symantecenterprisesecurity modules for ibm db2 databases ...s_guide_3.0_windows.pdf ·...
TRANSCRIPT
Symantec Enterprise SecurityManager™ Modules for IBMDB2 Databases (Windows)User’s Guide 3.0
Release for Symantec ESM 6.5.x and9.0 for Windows
Symantec Enterprise Security Manager Modules forIBM DB2 Databases Windows User’s Guide 3.0
The software described in this book is furnished under a license agreement andmay be usedonly in accordance with the terms of the agreement.
Legal NoticeCopyright©2009Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,ActiveAdmin, BindView, bv-Control, Enterprise Security Manager, and LiveUpdate aretrademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use,copying, distribution, and decompilation/reverse engineering. No part of this documentmay be reproduced in any form by any means without prior written authorization ofSymantec Corporation and its licensors, if any.
THEDOCUMENTATIONISPROVIDED“ASIS”ANDALLEXPRESSORIMPLIEDCONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TOBELEGALLYINVALID.SYMANTECCORPORATIONSHALLNOTBELIABLEFORINCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINEDIN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software andDocumentation are deemed to be commercial computer softwareas defined in FAR12.212 and subject to restricted rights as defined in FARSection 52.227-19"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, “Rights inCommercial Computer Software or Commercial Computer Software Documentation”, asapplicable, and any successor regulations. Any use, modification, reproduction release,performance, display or disclosure of the Licensed Software andDocumentation by theU.S.Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation20330 Stevens Creek Blvd.Cupertino, CA 95014
http://www.symantec.com
Technical SupportSymantec Technical Support maintains support centers globally. TechnicalSupport’s primary role is to respond to specific queries about product featuresand functionality. TheTechnical Support group also creates content for our onlineKnowledge Base. The Technical Support group works collaboratively with theother functional areas within Symantec to answer your questions in a timelyfashion. For example, theTechnical Support groupworkswithProductEngineeringand Symantec Security Response to provide alerting services and virus definitionupdates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the rightamount of service for any size organization
■ Telephone and Web-based support that provides rapid response andup-to-the-minute information
■ Upgrade assurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week
■ Advanced features, including Account Management Services
For information about Symantec’sMaintenance Programs, you can visit ourWebsite at the following URL:
www.symantec.com/techsupp/
Contacting Technical SupportCustomerswith a currentmaintenance agreementmay access Technical Supportinformation at the following URL:
www.symantec.com/techsupp/
Before contacting Technical Support, make sure you have satisfied the systemrequirements that are listed in your product documentation. Also, you should beat the computer onwhich theproblemoccurred, in case it is necessary to replicatethe problem.
When you contact Technical Support, please have the following informationavailable:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registrationIf yourSymantecproduct requires registrationor a licensekey, access our technicalsupport Web page at the following URL:
www.licensing.symantec.com
Customer serviceCustomer service information is available at the following URL:
www.symantec.com/techsupp/
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and maintenance contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Maintenance agreement resourcesIf you want to contact Symantec regarding an existing maintenance agreement,please contact the maintenance agreement administration team for your regionas follows:
[email protected] and Japan
[email protected], Middle-East, and Africa
[email protected] America and Latin America
Additional enterprise servicesSymantec offers a comprehensive set of services that allow you tomaximize yourinvestment in Symantec products and to develop your knowledge, expertise, andglobal insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
These solutions provide early warning of cyber attacks, comprehensive threatanalysis, and countermeasures to prevent attacks before they occur.
SymantecEarlyWarningSolutions
These services remove the burdenofmanaging andmonitoring security devicesand events, ensuring rapid response to real threats.
Managed Security Services
Symantec Consulting Services provide on-site technical expertise fromSymantec and its trustedpartners. SymantecConsultingServices offer a varietyof prepackaged and customizable options that include assessment, design,implementation,monitoring, andmanagement capabilities. Each is focused onestablishing andmaintaining the integrity and availability of your IT resources.
Consulting Services
Educational Services provide a full array of technical training, securityeducation, security certification, and awareness communication programs.
Educational Services
To access more information about Enterprise services, please visit our Web siteat the following URL:
www.symantec.com
Select your country or language from the site index.
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Chapter 1 Introducing Symantec ESM Modules for IBM DB2Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
About the Symantec ESM Modules for IBM DB2 Databases ... . . . . . . . . . . . . . . . . . 9What you can do with ESM DB2 modules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Where you can get more information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 2 Installing Symantec ESM Modules for IBM DB2Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
System requirements ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Minimum account privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Installing the ESM DB2 module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Silently installing the ESM DB2 module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Configuration of the ESM DB2 Remote module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
About editing the configuration records ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Silently configuring the ESM DB2 Remote module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . 18About creating a baseline snapshot ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Configuring the IBM DB2 Database by using the ESM DB2 Discovery
module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Configuring a new IBM DB2 database .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Configuring IBM DB2 with generic credentials ... . . . . . . . . . . . . . . . . . . . . . . . . . . 20Reusing generic credentials of an IBM DB2 database .... . . . . . . . . . . . . . . . . . 20Removing deleted databases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 3 Understanding the ESM DB2 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About the ESM DB2 Discovery module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Detect New Database .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Detect Deleted Database .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Automatically Add New Database .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Automatically Remove Deleted Database .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
About the ESM DB2 Audit Configuration module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Auditing enabled .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Event types ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Contents
Audit Database Events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Audit Miscellaneous Events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32DB2 Copies ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Other Audit Settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
About the ESM DB2 Fix Packs module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Template files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Installed Fix Packs ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41DB2 Copies ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
About the ESM DB2 Remote module ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41DB2 Database Aliases ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Authentication from the Server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42DB2 Version and OS .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Discovery mode .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42System authorities ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Database privileges ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 4 Logging functionality on the ESM DB2 modules . . . . . . . . . . 61
About the Logging functionality on the ESM DB2 modules ... . . . . . . . . . . . . . . . . 61About the log levels of the messages ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Creating the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Parameters of the configuration file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63About log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Format of the log file ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65About the backup of logs ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Chapter 5 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Encryption exception .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67ESM DB2 Remote module errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Contents8
Introducing Symantec ESMModules for IBM DB2Databases
This chapter includes the following topics:
■ About the Symantec ESM Modules for IBM DB2 Databases
■ What you can do with ESM DB2 modules
■ Where you can get more information
About the Symantec ESM Modules for IBM DB2Databases
Symantec Enterprise Security Manager (ESM) Modules for IBM DB2 Databasesextends Symantec ESM beyond securing the operating system to securingmission-critical e-business components.Thesemodulesprotect IBMDB2Databasesfromknownsecurity vulnerabilities. Themodules introducenew, database-specificexecutables and content, including modules to check audit configuration, fixpacks, authenticationmethods, currentDB2versionandUnauthorizedAuthoritiesor privileges.
Working within the framework of Symantec ESM, the industry's mostcomprehensive solution for discovering security vulnerabilities, Symantec ESMModules for IBM DB2 Databases eases the administrative burden of measuringthe effectiveness of enterprise security policies and enforcing compliance.
This product installs on Windows 2000, Windows Server 2003, Windows 2008,Solaris SPARC, IBM AIX, and Red Hat Enterprise Linux servers. With these
1Chapter
modules, Symantec ESM's centralized security scanning and integrated reportingcapabilities can be used to automate security evaluations and policy enforcementfor any IBM DB2 8.2, 9.1, 9.5, and 9.7 databases that runs on your network.
What you can do with ESM DB2 modulesYou can use Symantec ESM modules to report on the complaince of the yourcomputer's security policies. You can use Symantec ESM Modules for IBM DB2Databases in the same way that you use other Symantec ESM modules:
■ Configure the application module to report on the IBM DB2 instances anddatabases
■ Create a Symantec ESM policy using one or more DB2 modules
■ Configure the new policy
■ Configure applicable templates
■ Run the policy
■ Review the policy run results to compare the results with the your Enterprisesecurity policies.
The ESM DB2 Remote module uses the configuration information that is storedin the /esm/configDB2Module.dat file.
Where you can get more informationSee “Using policies, templates, snapshots, and modules” in the latest version ofyour SymantecEnterprise SecurityUser’sGuide and “Reviewing policies,modules,andmessages” in the latest version of your Symantec ESMSecurityUpdateUser’sGuide formore information about Symantec ESMmodules. Formore informationonSymantecESMSecurityUpdates seeSymantecEnterpriseSecurityUser’sGuide.
For more information on Symantec ESM, Symantec ESM Security Updates, andSymantecESMsupport for databaseproducts, see theSymantecSecurityResponseWeb site at http://securityresponse.symantec.com
Introducing Symantec ESM Modules for IBM DB2 DatabasesWhat you can do with ESM DB2 modules
10
Installing Symantec ESMModules for IBM DB2Databases
This chapter includes the following topics:
■ System requirements
■ Minimum account privileges
■ Installing the ESM DB2 module
■ Silently installing the ESM DB2 module
■ Configuration of the ESM DB2 Remote module
■ Silently configuring the ESM DB2 Remote module
■ About creating a baseline snapshot
■ Configuring the IBM DB2 Database by using the ESM DB2 Discovery module
System requirementsTable 2-1 lists the supported IBM DB2 versions and operating systems that ESMApplication modules are installed on.
2Chapter
Table 2-1 Supported DB2 versions and operating systems
Supported IBMDB2 versions
Supported OSversions
ArchitectureSupportedoperatingsystems
9.1, 9.5, and 9.7Windows Server2008
x86Windows (32-bit)
8.1, 8.2 , 9.1, 9.5,and 9.7
Windows Server2003
x86Windows (32-bit)
8.1, 8.2, and 9.1Windows Server2000
x86Windows (32-bit)
Note: You must have a IBM DB2 client application and IBM DB2 server installedon the same computer where you plan to install the ESM DB2 module.
Note: The Symantec ESM Application modules for DB2 are supported only on theEnterprise Server Edition for the IBM DB2 databases.
Table 2-2 lists the supported IBM DB2 versions and operating systems on whichthe ESM DB2 Database module can report remotely.
Table 2-2 Supported DB2 versions and operating systems
Supported IBMDB2versions
Supported OSversions
ArchitectureSupportedoperating systems
8.1, 8.2, 9.1, 9.5, and9.7
4 and 5x86Red Hat EnterpriseLinux ES (32-bit)
8.1, 8.2, 9.1, and 9.54x64Red Hat EnterpriseLinux ES (64-bit)
8.1, 8.2, 9.1, and 9.54x86Red Hat EnterpriseLinux AS (32-bit)
8.1, 8.2, and 9.15.2RS6KAIX (32-bit)
8.2, 9.1, 9.5, and 9.75.3 and 6.1PPC64AIX (64-bit)
8.2, 9.1, 9.5, and 9.79 and 10SPARCSun Solaris
8.1, 8.2, 9.1, 9.5, and9.7
Windows Server2003
x86, Itanium, andOpteron and EM64T
Windows (32-bit,64-bit, and IA64-bit)
Installing Symantec ESM Modules for IBM DB2 DatabasesSystem requirements
12
Table 2-2 Supported DB2 versions and operating systems (continued)
Supported IBMDB2versions
Supported OSversions
ArchitectureSupportedoperating systems
9.1, 9.5, and 9.7Windows Server2008
x86, Itanium, andOpteron and EM64T
Windows (32-bit,64-bit, and IA64-bit)
To install Symantec ESM modules for IBM DB2 Databases, you must have thefollowing free disk space:
Table 2-3 Disk space requirements
Disk spaceAgent operating system
15 MBWindows 2008 (x86)
15 MBWindows Server 2000 (x86)
15 MBWindows 2003 (x86)
Minimum account privilegesThe ESM DB2 Remote module, the login accounts need minimum privileges toexecute the following commands for performingESMsecurity checks on IBMDB2server:
■ Select syscat.dbauth
■ Get database manager configuration
■ Get database configuration for <db>
Note: No specific account privileges are required for the ESM DB2 AuditConfiguration and the ESM DB2 Fix Packs modules to work on Windows.
Installing the ESM DB2 moduleYou can install the ESM DB2 module using esmdb2tpi.exe.
The installation program does the following:
■ Extracts and installs module executables and configuration (.m) files and thetemplate files.
■ Registers the .mand template files using the register.exe programon the agent.
13Installing Symantec ESM Modules for IBM DB2 DatabasesMinimum account privileges
To run the installation program and register the files
1 From the product disc, run\\DATABASES\DB2\Modules\<architecture>\esmdb2tpi.exe.
2 Choose one of the following option:
To display the contents of the package.Option 1
To install the module, rerunesmdb2tpi.exe and select option 2.
Option 2
3 The 'Do you wish to register the template or .m files?' message appears. Doone of the following:
■ If the files are not registered with the manager, type Y.
■ If the files have already been registered, type N and skip to “To enablesecurity checking for your IBM DB2 databases.”
4 Enter the ESM manager that the agent is registered to.
Usually, it is the name of the computer that the manager is installed on.
5 Enter the ESM access name (logon name) for the manager.
6 Enter the ESM password that is used to log on to the ESM manager.
7 Enter the network protocol that is used to contact the ESM manager.
8 Enter the port that is used to contact the ESM Manager. The default port is5600.
9 Enter the name of the agent as it is registered to the ESM manager.
Usually, it is the name of the computer that the agent is installed on.
10 The 'Is this information correct?' message appears. Do one of the following:
■ Type Y, the installation continues to extract the files.
■ TypeN, the installation prompts to enter the ESMmanager that the agentis registered to.
When the extraction is complete, you are prompted to add configurationrecords to enable the ESM security checking for your IBM database.
11 The 'Continue and add configuration records to enable ESMsecurity checkingfor your DB2 database? [yes]' appears. Do one of the following:
■ Type Y, to install the ESM DB2 module on the agent computer.
■ Type N, the program installation continues without configuration.
Installing Symantec ESM Modules for IBM DB2 DatabasesInstalling the ESM DB2 module
14
Note: You should register the template and the .m files once for the agents thatuse the same manager on the same operating system.
If you have typed Y, the installation program reads the existing configurationrecords and displays them.
To enable security checking for your IBM DB2 databases
1 The installation displays the existing records from the configuration file.Choose one of the following:
To manually create a new configurationrecord for an undetected database.
Option 1
To modify or remove an existingconfiguration record.
Option 2
To exit the configuration.Option 3
2 To add a configuration record for the database, do the following:
■ Enter the DB2 Alias\Database name. Press Enter if you are satisfied withthe detected alias.
■ DB2 Node\Instance name.
■ Enter the DB2 database login.
■ Enter the password that is used to log on to the IBM database.
■ Re-enter the password.
The ESM DB2 module searches for the installation path. If the module isunable to find the installation path, the module reports a 'Setup is unable tofind the Installation Path. Please enter. DB2 Installation path." message.Re-enter the correct Installation path.
3 The 'Is this information correct?' message appears. Do one of the following:
■ Type Y to continue and add configuration records to enable the ESMsecurity checking for your DB2 database.
■ Type N to re-enter the connection information.
4 The ‘Would you like to validate the connection with the database?' messageappears. Do one of the following:
■ Type Y to connect to a database and validate the connection.
■ Type N to add the configuration records directly in the configuration filewithout validating the connection.
15Installing Symantec ESM Modules for IBM DB2 DatabasesInstalling the ESM DB2 module
5 If the validation fails, the 'Would you still like to add this record to theconfiguration file' message appears. Do one of the following:
■ Type Y to add the record in the configuration file without validating theconfiguration records.
■ Type N, the program lists all the configuration records and promptingyou to choose one of the options.
6 After you have created configuration records for each database, the programlists all of the configuration records. Choose one of the following options:
To manually create a new configurationrecord for an undetected database.
Option 1
To modify or remove an existingconfiguration record.
Option 2
To exit the configuration.Option 3
Note:The encryption that is used to store the credentials is 256-bit AES encryptionalgorithm.
Silently installing the ESM DB2 moduleYou can use the esmdb2.tpi to install the ESM DB2 module silently.
esmdb2.tpi -it -m <Manager Name> -U <Username> -p <5600> -P <password>- g<Agent Name> -e
Table 2-4 lists the command-line options for installing the ESM DB2 modulesilently
Table 2-4 Options to install the ESM DB2 module silently
DescriptionOption
Install this tune-up/third-party package.-I
Display the description and contents of this tune-up/third-partypackage.
-d
Specify the ESM access record name.-U
Do not execute the before and after executables (installation withoutconfiguration).
-e
Installing Symantec ESM Modules for IBM DB2 DatabasesSilently installing the ESM DB2 module
16
Table 2-4 Options to install the ESM DB2 module silently (continued)
DescriptionOption
Specify the TCP port to use.-p
Specify the ESM access record password.-P
Specify the ESM manager name.-m
Connect to the ESM manager by using TCP.-t
Specify the ESM agent name to use for registration.-g
Do not prompt for and do the re-registration of the agents.-K
Update the report content file on the manager.-Y
Configuration of the ESM DB2 Remote moduleAfter installing the ESMDB2module, you can edit the configuration records usingthe DB2Setup.exe. A configuration record is created for each database alias whenyou enable security checking during installation.
Note: You do not have to configure the ESM DB2 module for the ESM DB2 AuditConfiguration and Fix Pack modules.
About editing the configuration recordsYou can add, modify, or remove the configuration records for the IBM DB2databases byusing theDB2Setup.exe program. Bydefault, DB2Setup.exe is locatedin the \\<InstallDir> \ESM\bin\<platform>\directory.
Run DB2Setup.exe on the ESM DB2 modules with the following options:
Table 2-5 lists the options for configuring the ESM DB2 modules
Table 2-5 Options for configuring the ESM DB2 modules
TypeTo silently configure the ESM DB2Remote modules that are installed onWindows
DB2Setup -hDisplay Help
DB2Setup -cCreate configuration records for detectedIBM DB2 databases.
17Installing Symantec ESM Modules for IBM DB2 DatabasesConfiguration of the ESM DB2 Remote module
Table 2-5 Options for configuring the ESM DB2 modules (continued)
TypeTo silently configure the ESM DB2Remote modules that are installed onWindows
DB2Setup -aAdd new configuration records forundetected IBM DB2 databases.
DB2Setup -mModify or remove existing IBMDB2databaseconfiguration records.
DB2Setup -lList existing DB2 database configurationrecords.
DB2Setup -if <file name> -of <file name>Setup reads from the input file other thandefault file\\InstallDirectory\esm\config\DB2Module.dat.
This option works in collaboration with -ofoption.
DB2Setup -of <file name>Specify a new output file for the IBM DB2database configuration records. The defaultfile is\\InstallDirectory\esm\config\DB2Module.dat.
Silently configuring the ESM DB2 Remote moduleYou can use the DB2Setup.exe to configure the ESMDB2Remotemodule silently.
Use the following option to configure the ESM DB2 Remote module silently:
Table 2-6 lists the options for configuring the ESM DB2 Remote module silently
Table 2-6 Options to configure the ESM DB2 Remote module silently
DescriptionOptions
Silently configure the DB2 Remote module.-q
Specify the database name.-D
Specify the instance name.-I
Specify the username.-U
Specify to validate the connection to theDB2databasewith the given instance name, username, and password.
-V
Installing Symantec ESM Modules for IBM DB2 DatabasesSilently configuring the ESM DB2 Remote module
18
About creating a baseline snapshotTo establish a baseline for ESM DB2 module security checks, create a new ESMDB2 remote policy with snapshot-related checks enabled. Running this policycreates snapshots of the current account information that you can update whenyou run checks for new, deleted, or modified information.
Run themodule one time to create the snapshots, then rerun themodule to detectchanges between policy runs.
After running a policy, to update the snapshots directly from messages in thePolicy Run report, do one of the following:
■ Right-click on a modified message
■ Right-click on a deleted message
■ Right-click on a new report message
Configuring the IBM DB2 Database by using the ESMDB2 Discovery module
The ESM DB2 Discovery module includes four checks that let you automate thedetection and configuration of new databases that are not yet configured on thelocal ESMagent computers.Moreover, the checks also detect the deleted databasesand let you remove the deleted databases from the \\ProgramFiles\Symantec\ESM\config\DB2Module.dat configuration file.
Configuring a new IBM DB2 databaseTo report on the IBM DB2 database you should first configure the IBM DB2database on an ESM agent computer.
To configure a new IBM DB2 database manually
1 Run the ESM DB2 Discovery module on the ESM agent computers that haveIBM DB2 installed.
The module lists all the new databases that were not previously configured.
2 Select multiple databases and do one of the following:
■ Right-click and select Correction option.The Correction option configures the databases with custom credentials.
■ Right-click and select Snapshot Update option.
19Installing Symantec ESM Modules for IBM DB2 DatabasesAbout creating a baseline snapshot
The Snapshot Update option configures the database with genericcredentials. Before you select the Snapshot Update option, you shouldfirst configure the generic credentials.See “Configuring IBM DB2 with generic credentials” on page 20.
To configure a new IBM DB2 database automatically
1 Enable the check 'Automatically add new database.'
The check uses the generic credentials to configure the newly discovereddatabase entry in the \\ProgramFiles\Symantec\ESM\config\DB2Module.datconfiguration fileautomatically.
If the connection attempt fails then themodule returns a correctablemessage.
2 To use the Correctable option, do the following:
■ Right-click on the message
■ Choose Correction option
■ Enter custom credentialsTheDB2Discoverymodule uses these credentials and attempts to connectand adds the configuration record in the configuration file after eachsuccessful connection.
Configuring IBM DB2 with generic credentialsYou can configure a new IBM DB2 database on an ESM agent computer by usinga generic credential. The generic credential option helps you to configure acommon credential for all the IBM DB2 databases on an ESM agent computer.
To specify generic credentials
1 On the Command Prompt, type DB2SETUP.exe -G.
2 Enter the Generic Login ID: User name.
3 Enter a password for the generic login. Reconfirm the password.
4 Press Enter.
The generic credentials are configured in the \\ProgramFiles\Symantec\ESM\config\DB2Module.dat.
Reusing generic credentials of an IBM DB2 databaseIf you want to specify a common generic credential on multiple IBM DB2 serversit is not necessary to use DB2SETUP.exe -G option on every IBM DB2 server.Instead, you can use -gif and -gof options to specify a generic credential. The
Installing Symantec ESM Modules for IBM DB2 DatabasesConfiguring the IBM DB2 Database by using the ESM DB2 Discovery module
20
specified generic credential is then stored in an encrypted format in the file thatcan be reused on every IBM DB2 server. You should first specify the genericcredentials and then reuse the generic credentials.
To specify generic credentials
1 On the Command Prompt, type DB2SETUP.exe -gof <filepath>
For example: DB2Setup.exe -gof C:\pass.dat.
2 Enter the Generic Login ID: User name
3 Enter a password for the generic login. Reconfirm the password.
4 Press Enter.
Thepass.dat file is createdwith the encrypted generic credentials that are specifiedin Step 1.
To reuse generic credentials
1 Copy the pass.dat file on an IBM DB2 ESM agent computer where you wantto import the generic credentials.
2 On the Command Prompt, type DB2SETUP-gif <filepath>
For example: DB2Setup.exe -gof C:\pass.dat.
The generic credentials are imported in the \\ProgramFiles\Symantec\ESM\config\DB2Module.dat file.
Removing deleted databasesAlthough, you may have deleted an IBM DB2 database, the configurationinformation still exists in the ESMmodule. As a result, themodulewhen executedreports the deleted IBM DB2 databases as deleted databases
To remove deleted databases manually
1 Run the Discovery module on the target ESM agent computers. The modulelists all the deleted databases that were configured earlier.
2 Select multiple databases, right-click and select Snapshot Update option.
The Snapshot Update option deletes the configuration information of suchdatabases.
To remove the deleted databases automatically
◆ Enable the check ‘Automatically remove deleted databases.’
The module automatically deletes the corresponding database records fromthe \\Program Files\Symantec\ESM\config\DB2Module.dat configurationfile.
21Installing Symantec ESM Modules for IBM DB2 DatabasesConfiguring the IBM DB2 Database by using the ESM DB2 Discovery module
Installing Symantec ESM Modules for IBM DB2 DatabasesConfiguring the IBM DB2 Database by using the ESM DB2 Discovery module
22
Understanding the ESMDB2 Modules
This chapter includes the following topics:
■ About the ESM DB2 Discovery module
■ About the ESM DB2 Audit Configuration module
■ About the ESM DB2 Fix Packs module
■ About the ESM DB2 Remote module
About the ESM DB2 Discovery moduleThe ESM DB2 Discovery module includes four checks that let you automate thedetection and configuration of new databases that are not yet configured on thelocal ESM agent computers. The checks also detect the deleted databases and letyou remove the deleted databases from the \\ProgramFiles\Symantec\ESM\config\DB2Module.dat configuration file.
The module reports the instance name and the node name in the informationcolumn. If the node name for the corresponding instance is different, the modulereports the node name as: (Nodename) instance name. Else, the module displaysthe instance name.
Detect New DatabaseThis check reports the database that are newly detected on the ESM agentcomputers and that were not configured earlier in the \\ProgramFiles\Symantec\ESM\config\DB2Module.dat configuration file.
3Chapter
Even when the DB2 instance service is down the check continues to report thenewly discovered databases under the instance that is down. As the instanceservice is down you cannot connect to the database thus you cannot use thesnapshot update and correction features for the databases to add the configurationrecords.
Table 3-1 lists the message output for the Detect New Database check.
Table 3-1 Detect New Database message
SeverityTitleMessage name
yellow-1New DatabaseESM_DB2_NEW_DATABASE_DETECTED
Detect Deleted DatabaseThis check reports all thedatabases that aredeleted fromtheESMagent computersbut are still configured in the\\ProgramFiles\Symantec\ESM\config\DB2Module.dat configuration file.
If the configuration file contains any remote database, the discovery moduleignores that database when it reports the deleted databases.
If the remote databases that are registered to a node are deleted from the clientcomputer the check reports the deleted databases as deleted.
Table 3-2 lists the message output for the Detect Deleted Database check.
Table 3-2 Detect Deleted Database message
SeverityTitleMessage name
yellow-1Deleted DatabaseESM_DB2_DEL_DATABASE_DETECTED
Automatically Add New DatabaseThis check works in collaboration with the ‘Detect New Database’ check. Thischeck uses the generic credentials to automatically configure the newly detecteddatabases.
Table 3-3 lists themessage output for theAutomaticallyAddNewDatabase check.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Discovery module
24
Table 3-3 Automatically Add New Database messages
SeverityTitleMessage name
yellow-1Added New DatabaseESM_DB2_NEW_DATABASE_ADDED
yellow-1Failed to Add New DatabaseESM_DB2_ADD_DATABASE_FAILED
Automatically Remove Deleted DatabaseThis check works in collaboration with the ‘Detect Deleted Database’ check. Thischeck automatically deletes the removed database records from the \\ProgramFiles\Symantec\ESM\config\DB2Module.dat configuration file.
Table 3-4 lists themessage output for theAutomaticallyRemoveDeletedDatabasecheck.
Table 3-4 Automatically Remove Deleted Database messages
SeverityTitleMessage name
yellow-1Removed Deleted DatabaseESM_DB2_DATABASE_DELETED
About the ESM DB2 Audit Configuration moduleTheESMDB2Audit Configurationmodule reports the current audit configurationinformationand its status on the computerwhere the IBMDB2server is configured.
The ESM DB2 Audit Configuration module reports on IBM DB2 Copies.
Note: If the ESM agent has only the IBM DB2 client installed, the module reportson the audit settings of the client.
The ESM DB2 Audit Configuration module lets you generate reports based onvarious events and event types.
Auditing enabledThis check reports whether auditing is enabled on the IBM DB2 instances.
Table 3-5 lists the message output for the Auditing Enabled check.
25Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
Table 3-5 Auditing Enabled message
SeverityTitleMessage name
red-4DB2 Audit StatusESM_AUDIT_ACTIVE
Event typesThe checks that are included in the Events Types group let you specify whichtypes of events you want to audit. You can also specify whether only successfulor failed events, or both, should be logged.
Audit Failure EventsThis check reports whether the IBM DB2 databases logs error events are audited.This check is not supported on the IBM DB2 database version 9.5 and 9.7.
Table 3-6 lists the message output for the Audit Failure Events check.
Table 3-6 Audit Failure Events messages
SeverityTitleMessage name
red-4Auditing Failure EventsESM_LOG_DB2ERROR
yellow-1Auditing Failure EventsESM_LOG_ERROR_WARNING
Audit Success EventsThis check reports whether IBM DB2 databases logs success events are audited.This check is not supported on the IBM DB2 database version 9.5 and 9.7.
Table 3-7 lists the message output for the Audit Success Events check.
Table 3-7 Audit Success Events messages
SeverityTitleMessage name
red-4Auditing Success EventsESM_LOG_SUCCESS
yellow-1Audit Success eventsESM_LOG_SUCCESS_WARNING
yellow-1Audit Success eventsESM_LOG_SUCCESS_ENABLED_WARNING
Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
26
Audit Database EventsThe checks that are included in the Audit Database Events group verify whichIBM DB2 database events are audited.
Auditing Related EventsThis check reports whether the IBM DB2 databases logs audit events.
Table 3-8 lists the messages output for the Audit Auditing Related Events check.
Table 3-8 Audit Auditing Related Events messages
SeverityTitleMessage name
red-4Audit auditing relatedevents
ESM_LOG_DB2AUDIT
yellow-1Audit auditing relatedevents
ESM_LOG_AUDIT_WARNING
The following three newmessages are added to theAuditingRelatedEvents check.The check reports the messages only on the IBM DB2 database version 9.5 and9.7.
Table 3-9 lists the message output for the Audit Auditing Related Events checkon the IBM DB2 database version 9.5 and 9.7.
Table 3-9 Auditing Related Events messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Checking EventsThis check reports whether the IBM DB2 databases logs checking events.
Table 3-10 lists the message output for the Checking Events check.
27Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
Table 3-10 Checking Events messages
SeverityTitleMessage name
red-4Audit Checkingevents
ESM_LOG_CHECKING
yellow-1Audit CheckingEvents
ESM_LOG_CHECKING_WARNING
The following three new messages are added to the Checking Events check. Thecheck reports the messages only the IBM DB2 database version 9.5 and 9.7.
Table 3-11 lists the messages output for the Checking Events check on the IBMDB2 database version 9.5 and 9.7.
Table 3-11 Checking Events messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Object Maintenance EventsThis check reports whether the IBM DB2 databases logs Object Maintenanceevents.
Table 3-12 lists the messages output for Audit Object Maintenance Events check.
Table 3-12 Object Maintenance Events messages
SeverityTitleMessage name
red-4Audit ObjectMaintenance events
ESM_LOG_OBJMAINT
yellow-1Audit ObjectMaintenance events
ESM_LOG_OBJMAINT_WARNING
The following three new messages are added to the Object Maintenance Eventscheck. The check reports the messages only on the IBM DB2 database version 9.5and 9.7.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
28
Table 3-13 lists the message output for the Object Maintenance Events check onthe IBM DB2 database version 9.5 and 9.7.
Table 3-13 Object Maintenance Events messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Security Maintenance EventsThis check reports whether the IBM DB2 databases logs Security Maintenanceevents.
Table 3-14 lists the message output for the Security Maintenance Events check.
Table 3-14 Security Maintenance Events messages
SeverityTitleMessage name
red-4Audit SecurityMaintenance events
ESM_LOG_SECMAINT
yellow-1Audit SecurityMaintenance events
ESM_LOG_SECMAINT_WARNING
The following three new messages are added to the Security Maintenance Eventscheck. The check reports the messages only on the IBM DB2 database version 9.5and 9.7.
Table 3-15 lists the message output for the Security Maintenance Events checkon the IBM DB2 database version 9.5 and 9.7.
Table 3-15 Security Maintenance Events messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
29Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
System Administrator EventsThis check reportswhether IBMDB2databases logs SystemAdministrator events.
Table 3-16 lists the message output for the System Administrator Events check.
Table 3-16 System Administrator Events messages
SeverityTitleMessage name
red-4Audit SystemAdministrator events
ESM_LOG_SYSADM
yellow-1Audit SystemAdministrator events
ESM_LOG_SYSADM_WARNING
The following three newmessages are added to the SystemAdministrator Eventscheck. The check reports the messages only on the IBM DB2 database version 9.5and 9.7.
Table 3-17 lists the message output for the System Administrator Events checkon the IBM DB2 database version 9.5 and 9.7.
Table 3-17 System Administrator Events messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Validate EventsThis check reports whether IBM DB2 databases logs Validate events.
Table 3-18 lists the message output for Validate Events check.
Table 3-18 Validate Events messages
SeverityTitleMessage name
red-4Audit Validate eventsESM_LOG_VALIDATE
yellow-1Audit Validate eventsESM_LOG_VALIDATE_WARNING
Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
30
The following three new messages are added to the Validate Events check. Thecheck reports the messages only on the IBM DB2 database version 9.5 and 9.7.
Table 3-19 lists themessage output for the Validate Events check on the IBMDB2database version 9.5 and 9.7.
Table 3-19 Validate Events messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Context EventsThis check reports whether IBM DB2 databases logs Context events.
Table 3-20 lists the message output for the Audit Context Events check.
Table 3-20 Context Events messages
SeverityTitleMessage name
red-4Audit context eventsESM_LOG_CONTEXT
yellow-1Audit Context eventsESM_LOG_CONTEXT_WARNING
The following three new messages are added to the Context Events check. Thecheck reports the messages only on the IBM DB2 database version 9.5 and 9.7.
Table 3-21 lists the message output for the Context Events check on the IBM DB2database version 9.5 and 9.7.
Table 3-21 Context Events messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
31Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
Error Handling FacilityThis check reports whether the IBM DB2 databases have the audit facilityparameter set toAudit. Youhave the option to specifywhether audit facility errorsare returned to the user (AUDIT) or ignored (NORMAL).
The Error type parameter defines errors that either are returned to the user orare ignored. The following options are defined for the ERROR TYPE option:
Transactions succeed only if the appropriate audit record is writtento the audit log.
Audit
Transactions succeed regardless of the audit status. The applicationcontinues with normal processing and programmatically definedtermination.
Normal
Table 3-22 lists the message output for the Error Handling Facility check.
Table 3-22 Error Handling Facility message
SeverityTitleMessage name
red-4Audit Facility For ErrorHandling
ESM_LOG_ERRORTYPE
Audit Miscellaneous EventsThe checks that are included in theAuditMiscellaneousEvents groupverifywhichIBM DB2 database miscellaneous events are audited.
Instance Startup and ShutdownThis check reports whether IBM DB2 databases log the startup and shutdownevents of instances.
Table 3-23 lists themessage output for the Instance startup and shutdown check.
Table 3-23 Instance startup and shutdown messages
SeverityTitleMessage name
red-4Audit Instance startupand shutdown
ESM_LOG_INSTANCE_UP_DOWN
yellow-1Audit Instance startupand shutdown
ESM_LOG_INSTANCE_UP_DOWN_WARNING
Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
32
The following threenewmessages are added to the InstanceStartupandShutdowncheck. The check reports the messages only on the IBM DB2 database version 9.5and 9.7.
Table 3-24 lists themessage output for the Instance Startup and Shutdown checkon the IBM DB2 database version 9.5 and 9.7.
Table 3-24 Instance Startup and Shutdown messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Changes To Configuration ParametersThis check reports whether IBM DB2 databases log the changes made to theinstance and the database configuration parameters.
Table 3-25 lists the message output for the Changes to configuration parameterscheck.
Table 3-25 Changes to configuration parameters messages
SeverityTitleMessage name
red-4Audit changes made toinstance and databaseconfiguration parameters
ESM_LOG_DB_DBM_CFG
yellow-1Audit changes made toinstance and databaseconfiguration parameters
ESM_LOG_DB_DBM_CFG_WARNING
The following three new messages are added to the Changes To ConfigurationParameters check. The check reports themessages only on the IBMDB2 databaseversion 9.5 and 9.7.
Table 3-26 lists themessage output for the Changes ToConfiguration Parameterscheck on the IBM DB2 database version 9.5 and 9.7.
33Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
Table 3-26 Changes To Configuration Parameters messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Database Activation and DeactivationThis check reports whether IBM DB2 databases log database activation anddeactivation.
Table 3-27 lists the message output for the Database activation and deactivationcheck.
Table 3-27 Database activation and deactivation messages
SeverityTitleMessage name
red-4Audit database activationand deactivation
ESM_LOG_DB_ACT_DEACT
yellow-1Audit database activationand deactivation
ESM_LOG_DB_ACT_DEACT_WARNING
The following three new messages are added to the Database Activation andDeactivation check. The check reports themessages only on the IBMDB2databaseversion 9.5 and 9.7.
Table 3-28 lists themessage output for the Database Activation and Deactivationcheck on the IBM DB2 database version 9.5 and 9.7.
Table 3-28 Database Activation and Deactivation messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
34
Use of SYSADM, DBADM, SYSCTRL, SYSMAINTThis check reports whether IBM DB2 databases log the use of SYSADM, DBADM,SYSCTRL, SYSMAINT.
Table 3-29 lists the message out for the Use of SYSADM, DBADM, SYSCTRL,SYSMAINT check.
Table 3-29 Use of SYSADM,DBADM,SYSCTRL,SYSMAINT messages
SeverityTitleMessage name
red-4Audit Use of SYSADM,DBADM,SYSCTRL, SYSMAINT
ESM_LOG_ADMINS
yellow-1Audit Use of SYSADM,DBADM,SYSCTRL, SYSMAINT
ESM_LOG_ADMINS_WARNING
The following three new messages are added to the Use of SYSADM, DBADM,SYSCTRL, SYSMAINT check. The check reports the messages only the IBM DB2database version 9.5 and 9.7.
Table 3-30 lists the message output for the Use of SYSADM, DBADM, SYSCTRL,SYSMAINT check on the IBM DB2 database version 9.5 and 9.7.
Table 3-30 Use of SYSADM, DBADM, SYSCTRL, SYSMAINT messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Attempted Access To Restricted ObjectsThis check reports whether IBM DB2 databases log the attempted access torestricted objects defined by information owner.
Table 3-31 lists themessage output for the Attempted access to restricted objectscheck.
35Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
Table 3-31 Attempted access to restricted objects messages
SeverityTitleMessage name
red-4Audit attempted access torestricted objects defined byInformation owner
ESM_LOG_RESTRICTED_OBJ
yellow-1Audit attempted access torestricted objects defined byInformation owner
ESM_LOG_RESTRICTED_OBJ_WARNING
The following threenewmessages are added to theAttemptedAccessToRestrictedObjects check. The check reports the messages only on the IBM DB2 databaseversion 9.5 and 9.7.
Table 3-32 lists themessage output for theAttemptedAccessToRestrictedObjectscheck on the IBM DB2 database version 9.5 and 9.7.
Table 3-32 Attempted Access To Restricted Objects messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Access To Sensitive Objects and/or TablesThis check reports whether IBMDB2 databases log the access to sensitive Objectsand/or Tables defined by Information owner.
Table 3-33 lists the output message for the Access to sensitive Objects and/orTables check.
Table 3-33 Access to sensitive Objects and/or Tables messages
SeverityTitleMessage name
red-4Audit access to sensitiveObjects and/or Tablesdefined by Informationowner
ESM_LOG_SENSITIVE_OBJ
Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
36
Table 3-33 Access to sensitive Objects and/or Tables messages (continued)
SeverityTitleMessage name
yellow-1Audit access to sensitiveObjects and/or Tablesdefined by Informationowner
ESM_LOG_SENSITIVE_OBJ_WARNING
The following three new messages are added to the Access To Sensitive Objectsand/orTables check. The check reports themessages only on the IBMDB2databaseversion 9.5 and 9.7.
Table 3-34 lists the message output for the Access To Sensitive Objects and/orTables check on the IBM DB2 database version 9.5 and 9.7.
Table 3-34 Access To Sensitive Objects and/or Tables messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Unsuccessful Connection AttemptsThis check reportswhether IBMDB2databases log the non-successful connectionattempts from all users.
Table 3-35 lists the message output for the Unsuccessful connection attemptscheck.
Table 3-35 Unsuccessful connection attempts messages
SeverityTitleMessage name
red-4Audit non-successfulconnection attempts fromallusers
ESM_LOG_FAILED_CONN
yellow-1Audit non-successfulconnection attempts fromallusers
ESM_LOG_FAILED_CONN_WARNING
37Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
The following three new messages are added to the Unsuccessful ConnectionAttempts check. The check reports the messages only on the IBM DB2 databaseversion 9.5 and 9.7.
Table 3-36 lists the message output for the Unsuccessful Connection Attemptscheck on the IBM DB2 database version 9.5 and 9.7.
Table 3-36 Unsuccessful Connection Attempts messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
Administrative Functions PerformedThis check reports whether IBM DB2 databases log the administrative functionsperformedbyall users against databasepermissions granted to accounts or groups.
Table 3-37 lists the message output for the Administrative functions performedcheck.
Table 3-37 Administrative functions performed messages
SeverityTitleMessage name
red-4Audit administrativefunctions performed by allusers against databasepermissions granted toaccounts or groups
ESM_LOG_ADMIN_FNS
yellow-1Audit administrativefunctions performed by allusers against databasepermissions granted toaccounts or groups
ESM_LOG_ADMIN_FNS_WARNING
The following three new messages are added to the Administrative FunctionsPerformed check. The check reports the messages only on the IBM DB2 databaseversion 9.5 and 9.7.
Table 3-38 lists the message output for the Administrative Functions Performedcheck on the IBM DB2 database version 9.5 and 9.7.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
38
Table 3-38 Administrative Functions Performed messages
SeverityTitleMessage name
green-0Audit EnabledESM_SETTING_ENABLED
red-4Auditing DisabledESM_SETTING_DISABLED
yellow-1Auditing DisabledESM_SETTING_DISABLED_WARNING
DB2 CopiesThis check lets you include or exclude the DB2 copies that themodule reports on.By default, the module examines all the database copies that were configuredduring the DB2 installation. Use the name list in this option to specify the copiesthat are to be included or excluded. Use the name list to specify DB2V8 to includeor exclude DB2 version 8.
Other Audit SettingsThe checks that are included in the Other Audit Settings group reports on otheraudit settings.
Audit Data PathThis check reports the path that you set for the audit data. This check has beenintroduced under a new check group ‘Other Audit Settings’ and is only supportedon the IBM DB2 database version 9.5 and 9.7.
If there is no audit path set for this setting then the value appears as set to default.
Table 3-39 lists the message output for the Audit data path check.
Table 3-39 Audit Data Path message
SeverityTitleMessage name
green-0Audit Data PathESM_AUDIT_DATA_PATH
Audit Archive PathThis check reports the path that you set for the audit archive. This check has beenintroduced under a new check group ‘Other Audit Settings’ and is only supportedon the IBM DB2 database version 9.5 and 9.7.
39Understanding the ESM DB2 ModulesAbout the ESM DB2 Audit Configuration module
Note: If there is no audit Archive path set for this setting then the value appearsas set to default.
Table 3-40 lists the message output for the Audit archive path check.
Table 3-40 Audit Archive Path message
SeverityTitleMessage name
green-0Archive PathESM_AUDIT_ARCHIVE_PATH
About the ESM DB2 Fix Packs moduleThis module reports if the current ESM DB2 level on the IBM DB2 server needsto be upgraded to the latest ESM DB2 fix pack.
The ESM DB2 Fix Packs module reports on the IBM DB2 Copies.
Note: If the ESM agent has only the IBM DB2 client installed, the module reportson the client computer.
Template filesThis check reports the information on the specific template files that are to beincluded for the checks. This check compares the existing IBM DB2 level on theIBM DB2 server with the latest fix pack available in the template file and reportsthe difference.
Note: The template files have been updated with the latest fix packs released byIBM.
Table 3-41 lists the message output for the Template files check.
Table 3-41 Template files messages
SeverityNameMessage
red-4No template files specifiedDB2_TEMPLATEFILE_MISSING
red-4Required DB2 Fix Pack foryour computer
DB2_REQUIRED_FIXPACK
red-4Configuration ErrorDB2_CONFIG_ERR
Understanding the ESM DB2 ModulesAbout the ESM DB2 Fix Packs module
40
Installed Fix PacksThis check reports the fix packs that are installed on the IBM DB2 server. Thischeck also reports the details of the IBM DB2 level on the IBM DB2 server.
Table 3-42 lists the message output for the Installed Fix Pack check.
Table 3-42 Installed Fix Pack messages
SeverityNameMessage
green-0Installed DB2 Fix Pack onyour computer
DB2_INSTALLED_FIXPACK
red-4Configuration ErrorDB2_CONFIG_ERR
DB2 CopiesThis check lets you include or exclude the DB2 copies that themodule reports on.By default, the module examines all the database copies that were configuredduring the DB2 installation. Use the name list in this option to specify the copiesthat are to be included or excluded. Use the name list to specify DB2V8 to includeor exclude DB2 version 8.
About the ESM DB2 Remote moduleThe ESM DB2 Remote module includes checks that specify database aliases to bechecked, examine authentication methods, and list the current DB2 version andoperating system.
DB2 Database AliasesDuring the ESM DB2 Remote module installation, the module creates aconfiguration record to perform security check on each database. After installingthe ESM DB2 Remote module, you can use the DB2Setup.exe to add newconfiguration records.
By default, ESM examines every IBM DB2 database alias for which there exists aconfiguration record.Use the IBMDB2DatabaseAliases option to specify includedor excluded database aliases that you want to check. If the name list is empty, alldatabases are checked.
To include one or more database aliases:
1 Enter names in the name list.
2 Select Include.
41Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
To exclude one or more database aliases:
1 Enter names in the name list.
2 Select Exclude.
Note: ESM stores IBM DB2 database configuration records in the \\ProgramFiles\Symantec\ESM\config\DB2Module.dat file.
Authentication from the ServerThis check examines the way users are authenticated. Your database is mostsecure if users are authenticated from the server side rather than the client side.
Use the Authorized Setting name list to specify the authorized authenticationmethods. TheAuthorized Setting name list includes by default the recommendedauthentication methods SERVER and SERVER_ENCRYPT.
Table 3-43 lists the message for the Authentication from the Server check.
Table 3-43 Authentication from the Server message
SeverityTitleMessage name
red-4Invalid DB2 Authenticationsetting
INVALID_AUTHENTICATION_SETTING
DB2 Version and OSThis check reports the DB2 database version and operating system.
Table 3-44 lists the message for the DB2 Version and OS check.
Table 3-44 DB2 Version and OS message
SeverityTitleMessage name
green-0DB2 Version and OSDB2_VERSION_OS
Discovery modeDiscovery mode is an IBM DB2 feature that is used to gather information fromIBM DB2 servers located on a network. The ESM Modules for IBM DB2 Databasesincludes checks that verify if a server, instance, or database is running in discoverymode.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
42
Server Discovery ModeThis check examines the discovery mode setting for the IBM DB2 server.
Use the Server Discovery Mode name list to specify allowed the discovery modeaction parameters. By default, the Server Discovery Mode name list containsDISABLE and KNOWN.
After you run this check, the Policy Run report lists all discovery mode actionparameters that are not in the name list.
Table 3-45 lists the message output for the Server Discovery Mode check.
Table 3-45 Server Discovery Mode message
SeverityTitleMessage name
green-0DB2 Server Discovery ModeSERVER_DIS_MODE
Instance Discovery ModeThis check examines the discovery mode setting for IBM DB2 instances.
Use the InstanceDiscoveryMode name list to specify the allowed discoverymodeaction parameters. By default, the Instance Discovery Mode name list containsDISABLE.
After you run this check, the Policy Run report lists all discovery mode actionparameters that are not in the name list.
Table 3-46 lists the message output for the Instance Discovery Mode check.
Table 3-46 Instance Discovery Mode message
SeverityTitleMessage name
green-0DB2 Instance DiscoveryMode
INSTANCE_DIS_MODE
Database Discovery ModeThis check examines the discovery mode setting for IBM DB2 databases.
Use theDatabaseDiscoveryModename list to specify the alloweddiscoverymodeaction parameters. By default, the Database Discovery Mode name list containsDISABLE.
After you run this check, the Policy Run report lists all discovery mode actionparameters that are not in the name list.
Table 3-47 lists the message output for the Database Discovery Mode check.
43Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Table 3-47 Database Discovery Mode message
SeverityTitleMessage name
green-0DB2 Database DiscoveryMode
DATABASE_DIS_MODE
System authoritiesThe ESM DB2 Remote module lets you to maintain lists of groups and users thathave beengranted IBMDB2authorities. The checks create reports of unauthorizedgroups andusers. Themodule also includes checks that report new,modified, anddeleted groups and users that have been granted authorities.
Unauthorized Group Set in System Administrator AuthorityThis check reports groups that are granted the System Administrator Authoritybut that are not authorized to have it.
Use the Authorized Groups name list to exclude all groups that are authorized tohave the System Administrator Authority.
After you run this check, the Policy Run report lists groups that have the SystemAdministrator Authority and that are not in the Authorized Groups name list.
Table 3-48 lists the message output for the Unauthorized System AdministratorAuthority check.
Table 3-48 Unauthorized System Administrator Authority message
SeverityTitleMessage name
yellow-3Unauthorized group set forSystem AdministratorAuthority
UNAUTH_SYSADM_GROUP
Unauthorized Group Set in System Control AuthorityThis check reports groups that have been granted the System Control Authoritybut that are not authorized to have it.
Use the Authorized Groups name list to exclude all groups that are authorized tohave the System Control Authority.
After you run this check, the Policy Run report lists groups that have the SystemControl Authority and that are not in the Authorized Groups name list.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
44
Table 3-49 lists themessageoutput for theUnauthorizedSystemControlAuthoritycheck.
Table 3-49 Unauthorized System Control Authority message
SeverityTitleMessage name
yellow-3Unauthorized group set forSystem Control Authority
UNAUTH_SYSCTRL_GROUP
Unauthorized Group Set in System Maintenance AuthorityThis check reports groups that have been granted the System MaintenanceAuthority but that are not authorized to have it.
Use the Authorized Groups name list to exclude all groups that are authorized tohave the System Maintenance Authority.
After you run this check, the Policy Run report lists groups that have the SystemMaintenance Authority and that are not in the Authorized Groups name list.
Table 3-50 lists themessage for theUnauthorized SystemMaintenanceAuthoritycheck.
Table 3-50 Unauthorized System Maintenance Authority message
SeverityTitleMessage name
yellow-3Unauthorized group set forSystem MaintenanceAuthority
UNAUTH_SYSMAINT_GROUP
UnauthorizedGroup/User inDatabaseAdministrator AuthorityThis check reports groups and users that have been granted the DatabaseAdministrator Authority but that are not authorized to have it.
Use the Authorized Groups/Users name list to exclude all groups and users thatare authorized to have the Database Administrator Authority.
After you run this check, the Policy Run report lists groups and users that havetheDatabaseAdministratorAuthority and that arenot in theAuthorizedGroups/Users name list.
Table 3-51 lists the message for the Unauthorized Database AdministratorAuthority check.
45Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Table 3-51 Unauthorized Database Administrator Authority message
SeverityTitleMessage name
yellow-3Unauthorizedgroup/user setfor Database AdministratorAuthority
UNAUTH_GROUPUSER_DBADMAUTH
New Group/User in Database Administrator AuthorityThis check reports groups andusers thatwere granted theDatabaseAdministratorAuthority since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-52 lists the message for the New Group/User in Database AdministratorAuthority check.
Table 3-52 New Group/User in Database Administrator Authority message
SeverityTitleMessage name
yellow-2New group/user set forDatabase AdministratorAuthority
NEW_GROUPUSER_DBADMAUTH
If the detected user \or group is authorized to have this authority, update thesnapshot. Revoke the authority if the detected user or group is not authorized.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Deleted Group/User in Database Administrator AuthorityThis check reports groups and users that had the Database AdministratorAuthority andhad it revoked or thatwere deleted since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-53 lists the message output for the Deleted Group/User in DatabaseAdministrator Authority check.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
46
Table 3-53 Deleted Group/User in Database Administrator Authority message
SeverityTitleMessage name
yellow-2Deleted group/user set forDatabase AdministratorAuthority
DEL_GROUPUSER_DBADMAUTH
If the deletion is authorized, update the snapshot. Restore the authority if it shouldnot have been deleted.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Modified Group/User in Database Administrator AuthorityThis check reports groups and users with Database Administrator Authority“grantor” or “granteetype” changes since the last snapshot updates.
The Policy Run reports changes to the grantor and the granteetype. For example,a message might read:
grantor changed to gwashington from fdouglas
Or a message might read:
granteetype changed to user from group
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-54 lists the message output for the Modified Group/User in DatabaseAdministrator Authority check.
Table 3-54 Modified Group/User in Database Administrator Authority message
SeverityTitleMessage name
yellow-2Modified group/user set forDatabase AdministratorAuthority
MOD_GROUPUSER_DBADMAUTH
If the modification is authorized, update the snapshot. Restore the authority if itshould not have been modified.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
47Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Unauthorized Group/User in LOAD AuthorityThis check reports groups and users that were granted the LOAD Authority butthat are not authorized to have it.
Use the Authorized Groups/Users name list to exclude all groups and users thatare authorized to have the LOAD Authority.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-55 lists themessage output for the Unauthorized LOADAuthority check.
Table 3-55 Unauthorized LOAD Authority message
SeverityTitleMessage name
yellow-3Unauthorizedgroup/user setfor LOAD Authority
UNAUTH_GROUPUSER_LOADAUTH
New Group/User in LOAD AuthorityThis check reports groups and users that were granted the LOADAuthority sincethe last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-56 lists the message output for the New Group/User in LOAD Authoritycheck.
Table 3-56 New Group/User in LOAD Authority message
SeverityTitleMessage name
yellow-2Newgroup/user set forLOADAuthority
NEW_GROUPUER_LOADAUTH
If the detected user or group is authorized to have this authority, update thesnapshot. Revoke the authority if the detected user or group is not authorized.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Deleted Group/User in LOAD AuthorityThis check reports groups and users that had the LOAD Authority and had itrevoked or that were deleted since the last snapshot updates.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
48
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-57 lists themessage output for theDeletedGroup/User in LOADAuthoritycheck.
Table 3-57 Deleted Group/User in LOAD Authority message
SeverityTitleMessage name
yellow-2Deleted group/user set forLOAD Authority
DEL_GROUPUSER_LOADAUTH
If the deletion is authorized, update the snapshot. Restore the authority if it shouldnot have been deleted.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Modified Group/User in LOAD AuthorityThis check reports groups and users with LOAD Authority “grantor” or“granteetype” changes since the last snapshot updates.
The Policy Run reports changes to the grantor and the granteetype. For example,a message might read:
grantor changed to gwashington from fdouglas
Or a message might read:
granteetype changed to user from group
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-58 lists the message output for the Modified Group/User in LOADAuthority check.
Table 3-58 Modified Group/User in LOAD Authority message
SeverityTitleMessage name
yellow-2Modified group/user set forLOAD Authority
MOD_GROUPUSER_LOADAUTH
If the modification is authorized, update the snapshot. Restore the authority if itshould not have been modified.
49Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Database privilegesThe ESM DB2 Remote module lets you maintain lists of groups and users thathave IBM DB2 database privileges. The checks create reports of groups and usersthat are unauthorized to have these privileges. The module also includes checksthat report groups and users that have newly been granted database privileges,that have privileges modified, that have privileges revoked, or that have beendeleted since the last snapshot updates.
Unauthorized Group/User in BINDADD Database PrivilegeThis check reports groupsandusers thathavebeengranted theBINDADDDatabasePrivilege but that are not authorized to have it.
Use the Authorized Groups/Users name list to exclude all groups and users thatare authorized to have the BINDADD Database Privilege.
After you run this check, the Policy Run report lists groups and users that havetheBINDADDDatabasePrivilege and that are not in theAuthorizedGroups/Usersname list.
Table 3-59 lists the message output for the Unauthorized BINDADD DatabasePrivilege check.
Table 3-59 Unauthorized BINDADD Database Privilege message
SeverityTitleMessage name
yellow-3Unauthorizedgroup/user setfor BINDADD DatabasePrivilege
UNAUTH_GROUPUSER_BINDADDAUTH
New Group/User in BINDADD Database PrivilegeThis check reports groups and users that were granted the BINDADD DatabasePrivilege since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-60 lists themessage output for theNewGroup/User inBINDADDDatabasePrivilege check.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
50
Table 3-60 New Group/User in BINDADD Database Privilege message
SeverityTitleMessage name
yellow-2New group/user set forBINDADDDatabasePrivilege
NEW_GROUPUSER_BINDADDAUTH
If the detected user or group is authorized to have this privilege, update thesnapshot. Revoke the privilege if the detected user or group is not authorized.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Deleted Group/User in BINDADD Database PrivilegeThis check reports groups and users that had the BINDADD Privilege and had itrevoked or that were deleted since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-61 lists the message output for the Deleted Group/User in BINDADDPrivilege check.
Table 3-61 Deleted Group/User in BINDADD Privilege message
SeverityTitleMessage name
yellow-2Deleted group/user set forBINDADDDatabasePrivilege
DEL_GROUPUSER_BINDADDAUTH
If the deletion is authorized, update the snapshot. Restore the privilege if it shouldnot have been deleted.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Modified Group/User in BINDADD Database PrivilegeThis check reports groups and users with BINDADDDatabase Privilege “grantor”or “granteetype” changes since the last snapshot updates.
The Policy Run reports changes to the grantor and the granteetype. For example,a message might read:
grantor changed to gwashington from fdouglas
Or a message might read:
granteetype changed to user from group
51Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Table 3-62 lists the message output for the Modified Group/User in BINDADDDatabase Privilege check.
Table 3-62 Modified Group/User in BINDADD Database Privilege message
SeverityTitleMessage name
yellow-2Modified group/user set forBINDADDDatabasePrivilege
MOD_GROUPUSER_BINDADDAUTH
If the modification is authorized, update the snapshot. Restore the privilege if itshould not have been modified.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Unauthorized Group/User in CONNECT Database PrivilegeThis check reports groups and users that have been granted the CONNECTDatabase Privilege but that are not authorized to have it.
Use the Authorized Groups/Users name list to exclude all groups and users thatare authorized to have the CONNECT Database Privilege.
After you run this check, the Policy Run report lists groups and users that havethe CONNECT Database Privilege and that are not in the Authorized Groups/Users name list.
Table 3-63 lists the message output for the Unauthorized CONNECT DatabasePrivilege check.
Table 3-63 Unauthorized CONNECT Database Privilege message
SeverityTitleMessage name
yellow-3Unauthorizedgroup/user setfor CONNECT DatabasePrivilege
UNAUTH_GROUPUSER_CONNECTAUTH
New Group/User in CONNECT Database PrivilegeThis check reports groups and users that were granted the CONNECT DatabasePrivilege since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-64 lists themessage output for theNewGroup/User inCONNECTPrivilegecheck.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
52
Table 3-64 New Group/User in CONNECT Privilege message
SeverityTitleMessage name
yellow-2New group/user set forCONNECTDatabasePrivilege
NEW_GROUPUSER_CONNECTAUTH
If the detected user or group is authorized to have this privilege, update thesnapshot. Revoke the privilege if the detected user or group is not authorized.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Deleted Group/User in CONNECT Database PrivilegeThis check reports groups and users that had the CONNECT Database Privilegeand had it revoked or that were deleted since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-65 lists the message output for the Deleted Group/User in CONNECTDatabase Privilege check.
Table 3-65 Deleted Group/User in CONNECT Database Privilege message
SeverityTitleMessage name
yellow-2Deleted group/user set forCONNECTDatabasePrivilege
DEL_GROUPUSER_CONNECTAUTH
If the deletion is authorized, update the snapshot. Restore the privilege if it shouldnot have been deleted.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Modified Group/User in CONNECT Database PrivilegeThis check reports groups and userswith CONNECTDatabase Privilege “grantor”or “granteetype” changes since the last snapshot updates.
The Policy Run reports changes to the grantor and the granteetype. For example,a message might read:
grantor changed to gwashington from fdouglas
Or a message might read:
granteetype changed to user from group
53Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-66 lists the message output for the Modified Group/User in CONNECTDatabase Privilege check.
Table 3-66 Modified Group/User in CONNECT Database Privilege message
SeverityTitleMessage name
yellow-2Modified group/user set forCONNECTDatabasePrivilege
MOD_GROUPUSER_CONNECTAUTH
Unauthorized Group/User in CREATETAB Database PrivilegeThis check reports groups and users that have been granted the CREATETABDatabase Privilege but that are not authorized to have it.
Use the Authorized Groups/Users name list to exclude all groups and users thatare authorized to have the CREATETAB Database Privilege.
After you run this check, the Policy Run report lists groups and users that havethe CREATETAB Database Privilege and that are not in the Authorized Groups/Users name list.
Table 3-67 lists the message output for the Unauthorized CREATETAB DatabasePrivilege check.
Table 3-67 Unauthorized CREATETAB Database Privilege message
SeverityTitleMessage name
yellow-3Unauthorizedgroup/user setfor CREATETAB DatabasePrivilege
UNAUTH_GROUPUSER_CREATETABAUTH
New Group/User in CREATETAB Database PrivilegeThis check reports groups and users thatwere granted the CREATETABDatabasePrivilege since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-68 lists the message output for the New CREATETAB Database Privilegecheck.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
54
Table 3-68 New CREATETAB Database Privilege message
SeverityTitleMessage name
yellow-2New group/user set forCREATETAB DatabasePrivilege
NEW_GROUPUSER_CREATETABAUTH
If the detected user or group is authorized to have this privilege, update thesnapshot. Revoke the privilege if the detected user or group is not authorized.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Deleted Group/User in CREATETAB Database PrivilegeThis check reports groups and users that had the CREATETABDatabase Privilegeand had it revoked or that were deleted since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-69 lists the message output for the Deleted Group/User in CREATETABDatabase Privilege check.
Table 3-69 Deleted Group/User in CREATETAB Database Privilege message
SeverityTitleMessage name
yellow-2Deleted group/user set forCREATETAB DatabasePrivilege
DEL_GROUPUSER_CREATETABAUTH
If the deletion is authorized, update the snapshot. Restore the privilege if it shouldnot have been deleted.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Modified Group/User in CREATETAB Database PrivilegeThis check reports groupsanduserswithCREATETABDatabasePrivilege “grantor”or “granteetype” changes since the last snapshot updates.
The Policy Run reports changes to the grantor and the granteetype. For example,a message might read:
grantor changed to gwashington from fdouglas
55Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Or a message might read:
granteetype changed to user from group
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-70 lists the message output for the Modified Group/User in CREATETABDatabase Privilege check.
Table 3-70 Modified Group/User in CREATETAB Database Privilege message
SeverityTitleMessage name
yellow-2Modified group/user set forCREATETAB DatabasePrivilege
MOD_GROUPUSER_CREATETABAUTH
If the modification is authorized, update the snapshot. Restore the privilege if itshould not have been modified.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
New Group/User in CREATE_NOT_FENCED Database PrivilegeThis check reports groups andusers thatwere granted theCREATE_NOT_FENCEDDatabase Privilege since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-71 lists themessage output for theNewCREATE_NOT_FENCEDDatabasePrivilege check.
Table 3-71 New CREATE_NOT_FENCED Database Privilege message
SeverityTitleMessage name
yellow-2New group/user set forCREATE_NOT_FENCEDDatabase Privilege
NEW_GROUPUSER_NOFENCEAUTH
If the detected user or group is authorized to have this privilege, update thesnapshot. Revoke the privilege if the detected user or group is not authorized.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
56
Unauthorized Group/User in CREATE_NOT_FENCED DatabasePrivilegeThis check reports groups and users that have been granted theCREATE_NOT_FENCEDDatabase Privilege but that are not authorized to have it.
Use the Authorized Groups/Users name list to exclude all groups and users thatare authorized to have the CREATE_NOT_FENCED Database Privilege.
After you run this check, the Policy Run report lists groups and users that havethe CREATE_NOT_FENCEDDatabase Privilege and that are not in theAuthorizedGroups/Users name list.
Table 3-72 lists themessage output for theUnauthorizedCREATE_NOT_FENCEDPrivilege check.
Table 3-72 Unauthorized CREATE_NOT_FENCED Privilege message
SeverityTitleMessage name
yellow-3Unauthorizedgroup/user setfor CREATE_NOT_FENCEDDatabase Privilege
UNAUTH_GROUPUSER_NOFENCEAUTH
Deleted Group/User in CREATE_NOT_FENCED DatabasePrivilegeThis check reports groups andusers thathad theCREATE_NOT_FENCEDDatabasePrivilege and had it revoked or that were deleted since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-73 lists the message output for the Deleted CREATE_NOT_FENCEDDatabase Privilege check.
Table 3-73 Deleted CREATE_NOT_FENCED Database Privilege message
SeverityTitleMessage name
yellow-2Deleted group/user set forCREATE_NOT_FENCEDDatabase Privilege
DEL_GROUPUSER_NOFENCEAUTH
If the deletion is authorized, update the snapshot. Restore the privilege if it shouldnot have been deleted.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
57Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Modified Group/User in CREATE_NOT_FENCED DatabasePrivilegeThis check reports groups and users with CREATE_NOT_FENCED DatabasePrivilege “grantor” or “granteetype” changes since the last snapshot updates.
The Policy Run reports changes to the grantor and the granteetype. For example,a message might read:
grantor changed to gwashington from fdouglas
Or a message might read:
granteetype changed to user from group
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-74 lists the message output for the Modified CREATE_NOT_FENCEDDatabase Privilege check.
Table 3-74 Modified CREATE_NOT_FENCED Database Privilege message
SeverityTitleMessage name
yellow-2Modified group/user set forCREATE_NOT_FENCEDDatabase Privilege
MOD_GROUPUSER_NOFENCEAUTH
If the modification is authorized, update the snapshot. Restore the privilege if itshould not have been modified.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Unauthorized Group/User in IMPLICIT_SCHEMA DatabasePrivilegeThis check reports groups and users that have been granted theIMPLICIT_SCHEMA Database Privilege but that are not authorized to have it.
Use the Authorized Groups/Users name list to exclude all groups and users thatare authorized to have the IMPLICIT_SCHEMA Database Privilege.
After you run this check, the Policy Run report lists groups and users that havethe IMPLICIT_SCHEMA Database Privilege and that are not in the AuthorizedGroups/Users name list.
Table 3-75 lists the message output for the Unauthorized IMPLICIT_SCHEMADatabase Privilege check.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
58
Table 3-75 Unauthorized IMPLICIT_SCHEMA Database Privilege message
SeverityTitleMessage name
yellow-3Unauthorizedgroup/user setfor IMPLICIT_SCHEMADatabase Privilege
UNAUTH_GROUPUSER_IMPLSCHEMAAUTH
New Group/User in IMPLICIT_SCHEMA Database PrivilegeThis check reports groups and users that were granted the IMPLICIT_SCHEMADatabase Privilege since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-76 lists the message output for the New IMPLICIT_SCHEMA DatabasePrivilege check.
Table 3-76 New IMPLICIT_SCHEMA Database Privilege message
SeverityTitleMessage name
yellow-2New group/user set forIMPLICIT_SCHEMADatabasePrivilege
NEW_GROUPUSER_IMPLSCHEMAAUTH
If the detected user or group is authorized to have this privilege, update thesnapshot. Revoke the privilege if the detected user or group is not authorized.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Deleted Group/User in IMPLICIT_SCHEMA Database PrivilegeThis check reports groups and users that had the IMPLICIT_SCHEMA DatabasePrivilege and had it revoked or that were deleted since the last snapshot updates.
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-77 lists themessage output for the Deleted IMPLICIT_SCHEMADatabasePrivilege check.
59Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
Table 3-77 Deleted IMPLICIT_SCHEMA Database Privilege message
SeverityTitleMessage name
yellow-2Deleted group/user set forIMPLICIT_SCHEMADatabasePrivilege
DEL_GROUPUSER_IMPLSCHEMAAUTH
If the deletion is authorized, update the snapshot. Restore the privilege if it shouldnot have been deleted.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
ModifiedGroup/User in IMPLICIT_SCHEMADatabasePrivilegeThis check reports groups and users with IMPLICIT_SCHEMADatabase Privilege“grantor” or “granteetype” changes since the last snapshot updates.
The Policy Run reports changes to the grantor and the granteetype. For example,a message might read:
grantor changed to gwashington from fdouglas
Or a message might read:
granteetype changed to user from group
Run the module one time to create the snapshot, then rerun the module to detectchanges between policy runs.
Table 3-78 lists themessage output for theModified IMPLICIT_SCHEMADatabasePrivilege check.
Table 3-78 Modified IMPLICIT_SCHEMA Database Privilege message
SeverityTitleMessage name
yellow-2Modified group/user set forIMPLICIT_SCHEMADatabasePrivilege
MOD_GROUPUSER_IMPLSCHEMAAUTH
If the modification is authorized, update the snapshot. Restore the privilege if itshould not have been modified.
You can update the snapshot directly from the console grid by right-clicking onthe Policy Run message.
Understanding the ESM DB2 ModulesAbout the ESM DB2 Remote module
60
Logging functionality on theESM DB2 modules
This chapter includes the following topics:
■ About the Logging functionality on the ESM DB2 modules
About the Logging functionality on the ESM DB2modules
The logging feature in the ESM DB2 modules enables the ESM to log theinformation, such as errors and exceptions that amodule generates at the runtime.This feature is currently enabled for the Audit configuration, Fix pack, Remote,and Discovery modules.
About the log levels of the messagesThe log level specifies the type and criticality of a message. You can manuallycreate a configuration file and specify the log level messages that you want to belogged.
ESM checks the log level that you set in the configuration file and stores only thequalifying messages in the log file.
See “Creating the configuration file” on page 63.
You can specify the following log levels:
Disable logging for the moduleESMNOLOG
4Chapter
All critical failures are logged.
ESM always logs all critical failuresirrespective of the log level that you specifyin the configuration file. However, ifESMNOLOG is specified in the configurationfile, ESM does not log the critical failures.
ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION is the default log level andyou need not explicitly specify it in theconfiguration file.
ESMCRITICALFAILURES
All errors are logged.
The following are some examples of theerrors:
■ Template file not found
■ Configuration file not found
ESMERRORS
All exceptions are logged.ESMEXCEPTIONS
All warnings are logged.ESMWARNINGS
All information messages are logged.
The information that is gathered during apolicy run is also logged at this level.
Note: When you enable theESMINFORMATION level, the performanceof the module may be affected since all theinformation messages are logged.
ESMINFORMATION
All debug information is logged.ESMTRACE
All time-consuming operations are logged.ESMPERFMANCETIMING
All audit information is logged.
This level covers the data modificationoperations such as Correction and Update.
ESMAUDIT
Includes all log levels except ESMNOLOG.ESMMAXIMUM
You specify the log level in the LogLevel parameter of the configuration file. Forexample, to log the messages that are related to critical failures, specify the loglevel as follows:
[db2discovery_LogLevel] = ESMCRITICALFAILURES
Logging functionality on the ESM DB2 modulesAbout the Logging functionality on the ESM DB2 modules
62
You can also specifymultiple log levels by separating themwith a pipe (|) characteras follows:
[db2discovery_LogLevel] = ESMCRITICALFAILURES|ESMPERFMANCETIMING
You can use log levels for specific operations as follows:
ESMCRITICALFAILURES and ESMERRORSFor regular policy runs
ESMCRITICALFAILURES, ESMERRORS,ESMTRACE, and ESMINFORMATION
To generate detailed logs for policy failure
Creating the configuration fileYou can create a configuration file named esmlog.conf in the <esm_install_dir>\config folder and specify the values that ESMuses to store the logs of amodule.
To create the configuration file
1 Change to the <esm_install_dir> \config folder.
2 Create a new text file and specify the parameters and their values.
3 Save the text file as esmlog.conf.
See “Parameters of the configuration file” on page 63.
The following is an example of the entries in the configuration file:
[MaxFileSize] = 1024
[NoOfBackupFile] = 20
[LogFileDirectory] = <esm_install_dir>\system\agentname\logs
[db2discovery_LogLevel] = ESMINFORMATION|ESMTRACE
[db2discovery_LogLevel] = ESMMAXIMUM
Note:We do not ship a default configuration file with the ESM DB2 modules. Youmust manually create the file and specify the parameters in it.
Note:Youdonot have to create a new esmlog.conf file, if youhave already createdthe file for a SecurityUpdate (SU) or any other applicationmodule. In the existingesmlog.conf file, you can add the module_loglevel for the DB2 modules.
Parameters of the configuration fileTable 4-1 lists the parameters that you need to specify in the configuration file.
63Logging functionality on the ESM DB2 modulesAbout the Logging functionality on the ESM DB2 modules
Table 4-1 Configuration file parameters
Default valueRange of valuesDescriptionParameter name
1 MB1 MB to 1024 MB (1GB)
Specify themaximum file sizefor the log file in MB
[MaxFileSize]
10 to 20Specify the numberof backup files of logsthat canbe storedpermodule.
For example, if thevalue ofNOOFBACKUPFILEis3, then ESM stores amaximum of 3backup files for themodule.
[NoOfBackupFile]
The %systemroot%\tempdirectory is used onthe Windowsoperating systems.
N/ASpecify the absolutepath to store the logfile and backup logfiles.
[LogFileDirectory]
ESMCRITICALFAILURE|ESMERROR|ESMEXCEPTION
N/ASpecify the log levelalong with the shortname of the module.
For example, to logall errormessages forthe ESM DB2Discovery module,specify the following:
[db2discovery_LogLevel]=ESMERRORS
[<module>_LogLevel]
If the configuration file esmlog.conf is not present then the logging functionalityappears to be disabled and no logs are generated.
About log fileThe ESM application now stores the log file of the modules in the directory thatthe user specifies. If the directory that the user specifies does not exist, then themodule first creates the directory and then stores the log files in it.
Logging functionality on the ESM DB2 modulesAbout the Logging functionality on the ESM DB2 modules
64
The log file has the following format:
<module_name>.log
The <module_name> is the short name of the module. For example, the log fileof the ESM DB2 Discovery module is named db2discovery.log. The backup filename for ESMDB2Discoverymodule is named db2discovery.log_1.bak and so on.
Note: During the process of logging, ESM locks the log file to store the logginginformation. If the log file is open at that time, the information about the logsmay be lost.
Format of the log fileA log file contains the following fields:
Serial number of the log file entry
The serial number is displayed inhexadecimal format.
The serial number is reset in the next policyrun on the module.
Serial Number
Thread identifier of the process thatgenerated the message
Thread ID
Name of the source file that caused themessage to be generated
Source File Name
Line number in the source file from wherethe message was generated
Line Number
Date on which the log was createdDate
Time at which the log was createdTime
Theactualmessage thatwasgeneratedalongwith the log level of that message.
Message
About the backup of logsWhen the log file reaches a specified size limit, ESM backs up the log file. Thissize limit is configurable and you can specify it in the MaxFileSize parameter ofthe configuration file.
If the log file reaches the MaxFileSize value, ESM creates a backup of the log filedepending on the No of BackupFile value that is specified in configuration file.
65Logging functionality on the ESM DB2 modulesAbout the Logging functionality on the ESM DB2 modules
For example, if the No of BackupFile value is 0, ESM overwrites the existing logfile, if any, for the module.
Logging functionality on the ESM DB2 modulesAbout the Logging functionality on the ESM DB2 modules
66
Troubleshooting
This chapter includes the following topics:
■ Encryption exception
■ ESM DB2 Remote module errors
Encryption exceptionAnerrormaydisplaywhenyou run apolicy asking you to reconfigure themodule.
Table 5-1 lists the error message that is displayed and the solution for the error.
Table 5-1 Encryption exception
SolutionError
This error may occur if you have set SSLConfigure =0 after configuring theESMDB2module. Or, if you have renamed or deletedthe AESConfigure.dat file.
To solve this problem, you need toreconfigure the ESM DB2 module.
If you want to generate logs for encryption,addDebugon=1 in theAESConfigure.dat filefrom esm\config folder. This generatesDB2AESDebuglog.log in the\esm\system\<platform>folder.
Encryption error
ESM DB2 Remote module errorsYoumay encounter errorswhile running policies thatmay cause the user accountto get locked or the connection to the DB2 database may fail.
5Chapter
Table 5-2 lists the errors pertaining to ESM DB2 Remote module and theirsolutions.
Table 5-2 ESM DB2 Remote module errors
SolutionError
This happens because for every check, theESM DB2 module connects to the databaseand the user account gets locked based onthe Windows Password policy.
To solve this problem, make sure thecredentials supplied for each database iscorrect.
User account gets locked after running aPolicy run on DB2 Remote module onWindows
This happens when the local DB2 instanceis registered to a different control center anduses a different node name on the samecomputer. Likewise, the install pathdetection may also fail.
To solve this problem, use the instancenameto configure the databases.
Connection to theDB2database by using thenode name may fail
TroubleshootingESM DB2 Remote module errors
68