Sometimes a new database is introduced into a production environment outside of the normal control mechanisms. For example, the new database might be part of an application package from a software vendor. In older installations some databases may have been left unmonitored and “forgotten,” because the data stored in them and/or the activities performed on them were not seen as a risk when the databases were implemented.
In another case, a rogue DBA might create a new instance of the database and do with it as he or she pleases, without being monitored.
Guardium's Auto-discovery application can be configured to probe the network, searching for and reporting on all databases discovered.
Once an auto-discovery process has been defined, it can be run on demand or scheduled to be run on a periodic basis. There are two types of jobs that can be scheduled for each process:
A scan job scans each specified host (or hosts in a specified subnet), and compiles a list of open ports from the list of ports specified for that host. A scan job must be run before running the second type of job.
A probe job uses the list of open ports compiled during the latest completed scan only. The probe job determines if there are database services running on those ports. You can view the results of this job on the Databases Discovered predefined report (described later).
The two jobs can be scheduled individually, or the auto-discovery process can be defined to run the probe job as soon as the scan job completes.
Because the processes of scanning and probing ports can take time, the progress of an auto-discovery process can be displayed at any time (by clicking the Progress/Summary button).
Once the jobs have been completed, the results can be viewed using predefined reports.
To summarize, the following steps outline the procedure for using the Database Auto-discovery application:
Configure one or more Auto-discovery processes to search specific IP addresses or subnets for one or more ports. See Create an Auto-discovery Process.
Run the Auto-discovery process on demand or on a scheduled basis. See Run or Schedule an Auto-discovery Process.
View Auto-discovery reports, or create custom reports. See Auto-discovery Reports.
Do one of the following to open the Auto-discovery Process Selector:
Users with the admin role: Select Tools > Config & Control > Auto-discovery Configuration.
All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
Click New to open the Auto-discovery Process Builder.
Enter a Process name, which must be unique on the Guardium system.
Optionally mark the Run probe automatically after scan box to run the probe job immediately after the scan job completes. (Database auto-discovery is a two-job process, which is described in more detail under the Run an Auto-discovery Process topic, below.)
For each host or subnet to be scanned, repeat the following steps to configure a scan task. While doing this, watch the message that displays above the Hosts title bar. It will display how many hosts and ports will be scanned. If the number increases dramatically, you may need to adjust your host and/or port specifications.
Enter a comma-separated list of host IP addresses, optionally using wildcard * (asterisk) characters; for example: 192.168.2.* will select all addresses beginning with 192.168.2.
Enter a comma-separated list of one or more ports. You can also enter ranges of ports by specifying a – (dash) between the first and last port numbers in the range (4100–4102, for example), but this is discouraged.
Click the Add button.
To modify a Host or Port, type over it, and be sure to click the Apply button, which will be activated when you make any modifications to the Host or Port entries.
To remove a task, click the (Delete this task) button. If the task has been run and has scan results dependent upon it, it cannot be deleted.
Optionally run or schedule a job. See Run or Schedule an Auto-discovery Process.
Optionally assign roles. See Security Roles.
Optionally add comments. See Comments.
Click the Done button when you are done.
Note that when an auto-discovery process definition changes, the statistics for that process will be reset.
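The host and port formats used in the scan task steps above can be sized before they are entered in the Process Builder. The following is an added example, not Guardium code: the function names are hypothetical, and it assumes each * octet stands for 256 addresses.

```python
# Assumption: each "*" octet stands for 256 values (0-255); the page only
# says 192.168.2.* selects all addresses beginning with 192.168.2.
WILDCARD_SPAN = 256

def _entries(spec):
    return [e.strip() for e in spec.split(",") if e.strip()]

def count_hosts(host_spec):
    """Upper bound on addresses selected (overlapping entries count twice)."""
    total = 0
    for entry in _entries(host_spec):
        octets = entry.split(".")
        ok = len(octets) == 4 and all(
            o == "*" or (o.isdigit() and int(o) <= 255) for o in octets)
        if not ok:
            raise ValueError(f"not an IPv4 address or wildcard: {entry!r}")
        total += WILDCARD_SPAN ** octets.count("*")
    return total

def expand_ports(port_spec):
    """Return (sorted unique ports, range entries) for a port list."""
    ports, ranges = set(), []
    for entry in _entries(port_spec):
        # Accept both "-" and the en dash the page uses in its range example.
        first, sep, last = entry.replace("\u2013", "-").partition("-")
        lo, hi = int(first), int(last if sep else first)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {entry!r}")
        if sep:
            ranges.append(entry)  # ranges are discouraged, so report them
        ports.update(range(lo, hi + 1))
    return sorted(ports), ranges

def scan_size(tasks):
    """Per-task host, port and host-port counts, plus the overall total."""
    rows = []
    for hosts, ports in tasks:
        n, (plist, ranges) = count_hosts(hosts), expand_ports(ports)
        rows.append({"hosts": n, "ports": len(plist),
                     "checks": n * len(plist), "ranges": ranges})
    return rows, sum(r["checks"] for r in rows)

# Constructed sample tasks, not taken from any real deployment.
SAMPLE_TASKS = [("192.168.2.*", "1433,1521,3306"),
                ("10.0.*.*, 10.1.0.15", "4100\u20134102")]

if __name__ == "__main__":
    print(scan_size(SAMPLE_TASKS))
```

The second sample task shows how a second wildcard octet multiplies the scan size, which is the jump the message above the Hosts title bar is meant to reveal.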
Do one of the following to open the Auto-discovery Process Selector:
Users with the admin role: Select Tools > Config & Control > Auto-discovery Configuration.
All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
Select the process to be modified from the list.
Click Modify to open the Auto-discovery Process Builder, and refer to Create an Auto-Discovery Process, above, to modify the process definition.
Do one of the following to open the Auto-discovery Process Selector:
Users with the admin role: Select Tools > Config & Control > Auto-discovery Configuration.
All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
Select the process to be removed from the list.
Click Remove. You will be prompted to confirm the action.
Do one of the following to open the Auto-discovery Process Selector:
Users with the admin role: Select Tools > Config & Control > Auto-discovery Configuration.
All Others: Select Discover > DB Discovery > Auto-discovery Configuration.
Select the auto-discovery process to run from the list, and click Modify to open the process in the Auto-discovery Process Builder.
There are two types of jobs that can be run or scheduled (see the overview above for a description of the two job types).
To run a job immediately, click its Run Once Now button.
To schedule a job, click its Modify Schedule button, and see Scheduling if you need help defining a schedule.
After starting or scheduling a job, you can click the Progress Summary button at any time to display the status of this process.
Click the Done button when you are finished.
On the user portal, the auto-discovery reports can be viewed on the Discover > DB Discovery tab. Also from that tab, you can create custom reports using the Auto-discovery Query Builder.
The following sections describe the Auto-discovery Tracking Domain and all default reports. The procedures for creating custom reports are described in the Audit & Report help book, and are not repeated here.
The Auto-discovery Tracking domain contains all of the data reported by auto-discovery processes. It contains the entities described below. Click any entity name to display its attributes (from the Entities and Attributes Appendix).
| Entity | Description |
| | Provides a timestamp for each scan operation |
| | Provides the IP address and host name for each discovered host |
| | For each port discovered open, provides a timestamp, identifies the port, and provides the database type, if applicable |
Do one of the following to open the Databases Discovered report:
Users with the admin role: Select Tools > Daily Monitor > Databases Discovered.
All Others: Select Discover > DB Discovery > Databases Discovered.
The main entity for this report is the Discovered Port entity. There will be a separate row of the report for each individual port found with a supported database type listening.
For the reporting period, for each database discovered, this report lists the Time Probed, Server IP address, Server Host Name, DB Type, Port, Port Type (usually TCP) and a count of occurrences for the row.
There are no special runtime parameters for this report, but it excludes any discovered ports with a database type of Unknown.
When an auto-discovery process definition changes, the statistics for that process will be reset.
There are no drill-down reports available on this reporting domain.
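To act on the Databases Discovered report, its rows can be reconciled against the list of databases that are known and monitored. The following is an added example, not Guardium code: the CSV layout, the inventory structure, and all host names, addresses and type strings are constructed for illustration, and only the column names come from the report fields listed above.

```python
import csv
import io

# Constructed sample data. Column names follow the report fields listed
# above; the CSV layout itself is an assumption, not a Guardium export format.
REPORT_CSV = """Time Probed,Server IP,Server Host Name,DB Type,Port,Port Type,Count
2024-05-01 02:10:00,192.168.2.10,erp-db01,ORACLE,1521,TCP,1
2024-05-01 02:10:04,192.168.2.10,erp-db01,MYSQL,3306,TCP,1
2024-05-01 02:11:30,192.168.2.47,build-agent7,MS SQL SERVER,1433,TCP,1
2024-05-01 02:12:02,192.168.2.80,crm-db02,DB2,50000,TCP,1
"""

# Hypothetical approved inventory: (server IP, port) -> expected DB type.
INVENTORY = {
    ("192.168.2.10", 1521): "ORACLE",
    ("192.168.2.80", 50000): "MS SQL SERVER",
    ("192.168.2.90", 1433): "MS SQL SERVER",
}


def reconcile(report_csv, inventory):
    """Compare discovered database listeners with the approved inventory."""
    seen = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        key = (row["Server IP"].strip(), int(row["Port"]))
        seen[key] = (row["DB Type"].strip().upper(), row["Server Host Name"])
    findings = {"unapproved": [], "type_mismatch": [], "not_seen": []}
    for key, (db_type, host) in sorted(seen.items()):
        expected = inventory.get(key)
        if expected is None:
            # A listener nobody registered: vendor-bundled, forgotten or rogue.
            findings["unapproved"].append((*key, host, db_type))
        elif expected.upper() != db_type:
            findings["type_mismatch"].append((*key, expected, db_type))
    # Inventory entries the probe did not report: out of scan scope,
    # offline, or decommissioned without the inventory being updated.
    findings["not_seen"] = sorted(k for k in inventory if k not in seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(REPORT_CSV, INVENTORY).items():
        print(kind, items)
```

Because the report excludes ports with a database type of Unknown, open ports that the probe could not classify are not covered by this comparison.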