on. If the name list is left empty, the check reports no problems found.

The following table lists the message for the check.

Table 2-28 Message for Sample databases

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SAMPLE_DB. Category: Policy Compliance | UNIX (226163) | Title: Sample database. Description: The reported sample database should be removed in accordance with the best practice principle of attack surface reduction. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Sybase homes (UNIX)

Module: Sybase ASE Configuration

This check reports the Sybase home and the OCS directory for the Sybase ASE servers that are configured in the SybaseModule.dat file.

The following table lists the message for the check.

Table 2-29 Message for Sybase homes

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_HOME_DATFILE. Category: Policy Compliance | UNIX (226161) | Title: Sybase home. Description: The Sybase home and OCS directory of the configured Sybase ASE servers. | Severity: green-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Trusted remote logins (UNIX)

Module: Sybase ASE Configuration

This check reports any remote logins with the trusted status that are found on the Sybase ASE servers.

The use of trusted mode reduces the security of your server as the passwords of these trusted users are not verified. Set the trusted option to false, if you want to ensure user authorization.

The following table lists the message for the check.

Table 2-30 Message for Trusted remote logins

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_TRUSTED_REMOTE_LOGIN. Category: Policy Compliance | UNIX (226162) | Title: Trusted remote login. Description: The reported remote login has trusted status. Using the trusted mode reduces the security of your server as passwords from such trusted users are not verified. To ensure that user authorization takes place the option trusted should be set to false. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Databases on master device (UNIX)

Module: Sybase ASE Configuration

This check reports the databases that are present on the master device. Use the name list to include or exclude the database names.

The following table lists the message for the check.

Table 2-31 Message for Databases on master device

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DATABASE_ON_MASTER. Category: Policy Compliance | UNIX (226160) | Title: Databases on master device. Description: The Sybase ASE database is present on the master device. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

SSL encryption and strong cipher (UNIX)

Module: Sybase ASE Configuration

This check reports whether SSL support is enabled and whether the cipher suite preference is set to strong or FIPS. This check is supported on Sybase ASE 15.0.0 and later.

The following table lists the message for the check.

Table 2-32 Message for SSL encryption and strong cipher

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SSL_STRONG_CIPHER. Category: Policy Compliance | UNIX (226164) | Title: SSL support with strong cipher not set. Description: Enable SSL support and ensure that the cipher suite preference is set to strong or FIPS. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
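The Net password encryption, Trusted remote logins, and SSL encryption and strong cipher checks above can be confirmed, and their findings corrected, from isql. This is an added example, not part of the Symantec guide or ESM's own code; REMOTE_SRV, local_login and remote_login are placeholder names, and the corrective statements assume a login with the roles needed to change server options.

```sql
-- Added example: review and correct the remote-connection settings behind
-- the Net password encryption, Trusted remote logins and SSL checks.
-- REMOTE_SRV, local_login and remote_login are placeholders.

-- 1. Net password encryption
-- The status column lists the options of each remote server, including
-- whether net password encryption is in effect for it.
sp_helpserver
go

-- Use the encrypted-password handshake when connecting to this server.
sp_serveroption REMOTE_SRV, "net password encryption", true
go

-- 2. Trusted remote logins
-- The options column shows "trusted" for mappings whose passwords
-- are accepted without verification.
sp_helpremotelogin
go

-- Require password verification for one mapping.
sp_remoteoption REMOTE_SRV, local_login, remote_login, trusted, false
go

-- 3. SSL support and cipher suite preference (ASE 15.0.0 and later)
-- A run value of 1 means SSL support is enabled.
sp_configure "enable ssl"
go

-- Show the current cipher suite preference list.
sp_ssladmin lscipher
go

-- Restrict the preference to FIPS cipher suites ("Strong" is the
-- other setting the check accepts).
sp_ssladmin setcipher, "FIPS"
go
```

Rerun sp_helpserver and sp_helpremotelogin after the changes to confirm that the reported options match what the checks expect.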

Prohibited extended stored procedures (UNIX)

Module: Sybase ASE Configuration

This check reports prohibited extended stored procedures that should be removed from the Sybase ASE Servers. Use the name list to include extended stored procedure names. If the name list is left empty, the check reports no problems found.

The following table lists the message for the check.

Table 2-33 Message for Prohibited extended stored procedures

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_PROHIBITED_ESP. Category: Policy Compliance | UNIX (226165) | Title: Prohibited extended stored procedure found. Description: Prohibited extended stored procedures must be removed. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

About the Sybase ASE Object module

This module checks the Sybase server for database existence and object permissions, based on the options that you have specified.

Automatically update snapshots (UNIX)

Module: Sybase ASE Object

Enable this option to automatically update the snapshots with the current information.

Database status (UNIX)

Module: Sybase ASE Object

This check reports the databases and the status levels that were configured to the Sybase ASE. Use the name list to specify the database names that should be included or excluded from this check.

The following table lists the message for the check.

Table 2-34 Message for Database status

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DATABASE. Category: Policy Compliance | UNIX (226351) | Title: Database. Description: The Sybase ASE database. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Databases to check (UNIX)

Module: Sybase ASE Object

Use the name list to specify the databases that should be excluded or included for the Sybase ASE Object checks.

Deleted database (UNIX)

Module: Sybase ASE Object

This check reports the databases that were deleted from the Sybase ASE after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.

The following table lists the message for the check.

Table 2-35 Message for Deleted database

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DELETED_DATABASE. Category: Change Notification | UNIX (226353) | Title: Deleted database. Description: The Sybase ASE database was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Deleted granted object perm (UNIX)

Module: Sybase ASE Object

This check reports the objects or the granted object permissions that were deleted from the Sybase ASE after the last snapshot update.

■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.

■ Use the Object types to check name list to include or exclude the object types for the check to report on.

■ Use the Databases to check name list to include or exclude the databases for the check to report on.

■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.

■ Use the Objects to check name list to include or exclude the object names for the check to report on.

The following table lists the messages for the check.

Table 2-36 Messages for Deleted granted object perm

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DELETED_OBJECT. Category: Change Notification | UNIX (226359) | Title: Deleted object. Description: The Sybase ASE object was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_DELETED_OBJ_ACTION. Category: Change Notification | UNIX (226360) | Title: Deleted granted object action permission. Description: The Sybase ASE granted object action permission was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_DELETED_OBJ_COLUMN. Category: Change Notification | UNIX (226361) | Title: Deleted granted object column permission. Description: The Sybase ASE granted object column permission was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Exclude granted object perm (UNIX)

Module: Sybase ASE Object

This check excludes the granted object permissions that are reported by the Granted object permission check. Use the name list to specify the template that contains the entries for exclusion. Note that this check works only if the Granted object permission is selected.

Grantable object permission (UNIX)

Module: Sybase ASE Object

This check reports the object permissions that are grantable.

■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.

■ Use the Object types to check name list to include or exclude the object types for the check to report on.

■ Use the Databases to check name list to include or exclude the databases for the check to report on.

■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.

■ Use the Objects to check name list to include or exclude the object names for the check to report on.

The following table lists the message for the check.

Table 2-37 Message for Grantable object permission

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GRANTABLE_PERM. Category: Policy Compliance | UNIX (226354) | Title: Grantable object permission. Description: The Sybase ASE grantable object permission. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Granted object permission (UNIX)

Module: Sybase ASE Object

This check reports object permissions that are granted.

Use the following name lists with this check:

■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.

■ Use the Object types to check name list to include or exclude the object types for the check to report on.

■ Use the Databases to check name list to include or exclude the databases for the check to report on.

■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.

■ Use the Objects to check name list to include or exclude the object names for the check to report on.

The following table lists the message for the check.

Table 2-38 Message for Granted object permission

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GRANTED_PERM. Category: Policy Compliance | UNIX (226355) | Title: Granted object permission. Description: The Sybase ASE granted object permission. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Grantors to check (UNIX)

Module: Sybase ASE Object

Use the name list to specify the grantors that should be excluded or included for the Sybase ASE Object checks.

New database (UNIX)

Module: Sybase ASE Object

This check reports the databases that were added to the Sybase ASE after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.

The following table lists the message for the check.

Table 2-39 Message for New database

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NEW_DATABASE. Category: Change Notification | UNIX (226352) | Title: New database. Description: The Sybase ASE database was added after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

New granted object permission (UNIX)

Module: Sybase ASE Object

This check reports the objects or the granted object permissions that were added to the Sybase ASE after the last snapshot update.

■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.

■ Use the Object types to check name list to include or exclude the object types for the check to report on.

■ Use the Databases to check name list to include or exclude the databases for the check to report on.

■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.

■ Use the Objects to check name list to include or exclude the object names for the check to report on.

The following table lists the messages for the check.

Table 2-40 Messages for New granted object permission

AdditionalInformation

Message Title andDescription

Platform andMessage NumericID

Message String IDand Category

Severity: yellow-2

Correctable: false

Snapshot Updatable:true

Template Updatable:false

Information FieldFormat: [%s]

Title: New object

Description: TheSybase ASE objectwas added after thelast snapshot update.

UNIX (226356)String ID:ESM_SYBASE_NEW_OBJECT

Category: ChangeNotification

Severity: yellow-2

Correctable: false

Snapshot Updatable:true

Template Updatable:false

Information FieldFormat: [%s]

Title: New grantedobject actionpermission

Description: TheSybase ASE grantedobject actionpermission wasadded after the lastsnapshot update.

UNIX (226357)String ID:ESM_SYBASE_NEW_OBJ_ACTION

Category: ChangeNotification

Severity: yellow-2

Correctable: false

Snapshot Updatable:true

Template Updatable:false

Information FieldFormat: [%s]

Title: New grantedobject columnpermission

Description: TheSybase ASE grantedobject columnpermission wasadded after the lastsnapshot update.

UNIX (226358)String ID:ESM_SYBASE_NEW_OBJ_COLUMN

Category: ChangeNotification
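The snapshot comparison behind the three messages in Table 2-40 can be sketched as follows. This is an added example, not ESM's implementation: the record layout, the way name lists are represented, and the sample data are assumptions, while the String IDs and numeric IDs are the ones listed in the table.

```python
from collections import namedtuple

# Hypothetical record shapes; the guide does not describe ESM's snapshot format.
Obj = namedtuple("Obj", "database name type")
Grant = namedtuple("Grant", "database name type grantor grantee action column")

# String IDs and numeric IDs as listed in Table 2-40.
NEW_OBJECT = ("ESM_SYBASE_NEW_OBJECT", 226356)
NEW_ACTION = ("ESM_SYBASE_NEW_OBJ_ACTION", 226357)
NEW_COLUMN = ("ESM_SYBASE_NEW_OBJ_COLUMN", 226358)


def passes(record, name_lists):
    """Apply name lists given as {field: ('include' | 'exclude', set_of_names)}."""
    for field, (mode, names) in name_lists.items():
        value = getattr(record, field, None)
        if value is None:
            continue  # e.g. a grantor list does not apply to a bare object
        if (value in names) != (mode == "include"):
            return False
    return True


def new_since_snapshot(snapshot, current, name_lists=None):
    """Return (string_id, numeric_id, info) for everything added since the snapshot."""
    name_lists = name_lists or {}
    findings = []
    for obj in sorted(current["objects"] - snapshot["objects"]):
        if passes(obj, name_lists):
            findings.append(NEW_OBJECT + ("%s..%s (%s)" % obj,))
    for g in sorted(current["grants"] - snapshot["grants"]):
        if not passes(g, name_lists):
            continue
        # A grant limited to a column is reported separately from an object-wide grant.
        message = NEW_COLUMN if g.column else NEW_ACTION
        target = "%s..%s" % (g.database, g.name) + ("." + g.column if g.column else "")
        info = "%s on %s to %s by %s" % (g.action, target, g.grantee, g.grantor)
        findings.append(message + (info,))
    return findings


# Constructed sample data: the state at the last snapshot update and the state now.
SNAPSHOT = {
    "objects": {Obj("sales", "orders", "table")},
    "grants": {Grant("sales", "orders", "table", "dbo", "reporting", "select", "")},
}
CURRENT = {
    "objects": SNAPSHOT["objects"] | {
        Obj("sales", "sp_export", "procedure"),
        Obj("tempdb", "scratch", "table"),
    },
    "grants": SNAPSHOT["grants"] | {
        Grant("sales", "sp_export", "procedure", "dbo", "public", "execute", ""),
        Grant("sales", "orders", "table", "dbo", "clerk", "update", "status"),
    },
}

if __name__ == "__main__":
    # Exclude tempdb, as a Databases to check name list might.
    for finding in new_since_snapshot(SNAPSHOT, CURRENT, {"database": ("exclude", {"tempdb"})}):
        print(finding)
```

Because every finding is Snapshot Updatable, an authorized change is cleared by updating the snapshot, which in this sketch corresponds to replacing SNAPSHOT with CURRENT.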

Object actions to check (UNIX)
Module: Sybase ASE Object

Use the name list to specify the object actions that should be excluded or included for the Sybase ASE Object checks.

Object permission (UNIX)
Module: Sybase ASE Object

This check reports the unauthorized object permissions as specified in the enabled Sybase ASE Object Permission templates.

The following table lists the messages for the check.

Table 2-41 Messages for Object permission

String ID: ESM_SYBASE_SYB_GREEN_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226362)
Title: Unauthorized object permission (Green level)
Description: The Sybase ASE object permission matches a green level template entry.
Additional Information: Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_SYBASE_SYB_YELLOW_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226363)
Title: Unauthorized object permission (Yellow level)
Description: The Sybase ASE object permission matches a yellow level template entry.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_SYBASE_SYB_RED_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226364)
Title: Unauthorized object permission (Red level)
Description: The Sybase ASE object permission matches a red level template entry.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_SYBASE_SYB_OBJ_GREEN_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226365)
Title: Object existence (Green level)
Description: The Sybase ASE object existence matches a green level template entry.
Additional Information: Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_SYBASE_SYB_OBJ_YELLOW_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226366)
Title: Object existence (Yellow level)
Description: The Sybase ASE object existence matches a yellow level template entry.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_SYBASE_SYB_OBJ_RED_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226367)
Title: Object existence (Red level)
Description: The Sybase ASE object existence matches a red level template entry.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Object types to check (UNIX)
Module: Sybase ASE Object

Use the name list to specify the object types that should be included for the Sybase ASE Object checks.

Objects to check (UNIX)
Module: Sybase ASE Object

Use the name list to specify the object names that should be excluded or included for the Sybase ASE Object checks.

Servers to check (UNIX)
Module: Sybase ASE Object

Use the name list to specify the servers that should be excluded or included for all Sybase ASE Object checks.

User access to database (UNIX)
Module: Sybase ASE Object

This check reports the Adaptive Server databases that allow user access, such as guest. Use the Databases name list to include the databases for this check. Use the value field to include the user names for this check.

The following table lists the message for the check.

Table 2-42 Message for User access to database

String ID: ESM_SYBASE_USER_ACCESS_DATABASE
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226350)
Title: User access database
Description: The Sybase ASE allows user access to database.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Accounts with CREATE permission (UNIX)
Module: Sybase ASE Object

This check reports the database users, roles, and groups that are explicitly granted CREATE permissions and CONNECT action permission. Use the Keys list to specify the CREATE permissions that the check should report on. Use the Databases to check name list to include or exclude the databases that you want the check to report on. Use the Grantees to check name list to include or exclude the grantees that the check should report on.

The following table lists the message for the check.

Table 2-43 Message for Accounts with CREATE permission

String ID: ESM_SYBASE_CREATE_PERM
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226371)
Title: Accounts with CREATE permission
Description: The Sybase ASE database account that has been reported has CREATE permissions explicitly assigned to it. Please refer information field for more details.
Additional Information: Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Accounts with set proxy permission (UNIX)
Module: Sybase ASE Object

This check reports the database users, roles, and groups that are explicitly granted the set proxy or set session authorization permissions. Use the Grantees to check name list to include or exclude the grantees that the check should report on.

The following table lists the message for the check.

Table 2-44 Message for Accounts with set proxy permission

String ID: ESM_SYBASE_SET_PROXY_PERM
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226372)
Title: Accounts with set proxy permission
Description: The Sybase ASE database account has a set proxy or set session authorization permissions explicitly assigned to it. For more details, refer to the Information field.
Additional Information: Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Grantees to check (UNIX)
Module: Sybase ASE Object

Use the name list to specify the grantees that should be excluded or included for the Accounts with CREATE permissions check and Proxy access permission check.

Stored procedure signature (UNIX)
Module: Sybase ASE Object

This check reports the occurrences of the stored procedures whose signatures are different from the signatures that you define in the template. If you do not define any signature for the stored procedure in the template, then the check reports the signatures of the matched stored procedure. You can use the Template update feature to update the template with the signatures that the check reports.

Note: This check only supports the stored procedures and does not support the extended stored procedures.

For more information on the Sybase Stored Procedure Signatures template, see the Symantec™ Enterprise Security Manager Checks and Templates Reference help available at the Security Updates Website.

To update the template

1 Right-click on the message.

2 Choose Update Template.

Note: You can use the Sybase Stored Procedure Signatures template to report on custom stored procedures such as sp_extrapwdchecks, sp_cleanpwdchecks, and so on.

The following table lists the message for the check.

Table 2-45 Message for Stored procedure signature

String ID: ESM_SYBASE_SP_SIG_MISMATCH
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226368)
Title: Stored procedure signature mismatch
Description: The Sybase ASE stored procedures signature does not match with the one that has been specified within the template. If the signature is authorized then you can update the new signature by using the template update action.
Additional Information: Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

String ID: ESM_SYBASE_HIDDEN_SP
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226369)
Title: Hidden stored procedure
Description: The Sybase ASE stored procedure is hidden.
Additional Information: Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

String ID: ESM_SYBASE_MISSING_SP
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226370)
Title: Missing stored procedure
Description: The prohibited roles should not be granted to all accounts.
Additional Information: Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Database owners to check (UNIX)
Module: Sybase ASE Object

Use the name list to include or exclude the Sybase ASE database login names for the Database status check to report on.

Owners to check (UNIX)
Module: Sybase ASE Object

Use the name list to include or exclude the object owners for the Object owners check to report on.

Object owners (UNIX)
Module: Sybase ASE Object

This check reports the objects and their owners that are present in the Sybase ASE Database.

■ Use the Object types to check name list to include or exclude the object types for the check to report on.

■ Use the Databases to check name list to include or exclude the databases for the check to report on.

■ Use the Objects to check name list to include or exclude the object names for the check to report on.

■ Use the Owners to check name list to include or exclude the object owners for the check to report on.

The following table lists the message for the check.

Table 2-46 Message for Object owners signature

String ID: ESM_SYBASE_OBJECT_OWNER
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226373)
Title: Database object owner
Description: Review whether the owner of the Sybase ASE database object is a authorised owner.
Additional Information: Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Database backups protected (UNIX)
Module: Sybase ASE Object

This check reports the database backup files that are not password protected. Use the name list to specify the full path of the database dump files that should be included in this check. If the name list is empty, this check reports no problems found.

The following table lists the message for the check.

Table 2-47 Message for Database backups protected

String ID: ESM_SYBASE_PASS_PROTECT_DBDUMP
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226374)
Title: Database backups are not password protected
Description: The specified database backup file is not password protected.
Additional Information: Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

About the Sybase ASE Password Strength module

This module checks the integrity of the passwords that Sybase server accounts use, based on the options that you have specified.

Double occurrences (UNIX)
Module: Sybase ASE Password Strength

This option causes the password checks to report logons with passwords that match the double versions of logon names or entries in the enabled word files. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.

Empty password (UNIX)
Module: Sybase ASE Password Strength

This check reports the Sybase ASE logons with empty or NULL passwords.

The following table lists the message for the check.

Table 2-48 Message for Empty password

String ID: ESM_SYBASE_NULL_PASSWORD
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226250)
Title: Empty password
Description: The reported Sybase ASE login has an empty or NULL password. Assign a password to it now, then instruct the user to log on with the assigned password and change the password again.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Minimum password age (UNIX)
Module: Sybase ASE Password Strength

This check reports the Sybase ASE servers with a system-wide password expiration configuration parameter that is higher than the specified number of days for this check.

The following table lists the message for the check.

Table 2-49 Message for Minimum password age

String ID: ESM_SYBASE_MIN_PASSWORD_AGE
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226254)
Title: Minimum password age
Description: This check reports Adaptive Servers that have a system-wide password expiration configuration parameter setting that is higher than the specified number days for this check.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Minimum password length (UNIX)
Module: Sybase ASE Password Strength

This check reports the Adaptive Servers that have a minimum password length configuration parameter setting lower than the specified value for this check.

The following table lists the message for the check.

Table 2-50 Message for Minimum password length

String ID: ESM_SYBASE_MIN_PASSWORD_LEN
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226253)
Title: Minimum Password Length
Description: This check reports Adaptive Servers that have a minimum password length configuration parameter setting that is lower than the specified value for this check.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Password = any login name (UNIX)
Module: Sybase ASE Password Strength

This check reports the Sybase ASE logins with passwords that match any logon name. To apply this check to the application role passwords, enable this check and the Application role password check in the same policy.

The following table lists the message for the check.

Table 2-51 Message for Password = any login name

String ID: ESM_SYBASE_GUESSED_PASSWORD
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226251)
Title: Guessed password
Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Password = login name (UNIX)
Module: Sybase ASE Password Strength

This check reports the Sybase ASE logons with matching logon names and passwords. To apply this check to the application role passwords, enable this check and the Application role password check in the same policy.

The following table lists the message for the check.

Table 2-52 Message for Password = login name

String ID: ESM_SYBASE_GUESSED_PASSWORD
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226251)
Title: Guessed password
Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Password = wordlist word (UNIX)
Module: Sybase ASE Password Strength

This check tries to match the Sybase ASE logon passwords with words in the enabled word files, and reports the matches. To apply this check to the application role passwords, enable this check and the Application role password check in the same policy.

The following table lists the message for the check.

Table 2-53 Message for Password = wordlist word

String ID: ESM_SYBASE_GUESSED_PASSWORD
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226251)
Title: Guessed password
Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Password contains Digits (UNIX)
Module: Sybase ASE Password Strength

This option reports the Adaptive Servers that do not have the configuration parameter enabled to require the new passwords to contain at least one digit.

The following table lists the message for the check.

Table 2-54 Message for Password contains Digits

String ID: ESM_SYBASE_PASSWORD_CONTAINS_DIGIT
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226252)
Title: Password contains a digit
Description: Adaptive Server does not have the configuration parameter enabled to require new passwords to contain at least one digit.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Plural (UNIX)
Module: Sybase ASE Password Strength

This option causes the password checks to report the logons with passwords that match the plural forms of logon names or entries in the enabled word files. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.

The following table lists the message for the check.

Table 2-55 Message for Plural

String ID: ESM_SYBASE_GUESSED_PASSWORD
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226251)
Title: Guessed password
Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Prefix (UNIX)
Module: Sybase ASE Password Strength

This option causes the password checks to report the logons with passwords that match the forms of logon names or the entries in the enabled word files with a prefix. Use the option's name list to specify the prefixes to be used. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.

Reverse order (UNIX)
Module: Sybase ASE Password Strength

This option enables the module checks that guess the passwords to report the logons with passwords that match the reverse order of the logon names or the entries in the enabled word files. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.

Roles without passwords (UNIX)
Module: Sybase ASE Password Strength

This check reports the roles that do not have passwords assigned. Use the Roles list to include or exclude the roles for this check.

The following table lists the message for the check.

Table 2-56 Message for Roles without passwords

String ID: ESM_SYBASE_ROLE_NO_PASSWORD
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226255)
Title: Role without password
Description: This check reports roles defined in the Adaptive ASE that have no password assigned.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Servers to check (UNIX)
Module: Sybase ASE Password Strength

Use the name list to specify the servers that are to be excluded or included for all the Sybase ASE Password Strength checks.

Suffix (UNIX)
Module: Sybase ASE Password Strength

This option affects the behavior of the enabled Password = username, Password = any username, and Password = wordlist word security checks. When this option is enabled, the specified suffixes are added to the user names and the wordlist words that are used to guess passwords, for example, golf -> golfball. Use the option's name list to specify the suffixes to be used. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.

Hide guessed password details (UNIX)
Module: Sybase ASE Password Strength

When you enable this check, the security checks no longer display the details of the guessed password. This check works with the Password = login name, Password = any login name, Password = wordlist word, Reverse order, Double occurrences, Plural, Prefix, and Suffix checks.
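How the variant options (Double occurrences, Plural, Prefix, Reverse order, Suffix) widen the three guessing checks, and what Hide guessed password details removes from a finding, is shown in the added example below, written as a screen for a proposed password at change time. It is not ESM code: the function names, the plural rule, case-insensitive matching, the finding text, and the sample logins and word list are assumptions.

```python
from dataclasses import dataclass


@dataclass
class GuessOptions:
    """Hypothetical switches named after the options in this guide."""
    double: bool = False
    plural: bool = False
    reverse: bool = False
    prefixes: tuple = ()
    suffixes: tuple = ()
    hide_details: bool = False


def plural_of(word):
    """Simple English plural; the rule ESM applies is not documented here (assumption)."""
    if word.endswith(("s", "x", "z", "ch", "sh")):
        return word + "es"
    if len(word) > 1 and word.endswith("y") and word[-2] not in "aeiou":
        return word[:-1] + "ies"
    return word + "s"


def variants(base, opts):
    """Map each candidate derived from a logon name or word to the rule that produced it."""
    base = base.lower()  # case-insensitive matching is an assumption
    out = {base: "exact"}
    if opts.double:
        out.setdefault(base * 2, "double")
    if opts.plural:
        out.setdefault(plural_of(base), "plural")
    if opts.reverse:
        out.setdefault(base[::-1], "reverse")
    for prefix in opts.prefixes:
        out.setdefault(prefix.lower() + base, "prefix '%s'" % prefix)
    for suffix in opts.suffixes:
        out.setdefault(base + suffix.lower(), "suffix '%s'" % suffix)
    return out


def check_password(login, proposed, all_logins, wordlist, opts):
    """Return at most one finding per check for a proposed password."""
    proposed = proposed.lower()
    sources = [
        ("Password = login name", [login]),
        ("Password = any login name", [name for name in all_logins if name != login]),
        ("Password = wordlist word", wordlist),
    ]
    findings = []
    for check, bases in sources:
        for base in bases:
            rule = variants(base, opts).get(proposed)
            if rule is None:
                continue
            # Rule plus base word is enough to rebuild the password, so the
            # detail is dropped when hide_details is set.
            detail = "" if opts.hide_details else " [%s, from '%s']" % (rule, base)
            findings.append("Guessed password: %s%s" % (check, detail))
            break
    return findings


# Constructed sample data.
LOGINS = ["sa", "jsmith", "golf_admin"]
WORDLIST = ["golf", "berry"]
OPTS = GuessOptions(double=True, plural=True, reverse=True, suffixes=("ball",))

if __name__ == "__main__":
    for candidate in ("htimsj", "golfball", "sasa", "berries", "T7#qLm!vR2"):
        print(candidate, check_password("jsmith", candidate, LOGINS, WORDLIST, OPTS))
```

With every option disabled only exact matches are reported, so each enabled option strictly enlarges the set of passwords the three checks flag.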

Login options(account) (UNIX)
Module: Sybase ASE Password Strength

This check works with the Password expiration, Minimum password length, and Maximum failed login attempts checks. The Login options(account) check reports the individual login accounts that do not satisfy the condition that you specify in the login configuration parameters-related checks. Use the name list to include or exclude the logon accounts that the check should report on.

Maximum failed login attempts (UNIX)
Module: Sybase ASE Password Strength

This check reports the Sybase ASE servers that have the system-wide 'maximum failed login attempts' configuration parameter set higher than the value you specify in the Maximum failed login attempts text box or that have the 'maximum failed login attempts' configuration parameter less than or equal to 0. Enable this check with the Login options(account) check to report all the login accounts that have the 'maximum failed login attempts' configuration set higher than the value that you specify in the Maximum failed login attempts text box or that have the 'maximum failed login attempts' configuration parameter less than or equal to 0. Enable this check with the Roles to check name list to specify the roles whose members you want to include or exclude from reporting the violations in the Maximum failed login attempts settings.

The following table lists the message for the check.

Table 2-57 Message for Maximum failed login attempts

String ID: ESM_SYBASE_MAX_FAIL_LOGIN_ATMPT
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226259)
Title: Maximum failed login attempts
Description: Either the 'max failed_logins' setting is found to be set as 'accounts never get locked on any number of failed logins' or is found to be of higher value than the one that has been specified. Please see information field for more details.
Additional Information: Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Maximum reported messages (UNIX)
Module: Sybase ASE Password Strength

This check limits the number of messages that the module returns.

You can specify a limit for the number of messages that the module returns. On reaching the maximum limit for a single message, the module displays the message again with the number of the repeating instances of the message that are not reported.

Monitor password age (UNIX)
Module: Sybase ASE Password Strength

This check reports any unlocked accounts with passwords that are older than the limit that you specify. This check works with the Roles to check name list. Use the Roles to check name list to include or exclude the roles. The Monitor password age check reports on the members of the roles that you include in the name list.

This check is useful if there is no password expiration setting present on the server. In this case, the Monitor password age check reports the login accounts that have not changed their password within the specified days.

The following table lists the messages for the check.

Table 2-58 Message for Monitor password age

String ID: ESM_SYBASE_MONITOR_PASSWORD_AGE
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226261)
Title: Monitor password age
Description: The user has not changed the password for more than the specified number of days.
Additional Information: Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Password complexity parameters (UNIX)
Module: Sybase ASE Password Strength

This check reports the values for the password complexity options that do not match the values that you specify in the template. You can use the sp_passwordpolicy stored procedure to set the password complexity options. The sp_passwordpolicy stored procedure is available on Sybase ASE 12.5.4 and later and 15.0.2 and later versions.

Note: Sybase ASE 12.5.4, 15.0.2, and 15.0.3 versions support this check.

For more information on the Sybase Stored Procedure Signatures template, see the Symantec™ Enterprise Security Manager Checks and Templates Reference help available at the Security Updates Website.

The following table lists the messages for the check.

Table 2-59 Message for Password complexity parameters

String ID: ESM_SYBASE_SP_GREEN_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226256)
Title: Unauthorized password complexity parameter (Green level)
Description: The Sybase ASE password complexity parameter matches a green level template entry.
Additional Information: Severity: green-0; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

String ID: ESM_SYBASE_SP_YELLOW_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226257)
Title: Unauthorized password complexity parameter (Yellow level)
Description: The Sybase ASE password complexity parameter matches a yellow level template entry.
Additional Information: Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

String ID: ESM_SYBASE_SP_RED_LEVEL
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226258)
Title: Unauthorized password complexity parameter (Red level)
Description: The Sybase ASE password complexity parameter matches a red level template entry.
Additional Information: Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Roles to check (UNIX)
Module: Sybase ASE Password Strength

Use the name list to specify the roles that you want to include or exclude from reporting violations. Use this name list with the Login options(account) check to report the members of the roles that you want to include or exclude from reporting violations.

Roles - maximum failed login attempts (UNIX)
Module: Sybase ASE Password Strength

This check reports the roles that have the maximum failed login attempts configuration parameter set higher than the value specified in the Maximum failed login attempts text box or the roles that have the maximum failed login attempts configuration parameter less than or equal to 0. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the maximum failed login attempts settings.

Roles - password expiration (UNIX)
Module: Sybase ASE Password Strength

This check reports the roles that have the password expiration configuration parameter higher than the value that you specify or the roles that have the password expiration configuration parameter value set to 0. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the password expiration settings.

Roles - minimum password length (UNIX)
Module: Sybase ASE Password Strength

This check reports the roles that have the password length set less than the value specified in the Minimum password length text box. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the minimum password length settings.

System encryption password (UNIX)
Module: Sybase ASE Password Strength

This check reports the databases of Sybase ASE Servers that are not configured with a strong system encryption password. Use the name list Databases to check to either include or exclude the databases that are to be verified.

Note: This check is supported on Sybase ASE 15.0.1 and later.

The following table lists the messages for the check.

Table 2-60 Message for System encryption password

String ID: ESM_SYBASE_SYSTEM_ENCRYPT_PASSWORD
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226262)
Title: System encryption password not set
Description: The database master must have a strong system encryption password set.
Additional Information: Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Encryption keys in database (UNIX)
Module: Sybase ASE Password Strength

This check reports the databases of Sybase ASE Servers that contain the encryption keys. Use the name list Databases to check to either include or exclude the databases that are to be verified.

Note: This check is supported on Sybase ASE 15.0.1 and later.

The following table lists the messages for the check.

Table 2-61 Message for Encryption keys in database

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DB_ENCRYPT_KEYS; Category: Policy Compliance | UNIX (226263) | Title: Encryption keys are in database; Description: The database of Sybase ASE server contains the encryption keys. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |


Note: If none of the databases of a configured Sybase ASE server contains encryption keys and if the name list is empty, ESM displays the note Encryption keys not found in any databases.

Password protect encryption keys (UNIX)

Module: Sybase ASE Password Strength

This check reports the encryption keys that are not password protected. Encryption key passwords are used to limit the DBO and system administrator access to the data. Use the name list Databases to check to either include or exclude the databases that are to be verified.

Note: This check is supported on Sybase ASE 15.0.2 and later.

The following table lists the messages for the check.

Table 2-62 Message for Password protect encryption keys

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_PASSPROTECT_ENCRYPTKEY; Category: Policy Compliance | UNIX (226264) | Title: System encryption password not set; Description: The encryption keys in the database of Sybase ASE server must be password protected. Sybase ASE 15.0.2 and later supports per encryption key passwords that can be used to restrict access to encrypted data. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |

About the Sybase ASE Patches module

This module identifies the Sybase patches that are not installed on Sybase server.

Patch templates (UNIX)

Module: Sybase ASE Patches

Use this option to specify the Sybase ASE Patch template files to be used by this module.

The following table lists the message for the check.

Table 2-63 Message for Patch templates

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_PATCH_NOT_FOUND; Category: Policy Compliance | UNIX (226750) | Title: Patch not found; Description: The Sybase ASE Patch not found. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Servers to check (UNIX)

Module: Sybase ASE Patches

Use the name list to specify the servers that are to be excluded or included for all the Sybase ASE Patches security checks.

About the Sybase ASE Roles and Groups module

This module checks for the roles and groups that are based on the options you have specified.

Automatically update snapshots (UNIX)

Module: Sybase ASE Roles and Groups

Enable this option to automatically update the snapshots with the current information.

Database groups (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the database groups. Use the name list to include or exclude the databases for this check.

The following table lists the message for the check.

Table 2-64 Message for Database groups

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DATABASE_GROUP; Category: Policy Compliance | UNIX (226455) | Title: Database group; Description: The Sybase ASE database group. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Deleted groups (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the database groups and members that were deleted from the database after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.

The following table lists the messages for the check.

Table 2-65 Messages for Deleted groups

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DELETED_GROUP; Category: Change Notification | UNIX (226459) | Title: Deleted database group; Description: The Sybase ASE database group was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_DELETED_GROUP_MEMBER; Category: Change Notification | UNIX (226460) | Title: Deleted group member; Description: The Sybase ASE database group member was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Deleted roles (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the roles and the grantees that were deleted from the database after the last snapshot update. Use the name list to specify the role names that should be included or excluded from this check.

The following table lists the messages for the check.

Table 2-66 Messages for Deleted roles

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DELETED_ROLE; Category: Change Notification | UNIX (226453) | Title: Deleted role; Description: The Sybase ASE role was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_DELETED_ROLE_GRANTEE; Category: Change Notification | UNIX (226454) | Title: Deleted role grantee; Description: The Sybase ASE role grantee was deleted after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Users to check (UNIX)

This option lets you create name lists of the Sybase users and Sybase database groups that are included in the Group members check.

Group members (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the group members. Use the name list to include or exclude the databases for this check.

The following table lists the message for the check.

Table 2-67 Message for Group members

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GROUP_MEMBER; Category: Policy Compliance | UNIX (226456) | Title: Group member; Description: The Sybase ASE database group member. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

New groups (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the database groups and members that were added to the database after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.

The following table lists the messages for the check.

Table 2-68 Messages for New groups

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NEW_GROUP; Category: Change Notification | UNIX (226457) | Title: New database group; Description: The Sybase ASE database group was added after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_NEW_GROUP_MEMBER; Category: Change Notification | UNIX (226458) | Title: New group member; Description: The Sybase ASE database group member was added after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

New roles (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the roles and the grantees that were added to the database after the last snapshot update. Use the name list to specify the role names that should be included or excluded from this check.

The following table lists the messages for the check.


Table 2-69 Messages for New roles

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NEW_ROLE; Category: Change Notification | UNIX (226451) | Title: New role; Description: The Sybase ASE role was added after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_NEW_ROLE_GRANTEE; Category: Change Notification | UNIX (226452) | Title: New role grantee; Description: The Sybase ASE role grantee was added after the last snapshot update. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |
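The snapshot comparison behind the Deleted roles and New roles checks, sketched as an added Python example; it is not ESM's code. The {role: grantees} snapshot layout, the treatment of an empty name list, the info text and the sample role and login names are assumptions; the message IDs and severity are the ones listed in Tables 2-66 and 2-69.

```python
from dataclasses import dataclass

# String IDs and numeric IDs from Tables 2-66 and 2-69; all four are severity yellow-2.
MESSAGES = {
    "new_role": ("ESM_SYBASE_NEW_ROLE", 226451),
    "new_grantee": ("ESM_SYBASE_NEW_ROLE_GRANTEE", 226452),
    "deleted_role": ("ESM_SYBASE_DELETED_ROLE", 226453),
    "deleted_grantee": ("ESM_SYBASE_DELETED_ROLE_GRANTEE", 226454),
}


@dataclass(frozen=True)
class Finding:
    string_id: str
    numeric_id: int
    severity: str
    info: str  # rendered with the "[%s]" Information Field Format


def in_scope(role, names, include):
    """Name-list filter. Assumption: an empty list puts every role in scope."""
    if not names:
        return True
    return (role in names) if include else (role not in names)


def diff_roles(snapshot, current, names=(), include=True):
    """Compare two {role: set_of_grantees} maps and list what changed."""
    findings = []

    def emit(kind, text):
        string_id, numeric_id = MESSAGES[kind]
        findings.append(Finding(string_id, numeric_id, "yellow-2", "[%s]" % text))

    for role in sorted(set(snapshot) | set(current)):
        if not in_scope(role, names, include):
            continue
        if role not in snapshot:
            emit("new_role", role)
        elif role not in current:
            emit("deleted_role", role)
        old = snapshot.get(role, set())
        new = current.get(role, set())
        # Assumption: grantees of an added or dropped role are reported too.
        for grantee in sorted(new - old):
            emit("new_grantee", "%s: %s" % (role, grantee))
        for grantee in sorted(old - new):
            emit("deleted_grantee", "%s: %s" % (role, grantee))
    return findings


def update_snapshot(snapshot, current, names=(), include=True):
    """Accept in-scope changes into the baseline; other roles keep their old entry."""
    updated = {}
    for role in set(snapshot) | set(current):
        source = current if in_scope(role, names, include) else snapshot
        if role in source:
            updated[role] = set(source[role])
    return updated


# Constructed sample data: the baseline from the last snapshot update, then the live state.
SNAPSHOT = {"sa_role": {"sa", "jdoe"}, "oper_role": {"ops1"}}
CURRENT = {"sa_role": {"sa", "batch_svc"}, "audit_reader_role": {"jdoe"}}

if __name__ == "__main__":
    for f in diff_roles(SNAPSHOT, CURRENT):
        print(f.numeric_id, f.string_id, f.severity, f.info)
    # Excluding sa_role hides the swap of jdoe for batch_svc on that role.
    print(len(diff_roles(SNAPSHOT, CURRENT, names={"sa_role"}, include=False)))
```

A role left out by the name list is also left out of the snapshot update, so its drift is reported the next time it is brought back into scope.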

Role grantees (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the role grantees. Use the role list to include or exclude the roles for this check.

The following table lists the message for the check.


Table 2-70 Message for Role grantees

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_ROLE_GRANTEE; Category: Policy Compliance | UNIX (226461) | Title: Role grantee; Description: The Sybase ASE role grantee. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Role status (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the roles and the status. Use the role list to include or exclude the roles for this check.

The following table lists the message for the check.

Table 2-71 Message for Role status

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_ROLE_STATUS; Category: Policy Compliance | UNIX (226450) | Title: Role status; Description: The Sybase ASE role status information. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Servers to check (UNIX)

Module: Sybase ASE Roles and Groups

Use the name list to specify the servers for exclusion or inclusion for all the Sybase ASE Roles security checks.

Accounts to check (UNIX)

Module: Sybase ASE Roles and Groups

Use this check to include or exclude the login accounts for the Granted prohibited roles check.

Granted prohibited roles (UNIX)

Module: Sybase ASE Roles and Groups

This check reports the accounts that have been granted specified roles. Use the name list to include or exclude the prohibited roles that the check should report on.

The following table lists the message for the check.

Table 2-72 Message for Granted prohibited roles

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_PROHIBIT_ROLE; Category: Policy Compliance | UNIX (226462) | Title: Granted Prohibited roles; Description: The prohibited roles should not be granted to all accounts. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |

Groups and group members to check (UNIX)

This check reports the unauthorized combination of database, groups, and group members as specified in the Sybase ASE Groups and group members templates.

This check uses the Sybase ASE groups and group members template.

The following table lists the messages for the check.


Table 2-73 Messages for Groups and group members to check

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GUM_GREEN_LEVEL; Category: Policy Compliance | UNIX (226463) | Title: Group member record (Green level); Description: The Sybase ASE group member record matches a green level template entry. | Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_GUM_YELLOW_LEVEL; Category: Policy Compliance | UNIX (226464) | Title: Group member record (Yellow level); Description: The Sybase ASE group member record matches a yellow level template entry. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_SYBASE_GUM_RED_LEVEL; Category: Policy Compliance | UNIX (226465) | Title: Group member record (Red level); Description: The Sybase ASE group member record matches a red level template entry. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

About the Sybase ASE Discovery module

The checks in the Sybase ASE Discovery module automate the detection and configuration of new Sybase ASE servers that are not yet configured on the ESM agent computers. The Sybase ASE Discovery module also detects and automatically removes the deleted Sybase ASE servers from the /esm/config/SybaseModule.dat configuration file.

Detect new database server (UNIX)

Module: Sybase ASE Discovery

This check reports the Sybase ASE servers that are newly detected on the ESM agent computers and that were not configured earlier.

The following table lists the message for the check.

Table 2-74 Message for Detect new database server

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NEW_DB_SERVER_ADDED; Category: ESM Administrative Information | UNIX (226832) | Title: Added new database server; Description: The ESM SYBASE Discovery module has detected a new database server. The module by using the generic credentials has added the configuration record of the newly detected database server in the configuration file. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_ADD_DB_SERVER_FAILED; Category: ESM Administrative Information | UNIX (226833) | Title: Failed to add new database server; Description: The ESM SYBASE Discovery module by using the generic credentials has failed to add the configuration record of the newly detected database server in the configuration file. Either invalid logon credentials are used or the database server is not running. Use the Correct option and enter the custom credentials to configure the newly detected database server. | Severity: yellow-1; Correctable: true; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |

Detect deleted database server (UNIX)

Module: Sybase ASE Discovery

This check reports the Sybase ASE servers that are deleted or unreachable but are still configured in the /esm/config/SybaseModule.dat configuration file.

The following table lists the message for the check.


Table 2-75 Message for Detect deleted database server

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DEL_DB_SERVER_DETECTED; Category: ESM Administrative Information | UNIX (226834) | Title: Deleted database server; Description: The ESM SYBASE module has detected a deleted database server on the local ESM agent computer. Use the Update option to delete the configuration information from the configuration file. | Severity: yellow-1; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |

Automatically add new database server (UNIX)

Module: Sybase ASE Discovery

This check works with the Detect new database server check. The check Automatically add new database server uses the generic credentials to automatically configure the newly detected Sybase ASE servers.

The following table lists the message for the check.


Table 2-76 Message for Automatically add new database server

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NEW_DB_SERVER_DETECTED; Category: ESM Administrative Information | UNIX (226831) | Title: New Database Server; Description: The ESM Sybase Discovery module has detected a new database server on the local ESM agent computer. To configure the newly detected database server, use the Update option to configure the database server with generic credentials. Else, use the Correct option to provide the appropriate logon credentials. | Severity: yellow-1; Correctable: true; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s |

Automatically remove deleted database server (UNIX)

Module: Sybase ASE Discovery

This check works with the Detect deleted database server check to automatically remove the deleted or the unreachable Sybase ASE server records from the /esm/config/SybaseModule.dat configuration file.

The following table lists the message for the check.


Table 2-77 Message for Automatically remove deleted database server

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DEL_DB_SERVER_DETECTED; Category: ESM Administrative Information | UNIX (226834) | Title: Deleted database server; Description: The ESM SYBASE module has detected a deleted database server on the local ESM agent computer. Use the Update option to delete the configuration information from the configuration file. | Severity: yellow-1; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s |

Validate configuration (UNIX)

Module: Sybase ASE Discovery

This check validates the entries of the configuration records for successful connection and assigned roles. The Sybase ASE Discovery module automatically corrects the accounts, if the generic credential that is used is sa and the configuration record entry is SYMESMDBA.

The following table lists the message for the check.

Table 2-78 Message for Validate configuration

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_CREDENTIALS_VERIFIED; Category: ESM Administrative Information | UNIX (226836) | Title: Server validation successful; Description: The configuration record for the database server has been successfully verified. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_CREDENTIALS_FAILED; Category: ESM Administrative Information | UNIX (226837) | Title: Sybase validation failed; Description: The validation of configuration record for the database server failed. Use the Correct option to reconfigure the ESM user account. | Severity: yellow-1; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_CREDENTIALS_RECTIFIED; Category: ESM Administrative Information | UNIX (226838) | Title: Sybase server credentials rectified; Description: The configuration record for the database server has been rectified. | Severity: yellow-1; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_CREDENTIALS_ROLES_FAILED; Category: ESM Administrative Information | UNIX (226839) | Title: Sybase server credentials roles validation failed; Description: The ESM user account is not configured with the roles sa_role and sso_role (or as specified in esmsybaseenv.dat). Use the Correct option to assign the required roles. | Severity: yellow-1; Correctable: true; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s |


Troubleshooting

This chapter includes the following topics:

■ Encryption exception

■ RDL error

■ LiveUpdate error

Encryption exception

An error may display when you run a policy asking you to reconfigure the module.

Table 3-1 lists the error message that is displayed and the solution for the error.

Table 3-1 Encryption exception

| Error | Solution |
|---|---|
| Encryption exception | This error may occur if you have set SSLConfigure=0 after configuring the Sybase ASE module. Or, if you have renamed or deleted the AESConfigSYB.dat file. To solve this problem, you need to reconfigure the Sybase ASE module. If you want to generate logs for encryption, add Debugon=1 in the AESConfigSYB.dat file from the esm\config folder. It generates SYBASEdebuglog.log in the esm\system\<platform> folder. |


RDL error

The following list contains the RDL 6.5.3 error and its solution:

Table 3-2 lists the RDL message that is displayed and the solution for the error.

Table 3-2 RDL error

| Error | Solution |
|---|---|
| If you have ESM modules for Sybase ASE and RDL 6.5.3 installed on the same computer, the RDL database does not get populated with correct module IDs of the Sybase modules. | Upgrade RDL 6.5.3 to RDL 6.5.3 SP2. |

LiveUpdate error

The following two entries appear in the Agent Properties dialog box of the Console, if you are updating an agent from 3.0.0 to 3.1.0 using LiveUpdate:

3.1.0 ESM_SYBASE

3.0.0 ESM_Sybase

To solve this issue, remove the 3.0.0 LiveUpdate entries from the following two files:

■ Manifest.xml

■ Agent app.dat

Note: The LiveUpdate error occurs only on the ESM 9.0.1 agent. You must run the policy again to view the changes.
