Privileges for VA assessments, privilege summaries, and penetration tests
The FortiDB database user for a target database requires the following privileges to run assessments and related tasks:
Task
Required privileges
DB2
Run VA Assessment (except penetration test)
CREATE TABLE
SELECT on the following SYSIBM tables:
SYSCOLAUTH
SYSDBAUTH
SYSINDEXAUTH
SYSPLANAUTH
SYSSCHEMAAUTH
SYSTABAUTH
SYSTBSPACEAUTH
View a Privilege Summary
SELECT on the following SYSCAT tables:
COLAUTH
DBAUTH
INDEXAUTH
PACKAGEAUTH
SCHEMAAUTH
TABAUTH
TBSPACEAUTH
SELECT on the following SYSIBM tables:
SYSCOLAUTH
SYSDBAUTH
SYSINDEXAUTH
SYSPLANAUTH
SYSSCHEMAAUTH
SYSTABAUTH
SYSSYSTABLESPACES
SYSTBSPACEAUTH
SYSUSERAUTH
Run Penetration Test
SELECT on the following SYSCAT tables:
COLAUTH
DBAUTH
INDEXAUTH
PACKAGEAUTH
SCHEMAAUTH
TABAUTH
TBSPACEAUTH
SELECT on the following SYSIBM tables:
SYSCOLAUTH
SYSDBAUTH
SYSINDEXAUTH
SYSPLANAUTH
SYSSCHEMAAUTH
SYSTABAUTH
SYSTBSPACEAUTH
SYSUSERAUTH
Microsoft SQL Server 2000
Run VA assessment (except penetration test)
SELECT on:
MASTER.DBO.SPT_VALUES
MASTER.DBO.SYSALTFILES
MASTER.DBO.SYSDATABASES
MASTER.DBO.SYSLOGINS
MASTER.DBO.SYSXLOGINS
SYSCOLUMNS
SYSMEMBERS
SYSOBJECTS
SYSPROTECTS
SYSUSERS
EXECUTE on:
MASTER.DBO.XP_CMDSHELL
MASTER.DBO.XP_INSTANCE_REGENUMVALUES
MASTER.DBO.XP_INSTANCE_REGREAD
MASTER.DBO.XP_LOGINCONFIG
MASTER.DBO.XP_LOGININFO
MASTER.DBO.XP_REGENUMVALUES
MASTER.DBO.XP_REGREAD
The database user requires the MS-SQL sysadmin role to use the following policies in assessments:
DVA MSSQL 01.01 password field empty
DVA MSSQL 01.02 password is the same as login name
View a Privilege Summary
For each individual MS-SQL 2000 database you want to connect to, SELECT on:
MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)
SYSMEMBERS
SYSOBJECTS
SYSPROTECTS
SYSUSERS
Run Penetration Test
SELECT on:
MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)
MASTER.DBO.SYSXLOGINS
SYS.DATABASE_ROLE_MEMBERS
SYSMEMBERS
SYSOBJECTS
SYSPROTECTS
SYSUSERS (for each individual MS-SQL 2000 database you want to connect to)
Microsoft SQL Server 2005 or 2008
Run VA Assessment (except penetration test)
SELECT on:
MASTER.DBO.SPT_VALUES
MASTER.DBO.SYSALTFILES
MASTER.DBO.SYSDATABASES
MASTER.DBO.SYSLOGINS
MASTER.DBO.SYSXLOGINS
SYS.COLUMNS
SYS.MEMBERS
SYS.OBJECTS
SYS.PROTECTS
SYS.USERS
EXECUTE on:
MASTER.DBO.XP_CMDSHELL
MASTER.DBO.XP_INSTANCE_REGENUMVALUES
MASTER.DBO.XP_INSTANCE_REGREAD
MASTER.DBO.XP_LOGINCONFIG
MASTER.DBO.XP_LOGININFO
MASTER.DBO.XP_REGENUMVALUES
MASTER.DBO.XP_REGREAD
The database user requires the MS-SQL sysadmin role to use the following policies in assessments:
DVA MSSQL 01.01 password field empty
DVA MSSQL 01.02 password is the same as login name
DVA MSSQL 05.36 List database logins that are part of the local Administrators group
DVA MSSQL 05.37 Verify SQL Server not run as local System Administrator
DVA MSSQL 05.42 Default Microsoft SQL Listener Port Report
View Privileges Summary
SELECT on:
MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)
For each individual Microsoft SQL 2005 Server database that you want to connect to, SELECT on:
SYS.DATABASE_PERMISSIONS
SYS.DATABASE_PRINCIPALS
SYS.DATABASE_ROLE_MEMBERS
SYS.OBJECTS
Run Penetration Test
SELECT on:
MASTER.SYS.DATABASES (for Microsoft SQL 2005 Server server-level connections)
SYS.DATABASE_PERMISSIONS
SYS.DATABASE_PRINCIPALS (for each individual Microsoft SQL 2005 Server database that you want to connect to)
SYS.DATABASE_ROLE_MEMBERS
SYS.OBJECTS
SYS.SQL_LOGINS
Oracle
Run VA Assessment (except penetration test)
CREATE SESSION
SELECT_CATALOG_ROLE
SELECT on:
SYS.AUDIT$
SYS.LINK$
SYS.REGISTRY$HISTORY (Oracle 10g only)
SYS.USER$
SYSTEM.SQLPLUS_PRODUCT_PROFILE
View Privilege Summary
SELECT on:
ALL_USERS
DBA_COL_PRIVS
DBA_ROLE_PRIVS
DBA_ROLES
DBA_SYS_PRIVS
DBA_TAB_PRIVS
Run Penetration Test
SELECT on:
ALL_USERS
DBA_COL_PRIVS
DBA_ROLE_PRIVS
DBA_ROLES
DBA_SYS_PRIVS
DBA_TAB_PRIVS
SYS.USER$
Sybase and Sybase IQ
Run VA Assessment (except for penetration test)
SSO_ROLE
If the Sybase server is using SybSecurity:
On the MASTER database, add the FortiDB user to the database and grant it SELECT permission on the following tables:
SYSSRVROLES
SYSLOGINROLES
SYSSECMECHS
SYSDATABASES (AUDFLAGS column)
SYSLOGINS (AUDFLAGS column)
On any user-defined databases, add the FortiDB user to the database and grant it SELECT permission on the following table:
SYSUSERS
If the Sybase server is not using SybSecurity, grant the database user SELECT permission on the following tables:
SYSSRVROLES
SYSLOGINROLES
SYSSECMECHS
SYSDATABASES (AUDFLAGS column)
View a Privilege Summary
For each individual database you want to connect to, grant SELECT on:
MASTER.DBO.SYSDATABASES (for server-level connections)
SYSOBJECTS
SYSPROTECTS
SYSUSERS
Run Penetration Test
Grant SELECT on:
MASTER.DBO.SYSDATABASES (for server-level connections)
SYSOBJECTS
SYSPROTECTS
SYSUSERS (for each individual database that you want to connect to)
MySQL
Run a VA Assessment (including penetration test)
SELECT on:
mysql.user
mysql.db
mysql.columns_priv
mysql.tables_priv
View a Privilege Summary
SELECT on:
`INFORMATION_SCHEMA`.*
mysql.user
SHOW DATABASES
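A least-privilege check for the MySQL entry above, as an added example that is not part of the FortiDB documentation: it parses SHOW GRANTS output for the scanning account and reports grants that are missing from, or in excess of, the MySQL list on this page. The account name, host and sample rows are constructed, and treating INFORMATION_SCHEMA as readable without an explicit grant is an assumption.

```python
import re

# Required MySQL grants, copied from the MySQL rows above
# (VA assessment plus privilege summary).
# Assumption: INFORMATION_SCHEMA needs no explicit grant, so it is not listed.
REQUIRED = {
    ("SELECT", "mysql.user"),
    ("SELECT", "mysql.db"),
    ("SELECT", "mysql.columns_priv"),
    ("SELECT", "mysql.tables_priv"),
    ("SHOW DATABASES", "*.*"),
}

# Constructed SHOW GRANTS rows for a hypothetical account fortidb_scan.
SAMPLE = [
    "GRANT FILE, SHOW DATABASES ON *.* TO `fortidb_scan`@`10.0.0.5`",
    "GRANT SELECT ON `mysql`.`user` TO `fortidb_scan`@`10.0.0.5`",
    "GRANT SELECT ON `mysql`.`db` TO `fortidb_scan`@`10.0.0.5`",
    "GRANT SELECT, UPDATE ON `mysql`.`tables_priv` TO `fortidb_scan`@`10.0.0.5`",
]

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+", re.I)

def parse_grants(lines):
    """Turn SHOW GRANTS rows into a set of (privilege, object) pairs."""
    grants = set()
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # role grants and other rows without an ON clause
        obj = m.group("obj").replace("`", "").lower()
        # Split on commas outside parentheses so column lists stay attached.
        for priv in re.split(r",\s*(?![^()]*\))", m.group("privs")):
            priv = priv.strip().upper()
            if priv != "USAGE":  # USAGE means "no privileges"
                grants.add((priv, obj))
    return grants

def audit(lines):
    """Return (missing, excess) relative to REQUIRED, by exact match only:
    a broader grant such as SELECT ON mysql.* is reported as excess."""
    actual = parse_grants(lines)
    return sorted(REQUIRED - actual), sorted(actual - REQUIRED)

if __name__ == "__main__":
    missing, excess = audit(SAMPLE)
    print("missing:", missing)
    print("excess: ", excess)
```
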
See also
Adding or modifying assessments
Viewing and exporting a privilege summary
Penetration tests