Privileges for VA assessments, privilege summaries, and penetration tests

The FortiDB database user for a target database requires the following privileges to run assessments and related tasks, listed by database type and then by task. Grant only the privileges for the tasks you intend to run: the privilege summary and the penetration test need read access to the catalog, whereas some assessment policies need more, where noted under the database type.
DB2

Run VA Assessment (except penetration test)

CREATE TABLE

SELECT on the following SYSIBM tables:

  • SYSCOLAUTH
  • SYSDBAUTH
  • SYSINDEXAUTH
  • SYSPLANAUTH
  • SYSSCHEMAAUTH
  • SYSTABAUTH
  • SYSTBSPACEAUTH

View a Privilege Summary

SELECT on the following SYSCAT tables:

  • COLAUTH
  • DBAUTH
  • INDEXAUTH
  • PACKAGEAUTH
  • SCHEMAAUTH
  • TABAUTH
  • TBSPACEAUTH

SELECT on the following SYSIBM tables:

  • SYSCOLAUTH
  • SYSDBAUTH
  • SYSINDEXAUTH
  • SYSPLANAUTH
  • SYSSCHEMAAUTH
  • SYSTABAUTH
  • SYSTABLESPACES
  • SYSTBSPACEAUTH
  • SYSUSERAUTH

Run Penetration Test

SELECT on the following SYSCAT tables:

  • COLAUTH
  • DBAUTH
  • INDEXAUTH
  • PACKAGEAUTH
  • SCHEMAAUTH
  • TABAUTH
  • TBSPACEAUTH

SELECT on the following SYSIBM tables:

  • SYSCOLAUTH
  • SYSDBAUTH
  • SYSINDEXAUTH
  • SYSPLANAUTH
  • SYSSCHEMAAUTH
  • SYSTABAUTH
  • SYSTBSPACEAUTH
  • SYSUSERAUTH
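The DB2 grants above, as an added example written for DB2 for LUW; it is not a script from the FortiDB handbook. The user name fortidb (an existing OS or LDAP identity), the mapping of the CREATE TABLE requirement onto the CREATETAB database authority plus USE OF TABLESPACE on USERSPACE1, and the CONNECT grant are assumptions of mine. The block covers all three tasks, so a summary-only or penetration-test-only user can drop the lines marked for assessments. The two queries at the end read the grants back from the same catalog views the privilege summary uses.

```sql
-- Added example (not FortiDB's own script): provision a least-privilege
-- FortiDB user on DB2 for LUW. Assumptions: you are already connected to
-- the target database, the OS/LDAP user "fortidb" exists, and the grantor
-- holds SECADM or DBADM.

-- Every task: without CONNECT the user cannot reach the catalog at all.
GRANT CONNECT ON DATABASE TO USER fortidb;

-- "Run VA Assessment" only: the CREATE TABLE requirement is read here as
-- the CREATETAB authority plus the right to place the table somewhere
-- (USERSPACE1 is the default user table space; adjust to yours).
GRANT CREATETAB ON DATABASE TO USER fortidb;
GRANT USE OF TABLESPACE USERSPACE1 TO USER fortidb;

-- SYSIBM base tables: the union of the three task lists.
GRANT SELECT ON SYSIBM.SYSCOLAUTH     TO USER fortidb;
GRANT SELECT ON SYSIBM.SYSDBAUTH      TO USER fortidb;
GRANT SELECT ON SYSIBM.SYSINDEXAUTH   TO USER fortidb;
GRANT SELECT ON SYSIBM.SYSPLANAUTH    TO USER fortidb;
GRANT SELECT ON SYSIBM.SYSSCHEMAAUTH  TO USER fortidb;
GRANT SELECT ON SYSIBM.SYSTABAUTH     TO USER fortidb;
GRANT SELECT ON SYSIBM.SYSTABLESPACES TO USER fortidb;  -- privilege summary only
GRANT SELECT ON SYSIBM.SYSTBSPACEAUTH TO USER fortidb;
GRANT SELECT ON SYSIBM.SYSUSERAUTH    TO USER fortidb;  -- summary and penetration test

-- SYSCAT views: privilege summary and penetration test.
GRANT SELECT ON SYSCAT.COLAUTH     TO USER fortidb;
GRANT SELECT ON SYSCAT.DBAUTH      TO USER fortidb;
GRANT SELECT ON SYSCAT.INDEXAUTH   TO USER fortidb;
GRANT SELECT ON SYSCAT.PACKAGEAUTH TO USER fortidb;
GRANT SELECT ON SYSCAT.SCHEMAAUTH  TO USER fortidb;
GRANT SELECT ON SYSCAT.TABAUTH     TO USER fortidb;
GRANT SELECT ON SYSCAT.TBSPACEAUTH TO USER fortidb;

-- Check: read the result back from the catalog the scanner itself reads.
-- Expect CONNECTAUTH = 'Y', CREATETABAUTH = 'Y' and DBADMAUTH = 'N'.
SELECT CONNECTAUTH, CREATETABAUTH, DBADMAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'FORTIDB';

-- Expect one row per catalog object above, each with SELECTAUTH = 'Y'.
SELECT TABSCHEMA, TABNAME, SELECTAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'FORTIDB'
   AND TABSCHEMA IN ('SYSIBM', 'SYSCAT')
 ORDER BY TABSCHEMA, TABNAME;
```

The grants are deliberately listed object by object rather than as DATAACCESS or DBADM: the point of the handbook's list is that the scanner works with SELECT on a handful of catalog objects, and a broad authority would hide any later drift in what the account can reach.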

Microsoft SQL Server 2000

Run VA Assessment (except penetration test)

SELECT on:

  • MASTER.DBO.SPT_VALUES
  • MASTER.DBO.SYSALTFILES
  • MASTER.DBO.SYSDATABASES
  • MASTER.DBO.SYSLOGINS
  • MASTER.DBO.SYSXLOGINS
  • SYSCOLUMNS
  • SYSMEMBERS
  • SYSOBJECTS
  • SYSPROTECTS
  • SYSUSERS

EXECUTE on:

  • MASTER.DBO.XP_CMDSHELL
  • MASTER.DBO.XP_INSTANCE_REGENUMVALUES
  • MASTER.DBO.XP_INSTANCE_REGREAD
  • MASTER.DBO.XP_LOGINCONFIG
  • MASTER.DBO.XP_LOGININFO
  • MASTER.DBO.XP_REGENUMVALUES
  • MASTER.DBO.XP_REGREAD

EXECUTE on XP_CMDSHELL lets the FortiDB user run operating-system commands on the database host, and the XP_REG* procedures read the host's registry. Protect this login's credentials as you would a sysadmin's, and restrict the hosts it may connect from.

The database user requires the MS-SQL sysadmin role to use the following policies in assessments:

  • DVA MSSQL 01.01 password field empty
  • DVA MSSQL 01.02 password is the same as login name

View a Privilege Summary

SELECT on:

  • MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)

For each individual MS-SQL 2000 database you want to connect to, SELECT on:

  • SYSMEMBERS
  • SYSOBJECTS
  • SYSPROTECTS
  • SYSUSERS

Run Penetration Test

SELECT on:

  • MASTER.DBO.SYSDATABASES (for MS-SQL 2000 server-level connections)
  • MASTER.DBO.SYSXLOGINS

For each individual MS-SQL 2000 database you want to connect to, SELECT on:

  • SYS.DATABASE_ROLE_MEMBERS
  • SYSMEMBERS
  • SYSOBJECTS
  • SYSPROTECTS
  • SYSUSERS

Microsoft SQL Server 2005 or 2008

Run VA Assessment (except penetration test)

SELECT on:

  • MASTER.DBO.SPT_VALUES
  • MASTER.DBO.SYSALTFILES
  • MASTER.DBO.SYSDATABASES
  • MASTER.DBO.SYSLOGINS
  • MASTER.DBO.SYSXLOGINS
  • SYS.COLUMNS
  • SYS.MEMBERS
  • SYS.OBJECTS
  • SYS.PROTECTS
  • SYS.USERS

EXECUTE on:

  • MASTER.DBO.XP_CMDSHELL
  • MASTER.DBO.XP_INSTANCE_REGENUMVALUES
  • MASTER.DBO.XP_INSTANCE_REGREAD
  • MASTER.DBO.XP_LOGINCONFIG
  • MASTER.DBO.XP_LOGININFO
  • MASTER.DBO.XP_REGENUMVALUES
  • MASTER.DBO.XP_REGREAD

EXECUTE on XP_CMDSHELL lets the FortiDB user run operating-system commands on the database host, and the XP_REG* procedures read its registry; protect this login's credentials accordingly and restrict the hosts it may connect from.

The database user requires the MS-SQL sysadmin role to use the following policies in assessments:

  • DVA MSSQL 01.01 password field empty
  • DVA MSSQL 01.02 password is the same as login name
  • DVA MSSQL 05.36 List database logins that are part of the local Administrators group
  • DVA MSSQL 05.37 Verify SQL Server not run as local System Administrator
  • DVA MSSQL 05.42 Default Microsoft SQL Listener Port Report

View a Privilege Summary

SELECT on:

  • MASTER.SYS.DATABASES (for SQL Server 2005 or 2008 server-level connections)

For each individual SQL Server 2005 or 2008 database that you want to connect to, SELECT on:

  • SYS.DATABASE_PERMISSIONS
  • SYS.DATABASE_PRINCIPALS
  • SYS.DATABASE_ROLE_MEMBERS
  • SYS.OBJECTS

Run Penetration Test

SELECT on:

  • MASTER.SYS.DATABASES (for SQL Server 2005 or 2008 server-level connections)
  • SYS.SQL_LOGINS (server-level)

For each individual SQL Server 2005 or 2008 database that you want to connect to, SELECT on:

  • SYS.DATABASE_PERMISSIONS
  • SYS.DATABASE_PRINCIPALS
  • SYS.DATABASE_ROLE_MEMBERS
  • SYS.OBJECTS
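The SQL Server grants above, as an added example for SQL Server 2005 or 2008; it is not the handbook's own script. The SQL login name fortidb, its password placeholder and the user database name AppDB are assumptions. Two statements are mine rather than the handbook's and are marked as such in the comments: VIEW ANY DEFINITION, without which the catalog views show the login only the objects it already holds a permission on, and the note that XP_CMDSHELL must be enabled with sp_configure and, for a caller outside sysadmin, needs the xp_cmdshell proxy credential before it will run. The objects the handbook writes as MASTER.DBO.x and SYS.MEMBERS, SYS.PROTECTS and SYS.USERS are granted here under the names that exist on 2005 and 2008, the compatibility views in the sys schema; that reading is also mine. The SQL Server 2000 list maps onto the same GRANT statements, with sp_addlogin and sp_grantdbaccess in place of CREATE LOGIN and CREATE USER.

```sql
-- Added example (not FortiDB's own script): least-privilege FortiDB login on
-- SQL Server 2005/2008. Assumed names: SQL login "fortidb", user database
-- "AppDB". Run as a member of sysadmin.
USE master;
GO
CREATE LOGIN fortidb WITH PASSWORD = '<strong-password-here>', CHECK_POLICY = ON;
CREATE USER fortidb FOR LOGIN fortidb;
GO

-- "Run VA Assessment": server-wide catalog reads in master. The handbook's
-- MASTER.DBO.SYS* names are compatibility views under sys on 2005+.
GRANT SELECT ON dbo.spt_values   TO fortidb;
GRANT SELECT ON sys.sysaltfiles  TO fortidb;
GRANT SELECT ON sys.sysdatabases TO fortidb;
GRANT SELECT ON sys.syslogins    TO fortidb;
-- MASTER.DBO.SYSXLOGINS has no object on 2005+; a GRANT on it fails with
-- "Cannot find the object", so it is left out here.
GRANT SELECT ON sys.columns      TO fortidb;
GRANT SELECT ON sys.objects      TO fortidb;
GRANT SELECT ON sys.sysmembers   TO fortidb;   -- handbook: SYS.MEMBERS (my reading)
GRANT SELECT ON sys.sysprotects  TO fortidb;   -- handbook: SYS.PROTECTS
GRANT SELECT ON sys.sysusers     TO fortidb;   -- handbook: SYS.USERS

-- Extended procedures for "Run VA Assessment". xp_cmdshell runs OS commands
-- on the host; on 2005+ it is disabled until sp_configure 'xp_cmdshell', 1,
-- and a non-sysadmin caller also needs the ##xp_cmdshell_proxy_account##
-- credential (sp_xp_cmdshell_proxy_account). Neither is done here: decide
-- deliberately whether the policies that need it justify that exposure.
GRANT EXECUTE ON xp_cmdshell               TO fortidb;
GRANT EXECUTE ON xp_instance_regenumvalues TO fortidb;
GRANT EXECUTE ON xp_instance_regread       TO fortidb;
GRANT EXECUTE ON xp_loginconfig            TO fortidb;
GRANT EXECUTE ON xp_logininfo              TO fortidb;
GRANT EXECUTE ON xp_regenumvalues          TO fortidb;
GRANT EXECUTE ON xp_regread                TO fortidb;

-- "View a Privilege Summary" and "Run Penetration Test": server level.
GRANT SELECT ON sys.databases  TO fortidb;
GRANT SELECT ON sys.sql_logins TO fortidb;   -- penetration test only; carries password_hash

-- Not in the handbook's list (my addition): without it the catalog views
-- above return only rows for objects fortidb already has a permission on.
GRANT VIEW ANY DEFINITION TO fortidb;

-- Only if the sysadmin-only policies (DVA MSSQL 01.01, 01.02, 05.36, 05.37,
-- 05.42) are required. This makes every grant above redundant.
-- EXEC sp_addsrvrolemember 'fortidb', 'sysadmin';
GO

-- Check: impersonate the login and ask the engine what it can do.
EXECUTE AS LOGIN = 'fortidb';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;              -- 0 unless the line above was run
SELECT permission_name FROM fn_my_permissions('xp_cmdshell', 'OBJECT');  -- expect EXECUTE
SELECT COUNT(*) AS logins_visible FROM sys.sql_logins;           -- all logins once VIEW ANY DEFINITION is held
REVERT;
GO

-- ... and once per user database to be summarised or tested.
USE AppDB;
GO
CREATE USER fortidb FOR LOGIN fortidb;
GRANT SELECT ON sys.database_permissions  TO fortidb;
GRANT SELECT ON sys.database_principals   TO fortidb;
GRANT SELECT ON sys.database_role_members TO fortidb;
GRANT SELECT ON sys.objects               TO fortidb;
GO
```

Run the impersonation check again after any later change to the login: because the scanner's findings are only as complete as what this login can see, a silently revoked VIEW ANY DEFINITION turns an assessment into a report on the scanner's own objects.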

Oracle

Run VA Assessment (except penetration test)

CREATE SESSION

SELECT_CATALOG_ROLE

SELECT on:

  • SYS.AUDIT$
  • SYS.LINK$
  • SYS.REGISTRY$HISTORY (Oracle 10g only)
  • SYS.USER$
  • SYSTEM.SQLPLUS_PRODUCT_PROFILE

SELECT on SYS.USER$ exposes every account's password hash, so the FortiDB account's credentials deserve the same protection as a DBA's.

View a Privilege Summary

SELECT on:

  • ALL_USERS
  • DBA_COL_PRIVS
  • DBA_ROLE_PRIVS
  • DBA_ROLES
  • DBA_SYS_PRIVS
  • DBA_TAB_PRIVS

Run Penetration Test

SELECT on:

  • ALL_USERS
  • DBA_COL_PRIVS
  • DBA_ROLE_PRIVS
  • DBA_ROLES
  • DBA_SYS_PRIVS
  • DBA_TAB_PRIVS
  • SYS.USER$
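The Oracle grants above, as an added example; it is not the handbook's own script. The account name FORTIDB, the tablespace names and the password placeholder are assumptions. The script must be run as SYS, because object privileges on SYS-owned tables such as SYS.USER$ can only be granted by SYS or by a holder of GRANT ANY OBJECT PRIVILEGE. The closing query reads the result back through the same DBA_* views the privilege summary uses.

```sql
-- Added example (not FortiDB's own script): least-privilege FortiDB account
-- on Oracle. Assumptions: account FORTIDB, tablespaces USERS and TEMP,
-- password placeholder replaced, and the script run as SYS.
CREATE USER fortidb IDENTIFIED BY "<strong-password-here>"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;     -- no quota: the scanner only reads

-- Every task.
GRANT CREATE SESSION TO fortidb;

-- "Run VA Assessment": dictionary access plus the named base tables, which
-- SELECT_CATALOG_ROLE does not cover.
GRANT SELECT_CATALOG_ROLE TO fortidb;
GRANT SELECT ON sys.audit$                     TO fortidb;
GRANT SELECT ON sys.link$                      TO fortidb;
GRANT SELECT ON sys.registry$history           TO fortidb;   -- Oracle 10g only
GRANT SELECT ON sys.user$                      TO fortidb;   -- password hashes: guard this account
GRANT SELECT ON system.sqlplus_product_profile TO fortidb;

-- "View Privilege Summary" and "Run Penetration Test": the DBA_* views.
-- SELECT_CATALOG_ROLE already includes these; explicit grants let a
-- summary-only or penetration-test-only account do without the role.
GRANT SELECT ON sys.all_users      TO fortidb;
GRANT SELECT ON sys.dba_col_privs  TO fortidb;
GRANT SELECT ON sys.dba_role_privs TO fortidb;
GRANT SELECT ON sys.dba_roles      TO fortidb;
GRANT SELECT ON sys.dba_sys_privs  TO fortidb;
GRANT SELECT ON sys.dba_tab_privs  TO fortidb;

-- Check: the same views the summary reads answer "what did FORTIDB get?".
-- Expect CREATE SESSION, SELECT_CATALOG_ROLE and one SELECT row per table
-- or view above, and nothing else.
SELECT 'SYS PRIV' AS kind, privilege AS what
  FROM dba_sys_privs  WHERE grantee = 'FORTIDB'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'FORTIDB'
UNION ALL
SELECT 'TAB PRIV', owner || '.' || table_name || ':' || privilege
  FROM dba_tab_privs  WHERE grantee = 'FORTIDB'
ORDER BY 1, 2;
```

If the summary or penetration test is the only task, omit SELECT_CATALOG_ROLE and the SYS.* base-table grants other than SYS.USER$; the explicit DBA_* grants are then the whole footprint of the account.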

Sybase and Sybase IQ

Run VA Assessment (except penetration test)

SSO_ROLE

If the Sybase server is using SybSecurity:

  • On the MASTER database, add the FortiDB user to the database and grant it SELECT permission on the following tables:
    • SYSSRVROLES
    • SYSLOGINROLES
    • SYSSECMECHS
    • SYSDATABASES (AUDFLAGS column)
    • SYSLOGINS (AUDFLAGS column)
  • On any user-defined databases, add the FortiDB user to the database and grant it SELECT permission on the following table:
    • SYSUSERS

If the Sybase server is not using SybSecurity, grant the database user SELECT permission on the following tables:

  • SYSSRVROLES
  • SYSLOGINROLES
  • SYSSECMECHS
  • SYSDATABASES (AUDFLAGS column)

View a Privilege Summary

Grant SELECT on:

  • MASTER.DBO.SYSDATABASES (for server-level connections)

For each individual database you want to connect to, grant SELECT on:

  • SYSOBJECTS
  • SYSPROTECTS
  • SYSUSERS

Run Penetration Test

Grant SELECT on:

  • MASTER.DBO.SYSDATABASES (for server-level connections)

For each individual database that you want to connect to, grant SELECT on:

  • SYSOBJECTS
  • SYSPROTECTS
  • SYSUSERS
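The Sybase grants above, as an added example written for Sybase ASE in isql syntax; it is not the handbook's own script. The login name fortidb, the user database name appdb and a grantor holding sa_role and sso_role are assumptions. Sybase IQ uses the same catalog names but different login and user procedures, so adapt those statements there. The column-level grants on sysdatabases and syslogins give the scanner only the AUDFLAGS column the handbook names, and the two procedures at the end read the result back.

```sql
-- Added example (not FortiDB's own script): FortiDB login on Sybase ASE.
-- Assumptions: login fortidb, a user database named appdb, a grantor with
-- sa_role and sso_role. Each "go" ends an isql batch.
use master
go
exec sp_addlogin fortidb, "<strong-password-here>"
go

-- "Run VA Assessment": the sso_role itself. System roles are granted with
-- "grant role", not "grant select".
grant role sso_role to fortidb
go

-- Auditing installed (sybsecurity): fortidb needs a user in master and read
-- access to the role and security-mechanism tables, plus the audit-flag
-- column only (column-level grant) of sysdatabases and syslogins.
exec sp_adduser fortidb
go
grant select on syssrvroles            to fortidb
grant select on sysloginroles          to fortidb
grant select on syssecmechs            to fortidb
grant select on sysdatabases(audflags) to fortidb
grant select on syslogins(audflags)    to fortidb
go
-- Without sybsecurity, drop the syslogins(audflags) grant and the per-database
-- sysusers grant below; the rest is identical.

-- "View a Privilege Summary" and "Run Penetration Test": master..sysdatabases
-- once per server ...
grant select on sysdatabases to fortidb
go

-- ... then sysobjects/sysprotects/sysusers in every user database the scanner
-- connects to (sysusers is also what the assessment needs there).
use appdb
go
exec sp_adduser fortidb
go
grant select on sysobjects  to fortidb
grant select on sysprotects to fortidb
grant select on sysusers    to fortidb
go

-- Check: roles held by the login, then object grants in each database.
use master
go
exec sp_displaylogin fortidb       -- expect sso_role, and no sa_role
go
use appdb
go
exec sp_helprotect fortidb         -- expect three select grants, nothing else
go
```

The column-level form matters for the penetration-test credential: a FortiDB login that can read all of master..syslogins can read every login's password hash, which the audit-flag check does not require.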

MySQL

Run a VA Assessment (including penetration test)

SELECT on:

  • mysql.user
  • mysql.db
  • mysql.columns_priv
  • mysql.tables_priv

View a Privilege Summary

SELECT on:

  • INFORMATION_SCHEMA.*
  • mysql.user

SHOW DATABASES

MySQL does not accept GRANT statements that name INFORMATION_SCHEMA. Every account can read it, but sees only the rows for objects on which it holds some privilege, so the summary covers only the schemas the FortiDB user can otherwise access.
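The MySQL grants above, as an added example; it is not the handbook's own script. The account name fortidb, the scanner host 10.0.0.5 and the application schema name appdb are assumptions. It also shows the one point where the list cannot be followed literally: INFORMATION_SCHEMA cannot be named in a GRANT, so a read-only grant on the schema to be summarised (appdb.* here) is what makes that schema's objects appear in the summary. The closing statements read the grants back and confirm what the account can see.

```sql
-- Added example (not FortiDB's own script): FortiDB account on MySQL.
-- Assumptions: the scanner connects from 10.0.0.5 (bind the account to that
-- host rather than '%'), the user is fortidb, the password placeholder is
-- replaced, and appdb is the application schema to be summarised.
CREATE USER 'fortidb'@'10.0.0.5' IDENTIFIED BY '<strong-password-here>';

-- "Run a VA Assessment" (including penetration test): the grant tables.
-- mysql.user carries the password hashes the penetration test works from,
-- which is why this account needs the protection of a DBA account.
GRANT SELECT ON mysql.user         TO 'fortidb'@'10.0.0.5';
GRANT SELECT ON mysql.db           TO 'fortidb'@'10.0.0.5';
GRANT SELECT ON mysql.columns_priv TO 'fortidb'@'10.0.0.5';
GRANT SELECT ON mysql.tables_priv  TO 'fortidb'@'10.0.0.5';

-- "View a Privilege Summary": SHOW DATABASES is a global privilege.
GRANT SHOW DATABASES ON *.* TO 'fortidb'@'10.0.0.5';

-- INFORMATION_SCHEMA cannot be granted on: MySQL rejects
-- GRANT SELECT ON information_schema.* with an access-denied error. Its
-- rows become visible once the account holds a privilege on the object a
-- row describes, so a read-only grant on the schema to summarise is what
-- puts that schema into the summary (assumed schema name: appdb).
GRANT SELECT ON appdb.* TO 'fortidb'@'10.0.0.5';

-- Check 1 (as the grantor): the account holds exactly the grants above.
SHOW GRANTS FOR 'fortidb'@'10.0.0.5';

-- Check 2 (connect as fortidb): schemas missing from this list are
-- invisible to the summary; appdb and mysql should appear.
SELECT table_schema, COUNT(*) AS visible_tables
  FROM information_schema.tables
 GROUP BY table_schema;
```

Binding the account to one source host is the cheapest control available here: it limits where a leaked scanner password can be used from, which matters more than usual for an account that can read mysql.user.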
