Database Example Audit Items
Tenable can be configured to log into the following database types and determine local security policy compliance:
- SQL Server
- Oracle
- MySQL
- PostgreSQL
- DB2
- Informix/DRDA
- MongoDB
In general, Tenable recommends running a database compliance scan with a user with SYSDBA privileges for Oracle, sa or an account with sysadmin server role for MS-SQL, and DB2 instance user account for DB2. Scanning as users with these roles ensures completeness of the report, as some system or hidden tables and parameters can only be accessed by an account with such privileges.
For MongoDB, a NoSQL database, Tenable recommends running a database compliance scan with the database user for the associated database. Note that for Oracle, in most cases a user assigned the DBA role will perform most of the checks in Tenable audits, but some checks will report errors because of insufficient access privileges. This same argument is applicable to other databases as well; a lesser privilege account could be used for database auditing but the downside is a complete report cannot be ensured.
Database audits are normally comprised of select statements that retrieve security-related details from your database such as the existence or status of insecure stored procedures.