powerbroker databases: monitor & audit installation guide...this software is provided “as...

PowerBroker Databases

Monitor and Audit

Installation Guide

Revision/Update Information: April 2018Software Version: PowerBroker Databases: Monitor & Audit 6.9Document Revision: 0

COPYRIGHT NOTICECopyright © 2018 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is alsosubject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (“BeyondTrust”) orBeyondTrust’s authorized remarketer, if and when applicable.

TRADE SECRET NOTICEThis software and/or documentation, as and when applicable, and the information and know-how they contain constitute theproprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, andmay not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and whenapplicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying, modificationand use.

DISCLAIMERBeyondTrust makes no representations or warranties with respect to the contents hereof. Other than, any limited warranties expresslyprovided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FORA PARTICULAR PURPOSE.

LIMITED RIGHTS FARS NOTICE (If Applicable) If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. Thissoftware and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitationthat it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture,duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))

LIMITED RIGHTS DFARS NOTICE (If Applicable)If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject tolimited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at DFARS 252.227-7013.

TRADEMARK NOTICESPowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker for Desktops,PowerBroker for Virtualization, and PowerBroker Express are trademarks of BeyondTrust.SafeNet and SafeNet logo are registered trademarks of SafeNet, Inc. Copyright 2009, by SafeNet, Inc. All rights reserved. Product names of any third party remain the trademarks of such third party manufacturers and/or distributors, respectively.The Ready for IBM Power Systems Software logo is a registered trademark or International Business Machines Corporation and is usedunder license from IBM."JBoss" and the JBoss logo are registered trademarks of Red Hat, Inc. Copyright 2006 Red Hat, Inc. All rights reserved. The PDP runs on JBOSS Application Server 6.0. License: Lesser General Public License version 2.1 (LGPL v2.1)

FICTITIOUS USE OF NAMESAll names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead is entirelycoincidental.

OTHER NOTICESIf and when applicable the following additional provisions are so noted:Copyright 2003 Sun Microsystems, Inc. All Rights Reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditionsare met:1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.Neither the name of Sun Microsystems, Inc. or the names of contributors may be used to endorse or promote products derived fromthis software without specific prior written permission.

This software is provided “AS IS,” without a warranty of any kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. (“SUN”) AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

You acknowledge that this software is not designed or intended for use in the design, construction, operation or maintenance of anynuclear facility.

Locators in the product use the following libraries:1. Microsoft SQL Server JDBC Driver 3.0: License: in attached (Microsoft SQL Server JDBC Driver 3.02. JBOSS PicketLink 1.04: Identity Management Framework License: Lesser General Public License version 2.1 (LGPL v2.1) Details about product: http://www.jboss.org/picketlink/downloads.html3. JBOSS PicketBox 3.0: PicketBox is a Java Security Framework. License: Lesser General Public License version 2.1 (LGPL v2.1) Details about product: http://www.jboss.org/picketbox/downloads.html4.Apache Log4j: Logging License: http://logging.apache.org/log4j/1.2/license.html

Contents

PBDB‐MA Installation Guide 4 © 2018. BeyondTrust Software, Inc.

Contents

Introduction ............................................................................................................... 9

Conventions Used in This Guide ...............................................................................................9Font Conventions ...............................................................................................................9Linespacing Conventions ....................................................................................................9

Where to Go Next? ...................................................................................................................9Documentation Set for PowerBroker Databases: Monitor & Audit .................................10Contacting Support ..........................................................................................................10

Overview of PowerBroker Databases: Monitor & Audit ............................................ 11

PBDB‐MA Installed Components ............................................................................................11Understanding the PBDB Monitor Admin Console ..........................................................11Understanding PBDB Assessment Agents ........................................................................11Understanding the PBDB Assessment Console ................................................................12Understanding the PBDB Assessment Repository ............................................................12Understanding PBDB Agents ............................................................................................12

Understanding the Central Configuration Agent Role ............................................................13Understanding the Collection Agent Role ...............................................................................13Understanding the Loader Agent Role ....................................................................................14Understanding the Monitor Agent Role .................................................................................14

Understanding the Central Configuration Database ........................................................14Understanding the lmConsole Utility ...............................................................................14Understanding the PBDB Report Service .........................................................................14

PBDB‐MA Configured Components ........................................................................................15Understanding Assessment Packages ..............................................................................15Understanding Assessment Policies .................................................................................15Understanding Audit Policies ...........................................................................................15Understanding Audit Sources ...........................................................................................16Components .....................................................................................................................16Understanding Repositories .............................................................................................16

PBDB Tiered Deployment Architecture ..................................................................................17Typical PBDB‐MA Deployment Model ..............................................................................18

Planning Your Implementation ................................................................................. 19

Sizing Guidelines .....................................................................................................................19PBDB Server Sizing Guidelines ..........................................................................................19

Small / Medium Environments ...............................................................................................19Large Environments ................................................................................................................20

Repository Tier Sizing Guidelines .....................................................................................20Estimating Required Repository Disk Space Usage .................................................................20

Collection Tier Sizing Guidelines ......................................................................................21Estimating Required Number of Collection Tier Servers ........................................................21Collection Tier Sizing Example ................................................................................................22Server Guidelines ....................................................................................................................22Collection Tier Server Disk Space Requirement ......................................................................23

Contents


Audit DB Network Configuration ............................................................................................24General Network Configuration .......................................................................................24PBDB Server Network Configuration ................................................................................24Repository Tier Network Configuration ...........................................................................25Collection Tier Network Configuration .............................................................................25Audit Source Network Configuration ...............................................................................25Remote PBDB Assessment Agent Network Configuration ...............................................26

PBDB Server Configuration Considerations ............................................................................26Repository Tier Configuration Considerations ........................................................................27Collection Tier Configuration Considerations ‐ General .........................................................27

(DB2) Configuration Considerations ‐ Log Reading ..........................................................27(SQL Server) Configuration Considerations ......................................................................27(SQL Server) Scheduling Guidance for SQL Server Audit Sources ....................................28

Audit Source Configuration Considerations ............................................................................29Supported Character Sets ................................................................................................29Preparing an Audit Source for Collection .........................................................................30

(DB2) Prerequisites .................................................................................................................30(DB2) Native Audit Configuration ...........................................................................................32(DB2) Additional Parameters and Configuration Considerations ...........................................32(Oracle) Prerequisites .............................................................................................................33(Oracle) Redo Transaction Log Collection Configuration ........................................................33(Oracle) Supplemental Logging ...............................................................................................35(Oracle) Native Audit Collection Configuration ......................................................................35(SQL Server) Required Database Option Settings ...................................................................36(SQL Server) PBDB Monitor Agent Disk Requirements ...........................................................36

Permissions .............................................................................................................................37Installation Permissions ...................................................................................................37Ongoing Operations Permissions .....................................................................................37

Ongoing Operations Permissions ‐ PBDB Server .....................................................................37Ongoing Operations Permissions ‐ Repository Tier ................................................................38Ongoing Operations Permissions ‐ Collection Tier ..................................................................38Ongoing Operations Permissions ‐ Audit Source Tier .............................................................41

Planning Licensing ...................................................................................................................44

Preparing Your Environment ..................................................................................... 45

PBDB Server Prerequisite Checklist ........................................................................................45Operating System Account Setup ...........................................................................................47

UNIX .................................................................................................................................47Windows ..........................................................................................................................48

Installing PowerBroker Databases: Monitor & Audit ................................................. 49

Audit DB Installation Workflow ..............................................................................................49Installing the PBDB Server Core Software ..............................................................................51

Prerequisite Software .......................................................................................................51(Windows) PBDB Server Core Software Installation Checklist .........................................51(Windows) Typical Installation .........................................................................................53(Linux) PBDB Server Core Software Installation Checklist ................................................59(Linux) Typical Installation ................................................................................................61Post Installation Tasks ......................................................................................................68

Verify Agent has Started .........................................................................................................68

Contents


Logging In to the PBDB Monitor Admin Console ....................................................................69Changing the Default Password ..............................................................................................70Installing License Keys .............................................................................................................70Logging into the PBDB Assessment Console ...........................................................................71

Installing PBDB Monitor Agents ..............................................................................................72Collection Tier Prerequisite Software ..............................................................................72Audit Source Prerequisite Software .................................................................................73(Windows) PBDB Monitor Agent Installation Checklist ....................................................74(Windows) Installing a PBDB Monitor Agent ....................................................................74(Windows) Installing a PBDB Assessment Agent ..............................................................78(Windows) Installing Both a PBDB Monitor Agent and a PBDB Assessment Agent .........82(UNIX) PBDB Monitor Agent Installation Checklist ...........................................................89(UNIX) Installing a PBDB Monitor Agent ..........................................................................89(Linux) Installing a PBDB Assessment Agent ....................................................................94(Linux) Installing Both a PBDB Monitor Agent and a PBDB Assessment Agent ................97Post Installation Tasks ....................................................................................................104

(Windows/SQL Server 2000) Create the hname Driver ........................................................104(UNIX) Starting the PBDB Monitor Agent ..............................................................................105Verify PBDB Monitor Agent Heartbeat .................................................................................105

Support for 1024‐ and 2048‐bit Key Length Certificates with HTTPS ...................................106Windows Installation ......................................................................................................107Linux Installation ............................................................................................................107HTTPS/HTTP URL Access .................................................................................................107

Configuring PowerBroker Databases: Monitor & Audit ........................................... 108

Creating a Repository ...........................................................................................................108Understanding Repositories ...........................................................................................108(Oracle) Creating a Repository .......................................................................................109(SQL Server) Creating a Repository ................................................................................112

Configuring the PBDB Report Server ....................................................................................116Accessing the PBDB Report Server .................................................................................116Configuring the PBDB Report Server ..............................................................................117

Creating a Report Server Connection to PBDB Repository ...................................................117Modifying a PBDB Repository Connection ............................................................................120Restarting the PBDB Report Server .......................................................................................121Deploying PBDB Monitor Report Templates .........................................................................121Recommended PBDB Report Server Properties ...................................................................121Modifying Server Properties .................................................................................................122

Modifying the PBDB Monitor Admin Console Time‐out .......................................................123Configuring Assessment ........................................................................................................124

Adding Database Users to the PBDB Assessment Repository ...............................................124Loading Assessment Packages ..............................................................................................125

Validating Your PBDB‐MA Installation .................................................................... 126

Installation Validation Checklist ............................................................................................126Verifying the Central Configuration Agent Installation ..................................................127

(Windows) Verifying the Central Configuration Agent Installation ......................................127(Linux) Verifying the Central Configuration Agent Installation .............................................127

Verifying the Central Configuration Database Creation .................................................128Verifying the PBDB Monitor Admin Console Installation ...............................................128

Contents


Verifying the PBDB Report Service Installation ..............................................................128Verifying the lmConsole Installation ..............................................................................129Verifying Assessment .....................................................................................................130

Verifying PBDB Monitor Agent Installations .........................................................................130Verifying the Product License Key Installation .....................................................................131Verifying the PBDB Repository Creation ...............................................................................131

Alternative Implementations .................................................................................. 132

Deployment Model A ............................................................................................................133Deployment Model B ............................................................................................................134Deployment Model C ............................................................................................................134Deployment Model D ............................................................................................................135

Custom Installations ............................................................................................... 137

Understanding Custom Installations .....................................................................................137(Windows) Custom Installations ...........................................................................................139

(Windows) PBDB Server Custom Installation .................................................................139(Windows) Installing the Central Configuration Agent .........................................................139(Windows) Installing the PBDB Monitor Admin Console ......................................................141(Windows) Installing the PBDB Report Service .....................................................................143(Windows) Installing the lmConsole .....................................................................................144(Windows) Installing Assessment .........................................................................................145(Windows) Changing the PBDB Report Service Port Number ...............................................147(Windows) Changing the Name of the PBDB Report Server .................................................148Creating a PBDB Report Server Connection to Audit DB Repository ....................................148(Windows) Restarting the PBDB Report Server ....................................................................148

(Windows) Repository Tier Custom Installation .............................................................149(Windows) Collection Tier Custom Installation ..............................................................149

(UNIX) Custom Installations ..................................................................................................149(Linux) PBDB Server Custom Installation ........................................................................150

(Linux) Installing the Central Configuration Agent ................................................................150(Linux) Installing the PBDB Monitor Admin Console .............................................................152(Linux) Installing the PBDB Report Service ............................................................................154(Linux) Changing the PBDB Report Service Port Number .....................................................155(Linux) Changing the Name of the PBDB Report Server .......................................................156Creating a PBDB Report Server Connection to Audit DB Repository ....................................156(Linux) Restarting the PBDB Report Service ..........................................................................156(Linux) Installing the lmConsole ............................................................................................157(Linux) Installing Assessment ................................................................................................ 158

Understanding Unattended Installations .............................................................................159(Windows) PBDB Server ‐ Unattended Installation ........................................................159

(Windows) Unattended PBDB Server Installation Checklist .................................................159(Windows) Performing an Unattended PBDB Server Installation .........................................160

(Windows) Agents ‐ Unattended Installation .................................................................161(Windows) Unattended Agent Installation Checklist ............................................................161(Windows) Performing an Unattended Agent Installation ...................................................162

(Linux) PBDB Server ‐ Unattended Installation ..............................................................163(Linux) Unattended PBDB Server Installation Checklist ........................................................163(Linux) Performing an Unattended PBDB Server Installation ...............................................164

(UNIX) Agents ‐ Unattended Installation ........................................................................165(UNIX) Unattended Agent Installation Checklist ............................................................165

Contents


(UNIX) Performing an Unattended Agent Installation ..........................................................166

Configuring the PBDB Monitor Admin Console for a Non‐Default Port ...............................167

Uninstalling PowerBroker Databases: Monitor & Audit .......................................... 169

Audit DB Removal Workflow ................................................................................................169Uninstalling the Audit Source Tier ........................................................................................169

Removing an Audit Source .............................................................................................169(Windows/Unix) Removing a PBDB Monitor Agent .......................................................170

Uninstalling the Collection Tier .............................................................................................173(Windows) Removing a Collection Agent .......................................................................173(UNIX) Removing a Collection Agent ..............................................................................173

Uninstalling the Repository Tier ...........................................................................................174Removing a Repository ..................................................................................................174(Windows) Removing the Loader Agent ........................................................................174(UNIX) Removing the Loader Agent ...............................................................................175

Uninstalling the PBDB Server Core Software ........................................................................175(Windows) Removing All of the PBDB Server Core Software .........................................176(Windows/Linux) Removing PBDB Server Core Software ..............................................176

Index ...................................................................................................................... 179

Introduction


IntroductionThis guide provides information about the environment required to support PowerBroker Databases: Monitor & Audit, as well as detailed installation and configuration instructions for both Windows and Unix platforms.

This guide provides information for consultants, database administrators, network administrators, and others who are responsible for evaluating and preparing an environment and installing PBDB‐MA. This guide includes hardware requirements, software requirements, required permissions, recommended configurations, and installation procedures.

This section includes the document conventions, list of documentation for the product, and where to get additional product information.

Conventions Used in This GuideSpecific font and linespacing conventions are used in this book to ensure readability and to highlight important information such as commands, syntax, and examples.

Font Conventions

The font conventions used for this document are:

• Courier New Font is used for program names, commands, command arguments, folder paths, variable

names, text input, text output, configuration file listings, and source code. For example:

/etc/poweradvantage/product.cfg

• Courier New Bold Font is used for information that should be entered into the system exactly as shown.

For example:

paadmin

• Courier New Italics Font is used for input variables that need to be replaced by actual values. In the following example, variable-name, must be replaced by an actual environment variable name. For example:

result = getenv (variable-name);

• Bold is used for Windows buttons. For example:

Click OK.

Linespacing Conventions

The linespacing of commands, syntax, examples, and computer code in this manual may vary from actual Windows and Unix/Linux usage because of space limitations. For example, if the number of characters required for a single line does not fit within the text margins for this book, the text is displayed on two lines with the second line indented as shown in the following sample:

pkrun –c pathToCert –a someproc password=”PKUserPassword” path=”/tmp/sp”

Where to Go Next?For an overview of PowerBroker Databases: Monitor & Audit, detailed instructions on performing audit tasks including configuring the databases for auditing, and collecting data, see the PowerBroker Databases: Monitor & Audit User Guide.

Introduction


Documentation Set for PowerBroker Databases: Monitor & Audit

The complete PowerBroker Databases: Monitor & Audit documentation set includes the following:

• PowerBroker Databases: Monitor & Audit Installation Guide

• PowerBroker Databases: Monitor & Audit User Guide

• PowerBroker Databases: Monitor & Audit lmConsole User Guide

• PowerBroker Databases: Monitor & Audit Upgrade Guide

• PowerBroker Databases: Monitor & Audit Assessment User Guide

• Online help (for Windows)

• Man pages (for Unix/Linux)

Contacting Support

For support, go to our Customer Portal then follow the link to the product you need assistance with.

The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support

Within Continental United States: 800.234.9072

Outside Continental United States: 818.575.4040

Vulnerability Management Support

North/South America: 866.529.2201 | 949.333.1997

+ enter access code

All other Regions

Standard Support: 949.333.1995

+ enter access code

Platinum Support: 949.333.1996

+ enter access code

Online

http://www.beyondtrust.com/Resources/Support/



Overview of PowerBroker Databases: Monitor & Audit


Overview of PowerBroker Databases: Monitor & AuditPowerBroker Databases: Monitor & Audit monitors access to your information assets and issues alerts when fraud (as defined by your rules and policies) is detected. PBDB‐MA provides an audit trail that supports your data security requirements, including the following:

• Viewing of your data

• Changes to your data

• Changes to database schemas

• Changes to database permissions

PowerBroker Databases: Monitor & Audit provides an organizational view of compliance to your rules and policies, and generates alerts when your policies are violated. All data collected by Audit DB is stored in one or more Audit DB repositories where it is available for reporting and analysis. You use the PBDB Monitor Admin Console to manage all of your audit sources and repositories.

PBDB-MA Installed ComponentsWhen you install PowerBroker Databases: Monitor & Audit, you install and configure the following components:

• PBDB Monitor Admin Console

• PBDB Assessment Agents

• PBDB Assessment Console

• PBDB Assessment Repository

• PBDB Monitor Agents

• Central Configuration Database (CCDB)

• lmConsole utility

• PBDB Report Server and PBDB Monitor Report Templates

These components are described in the following pages.

Understanding the PBDB Monitor Admin Console

The PBDB Monitor Admin Console is a web‐based application that lets you set up, configure, and manage your Audit DB environment. The PBDB Monitor Admin Console communicates with the Central Configuration Database (CCDB), which stores your Audit DB configuration information. You use the PBDB Monitor Admin Console to perform the following tasks:

• Create, configure, manage, and remove repositories

• Add, configure, manage, and remove audit sources

• Create, modify, and delete audit policies and rules

• Monitor the data collection process

• Access the PBDB Report Server to generate and view reports

You install the PBDB Monitor Admin Console as part of the PBDB Server core software installation. If you have a custom implementation, the PBDB Monitor Admin Console must be installed after the Central Configuration Agent is installed and running.

Understanding PBDB Assessment Agents

The PBDB Assessment Agent is installed when you install Assessment using the PBDB Server core software installer. The PBDB Assessment Agent (LumigentVMgrAgent) runs as a daemon on Linux/UNIX and as a service on Windows. In a typical installation, a single agent installed when you install Assessment, can service multiple assessment targets of different types. These might include several database instances on different hosts, a local operating system file system, and several local “Oracle Home” file systems.



Caution! PBDB Assessment Agents are different from PBDB Monitor Agents, even though they are both called agents they are not interchangeable.

Note: Additional agents can be installed to meet auditing requirements or to improve performance.

Note: A PBDB Assessment Agent does not need to be installed on the computer that hosts the PBDB Assessment Repository.

Understanding the PBDB Assessment Console

The PBDB Assessment Console is a web‐based application that lets you set up, configure, and manage your Assessment environment. The PBDB Assessment Console communicates with the PBDB Assessment Repository, which stores your Assessment configuration information. You use the PBDB Assessment Console to perform the following tasks:

• Add, configure, manage, and remove components, component groups, and applications

• Clone, modify, manage, and delete Assessment policies

• Take assessments and view the collected data

• Take snapshot and view the collected data

• Configure and manage alert and report notifications

Understanding the PBDB Assessment Repository

The PBDB Assessment Repository is a relational database that contains installation and configuration information for Assessment, as well as information collected via assessments and snapshots. You can install the PBDB Assessment Repository on an Oracle or SQL Server database. The PBDB Assessment Repository is created by the installer.

The database owner for the PBDB Assessment Repository must be LUMIGENT_VMGR.

Caution! The database owner name must not be changed.

Caution! Although they both contain collected data and may exist on the same server and in the same database instance, the PBDB Assessment Repository and the PBDB Monitor Repository are not the same. These two repositories are each unique and should not be confused.

Understanding PBDB Agents

An agent is a generic term for a service that runs continuously and performs both scheduled and on‐demand tasks.

• On Windows, an agent runs as a service and appears in the Services list as lmEntegraAgent.

• On UNIX, an agent is a daemon process and appears in the process listing as lmEntegraAgent.

In PowerBroker Databases: Monitor & Audit, the PBDB Monitor Agent is the process that manages all PBDB‐MA activity on a given computer. You install one or more agents on each functional Tier in your environment. Agents are distributed across multiple computers and can perform different "roles" based on the configuration. Agents should be deployed as described in this Installation Guide.

Caution! PBDB Monitor Agents are different from PBDB Assessment Agents, even though they are both called "agents" they are not interchangeable.

Note: Each computer in your configuration can have only one PBDB Monitor Agent installed. However, each agent can perform all four roles, or any subset of these roles, depending on your Audit DB configuration.



The following table lists the agent roles and the functions for each role:

Understanding the Central Configuration Agent RoleThe first PBDB agent that you install, by default, fulfills the Central Configuration Agent role. When you install the Central Configuration Agent it creates the Central Configuration Database (CCDB) on the same computer. The CCDB stores configuration information about your Audit DB environment.

The Central Configuration Agent manages the CCDB and communicates configuration information to the other PBDB Agents in your environment. All other PBDB Agents connect to the Central Configuration Agent for configuration information and communicate their status to the CCDB via heartbeat messages.

Understanding the Collection Agent RoleA Collection Agent is responsible for the following tasks:

• Collecting audit data from audit sources

• Normalizing the data

• Executing filter‐based analysis of the data

• Creating an encrypted .ecz file for data transfer to the Repository

• Transferring the .ecz file to the Loader Agent (lmFilePump)

As soon as an .ecz file is transferred, the Loader Agent loads the collected data into the PBDB Monitor Repository Database. The Collection Agent also reports the audit source status to the Central Configuration Agent.

In the standard deployment model an agent is installed on the audit source to perform the Collection role. You use the Agent Tier installer to install PBDB Monitor Agents.

Table 1. Agent Roles

Agent RoleFunctional Tier

Agent Function

Central Configuration Agent

PBDB Server • Managing the Central Configuration Database (CCDB).

• Communicating configuration information to other

agents.

Collection Agent Collection Tier

• Provide database information used when creating and

configuring audit sources.

• Provide database information when creating rules.

• Reporting audit source status to the

Central Configuration Agent.

• Collecting data from the audit source log files and

preparing it to be loaded into the PBDB Repository.

Loader Agent Repository Tier

• Reporting repository status to the


• Loading and publishing collected data into the

repository.

PBDB Monitor Agent Audit Source Tier

• Provide database user and object information used

when creating rules.

• Report audit source status to the




Understanding the Loader Agent RoleA Loader Agent is responsible for the following tasks:

• Receiving the encrypted .ecz file from the Collection Agent

• Preliminary loading of collected data to the Repository

• Parsing the data and submitting it to staging, history, and lookup tables in the Repository

• Further processing the data and publishing it for efficient reporting.

• Purging data that is older than the retention period specified for the Repository

The loader agent publishes data on a schedule, at which point it is available to the PBDB Report Server for reporting. The agent installed on the Repository tier always fulfills the Loader Agent role. The Loader Agent also reports the status of the Repository to the Central Configuration Agent via regular heartbeat messages. In the standard deployment model the agent installed on the PBDB Server performs both the Central Configuration Agent and Loader Agent roles.

Understanding the Monitor Agent RoleThe Monitor role is involved with distributed management of agents. On most platforms the Monitor role and the Collector role are performed by the same agent. The exception to this is SQL Server audit sources, which require an agent installation on the audit source computer.

Understanding the Central Configuration Database

The Central Configuration Database (CCDB) is a set of database tables that Audit DB uses to store metadata about your Audit DB environment. The information that is stored in the CCDB includes the following:

• Network connectivity information for all computers in your configuration

• Login information for each server

• Configuration options for each component

• History information about Audit DB tasks performed on each server

When you install the Central Configuration Agent, the installer creates the Central Configuration Database on the same computer. By default, the CCDB is named "lumigent."

Understanding the lmConsole Utility

The lmConsole Utility provides a command line interface that you can use instead of the PBDB Monitor Admin Console to configure and manage PBDB‐MA components. You can use the lmConsole to perform the following tasks:

• Create and manage audit sources

• Monitor status for

– agents

– audit sources

– Repositories

The lmConsole is useful for managing large installations. Its batch operations make it easier to create and manage large numbers of audit sources. The lmConsole supports configuring audit sources in clustered and non‐clustered environments.

You install the lmConsole as part of the PBDB Server core software installation.

Understanding the PBDB Report Service

The PBDB Report Service is the application you use to view your audited data collected in the Repository. Using prepared reports, you can view your audited data in aggregate and apply filters to easily find the data you need. The PBDB Report Service offers many scheduling and report delivery options.

You install the PBDB Report Service as part of the PBDB Server core software installation.



PBDB-MA Configured ComponentsIn addition to the software components that you install, there are several different configuration components that make up your PowerBroker Databases: Monitor & Audit implementation.

The following configuration components are created and/or managed using the PBDB Monitor Admin Console.

• Audit Policies

• Audit Sources

• PBDB Repository

The following configuration components are created and/or managed using the PBDB Assessment Console or other Assessment utilities.

• Assessment Packages

• Assessment Policies

• Components

Understanding Assessment Packages

Assessment Packages are XML files that contain the definitions of what security items the system is capable of assessing and reporting on. The XML file contains descriptions, parameters, rules, and scripts that apply to a particular type of component that you may want to assess. For example, “Oracle RDBMS Schema” and “SQL Server 2000 RDBMS Schema” are Component types. These content packages are regularly enhanced to include checks for newly discovered weaknesses or security vulnerabilities.

You use the PackageLoader utility to load Assessment Packages to the PBDB Assessment Repository. When you load an Assessment Package, you load the following data definitions into the PBDB Assessment Repository:

• Assessment Items — An Assessment Package defines the default list of assessment items for a component

type. You can clone assessment items or use templates to create custom assessment items.

• Snapshot Items — An Assessment Package defines the default list of snapshot items for a component type. You

can clone snapshot items or use templates to create custom snapshot items.

• Ad Hoc Reports — An Assessment Package defines the default ad hoc reports available for a component type.

You can clone ad hoc reports to create custom ad hoc reports.Note: You must load Assessment Packages before you can create components of a particular type.

Understanding Assessment Policies

A policy is a collection of assessment items, snapshot items, and ad hoc reports that apply to a one or more component types. The properties and parameters of a policy determine the data that Assessment collects when running an assessment or snapshot, and what data is available in ad hoc reports.

The Default Policy is a compilation of the pre‐configured data contained in each of the Assessment Packages that you have loaded into the PBDB Assessment Repository. When you load an Assessment Package, the component types, assessment items, snapshot items, and ad hoc report information in the package are added to the Default Policy. If you do not create custom policies and assign them to components, component groups, or applications, Assessment uses the Default Policy when performing operations.

Understanding Audit Policies

An audit policy is a uniquely named group of audit rules. You use an audit rule to define what data to audit and what to do with the collected data. An audit rule specifies a set of conditions for evaluating database activity and a list of actions to carry out when activity matches the rule conditions.

You can group audit rules into audit policies according to your needs. For example, if you have several audit sources in your Audit DB configuration, you can create a separate audit policy for each audit source. You can also have several audit policies assigned to a single audit source.



Audit rules are assigned to audit policies and audit policies are assigned to audit sources.

For your convenience, PBDB‐MA provides several pre‐populated audit policies to use for the most common auditing tasks. Each audit policy has one or two pre‐populated audit rules assigned to it. You can also create custom audit rules and policies for your own specific auditing needs.

Understanding Audit Sources

An audit source is one database server instance that is monitored (audited) by an agent. The agent gathers information about database activity based the policies and rules that you have configured for the audit source. You can have one or more audit sources in your implementation.

You use the PBDB Monitor Admin Console to set up and configure audit sources. This configuration information is stored in the Central Configuration Database. When you add an audit source, you must specify the Repository to store the data collected from that audit source. Therefore you must create at least one Repository before you add audit sources to Audit DB.

Each audit source in your configuration uses or consumes a PBDB‐MA license. When you are planning your PBDB‐MA implementation, you should estimate the number of audit sources that will be monitored, and plan your licensing accordingly.

Components

An Assessment Component is an audit target for assessments and snapshots.

You load Assessment Packages to add component types to your environment, then add and configure instances of components. For example, in order to monitor Oracle databases you must first load the Oracle RBMS package into the PBDB Assessment Repository. Then you can create (or register) a component for each Oracle database that you want to monitor using Assessment.

The rules and scripts associated with a specific Component type will be executed against components of that type by the PBDB Assessment Agent whenever an assessment, snapshot or report is executed against those instances.

Understanding Repositories

A PBDB Repository stores data collected by one or more Collection Agents. A single Repository may store audit data from multiple audit sources, including a mixture of DB2, Oracle, SQL Server, and Sybase data.

A Repository consists of an offline portion and an online portion:

• The offline portion is a set of encrypted flat files (.ecz files) which contain collected data. These files are used to

populate the Repository, and for archiving purposes.

• The online portion is the PBDB Monitor Repository Database. This is a set of SQL tables that contains recent

audit data, as well as metadata used by other Audit DB functions.A PBDB Repository is associated with one or more Collection Agents, which collect the data that is stored in the Repository. The PBDB agent that is installed on the Repository computer performs the role of the Loader Agent. To make collected data available to the PBDB Report Server, you must publish the data after it has been loaded into the Repository. When you create a Repository, you specify publishing schedule and data retention period for this Repository. At publishing time, data loaded since last publish becomes available to the PBDB Report Server and data that remained in the Repository longer than the specified retention period is purged.

You create and configure Repositories using the PBDB Monitor Admin Console. Configuration information about the Repository is stored in the Central Configuration Database.

Each PBDB Repository in your configuration uses or consumes a PBDB‐MA license. When you are planning your PBDB‐MA implementation, you should estimate the number of Repositories that will be required, and plan your licensing accordingly.



Note: The PBDB Report Service also has a repository component that stores configuration data. To help avoid confusion, the Audit DB or PBDB Repository refers to the repository that stores audited data, and the PBDB Report Server Metadata Repository refers to the repository that contains PBDB Report Server configuration data.

PBDB Tiered Deployment Architecture Architecturally, a Audit DB platform can be thought of as a set of functional tiers, based on the role being performed by the PBDB Monitor Agent. Specifically, a tier is comprised of the functions performed by the PBDB Monitor Agent, as well as Audit DB components associated with the agent function. For more information about agent roles, see “Understanding PBDB Agents,” page 12.

This guide describes the recommended deployment in detail. The following sections provide detailed technical guidance related to supported environments, prerequisites, permissions, and scaling.

Functional TierAgentRole

Descriptions

PBDB Server Central Configuration Agent role

A single server computer hosts system management and configuration components. You install the following PBDB Server core software on this tier: PBDB Monitor Agent, PBDB Monitor Admin Console, Central Configuration Database, PBDB Report Server, lmConsole, PBDB Assessment Agent, and PBDB Assessment Console.

Repository Tier Loader Agent role

You install the following Audit DB components on each computer in this tier: PBDB Monitor Agent and PBDB Monitor Repository Database.In most cases, a single repository is hosted on a single data server (typically the same computer as the PBDB Server core software). For high volume implementations, the Repository Tier can scale with added repositories and servers if needed, but this is not typically required. For guidance on scaling the Repository Tier, see “Repository Tier Configuration Considerations,” page 27.

Collection Tier Collection Agent role

You install a PBDB Monitor Agent on each computer in this tier. In the standard implementation, agents installed on the audit sources perform the collection role.Large or high volume implementations should have at least one dedicated collection server running the Collection Tier. The Collection Tier can scale with additional collection servers if necessary. One collection server can serve many target audit sources. For guidance on scaling the Collection Tier, see “Collection Tier Sizing Guidelines,” page 21.

Audit Source Tier Monitor Agent role

The Audit Source Tier is comprised of the production database servers that have been targeted for auditing by PBDB‐MA. You install a PBDB Monitor Agent on each computer in this tier.



Typical PBDB-MA Deployment Model

You can technically deploy the PBDB‐MA Core Platform in many different topologies ranging from a very simple deployment with all of the software components running on a single computer, to complex deployment involving a network of many PBDB‐MA components distributed across multiple network domains. However, in order for PowerBroker Databases: Monitor & Audit to function in a reliable manner you must deploy it in the distributed configuration described in this document. The recommended and supported topology is to install the PBDB‐MA components as described in this section.

Note: For additional supported deployment topologies, see “Alternative Implementations,” page 132.

The standard implementation requires a single server which hosts the PBDB Server core software and the Repository tier. You install the following PBDB Server core software on the PBDB Server:

• PBDB Monitor Agent performing both the Central Configuration Agent and Loader Agent roles.

• Central Configuration Database


• PBDB Report Service

• lmConsole

• PBDB Monitor Repository Database

In addition, you install a PBDB Monitor Agent on each of the audit sources. This agent performs both Collection and Monitor roles.

Planning Your Implementation


Planning Your ImplementationThis section is intended for your implementation project manager and other members of the implementation team. These individuals might include database administrators, network administrators, and the Audit DB system administrator.

Sizing GuidelinesUse the guidance in the following sections to assess your hardware requirements for your Audit DB implementation.

PBDB Server Sizing Guidelines

PBDB Server sizing is subject to many variables. The following section can be used to guide you in your resource sizing efforts, but the only way to guarantee that you have appropriately resourced the PBDB Server for your environment is to test with a representative load volume.

The primary variables in the sizing of the PBDB Server are the following:

Number of agents ‐ The total number of agents impacts sizing. Each agent is interacting with the PBDB Server by sending heart‐beat notifications, submitting messages to the PBDB‐MA log, and submitting collection progress history markers. The PBDB Servermust scale to handle the transaction rate associated with management of distributed agents.

• Number of reports generated daily ‐ The PBDB Server must support the PBDB Report Server in its generation

of reports, archiving of published reports, and providing access to reports through the portal. The larger the number of reports generated over the period of a day, the more resources are required.

The following table provides PBDB Server sizing guidance based on the number of audit sources that will be monitored by the system, and the frequency with which they are collected.

Small / Medium EnvironmentsThe PBDB Server core software can be installed and run on a single server computer. For a small to medium sized implementation, use the following guidelines:

Table 2. PBDB Server Sizing

Agents 1 report/day 10 reports/day 100 reports/day

1 Small Small Medium

< 5 Small Medium Large

< 25 Medium Medium Large

< 50 Medium Medium Large

50 + Medium Large Large

Table 3. Small to Medium Environments

Requirement Value Notes

Processor Quad Core Intel Xeon 2.0 GHz x64

Physical Memory (RAM)

> = 2 GB



Large EnvironmentsThe PBDB Server core software can be installed and run on a single server computer. For a large implementation, use the following guidelines:

Repository Tier Sizing Guidelines

Repository Tier sizing in a specific environment is subject to many variables. The following section can be used to guide you in your resource sizing efforts, but the only way to guarantee that you have appropriately resourced the Repository Tier for your specific environment is to test with a representative load volume.

In most cases the Repository Tier can be installed and run on a single data server. The Repository Tier can be scaled by adding additional repository servers, if needed, but this is not typically required. A single repository can also scale with hardware resources and appropriate database configuration. The scalability of a given repository is primarily a function of the database platform chosen to host the Audit DB repository.

Estimating Required Repository Disk Space UsageThere are many variables involved with repository sizing, both external and internal. The primary external variables in the sizing of the Repository Tier are the following:

• Number of audit sources being monitored.

• Average size of the audit trail generated from a single audit source.

• The online retention period for the repository.

• Internal overhead (indexing, demoralization for reporting, and others).

With these deployment specific variables, providing general guidance for the repository sizing requirement is very difficult. The approach that will yield the most accurate estimation is extrapolation from a controlled sample collection.

Disc Space 100 GB Dependent on number of reports being archived.

Table 4. Large Environments


Processor 2x Quad Core Intel Xeon 2.0 GHz x64


> = 4 GB

Disc Space 250 GB Dependent on number of reports being archived.

Table 3. Small to Medium Environments




Collection Tier Sizing Guidelines

One collection server can serve multiple audit sources. The number of servers required for the Collection Tier is dependant on the number of audit sources.

Collection Tier sizing is subject to many variables. The following section can be used to guide you in your resource sizing efforts, but the only way to guarantee that you have appropriately resourced the Collection Tier for your environment is to test with a representative load volume.

The Collection Tier can be scaled in two dimensions.

• Collection agents themselves can scale with server capacity.

• Also, the Collection Tier can be scaled by adding additional collection servers to the tier (each running a

collection agent that can be assigned to collect data from N audit sources).

Estimating Required Number of Collection Tier ServersThe following formula provides a rough guideline for estimating the number of servers in the Collection Tier, and the number of audit sources assigned to each server.

N * La / (Lc * C * Tw) = MWhere

• N = number of audit sources.

• La = average load on the audit source.

• Lc = per collection load processing capacity associated the with specification of the Collection Tier computers

chosen (a given computer’s capacity for handling load).

• C = Concurrency value. The number of collections that can run simultaneously.

• Tw = Collection time window. The period of time each day during which collections will be scheduled.

• M = number of computers required.

La: average load on the audit source

For log reading, the obvious variable is the volume of log data generated per day, expressed in gigabytes of log data per day. For database architectures such as Microsoft SQL Server where multiple databases are associated with the audit source, this number is the total log volume associated with all audited databases on the instance.

Lc: per collection load processing capacity

A collector’s capacity to process log data is highly variable for log data collections. It is dependent on the following variables:

• Target database platform

• Pattern of activity (batch vs. OLTP)

• Density of operation types (insert, update, delete)

• Transaction sizes

• Hardware resources.

Note that capacity must be determined through testing in a test environment that is representative of the production environment where Audit DB will be deployed.



The following table contains capacity values that can be used as a starting point in the testing effort:

C: collection concurrency

Collections can be parallelized in two ways.

• One, multiple audit sources can be scheduled for collection at the same time.

• Two, the “CollectorConcurrency” collection option can be set to a value > 1. This will configure the system to

run parallel collections of databases within a specific audit source.

Tw: time window

Theoretically, collections can be scheduled throughout the entire day. However, in many cases, customers choose to schedule collections during off hours.

Collection Tier Sizing ExampleIf we assume an environment with 20 log reading audit sources (N), and average load of 15 GB of log data per day (La), a processing capacity of 100 MB/minute (Lc), and a collection window of 9 hours (540 minutes), and a concurrency of 2, the number of collection servers in the Collection Tier can be roughly determined as:

20 * 15,000 / (100 * 2 * 540) = 2.78or …

3 collector servers required in the Collection Tier.

Server GuidelinesThe following server specification will provide adequate resources for a collection concurrency (C) of 2.

Collection TypeLc Per/Minute

DB2 Log Reading 100 MB

Oracle Log Reading 100 MB

SQL Server Log Reading 50 MB


Processor Quad Core Intel Xeon 2.83 GHz x64

2 CPUs for collection, 1 for agent overhead, 1 for overflow


4GB

Disk Space 500GB The disk requirement is highly variable. It is dependent on volume of activity against target servers, database platform, and audit configuration.



A computer meeting the specification above can deliver adequate resources for the following processes running simultaneously:

• Two running collection processes: Collection can be run in parallel either by having multiple audit sources

configured with the same collection schedule (for example, AS1 and AS2 are both configured to be collected daily at T0), or one audit source with the “CollectorConcurrency” setting set to a value > 1 (“CollectorConcurrency” is a configuration variable that controls parallel processing of databases from a single DB2, SQL Server, or Sybase audit source. By default, this value is set to 1). Collections are resource intensive. Each collection will consume a CPU, a significant amount of RAM, and potentially a significant amount of disk space. Actual usage is highly variable, and is directly dependent on the database platform type targeted by the specific collection, the volume of activity generated against the target database instance, and the audit configuration.

• General agent processing ‐ The Collection Agent itself has a minimal resource requirement unrelated with

collection. This agent must be responsive to configuration changes, heartbeat schedules, and data transfers. General agent processing is not resource intense.

• Overflow ‐ This specification reserves resourcing to provide some capacity for handling overflow situations like

collection collisions (a collection runs long resulting in 3 collections running simultaneously), audit data transfer overflow (for example, the repository server is down for a period of time and audit data queues up on the Collection Tier computer until the repository is back online), and collection failure (for example, collection fails to finish at scheduled times resulting in accumulation of interim audit data such as .ETZ files).

Collection Tier Server Disk Space RequirementDisk utilization by collection processes is highly variable, and difficult to generalize. Collection Tier servers must have appropriate disk space allocated to them to accommodate the volumes of data in the specific environments.

The following types of data are temporarily stored on disk on Collection Tier servers:

• Overhead ‐ Diagnostic logs, cached configuration files and other data is stored in the \halogenated folder. This

will consume a maximum of 500 Mobs.

• Audit trail ‐ The agent generates a set of .ECZ files. These files contain audit trail data that is in the process of

being collected, or audit trail files that have not yet been transferred to a destination repository will be stored in the \Agent\Data\Collector folder on the Collection Tier. A set of ECZ files is generated for each audit source at each scheduled collection. ECZ files are compressed. Disk utilization associated with this can be large depending on activity patterns, volume and audit configuration.

• Temporary Reconstruction Cache Tables ‐ (SQL Server only) Log reading collections against SQL Server audit

sources utilize data caching techniques to optimize the reconstruction of before and after values for UPDATE statements. Disk utilization associated with this is limited to the duration of an actual collection. Disk space consumed by cache tables is freed when the collection process exits. Disk space consumption associated with this can be large depending on activity patterns and volume.

An accurate prediction regarding disk space requirements for a Collection Tier in a particular environment can only be achieved through representative testing. However, use the following guidance for rough estimation and budgetary planning:

• Overhead ‐ ~500 MB

• Space Per Audit Source ‐ multiply the sum total of the following by the number of audit sources assigned to this

collection server:

– ECZ Space Requirement ‐ 500 MB

– (SQL Server Only) Reconstruction Cache Table ‐ 1 x (db total transaction log size for collection period).

– Overflow ‐ The overflow should be 2x the longest amount of time between successful collections. This overflow will allow the system to handle and recover from outages and spikes in volume.



Audit DB Network ConfigurationNetwork Administrators should use the information in this section to prepare the network environment for your Audit DB implementation.

General Network Configuration

Ensure that TCP/IP is enabled.

If going through a proxy, the ports listed in the following sections should be opened bi‐directionally.

Make sure that the host name and DNS names match for all computers that will be part of the Audit DB implementation. A host’s name must be the same throughout the network so that the PBDB Monitor Agents can resolve the DNS name.

Assessment Database Discovery Component

The Assessment Database Discovery Component allows you to identify database servers running on your network. The snapshots and reports within this Assessment Package achieve this by probing network ports on a range of host addresses on your network. Discovered databases are included in reports and snapshots.

Caution! Network port scanning is often considered a hostile action by network and system administrators. Some firewalls and network monitoring software may trigger alerts in response to the use of the Assessment Database Discovery Component. Be sure to consult with your network and/or system administrators before loading and using this Assessment Package.

PBDB Server Network Configuration

The following ports must be opened in a firewall for the PBDB Server:

Table 5. Ports that must be opened for the PBDB Server

Port Protocol Purpose

80 Report Server connector port.

8005 Report Server server port.

8009 Report Server Apache JServe Protocol (AJP) connector port.

8443 https Report Server SSL connector port (Used only when SSL is enabled.)

9080 Port used to access the Assessment computer if not installed on the PBDB Server.

10080 http Provides user access to the PBDB Monitor Admin Console via a browser.

10090 http Provides user access to the Report Server via a browser.

15100 PBDB Assessment Agent Listener.

15101 Assessment Local Administration port.

16400 https All distributed agents must be able to communicate to the CCDB agent over this port.

16401 https Clients of the configuration API must be able to access the CCDB agent via this port.



If using Oracle as a CCDB, Oracle Networking must be configured so that the Central Configuration Agent can connect to the CCDB. Typically this is done in the Oracle TNSNAMES.ORA file.

Repository Tier Network Configuration

The following ports must be opened in a firewall for the Repository Tier:

You must configure database networking to allow the Loader Agent access to the Repository.

Oracle Networking must be configured so that the Repository agent can connect to the Repository. Typically this is done in the Oracle TNSNAMES.ORA file.

Collection Tier Network Configuration

The following ports must be opened in a firewall for the Collection Tier:

Collection computers must be able to access the target database (audited database instance) via native network database protocol, for example, Oracle OCI, SQL Server ODBC, and so on.

Audit Source Network Configuration

The following ports must be opened in a firewall for the Audit Source Tier:

16402 https Clients of the configuration API must be able to access the CCDB agent via this port.

45450 Report Server listener port. The Report Server Studio authoring tool uses this port to communicate with the Report Server.

Table 6. Ports that must be opened for the Repository Tier


16400 https Audit DB distributed agent protocol server (inter‐agent communication, configuration, and so on).

Table 7. Port to open for the Collection Tier


16400 https All distributed agents must be able to communicate to the CCDB agent over this port.

Table 8. Port to open for the Audit Source Tier


16400 https PBDB Monitor Agent port

Table 5. Ports that must be opened for the PBDB Server




For clustered audit sources Audit DB refers to a single virtual IP used to identify the clustered instance. Audit DB requires that the virtual IP for the instance not change.

Remote PBDB Assessment Agent Network Configuration

The following ports must be opened in a firewall for remote PBDB Assessment Agents:

PBDB Server Configuration ConsiderationsCaution! The PBDB Monitor Agent running on the PBDB Server should not be used as a Collection Agent. While

this is technically possible to assign the Central Configuration Agent to an audit source in a collection role, it is not a supported configuration.

Note: The PBDB Server core software is not supported on clustered servers. These components must be installed on a separate, non‐clustered server.

The PBDB Monitor Admin Console and PBDB Report Service are web‐based applications that can be viewed in the following supported browsers:

• Microsoft Internet Explorer 9.0

• Microsoft Internet Explorer 8.0

• Mozilla Firefox 9.0

• Mozilla Firefox 8.0

The default PBDB Report Service license key is generated for up to 4 CPUs. Computers with more than 4 CPUs require a larger capacity license at additional cost.

The PBDB Report Server stores all information about the reporting environment in a database. The configuration options for this database are as follows:

• Custom (Recommended) ‐ Always create a separate database on SQL Server or schema on Oracle for the

PBDB Report Server Metadata Repository.

• (Intellicus) Repository ‐ Automatically creates a database in local HSQLDB file based database. Not

recommended for production deployments.

Oracle Considerations

The CCDB agent service account must be run by a user account that has access to the database hosting the CCDB. The Central Configuration Agent must be able to access the target Oracle database hosting the CCDB via local naming (TNSnames.ora). If an Oracle Central Configuration instance has an alias name configured, the alias name and the SID name must be the same. If they are different, the PBDB Monitor Admin Console will not connect.

Table 9. Ports to open in firewall


15100 Agent Listener Port

15101 Local Administration Port



Repository Tier Configuration ConsiderationsFor large environments, hosting repositories on Oracle is recommended. The PBDB Repository implementation on Oracle is more scalable than the implementation on SQL Server. This is due to the fact that the Oracle implementation leverages range partitions. The use of range partitions make loading, indexing, and purging of data much more scalable.

Caution! The PBDB Monitor Agent running on the Repository Tier should not be used as a Collection Agent. While this is technically possible to assign the Repository Tier agent (Loader role) to an audit source in a collection role, it is not a supported configuration.

Collection Tier Configuration Considerations - GeneralNote: It is a requirement that a collection server in the Collection Tier share endianness with the audit sources

from which it is configured to collect data.

Collection Tier servers cannot be clustered servers.

Note: In a clustered Oracle RAC implementation, the collection server must have read access to the archived Redo Logs on each clustered node.

(SQL Server) The audit source host and Collection Tier host acting as the collector must be in the same Windows domain.

The Operating System Shared Memory parameter must be set to a minimum of 6MB.

(DB2) Configuration Considerations - Log Reading

Note: For most DBMS platforms, installing PBDB Monitor Agents locally on the same server that is hosting an audit source is not recommended. However, when auditing DB2 LUW instances with Audit DB Log Reading technology a PBDB Monitor Agent (Collection role) must be installed locally on the server hosting the audited database server instance.

The guidance listed in this chapter can be applied to local installations of the PBDB Monitor Agents for log reading collections against DB2 audit sources.

(SQL Server) Configuration Considerations

Audit DB log reading technology implementation for SQL Server is a mature and reliable technology that can generically collect a rich audit trail independent of schema, table types, column types, or activity types. However, there are some special configuration considerations and limitations associated with this technology. The limitations and considerations detailed in this section are specific to Audit DB log reading technology implementation for Microsoft SQL Server, and do not apply to log reading on Oracle or DB2.

Caution! This technology requires that PowerBroker Databases: Monitor & Audit collections be run during a period of time where NO batch data manipulation or maintenance jobs are running. Any batch activity running during a collection has the potential to cause the collection to fail.

The reason for this is that Audit DB must collect data from a database’s online transaction log. Batch activity can cause the online transaction log to recycle itself (the log is circular buffer and is overwritten over time) during the Audit DB collection. This will cause the collection to fail. Batch jobs that result in data change of large contiguous ranges of a table’s or database’s overall data set are particularly disruptive to the Audit DB log reading collection process on SQL Server.

The audit source object filtering feature can be used to exclude tables that are the target of high volume activity.

Careful evaluation of activity patterns on the target SQL Server databases and testing of Audit DB software must be done with any planned deployment to a SQL Server database environment to ensure reliable collections.



(SQL Server) Scheduling Guidance for SQL Server Audit Sources

Different collection scheduling strategies are appropriate depending on the activity pattern on a target SQL Server database.

Table 10. Online Transaction Processing (OLTP) Activity Patterns

Pattern Collection Schedule Example

24/7: These are systems that run a constant level of OLTP type activity.

• Frequent and Predictable: the

more frequent the collection, the smaller the log set to process. The smaller log sets are more optimal for our collection.

• Immediately following a

transaction log backup.

For a system that runs transaction log backups every 6 hours at 12:00 AM, 6:00 AM, 12:00PM, 6:00PM, scheduling 4 collections to immediately follow those backups might be appropriate. For example, collection could be scheduled to run at 12:10 AM, 6:10 AM, 12:10PM, 6:10PM might be optimal.

Peaks & Valleys: These are systems that have predictable high and low activity periods. For example, systems where a majority of the activity occurs during business hours.

• Off‐peak: Run collections during

down time.

• Perform a transaction log

backup immediate before the collection (do not start the collection until the transaction log back has finished).

If activity is heavy between 8:00 AM and 7:00 PM, schedule a transaction log backup at 8:00, and a daily collection at 8:10 PM.

Table 11. Batch Activity Patterns

Pattern Collection Schedule Example

Predictable Peaks & Valleys: These are systems where daily, weekly, and monthly batch activity occur at predictable times. Also where there are predictable periods where batch activity is not running.

• Schedule collections to minimize

potential for collision with batch activity.

• Follow batch periods with a

transaction log backup and a collection.

For a system that runs batch activity daily between 1:00am and 3:00am (with a period of low activity following). Schedule a transaction log backup at 3:00 am, and a collection at 3:15am.

Unpredictable or Continuous Activity: These are systems where batch activity occurs continuously or on an unpredictable schedule.

• These environments can exceed

the limits of the log reading technology. A thorough analysis of activity patterns needs to be done to determine if a collection schedule that minimizes collisions can be set.

• Audit source object filtering

must be used to exclude targets of batch activity.



Audit Source Configuration ConsiderationsThis section describes configuration considerations and how to prepare audit sources for collections.

Supported Character Sets

PowerBroker Databases: Monitor & Audit 6.9 only certifies against, and supports environments with an ISO 8859 ‐1(also referred to as Latin‐1) character set. In order to be considered a “supported” environment, all computers running PowerBroker Databases: Monitor & Audit software must conform to the character set restriction. Audit DB certifies only on English (US) language operating system, but its supported on any set of computers conforming to the ISO 8859‐1 standard.

ISO 8859‐1 supports the following language:

Afrikaans, Albanian, Basque, Breton, Catalan, Danish, Dutch, English, Estonian, Faeroese, Finnish, French, Gaelic, Glassine, German, Islands, Irish, Italian, Kurdish, Latin, Luxembourgish, Norwegian, Occitan, Portuguese, Spanish, Swahili, Swedish, Walloon, and Welsh.

For more information about ISO 8859‐1:

http://en.wikipedia.org/wiki/ISO‐8859‐1#ISO‐8859‐1



Preparing an Audit Source for Collection

This section describes the steps you take to prepare an audit source for log reading.

(DB2) PrerequisitesThis section describes the steps you take to prepare a DB2 audit source for log reading.

To check if a database is in Archive mode, you can run the following:

DB2 get db cfg for <db name> |find -i "log"The resulting output should be similar to the following example:

Table 12. DB2 prerequisites for log reading

Setting / Parameter Description Notes

LOGARCHMETH1 (in DB CFG)

The audited database must be in ARCHIVE mode where the database will make copies of transactions logs after they are filled. The transaction logs are read by the Audit DB collection process.1. CONNECT TO <development database> user <user

name> using <password>

2. QUIESCE DATABASE IMMEDIATE FORCE CONNECTIONS

3. UNQUIESCE DATABASE

4. CONNECT RESET

5. UPDATE DB CFG FOR <development database> USING logarchmeth1 "DISK:/udb/db2inst1/ArchiveFiles/" logprimary 3 logsecond 2

A backup must be taken before the first collection

Table 13. Output from checking whether a database is in Archive mode

Name Value

Log retain for recovery status No

User exit for logging status Yes

Catalog Cache Size (4K) (CATALOGCACHE_SZ) = (MAXAPPLS*4)

Log buffer size (4KB) (LOGBUFSZ) = 8

Log file size (4KB) (LOGFILSIZ) = 1000

Number of primary Log Files (LOGPRIMARY) = 3

Number of secondary log files (LOGSECOND) = 2

Changed path to log files (NEWLOGPATH) =

Path to Log files C:\DB2\NODE0000\SQL00002\SQLOGDIR\

Overflow log path (OVERFLOWLOGPATH) =

Mirror Log path (MIRRORLOGPATH) =

First active log file S0000000.LOG



Block log on disk full (BLK_LOG_DSK_FUL) = NO

Percent of max active log space by transaction

(MAX_LOG=0)

Number of active log files for 1 active UOW

(NUM_LOG_SPAN)=0

Percent log file reclaimed before soft checkpoint

(SOFTMAX)=100

Log retain for recovery enabled (LOGRETAIN) = OFF

User exit for logging enabled (USEREXIT) = OFF

HADR log write synchronization mode (HADR_SYNCMODE) = NEARSYNC

First log archive method (LOGARCHMETH1) = DISK:\DB2\archive_dir

Options for logarchmeth1 (LOGARCHOPT1)=

Second log archive method (LOGARCHMETH2) = OFF

Options for logarchmeth2 (LOGARCHOPT2)=

Failover log archive path (FAILARCHPATH)=

Number of log archive retires on error (NUMARCHRETRY)=5

Log archive retry Delay (secs) (ARCHRETRYDELAY)=20

Log pages during index build (LOGINDEXBUILD) = OFF

Table 13. Output from checking whether a database is in Archive mode

Name Value



(DB2) Native Audit ConfigurationAudit DB can collect information from an audited database's audit trail for DDL activity. To turn on the db2audit facility use the following settings and commands:

(DB2) Additional Parameters and Configuration Considerations1. DB2 environment variable DBINSTHOME needs to be set to the instance being audited.

2. To collect DML (Before and After) values:

For each table, you must execute the following command:ALTER TABLE <table name> data capture changes

3. To collect session specific information:

Execute the following command:db2set DB2_LOGGING_DETAIL=AUTHID

Table 14.


db2audit start Turns on the db2audit facility

You can turn off the DB2 native auditing by running db2audit stop.

db2audit configure scope audit, objmaint, checking, sysadmin, validate, secmaint status both errortype normal

Specific the scopes to collect DDL and DCL information.

Caution! The context scope is turned off to prevent performance problems. Turning this parameter on can cause serious database issues.



(Oracle) PrerequisitesThis section describes the steps you take to prepare an Oracle audit source for log reading.

(Oracle) Redo Transaction Log Collection ConfigurationAudit DB requires that the audited database be in archive log mode in order to generate transaction redo log files that will then be processed by the collector to generate audit data. The following settings must be enabled/set.

To check if a database is in ARCHIVELOG mode, you can run the following query as a system user:

SQL> show parameter archive


Mode = ARCHIVELOG The audited database must in ARCHIVELOG mode where the database will make copies of all online redo logs after they are filled. The copied (archived) redo logs are read by the Audit DB collection process.

Parameter =LOG_ARCHIVE_START

Redo logs can be either manually or automatically archived. If the instance is set to Automatic Archival, then the redo log will be archived as soon the log writer is finished writing to it. Enabling Automatic Archival will not start redo archiving until the instance is in Archive mode.

This parameter has been deprecated in Oracle 10g. The Oracle background process ARCH is started automatically when the database is in ARCHIVELOG mode.

Parameter =LOG_ARCHIVE_DEST

Sets the log archive destination where the archived logs are written.

Oracle 10g/11g implements a LOG_ARCHIVE_DEST_n parameter which allows for the multiplexing of the archive logs.

NAME-------------------

TYPE-------

VALUE---------------------------------------

archive_lag_target integer 0log_archive_dest stringlog_archive_dest_1 string LOCATION=C:\oracle\oradata\OLUO\archivelog_archive_dest_10 stringlog_archive_dest_2 stringlog_archive_dest_3 stringlog_archive_dest_4 stringlog_archive_dest_5 stringlog_archive_dest_6 stringlog_archive_dest_7

NAME--------------------------

TYPE-----------

VALUE--------------------------------

log_archive_dest_8 stringlog_archive_dest_9 stringlog_archive_dest_state_1 string enable



log_archive_dest_state_10 string enablelog_archive_dest_state_2 string enablelog_archive_dest_state_3 string enablelog_archive_dest_state_4 string enablelog_archive_dest_state_5 string enablelog_archive_dest_state_6 string enablelog_archive_dest_state_7 string enablelog_archive_dest_state_8 string enable

NAME-------------------------------

TYPE-----------

VALUE--------------------------

log_archive_dest_state_9 string enablelog_archive_duplex_dest stringlog_archive_format string %t_%s.dbflog_archive_max_processes integer 2log_archive_min_succeed_dest integer 1log_archive_start boolean TRUElog_archive_trace integer 0remote_archive_enable string truestandby_archive_dest string %ORACLE_HOME%\RDBMS



(Oracle) Supplemental LoggingFor Log Reading, you must enable supplemental logging to audit an Oracle audit source.

Specifically, Audit DB requires UNIQUE_INDEX level supplemental logging to be enabled for full audit capabilities. Audits will function with a lower supplemental logging level, but key data will not be available in the audit trail.

You can do this by directly executing the following file through SQLPlus:

$PBDBHOME/Sql/enable_supplemental_logging_oracle.sqlTo check if supplemental logging is enabled, you can run the following query as a system user:

SQL>select supplemental_log_data_min,supplemental_log_data_pk,supplemental_log_data_ui,supplemental_log_data_fk,supplemental_log_data_allfrom v$database;

Alternatively, supplemental logging can be enabled by Audit DB via the PBDB Monitor Admin Console when you create the audit source.

(Oracle) Native Audit Collection ConfigurationAudit DB can collect information from an audited database’s audit trail and in addition, it can collect audit information written into operating system (OS) files on UNIX platforms. The following settings are required:

To check if an audited database is configured for native audit collection, one can run the following query.

SQL> show parameter audit

NAME------------------------------

TYPE----------

VALUE--------------------------

SUPPLEMENTAL_LOG_DATA_MIN string YESSUPPLEMENTAL_LOG_DATA_PK string YESSUPPLEMENTAL_LOG_DATA_UI string YESSUPPLEMENTAL_LOG_DATA_FK string YES/NO (not required)SUPPLEMENTAL_LOG_DATA_ALL string YES/NO (not required)

Setting / Parameter Description

Parameter: AUDIT_TRAIL This parameter when set to ‘os’ or ‘db’ enables database auditing and directs all audit records to the operating system’s (OS) audit trail or the database audit trail (SYS.AUD$).

Parameter : AUDIT_SYS_OPERATION This parameter when set to ‘TRUE’ ensures that SYSDBA activity is audited. The audited information is always written to the OS audit trail.

Parameter : AUDIT_FILE_DEST This parameter specifies the operating system folder into which the audit trail is written when the AUDIT_TRAIL initialization parameter is set to os. It is also the location to which mandatory auditing information is written and, if so specified by the AUDIT_SYS_OPERATIONS initialization parameter, audits records for user SYS.



Note: To capture audit data from the native audit, AUDIT commands must be run to specify which events are to be collected.

Note: Use Oracle AUDIT to capture logins, logouts, failed logins, and certain DCL commands.

(SQL Server) Required Database Option Settings

Caution! If ‘truncate log on chkpt’ is set to true, you must switch it to false. When you change this parameter you must take a full database backup, and take an initial transaction log backup.

(SQL Server) PBDB Monitor Agent Disk RequirementsThe PBDB Monitor Agent (Monitor role) running locally on the computer hosting the target SQL Server instance is responsible for managing some real‐time data capture via SQL Server's Profiler Trace interface. The PBDB Monitor Agent uses space in its local agent folder (\agent.data\data\...) to temporarily store profiler trace files (.TRC) as well as Audit DB collection files (.ESZ) between scheduled collections. It is important to allocate enough disk space for this purpose. Under typical circumstances where session logins/logouts and DDL operations are being captured via the trace, the volume of data associated with this mechanism should be relatively low. SELECTs or EXECUTEs are being audited via the trace, the volume could be much higher.

Accurately determining the disk space requirement associated with these mechanisms can only be done by testing in a representative environment. However, the following guidance can be used for planning and budgetary purposes.

With default configuration, Audit DB will allow trace data to grow to 500MB before packaging the trace data into .ETZ format (which also compresses the data at an approximate ratio of 10:1). Given this, if we assume collections occur once a day, and that the trace file data hits the 500 MB threshold every 30 minutes (an arbitrary number), we can make a rough calculation as to the typical daily disk consumption by trace and .ETZ files:

500MB + (48 * 50) = 2900MB // approximately 3 Gb per day

It is recommended that a minimum of 3 days worth of space be allocated to accommodate for unexpected outages and recovery.

NAME----------------------------

TYPE----------

VALUE----------------------------

audit_sys_operations boolean TRUEaudit_trail string DBtransaction_auditing boolean TRUE

Setting / Parameter Description

Parameter: 'trunc. log on chkpt' is set to false, that is, Full Recovery Mode.

There is one database level configuration requirement. All databases that will be monitored using the Audit DB log reading technology must be configured to run in Full Recovery Mode.This can be verified by running the following command in SQL Server:

sp_dboption 'dbname'The 'trunc. log on chkpt' must be set to false. If this is the case, 'trunc. log on chkpt' will not be included in the result set returned by sp_dboption.



PermissionsThis section describes the permissions required to install, configure, and manage your Audit DB implementation.

Installation Permissions

Operating System Permissions

To install any of the Audit DB components, you must log in to the operating system as the following user:

• Windows ‐ Administrator

• UNIX ‐ User (as described in “Operating System Account Setup,” page 47)

Database Permissions - Central Configuration Database

For Central Configuration Database creation you need a database login with DBA or System Administrator privileges on the database where the Central Configuration Database (CCDB) is going to be installed.

Database Permissions - PBDB Repository

For Repository creation you need:

• Oracle ‐ DBA privileges on the database where the Repository is going to be created. The user can be created

automatically either by the installer or through the PBDB Monitor Admin Console by running the following script:

<installation_folder>\BeyondTrust\Audit DB\Enterprise\Sql\ create_lumigent_repository_user_oracle.sql

or$PBDBHOME/BeyondTrust/sql/create_lumigent_repository_user_oracle.sql

• SQL Server ‐ System Administrator privileges on the database where the Repository is going to be created. You

have to provide an SQL login that has DB owner permissions on the PBDB Monitor Repository Database. Use the same credentials as the ongoing operations user when configuring the Repository connection in the PBDB Report Server.

Database Permissions - PBDB Assessment Agent

• You must have privileges on target databases sufficient to create accounts and confer privileges.

Database Permissions - PBDB Assessment Repository Database

• You must have privileges on the PBDB Assessment Repository Database sufficient to create a database,

accounts and roles. The PBDB Assessment Repository owner must be the LUMIGENT_VMGR user, as defined in the script RepositoryUserSetup<DBMS>.sql.

Ongoing Operations Permissions

To function properly, the PBDB Monitor Agent needs access to the files and databases required by its role.

Ongoing Operations Permissions - PBDB Server


• Windows ‐ Local System or Local Administrator


CCDB Database Permissions

For CCDBs hosted on Oracle, the user is created automatically. For more details about this user’s permissions, refer to the following script, which can be found in the Sql folder of the installation:

create_lumigent_config_user_oracle.sql



For SQL Server, the customer has to provide an SQL login that has DB owner permissions on the CCDB database.

PBDB Assessment Agent Permissions

For PBDB Assessment Agent permissions required by the different Assessment Packages, see the Component Agent Grant scripts in the following folder:

<installation_folder>\BeyondTrust\Audit DB\Assessment\SQL\Components

Ongoing Operations Permissions - Repository Tier


• Windows ‐ Local system


Database Permissions

For repository creation you need:

• Oracle ‐ DBA privileges

• SQL Server ‐ System Administrator privileges

Oracle

The user can be created automatically either by the installer or through the PBDB Monitor Admin Console by running the following script:

$PBDBHOME/Sql/create_lumigent_repository_user_oracle.sql

SQL Server

The customer has to provide an SQL login that has DB owner permissions on the PBDB Monitor Repository Database.

Use the same credentials as the ongoing operations user when configuring the repository connection in the PBDB Report Server.

Ongoing Operations Permissions - Collection TierYou need the following permissions to manage ongoing operations for the Collection Source Tier.


• Windows ‐ Local System or Local Administrator

• UNIX ‐ The user must be setup as specified in “Operating System Account Setup,” page 47.

The following is a high level overview of the access required by a PBDB Monitor Agent running on a Collection Tier level.

Note: Running the agent in a user account that has been configured according to the specification in this guide provides the required permissions in most cases. For more information, see “Custom Installations,” page 137.



Group membership in the database’s operating system administration groups.

The operating system user account running the PBDB Monitor Agent must be a member of the following operating system groups.

Table 15. Groups memberships required

DBMS UNIX Group(s) Windows

DB2 db2iadm1, db2ifdm1 LocalSystem/Administrator

Oracle dba LocalSystem/Administrator

SQL Server NA LocalSystem/Administrator

Sybase none LocalSystem/Administrator



Read access to the target database’s archived redo logs and/or transaction logs.

Read access to the target database’s native audit logs

SQL Server audit sources only: remote read/write access to the local PBDB Monitor Agent (Monitor role) on the computer hosting the target SQL Server instance.

Table 16.

DBMS Location

DB2 The folder specified in the db cfg parameter logarchmeth1:A typical setting might be,

UPDATE DB CFG FOR <development database> USING logarchmeth1 "DISK:/udb/db2inst1/ArchiveFiles/" logprimary 3 logsecond 2

with archive files being written to a hierarchy such as:<archive dir>/<instancename>/<databasename>/NODE0000/C000000000

Oracle Typically the folder specified in the LOG_ARCHIVE_DEST and LOG_ARCHIVE_DEST_n Oracle initialization parameters. Alternatively, .ARC files can be log shipped to a secondary location which the Collection Tier can access.

SQL Server For example:\\<Server Host>\Microsoft SQL Server \MSSQL.1 \MSSQL\Backup

Alternatively .TRN files can be log shipped to a secondary location which the Collection Tier can access.

Table 17.

DBMS Location

DB2 Typically,$DB2INSTHOME sqllib/security/auditdata/db2audit.log

Note: The location changes after each database restore to for example, <archive folder>/<instance name>/<database name>/NODE0000/C000000001, and must be changed in Audit DB Console to match the new value.

Oracle Typically the folder specified by 'AUDIT_FILE_DEST' Oracle initialization parameter.

SQL Server NA

Table 18.

DBMS Location

SQL Server Typically,\\SERVERHOST\BeyondTrust\Audit DB\Agent\Data



Read/execute access to DBMS client libraries and tools.

Ongoing Operations Permissions - Audit Source TierThe following sections provides details related to required privileges during ongoing operations (collections) for Audit DB.

Operating System Permissions - General

• Windows ‐ Local system or Local Administrator

• UNIX ‐ The user must be setup as specified in “Operating System Account Setup,” page 47.

For detailed operational permissions requirements for PBDB Monitor Agents running locally (as Collection Agents) on computers in the Audit Source Tier, see “Ongoing Operations Permissions ‐ Collection Tier,” page 38.

Note: Running the agent in a user account that has been setup according to the specification in “Operating System Account Setup,” page 47 will provide the required permissions in most cases.

(DB2) Permissions for Audit Source Creation

To create an audit source you need DBA privileges. You need system role privilege (the capability to create/ drop any tables, users, stored procedures, views, and indices) to the audit source database.

(DB2) Permissions for Collections

(Oracle) Permissions for Audit Source Creation

At audit source creation time, an Oracle user with DBA privileges is required. This level of privilege is required to create the user account on the Oracle system. This user is NOT saved or used by the Audit DB system during normal operation, but is only used to "setup" the Oracle database for auditing.

Specifically, Audit DB executes the following script with the elevated privileges at audit source creation time.

$PBDBHOME/Sql/create_lumigent_config_user_oracle.sql

Table 19.

DBMS Location

DB2 Typically$DB2INSTHOME/sqllib/bin$DB2INSTHOME/sqllib/lib$DB2INSTHOME/sqllib/lib32

Oracle Typically$ORACLE_HOME/bin$ORACLE_HOME/lib$ORACLE_HOME/lib32

SQL Server TypicallyC:\Program Files\Microsoft SQL Server\

Table 20.

Privilege Type Objects

Sysadm group A user in the Sysadm group or same group as the DB2 instance owner.The group specified in the DB2 dbm cfg parameter sysadm.

NA



This scripts creates a user account and grants all db privileges required by Audit DB to execute collections.

The user account can be created in one of two ways:

• At audit source creation time through the PBDB Monitor Admin Console (which will result in the

create_lumigent_config_user_oracle.sql script being run the Audit DB against the database).

• As a prerequisite step before creating the audit source. In this case, a DBA must run

create_lumigent_config_user_oracle.sql manually against the database, and then provide the user’s password to the Audit DB administrator.

(Oracle) Permissions for Collections

An Oracle user named LUMIGENT is created during audit source creation time and granted the minimal set of privileges required for ongoing operations. For details, view the following Oracle user creation script found in the PBDB Monitor Agent installation folder.

$PBDBHOME/Sql/create_lumigent_config_user_oracle.sqlReview these scripts for a detailed descriptions of the specific permissions required. The following summarization of the required permissions is provided as a general overview.

Note: The SELECT and DELETE privileges on SYS.AUD$ are NOT automatically granted to the user by the create_lumigent_config_user_oracle.sql script. If you wish to configure Audit DB to read and delete data from SYS.AUD$, you must explicitly grant those privileges to the user.

(SQL Server) Permissions Required for Service Account

On SQL Server the Audit DB server components are loaded into the audited SQL Server instance as a set of extended stored procedures. The server components themselves establish database connection to the target server instance using Windows authentication. This means that the OS account under which the SQL Server service is running must have a Windows authentication login mapped to it. This requirement is met with default installations of SQL Server.

To test this requirement, execute the following Audit DB extended stored procedure:

exec xp_lmdbaudit_checkacct <server name>The procedure requires one argument, the server name.

If properly configured, the extended stored procedure will return the following:

Command(s) completed successfully.


CREATE SESSION SYSTEM PRIVILEGE NA

UNLIMITED TABLESPACE SYSTEM PRIVILEGE NA

CREATE TABLE SYSTEM PRIVILEGE NA

CREATE VIEW SYSTEM PRIVILEGE NA

CREATE PROCEDURE SYSTEM PRIVILEGE NA

CREATE TRIGGER SYSTEM PRIVILEGE NA

CREATE SEQUENCE SYSTEM PRIVILEGE NA

SELECT ANY DICTIONARY SYSTEM PRIVILEGE NA

SELECT_CATALOG_ROLE SYSTEM PRIVILEGE NA

SELECT, DELETE OBJECT PRIVILEGE SYS.AUD$*



(SQL Server) Permissions for Audit Source Creation

A SQL Server instanced is "setup" for auditing when it is added to the Audit DB configuration as an audit source. For example, the Create Audit Source screen prompts the user for a SQL Server login that provides system administrator level privileges when creating the audit source in Audit DB. This login is NOT saved or used by the Audit DB system during normal operation, but is only used to "setup" the SQL Server instance for auditing.

Specifically, Audit DB creates the following extended stored procedures during audit source creation:

xp_lmdbaudit_logattachsp_lmdbaudit_startxp_lmdbaudit_packagetracedataxp_lmdbaudit_ispackagecompletexp_lmdbaudit_traceconfigurexp_lmdbaudit_checkacctxp_lmdbaudit_initxp_lmdbaudit_loadsp_lmdbaudit_version

(SQL Server) Permissions for Collections

Audit DB ships with role creation SQL scripts that can be used to create SQL Server logins, database user, and roles with the required permissions. The following scripts are installed with the PBDB Monitor Agent:

<installation_folder>\Sql\create_lumigent_collect_user_mssql_2005.sql

Note: This script can also be used for SQL Server 2008.

Review these scripts for detailed descriptions of the specific permissions required. The following summary of the required permissions is provided as a general overview.


SELECT OBJECT PRIVILEGE Various system dictionary views:

• sys.ll_objects

• sys.schemas

See script for details.

ROLE ROLE_MEMBERSHIP db_datareader

ROLE ROLE_MEMBERSHIP db_backupoperator

EXECUTE OBJECT PRIVILEGE Trace management procedures:

• sys.sp_trace_create

• sys.sp_trace_setevent

• sys.sp_trace_setfilter

• sys.sp_trace_setstatus

EXECUTE OBJECT PRIVILEGE Audit DB extended stored procedures:

• xp_lmdbaudit_*



Planning LicensingEach audit source in your configuration uses or consumes a Audit DB license. When you are planning your Audit DB implementation, you should estimate the number of audit sources that will be monitored, and plan your licensing accordingly.

Each PBDB Repository in your configuration uses or consumes a Audit DB license. When you are planning your Audit DB implementation, you should estimate the number of Repositories that will be required, and plan your licensing accordingly.

Check the CPU count of the computer that will host the PBDB Report Service. In a standard implementation this will be the PBDB Server. Computers with more than 8 CPUs need a larger‐capacity license at additional cost.

Preparing Your Environment


Preparing Your EnvironmentThis chapter contains prerequisites that your environment should meet before you install Audit DB.

PBDB Server Prerequisite ChecklistIn the standard implementation, you install the following Audit DB components on the PBDB Server:

• PBDB Monitor Agent performing the Central Configuration Agent and Loader Agent roles


• PBDB Report Server

• lmConsole

• PBDB Assessment Agent


In the standard implementation, the following Audit DB components reside on the PBDB Server:

• Central Configuration Database

• PBDB Monitor Repository Database

• PBDB Report Server Metadata Repository Database

• PBDB Assessment Repository Database

Use the following checklist to prepare to environment where you will install the PBDB Server core software and the Repository tier. Note that when you install the Central Configuration Agent it creates the Central Configuration Database automatically.

Note: The recommended implementation is to install the Central Configuration Agent, PBDB Monitor Admin Console, PBDB Report Service, and lmConsole, and to create the CCDB and PBDB Repository all on the same computer.



Table 21. Checklist for Preparing the Environment

Prerequisite Task Notes

Determine your licensing requirements. See “Planning Licensing,” page 44.

Acquire or assign a database server to act as the PBDB Server.

Validate that the DB server meets the hardware requirements.

See “PBDB Server Sizing Guidelines,” page 19.

Validate that the DB server meets the operating system requirements.

For information about supported platforms, refer to the Release Notes.

Validate that the DBMS meets the requirements for the Central Configuration Database.


Validate that the DBMS meets the requirements for the PBDB Repository.


Verify that the software prerequisites have been met.

See “Prerequisite Software,” page 51.

Complete the required network configuration. See “Audit DB Network Configuration,” page 24, and “Repository Tier Network Configuration,” page 25.

Review the Configuration Considerations for the PBDB Server and verify that your environment meets all requirements.

See “PBDB Server Configuration Considerations,” page 26.

Review the Configuration Considerations for the Repository Tier and verify that your environment meets all requirements.

See “Repository Tier Configuration Considerations,” page 27.

Create a database instance for the CCDB

Create a database instance for the PBDB Repository

Determine the installation folder for the Audit DB software.

The default installation folder is: Windows ‐ C:\Program Files \BeyondTrust \PowerBroker DatabasesLinux ‐ /home/<user name>/BeyondTrust



Operating System Account SetupThis section provides details about setting up user accounts to run Audit DB components.

UNIX

To set up a user account to run Audit DB on UNIX:

1. Create a UNIX user account on the host.

This account will be used to both install and run Audit DB software.

2. Assign group membership:

Note: This step is required for Audit Source and Collection Tier components only.

Make the user a member of the following groups where applicable. Assign group membership based on target DBMS platform type.

Determine the location and sizing of the Agent Data folder. (.ECZ files)

The default Agent data folder is:Windows ‐ C:\Program Files \BeyondTrust \PowerBroker Databases \Agent Linux ‐ /home/<user name>/BeyondTrust/agent See “PBDB Server Sizing Guidelines,” page 19, and “Repository Tier Configuration Considerations,” page 27.

Set up archiving on the Agent Data folder (not just backups).

Need ability to get software onto the PBDB Server. Need R/W/E access to the folder.

(Oracle) Need to know Oracle HOME and SID.

(Oracle) Need to know the Oracle DEFAULT and TEMP tablespaces.

(Oracle) Configure TNSnames.ora or know TNS names entry for each audited instance.

(Oracle) Oracle client tools installed. Need R/E access to those tools.

(Oracle) DB has partitioning enabled.

(SQL Server) Make sure SQL Server Browser Service is running.

(SQL Server 2008) Set to SQL Server 2005 compatibility mode.

Table 22. Group Memberships

DBMS UNIX Group(s)

DB2 ‘db2iadm1’ and ‘db2fadm1’

Table 21. Checklist for Preparing the Environment



DB group membership is needed for the following reasons:– Read access to database archive redo, transaction log, and audit log files.

– Read/execute access to the database client libraries and tools.

3. (Optional) Manually create an agent data folder

Note: By default, the installation will create an agent folder (name agent.hostname) in the user's home folder. If you choose to place the agent data folder in the user's home folder, this step can be ignored.

The agent will use this folder to store configuration, temporary, and archived audit trail data. Depending on the number of audit sources serviced by the agent (either in the capacity of a collection role or loader role), the space requirement can be large. In this case it may be beneficial to host the agent data folder on a different volume. # mkdir /vol/agent.host# chown BeyondTrust /vol/agent.host# chgrp X /vol/agent.host# chmod 700 /vol/agent.host

Note: When you create a UNIX user you do not have to set the UNIX environment (PATH and LD_LIBRARY_PATH) for DB libraries and tools.

The Audit DB installation process on UNIX platforms will generate an agent startup script that will appropriately set LD_LIBARY_PATH and PATH environment variables so that paths to DBMS client libraries and tools are included. See the following files in the agent.data/etc/ folder after the installation process has been completed: – env.sh

– env.csh

– runEntegraAgent.sh

Windows

To set up a user account to run Audit DB on Windows:

1. Add a local or network user account.

2. Make the user a member of the Administrators group on the local host.

3. Alternatively, run the agent as LocalSystem.

Oracle ‘dba’

Sybase none

Table 22. Group Memberships

Installing PowerBroker Databases: Monitor & Audit


Installing PowerBroker Databases: Monitor & AuditThe chapter documents the recommended standard implementation for Audit DB as described in “PBDB Tiered Deployment Architecture,” page 17.

For custom implementations, see “Alternative Implementations,” page 132, and then “Custom Installations,” page 137.

Audit DB Installation WorkflowDuring the Audit DB installation process you must perform the following installation and configuration tasks. Use this checklist to locate instructions for each task and to keep track of your progress.

Table 23. Audit DB Installation Workflow

Task Documentation for Task Done

1. Create operating system accounts to run the Audit DB components.

See “Operating System Account Setup,” page 47.

2. Download the installation software from www.beyondtrust.com.

3. Install the PBDB Server core software:

• Central Configuration Agent, and

create the CCDB



• lmConsole

• PBDB Assessment Agent,

PBDB Assessment Console, and PBDB Assessment Repository

See “Installing the PBDB Server Core Software,” page 51,OR“Custom Installations,” page 137.

4. Validate your PBDB Server installation by logging into the PBDB Monitor Admin Console.

See “Logging In to the PBDB Monitor Admin Console,” page 69.See also “Validating Your PBDB‐MA Installation,” page 126.

5. Change the default password. See “Changing the Default Password,” page 70.

6. Install the Product License Key. See “Installing License Keys,” page 70.

7. Install PBDB Monitor Agent on each audit source.

See “Installing PBDB Monitor Agents,” page 72.

8. Create the PBDB Repository on the PBDB Server.

See “Creating a Repository,” page 108.

9. Configure the PBDB Report Service.

• Create connection to

PBDB Repository

• Deploy

PBDB Monitor Report Templates

• Recommended Parameters

See “Configuring the PBDB Report Server,” page 116.

10. Create audit sources. For instructions, refer to the Audit DB User Guide.



11. Create audit rules. For instructions, refer to the Audit DB User Guide.

12. Create one or more policies that contain one or more rules.

For instructions, refer to the Audit DB User Guide.

13. Associate policies with audit sources. For instructions, refer to the Audit DB User Guide.

14. Deploy policies to initiate monitoring. For instructions, refer to the Audit DB User Guide.

15. Validate your installation

• Perform an activity against audit

source.

• Run a collection.

• Publish the collected data.

• Run a report.

For instructions, refer to the Audit DB User Guide.

16. Install patches in the following order:1. Central Configuration Agent

2. Loader Agent (Repository)

3. Collection Agents

4. PBDB Monitor Agents

5. PBDB Monitor Admin Console

6. PBDB Report Service patches

7. PBDB Monitor Report Templates updates

8. lmConsole

For patch installation instructions, refer to the Audit DB Release Notes.

Table 23. Audit DB Installation Workflow



Installing the PBDB Server Core SoftwareThe PBDB Server consists of a single server computer that hosts the following PBDB Server core software:


• Central Configuration Database (created the first time you install a PBDB Monitor Agent)

• lmConsole

• PBDB Monitor Agent (Central Configuration Agent role)


• PBDB Assessment Agent


• PBDB Assessment Repository

In the standard implementation, the PBDB Server also hosts the PBDB Repository and the Central Configuration Agent also performs the Loader Agent role.

Note: PBDB‐MA supports auditing for Oracle RAC and MSCS Clusters. However, in a clustered environment, all of the PBDB Server core software must be installed on a non‐clustered computer.

Note: Use the following PBDB‐MA versions for auditing different versions of db2 LUW– For auditing Db2 LUW v9.5, PBDB Monitor AgentV6.6.3 should be used as the agent. For this situation,

both PBDB‐MA V6.6.3 and V6.7 can be used as the server.

– For auditing Db2 LUW v9.7, PBDB Monitor Agent v6.7 should be used as the agent. The server must be V6.7

Prerequisite Software

The main prerequisite for the PBDB Server core software is a database instance on the PBDB Server, on which to host the CCDB. For more information about supported DBMS, refer to the Release Notes.

The main prerequisite for the Repository Tier is a database instance on the Repository Tier computer, on which to host the PBDB Repository. In the standard implementation, this can be the same database as the CCDB.

The PBDB Report Server must have the database clients installed that match the PBDB Monitor Repository Database, and must have ODBC connectivity to the PBDB Monitor Repository.

Assessment must have the database clients installed that match the PBDB Assessment Repository.

For Oracle, make sure that Oracle Client tools are installed on the computer that will host the CCDB and/or the Repository, and that connectivity to Oracle is established. The agent needs read and execute access to these tools.

The PBDB Report Server must have the database clients installed that match the PBDB Monitor Repository Database, and must have ODBC connectivity to the Repository.

Note: For 64 bit version of Oracle client, the 32 bit libraries must also be installed.

(Windows) PBDB Server Core Software Installation Checklist

The following table lists information that you will need to complete the PBDB Server core software installation.



The agent runs as a Windows service. You must decide whether to run the agent under the Local System account, or under a specified Windows account. Most customers run the PBDB Monitor Agent under a specified Windows service account.

Table 24. PBDB Server Core Software Installation Checklist for Windows

Input Default Value Your Value

Installation Location C:\Program Files\BeyondTrust\PowerBroker Databases

Host Name for CCDB Computer where the PBDB Server core software is being installed.

Port number for Central Configuration Agent communication

16400

Agent Data Directory C:\Program Files\BeyondTrust\ PowerBroker Databases\Agent

Windows user account to run Central Configuration Agent service

User Name Password

Target Database ‐ CCDB

Net Service Name (Oracle)

Database instance to host the CCDB (SQL Server)

DB User Name and Password User NamePassword

Password for user (created by installer)

User Name = lumigentPassword

DEFAULT tablespace (Oracle) USERS

TEMP tablespace (Oracle) TEMP

Target Database (PBDB Assessment Repository)

Oracle or SQL ServerNote: May be the same

database as the CCDB.

Database Host (PBDB Assessment Repository)

Note: May be the same database as the CCDB.

Database Instance (PBDB Assessment Repository)

(Oracle) Net Service Name(SQL Server) Instance Name

Database Port (Oracle) 1521(SQL Server) 1433

DB User Name and Password User NamePassword



(Windows) Typical Installation

To install the PBDB Server core software, you must log in as a user with DBA privileges for the database where the Central Configuration Database is going to be created.

Note: (SQL Server) If you plan to use system authentication for logging into SQL Server, make sure that the system user that you log in as has authority to create the database and the schema.For SQL Server 2012 as the PBDB Server, PBDB must run with the same credentials in which the SQL Server 2012 is running. If not the Audit source status will be set to offline.

To install the PBDB Server core software on Windows:

1. Log on as a local administrator. To create the Central Configuration Agent, you must have authority to create a database user and the schema and modify the registry.

2. In the PBDB Server folder of the installation media, launch AuditDB_server_setup_<OS>_<CPUArch>.6.8.x.yyyy.exe. The installation wizard opens.

3. In the Welcome dialog, click Next.

4. In the Select Installation Type dialog, click Complete PBDB Server and click Next.

Local Administration Port 15101

Agent Listener Port 15100

Table 24. PBDB Server Core Software Installation Checklist for Windows




5. In the Select Installation Folder dialog, click Next to accept the default destination folder or else click Choose to select another location and then click Next.

6. In the Configure Agent dialog, either click Next to accept the default values or else configure the following.a. Enter the Host Name for the communication port on this computer.

b. Enter the Port Number that the Central Configuration Agent will use to communicate with other agents. The default is 16400.

Caution! If you change this value, you must use the same port for all other agents in your Audit DB implementation. All communications among agents must be on the same port.

c. Select the Agent Data Directory. All data that the Agent creates and uses will be stored under this data folder. Depending on the amount of data collected and the frequency of your backups, this folder can grow in size, so be sure the folder is large enough for your needs.

Caution! Each PBDB Monitor Agent must have its own Agent Data Directory. You cannot have two PBDB Monitor Agents pointing to the same Agent Data Directory.

d. Click Next.



7. In the Configure Agent dialoga. Select the Windows user account to be used to run the Central Configuration Agent service.

– Select Local System Account to run the PBDB Monitor Agent as the local system account.

– Select This Account to run the PBDB Monitor Agent as a different account. Enter a User Name and the account Password.

b. Click Next.

8. In the Configure Central Configuration Database dialog, select the database platform where you are going to create the Central Configuration Database.For Oracle databases:a. Type the name of the Net Service where the Central Configuration Database (CCDB) should be created.

This is the Oracle service name that can be found in the tnsnames.ora file.

b. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Central Configuration user and schema (called "lumigent"). The Central Configuration Agent will use the user to connect to the CCDB schema within Oracle.

c. Type the Oracle DB Password.

d. Click Next. The installer connects to the database using the supplied credentials. The Configure Central Configuration Database ‐ Oracle Schema window opens.



e. Enter a Password for the user. The installer will automatically create the user. Re‐enter the Password for the user.

f. Type the DEFAULT Tablespace. The default value is USERS.

g. Type the TEMP Tablespace. The default value is TEMP.

h. Click Next.

For SQL Server databases:a. Type the name of the Database Instance where the Central Configuration Database (CCDB) should be

created.

– For an unnamed instance, enter the host name (computer name) of the computer hosting the SQL Server instance.

– For a named instance, enter the host name\ instance name.

b. Select a Database Authentication method.

For SQL Authentication:

a. Type the SQL Server DB User Name. This is the SQL Server user that the installer will use to create the Central Configuration user and schema (called "lumigent"). The Central Configuration Agent uses the default user for Audit DB to connect to the CCDB schema within SQL Server.

b. Type the SQL Server DB Password.

c. Click Next. The installer connects to the database using the supplied credentials.



9. In the Assessment Setup dialog, select the database platform where you are going to create the PBDB Assessment Repository. This can be the same database as the PBDB Repository.For Oracle databases:a. In the Database Host field, type the host name of the computer where you want to create the

PBDB Assessment Repository.

b. In the Database Instance field, type the name of the Net Service where the PBDB Assessment Repository should be created. This is the Oracle Service.

c. In the Database Port field, type 1521.

d. In the Database Authentication section

a. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Assessment user and schema (called "LUMIGENT_VMGR"). Assessment will use the LUMIGENT_VMGR user to connect to the Assessment schema within Oracle.

b. Type the Oracle DB Password.

c. Click Next.

For SQL Server databases:a. In the Database Host field, type the host name of the computer where you want to create the


b. In the Database Instance field, type the name of the Database Instance where the PBDB Assessment Repository should be created.

– If you’re connecting to the default instance, leave this field blank.

– If you’re connecting to a named instance, enter only the instance name.


d. In the Database Authentication section, select an authentication method.




a. Type the SQL Server DB User Name. This is the SQL Server user that the installer will use to create the Assessment user and schema (called "LUMIGENT_VMGR"). The Agent will use the default Assessment user to connect to the Assessment schema within SQL Server.


c. Click Next.

10. In the Assessment Setup dialog, accept the defaults for Local Administration Port and Agent Listener Port and click Next.

11. In the Pre‐Installation Summary dialog, review the settings you have selected and click Install.The installer performs the following functions:– Creates the folder structure and files

– Installs the Central Configuration Agent

– Creates the Central Configuration Database

– Installs the PBDB Monitor Admin Console, lmConsole, PBDB Report Server, PBDB Assessment Agent and PBDB Assessment Console

– Writes settings to the appropriate configuration files

– Starts the following Windows services:

– PBDB Monitor Admin Console

– PBDB Monitor Agent

– PBDB Report Server

– LumigentVMgrAgent

– LumigentVMgrUI

12. In the Installation Status Summary dialog, click Done.If there were problems installing any component, they will be flagged in the Installation Status Summary, as shown below.



For more detailed information about your installation, you can refer to the installation log file, PowerBroker_Databases_Server_InstallLog.log. You can search the log file for error messages. This can be found in the following location:

<installation_folder>\BeyondTrust\PowerBroker Databases

After you have finished installing the PBDB Server core software, complete “Post Installation Tasks,” page 68.

(Linux) PBDB Server Core Software Installation Checklist

For Linux, the Audit DB home folder must be readable and writable only by the PBDB‐MA user (mode 700). The log files and temporary files created by the PBDB Monitor Agent must not be visible to other users, even those of the same group. For specific instructions on creating the user account for use with Audit DB, see “Operating System Account Setup,” page 47.

Tip: Installation Status Summary

The Installation Status Summary is stored in the Status folder. You can view the status history of all your component installations, upgrades, and removals by viewing the index.html file. For example,

C:\Program Files\BeyondTrust\PowerBroker Databases\Status\index.html



The following table lists information that you will need to complete the PBDB Server core software installation via a graphical user interface (GUI).

Table 25. PBDB Server Core Software Installation Checklist for Linux


Path name to home folder /home/<user_name>/BeyondTrust

Host name of the CCDB computer Computer where the PBDB Server core software is being installed.

TCP/IP Port number for Central Configuration Agent communication

16400

Path to Agent Data Directory /home/<user_name>/BeyondTrust/agent

User Account that will own the Agent process

User name = Password =

CCDB Platform Oracle

Net Service Name

CCDB Administrator User name =Password =

Oracle home folder [ORACLE_HOME]

Password for user (created by the installer)

TableSpace Name Users

Temp TableSpace Name Temp

PBDB Assessment Repository Database Platform

Oracle


Database Instance(PBDB Assessment Repository)

Net Service Name

Database Port 1521

Database Authentication User name =Password =

Oracle home folder [ORACLE_HOME]





(Linux) Typical Installation

Note: Installation of the PBDB Server core software is supported on Red Hat Linux only.The PBDB Monitor Agent installation wizard runs a GUI interface. For console only installation, see “(UNIX) Agents ‐ Unattended Installation,” page 165.

To install the PBDB Server core software, you must log in as a user with DBA privileges for the database where the Central Configuration Database is going to be created.

Note: “Operating System Account Setup,” page 47, provides instructions for UNIX user account permissions. Before installing PowerBroker Databases components, you should create a user following these guidelines.

To install the PBDB Server core software on Linux:

1. Log into the computer as an OS Administrator user with read, write, and execute permissions to the planned agent’s home folder.

2. Change directory to the folder of the installation media, either the installation CD or downloaded media. For example, if you have copied the media into a temporary folder:$ cd /home/<user name>/temp

3. Change the permission of the copied or downloaded file to be executable. Make sure that this is the PBDB Server core software installer.$ chmod +x AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin

4. Start the installation program by typing the following command:$ ./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.binThe PBDB Server installation wizard opens.


6. In the Select Installation Type dialog, click Complete PBDB Server, then click Next.



7. In the Select Installation Folder dialog, either click Next to accept the default destination folder or click Browse to select another location and then click Next.Note: If you choose a different folder, the PBDB Monitor Report Templates are still installed to the default

location.



8. In the Configure Agent dialog, either click Next to accept the default values or else configure the following.a. Enter the Host Name for the communication port on this computer. The default value is the first

discovered host name for the system currently running the installation.




Note: Each PBDB Monitor Agent must have its own Agent Data Directory. You cannot have two PBDB Monitor Agents pointing to the same Agent Data Directory.

d. Click Next.



9. In the Configure Agent dialog, specify the UNIX user account to be used to run the Central Configuration Agent daemon process and click Next.



10. In the Configure Central Configuration Database dialog, select Oracle as the database platform where you are going to create the Central Configuration Database.a. Type the name of the Net Service where the Central Configuration Database (CCDB) should be created.

This is the Oracle service name that can be found in the tnsnames.ora file.

b. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Central Configuration user and schema (called "lumigent"). The Central Configuration Agent will use the PBDB‐MA user to connect to the CCDB schema within Oracle.


d. Enter the ORACLE_HOME folder.

e. Click Next. The installer connects to the database using the supplied credentials.

11. In the Configure Central Configuration Database dialog, enter a Password for the user of PBDB‐MA. The installer will automatically create the user.a. Re‐enter the Password for the user.

b. Type the DEFAULT Tablespace. The default value is USERS.

c. Type the TEMP Tablespace. The default value is TEMP.

d. Click Next.



12. In the Assessment Setup dialog, select Oracle as the database platform where you are going to create the PBDB Assessment Repository. a. In the Database Host field, type the host name of the computer where you want to create the


b. In the Database Instance field, type the name of the Net Service where the PBDB Assessment Repository should be created. This is the Oracle Service.


d. In the Database Authentication section

a. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Assessment user and schema (called "LUMIGENT_VMGR"). Assessment will use the LUMIGENT_VMGR user to connect to the Assessment schema within Oracle.

b. Type the Oracle DB Password.

c. Click Next.




14. In the Pre‐Installation Summary dialog, review the settings you have selected and click Install.The installer performs the following functions:– Creates the folder structure and files



– Installs the PBDB Monitor Admin Console, lmConsole, PBDB Report Server, PBDB Assessment Agent and PBDB Assessment Console


– Starts the following daemon processes:

– PBDB Monitor Agent

– Audit DB GUI

– PBDB Report Service


– LumigentVMgrUI

15. In the Installation Status Summary dialog, click Done.After you have finished installing the PBDB Server core software, complete “Post Installation Tasks,” page 68.



Post Installation Tasks

After you have installed the PBDB Server core software, complete the following post‐installation tasks:

1. Verify that the Central Configuration Agent has started.

2. Sign in to the PBDB Monitor Admin Console.

3. Change the default password.

4. Install license keys.

5. Launch the PBDB Report Service.

6. Deploy PBDB Monitor Report Templates.

Verify Agent has StartedVerify that the Central Configuration Agent has started by looking in the following log file for a "heartbeat" message.

On Windows:

<installation_folder> \BeyondTrust\PowerBroker Databases\Agent\Log\ImEntegraAgent*.log

On UNIX:

<installation_folder>/agent.<hostname>/log/lmEntegraAgent*.logOpen the log file in a text editor and search for the word "heartbeat." You should see something similar to the following:

YYYY-MM-DD HH:MM:SS (lmEntegraAgent-4252) - [INFO] The PBDB Monitor Agent on <hostname> has started. Agent version <version number>.

YYYY-MM-DD HH:MM:SS (lmEntegraAgent-4252) - [INFO] The PBDB Monitor Agent on <hostname> has finished initialization. Heartbeat every 300 seconds. Maintenance scheduled Start YYYY-MM-DD HH:MM:SS, Period 1DT00H00M00S.



Logging In to the PBDB Monitor Admin ConsoleThere are two ways to connect to the PBDB Monitor Admin Console: by using the Windows Start menu or by using Internet Explorer.

Note: Make sure that Internet Explorer is the default browser for computer hosting the PBDB Server core software.

To access the PBDB Monitor Admin Console in a browser by using the Start Menu:

Select Start, Programs, PBDB Server, PBDB Monitor Admin Console, PBDB Monitor Admin Console. The PBDB Monitor Admin Console starts in your default browser.

To access the PBDB Monitor Admin Console by using a browser:

1. Start Internet Explorer.

2. In the Internet Explorer Address field enter the following URL:http://localhost:10080/eac/jsp/login.jspIf the PBDB Monitor Admin Console is hosted on a different system, replace "localhost" with the host name of the system hosting the PBDB Monitor Admin Console. For example:http://lumsvr1:10080/eac/jsp/login.jspNote: The first time you sign in to Audit DB, use the default administrator user name and password

"auditdb". The first time you sign in you should change the default password for security purposes. For more information about changing passwords, see “Changing the Default Password,” page 70.

To sign in to Audit DB:

1. On the Login screen, enter your user name and password. The default user name and password are auditdb/auditdb.

2. Click LOGIN. The Audit DB Home window opens.

Tip: SQL Server 2005 Browser Service

On SQL Server 2005, if you are having problems signing in, verify that the SQL Server 2005 Browser Service is running on the computers where the CCDB is installed. You can set this service to start automatically. PBDB Monitor Agent need the Browser Service to communicate with CCDB.



Changing the Default PasswordTo update your password from the Login screen:

1. Click Update Password. The Change Password dialog opens.

2. In the User Name field, type your user name.

3. In the Old Password field, type your old password.

4. In the New Password and Confirm Password fields, type your new password. The password must be at least 6 characters and must be different than your user name.

5. Click Update Password.You can use the user name with the new password or create a different user with Admin privileges.

Installing License KeysYou need a valid license to run Audit DB. Audit DB licenses specify the number and type of components (Repositories and audit sources) that are included in your contract.

Each audit source and each Repository in your Audit DB configuration uses a license. License count is cumulative. For example, if you have two licenses, each one authorized for four audit sources and one Repository, you are licensed for a total of eight audit sources and two Repositories.

Note: You can add additional license keys at any time. Contact BeyondTrust Software if you need to purchase additional licensing.

All license keys are valid for collecting and processing the following audit data:

• Data Definition Language (DDL) SQL statements

• Data Manipulation Language (DML) SQL statements

• SELECT statements

• Stored procedures

To enter your PowerBroker Databases license key:

1. Log into the PBDB Monitor Admin Console as a Audit DB administrator.

2. Click the Admin tab.

3. Click the Licenses tab. Audit DB displays the Administer Audit DB License Keys window.



4. In the New License Key field, enter your license key.

5. Click Add Key. Audit DB installs the license and adds the license key to the table. The table is updated with the new license key and capabilities.

Logging into the PBDB Assessment ConsolePowerBroker Databases: Monitor & Audit is a web‐based application. You connect to the Audit DB Console using a web browser.

To log in to the Audit DB Console:

1. Launch Internet Explorer.

2. In the Internet Explorer Address field, enter the URL:http://yourserver:9080/ConsoleWhere yourserver is the name of the server hosting your Audit DB installation.

3. In the Login Window, enter your user name and password. The default user name is LUMIGENT_VMGR and the password is LUMIGENT_VMGR (case sensitive.)

4. Click Submit. The Console opens and displays the Home window.



Installing PBDB Monitor AgentsPBDB Monitor Agent perform different roles, depending on where they are installed. By default, the first agent that you install becomes the Central Configuration Agent.

In a standard implementation you install the following PBDB Monitor Agents:

• A single PBDB Monitor Agent on the PBDB Server that performs both the Central Configuration Agent and

Loader Agent roles.

• A single PBDB Assessment Agent on the PBDB Server to manage Assessment activities.

• A PBDB Monitor Agent on each audit source to perform the Collection Agent and PBDB Monitor Agent roles.

By default, the Agent Tier installer installs only a PBDB Monitor Agent. Although it is not usually necessary, you may install additional PBDB Assessment Agents on other computers, for example, file system assessments and snapshots require a local PBDB Assessment Agent.

• To install only a PBDB Assessment Agent, see “(Windows) Installing a PBDB Assessment Agent,” page 78.

• To install both a PBDB Monitor Agent and a PBDB Assessment Agent, see “(Windows) Installing Both a

PBDB Monitor Agent and a PBDB Assessment Agent,” page 82.Note: The Collection Tier should be a dedicated server in large environments. Installing Collection Agents locally

on the same server that is hosting the audit source for environments with heavy data load is not recommended. (However, for SQL Server audit sources, a local PBDB Monitor Agent is required.)

For information about alternate implementation models, “Alternative Implementations,” page 132. Large implementations require additional agent installations:

• You install a PBDB Monitor Agent on the PBDB Server to act as the Central Configuration Agent.

• You install a PBDB Monitor Agent on the Repository Tier to act as the Loader Agent.

• You install a PBDB Monitor Agent on the Collection Tier to act as the Collection Agent.

• You install a PBDB Monitor Agent on each SQL Server audit source to act as a PBDB Monitor Agent.

Note: For SQL Server, you must install a PBDB Monitor Agent on every computer hosting an audit source and/or a Repository. For agent installation you must use the CCDB’s host name (DNS name).

Note: On SQL Server 2005, start the SQL Server Browser Service on the computers where you install PBDB Monitor Agents. PBDB Monitor Agents need the Browser Service to communicate with the Central Configuration Database.

Collection Tier Prerequisite Software

A collection server must be able to access an audited database via that databases standard network database protocol, for example, the Collection Agent must be able to access an Oracle database via OCI. This means that the database network client tools must be installed and configured on the collection server, and available to the PBDB Monitor Agent account.

In general, the version of the client libraries installed on the Collection Tier server must be of a version greater than or equal to the highest version database server that will be audited.

Specifically, the following libraries must be installed if auditing the associated database platform from the Collection Tier server.

Table 26. Prerequisite Software for Collection Tier

DBMS Platform Audited

Client Libraries Notes

DB2 DB2 Run time client

Oracle Oracle Client Tools For the 64 bit version of Oracle, 32 bit version of libraries must also be installed.



Audit Source Prerequisite Software

The following table describes the prerequisite software and local PBDB Monitor Agent installation requirements by target database platform.

DB2 LUW Prerequisites

Auditing DB2 LUW database server instances requires that a PBDB Monitor Agent (Collection role) be installed locally on the computer hosting the DB2 LUW instance. This in turn requires the DB2 run‐time client libraries to be installed as a prerequisite.

Oracle Prerequisites

There are no components required to run locally on the computer hosting an Oracle audit source. If a choice is made to run the Audit DB collection agent locally on the computer hosting the target Oracle database, then the Oracle collector tier requirements must also be met. For more information about collection tier requirements, see “PBDB‐MA Installed Components,” page 11.

SQL Server Prerequisites

Auditing of SQL Server instances requires that a PBDB Monitor Agent be installed locally on the computer hosting the SQL Server instance. This in turn requires the SQL Server Native Client component to be installed as a prerequisite. This agent does not have to be configured in a collection role. Collections can be off‐loaded to a remote agent.

Sybase Prerequisites

Sybase Adaptive Server Enterprise (ASE) database servers can only be audited via network capture. There is no requirement for a local PBDB Monitor Agent installation in this case.

SQL Server SQL Server Native Client

Sybase No requirement.PowerBroker Databases redistributes the needed components.


PBDB Monitor Agent Local Install Required?

Other Prerequisites

DB2 Y (Collection role) DB2 Run‐Time Client

Oracle N NA

SQL Server Y (Monitor role) SQL Server Native Client

Sybase N NA

Table 26. Prerequisite Software for Collection Tier


Client Libraries Notes



(Windows) PBDB Monitor Agent Installation Checklist

The following table lists information that you will need to complete a PBDB Monitor Agent installation.

The PBDB Monitor Agent runs as a Windows service. You must decide whether to run the agent under the Local System account, or under a specified Windows account. Most customers run the PBDB Monitor Agent under a specified Windows service account.

(Windows) Installing a PBDB Monitor Agent

The procedure installs only a PBDB Monitor Agent.

• To install only a PBDB Assessment Agent, see “(Windows) Installing a PBDB Assessment Agent,” page 78.

• To install both a PBDB Monitor Agent and a PBDB Assessment Agent, see “(Windows) Installing Both a

PBDB Monitor Agent and a PBDB Assessment Agent,” page 82.The standard implementation requires a PBDB Monitor Agent on the PBDB Server to perform the Central Configuration Agent role, and a PBDB Monitor Agent on each audit source server to perform the Collection and PBDB Monitor Agent roles.

Note: You can install only one PBDB Monitor Agent on each computer that is running Windows.For SQL Server 2012 as the PBDB agent, the PBDB agent should run with the same credentials in which SQL Server 2012 server is running. If not the Audit source status will be set offline.

To install a PBDB Monitor Agent on Windows:

1. Log on as a local administrator.

2. In the Agent Tier folder of the installation media, launch AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.exe. The PBDB Monitor Agent installation wizard opens.


Table 27. PBDB Monitor Agent Installation Checklist


Installation Folder C:\Program Files\BeyondTrust\ PowerBroker Databases

Windows user account to run Agent service

User namePassword

Host Name for the new Agent

Central Configuration Communications Port

16400


Central Configuration Agent Host Name



4. In the Choose Install Set dialog, select the check box for the PBDB Monitor Agent and click Next.



5. In the Select Installation Folder dialog, either accept the default destination folder or click Choose to select another location and click Next.

6. In the Configure Agent dialog:a. Select the Windows user account to be used to run the agent service.



Note: This account must be a domain account with access to the data file share and the backup directories.

b. Click Next.



7. In the Configure Agent dialog, either click Next to accept the default values or configure the following.a. Enter the Host Name for the computer that will host the new PBDB Monitor Agent.

b. Enter the Communication Port that the Central Configuration Agent uses to communicate with other agents. The default is 16400.

Caution! If you changed this value when you installed the PBDB Server core software, you must use the same port for all other agents in your Audit DB implementation. All communications among PBDB Monitor Agent must be on the same port.

c. Select the Agent Data Directory. All data that the PBDB Monitor Agent creates and uses will be stored under this data folder. Depending on the amount of data collected and the frequency of your backups, this folder can grow in size, so be sure the folder is large enough for your needs.


d. Click Next.



8. In the Configure Agent dialog, enter the Host Name for the Central Configuration Agent and click Next.

9. In the Pre‐Installation Summary dialog, review the settings you have selected and click Install.The installer performs the following functions:– Creates the installation log file.

– Creates the folder structure and files.

– Installs the PBDB Monitor Agent files.

– Writes settings to the appropriate configuration files.

– Creates and starts the PBDB Monitor Agent Windows service.

– Connects to the Central Configuration Database and registers the PBDB Monitor Agent.

– Creates a history entry in the Status folder.

10. In the Installation Status Summary dialog, click Done.If there were problems installing any component, they will be flagged in the Installation Status Summary.

(Windows) Installing a PBDB Assessment Agent

The following table lists information that you will need to complete a PBDB Assessment Agent installation.

Table 28. Information for Installing a PBDB Assessment Agent on a Computer Running Windows

Input Default ValueYour Value




To install a PBDB Assessment Agent on Windows:




4. In the Choose Install Set dialog, select the PBDB Assessment Agent check box, clear the PBDB Monitor Agent check box and click Next.

Target Database Type (PBDB Assessment Repository)

Oracle or SQL ServerNote: This must match your existing


Database Host

Database Instance

Database Port Oracle ‐ 1521SQL Server ‐ 1433



Table 28. Information for Installing a PBDB Assessment Agent on a Computer Running Windows

Input Default ValueYour Value




6. In the Assessment Setup dialog, enter the following.a. Select the Target Database for the existing PBDB Assessment Repository: Oracle or SQL Server

b. Enter the Host Name of the PBDB Assessment Repository.

c. Enter the Database Instance of the PBDB Assessment Repository.

– For Oracle, enter the Oracle Net Service name.

– For the default Microsoft SQL Server instance, leave this field blank.

– For a named Microsoft SQL Server instance, enter the instance name.

d. Enter the Database Port for the PBDB Assessment Repository. The default port for Oracle is 1521 and the default port for SQL Server is 1438.

e. Click Next.






– Installs the PBDB Assessment Agent files.


– Creates and starts the PBDB Assessment Agent Windows service.

– Connects to the PBDB Assessment Repository and registers the PBDB Assessment Agent.





(Windows) Installing Both a PBDB Monitor Agent and a PBDB Assessment Agent

The following table lists information that you will need to install both a PBDB Monitor Agent and a PBDB Assessment Agent.

The PBDB Monitor Agent runs as a Windows service. You must decide whether to run the PBDB Monitor Agent under the Local System account, or under a specified Windows account. Most customers run the PBDB Monitor Agent under a specified Windows service account.

To install both a PBDB Monitor Agent and a PBDB Assessment Repository on Windows:




Table 29. Information for Installing a PBDB Monitor Agent and a PBDB Assessment Agent on a Computer Running Windows



Windows user account to run Agent service

User namePassword

Host Name for the new Agent


16400


Central Configuration Server Host Name


Oracle or SQL ServerNote: This must match your

existingPBDB Assessment Repository.








4. In the Choose Install Set dialog, select both the PBDB Monitor Agent and the PBDB Assessment Agent, then click Next.



6. In the Configure Agent dialog:a. Select the Windows user account to be used to run the Audit DB agent service.



Note: This account must be a domain account with access to the data file share and the backup directories.

b. Click Next.



7. In the Configure Agent dialog, either click Next to accept the default values or else enter the following.a. Enter the Host Name for the computer that will host the new PBDB Monitor Agent.


Caution! If you changed this value when you installed the PBDB Server core software, you must use the same port for all other agents in your Audit DB implementation. All communications among agents must be on the same port.



d. Click Next.






– For Oracle, enter the Oracle Net Service name.

– For the default Microsoft SQL Server instance, leave this field blank.

– For a named Microsoft SQL Server instance, enter the instance name.


e. Click Next.




– Installs the PBDB Monitor Agent files.




– Creates and starts the PBDB Assessment Agent Windows service.




12. In the Installation Status Summary dialog, click Done.



If there were problems installing any component, they will be flagged in the Installation Status Summary.

(UNIX) PBDB Monitor Agent Installation Checklist

The following table lists information that you will need to complete a PBDB Monitor Agent installation.

(UNIX) Installing a PBDB Monitor Agent

The procedure installs only a PBDB Monitor Agent.

• To install only a PBDB Assessment Agent, see “(Linux) Installing a PBDB Assessment Agent,” page 94.

• To install both a PBDB Monitor Agent and a PBDB Assessment Agent, see “(Linux) Installing Both a

PBDB Monitor Agent and a PBDB Assessment Agent,” page 97.The standard implementation requires a PBDB Monitor Agent on the PBDB Server to perform the Central Configuration Agent role, and a PBDB Monitor Agent on each audit source server to perform the Collection and PBDB Monitor Agent roles.

The PBDB Monitor Agent installation wizard runs a GUI interface. For console only installation, see “(UNIX) Agents ‐ Unattended Installation,” page 165.

Note: “Operating System Account Setup,” page 47, provides instructions for UNIX user account permissions. Before installing PowerBroker Databases components, you should create a user following these guidelines.

You can set up a PBDB Monitor Agent other than the Central Configuration Agent to be used in a shared drive configuration or independently.

To install a PBDB Monitor Agent on UNIX:

1. Log on as the user of Audit DB.

2. Change directory to the folder of the installation media, either the installation CD or downloaded media. For example, if you have copied the media into a temporary folder:$ cd /home/<user_name>/temp

3. Change the permission of the copied or downloaded file to be executable. Make sure that this is the Agent Tier installer.

Table 30. Information for Installing a PBDB Monitor Agent on a Computer Running UNIX


Installation Folder /home/<user_name>/BeyondTrust/

User Account

User Account Password

Host Name for the new PBDB Monitor Agent


16400

Agent Data Directory /home/<user_name>/BeyondTrust/agent.<hostname>

Central Configuration Agent Host Name

Agent Database (database agent will monitor)



$ chmod +x AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin

4. Start the installation program by typing the following command:$ ./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin The PBDB Monitor Agent installation wizard opens.


6. In the Choose Install Set dialog, select the check box for the PBDB Monitor Agent, then click Next.

7. In the Select Installation Folder dialog, either click Next to accept the default destination folder or click Choose to select another location and then click Next.



8. In the Configure Agent dialog, specify the UNIX user account to be used to run the PBDB Monitor Agent daemon process and click Next.



9. In the Configure Agent dialog, either click Next to accept the default values or else configure the following.a. Enter the Agent Host Name for the computer that will host the new PBDB Monitor Agent.





d. Click Next.




11. In the Configure Agent dialog, select the database that the PBDB Monitor Agent will monitor and enter the information required to configure the agent for the DBMS.

12. Click Next.

13. In the Pre‐Installation Summary dialog, review the settings you have selected and click Install.The installer performs the following functions:– Creates the installation log file

– Creates the folder structure and files

– Installs the PBDB Monitor Agent files


– Creates the PBDB Monitor Agent daemon process.

– Connects to the Central Configuration Database and registers the agent.

– Creates a history entry in the Status folder




(Linux) Installing a PBDB Assessment Agent

The following table lists information that you will need to complete a PBDB Assessment Agent installation.

Table 31. Information for Installing a PBDB Assessment Agent on a Computer Running Linux


Installation Folder /home/<user_name>/BeyondTrust/


Oracle or SQL ServerNote: This must match your existing


Database Host

Database Instance






To install a PBDB Assessment Agent on UNIX:



3. Change the permission of the copied or downloaded file to be executable. Make sure that this is the Agent Tier installer.$ chmod +x AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin

4. Start the installation program by typing the following command:$ ./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin

The PBDB Monitor Agent installation wizard opens.


6. In the Choose Install Set dialog, select the PBDB Assessment Agent check box, clear the PBDB Monitor Agent check box, and click Next.








e. Click Next.








– Creates the PBDB Assessment Agent daemon process.




(Linux) Installing Both a PBDB Monitor Agent and a PBDB Assessment Agent

The following table lists information that you will need to install both a PBDB Monitor Agent and a PBDB Assessment Agent.

Table 32. Information for Installing a PBDB Monitor Agent and a PBDB Assessment Agent on a Computer Running Linux


Installation Folder /home/<user name>/BeyondTrust

User Account



To install both a PBDB Monitor Agent and a PBDB Assessment Agent on UNIX:



3. Change the permission of the copied or downloaded file to be executable. Make sure that this is the Agent Tier installer.$ chmod +x AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin

4. Start the installation program by typing the following command:$ ./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin The PBDB Monitor Agent installation wizard opens.


User Account Password

Host Name for the new PBDB Monitor Agent


16400

Agent Data Directory /home/<user_name>/BeyondTrust/agent.<hostname>

Central Configuration Server Host Name

Agent Database (database that PBDB Monitor Agent will monitor)


Oracle or SQL ServerNote: This must match your existing PBDB Assessment Repository.






Table 32. Information for Installing a PBDB Monitor Agent and a PBDB Assessment Agent on a Computer Running Linux




6. In the Choose Install Set dialog, select both the PBDB Monitor Agent and the PBDB Assessment Agent, and then click Next.




8. In the Configure Agent dialog, specify the UNIX user account to be used to run the PBDB Monitor Agent daemon process and click Next.



9. In the Configure Agent dialog, either click Next to accept the default values or else configure the following.a. Enter the Agent Host Name for the computer that will host the new PBDB Monitor Agent.





d. Click Next.




11. In the Configure Agent dialog, select the database that the PBDB Monitor Agent will monitor, enter the information required to configure the agent for the DBMS, and click Next.







e. Click Next.


14. In the Pre‐Installation Summary dialog, review the settings you have selected and click Install.The installer performs the following functions:– Creates the installation log file





– Creates the PBDB Monitor Agent daemon process.

– Creates the PBDB Assessment Agent daemon process.







Post Installation Tasks

After you install the PBDB Monitor Agent, complete the post‐installation tasks for your operating system.

(Windows/SQL Server 2000) Create the hname DriverThis procedure is required for SQL Server 2000 (and for SQL Server 2005 and 2008 in compatibility mode). Audit DB uses the hname driver during collections.

On the audited computer:

1. Remove the current hname service by using this sc command:sc delete hname

2. You need the correct version of the hname.sys file, which has different versions for 32 bit, x64, and ia64. The 32 bit hname.sys file is installed with the agent in the Enterprise\bin folder. The x64 bit hname is attached to SalesForce Solution 00000037. Call BeyondTrust Support for the ia64 file.

3. For 32‐bit and 64‐bit computers that are running Windows, save the hname.sys file to the following folder: windows\system32\drivers

4. Create the hname service using this sc command: sc create hname binPath= c:\windows\system32\drivers\hname.sys type= kernel

start= auto Note: There is a space between each = and the next character.

5. Start the hname service using this sc command:sc start hname



(UNIX) Starting the PBDB Monitor Agent Following the installation of a PBDB Monitor Agent on UNIX, you must start the PBDB Monitor Agent service.

To start the PBDB Monitor Agent service:

1. Log in as the user who installed the PBDB Monitor Agent.

2. Go to the <installation location> folder and type cd agent.<hostname>/etc.

3. Run ./entegra.init start.

4. Enter your UNIX password. The password is the UNIX password of the UNIX user who installed the Agent.

Verify PBDB Monitor Agent HeartbeatAll PBDB Monitor Agents communicate with the Central Configuration Agent using HTTP protocol. When a PBDB Monitor Agent starts, it registers with the Central Configuration Agent and sends heartbeat to it at regular intervals based on the "heartbeat period" parameter setting in the EntegraInit.xml file.

At each heartbeat, a PBDB Monitor Agent sends following information to the Central Configuration Agent:

• The agent name

• Current status of the agent

• Detail status if error

• Current time of heartbeat

• Time of last error

• Time of last reset, i.e., the time when configuration was loaded

• Heartbeat interval of the agent

• Time zone of the host where agent is running

• GMT Offset. A negative value implies that the host is located to the west of GMT

• Daylight Saving Time in effect.

• Configuration sequence number. This number is incremented by the Central Configuration Agent every time

you change the configuration.Note: If any PBDB Monitor Agent misses three consecutive heartbeats, the Central Configuration Agent records

its status as broken.Verify that the PBDB Monitor Agent started and is communicating with the Central Configuration Agent by looking in the following log file for a 'heartbeat' message.

On Windows:

<installation_folder>\BeyondTrust\PowerBroker Databases\Agent\Log\ImEntegraAgent*.log

On UNIX:

<installation_folder>/agent.<hostname>/log/lmEntegraAgent*.logOpen the log file in a text editor and search for the word "heartbeat." You should see something similar to the following:

YYYY-MM-DD HH:MM:SS (lmEntegraAgent-4252) - LUM2032I The Audit DB 2.0 Agent on <hostname> has finished initialization. Heartbeat every 300 seconds. Maintenance scheduled Start YYYY-MM-DD HH:MM:SS, Period 1DT00H00M00S.



Support for 1024- and 2048-bit Key Length Certificates with HTTPSPBDB‐MA version 6.8.6 provides support for using either 1024‐bit or 2048‐bit key length certificates along with HTTPS support. You can install any of the certificates for the communication between the agent and the server depending upon your security policy requirements.

Data over HTTPS is encrypted before it is being sent. On receiving end, it is decrypted before it is processed. Trapping of encrypted data over the Internet is difficult making it relatively secure.

Two batch scripts are provided to enable either 1024‐bit or 2048‐bit certificates on the PBDB Monitor Admin Console server and the PBDB Monitor Agent. By default, PBDB‐MA supports 1024‐bit key length certificates. To replace the 1024‐bit support with 2048‐bit support, run the 2048 script. The script also restarts the services.

The script also enables HTTPS support for the PBDB Monitor Admin Console. However, the user can choose to use either HTTP or HTTPS.



Windows Installation

On Windows, the scripts are 1024.bat and 2048.bat.

On the server computer, run the script from the following location:

<PBDB-InstallationDirectory>/PowerBroker Databases/Etc/Certificates_Server

On the agent computer, run the script from the following location:

<PBDB-InstallationDirectory>/PowerBroker Databases/Etc/Certificates_Agent

Linux Installation

On Linux, the scripts are 1024.sh and 2048.sh.

On the server computer, run the script from the following location:

<PBDB-InstallationDirectory>/etc/Certificates_Server

On the agent computer, run the script from the following location:

<PBDB-InstallationDirectory>/etc/Certificates_Agent

HTTPS/HTTP URL Access

The Admin Console and Report Server can be accessed using the following links for both Windows and Linux installations

For the Admin Console:

• http://localhost:10080/eac/jsp/login.jsp

• https://localhost:10081/eac/jsp/login.jsp

For the Report Server:

• http://localhost:10090/auditdb/

• https://localhost:10091/auditdb/

Note: Ensure that both the server and agents are running with same key length certificate; that is, either 1024‐bit key length or 2048‐bit key length certificates must be installed on both the server and the agent. A mismatch will result in agent‐server communication failure with an SLL handshake error message in Event monitor of the Admin Console.

Configuring PowerBroker Databases: Monitor & Audit


Configuring PowerBroker Databases: Monitor & AuditAfter you have installed Audit DB you must configure the system. You use the PBDB Monitor Admin Console to configure Audit DB.

Note: Some configuration tasks can also be performed using the lmConsole utility.

Creating a RepositoryBefore you start the auditing process, you need to configure your Audit DB environment using the PBDB Monitor Admin Console. All the configuration information that you enter in PBDB Monitor Admin Console is saved in the Central Configuration Database.

You must create a Repository before you can begin adding audit sources to your configuration. Audit DB cannot create a new audit source without a default Repository for the collected data. If you create more than one Repository, you can use the Edit Audit Source window to specify the Repository for an audit source.

Note: Creating Repositories requires Audit DB Admin or DBA privileges.

Note: The number of Repositories you can create is limited by your license.

Understanding Repositories

A Repository stores collected data. It consists of an offline portion and an online portion:

• The offline portion is a set of .ecz files ‐ encrypted files containing collected data used to populate the

Repository.

• The online portion is the PBDB Monitor Repository Database ‐ a set of tables containing collected data, as well

as metadata used by other Audit DB functions.

The Collection Agent transfers .ecz files to the computer hosting the Repository. As soon as an .ecz file is transferred, collected data is loaded into the PBDB Monitor Repository Database.

To make collected data available to the PBDB Report Server, you must publish the data after it has been loaded into the Repository. When you create a Repository, you specify publishing schedule and data retention period for this Repository. Data retention period is the number of days that collected data should remain in the Repository after it has been published. When auditing begins, publishing is performed automatically according to the specified schedule. At publishing time, data loaded since last publish becomes available to the PBDB Report Server (along with previously published data) and data that remained in the Repository longer than the specified retention period is purged.

For an Oracle audit source you select a Repository on the database instance level. All data collected on a single Oracle audit source is stored in a single Repository.

For a Microsoft SQL Server audit source you select a Repository on the database level. Each database that belongs to the audit source can have its own Repository. Thus, data collected on a single SQL Server database may be stored in several Repositories.

A single Repository may store audit data from multiple audit sources, including a mixture of SQL Server, Oracle, DB2, and Sybase data. You may set up several Repositories to host data collected from different audit sources. Since reporting and viewing of collected data are done on a per‐Repository basis, direct all data that you want to view in a single report to the same Repository.



(Oracle) Creating a Repository

Before creating a new Oracle Repository:

• Identify an Oracle instance to host the Repository. Make sure this instance has partitioning.

• Make sure that a PBDB Monitor Agent is installed on the computer selected to host the Repository.

• Decide which tablespaces to use for storing the data and for temporary operations. The Add Repository

window will provide a list of the tablespaces available for the selected database.

• Decide what user name to use for accessing the Repository tables. A user with this name will be created by the

Add Repository process and this user name will be the name of the Oracle Schema containing the Repository tables. You will specify this user in step 6 below.

Caution! For Oracle RAC the Repository must be created on a non‐clustered instance.

When you open the Audit DB Summary window for the first time, you are prompted to create a Repository. Creating a Repository is the first step in the configuration process. If you already have one or more repositories, you can still add more.

To create a new Oracle Repository:

1. Log into the PBDB Monitor Admin Console with Admin or DBA privileges.

2. Click the Configure tab. The Audit DB Summary window opens.

3. In the Repositories (View All/Add) area, click Add. The Create Repository window opens. This window is divided into three areas. The third area is initially disabled. Fill in information in the first two areas and click Login to enable input fields in the third area.



4. In the first two areas of the window provide the following information:

a. Select Oracle from the Database Type list.

b. Type the name that will uniquely identify the Repository to Audit DB in the Repository Name field.

Caution! Repository names cannot begin with a number.

c. Select the PBDB Monitor Agent that is installed and running on the computer hosting the PBDB Monitor Repository Database from the Agent Name drop‐down list. This list includes all the agents controlled by the CCDB.

d. Type the network service name (SID) for the Oracle instance hosting the new Repository schema in the Service Name field. This should be the same name as in the tnsnames.ora file.

e. Type the user name with DBA privileges in the Username field. This user will run the scripts that create a repository user and the repository schema.

f. Type the password for the specified user name in the Password field.

5. Click Login. The Add Repository window refreshes, changing the input fields in the first two areas to read only and enabling the input fields in the third area.

6. In the third area of the window provide the following information:

a. Type the name to be created for the user who will own the new Repository tables and access them for auditing in the Repository Username field. You were asked to decide what user name to use here before creating the Repository. This user name will also be the name of the Oracle Schema containing the repository tables.

b. Type the password for the Repository user name in the New Password and Verify Password fields.

c. Select the tablespaces to use for storing the tables and for temporary operations from the Default Tablespace and Temporary Tablespace lists.

d. Select the units (days, months, etc.) for how often you want to publish from the Publish Every list. Then specify the number of units in the Publish Every field and type the date and time when to start publishing data in the Start Publishing field. These fields specify how often to transfer loaded data from unpublished tables into published tables in the Repository. Collected data becomes available to the PBDB Report Server only after it has been published.

e. Type the number of days the audit data will remain available in your on‐line Repository for viewing and reporting in the Data Retention Period. Use this option to manage the size of the Repository by removing old records. If you set Data Retention Period to 0, all data will remain in the Repository forever and eventually you will run out of space.

Note: Data is purged if it was PUBLISHED at least 24 hours *retain days ago.



7. Click Create Repository. The View All Repositories window opens. The new Repository appears in the table listing all repositories. Initially the value of # audit sources for the new Repository is 0, since no audit source has been assigned to this Repository yet.

To open the Repository Summary window:

1. Click the name of the Repository.

(SQL Server) Creating a Repository

Before creating a new Microsoft SQL Server Repository you need to:

• Identify a Microsoft SQL Server Instance to host the Repository.

• Make sure that a PBDB Monitor Agent is installed on the computer selected to host the Repository.

• Select which SQL Server user will own the Repository tables and access the Repository during auditing. This

user must exist before you add a new Repository. You will specify this user in step 6 below.

Caution! When auditing Microsoft Cluster Service (MSCS) clusters, the Repository must be created on a non‐clustered computer.

To create a new Microsoft SQL Server Repository:

1. Log into the PBDB Monitor Admin Console with Admin or DBA privileges.

2. Click the Configure tab. The Audit DB Summary window opens.

When you open the Audit DB Summary window for the first time, you are prompted to create a Repository. Creating a Repository is the first step in the configuration process. If you already have one or more repositories, you can still add more.

3. In the Repositories (View All/Add) area, click Add. The Create Repository tab opens. This window is divided into three areas. The third area is initially disabled. Fill in information in the first two areas and click Login to enable input fields in the third area.

Tip: Editing Repository configuration settings

In the Repository Summary window you can edit Repository configuration settings.



4. In the first two areas of the window provide the following information:

a. Select SQL server from the Database Type list.

b. Type the name that will uniquely identify the Repository to Audit DB in the Repository Name field.

Caution! Repository names cannot begin with a number.

c. Select the PBDB Monitor Agent that is installed and running on the computer hosting the PBDB Monitor Repository Database from the Agent Name drop‐down list. This list includes all the agents controlled by the CCDB.

d. Type the network service name for the database instance that will house the new Repository in the SQL Server Instance field.

e. Type the user name in the Username field. This user must have privileges to run the script that creates the new PBDB Monitor Repository Database.

f. Type the password for the specified user name in the Password field.



5. Click Login. The Add Repository window refreshes, changing the input fields in the first two areas to read only and enabling the input fields in the third area.



6. In the third area of the window, provide the following information:

a. Type the name of the SQL Server database in the Repository Database Name field. This database will be created in the SQL Server instance to hold the Repository tables.

b. Type the name of an existing SQL Server user in the Login Name field. This name will be used to connect to this Repository. You were asked to select this user before creating the Repository.

c. Type the password for the specified login name in the Password field.

d. Select the units (days, months, etc.) for how often you want to publish from the Publish Every list, specify the number of units in the Publish Every field, and type the date and time when to start publishing data in the Start Publishing field. Collected data becomes available to the PBDB Report Server only after it has been published.

e. Type the number of days the audit data will remain available in your on‐line Repository for viewing and reporting in the Data Retention Period. Use this option to manage the size of the Repository by removing old records. If you set Data Retention Period to 0, all data will remain in the Repository forever and eventually you will run out of space.

Note: Data is purged according to transaction timestamp (lumActivities.Time). The algorithm is as follows: Find the minimum activityid for data that is not older than 24 hours * Retain Days from now. Delete all data with a lower activityid #.

Since the first 10 digits of activityid is the load number which is increases sequentially in order of load time and SQL Server data is collected in reverse chronological order, there is almost ALWAYS some data older than Retain Days but purged because some lower numbered transaction exists that is not supposed to be purged.

7. Click Create Repository. The View All Repositories window opens. The new Repository appears in the table listing all repositories.

Note: Initially the value of # audit sources for the new Repository is 0, since no audit source has been assigned to this Repository yet.

To open the Repository Summary window, click the name of the Repository. You can edit the Repository configuration settings in the Repository Summary window.



Configuring the PBDB Report ServerThe primary method of viewing your audit data is via reports. PowerBroker Databases: Monitor & Audit uses the Intellicus Report Server as its reporting tool.

Accessing the PBDB Report Server

There are three ways to access the PBDB Report Server:

Using the Start menu:

Click Start, Programs, PBDB Server, Report Server, Report Portal.

Note: Make sure that Internet Explorer is the default browser on the computer you use to run the PBDB Report Service.

Using Internet Explorer:

Start Internet Explorer and enter the address http://<localhost>:10090/auditdb/

Where localhost is the host name or IP address of the system hosting the PBDB Report Service and 10090 is the default port number.

From the PBDB Monitor Admin Console:

In the PBDB Monitor Admin Console, click the Report tab.

The Login window opens.

You should log into the PBDB Report Server as a user with Super Administrator privileges.

1. In the Login Name field, type the user name, auditdb.

2. In the Password field, type the password auditdb.



3. (Optional) Click OPTIONS to select a different organization or language.

– Organization: The options are Lumigent or Intellica. Login Name and Password for Lumigent is "auditdb". Login Name and Password for Intellica is "Admin".

– Language: The options are English, Arabic, German, or Hindi.

4. Click Login.

Configuring the PBDB Report Server

Before you can start generating reports with the PBDB Report Server you must first complete the following initial configuration tasks:

1. Create a repository connection. For instructions, see “Creating a Report Server Connection to PBDB Repository,” page 117.

2. Deploy PBDB Monitor Report Templates. For instructions, see “Deploying PBDB Monitor Report Templates,” page 121.

Creating a Report Server Connection to PBDB RepositoryThe PBDB Report Server needs a connection to the PBDB Repository in order to generate reports from the data loaded in the Repository. The PBDB Report Server also needs its own repository for the metadata created while generating reports. The default Intellicus repository is an HSQLDB database. The PBDB Report Server supports multiple database connections. One of the connections must be the PBDB Report Server's repository connection.

You can create a separate repository for the PBDB Report Server to hold configuration data. In this case you need to create two connections—one to PBDB Repository and the other one the PBDB Report Server Metadata Repository. We recommend that you create a separate repository for your PBDB Report Server if either of the following applies to your PowerBroker Databases implementation:

• If you have a substantial amount of data in your PBDB Repository and plan to generate lots of reports.

• If you anticipate moving your PBDB Report Service from one server to another (for example, to upgrade to a

newer or more powerful computer). If the configuration information used by the PBDB Report Server (schedules, jobs, tasks, customizations, parameter value groups, etc.) is stored in a database rather than the default HSQLDB flat file, then it is much easier to migrate the PBDB Report Server.

Each of the instances of Microsoft SQL Server hosted on the same computer listens on a specific port. To use multiple instances of Microsoft SQL Server in the PBDB Report Server, create one database connection for each of the instances. The server name, which is the name of the computer hosting multiple instances, for these connections will be the same, but the port will be unique to each of the connections.

To create a connection to a repository:

1. Log into the PBDB Report Server as a user with Super Administrator privileges.

2. Select Administration, Configure, Databases. The Connection Configuration window opens.



In this window you see the list of existing connections. Configuration information about the highlighted connection is displayed below the list.

3. Click Add.

4. In the Connection Name field, type the name that uniquely identifies this connection.

5. Select the database platform from the Provider drop‐down list. The window changes to display the required information for the selected database platform.

6. Enter the following provider specific details about the PBDB Monitor Repository Database to connect to:

If you do not know the database provider, select Others.For SQL Server, in the Server field, enter the name of the host computer only, not the host_computer/server_instance name. – To obtain the port number on SQL Server 2000:

a. On the Microsoft SQL Server 2000 server, start the SQL Server Network Utility.

b. Click the General tab.

c. Click the instance you want from the Instances drop‐down list.

Table 33. PBDB Monitor Repository Database Specifications

HSQLDB Oracle SQL Server

Database

Driver Version

Port

Server Host computer name only

SID



d. Click TCP/IP—Properties. The port number for this instance appears in the Properties dialog box

– To obtain the port number on SQL Server 2005:

a. On the Microsoft SQL Server 2005 server, go to the Microsoft SQL Server 2005 Configuration Tool.

b. Run SQL Server 2005 Configuration Manager.

c. Click the instance you want from the SQL Server 2005 Network Configuration drop‐down list.

d. Double click TCP/IP.

e. Click IP Address. The port number for this instance appears in TCP Port dialog box.

If you work with multiple SQL Server Instances hosted on the same computer, create a separate connection for each instance. For each connection make sure to accurately specify the following information:– In the Server field, specify the name of the computer hosting multiple instances. The Server will be the

same for all instances.

– In the Port field, specify the port number for the instance you are connecting to. Each instance has its own port number.

Example ‐ If you have two SQL Server instances on your computer, my_computer\instance_1 and my_computer\instance_2, create two connections. In the Server field for both connections, specify my_computer. In the Port field for each connection specify the port number for the instance you are connecting to.

7. In the User Name and Password fields, type user name and password that should be used to connect to the PBDB Monitor Repository Database if the database requires specific user name and password for connection.

Note: For Oracle, in the User Name field, enter the name of the repository schema to which you are connecting. In the Password field, enter the password for the repository schema user.

8. If the user name and password are not required to connect to the database, select the Blank check box.

9. To prompt for the user name and password at run time, select the Runtime check box.

10. The URL value is filled in automatically based on the provided information. You can specify different URL by editing this field. If the URL is masked, clear the Mask URL check box to view the value.

11. Select the Is Default box to set this connection as the default. When you start the PBDB Report Service, it will connect to this PBDB Repository by default and all reports will run on this Repository, unless a different connection is specified. For more information see “Modifying a PBDB Repository Connection,” page 120.

12. Select the Is Repository box to set this connection as the PBDB Report Server configuration repository connection. The PBDB Report Server creates a set of tables for the configuration repository and stores its metadata in this repository. At least one of the PBDB Report Server connections must be a configuration repository connection.

13. In the Pool Settings group, specify the following settings that are used to optimize the PBDB Report Server performance:

a. In the Initial Connections field, type the number of connections to be opened up initially. If this is a default or repository connection, this number of connections is opened at start up.

b. In the Incremental Size field, type the number of additional connections to open when the number of requests exceeds the number of initial connections.

c. In the Maximum Connections field, type the maximum number of connections that can be opened. Excess requests are queued until connections are made available. Please check with usage licensing from your database vendor about valid maximum connections.

d. In the Resubmit Time field, type waiting time in seconds before re‐submitting the unused connection.

14. In the Cache field, type the time in minutes after which the record‐set fetched from database servers will be purged. This is set per data connection, but purging thread will purge all the data cached.

15. Click Test.

The PBDB Report Server displays message Connection Test Succeeded. If the test was unsuccessful, fix connection configuration and try again.

16. Click Save.



Note: Every time you add a new repository connection or change a repository connection configuration, you must log out of the PBDB Report Server and restart the PBDB Report Service for the changes to take effect.

Modifying a PBDB Repository ConnectionWhen you start the PBDB Report Service, it connects to a PBDB Repository using the default connection. To select a different connection:

1. Click the connection button in the upper right corner of the window.

The Connect to dialog box opens.

2. Select a different connection from the Select Connection drop‐down list.

3. To use this connection as your default connection, check the Also save in my preferences check box.

4. Click Connect.

Note: Every time you add a new repository connection or change a repository connection configuration, you must log out of the PBDB Report Server and restart the PBDB Report Service for the changes to take effect.



Restarting the PBDB Report ServerEvery time you add a new repository connection or change a repository connection configuration, you must log out of the PBDB Report Server and restart the PBDB Report Service for the changes to take effect.

To restart the PBDB Report Server:

1. Log out of the PBDB Report Server.

2. Click Start, Programs, PBDB Server, Report Server, Stop Server. A console window opens. Wait until the PBDB Report Server stops and the console window closes.

3. Click Start, Programs, PBDB Server, Report Server, Start Server. A console window opens. Wait until the PBDB Report Server starts and the console window closes.

Deploying PBDB Monitor Report TemplatesFor every new repository connection you need to deploy PBDB Monitor Report Templates. The PBDB Monitor Report Templates are installed as .CAB files.

To deploy PBDB Monitor Report Templates:

1. Select Repository, Deploy_Report_Bundle.

2. Click Browse and find the file

C:\Program Files\BeyondTrust\PowerBroker Databases\Report Templates\lumigent_report_templates.cab

Tips:– If you changed the default folder during the PBDB Report Server installation, find this file in the Report

Templates folder in that folder.

– If you access the PBDB Report Server from a remote computer running Windows that is not on the same network as the computer where the PBDB Report Server is installed, you must copy the lumigent_report_templates.cab file on the local computer to be able to deploy the templates.

3. Click Upload. The information derived from the cab file is displayed.

4. Click Deploy. The list of successfully updated reports is displayed.

To access the uploaded reports use the Reports menu.

Recommended PBDB Report Server PropertiesIt is recommended that you make the following adjustment to the default PBDB Report Server properties:

1. Log into the PBDB Report Server as a user with Super Administrator privileges, for example, user auditdb.

2. Select Administration, Configure, Server.

3. Modify the following properties:

Database Connection TimeOut (seconds)– Oracle= 3600 (the default)

– SQL Server = 0 (zero)

Client Session Timeout (seconds) = 7200

4. Click Save.

5. Click Administration, Configure, Client.

Report Server Timeout = 7200HTML Viewer Timeout = 30

Tip: Restarting the PBDB Report Server

You can also click Start, Settings, Control Panel, Administrative Tools, Services to restart the PBDB Report Server.



Report Server Chunk Timeout = 7200Logging Enabled = YesLog Level = Error

6. Click Save.

Modifying Server PropertiesPBDB Report Server has a set of default server properties that it uses when it starts up. To change the default server properties:

1. Click Administration, Configure, Server.

2. Edit the desired server properties.

3. Click Save.

Note: To e‐mail your reports, you must specify the name of your mail server in the SMTP SERVER field. If your mail server requires login to send mail, you must also provide your user name in the SMTP SERVER USER field and password in the SMTP SERVER PASSWORD field.



Modifying the PBDB Monitor Admin Console Time-outBy default, the PBDB Monitor Admin Console logs out the user after 20 minutes of inactivity. This time‐out applies to both the main window and pop‐up windows used to select values. You can modify the time‐out by editing the home.jsp file.

To modify the PBDB Monitor Admin Console time‐out:

1. Stop the PBDB Monitor Admin Console service.

– Windows ‐ Stop the Windows service PBDB Monitor Admin Console– Linux ‐ net stop lmAudit DBGUI

2. Locate the home.jsp file in the following folder:<installation_folder>\BeyondTrust\PowerBroker Databases\

AdminConsole\tomcat\webapps\eac\jsp

3. Make a backup copy of the original file and rename it, for example home_original.jsp.

4. Open the home.jsp file using a text editor.

5. Search for the string setTimeout('killUserSession() which appears twice in the following section of the file:

<SCRIPT LANGUAGE="JavaScript">sessionTO = setTimeout('killUserSession()', 1200000);function killUserSession() {

document.location.href="/eac/logout.do?action=sessionTimeout";}function resetTimeoutByPopup() {

clearTimeout(sessionTO);sessionTO = setTimeout('killUserSession()', 1200000);}

<logic:empty name="token" scope="session">document.location.href="/eac/jsp/login.jsp?action=sessionTimeout";</logic:empty></SCRIPT>

6. Modify the value of both setTimeout values, for example, to set the new value to 60 minutes, enter the following:

setTimeout('killUserSession()', 3600000); The default time‐out value is set to 1200000 milliseconds, or 20 minutes. The following table shows sample values in both minutes and milliseconds.

7. Save the file.

8. Restart the PBDB Monitor Admin Console service.

– Windows ‐ Start the Windows service PBDB Monitor Admin Console– Linux ‐ net start lmAudit DBGUI

Table 34. Converting Minutes to Milliseconds

Minutes Milliseconds

15 900000

30 1800000

45 2700000

60 3600000



Configuring AssessmentThe following configuration steps, which were manual in previous Assessment releases, are performed automatically by the PBDB Server core software installer:

• Generating the bootstrap file (LumigentVMgrBootstrap.properties)

• Creating the PBDB Assessment Repository

• Creating the Assessment User (LUMIGENT_VMGR) in the PBDB Assessment Repository

• Creating the Assessment roles in the PBDB Assessment Repository (LUMIGENT_VMGR_USER,

LUMGIENT_VMGR_REPORTMGR, LUMIGENT_VMGR_OBSOLETEMGR, LUMIGENT_VMGR_ADMIN)

Adding Database Users to the PBDB Assessment RepositoryBefore you can create Assessment users and grant them privileges, you must first create database user IDs in the database that houses the PBDB Assessment Repository. Consult with your database administrator for guidance on creating database users.



Loading Assessment PackagesYou use the Package Loader utility (PackageLoader.bat or PackageLoder.sh) to load package data into the PBDB Assessment Repository.

To load an Assessment Package:

1. Launch the Package Loader utility.

Windows — <installation_folder>\BeyondTrust\Assessment\ PackageLoader.batUNIX — <installation_folder>/BeyondTrust/Assessment/PackageLoader.sh

2. The utility lists all the available packages in the console. To load a package, type the package number and press ENTER. Assessment loads the package and displays the prompt to enter another package.

3. Type another package number or type the letter "q" and press ENTER to quit the console.

Tip: Installation History

You can use the Administration, Installation History window to view which packages have been loaded into the PBDB Assessment Repository.

Validating Your PBDB‐MA Installation


Validating Your PBDB-MA InstallationWhen you install Audit DB components, the installation wizard indicates whether or not the installation has completed successfully.

This chapter provides additional ways to verify that each of your Audit DB components has been successfully installed and is working.

Note: Your Audit DB environment will require additional configuration before you are ready to begin auditing. Because the majority of audit configuration tasks are covered in the Audit DB User Guide, information about how to verify your audit configuration is included in that guide.

Installation Validation ChecklistThis chapter includes additional information about installation validation that can be used for troubleshooting purposes.

Installation Status SummaryPBDB Server

Installation Status SummaryPBDB Server, showing error

Table 35. Installation Validation Checklist

Component

“Verifying the Central Configuration Agent Installation,” page 127

“Verifying the Central Configuration Database Creation,” page 128

“Verifying the PBDB Monitor Admin Console Installation,” page 128

“Verifying the PBDB Report Service Installation,” page 128

“Verifying the lmConsole Installation,” page 129

“Verifying Assessment,” page 130

“Verifying PBDB Monitor Agent Installations,” page 130



Verifying the Central Configuration Agent Installation

The Central Configuration Agent is the first component that you install. You install the Central Configuration Agent as part of the PBDB Server core software.

(Windows) Verifying the Central Configuration Agent Installation

• On the PBDB Server, click Start, Settings, Control Panel, Administrative Tools, Services and verify that the

Windows Service PBDB Monitor Agent exists and has started.

• Using Windows Explorer, verify that the following folder has been created:

<installation_folder>\BeyondTrust\PowerBroker Databases\Agent

• Verify that the log folder and file have been created:

<installation_folder>\BeyondTrust\PowerBroker Databases\Agent\lmEntegraAgent*.log

• Check the agent log file for errors.

• Check the log file for the phrase "Agent successfully registered itself with the ECCS on host '<host name>'.

• Check the log file for the phrase "The PBDB Monitor Agent on <host> has finished initialization. Heartbeat

every 300 seconds."

• Verify that the following log files have been created in the following folder:

<installation_folder>\BeyondTrust\PowerBroker Databases\Agent\

(Linux) Verifying the Central Configuration Agent Installation

• Verify that the process "lmEntegraAgent" exists and has started

• Verify that the following folder has been created

/home/<user_name>/BeyondTrust/agent.<server>• Verify that the log folder and file have been created:

/home/<user_name>/BeyondTrust/agent.<server>/log/lmEntegraAgent*.log• Check the agent log file for errors.


• Check the log file for the phrase "The PBDB Monitor Agent on <host> has finished initialization. Heartbeat

every 300 seconds."

Table 36. Log Files in the Installation Folder

Oracle SQL Server

config_sp_oracle.log config_sp_mssql.log

create_auditdb_user_oracle.log create_auditdb_user_mssql.log

create_lumigent_config_oracle.log create_lumigent_config_mssql.log



Verifying the Central Configuration Database Creation

The Central Configuration Database is called "lumigent."

Oracle CCDB

Using SQL Plus, log into the database as the new user for PBDB‐MA (lumigent/<password>)

Check for lumcfg* tables owned by LUMIGENT

Select table_name from dba_tables where owner=’LUMIGENT’;

SQL Server CCDB

Check that the database has been created and can be accessed using the login ID specified during the Repository creation.

Verifying the PBDB Monitor Admin Console Installation

Windows


Windows Service PBDB Monitor Admin Console exists and has started.


<installation_folder>\BeyondTrust\PowerBroker Databases\AdminConsole

• Verify that the PBDB Monitor Admin Console appears in the Windows Start menu by clicking Start, All

Programs, PBDB Server, PBDB Monitor Admin Console.

• Verify that the PBDB Monitor Admin Console log has been created at the following location:

<installation_folder>\BeyondTrust\PowerBroker Databases\AdminConsole\AuditDBGUI.log

• Verify that you can log in to the PBDB Monitor Admin Console

http://<host>:10080/eac/jsp/login.jsp

Linux

• Verify that the process lmEntegraAgent exists and has started

• Verify that the following folder has been created:

/home/<user_name>/BeyondTrust/AdminConsole• Verify that the AdminWebServer.init daemon exists in the AdminConsole folder and runs successfully.

• The PBDB Monitor Admin Console log has been created:

<installation_folder>/BeyondTrust/AdminConsole/AuditDBGUI.log• You can log in to the PBDB Monitor Admin Console

http://<host>:10080/eac/jsp/login.jsp

Verifying the PBDB Report Service Installation

Windows


Windows Service PBDB Report Service exists and has started.

• Using Windows Explorer, verify that the following directories have been created:

<installation_folder>\BeyondTrust\PowerBroker Databases\ReportServer

• The PBDB Report Server appears in the Windows Start menu. Click Start, All Programs, PBDB Server, Report

Server.



• You can log in to the PBDB Report Server from either the Report tab of the PBDB Monitor Admin Console or

directly via either of the following URLs.

http://localhost:10090/PowerBroker Databasesorhttp://<hostname>:10090/PowerBroker Databases


<installation_folder>\BeyondTrust\PowerBroker Databases\ReportServer\ReportEngine\logs\ReportEngine.log

• Check the log file for the phrase "Designers can start now"

Linux

• Verify that the following folder has been created:

/home/<username>/BeyondTrust/ReportServer• You can log in to the PBDB Report Server from either the Report tab of the PBDB Monitor Admin Console or

directly via either of the following URLs.

http://localhost:10090/PowerBroker Databasesorhttp://<hostname>:10090/PowerBroker Databases


<installation_folder>\BeyondTrust\PowerBroker Databases\ReportServer\ReportEngine\logs\ReportEngine.log

• Check the log file for the phrase "Designers can start now"

Verifying the lmConsole Installation

• Verify that the lmConsole folder has been created

Windows<installation_folder>\BeyondTrust\PowerBroker Databases\

Tools\lmConsoleLinux/home/<user_name>/BeyondTrust/Tools/lmConsole

• Launch the lmConsole by clicking the lmConsole.bat file or running the lmConsole.sh file in the lmConsole

folder.

• Log in to the lmConsole:

If installed on the same computer as the CCDB:lmconsole> login –user auditdb –password auditdb

If installed on a different computer than the CCDB:lmconsole> login –user auditdb –password auditdb –host <hostname> -port 16401



Verifying Assessment

• Verify that the Assessment folder has been created:

Windows<installation_folder>\BeyondTrust\PowerBroker Databases\

AssessmentLinux <installation_folder>/BeyondTrust/Assessment

• Verify that the Assessment services exist and have started.


– LumigentVMgrUI

• Messages produced at startup and shutdown of the Agent Service are written to the file

AgentService.log found in the Assessment folder.

• Messages produced by the UI Service are logged to files in the tomcat/logs folder. On UNIX platforms they

are also logged to the file UIService.log in the installation folder.

• On all platforms, messages produced during Agent operation are written to the file Agent.log in the Assessment folder. The LoggerConfig.properties file is set by default to print only informational and critical errors.

• To verify package loading, review the session log files created during package installation. The session log file

can be found in the following folder:

Windows ‐ C:\tempLinux ‐ /tmp

Verifying PBDB Monitor Agent Installations

Windows

• Click Start, Settings, Control Panel, Administrative Tools, Services and verify that the Windows Service

PBDB Monitor Agent exists and has started.


<installation_folder>\BeyondTrust\PowerBroker Databases\Agent


<installation_folder>\BeyondTrust\PowerBroker Databases\Agent\lmEntegraAgent*.log

• Check the agent log file for errors.


• Check the log file for the phrase "The AuditDB Agent on <host> has finished initialization. Heartbeat every 300

seconds."

Linux

• Verify that the process "lmEntegraAgent" exists and has started

• Verify that the following folder has been created

/home/<user name>/BeyondTrust/agent.<server>• Verify that the log folder and file have been created:

/home/<user_name>/BeyondTrust/agent.<server>/log/lmEntegraAgent*.log• Check the agent log file for errors.

• Check the log file for the phrase "Agent successfully registered itself with the ECCS on host <host_name>."

• Check the log file for the phrase "The PBDB Monitor Agent on <host_name> has finished initialization. Heartbeat every 300 seconds."



Verifying the Product License Key InstallationWhen you add license keys to Audit DB, the license data appears on the Admin Licenses tab.

After you add a license, you should check that the number of audit sources and Repositories are correct.

Verifying the PBDB Repository Creation You use the PBDB Monitor Admin Console to create the PBDB Repository. After you click Create Repository, Audit DB displays the Repository List tab.

When you first create a Repository it is uninitialized. After the creation process is complete, the Repository Status should be listed as follows:

• Configure > Repository List = on‐line

• Monitor > Dashboard = OK

Check the lmEntragraAgent.log file for errors. This file can be found in the following folder:

Windows

<installation_folder>\BeyondTrust\PowerBroker Databases\Agent\Log

Linux

<installation_folder>/BeyondTrust/Agent/Log

Alternative Implementations


Alternative ImplementationsThe standard Audit DB implementation is described in “PBDB Tiered Deployment Architecture,” page 17. The standard deployment should be sufficient for the majority of Audit DB implementations. However, the very smallest and largest implementations may require a different topology.

The following table provides the recommended deployment topologies for various deployment sizes, taking into consideration both number of audit sources, and volume of activity per audit source. The different deployment models are described in this chapter.

* High volume audit sources should be evaluated on a case by case basis. A variety of approaches can be employed, but must be appropriately designed for the given circumstances and tested thoroughly in a test environment before migrating to your production environment.

Table 37. Recommended Deployment Topologies

Number of Audit Sources

Audit source volume = Low

Audit source volume = Medium

Audit source volume = High*

1 ‐ 5 A B B,C

6 ‐ 20 B B B,C

> 20 B B B,C,D



Deployment Model ADeployment model A is only appropriate for very small implementations, that is, implementations with one to five low volume audit sources. In this implementation, all Audit DB components are installed on the same computer.

If all target audit sources are Oracle databases, no additional agents are required. DB2 and SQL Server databases require an agent installation on the audit source.



Deployment Model BThe Model B implementation is the standard deployment which should be used for the majority of implementations. In this model, you install one PBDB Monitor Agent to act as the Central Configuration Agent and Loader Agent on the PBDB Server, and install additional agents on each of the audit source computers to perform the Collection and Monitor roles. This model is the deployment architecture referred to in the bulk of this Installation Guide.

Deployment Model CFor implementations where there is high volume of activity on audit sources or a requirement for 0 performance overhead on production database servers, you can move the collection processing to one or more dedicated Collection Servers.

Deployment Model C is appropriate for implementations where there is a high volume of activity on any number of audit sources. However, if you have both high volume activity and a large number of audit sources (greater than 20) you should use Deployment Model D, as described in the next section.

In this deployment model, the PBDB Server hosts both the PBDB Server core software and the Repository tier, one or more dedicated servers host the Collection tier, and PBDB Monitor Agents are installed on all computers in each tier, with the exception of Oracle audit sources.

Note: In this topology, you must account for network i/o related to the transfer of transaction log data from the database server to the collector server (either through FTP or direct file i/o over a network mounted drive).



Deployment Model DImplementations that have both high volumes of activity and large numbers of audited databases should use a deployment where each functional tier is hosted on one or more dedicated servers. This implementation can be used when a very large volume of data is being collected and stored in a Repository, or if Audit DB is leveraging a database server hosted in a separate datacenter.

Custom Installations


Custom InstallationsThis chapter includes additional instructions and guidance for non‐default Audit DB installations.

Understanding Custom InstallationsThe previous chapters in this guide describe the recommended installation for the Audit DB components. However, there are cases where the recommended installation may not be the optimum installation for your business needs.

• Very small installations (those monitoring five or fewer audit sources and running a very limited number of

reports) may choose to install all of the Audit DB components on a single computer.

• Large installations (those running a large number of daily reports and/or monitoring a large number of audit

sources) may need one or more of the following custom installations:– Installing the PBDB Server core software on separate computers.

– Installing two or more Repositories.

– Installing two or more Collection computers.

Note: For more information about sizing requirements, see “Sizing Guidelines,” page 19.

Table 38. Installation Requirements for PBDB Components

Tier and Component Installation Requirements

PBDB Server core software

Central Configuration Agent / Central Configuration Database

Must be first component installed. The Central Configuration Agent creates the Central Configuration Database when it is installed. All of the other PBDB Server core software needs to be able to communicate with the CCDB to function.The Central Configuration Database cannot be installed on a node that is a part of Oracle RAC. However, the Central Configuration Agent can remotely collect data from an audit source that is a part of Oracle RAC.

PBDB Monitor Admin Console Can be installed anywhere. As a best practice, should be installed on the PBDB Server.

PBDB Report Service Can be installed anywhere. As a best practice, should be installed on the PBDB Server.Must have database clients installed that match the PBDB Monitor Repository Database.

lmConsole Can be installed anywhere. As a best practice, you should install the lmConsole on the PBDB Server (that is, on the same computer as the Central Configuration Agent). This lets the lmConsole automatically locate the port on which the Central Configuration Agent is running.

PBDB Assessment Agent, PBDB Assessment Console, and PBDB Assessment Repository

Can be installed anywhere.As a best practice, should be installed as part of the PBDB Server core software.

Repository Tier



PBDB Repository Can be installed anywhere. As a best practice should be installed on a dedicated Repository Tier computer.

• Very small installations may install the Repository Tier on the

same computer as the PBDB Server core software, although this is not a recommended configuration.

• Larger installations may require multiple dedicated

Repository Tier computers.

Loader Agent One Loader Agent must be installed on each Repository Tier computer.Note: If the Repository Tier is installed on the same computer

as the PBDB Server core software, you cannot install a second agent. The Central Configuration Agent performs the Loader Agent role.

Collection Tier

Collection Agent Can be installed anywhere. As a best practice should be installed on a dedicated Collection Tier computer.

• Very small installations may install the Collection Tier on the

same computer as the PBDB Server core software, although this is not a recommended configuration.

• Larger installations may require multiple dedicated

Collection Tier computers.Note: If the Collection Tier is installed on the same computer

as the PBDB Server core software, you cannot install a second agent. The Central Configuration Agent performs the Collection Agent role.

Audit Source Tier

PBDB Monitor Agent • DB2 ‐ Requires a PBDB Monitor Agent on each audit source

computer (Monitor role).

• Oracle ‐ No software required on audit source computer.

• SQL Server ‐ Requires a PBDB Monitor Agent on each audit

source computer (Monitor role).

Table 38. Installation Requirements for PBDB Components

Tier and Component Installation Requirements



(Windows) Custom InstallationsYou use the same installation program for custom installations that you use for the recommended installation. Before performing a custom installation, you should review the installation instructions in the previous chapters.

(Windows) PBDB Server Custom Installation

The recommended configuration is to install all of the PBDB Server core software on a single computer. But the PBDB Server installer also supports installing each of the Windows components separately. For example, if you wanted to install the PBDB Report Service on its own computer, or need to reinstall one of the tier components.

To install individual components, in the Select Installation Type dialog, choose Custom.

Caution! The Central Configuration Agent and Central Configuration Database must be installed first. All of the other PBDB Server core software needs to be able to communicate with the CCDB in order to function.

(Windows) Installing the Central Configuration AgentCaution! The Central Configuration Agent and Central Configuration Database must be installed first. All of the

other PBDB Server core software needs to be able to communicate with the CCDB in order to function.

To perform a custom installation of Central Configuration Agent:

1. Log on as a local administrator. To create the Central Configuration Agent, you must have authority to create a database user and the schema and modify the registry.

2. In the PBDB Server folder of the installation media, launch AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.exe. The PBDB Server installation wizard opens.


4. In the Select Installation Type dialog, click Custom, then click Next.



5. In the Select Installation Type dialog, select Central Configuration Server and clear all the other options.

6. Click Next.

7. In the Select Installation Folder dialog, click Next to accept the default destination folder or click Choose to select another location.

8. In the Configure Agent dialog, select the Windows user account to be used to run the Central Configuration Agent service.



9. Click Next.

10. In the Configure Agent dialog, click Next to accept the default values OR

a. Enter the Host Name for the communication port on this computer.




d. Click Next.


11. In the Configure Central Configuration Database dialog, select the database platform where you are going to create the Central Configuration Database.

For Oracle databases:



a. Type the name of the Net Service where the Central Configuration Database (CCDB) should be created. This is the Oracle service name that can be found in the tnsnames.ora file.

b. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Central Configuration user and schema (called "lumigent"). The Central Configuration Agent will use the user to connect to the CCDB schema within Oracle.


d. Click Next. The installer connects to the database using the supplied credentials. The Configure Central Configuration Database ‐ Oracle Schema window opens.

e. Enter a Password for the user. The will installer automatically create the user.

f. Re‐enter the Password for the user.

g. Type the DEFAULT Tablespace. The default value is USERS.

h. Type the TEMP Tablespace. The default value is TEMP.

i. Click Next.

For SQL databases:a. Type the name of the Database Instance where the Central Configuration Database (CCDB) should be

created.

– If connecting to the default instance, leave this field blank.

– If connecting to a named instance, enter the instance name.

b. Select an authentication method.


a. Type the SQL Server DB User Name. This is the SQL Server user that the installer will use to create the Central Configuration user and schema (called "lumigent"). The Central Configuration Agent will use the user to connect to the CCDB schema within SQL Server.


c. Click Next. The installer connects to the database using the supplied credentials.

12. In the Pre‐Installation Summary dialog, review the settings you have selected and click Install.

The installer performs the following functions:– Creates the folder structure and files




– Starts the PBDB Monitor Agent Windows service.


(Windows) Installing the PBDB Monitor Admin ConsoleTo perform a custom installation of the PBDB Monitor Admin Console:







5. In the Select Installation Type dialog, select PBDB Monitor Admin Console, clear all the other options, and click Next.


7. In the Central Configuration Service Information dialog, enter the following and click Next:

a. Host Name ‐ This is the name of the computer hosting the Central Configuration Agent.

b. Central Configuration Listener Port ‐ The default value is 16401. If you changed the port value for the Central Configuration Communication Port, this value must be that port value +1.

c. Namespace Service Port ‐ The default value is 16402. If you changed the port value for the Central Configuration Communication Port, this value must be that port value +2.

8. In the PBDB Report Server dialog, enter the name of the computer hosting the PBDB Report Server.

Note: If you have not yet installed the PBDB Report Server, accept the default value. After you have installed the PBDB Report Server, change the name of the PBDB Report Server host in the properties file. For instructions, see “(Windows) Changing the Name of the PBDB Report Server,” page 148.



– Installs the PBDB Monitor Admin Console.


– Starts the PBDB Monitor Admin Console Windows service.




(Windows) Installing the PBDB Report ServiceTo perform a custom installation of the PBDB Report Service:




4. In the Select Installation Type dialog, click Custom and click Next.

5. In the Select Installation Type dialog, select Report Server, clear all the other options, and click Next.

6. In the Select Installation Folder dialog, either click Next to accept the default destination folder or else click Choose to select another location and then click Next.



– Installs the PBDB Report Service


– Starts the PBDB Report Server Windows service.




It is recommended that you install the PBDB Report Service on the same computer as the PBDB Server core software. If your implementation calls for installing the PBDB Report Service on a separate computer, you must perform these additional tasks:

1. Change the PBDB Report Server host name in the AuditDBGUI.properties file. For instructions, see “(Windows) Changing the Name of the PBDB Report Server,” page 148.

2. Create a connection between the PBDB Report Server and the PBDB Repository. For instructions, see “Creating a PBDB Report Server Connection to Audit DB Repository,” page 148.

3. Restart the PBDB Report Server. For instructions, see “(Windows) Restarting the PBDB Report Server,” page 148.

(Windows) Installing the lmConsoleTo perform a custom installation of the lmConsole:





5. In the Select Installation Type dialog, select lmConsole, clear all the other options, and click Next.






– Installs the lmConsole.



(Windows) Installing AssessmentTo install only Assessment:

1. Log on as a local administrator. To create the PBDB Assessment Repository you must have authority to create a database user and the schema and modify the registry.




5. In the Select Installation Type dialog, select Assessment, clear all the other options, and click Next.


7. In the Assessment Setup dialog, select the database platform where you are going to create the PBDB Assessment Repository.

For Oracle databases:a. Type the name of the Net Service where the PBDB Assessment Repository should be created. This is the

Oracle Service

b. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Assessment user and schema (called "LUMIGENT_VMGR"). Assessment will use the LUMIGENT_VMGR user to connect to the Assessment schema within Oracle.

c. Type the Oracle DB Password, and then click Next.



For SQL Server databases:a. Type the name of the Database Instance where the PBDB Assessment Repository should be created.

– If connecting to the default instance, leave this field blank.

– If connecting to a named instance, enter the instance name.

b. Select an authentication method.


a. Type the SQL Server DB User Name. This is the SQL Server user that the installer will use to create the Assessment user and schema (called "LUMIGENT_VMGR"). The Agent will use the default Assessment user to connect to the Assessment schema within SQL Server.


c. Click Next.

8. In the Assessment Setup dialog:

a. Enter the Assessment User Password, then re‐enter it. This will be the password for the LUMIGENT_VMGR user.

b. If necessary, modify the defaults for the Local Administration and Agent Listener ports.

c. Click Next.


The installer performs the following functions:– Creates the folder structure and files.

– Installs the PBDB Assessment Agent.

– Installs the PBDB Assessment Console.

– Creates the Assessment user and roles.

– Creates the PBDB Assessment Repository.


– Starts the PBDB Assessment Agent and PBDB Assessment Console services.




(Windows) Changing the PBDB Report Service Port NumberBy default PBDB Report Service uses port 10090. If you have reserved this port for another application, you must change the port used by the PBDB Report Service.

To change the port number for the PBDB Report Service:

1. Navigate to the following folder:

<installation_folder>\BeyondTrust\PowerBroker Databases\Report Server\Jakarta\conf\

2. Using a text editor, open the server.xml file.

3. Search for the following text string:

Connector port="10090"

4. Change the value of Connector port to the number of an available port and save the changes.

5. Click Start, Settings, Control Panel, Administrative Tools, Services and stop the PBDB Monitor Admin Console service.



7. Using a text editor, open the AuditDBGUI.properties file.

8. Locate the following line:

reportServerURL=http://<hostname>:10090/auditdb/

9. Change the port number and save the changes.

10. Click Start, Settings, Control Panel, Administrative Tools, Services and restart the PBDB Monitor Admin Console service.



(Windows) Changing the Name of the PBDB Report ServerTo change the name of the PBDB Report Service host computer:





reportServerURL=http://<hostname>:10090/auditdb/reportServerURL=http://report_server_computer_name:10090/auditdb/

4. Replace report_server_computer_name with the actual name of the computer hosting the PBDB Report Service.

5. Save AuditDBGUI.properties.

6. Restart the PBDB Monitor Admin Console.

Creating a PBDB Report Server Connection to Audit DB RepositoryFor instructions for creating a PBDB Report Server connection to the Repository, see “Creating a Report Server Connection to PBDB Repository,” page 117.

(Windows) Restarting the PBDB Report ServerTo restart the PBDB Report Server:


2. Right‐click the PBDB Report Server icon in the Task Bar.

3. Select Stop Report Server and wait until the PBDB Report Server stops.

4. Right‐click the PBDB Report Server icon.

5. Select Start Report Server.

Note: You can also click Start, Settings, Control Panel, Administrative Tools, Services to restart the PBDB Report Server.



(Windows) Repository Tier Custom Installation

Note: You must install the Loader Agent before you create the PBDB Repository.The majority of deployments do not require a dedicated Repository server. In most implementations the Central Configuration Agent performs the Loader Agent role.

If your implementation requires a separate Repository server, you must install a PBDB Monitor Agent on the server to perform the Loader Agent role.

If your implementation is large enough to require more than a single Repository (“Deployment Model D,” page 135), you must install a PBDB Monitor Agent on each Repository computer.

(Windows) Collection Tier Custom Installation

Small (“Deployment Model A,” page 133) and standard implementations do not require a separate Collection server. The agent installed on the audit source performs the Collection Agent role.

Larger implementations (“Deployment Model C,” page 134 and “Deployment Model D,” page 135) require one or more dedicated Collection Servers.

(UNIX) Custom InstallationsYou use the same installation program for custom installations that you use for the recommended installation. Before performing a custom installation, you should review the installation instructions in the previous sections.



(Linux) PBDB Server Custom Installation

The recommended configuration is to install all of the PBDB Server core software on a single computer. But the PBDB Server core software installer also supports installing each of the Linux components separately. For example, if you wanted to install the PBDB Report Service on its own computer or needed to reinstall one of the tier components.

To install individual components, in the Select Installation Type dialog, choose Custom, then select the components you want to install.

Caution! The Central Configuration Agent and Central Configuration Database must be installed first. All of the other PBDB Server core software needs to be able to communicate with the CCDB to function.

(Linux) Installing the Central Configuration AgentCaution! The Central Configuration Agent and Central Configuration Database must be installed first. All of the

other PBDB Server core software needs to be able to communicate with the CCDB in order to function.

Note: Installation of the PBDB Server core software is supported on Red Hat Linux only.To install the PBDB Server core software, you must log in as a user with DBA privileges for the database where the Central Configuration Database is going to be created. “Operating System Account Setup,” page 47 provides instructions for UNIX user account permissions. Before installing Audit DB components, you should create a user following the provided guidelines.

To install the Central Configuration Agent on Linux:

1. Log into the computer as an OS Administrator user with read, write, and execute permissions to the planned agent’s home folder.

2. Change directory to the folder of the installation media, either the installation CD or downloaded media. For example, if you have copied the media into a temporary folder:

$ cd /home/<user_name>/temp



3. Change the permission of the copied or downloaded file to be executable. Make sure that this is the PBDB Server installer.

$ chmod +x AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin

4. Start the installation program by typing the following command:

$ ./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin The PBDB Server installation wizard opens.



7. In the Select Installation Type dialog, select Central Configuration Agent and clear all the other options. Click Next.


9. In the Configure Agent dialog, enter the Linux user account and password that will be used to run the Central Configuration Agent. Click Next.

10. In the second Configure Agent dialog, click Next to accept the default values OR

a. Enter the Host Name for the communication port on this computer.




d. Click Next.




11. In the Configure Central Configuration Database dialog,

a. Select Oracle as the target database.

b. Type the name of the Net Service where the Central Configuration Database (CCDB) should be created. This is the Oracle service name that can be found in the tnsnames.ora file.

c. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Central Configuration user and schema (called "lumigent"). The Central Configuration Agent will use the user to connect to the CCDB schema within Oracle.

d. Type the Oracle DB Password.

e. Click Next.

12. In the Configure Central Configuration Database ‐ Oracle Schema dialog,

a. Enter a Password for the user. The will installer automatically create the user.

b. Re‐enter the Password for the user.

c. Type the DEFAULT Tablespace. The default value is USERS.

d. Type the TEMP Tablespace. The default value is TEMP.

e. Click Next.






– Starts the PBDB Monitor Agent daemon process


(Linux) Installing the PBDB Monitor Admin ConsoleNote: “Operating System Account Setup,” page 47 provides instructions for UNIX user account permissions.

Before installing Audit DB components, you should create a user following the provided guidelines.To install the PBDB Monitor Admin Console on Linux:

1. Log on as the PBDB‐MA user on UNIX.









6. In the Select Installation Type dialog, select PBDB Monitor Admin Console and clear all the other options. Click Next.


8. In the Central Configuration Agent Information dialog, enter the following and click Next.

– Host Name ‐ This is the name of the computer hosting the Central Configuration Agent.

– Central Configuration Listener Port ‐ The default value is 16401. If you changed the port value for the Central Configuration Communication Port, this value must be that port value +1.

– Namespace Service Port ‐ The default value is 16402. If you changed the port value for the Central Configuration Communication Port, this value must be that port value +2.

9. In the PBDB Report Server dialog, enter the name of the computer hosting the PBDB Report Service.

Note: If you have not yet installed the PBDB Report Service, accept the default value. After you have installed the PBDB Report Service, change the name of the PBDB Report Server in the properties file. For instructions, see “(Linux) Changing the Name of the PBDB Report Server,” page 156.



– Installs the PBDB Monitor Admin Console


– Starts the Audit DB GUI daemon process




(Linux) Installing the PBDB Report ServiceTo perform a custom installation of the PBDB Report Service:








6. In the Select Installation Type dialog, select Report Server and clear all the other options.

7. Click Next.




– Installs the PBDB Report Service


– Starts the PBDB Report Service daemon process




We recommend that you install the PBDB Report Service on the PBDB Server. If your implementation calls for installing the PBDB Report Service on a separate computer, you must perform these additional tasks:

1. Change the PBDB Report Server host name in the AuditDBGUI.properties file. For instructions, see “(Linux) Changing the Name of the PBDB Report Server,” page 156.

2. Create a connection between the PBDB Report Server and the PBDB Repository. For instructions, see “Creating a PBDB Report Server Connection to Audit DB Repository,” page 148.

3. Restart the PBDB Report Server. For instructions, see “(Linux) Restarting the PBDB Report Service,” page 156.

(Linux) Changing the PBDB Report Service Port NumberBy default PBDB Report Service uses port 10090. If you have reserved this port for another application, you must change the port used by the PBDB Report Service.

To change the port number for the PBDB Report Service:


<installation_folder>/BeyondTrust/ReportServer/jakarta/conf

2. Using a text editor, open the server.xml file.

3. Search for the following text string:

Connector port="10090"

4. Change the value of Connector port to the number of an available port and save the changes.

5. Stop the PBDB Monitor Admin Console process.


<installation_folder>/BeyondTrust/AdminConsole



reportServerURL=http://<hostname>:10090/auditdb/

9. Change the port number and save the changes.

10. Start the PBDB Monitor Admin Console process.



(Linux) Changing the Name of the PBDB Report ServerTo change the name of the PBDB Report Service host computer:


<installation_folder>/BeyondTrust/AdminConsole



reportServerURL=http://<hostname>:10090/auditdb/reportServerURL=http://report_server_computer_name:10090/auditdb/

4. Replace report_server_computer_name with the actual name of the computer hosting the PBDB Report Service.

5. Save AuditDBGUI.properties.

6. Restart the PBDB Monitor Admin Console.

Creating a PBDB Report Server Connection to Audit DB RepositoryThe procedure for creating a PBDB Report Server connection to the Audit DB Repository is the same for both Windows and Linux. You perform this task using the PBDB Monitor Admin Console. For instructions, see “Creating a Report Server Connection to PBDB Repository,” page 117.

(Linux) Restarting the PBDB Report ServiceTo restart the PBDB Report Service:


2. Stop the PBDB Report Service by running the following file

<installation_folder>/ReportServer/reportengine/bin/run.sh.

3. Restart the PBDB Report Service by running the following file:

<installation_folder>/ReportServer/jakarta/bin/startup.sh.



(Linux) Installing the lmConsoleIf you are installing the lmConsole on the same host as the Central Configuration Agent, install the lmConsole in the same folder as the agent. Otherwise, create a new installation folder for the lmConsole.

To perform a custom installation of the lmConsole:








6. In the Select Installation Type dialog, select lmConsole and clear all the other options.

7. Click Next.




– Installs the lmConsole




(Linux) Installing AssessmentTo install only Assessment:


$ cd /home/<user name>/temp

2. Change the permission of the copied or downloaded file to be executable. Make sure that this is the PBDB Server installer.

$ chmod +x LumigentTier_Setup_linux.bin


$ ./LumigentTier_Setup_linux.binThe PBDB Server installation wizard opens.



6. In the Select Installation Type dialog, select Assessment and clear all the other options.

7. Click Next.


9. In the Assessment Setup dialog, select Oracle as the database platform where you are going to create the PBDB Assessment Repository.

a. Type the name of the Net Service where the PBDB Assessment Repository should be created. This is the Oracle Service

b. Type the Oracle DB User Name. This is the Oracle database user that the installer will use to create the Assessment user and schema (called "LUMIGENT_VMGR"). Assessment will use the LUMIGENT_VMGR user to connect to the Assessment schema within Oracle.


d. Click Next.

10. In the Assessment Setup dialog, enter the Assessment User Password, then re‐enter it. This will be the password for the LUMIGENT_VMGR user.

11. If necessary, modify the defaults for the Local Administration and Agent Listener ports.

12. Click Next.


The installer performs the following functions:– Creates the folder structure and files.

– Installs the PBDB Assessment Agent.

– Installs the PBDB Assessment Console.

– Creates the Assessment user and roles.

– Creates the PBDB Assessment Repository.


– Starts the PBDB Assessment Agent and PBDB Assessment Console processes.




Understanding Unattended InstallationsThe Audit DB installation programs can be run from the command line without user interaction.

(Windows) PBDB Server - Unattended Installation

To install the PBDB Server core software from a command line, you enter the required inputs for the installation into a properties file which the installer users to complete the installation.

(Windows) Unattended PBDB Server Installation ChecklistThe following table lists the properties that you must specify in order to install the PBDB Server core software via an unattended installation. You enter these values in the lumigentinstaller.properties file.

Table 39. Properties for Unattended Installation of PBDB Server Core Software (Windows)

Value Default value Notes

INSTALLER_UI= silent Do not change this value.

USER_INSTALL_DIR= C:\\Program Files\\BeyondTrust\\PowerBroker Databases

PERFORM_UPGRADE= yes

INSTALL_PRODUCTS_IN_UPGRADE_DIR

yes

CHOSEN_INSTALL_SET= Complete

CHOSEN_INSTALL_FEATURE_LIST=

CCServer,AdminConsole,ReportServer,Tools,lmConsole

SERVICE_USERNAME= To use local system account, leave blank.

SERVICE_PASSWORD= To use local system account, leave blank.

AGENT_HOSTNAME=

AGENT_COMMUNICATION_ PORT=

16400

AGENT_DATA_DIRECTORY= C:\\Program Files\\BeyondTrust\\PowerBroker Databases\\Agent

CENTRAL_CONFIG_ HOSTNAME=

CC_LISTENER_PORT= 16401 AGENT_COMMUNICATION_PORT + 1

NAMESPACE_SERVICE_ PORT=

16402 AGENT_COMMUNICATION_PORT +2



(Windows) Performing an Unattended PBDB Server InstallationTo install the PBDB Server core software from the command line:

1. In your installation media, locate the lumigentinstaller.properties file.

2. Using a text editor, open the file.

3. Enter values for the following user inputs as described in “(Windows) Unattended PBDB Server Installation Checklist,” page 159.

4. Save the properties file.

5. Open a command prompt.

6. Change directory to the location of your installation media. For example:

cd C:\Downloadsorcd <CD name>

7. Enter the following command:

LumigentTier_setup_<OS>.exe -f <properties file path>Example 1 ‐ If the properties file is in the same folder as LumigentTier_setup_<OS>.exe:

LumigentTier_setup_<OS>.exe -f lumigentinstaller.propertiesExample 2 ‐ If the properties file is in C:\temp:

REPORT_SERVER_HOST NAME=

SELECTED_CCDB_TYPE= Valid values are

• MSSQL

• Oracle

CCDB_DBA= Oracle DBA account.Leave blank for SQL Server.

CCDB_DBA_PASSWORD= Oracle DBA password.Leave blank for SQL Server.

CCDB_USERNAME= Oracle ‐ default user name is "lumigent".SQL Server ‐ leave blank for Windows authentication.

CCDB_PASSWORD= Oracle ‐ enter a password for the user.SQL Server ‐ leave blank for Windows authentication.

CCDB_INSTANCE=

ORACLE_HOME=

ORACLE_DEFAULT_ TBLSPC=

USERS Oracle default TableSpace.

ORACLE_TEMP_TBLSPC= TEMP Oracle temp TableSpace.

Table 39. Properties for Unattended Installation of PBDB Server Core Software (Windows)




LumigentTier_setup_<OS>.exe -f c:\temp\lumigentinstaller.propertiesNote: There is no installation confirmation during an unattended Windows installation. The command

prompt appears, then the installer performs the following functions:

– Creates the installation log file







8. After the installation has completed, you can view the installation status by opening the following file in a browser.

C:\Program Files\BeyondTrust\PowerBroker Databases\Status\index.html

9. Verify that the Central Configuration Agent started by searching in the following log file for a 'heartbeat' message.

<installation_folder> \BeyondTrust\PowerBroker Databases\Agent\Log\ImEntegraAgent*.log

"The Audit DB 2018 Agent on <hostname> has finished initialization. Heartbeat every 300 seconds."

(Windows) Agents - Unattended Installation

The agent installation program can be launched from a command line and perform the installation without user interaction. You enter the required inputs for the installation into a properties file which the installer users to complete the installation.

(Windows) Unattended Agent Installation ChecklistThe following table lists the properties that you must specify in order to install a PBDB Monitor Agent via an unattended installation. You enter these values in the agentinstaller.properties file.

Table 40. Properties for Unattended Installation of a PBDB Monitor Agent (Windows)



USER_INSTALL_DIR= C:\\Program Files\\BeyondTrust\\PowerBroker Databases


INSTALL_PRODUCTS_IN_UPGRADE_DIR=

yes

SERVICE_USERNAME= To use local system account, leave blank.

SERVICE_PASSWORD= To use local system account, leave blank.

AGENT_HOSTNAME=



(Windows) Performing an Unattended Agent InstallationTo install a PBDB Monitor Agent from the command line:

1. In your installation media, locate the agentinstaller.properties file.


3. Enter values for the following user inputs as described in “(Windows) Unattended Agent Installation Checklist,” page 161.




cd C:\Downloadsorcd <CD name>


AgentTier_setup_<OS>.exe -f <properties file path>Example 1 ‐ If the properties file is in the same folder as AgentTier_setup_<OS>.exe:

AgentTier_setup_<OS>.exe -f agentinstaller.propertiesExample 2 ‐ If the properties file is in C:\temp:

AgentTier_setup_<OS>.exe -f c:\temp\agentinstaller.propertiesNote: There is no installation confirmation during an unattended installation. The command prompt

appears, then the installer performs the following functions:








8. Verify that the Agent started and is communicating with the Central Configuration Agent by looking in the following log file for a 'heartbeat' message.

<installation_folder>\BeyondTrust\PowerBroker Databases\Agent\Log\ImEntegraAgent*.log

"The Audit DB 2018 Agent on <hostname> has finished initialization. Heartbeat every 300 seconds."


16400 This value must match the value specified when installing the PBDB Server core software.

AGENT_DATA_DIRECTORY= C:\\Program Files\\BeyondTrust\\PowerBroker Databases\\Agent


Table 40. Properties for Unattended Installation of a PBDB Monitor Agent (Windows)




(Linux) PBDB Server - Unattended Installation

To install the PBDB Server core software from a command line, you enter the required inputs for the installation into a properties file which the installer uses to complete the installation.

(Linux) Unattended PBDB Server Installation ChecklistThe following table lists the properties that you must specify in order to install the PBDB Server core software via an unattended installation. You enter these values in the lumigentinstaller_linux.properties file.

Table 41. Properties for Unattended Installation of PBDB Server Core Software (Linux)



USER_INSTALL_DIR= /home/<user_name>/BeyondTrust


INSTALL_PRODUCTS_IN_ UPGRADE_DIR

yes

CHOSEN_INSTALL_SET= Complete

CHOSEN_INSTALL_FEATURE_LIST=

CCServer,AdminConsole,ReportServer,Tools,lmConsole

UNIX_ACCOUNT_ID=

UNIX_ACCOUNT_PASSWORD=

AGENT_HOSTNAME=


16400

AGENT_DATA_DIRECTORY= /home/<user_name>/BeyondTrust/agent.<hostname>


CC_LISTENER_PORT= 16401 AGENT_COMMUNICATION_PORT + 1

NAMESPACE_SERVICE_ PORT=

16402 AGENT_COMMUNICATION_PORT +2

REPORT_SERVER_HOST NAME=

SELECTED_CCDB_TYPE= Oracle

CCDB_DBA= Oracle DBA account.

CCDB_DBA_PASSWORD= Oracle DBA password.



(Linux) Performing an Unattended PBDB Server InstallationTo install the PBDB Server core software from the command line:

1. In your installation media, locate the lumigentinstaller_linux.properties file.


3. Enter values for the following user inputs as described in “(Linux) Unattended PBDB Server Installation Checklist,” page 163.


5. Open a terminal session.

6. Change directory to the location of the AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin file on your installation media. For example,

cd /home/<user_name>/temp


./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin–f <properties file path>

Example 1 ‐ If the properties file is in the same folder as AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin:, then enter the following command

./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin–f lumigentinstaller_linux.properties

Example 2 ‐ If the properties file is in /home/<user_name>/downloads, then enter the following command:

./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin–f /home/<user_name>/downloads/lumigentinstaller_linux.properties

The installer performs the following functions:– Creates the installation log file





8. Go to <installation_folder> and type cd agent.<hostname>/etc.


CCDB_USERNAME= Oracle ‐ default user name is "lumigent".

CCDB_PASSWORD= Oracle ‐ enter a password for the user.

CCDB_INSTANCE=

ORACLE_HOME=

ORACLE_DEFAULT_ TBLSPC=

USERS Oracle default TableSpace.

ORACLE_TEMP_TBLSPC= TEMP Oracle temp TableSpace.

Table 41. Properties for Unattended Installation of PBDB Server Core Software (Linux)





11. Verify that the Agent started and is communicating with the Central Configuration Agent by looking in the following file for a "heartbeat" message.

<installation_folder>/agent.<hostname>/log/lmEntegraAgent.logYYYY-MM-DD HH:MM:SS (lmEntegraAgent-4252) - LUM2032I The Audit DB 2.0 Agent

on <hostname> has finished initialization. Heartbeat every 300 seconds. Maintenance scheduled Start YYYY-MM-DD HH:MM:SS, Period 1DT00H00M00S.

(UNIX) Agents - Unattended Installation

The agent installation program can be launched from a command line and perform the installation without user interaction. You enter the required inputs for the installation into a properties file which the installer users to complete the installation.

(UNIX) Unattended Agent Installation Checklist

The following table lists the properties that you must specify in order to install a PBDB Monitor Agent via an unattended installation. You enter these values in the agentinstaller_unix.properties file.

Table 42. Properties for Unattended Installation of a PBDB Monitor Agent (UNIX)



USER_INSTALL_DIR= /home/<user_name>/BeyondTrust


INSTALL_PRODUCTS_IN_ UPGRADE_DIR=

yes

UNIX_ACCOUNT_ID= Specify the UNIX account that will own the Agent process.

UNIX_ACCOUNT_PASSWORD=

AGENT_HOSTNAME=


16400 This value must match the value specified when installing the PBDB Server core software.

AGENT_DATA_DIRECTORY= home/<user_name>/BeyondTrust/agent

AGENT_DATABASES= Oracle


ORACLE_HOME=

IS_ORACLE_RAC= no

CLUSTER_SHARED_DATA_ DIR=



(UNIX) Performing an Unattended Agent InstallationTo install a PBDB Monitor Agent from the command line:

1. In your Agent installation media, locate the agentinstaller_unix.properties file.


3. Enter values for the user inputs as described in “(UNIX) Performing an Unattended Agent Installation,” page 166.




cd /home/<user_name>/downloads orcd <CD name>


./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin -f <properties file path>

Example 1 ‐ If the properties file is in the same folder as AgentTier_Setup_<OS>.bin:./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin -f agentinstaller_unix.properties

Example 2 ‐ If the properties file is in /home/<user_name>/downloads:./AuditDB_server_setup_<OS>_<CPUarch>.6.8.x.yyyy.bin -f /home/<user_name>/downloads/agentinstaller_unix.properties. The installer performs the following functions:






8. Go to <installation_folder> and type cd agent.<hostname>/etc.



11. Verify that the Agent started and is communicating with the Central Configuration Agent by looking in the following file for a "heartbeat" message.

<installation_folder>/agent.<hostname>/log/lmEntegraAgent.logYYYY-MM-DD HH:MM:SS (lmEntegraAgent-4252) - LUM2032I The Audit DB 2.0 Agent

on <hostname> has finished initialization. Heartbeat every 300 seconds. Maintenance scheduled Start YYYY-MM-DD HH:MM:SS, Period 1DT00H00M00S.

Note: If you are configuring a DB2 database, you must provide the DB2 instance and DB2 library file information. See the following section.

DB2 Database Settings

Additional settings for DB2 databases must be configured after the silent installation.

DB2_INSTANCE=

DB2_HOME=

Table 42. Properties for Unattended Installation of a PBDB Monitor Agent (UNIX)




The following files must be updated: Env.sh and runEntegraAgent.sh.

• Env.sh

setenv INSTHOME "<instance home path>"setenv DB2INSTANCE "<instance name>"setenv LIBPATH "<instance home path>/sqllib/lib32:<install

dir>/lib":${LIBPATH}:$LIBPATHsetenv PATH "<install dir>/bin":/bin:$PATH

• runEntegraAgent.sh

DB2INSTANCE="<instance name>"export DB2INSTANCE

LIBPATH=""<instance home path>/sqllib/lib32:<install dir>/lib"LUMIGENT_LIBPATH="<instance home path>/sqllib/lib32:<install dir>/lib"

Configuring the PBDB Monitor Admin Console for a Non-Default PortBy default, the PBDB Monitor Admin Console uses the following ports:

• Oracle ‐ 1521

• SQL Server ‐ 1433

Using a non‐default port may result in the following error message:

* java.sql.SQLException: Network error IOException: Connection refused: connect

sqlserver not configured to listen on the default port (hostname:1433)If your business processes call for using a non‐default port with your databases, then you must configure the PBDB Monitor Admin Console to use localhost and/or a custom port number instead of what the PBDB Monitor Agent passes to it at runtime. This involves editing the ApplicationResources.properties file.



To configure the PBDB Monitor Admin Console to use a non‐default port:

1. Navigate to the ApplicationResources.properties file.Windows ‐ <installation_folder>\BeyondTrust\PowerBroker Databases\

AdminConsole\tomcat\webapps\eac\WEB-INF\classesLinux<installation_folder>/BeyondTrust/AdminConsole/tomcat/

webapps/eac/WEB-INF/classes

2. Using a text editor, open the ApplicationResources.properties file.

3. Look for the following in the file:

mssqlConnectString=jdbc:jtds:sqlserver://$$HOST$$[:$$PORT$$][/$$DATABASE$$][;instance=$$INSTANCE$$][;$$AUTHTYPE$$]

4. Edit it to look like this:

mssqlConnectString=jdbc:jtds:sqlserver://localhost[:$$PORT$$][/$$DATABASE$$][;instance=$$INSTANCE$$][;$$AUTHTYPE$$]

In the following examples, both $$HOST$$ and $$PORT$$ were replaced:mssqlConnectString=jdbc:jtds:sqlserver://localhost:2433[/$$DATABASE$$][;ins

tance=$$INSTANCE$$][;$$AUTHTYPE$$]mssqlConnectString=jdbc:jtds:sqlserver://localhost:1516/lumigent

5. Save your changes.

6. Restart the PBDB Monitor Admin Console service.

Uninstalling PowerBroker Databases: Monitor & Audit


Uninstalling PowerBroker Databases: Monitor & AuditThe PBDB Server and Agent Tier installers also install a program to remove the various Audit DB components.

Note: Product un‐installation must follow the same mode that was used for product installation. For example, if you installed Audit DB using the silent mode, you must uninstall Audit DB using the silent mode.

Audit DB Removal WorkflowNote: If there is any data or files that you want to retain, such as log files, configuration files, or collection (.ecz)

files, move the files to a different location before you perform the removal procedure.

1. Remove the Audit Source Tier.

a. Un‐assign policies from audit sources.

b. Remove audit sources.

c. Stop the PBDB Monitor Agent service/process and uninstall the PBDB Monitor Agent.

d. Delete any remaining installation folders on each audit source computer.

2. Remove the Collection Tier.

a. Stop the Collection Agent service/process and uninstall the Collection Agent.

b. Delete any remaining installation folders on each Collection Tier computer.

3. Remove the Repository Tier.

a. Delete the Repository in the PBDB Monitor Admin Console.

b. Stop the Loader Agent service/process and uninstall the Loader Agent.

c. Remove the PBDB Monitor Repository Database tables.

d. Delete any remaining installation folders on each Repository Tier computer.

4. Remove the PBDB Server core software.

a. Uninstall the PBDB Server core software (Central Configuration Agent, PBDB Monitor Admin Console, PBDB Report Service, lmConsole, PBDB Assessment Agent, and PBDB Assessment Console).

b. Remove the Central Configuration Database tables.

c. Delete any remaining installation folders on the PBDB Server.

Uninstalling the Audit Source TierThe first step in removing Audit DB is to remove the Audit Source Tier.

Removing an Audit Source

You use the PBDB Monitor Admin Console or the lmConsole to delete audit sources from the Central Configuration Database. Make sure all the policies assigned to the audit source are removed (unassigned) before deleting the audit source. For more information about audit policies, refer to the PowerBroker Databases: Monitor & Audit User Guide.

Note: (Oracle audit source) If you are using Selects, you must run the disable_oracle_select.sql script before removing the Oracle audit source. This script can be found in the Sql folder of your installation, for example:

C:\Program Files\BeyondTrust\PowerBroker Databases\Sql

Note: (SQL Server audit source) You must enter a user name and password with DBA privileges to delete the audit source.

To remove a policy from an audit source:

1. Log into the PBDB Monitor Admin Console.

2. Click the Configure tab. The Audit DB Summary screen opens.

3. On the Configure tab, click the Overviews subtab.



4. On the Overviews subtab click Audit Source Relations View.

5. On the Audit Source Relations View, click the Plus Sign (+) next to a database to view the policies associated with the database.

6. Click the eyeglass icon next to a policy. The Summary subtab appears.

7. Click the Assign to Audit Sources/DB subtab.

8. Click Unassign.

9. In the confirmation dialog box, click Yes.

10. On the Audit Source Relations View, click Done.

11. To unassign another policy click the Overviews subtab and repeat steps 4. ‐ 10.

To remove an audit source with no associated policies:

1. In the PBDB Monitor Admin Console, click the Configure tab. The Audit DB Summary dialog opens.

2. Click the name of the audit source you want to remove. The Audit Source Summary dialog opens.

3. Click Delete This Audit Source. The Delete Audit Source dialog opens.

4. Click Delete.

5. In the confirmation message, click OK.

For Microsoft SQL Server Database audit source, you need to enter a user name and password with DBA privileges to delete the audit source.

(Windows/Unix) Removing a PBDB Monitor Agent

DB2 and SQL Server audit sources require a PBDB Monitor Agent. Oracle and Sybase audit sources do not require a PBDB Monitor Agent.

Note: When uninstalling for MSSQL, ensure all the policies are unassigned/undeployed before performing uninstall process. This is required for the V6.7 mechanism (which reads directly from SQL server trace). A folder named “Audits” is created in the MSSQL Object Browser under the database being audited. This will be removed only when a policy is undeployed; otherwise, it continues to remain and keeps auditing data from the SQL trace.

To remove a PBDB Monitor Agent:

1. On the audit source computer, do one of the following:

– Windows: Click Start, Settings, Control Panel, Add or Remove Programs.

– Linux: Change directory to the BeyondTrust installation folder, for example:

cd /home/<username>/BeyondTrust/Uninstall PBDB Monitor Agent

2. Select the PowerBroker Databases Enterprise Agent.

3. Click Remove. The Uninstall PBDB Monitor Agent wizard opens.

Tip: Windows agent service

The removal process stops the Windows agent service.



4. In the Provide Database Credential page, do one of the following:

– If the agent is auditing other than SQL Server, then select Others and ignore the Enter the Database Instance field.

– If the agent is auditing an SQL Server database, then provide the SQL Server credentials with local administrator privileges. This credential is used to remove processes, such as LMS2.exe, that Audit DB attaches to the SQL Server process.



5. Click Uninstall.

6. In the Removal Complete dialog, click Done.

Note: The uninstall process removes all files except files that are in use. You can delete these files manually after the uninstall process completes.



Uninstalling the Collection TierAfter you have removed all audit sources, you remove the Collection Tier. Your implementation may include one or many Collection computers.

(Windows) Removing a Collection Agent

To remove the Collection Agent:

1. On the Collection computer, click Start, Settings, Control Panel, Add or Remove Programs.

2. Select the Audit DB Enterprise Agent.


4. In the Remove PBDB Monitor Agent dialog, click Uninstall. The wizard removes the Agent files.


6. Repeat this process for each Collection computer.

Note: The removal process does not delete the Status folder. If you do not want to maintain the installation history for the agent, you can delete the following folder:

<installation_folder>\BeyondTrust\PowerBroker Databases\Status

(UNIX) Removing a Collection Agent

To uninstall a PBDB Monitor Agent on UNIX:


2. Change directory to the BeyondTrust installation folder, for example:


3. Run Uninstall_PBDB_Monitor_Agent.

The Uninstall wizard opens.

4. In the Welcome dialog, click Uninstall.


Note: The un‐install process removes all files except the status folder. If you do not want to retain the installation history, you may delete these files.



Tip: Agent daemon process

The removal process stops the agent daemon process.



Uninstalling the Repository TierUninstalling the Repository Tier consists of removing the Repository, removing the Loader Agent, removing the PBDB Monitor Repository Database, and cleaning up any remaining files.

Removing a Repository

If you have multiple Repositories, repeat this process for each one.

To remove a Repository:

1. Log into the PBDB Monitor Admin Console using a Audit DB user ID with Admin or DBA privileges.

2. Click the Configure tab. The Audit DB Summary Page opens.

3. In the Repositories (View All/Add) area click View All. The View All Repositories page opens.

4. Click the name of the Repository you want to delete. The Repository Summary dialog opens.

5. Click Delete This Repository. The Delete Repository dialog opens.

6. Select the type of delete you want:

– Delete all collected audit data within this repository. (Delete data) ‐ Selecting this option deletes data in the Repository, but does not delete the Repository schema from the database. If you want to remove the Repository schema, you must drop it manually. When you select this option, you must supply a User Name and Password.

– Retain collected audit data within this repository (Do NOT delete data). ‐ Selecting this option deletes the link from the PBDB Monitor Admin Console to the Repository, while retaining the collected audit data within the Repository. User name and password are not required.

7. Click Apply Changes.

(Windows) Removing the Loader Agent

To remove the Loader Agent:

1. On the Repository computer, click Start, Settings, Control Panel, Add or Remove Programs.

2. Select the PBDB Monitor Agent.


4. In the Remove PBDB Monitor Agent dialog, click Uninstall. The wizard removes the Agent files.


6. If you have more than one Repository computer, repeat this process for each computer.

Note: The removal process does not delete the Status folder. If you do not want to maintain the installation history for the agent, you can delete the following folder:






(UNIX) Removing the Loader Agent

To uninstall a PBDB Monitor Agent on UNIX:


2. Change directory to the PowerBroker Databases installation folder, for example:


3. Run Uninstall_PBDB_Monitor_Agent.

The Uninstall wizard opens.

4. In the Welcome dialog, click Uninstall.


Note: The uninstall process removes all files except the status folder. If you do not want to retain the installation history, you can delete these files.

Uninstalling the PBDB Server Core SoftwareRemoving the PBDB Server core software involves the following tasks:

1. *Stopping the PBDB Report Service

2. *Stopping the GUI service

3. *Stopping the Central Configuration Agent service

4. *Uninstalling the PBDB Monitor Admin Console

5. *Uninstalling the PBDB Report Service

6. *Removing the PBDB Monitor Agent

7. Removing the Central Configuration Database

8. Deleting any remaining files and folders

* The PBDB Server uninstall program performs the first six tasks for you.

You can access the PBDB Server uninstaller program in the following ways:

• Via Windows Add or Remove Programs

• Windows

<installation_folder>\Uninstall PBDB Server\UninstallLumigentTier.exe

Linux<installation_folder>/Uninstall PBDB Server/Uninstall PowerBroker Databases Server.bin

Note: Removing the PBDB Server core software does not delete your audit data.

Tip: Agent daemon process

The removal process stops the agent daemon process.



(Windows) Removing All of the PBDB Server Core Software

Caution! Removing the Central Configuration Agent will render your Audit DB environment unusable. Do not remove the Central Configuration Agent while you are using Audit DB for auditing.

To uninstall all of the PBDB Server core software:

1. Using Windows Explorer, navigate to the following folder:

<installation_folder>\BeyondTrust\PowerBroker Databases\Uninstall PBDB Server

2. Launch UninstallLumigentTier.exe. The Uninstall PBDB Server wizard opens.

3. In the Remove PBDB Server dialog, click Next.

4. In the Removal Options dialog, click Complete Removal, then click Next.

Note: Clicking Next starts the removal process.

The wizard displays the removal progress. When the removal is complete, the Removal Complete dialog opens. If there are any Audit DB components that could not be removed, they are listed on this dialog.


Note: The removal program does not remove installation status history files. If you do not wish to retain these files, delete the following folder:


For example:

C:\Program Files\BeyondTrust\PowerBroker Databases\Status

(Windows/Linux) Removing PBDB Server Core Software

Note: When uninstalling for MSSQL, ensure all the policies are unassigned/undeployed before performing uninstall process. If you are auditing Select queries using the V6.7 mechanism (read directly from SQL server trace) then a folder named “Audits” is created in the MSSQL Object Browser under the database being audited. This will be removed only when a policy is undeployed; otherwise, it continues to remain and keeps auditing data from SQL trace.

The PBDB Server removal program provides the option to remove individual components that make up the PBDB Server core software For example, if a component needs to be moved to a different computer, or reinstalled, you can remove just that individual component.

Caution! Removing the Central Configuration Agent will render your Audit DB environment unusable. Do not remove the Central Configuration Agent while you are using Audit DB for auditing.

To remove specific components of the PBDB Server core software:

1. Launch the Uninstall PBDB Server wizard.

2. In the Remove PBDB Server dialog, click Next.

3. In the Removal Options dialog, select Remove Specific Features.

Tip: Windows services

The removal process stops the Windows services.



4. In the Select Product Features page, select the check box for each component that you want to remove. Click Next.

5. In the Provide Database Credential page, do one of the following:

– If the agent is auditing other than SQL server, then select Others and ignore the Enter the Database Instance field.

– If the agent is auditing an SQL Server database then provide the SQL Server credentials with local administrator privileges. This credential is used to remove processes, such as LMS2.exe, that Audit DB attaches to the MS SQL Server process.



6. Click Uninstall.

7. In the Installation Complete page, select whether you want to restart your system to complete the removal.

Note: The option to restart your system to complete the removal is available only for SQL Server 2008 R2 and SQL Server 2012. It is a known issue that restart will not result in an actual restart. Please ignore the messages.

8. Click Done.

Note: The uninstall process removes all files except files that are in use. However, you can delete these files manually after the uninstall process completes.

Index


Symbols

.ecz files, 16, 23

.etz files, 36

A

Admin Console, 11custom installation, Linux, 152custom installation, Windows, 141sign in, 69starting service, 123

agentinstaller_unix.properties file, 165agentinstaller.properties file, 161agents, 12

Central Configuration Agent, 13Collection Agent, 13Loader Agent, 14Monitor Agent, 14PBDB Monitor Agent (UNIX), 12PBDB Monitor Agent (Windows), 12roles, 13

alias names, 26Assessment packages

loading, 125audit policies, 15Audit Source Tier, 17

configuration considerations, 29network configuration, 25prerequisite software, 73removing, 169

audit sources, 16preparing for collection (DB2), 30, 32preparing for collection (log reading), 30preparing for collection (Oracle), 33, 35preparing for collection (SQL Server), 36removing, 169

AuditdbGUI.properties file, 147, 155

B

batch activity, 28browsers, supported, 26buttons, Admin Console

Login, 69

buttons, Administration ConsoleAdd Key, 71Create Repository, 112, 115Login, 109, 112Update Password, 70

C

CCDB, 14Central Configuration Agent, 13Central Configuration Database, 14Central Configuration Server

custom installation, Linux, 150custom installation, Windows, 139

checklistsagent installation, UNIX, unattended, 165agent installation, Windows, unattended, 161Lumigent Tier installation, Linux, unattended,

163PBDB Server core software installation,

Windows, 51PBDB Server core software installation,

Windows, unattended, 159Repository Tier installation, UNIX, 89Repository Tier installation, Windows, 74

client libraries, 48, 73required access, 41, 48requirements, 72

clustered serversCollection Tier, 27PBDB Server, 26

collectionDB2 configuration considerations, 32DB2 native audit configuration, 32DB2 prerequisites, 30Oracle native audit configuration, 35Oracle prerequisites, 33Oracle supplemental logging, 35SQL Server disk requirements, 36SQL Server required settings, 36

Collection Agent, 13Collection Tier, 17

configuration considerations, 27DB2, 27

Index

Index


SQL Server, 27disk space requirements, 23estimating number of servers, 21network configuration, 25prerequisite software, 72removing, 173scheduling guidance (SQL Server), 28server guidelines, 22sizing example, 22sizing guidelines, 21

command line tools, 14components, 11

Admin Console, 11agents, 12audit sources, 16Central Configuration Database, 14lmConsole, 14Report Server, 14Repository, 16

consoleURL, 71

conventions, document, 9custom installations, 137

Admin Console, Linux, 152Admin Console, Windows, 141available options, 137Central Configuration Server, 139, 150Linux, 157lmConsole, Linux, 157lmConsole, Windows, 144PBDB Server

post‐installation tasks, Windows, 147, 148,156

PBDB Server, Linux, 150PBDB Server, Windows, 139Report Server, Linux, 154Report Server, Windows, 143unattended installations, 159UNIX, 149Windows, 139, 144

D

daemon process, 12data collection

retention period, 108DDL, 32, 36DML, 32

documentationconventions, 9set, 10

H

HSQLDB file based database, 26

L

licensesaudit sources, 16installing, 70repository, 16

lmConsole, 14, 144, 157lmEntegraAgentWindows service, 12Loader Agent, 14

installation, 89removing, 174

lumigentinstaller_linux. properties file, 163lumigentinstaller.properties file, 159

M

Monitor Agent, 14removing, 170

N

network configurationAudit Source Tier, 25Collection Tier, 25PBDB Server, 24Repository Tier, 25

O

ODBC connectivity, 51OLTP activity, 28Oracle client libraries, 51Oracle RAC, 27

P

Package Loader utility, 125passwords

Report Server, 116passwords, changing default, 70PBDB Server

configuration considerations, 26network configuration, 24sizing guidelines, 19

Index


PBDB Server core software, 17custom installation, Linux, 150custom installation, Windows, 139installation checklist, Linux, 59installation checklist, Windows, 51installation, Linux, 61installation, Windows, 53installing, 51post‐installation tasks, 69, 70post‐installation tasks, Linux, 68post‐installation tasks, Windows, 68prerequisite software, 51removing, 175removing all of the PBDB Server core software,

176removing components, 176

PBDB user, 37, 38permissions

database, 37, 38ongoing operations

DB2, 41Oracle, 41SQL Server, 42

operating system, 37, 38ports, 25

10080, 2410090, 2415100, 2415101, 2416400, 24, 2516401, 2416402, 2545450, 2580, 248005, 248009, 248443, 249080, 24Collection Tier, 25PBDB Server, 24Repository Tier, 25

post‐installation taskscustom installation, 147, 148, 156PBDB Server core software, 68, 69, 70

prerequisite softwareAudit Source Tier, 73Collection Tier, 72PBDB Server core software, 51

privilegesSuper Administrator, 116

propertiesReport Server, 122

properties filesagentinstaller_unix.properties, 165agentinstaller.properties, 161AuditdbGUI.properties, 147, 155lumigentinstaller.properties, 159lumignetinstaller_linux.properties, 163

R

removingaudit sources, 169Monitor agent, 170Repository, 174

Report Server, 14accessing, 116configuring properties, 122connecting to repository, 117custom installation‐ Windows, 143custom installation, Linux, 154selecting repository connection, 120templates, deploying, 121

repositoriesselecting connection for Report Server, 120SQL Server, 112

Repository, 16removing, 174

Repository Tier, 17configuration considerations, 27estimated disk space usage, 20installation checklist, UNIX, 89installation checklist, Windows, 74installation, UNIX, 89network configuration, 25post‐installation tasks, 104, 105post‐installation tasks, UNIX, 105recommended DBMS, 27removing, 174sizing guidelines, 20

rolesCentral Configuration Agent, 13Collection Agent, 13Loader Agent, 14Monitor Agent, 14

S

scriptscreate_lumigent_collect_user_mssql_2005.sq

Index


l, 43create_lumigent_config_user_oracle.sql, 37,

41, 42create_lumigent_repository_user_oracle.sql,

37, 38enable_supplemental_logging_oracle.sql, 35

server.xml, 147, 155signing in, 69sizing guidelines

Collection Tier, 21PBDB Server, 19Repository Tier, 20

stored proceduressp_lmdbaudit_start, 43sp_lmdbaudit_version, 43sys.sp_trace_create, 43sys.sp_trace_setevent, 43sys.sp_trace_setfilter, 43sys.sp_trace_setstatus, 43xp_lmdbaudie_checkacct, 42xp_lmdbaudit_*, 43xp_lmdbaudit_checkacct, 43xp_lmdbaudit_init, 43xp_lmdbaudit_ispackagecomplete, 43xp_lmdbaudit_load, 43xp_lmdbaudit_logattach, 43xp_lmdbaudit_packagetracedata, 43xp_lmdbaudit_traceconfigure, 43

T

tnsnames.ora file, 25, 26

U

unattended installation, 159agents, UNIX, 165agents, Windows, 161PBDB Server core software, Linux, 163PBDB Server core software, Windows, 159performing on Linux, PBDB Server core

software, 164performing on UNIX, agent installation, 166performing on Windows, agent installation,

162performing on Windows, PBDB Server core

software, 160URL, 71user accounts

setup for UNIX, 47setup for Windows, 48

usersLumigent, 42Oracle, 41, 42OS user, 39SQL Server, 43SYS, 35system, 33, 35Windows Administrator, 37Windows Local Administrator, 37Windows local Administrator, 38, 41Windows local system, 37, 38, 41

utilitiesPackage Loader, 125

powerbroker databases: monitor & audit installation guide...this software is provided “as...

Documents