Database Auto-discovery

Database Auto-discovery Overview

Sometimes a new database is introduced into a production environment outside of the normal control mechanisms. For example, the new database might be part of an application package from a software vendor. In older installations some databases may have been left unmonitored and “forgotten,” because the data and/or activities performed on it were not seen as a risk when the database was implemented.

Or, in another case, a rogue DBA might create a new instance of the database and do with it as he or she pleases, without being monitored.

Guardium's Auto-discovery application can be configured to probe the network, searching for and reporting on all databases discovered.

Once an auto-discovery process has been defined, it can be run on demand or scheduled to be run on a periodic basis. There are two types of jobs that can be scheduled for each process:

The two jobs can be scheduled individually, or the auto-discovery process can be defined to run the probe job as soon as the scan job completes.

Because the processes of scanning and probing ports can take time, the progress of an auto-discovery process can be displayed at any time (by clicking the Progress/Summary button).

Once the jobs have been completed, the results can be viewed using predefined reports.

To summarize, the following steps outline the procedure for using the Database Auto-discovery application:

  1. Configure one or more Auto-discovery processes to search specific IP addresses or subnets for one or more ports. See Create an Auto-discovery Process.

  2. Run the Auto-discovery process on demand or on a scheduled basis. See Run or Schedule an Auto-discovery Process.

  3. View Auto-discovery reports, or create custom reports. See Auto-discovery Reports.

Create an Auto-discovery Process

  1. Do one of the following to open the Auto-discover Process Selector:

  2. Click New to open the Auto-discovery Process Builder.

  3. Enter a Process name, which must be unique on the Guardium system.

  4. Optionally mark the Run probe automatically after scan box, to run the probe job immediately after the scan job completes. (Database auto-discovery is a two-job process, which is described in more detail under the Run an Auto-discovery Process topic, below.)

  5. For each host or subnet to be scanned, repeat the following steps to configure a scan task. While doing this, watch the message that displays above the Hosts title bar. It will display how many hosts and ports will be scanned. If the number increases dramatically, you may need to adjust your host and/or port specifications.

  6. To modify a Host or Port, type over it, and be sure to click the Apply button, which will be activated when you make any modifications to the Host or Port entries.

  7. To remove a task, click the (Delete this task) button. If the task has been run and has scan results dependent upon it, it cannot be deleted.

  8. Optionally run or schedule a job. See Run or Schedule an Auto-discovery Process.

  9. Optionally assign roles. See Security Roles.

  10. Optionally add comments. See Comments.

  11. Click the Done button when you are done.

Update an Auto-discovery Process

Note that when an auto-discovery process definition changes, the statistics for that process will be reset.

  1. Do one of the following to open the Auto-discover Process Selector:

  2. Select the process to be modified from the list.

  3. Click Modify to open the Auto-discovery Process Builder, and refer to Create an Auto-discovery Process, above, to modify the process definition.

Remove an Auto-discovery Process

  1. Do one of the following to open the Auto-discover Process Selector:

  2. Select the process to be removed from the list.

  3. Click Remove. You will be prompted to confirm the action.

Run or Schedule an Auto-discovery Process

  1. Do one of the following to open the Auto-discovery Process Selector:

  2. Select the auto-discovery process to run from the list, and click Modify to open the process in the Auto-discovery Process Builder.

  3. There are two types of jobs that can be run or scheduled (see the overview above for a description of the two job types).

  4. After starting or scheduling a job, you can click the Progress Summary button at any time to display the status of this process.

  5. Click the Done button when you are finished.

Auto-discovery Reports

On the user portal, the auto-discovery reports can be viewed on the Discover > DB Discovery tab. Also from that tab, you can create custom reports using the Auto-discovery Query Builder.

The following sections describe the Auto-discovery Tracking Domain and all default reports. The procedures for creating custom reports are described in the Audit & Report help book, and are not repeated here.

Auto-discovery Tracking Domain

The Auto-discovery Tracking domain contains all of the data reported by auto-discovery processes. It contains the entities described below. Click any entity name to display its attributes (from the Entities and Attributes Appendix).

Auto-discovery Tracking Domain Entities

  Entity                 Description
  Auto-discovery Scan    Provides a timestamp for each scan operation
  Discovered Host        Provides the IP address and host name for each discovered host
  Discovered Port        For each port discovered open, provides a timestamp, identifies the port, and provides the database type, if applicable

Databases Discovered Report

Do one of the following to open the Databases Discovered report:

The main entity for this report is the Discovered Port entity. There will be a separate row of the report for each individual port found with a supported database type listening.

For the reporting period, for each database discovered, this report lists the Time Probed, Server IP address, Server Host Name, DB Type, Port, Port Type (usually TCP) and a count of occurrences for the row.

There are no special runtime parameters for this report, but it excludes any discovered ports with a database type of Unknown.
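One way to act on this report is to reconcile it against the list of databases already under monitoring, so that forgotten or unsanctioned instances stand out. The following is an added example, not part of the Guardium product or its documentation: it assumes the report has been exported as CSV with the column names listed above, and the sample rows, DB type strings, timestamp format and inventory are all constructed for illustration.

```python
import csv
import io

# Constructed sample rows using the Databases Discovered report columns.
# The CSV export layout, type strings and timestamp format are assumptions.
REPORT_CSV = """Time Probed,Server IP,Server Host Name,DB Type,Port,Port Type,Count
2024-03-01 02:10:00,10.0.5.11,erp-db01,ORACLE,1521,TCP,1
2024-03-01 02:10:04,10.0.5.12,crm-db01,MSSQL,1433,TCP,1
2024-03-01 02:10:09,10.0.7.40,vendor-app03,MYSQL,3306,TCP,1
2024-03-08 02:10:07,10.0.7.40,vendor-app03,MYSQL,3306,TCP,1
2024-03-08 02:11:30,10.0.9.77,,ORACLE,1522,TCP,1
"""

# Constructed inventory of monitored databases: (IP, port) -> expected DB type.
MONITORED = {("10.0.5.11", 1521): "ORACLE", ("10.0.5.12", 1433): "ORACLE"}


def reconcile(report_csv, monitored):
    """Return (unmonitored, type_mismatch) lists, one entry per (IP, port)."""
    seen = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        db_type = row["DB Type"].strip().upper()
        if not db_type or db_type == "UNKNOWN":
            continue  # the report already excludes Unknown; skip defensively
        key = (row["Server IP"].strip(), int(row["Port"]))
        t = row["Time Probed"].strip()
        rec = seen.setdefault(key, {"first": t, "last": t})
        rec["first"] = min(rec["first"], t)  # timestamps sort correctly as text
        if t >= rec["last"]:
            # Keep host name and type from the most recent probe of this endpoint.
            host = row["Server Host Name"].strip() or "(no name)"
            rec.update(last=t, host=host, type=db_type)
    unmonitored, mismatch = [], []
    for key in sorted(seen):
        rec = {"ip": key[0], "port": key[1], **seen[key]}
        if key not in monitored:
            unmonitored.append(rec)
        elif monitored[key].upper() != rec["type"]:
            mismatch.append({**rec, "expected": monitored[key]})
    return unmonitored, mismatch


if __name__ == "__main__":
    new, changed = reconcile(REPORT_CSV, MONITORED)
    for r in new:
        print(f"UNMONITORED {r['type']} {r['ip']}:{r['port']} ({r['host']}) "
              f"first seen {r['first']}, last seen {r['last']}")
    for r in changed:
        print(f"TYPE MISMATCH {r['ip']}:{r['port']}: "
              f"inventory says {r['expected']}, probe says {r['type']}")
```

Endpoints that appear in the report but not in the inventory are candidates for the unmonitored databases described in the overview; a type mismatch on a known endpoint suggests the inventory is stale or the instance was replaced.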

When an auto-discovery process definition changes, the statistics for that process will be reset.

There are no drill-down reports available on this reporting domain.