Symantec™ Enterprise Security Manager Sybase Modules User Guide
Documentation version 4.2
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Legal Notice
Copyright © 2015 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
[email protected] and Japan
[email protected], Middle-East, and Africa
[email protected] America and Latin America
Contents
Technical Support
Chapter 1 Introducing Symantec ESM Sybase ASE
    About the Symantec ESM modules for Sybase ASE
    What you can do with the Symantec ESM modules for Sybase ASE
    Template
    Where you can get more information
Chapter 2 Understanding ESM Sybase ASE modules
    About the Sybase ASE Account module
        Automatically update snapshots (UNIX)
        Deleted logon accounts (UNIX)
        Unlocked default logon accounts (UNIX)
        Logon accounts (UNIX)
        New logon accounts (UNIX)
        Servers to check (UNIX)
        Accounts with system roles (UNIX)
        Database user aliases (UNIX)
        Inactive accounts (UNIX)
        Login triggers (UNIX)
        Accounts with default master database (UNIX)
        Locked accounts not manually locked by ASE (UNIX)
    About the Sybase ASE Auditing module
        Audit queue size (UNIX)
        Audit segments (UNIX)
        Auditing enabled (UNIX)
        Auditing threshold procedure (UNIX)
        Database Audit Options (UNIX)
        Global Audit Options (UNIX)
        Login Audit Options (UNIX)
        Object Audit Options (UNIX)
        Procedure Audit Options (UNIX)
        Servers to check (UNIX)
        Suspend audit when dev is full (UNIX)
        Trunc transaction log on chkpt (UNIX)
        Multiple audit tables (UNIX)
        Sufficient log space (UNIX)
    About the Sybase ASE Configuration module
        Configuration parameters (UNIX)
        Device status (UNIX)
        Master dev default disk status (UNIX)
        Servers to check (UNIX)
        Version and product level (UNIX)
        Net password encryption (UNIX)
        Sample databases (UNIX)
        Sybase homes (UNIX)
        Trusted remote logins (UNIX)
        Databases on master device (UNIX)
        SSL encryption and strong cipher (UNIX)
        Prohibited extended stored procedures (UNIX)
    About the Sybase ASE Object module
        Automatically update snapshots (UNIX)
        Database status (UNIX)
        Databases to check (UNIX)
        Deleted database (UNIX)
        Deleted granted object perm (UNIX)
        Exclude granted object perm (UNIX)
        Grantable object permission (UNIX)
        Granted object permission (UNIX)
        Grantors to check (UNIX)
        New database (UNIX)
        New granted object permission (UNIX)
        Object actions to check (UNIX)
        Object permission (UNIX)
        Object types to check (UNIX)
        Objects to check (UNIX)
        Servers to check (UNIX)
        User access to database (UNIX)
        Accounts with CREATE permission (UNIX)
        Accounts with set proxy permission (UNIX)
        Grantees to check (UNIX)
        Stored procedure signature (UNIX)
        Database owners to check (UNIX)
        Owners to check (UNIX)
        Object owners (UNIX)
        Database backups protected (UNIX)
    About the Sybase ASE Password Strength module
        Double occurrences (UNIX)
        Empty password (UNIX)
        Minimum password age (UNIX)
        Minimum password length (UNIX)
        Password = any login name (UNIX)
        Password = login name (UNIX)
        Password = wordlist word (UNIX)
        Password contains Digits (UNIX)
        Plural (UNIX)
        Prefix (UNIX)
        Reverse order (UNIX)
        Roles without passwords (UNIX)
        Servers to check (UNIX)
        Suffix (UNIX)
        Hide guessed password details (UNIX)
        Login options(account) (UNIX)
        Maximum failed login attempts (UNIX)
        Maximum reported messages (UNIX)
        Monitor password age (UNIX)
        Password complexity parameters (UNIX)
        Roles to check (UNIX)
        Roles - maximum failed login attempts (UNIX)
        Roles - password expiration (UNIX)
        Roles - minimum password length (UNIX)
        System encryption password (UNIX)
        Encryption keys in database (UNIX)
        Password protect encryption keys (UNIX)
    About the Sybase ASE Patches module
        Patch templates (UNIX)
        Servers to check (UNIX)
    About the Sybase ASE Roles and Groups module
        Automatically update snapshots (UNIX)
        Database groups (UNIX)
        Deleted groups (UNIX)
        Deleted roles (UNIX)
        Users to check (UNIX)
        Group members (UNIX)
        New groups (UNIX)
        New roles (UNIX)
        Role grantees (UNIX)
        Role status (UNIX)
        Servers to check (UNIX)
        Accounts to check (UNIX)
        Granted prohibited roles (UNIX)
        Groups and group members to check (UNIX)
    About the Sybase ASE Discovery module
        Detect new database server (UNIX)
        Detect deleted database server (UNIX)
        Automatically add new database server (UNIX)
        Automatically remove deleted database server (UNIX)
        Validate configuration (UNIX)
Chapter 3 Troubleshooting
    Encryption exception
    RDL error
    LiveUpdate error
Chapter 1 Introducing Symantec ESM Sybase ASE
This chapter includes the following topics:
■ About the Symantec ESM modules for Sybase ASE
■ What you can do with the Symantec ESM modules for Sybase ASE
■ Template
■ Where you can get more information
About the Symantec ESM modules for Sybase ASE
The Symantec Enterprise Security Manager (ESM) modules for Sybase Adaptive Server Enterprise (ASE) servers extend Symantec ESM protection to your Sybase ASE servers.
These modules implement the checks and options that are specific to Sybase ASE servers, to protect them from exposure to known security problems. The modules may be installed locally on the Symantec ESM agent that resides on your Sybase ASE server.
The modules may also be installed on an ESM agent that has the Sybase ASE client installed, and assess Sybase ASE servers over the network. You can use the Symantec ESM modules for Sybase ASE server in the same way that you use other Symantec ESM modules.
What you can do with the Symantec ESM modules for Sybase ASE
You can use the ESM Application modules to scan Sybase ASE servers and report vulnerabilities.
You can perform the following tasks using the ESM console:
■ Create a policy.
■ Configure the policy.
■ Create a rules template.
■ Run the policy.
■ Review the policy run.
■ Correct security problems from the console.
■ Create reports.
Template
Several of the documented modules use templates to store the Sybase ASE parameters and object settings. Differences between the current settings and template values are reported when the modules run.
Table 1-1 Template name
Module                        Check name                      Template name                         Predefined template
Sybase ASE Auditing           Procedure Audit Options         Sybase Procedure Audit Options        none
Sybase ASE Auditing           Object Audit Options            Sybase ASE Object Audit Options       none
Sybase ASE Auditing           Login Audit Options             Sybase ASE Login Audit Options        none
Sybase ASE Auditing           Database Audit Options          Sybase Database Audit Options         none
Sybase ASE Auditing           Global Audit Options            Sybase ASE Global Audit Options       none
Sybase ASE Configuration      Configuration Parameters        Sybase Configuration Parameter        none
Sybase ASE Configuration      Device Status                   Sybase ASE Device Status              none
Sybase ASE Object             Object Permission               Sybase ASE Object Permissions         none
Sybase ASE Object             Exclude granted object perm     Sybase Granted object perm            excludegrantedobjperm.gop
Sybase ASE Object             Stored procedure signature      Sybase Stored Procedure Signatures    none
Sybase ASE Patches            Patch templates                 Sybase ASE Patch                      sybasepatch.syq
Sybase ASE Password Strength  Password complexity parameters  Sybase Password Parameter             none
Where you can get more information
For more information about Symantec ESM application modules, Security Updates, Industry Standards Policies, and more, see the Symantec Security Response website at the following URL: Security Response Web site.
For detailed information about templates for ESM application modules version 4.2 for Sybase ASE, see the Symantec™ Enterprise Security Manager Checks and Template Reference help file.
Note: Save the Symantec™ Enterprise Security Manager Checks and Template Reference help on your local computer and then open the file.
Chapter 2 Understanding ESM Sybase ASE modules
This chapter includes the following topics:
■ About the Sybase ASE Account module
■ About the Sybase ASE Auditing module
■ About the Sybase ASE Configuration module
■ About the Sybase ASE Object module
■ About the Sybase ASE Password Strength module
■ About the Sybase ASE Patches module
■ About the Sybase ASE Roles and Groups module
■ About the Sybase ASE Discovery module
About the Sybase ASE Account module
This module checks the server accounts based on the options that you specify.
Automatically update snapshots (UNIX)
Module: Sybase ASE Account
Enable this option to automatically update the snapshots with the current information.
Deleted logon accounts (UNIX)
Module: Sybase ASE Account
This check reports the logon accounts that were deleted from the database after the last snapshot update. Use the name list to specify the logon names that should be included or excluded from this check.
The following table lists the message for the check.
Table 2-1 Message for Deleted logon accounts
Message String ID and Category
    String ID: ESM_SYBASE_DELETED_LOGON_ACCOUNT
    Category: Change Notification
Platform and Message Numeric ID
    UNIX (226653)
Message Title and Description
    Title: Deleted logon account
    Description: The Sybase ASE logon account was deleted after the last snapshot update.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: true
    Template Updatable: false
    Information Field Format: [%s]
Unlocked default logon accounts (UNIX)
Module: Sybase ASE Account
This check reports the default logon accounts that should be locked. Use the name list to include the default logon accounts that you want the check to report on. If the name list is left empty, the check reports no problems found.
The following table lists the message for the check.
Table 2-2 Message for Unlocked default logon accounts
Message String ID and Category
    String ID: ESM_SYBASE_DEFAULT_LOGON_ACCOUNT
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226650)
Message Title and Description
    Title: Unlocked default logon account
    Description: The Sybase ASE logon account is unlocked. The default logon accounts should be locked.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
Logon accounts (UNIX)
Module: Sybase ASE Account
This check reports the logon accounts and their status. Use the name list to specify the logon names that should be included or excluded from this check.
The following table lists the message for the check.
Table 2-3 Message for Logon accounts
Message String ID and Category
    String ID: ESM_SYBASE_LOGON_ACCOUNT
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226651)
Message Title and Description
    Title: Logon account
    Description: The Sybase ASE logon account.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
New logon accounts (UNIX)
Module: Sybase ASE Account
This check reports the logon accounts that were added to the database after the last snapshot update. Use the name list to specify the logon names that should be included or excluded from this check.
The following table lists the message for the check.
Table 2-4 Message for New logon accounts
Message String ID and Category
    String ID: ESM_SYBASE_NEW_LOGON_ACCOUNT
    Category: Change Notification
Platform and Message Numeric ID
    UNIX (226652)
Message Title and Description
    Title: New logon account
    Description: The Sybase ASE logon account was added after the last snapshot update.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: true
    Template Updatable: false
    Information Field Format: [%s]
Servers to check (UNIX)
Module: Sybase ASE Account
Use the name list to specify the servers that should be included or excluded for all Sybase ASE Account security checks.
Accounts with system roles (UNIX)
Module: Sybase ASE Account
This check reports the accounts that have both the sa_role and sso_role assigned to them. Use the name list to include or exclude the login names that the check should report on.
The following table lists the message for the check.
Table 2-5 Message for Accounts with system roles
Message String ID and Category
    String ID: ESM_SYBASE_SA_SSO_ROLE
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226660)
Message Title and Description
    Title: Account with system roles
    Description: Roles sa_role and sso_role should not be granted to all accounts.
Additional Information
    Severity: red-4
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
Database user aliases (UNIX)
Module: Sybase ASE Account
This check reports the aliases of the database users that are present on the server. Use the name list to include or exclude the database users whose aliases you want to report.
The following table lists the message for the check.
Table 2-6 Message for Database user aliases
Message String ID and Category
    String ID: ESM_SYBASE_ALIAS
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226654)
Message Title and Description
    Title: Alias of the Database user
    Description: The Sybase ASE database user has alias.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
Inactive accounts (UNIX)
Module: Sybase ASE Account
This check reports the unlocked Sybase ASE logins that have not logged on to the server for more than the number of days that is specified in the Days since last login text box. Use the name list to include or exclude the login names that the check should report on. Sybase ASE 15.0.2 and later supports this check.
Enable the configuration parameter 'enable the last login updates.'
The check also reports those login accounts that do not have an entry against the last login date parameter but were created earlier than the days specified. Moreover, the check reports those login accounts as inactive whose last login date parameter indicates that there has been no login to the server for more than the days specified.
An inactive account is an easy target for those who can break into your system. Hence, you should remove or disable all inactive accounts.
Note: If you specify 0 in the Days since last login text box, the check overlooks that value and by default reports on 30 days.
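The decision rules described above can be sketched as follows. This is an added illustration, not Symantec's code: the Login record, its field names, the exclude list and the sample data are hypothetical, and stopping at the configuration finding when last login updates are disabled is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Tuple

DEFAULT_DAYS = 30               # value the guide says is used when 0 is entered
MSG_LAST_LOGIN_UPDATE = 226658  # "Last login update not enabled" (Table 2-7)
MSG_INACTIVE_ACCOUNT = 226659   # "Inactive account" (Table 2-7)


@dataclass(frozen=True)
class Login:
    """Hypothetical login record; field names are not ASE catalog columns."""
    name: str
    locked: bool
    created: date
    last_login: Optional[date]  # None: no entry for the last login date


def effective_days(days: int) -> int:
    """Threshold actually applied: 0 is overlooked and 30 days is used."""
    if days < 0:
        raise ValueError("days must not be negative")
    return DEFAULT_DAYS if days == 0 else days


def inactive_accounts(
    logins: Iterable[Login],
    days: int,
    today: date,
    last_login_updates_enabled: bool = True,
    exclude: FrozenSet[str] = frozenset(),
) -> List[Tuple[int, str]]:
    """Return (message numeric ID, login name or server marker) findings."""
    if not last_login_updates_enabled:
        # Assumption: with the parameter disabled the dates are never
        # updated, so this sketch reports only the configuration finding.
        return [(MSG_LAST_LOGIN_UPDATE, "<server>")]

    limit = effective_days(days)
    findings: List[Tuple[int, str]] = []
    for login in logins:
        if login.locked or login.name in exclude:
            continue  # only unlocked logins that are in scope are evaluated
        # Use the last login date when present, otherwise the creation date.
        if login.last_login is not None:
            reference = login.last_login
        else:
            reference = login.created
        if (today - reference).days > limit:  # "more than" the days specified
            findings.append((MSG_INACTIVE_ACCOUNT, login.name))
    return findings


# Constructed sample data, evaluated as of a constructed date.
TODAY = date(2015, 6, 30)
SAMPLE = [
    Login("alice", False, date(2014, 1, 1), date(2015, 6, 20)),  # idle 10 days
    Login("bob", False, date(2014, 1, 1), date(2015, 5, 1)),     # idle 60 days
    Login("carol", False, date(2015, 1, 15), None),              # no login, 166 days old
    Login("dave", False, date(2015, 6, 25), None),               # no login, 5 days old
    Login("erin", True, date(2013, 1, 1), date(2013, 2, 1)),     # locked, skipped
    Login("frank", False, date(2014, 1, 1), date(2015, 5, 31)),  # idle exactly 30 days
]

if __name__ == "__main__":
    for msg_id, name in inactive_accounts(SAMPLE, 0, TODAY):
        print(msg_id, name)
```

An account idle for exactly the threshold (frank) is not reported, because the check is described as "more than" the days specified.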
The following table lists the message for the check.
Table 2-7 Message for Inactive accounts
Message String ID and Category
    String ID: ESM_SYBASE_LAST_LOGIN_UPDATE
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226658)
Message Title and Description
    Title: Last login update not enabled
    Description: The reported Sybase ASE has the 'enable last login updates' password policy parameter as disabled. Due to this the last login date information is never updated whenever a user logs in.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]

Message String ID and Category
    String ID: ESM_SYBASE_INACTIVE_ACCOUNT
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226659)
Message Title and Description
    Title: Inactive account
    Description: The reported login account has been inactive for more than number of days specified by your policy. Those login accounts are reported as inactive accounts for which the last login date parameter indicates that there has been no login to the server for more than the specified number of days. Also a login account which does not have an entry against the last login date parameter but which had been created earlier than the specified number of days would be reported as an inactive account. An inactive account can be an easy target for intruders trying to break into your system. Remove or disable the inactive login accounts.
Additional Information
    Severity: red-4
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
Login triggers (UNIX)
Module: Sybase ASE Account
This check reports the Sybase ASE logins that have login triggers assigned to them and the global login trigger defined on the Sybase ASE server. Use the name list to include or exclude the login names that the check should report on.
The global login trigger is useful when you want all the logins to use the same login trigger.
The login triggers that the check reports are ASE stored procedures. These stored procedures are automatically executed in the background when you successfully log on to the Sybase ASE server.
The following table lists the message for the check.
Table 2-8 Message for Login triggers
Message String ID and Category
    String ID: ESM_SYBASE_GLOBAL_TRIGGER
    Category: System Information
Platform and Message Numeric ID
    UNIX (226655)
Message Title and Description
    Title: Global login trigger
    Description: The Sybase ASE has a global login trigger defined. Global login trigger can be useful when you want all logins to use the same login trigger.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]

Message String ID and Category
    String ID: ESM_SYBASE_LOGIN_TRIGGER
    Category: System Information
Platform and Message Numeric ID
    UNIX (226657)
Message Title and Description
    Title: Login trigger
    Description: The reported Sybase ASE login account has a login trigger defined. A login trigger is an ASE stored procedure which is automatically executed in the background when a user successfully logs on to Sybase ASE.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
Accounts with default master database (UNIX)
Module: Sybase ASE Account
This check reports the accounts that have master as their default database. Use the name list to include or exclude the login names that the check should report on.
The following table lists the message for the check.
Table 2-9 Message for Accounts with default master database
Message String ID and Category
    String ID: ESM_SYBASE_SA_SSO_ROLE
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226661)
Message Title and Description
    Title: Account with default database master
    Description: It is recommended only ASE administrators should be assigned default database as master, since this database stores all system tables. All standard users should be associated with a specific home database other than master.
Additional Information
    Severity: red-4
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
Locked accounts not manually locked by ASE (UNIX)
Module: Sybase ASE Account
This check reports the locked logon accounts that should be locked manually by ASE. The check verifies that the reason for locking reads Account locked by ASE by manually executing sp_locklogin. Use the name list to include the logon accounts that you want the check to report on. If the name list is empty, the check reports no problems found. The reason for locking is only available in ASE version 15.0.2 and later.
The following table lists the message for the check.
Table 2-10 Message for Locked accounts not manually locked by ASE
Message String ID and Category
    String ID: ESM_SYBASE_NOT_MANUALLY_LOCKED
    Category: Policy Compliance
Platform and Message Numeric ID
    UNIX (226662)
Message Title and Description
    Title: Logon account is not manually locked by ASE
    Description: The Sybase ASE logon account is not manually locked. The logon accounts must be locked by the ASE by manually executing sp_locklogin.
Additional Information
    Severity: yellow-2
    Correctable: false
    Snapshot Updatable: false
    Template Updatable: false
    Information Field Format: [%s]
About the Sybase ASE Auditing module
This module checks for the auditing setup that is based on the options that you have specified.
Audit queue size (UNIX)
Module: Sybase ASE Auditing
This check reports Adaptive Servers that have an audit queue size larger than the specified value.
The following table lists the message for the check.
Table 2-11 Message for Audit queue size
Title: Audit queue size
Description: The Sybase ASE server's audit queue size is larger than the specified value.
Platform and Message Numeric ID: UNIX (226552)
String ID: ESM_SYBASE_AUDIT_QUEUE_SIZE
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Audit segments (UNIX)
Module: Sybase ASE Auditing
This check lists audit segments in the sybsecurity database.
The following table lists the message for the check.
Table 2-12 Message for Audit segments
Title: Auditing threshold procedure
Description: The Sybase ASE server does not have an auditing threshold procedure enabled.
Platform and Message Numeric ID: UNIX (226551)
String ID: ESM_SYBASE_NO_THRESHOLD_PROCEDURE
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Auditing enabled (UNIX)
Module: Sybase ASE Auditing
This check reports Adaptive Servers that do not have auditing enabled in the configuration parameters.
The following table lists the message for the check.
Table 2-13 Message for Auditing enabled
Title: Auditing not enabled
Description: The Sybase ASE server does not have auditing enabled.
Platform and Message Numeric ID: UNIX (226550)
String ID: ESM_SYBASE_AUDITING_NOT_ENABLED
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Auditing threshold procedure (UNIX)
Module: Sybase ASE Auditing
This check reports the Adaptive Servers that do not have an auditing threshold procedure enabled.
The following table lists the message for the check.
Table 2-14 Message for Auditing threshold procedure
Title: Auditing threshold procedure
Description: The Sybase ASE server does not have an auditing threshold procedure enabled.
Platform and Message Numeric ID: UNIX (226551)
String ID: ESM_SYBASE_NO_THRESHOLD_PROCEDURE
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Database Audit Options (UNIX)
Module: Sybase ASE Auditing
This check reports the database audit options.
The following table lists the message for the check.
Table 2-15 Message for Database Audit Options
Title: Audit Option
Description: Audit Option.
Platform and Message Numeric ID: UNIX (226555)
String ID: ESM_SYBASE_AUDIT_OPTION
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Global Audit Options (UNIX)
Module: Sybase ASE Auditing
This check reports the global audit options.
The following table lists the message for the check.
Table 2-16 Message for Global Audit Options
Title: Audit Option
Description: Audit Option.
Platform and Message Numeric ID: UNIX (226555)
String ID: ESM_SYBASE_AUDIT_OPTION
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Login Audit Options (UNIX)
Module: Sybase ASE Auditing
This check reports the login audit options.
The following table lists the message for the check.
Table 2-17 Message for Login Audit Options
Title: Audit Option
Description: Audit Option.
Platform and Message Numeric ID: UNIX (226555)
String ID: ESM_SYBASE_AUDIT_OPTION
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Object Audit Options (UNIX)
Module: Sybase ASE Auditing
This check reports the object audit options.
The following table lists the message for the check.
Table 2-18 Message for Object Audit Options
Title: Audit Option
Description: Audit Option.
Platform and Message Numeric ID: UNIX (226555)
String ID: ESM_SYBASE_AUDIT_OPTION
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Procedure Audit Options (UNIX)
Module: Sybase ASE Auditing
This check reports the procedure audit options.
The following table lists the message for the check.
Table 2-19 Message for Procedure Audit Options
Title: Audit Option
Description: Audit Option.
Platform and Message Numeric ID: UNIX (226555)
String ID: ESM_SYBASE_AUDIT_OPTION
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Servers to check (UNIX)
Module: Sybase ASE Auditing
This option uses the name list to specify the servers to be included or excluded for all the Sybase ASE Auditing checks.
Suspend audit when dev is full (UNIX)
Module: Sybase ASE Auditing
This check reports the Adaptive Servers whose configuration parameter for suspending the audit when a device is full is set to a value that does not match the specified value. A value of 0 (zero) causes the server to truncate the next audit table and start using that table as the current audit table when the current audit table becomes full. A value of 1 (one) causes the server to suspend the audit process and all user processes that cause an auditable event until an empty table is set as the current audit table.
The following table lists the message for the check.
Table 2-20 Message for Suspend audit when dev is full
Title: Suspend audit when device is full
Description: The Sybase ASE server suspends audit when device is full.
Platform and Message Numeric ID: UNIX (226553)
String ID: ESM_SYBASE_SUSPEND_AUDITING
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Trunc transaction log on chkpt (UNIX)
Module: Sybase ASE Auditing
This check reports the Adaptive Servers and their databases that are not configured to truncate transaction logs when performing a checkpoint. Use the Databases name list to include or exclude the databases from this check.
The following table lists the message for the check.
Table 2-21 Message for Trunc transaction log on chkpt
Title: Truncate transaction log on checkpoint
Description: The Sybase ASE server truncates the transaction logs at a checkpoint.
Platform and Message Numeric ID: UNIX (226554)
String ID: ESM_SYBASE_TRUNCATE_LOG
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Multiple audit tables (UNIX)
Module: Sybase ASE Auditing
This check reports the Adaptive Servers that are not configured with more than one audit table.
The following table lists the message for the check.
Table 2-22 Message for multiple audit tables
Title: Multiple audit tables are not configured
Description: You must configure multiple audit tables.
Platform and Message Numeric ID: UNIX (226557)
String ID: ESM_SYBASE_NO_MULTIPLE_AUDIT_TABLES
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Sufficient log space (UNIX)
Module: Sybase ASE Auditing
This check reports the Adaptive Servers that do not have the audit physical devices, the transaction log, and the master database physical devices on different devices and on different partitions or physical paths and drives, and when such audit devices do not have any threshold procedure attached to them.
This is a host-based check.
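The settings that the Sybase ASE Auditing checks report on can also be spot-checked by hand from an isql session. The following Transact-SQL is an added example, not part of the ESM product or of this guide; it assumes a login with sso_role on a server where auditing is installed (the sybsecurity database exists), and the procedure and parameter names are standard ASE ones rather than names taken from this guide.

```sql
-- Added example: manual review of the ASE audit configuration.
-- Assumption: run in isql as a login that has sso_role; sybsecurity is installed.

-- Auditing enabled: a Run Value of 1 means auditing is on.
exec sp_configure 'auditing'
go

-- Audit queue size: compare the Run Value with the limit your policy allows.
exec sp_configure 'audit queue size'
go

-- Suspend audit when dev is full:
--   0 = truncate the next audit table and keep going (audit records are lost),
--   1 = suspend auditing and auditable user processes until an empty
--       table is made current (no records lost, but work stops).
exec sp_configure 'suspend audit when device full'
go

-- Which audit table is currently being written to.
exec sp_configure 'current audit table'
go

use sybsecurity
go

-- Multiple audit tables: more than one row here means the server can
-- switch tables instead of stopping or overwriting.
select name
from sysobjects
where name like 'sysaudits[_]0[1-8]'
order by name
go

-- Audit segments in sybsecurity.
exec sp_helpsegment
go

-- Auditing threshold procedure: each audit segment should list a
-- threshold and the procedure that fires when free space runs low.
exec sp_helpthreshold
go

-- Database, global, login, object and procedure audit options.
exec sp_displayaudit 'database'
go
exec sp_displayaudit 'global'
go
exec sp_displayaudit 'login'
go
exec sp_displayaudit 'object'
go
exec sp_displayaudit 'procedure'
go

use master
go

-- Trunc transaction log on chkpt: bit 8 of sysdatabases.status is the
-- 'trunc log on chkpt' database option.
select name,
       trunc_log_on_chkpt = case when status & 8 = 8 then 'on' else 'off' end
from sysdatabases
order by name
go
```

For the sp_configure calls, read the Run Value column: it is the value the server is using now, which can differ from the Config Value until a pending change takes effect.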
About the Sybase ASE Configuration module
This module checks for the Sybase configuration that is based on the options that you have specified.
Configuration parameters (UNIX)
Module: Sybase ASE Configuration
This check reports the unauthorized configuration parameter values as specified in the enabled Sybase ASE Configuration Parameters templates.
The following table lists the messages for the check.
Table 2-23 Messages for Configuration parameters

Title: Unauthorized configuration parameter (Green level)
Description: The Sybase ASE configuration parameter matches a green level template entry.
Platform and Message Numeric ID: UNIX (226151)
String ID: ESM_SYBASE_SYP_GREEN_LEVEL
Category: Policy Compliance
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Unauthorized configuration parameter (Yellow level)
Description: The Sybase ASE configuration parameter matches a yellow level template entry.
Platform and Message Numeric ID: UNIX (226152)
String ID: ESM_SYBASE_SYP_YELLOW_LEVEL
Category: Policy Compliance
Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Unauthorized configuration parameter (Red level)
Description: The Sybase ASE configuration parameter matches a red level template entry.
Platform and Message Numeric ID: UNIX (226153)
String ID: ESM_SYBASE_SYP_RED_LEVEL
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Configuration parameter not found
Description: The Sybase ASE configuration parameter is not found.
Platform and Message Numeric ID: UNIX (226154)
String ID: ESM_SYBASE_SYP_NOT_FOUND
Category: Policy Compliance
Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Device status (UNIX)
Module: Sybase ASE Configuration
This check reports the device status as specified in the enabled Sybase ASE Device Status templates.
The following table lists the messages for the check.
Table 2-24 Messages for Device status

Title: Device status (Green level)
Description: The Sybase ASE device status matches a green level template entry.
Platform and Message Numeric ID: UNIX (226156)
String ID: ESM_SYBASE_SYD_GREEN_LEVEL
Category: Policy Compliance
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Device status (Yellow level)
Description: The Sybase ASE device status matches a yellow level template entry.
Platform and Message Numeric ID: UNIX (226157)
String ID: ESM_SYBASE_SYD_YELLOW_LEVEL
Category: Policy Compliance
Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Device status (Red level)
Description: The Sybase ASE device status matches a red level template entry.
Platform and Message Numeric ID: UNIX (226158)
String ID: ESM_SYBASE_SYD_RED_LEVEL
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Master dev default disk status (UNIX)
Module: Sybase ASE Configuration
This check reports the servers on which the master device default disk status is set. The default disk status is turned on by a master device, allowing the user databases to be installed on the master device by default.
The following table lists the message for the check.
Table 2-25 Message for Master dev default disk status
Title: Device default status
Description: The Sybase ASE master device default disk status is set.
Platform and Message Numeric ID: UNIX (226155)
String ID: ESM_SYBASE_DEVICE_DEFAULT
Category: Policy Compliance
Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Servers to check (UNIX)
Module: Sybase ASE Configuration
Use the name list to specify the servers that are to be excluded or included for all the Sybase ASE Configuration security checks.
Version and product level (UNIX)
Module: Sybase ASE Configuration
This check reports the Sybase Adaptive Server Enterprise version and product level.
The following table lists the message for the check.
Table 2-26 Message for Version and product level
Title: Sybase ASE version and product level
Description: The Sybase ASE version and product level.
Platform and Message Numeric ID: UNIX (226150)
String ID: ESM_SYBASE_VERSION_LEVEL
Category: Policy Compliance
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Net password encryption (UNIX)
Module: Sybase ASE Configuration
This check reports the remote servers for which the 'net password encryption' option is set to false.
The Net password encryption option lets you specify whether to initiate a remote server connection by using the client side password encryption handshake or the 'unencrypted password' handshake sequence.
The following table lists the message for the check.
Table 2-27 Message for Net password encryption
Title: Net password encryption
Description: The remote server option 'net password encryption' is set to false for the reported remote server. The 'net password encryption' option lets you specify whether to initiate a remote server connection by using the client-side password encryption handshake or the 'unencrypted password' handshake sequence.
Platform and Message Numeric ID: UNIX (226159)
String ID: ESM_SYBASE_NO_NET_PASSWD_ENCRYPT
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Sample databases (UNIX)
Module: Sybase ASE Configuration
This check reports the sample databases that you should remove from the Sybase ASE servers. Use the name list to include the database names that the check should report on. If the name list is left empty, the check reports no problems found.
The following table lists the message for the check.
Table 2-28 Message for Sample databases
Title: Sample database
Description: The reported sample database should be removed in accordance with the best practice principle of attack surface reduction.
Platform and Message Numeric ID: UNIX (226163)
String ID: ESM_SYBASE_SAMPLE_DB
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Sybase homes (UNIX)
Module: Sybase ASE Configuration
This check reports the Sybase home and the OCS directory for the Sybase ASE servers that are configured in the SybaseModule.dat file.
The following table lists the message for the check.
Table 2-29 Message for Sybase homes
Title: Sybase home
Description: The Sybase home and OCS directory of the configured Sybase ASE servers.
Platform and Message Numeric ID: UNIX (226161)
String ID: ESM_SYBASE_HOME_DATFILE
Category: Policy Compliance
Severity: green-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Trusted remote logins (UNIX)
Module: Sybase ASE Configuration
This check reports any remote logins with the trusted status that are found on the Sybase ASE servers.
The use of trusted mode reduces the security of your server because the passwords of these trusted users are not verified. Set the trusted option to false if you want to ensure user authorization.
The following table lists the message for the check.
Table 2-30 Message for Trusted remote logins
Title: Trusted remote login
Description: The reported remote login has trusted status. Using the trusted mode reduces the security of your server as passwords from such trusted users are not verified. To ensure that user authorization takes place, the option trusted should be set to false.
Platform and Message Numeric ID: UNIX (226162)
String ID: ESM_SYBASE_TRUSTED_REMOTE_LOGIN
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Databases on master device (UNIX)
Module: Sybase ASE Configuration
This check reports the databases that are present on the master device. Use the name list to include or exclude the database names.
The following table lists the message for the check.
Table 2-31 Message for Databases on master device
Title: Databases on master device
Description: The Sybase ASE database is present on the master device.
Platform and Message Numeric ID: UNIX (226160)
String ID: ESM_SYBASE_DATABASE_ON_MASTER
Category: Policy Compliance
Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
SSL encryption and strong cipher (UNIX)
Module: Sybase ASE Configuration
This check reports whether SSL support is enabled and whether the cipher suite preference is set to strong or FIPS. This check is supported on Sybase ASE 15.0.0 and later.
The following table lists the message for the check.
Table 2-32 Message for SSL encryption and strong cipher
Title: SSL support with strong cipher not set
Description: Enable SSL support and ensure that the cipher suite preference is set to strong or FIPS.
Platform and Message Numeric ID: UNIX (226164)
String ID: ESM_SYBASE_SSL_STRONG_CIPHER
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Prohibited extended stored procedures (UNIX)
Module: Sybase ASE Configuration
This check reports prohibited extended stored procedures that should be removed from the Sybase ASE Servers. Use the name list to include extended stored procedure names. If the name list is left empty, the check reports no problems found.
The following table lists the message for the check.
Table 2-33 Message for Prohibited extended stored procedures
Title: Prohibited extended stored procedure found
Description: Prohibited extended stored procedures must be removed.
Platform and Message Numeric ID: UNIX (226165)
String ID: ESM_SYBASE_PROHIBITED_ESP
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
About the Sybase ASE Object module
This module checks the Sybase server for database existence and object permissions, based on the options that you have specified.
Automatically update snapshots (UNIX)
Module: Sybase ASE Object
Enable this option to automatically update the snapshots with the current information.
Database status (UNIX)
Module: Sybase ASE Object
This check reports the databases and the status levels that were configured to the Sybase ASE. Use the name list to specify the database names that should be included or excluded from this check.
The following table lists the message for the check.
Table 2-34 Message for Database status
Title: Database
Description: The Sybase ASE database.
Platform and Message Numeric ID: UNIX (226351)
String ID: ESM_SYBASE_DATABASE
Category: Policy Compliance
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Databases to check (UNIX)
Module: Sybase ASE Object
Use the name list to specify the databases that should be excluded or included for the Sybase ASE Object checks.
Deleted database (UNIX)
Module: Sybase ASE Object
This check reports the databases that were deleted from the Sybase ASE after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.
The following table lists the message for the check.
Table 2-35 Message for Deleted database
Title: Deleted database
Description: The Sybase ASE database was deleted after the last snapshot update.
Platform and Message Numeric ID: UNIX (226353)
String ID: ESM_SYBASE_DELETED_DATABASE
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]
Deleted granted object perm (UNIX)
Module: Sybase ASE Object
This check reports the objects or the granted object permissions that were deleted from the Sybase ASE after the last snapshot update.
■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.
■ Use the Object types to check name list to include or exclude the object types for the check to report on.
■ Use the Databases to check name list to include or exclude the databases for the check to report on.
■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.
■ Use the Objects to check name list to include or exclude the object names for the check to report on.
The following table lists the messages for the check.
Table 2-36 Messages for Deleted granted object perm

Title: Deleted object
Description: The Sybase ASE object was deleted after the last snapshot update.
Platform and Message Numeric ID: UNIX (226359)
String ID: ESM_SYBASE_DELETED_OBJECT
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Title: Deleted granted object action permission
Description: The Sybase ASE granted object action permission was deleted after the last snapshot update.
Platform and Message Numeric ID: UNIX (226360)
String ID: ESM_SYBASE_DELETED_OBJ_ACTION
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Title: Deleted granted object column permission
Description: The Sybase ASE granted object column permission was deleted after the last snapshot update.
Platform and Message Numeric ID: UNIX (226361)
String ID: ESM_SYBASE_DELETED_OBJ_COLUMN
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]
Exclude granted object perm (UNIX)
Module: Sybase ASE Object
This check excludes the granted object permissions that are reported by the Granted object permission check. Use the name list to specify the template that contains the entries for exclusion. Note that this check works only if the Granted object permission is selected.
Grantable object permission (UNIX)
Module: Sybase ASE Object
This check reports the object permissions that are grantable.
■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.
■ Use the Object types to check name list to include or exclude the object types for the check to report on.
■ Use the Databases to check name list to include or exclude the databases for the check to report on.
■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.
■ Use the Objects to check name list to include or exclude the object names for the check to report on.
The following table lists the message for the check.
Table 2-37 Message for Grantable object permission
Title: Grantable object permission
Description: The Sybase ASE grantable object permission.
Platform and Message Numeric ID: UNIX (226354)
String ID: ESM_SYBASE_GRANTABLE_PERM
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Granted object permission (UNIX)
Module: Sybase ASE Object
This check reports object permissions that are granted.
Use the following name lists with this check:
■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.
■ Use the Object types to check name list to include or exclude the object types for the check to report on.
■ Use the Databases to check name list to include or exclude the databases for the check to report on.
■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.
■ Use the Objects to check name list to include or exclude the object names for the check to report on.
The following table lists the message for the check.
Table 2-38 Message for Granted object permission
Title: Granted object permission
Description: The Sybase ASE granted object permission.
Platform and Message Numeric ID: UNIX (226355)
String ID: ESM_SYBASE_GRANTED_PERM
Category: Policy Compliance
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Grantors to check (UNIX)
Module: Sybase ASE Object
Use the name list to specify the grantors that should be excluded or included for the Sybase ASE Object checks.
New database (UNIX)
Module: Sybase ASE Object
This check reports the databases that were added to the Sybase ASE after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.
The following table lists the message for the check.
Table 2-39 Message for New database
Title: New database
Description: The Sybase ASE database was added after the last snapshot update.
Platform and Message Numeric ID: UNIX (226352)
String ID: ESM_SYBASE_NEW_DATABASE
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]
New granted object permission (UNIX)
Module: Sybase ASE Object
This check reports the objects or the granted object permissions that were added to the Sybase ASE after the last snapshot update.
■ Use the Grantors to check name list to include or exclude the grantors for the check to report on.
■ Use the Object types to check name list to include or exclude the object types for the check to report on.
■ Use the Databases to check name list to include or exclude the databases for the check to report on.
■ Use the Object actions to check name list to include or exclude the object actions for the check to report on.
■ Use the Objects to check name list to include or exclude the object names for the check to report on.
The following table lists the messages for the check.
Table 2-40 Messages for New granted object permission

Title: New object
Description: The Sybase ASE object was added after the last snapshot update.
Platform and Message Numeric ID: UNIX (226356)
String ID: ESM_SYBASE_NEW_OBJECT
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Title: New granted object action permission
Description: The Sybase ASE granted object action permission was added after the last snapshot update.
Platform and Message Numeric ID: UNIX (226357)
String ID: ESM_SYBASE_NEW_OBJ_ACTION
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Title: New granted object column permission
Description: The Sybase ASE granted object column permission was added after the last snapshot update.
Platform and Message Numeric ID: UNIX (226358)
String ID: ESM_SYBASE_NEW_OBJ_COLUMN
Category: Change Notification
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]
Object actions to check (UNIX)
Module: Sybase ASE Object
Use the name list to specify the object actions that should be excluded or included for the Sybase ASE Object checks.
Object permission (UNIX)
Module: Sybase ASE Object
This check reports the unauthorized object permissions as specified in the enabled Sybase ASE Object Permission templates.
The following table lists the messages for the check.
Table 2-41 Messages for Object permission

Title: Unauthorized object permission (Green level)
Description: The Sybase ASE object permission matches a green level template entry.
Platform and Message Numeric ID: UNIX (226362)
String ID: ESM_SYBASE_SYB_GREEN_LEVEL
Category: Policy Compliance
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Unauthorized object permission (Yellow level)
Description: The Sybase ASE object permission matches a yellow level template entry.
Platform and Message Numeric ID: UNIX (226363)
String ID: ESM_SYBASE_SYB_YELLOW_LEVEL
Category: Policy Compliance
Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Unauthorized object permission (Red level)
Description: The Sybase ASE object permission matches a red level template entry.
Platform and Message Numeric ID: UNIX (226364)
String ID: ESM_SYBASE_SYB_RED_LEVEL
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Object existence (Green level)
Description: The Sybase ASE object existence matches a green level template entry.
Platform and Message Numeric ID: UNIX (226365)
String ID: ESM_SYBASE_SYB_OBJ_GREEN_LEVEL
Category: Policy Compliance
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Object existence (Yellow level)
Description: The Sybase ASE object existence matches a yellow level template entry.
Platform and Message Numeric ID: UNIX (226366)
String ID: ESM_SYBASE_SYB_OBJ_YELLOW_LEVEL
Category: Policy Compliance
Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Title: Object existence (Red level)
Description: The Sybase ASE object existence matches a red level template entry.
Platform and Message Numeric ID: UNIX (226367)
String ID: ESM_SYBASE_SYB_OBJ_RED_LEVEL
Category: Policy Compliance
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Object types to check (UNIX)
Module: Sybase ASE Object
Use the name list to specify the object types that should be included for the Sybase ASE Object checks.
Objects to check (UNIX)
Module: Sybase ASE Object
Use the name list to specify the object names that should be excluded or included for the Sybase ASE Object checks.
Servers to check (UNIX)
Module: Sybase ASE Object
Use the name list to specify the servers that should be excluded or included for all Sybase ASE Object checks.
User access to database (UNIX)
Module: Sybase ASE Object
This check reports the Adaptive Server databases that allow user access, such as guest. Use the Databases name list to include the databases for this check. Use the value field to include the user names for this check.
The following table lists the message for the check.
Table 2-42 Message for User access to database
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_USER_ACCESS_DATABASE; Category: Policy Compliance | UNIX (226350) | Title: User access database. Description: The Sybase ASE allows user access to database. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Accounts with CREATE permission (UNIX)
Module: Sybase ASE Object
This check reports the database users, roles, and groups that are explicitly granted CREATE permissions and CONNECT action permission. Use the Keys list to specify the CREATE permissions that the check should report on. Use the Databases to check name list to include or exclude the databases that you want the check to report on. Use the Grantees to check name list to include or exclude the grantees that the check should report on.
The following table lists the message for the check.
Table 2-43 Message for Accounts with CREATE permission
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_CREATE_PERM; Category: Policy Compliance | UNIX (226371) | Title: Accounts with CREATE permission. Description: The Sybase ASE database account that has been reported has CREATE permissions explicitly assigned to it. Please refer information field for more details. | Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Accounts with set proxy permission (UNIX)
Module: Sybase ASE Object
This check reports the database users, roles, and groups that are explicitly granted the set proxy or set session authorization permissions. Use the Grantees to check name list to include or exclude the grantees that the check should report on.
The following table lists the message for the check.
Table 2-44 Message for Accounts with set proxy permission
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SET_PROXY_PERM; Category: Policy Compliance | UNIX (226372) | Title: Accounts with set proxy permission. Description: The Sybase ASE database account has a set proxy or set session authorization permissions explicitly assigned to it. For more details, refer to the Information field. | Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Grantees to check (UNIX)
Module: Sybase ASE Object
Use the name list to specify the grantees that should be excluded or included for the Accounts with CREATE permissions check and Proxy access permission check.
Stored procedure signature (UNIX)
Module: Sybase ASE Object
This check reports the occurrences of the stored procedures whose signatures are different from the signatures that you define in the template. If you do not define any signature for the stored procedure in the template, then the check reports the signatures of the matched stored procedure. You can use the Template update feature to update the template with the signatures that the check reports.
Note: This check only supports the stored procedures and does not support the extended stored procedures.
For more information on the Sybase Stored Procedure Signatures template, see the Symantec™ Enterprise Security Manager Checks and Templates Reference help available at the Security Updates Website.
To update the template
1 Right-click on the message.
2 Choose Update Template.
Note: You can use the Sybase Stored Procedure Signatures template to report on the custom stored procedure such as sp_extrapwdchecks, sp_cleanpwdchecks, and so on.
The following table lists the message for the check.
Table 2-45 Message for Stored procedure signature
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SP_SIG_MISMATCH; Category: Policy Compliance | UNIX (226368) | Title: Stored procedure signature mismatch. Description: The Sybase ASE stored procedures signature does not match with the one that has been specified within the template. If the signature is authorized then you can update the new signature by using the template update action. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_HIDDEN_SP; Category: Policy Compliance | UNIX (226369) | Title: Hidden stored procedure. Description: The Sybase ASE stored procedure is hidden. | Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_MISSING_SP; Category: Policy Compliance | UNIX (226370) | Title: Missing stored procedure. Description: The prohibited roles should not be granted to all accounts. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Database owners to check (UNIX)
Module: Sybase ASE Object
Use the name list to include or exclude the Sybase ASE database login names for the Database status check to report on.
Owners to check (UNIX)
Module: Sybase ASE Object
Use the name list to include or exclude the object owners for the Object owners check to report on.
Object owners (UNIX)
Module: Sybase ASE Object
This check reports the objects and their owners that are present in the Sybase ASE Database.
■ Use the Object types to check name list to include or exclude the object types for the check to report on.
■ Use the Databases to check name list to include or exclude the databases for the check to report on.
■ Use the Objects to check name list to include or exclude the object names for the check to report on.
■ Use the Owners to check name list to include or exclude the object owners for the check to report on.
The following table lists the message for the check.
Table 2-46 Message for Object owners signature
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_OBJECT_OWNER; Category: Policy Compliance | UNIX (226373) | Title: Database object owner. Description: Review whether the owner of the Sybase ASE database object is an authorised owner. | Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Database backups protected (UNIX)
Module: Sybase ASE Object
This check reports the database backup files that are not password protected. Use the name list to specify the full path of the database dump files that should be included in this check. If the name list is empty, this check reports no problems found.
The following table lists the message for the check.
Table 2-47 Message for Database backups protected
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_PASS_PROTECT_DBDUMP; Category: Policy Compliance | UNIX (226374) | Title: Database backups are not password protected. Description: The specified database backup file is not password protected. | Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
About the Sybase ASE Password Strength module
This module checks for the password integrity that Sybase server account uses based on the options that you have specified.
Double occurrences (UNIX)
Module: Sybase ASE Password Strength
This option causes the password checks to report logons with passwords that match the double versions of logon names or entries in the enabled word files. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.
Empty password (UNIX)
Module: Sybase ASE Password Strength
This check reports the Sybase ASE logons with empty or NULL passwords.
The following table lists the message for the check.
Table 2-48 Message for Empty password
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_NULL_PASSWORD; Category: Policy Compliance | UNIX (226250) | Title: Empty password. Description: The reported Sybase ASE login has an empty or NULL password. Assign a password to it now, then instruct the user to log on with the assigned password and change the password again. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Minimum password age (UNIX)
Module: Sybase ASE Password Strength
This check reports the Sybase ASE with a system-wide password expiration configuration parameter that is higher than the specified number of days for this check.
The following table lists the message for the check.
Table 2-49 Message for Minimum password age
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_MIN_PASSWORD_AGE; Category: Policy Compliance | UNIX (226254) | Title: Minimum password age. Description: This check reports Adaptive Servers that have a system-wide password expiration configuration parameter setting that is higher than the specified number of days for this check. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Minimum password length (UNIX)
Module: Sybase ASE Password Strength
This check reports the Adaptive Servers that have a minimum password length configuration parameter setting lower than the specified value for this check.
The following table lists the message for the check.
Table 2-50 Message for Minimum password length
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_MIN_PASSWORD_LEN; Category: Policy Compliance | UNIX (226253) | Title: Minimum Password Length. Description: This check reports Adaptive Servers that have a minimum password length configuration parameter setting that is lower than the specified value for this check. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Password = any login name (UNIX)
Module: Sybase ASE Password Strength
This check reports the Sybase ASE logins with passwords that match any logon name. To apply this check to the application role passwords, enable this check and the Application role password check in the same policy.
The following table lists the message for the check.
Table 2-51 Message for Password = any login name
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GUESSED_PASSWORD; Category: Policy Compliance | UNIX (226251) | Title: Guessed password. Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Password = login name (UNIX)
Module: Sybase ASE Password Strength
This check reports the Sybase ASE logons with matching logon names and passwords. To apply this check to the application role passwords, enable this check and the Application role password check in the same policy.
The following table lists the message for the check.
Table 2-52 Message for Password = login name
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GUESSED_PASSWORD; Category: Policy Compliance | UNIX (226251) | Title: Guessed password. Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Password = wordlist word (UNIX)
Module: Sybase ASE Password Strength
This check tries to match the Sybase ASE logon passwords with words in the enabled word files, and reports the matches. To apply this check to the application role passwords, enable this check and the Application role password check in the same policy.
The following table lists the message for the check.
Table 2-53 Message for Password = wordlist word
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GUESSED_PASSWORD; Category: Policy Compliance | UNIX (226251) | Title: Guessed password. Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Password contains Digits (UNIX)
Module: Sybase ASE Password Strength
This option reports the Adaptive Servers that do not have the configuration parameter enabled to require the new passwords to contain at least one digit.
The following table lists the message for the check.
Table 2-54 Message for Password contains Digits
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_PASSWORD_CONTAINS_DIGIT; Category: Policy Compliance | UNIX (226252) | Title: Password contains a digit. Description: Adaptive Server does not have the configuration parameter enabled to require new passwords to contain at least one digit. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Plural (UNIX)
Module: Sybase ASE Password Strength
This option causes the password checks to report the logons with passwords that match the plural forms of logon names or entries in the enabled word files. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.
The following table lists the message for the check.
Table 2-55 Message for Plural
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_GUESSED_PASSWORD; Category: Policy Compliance | UNIX (226251) | Title: Guessed password. Description: Symantec ESM guessed the passwords of these Sybase ASE logins. Assign more secure passwords to these logins or remove them. A secure password should have six to eight characters, should not be found in any dictionary, and should have at least one non-alphabetic character. A secure password should also not match login or host name. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Prefix (UNIX)
Module: Sybase ASE Password Strength
This option causes the password checks to report the logons with passwords that match the forms of logon names or the entries in the enabled word files with a prefix. Use the option's name list to specify the prefixes to be used. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.
Reverse order (UNIX)
Module: Sybase ASE Password Strength
This option enables the module checks that guess the passwords to report the logons with passwords that match the reverse order of the logon names or the entries in the enabled word files. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.
Roles without passwords (UNIX)
Module: Sybase ASE Password Strength
This check reports the roles that do not have the assigned passwords. Use the Roles list to include or exclude the roles for this check.
The following table lists the message for the check.
Table 2-56 Message for Roles without passwords
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_ROLE_NO_PASSWORD; Category: Policy Compliance | UNIX (226255) | Title: Role without password. Description: This check reports roles defined in the Adaptive ASE that have no password assigned. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
Servers to check (UNIX)
Module: Sybase ASE Password Strength
Use the name list to specify the servers that are to be excluded or included for all the Sybase ASE Password Strength checks.
Suffix (UNIX)
Module: Sybase ASE Password Strength
This option affects the behavior of the enabled Password = username, Password = any username, and Password = wordlist word security checks. When this option is enabled, the specified suffixes are added to the user names and the wordlist words that are used to guess passwords, for example, golf -> golfball. Use the option's name list to specify the suffixes to be used. To apply this option to the application role passwords, enable this option and the Application role password check in the same policy.
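The Double occurrences, Plural, Prefix, Reverse order, and Suffix options all transform a login name or word-file entry before it is compared with a password. The following Python code is an added example, not Symantec ESM code: it applies the same variant rules as a screen for a proposed password at password-set time. The function and class names, the case-insensitive comparison, and forming the plural by appending "s" are assumptions; the login names and word list are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample data (not taken from any real server).
SAMPLE_LOGINS = ["sa_ops", "dbadmin"]
SAMPLE_WORDS = ["golf", "tennis"]


@dataclass
class VariantOptions:
    """Mirrors the module options; each one widens the set of variants tested."""
    double: bool = False                           # Double occurrences: golf -> golfgolf
    plural: bool = False                           # Plural: golf -> golfs (assumed rule)
    reverse: bool = False                          # Reverse order: golf -> flog
    prefixes: list = field(default_factory=list)   # Prefix name list
    suffixes: list = field(default_factory=list)   # Suffix name list: golf -> golfball


def variants(word, opts):
    """Yield (rule, candidate) pairs derived from one login name or word."""
    w = word.lower()
    if not w:
        return
    yield "exact", w
    if opts.double:
        yield "double", w + w
    if opts.plural:
        yield "plural", w + "s"
    if opts.reverse:
        yield "reverse", w[::-1]
    for p in opts.prefixes:
        yield "prefix", p.lower() + w
    for s in opts.suffixes:
        yield "suffix", w + s.lower()


def screen_password(login, password, all_logins, wordlist, opts):
    """Return a list of (check, rule, base word) findings; empty list means no match.

    The check names follow the guide: Empty password, Password = login name,
    Password = any login name, Password = wordlist word.
    """
    if not password:
        return [("Empty password", "empty", "")]
    pw = password.lower()
    others = [name for name in all_logins if name.lower() != login.lower()]
    sources = [
        ("Password = login name", [login]),
        ("Password = any login name", others),
        ("Password = wordlist word", wordlist),
    ]
    findings = []
    for check, words in sources:
        for word in words:
            # Report only the first matching rule for each base word.
            rule = next((r for r, c in variants(word, opts) if c == pw), None)
            if rule:
                findings.append((check, rule, word))
    return findings


if __name__ == "__main__":
    opts = VariantOptions(double=True, plural=True, reverse=True,
                          prefixes=["my"], suffixes=["ball"])
    for login, candidate in [("sa_ops", "golfball"), ("dbadmin", "nimdabd"),
                             ("sa_ops", "T9#vq-Lm2x")]:
        print(login, screen_password(login, candidate, SAMPLE_LOGINS,
                                     SAMPLE_WORDS, opts))
```

With every option left at its default, only exact matches are reported, which corresponds to enabling the three Password = checks without any of the variant options.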
Hide guessed password details (UNIX)
Module: Sybase ASE Password Strength
When you enable this check, the security checks no longer display the details of the guessed password. This check works with the Password = login name, Password = any login name, Password = wordlist word, Reverse order, Double occurrences, Plural, Prefix, and Suffix checks.
Login options(account) (UNIX)
Module: Sybase ASE Password Strength
This check works with the Password expiration, Minimum password length, and Maximum failed login attempts checks. The Login options(account) check reports the individual login accounts that do not satisfy the condition that you specify in the login configuration parameters-related checks. Use the name list to include or exclude the logon accounts that the check should report on.
Maximum failed login attempts (UNIX)
Module: Sybase ASE Password Strength
This check reports the Sybase ASE servers that have the system-wide 'maximum failed login attempts' configuration parameter set higher than the value you specify in the Maximum failed login attempts text box or that have the 'maximum failed login attempts' configuration parameter less than or equal to 0. Enable this check with the Login options(account) check to report all the login accounts that have the 'maximum failed login attempts' configuration set higher than the value that you specify in the Maximum failed login attempts text box or that have the 'maximum failed login attempts' configuration parameter less than or equal to 0. Enable this check with the Roles to check name list to specify the roles whose members you want to include or exclude from reporting the violations in the Maximum failed login attempts settings.
The following table lists the message for the check.
Table 2-57 Message for Maximum failed login attempts
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_MAX_FAIL_LOGIN_ATMPT; Category: Policy Compliance | UNIX (226259) | Title: Maximum failed login attempts. Description: Either the 'max failed_logins' setting is found to be set as 'accounts never get locked on any number of failed logins' or is found to be of higher value than the one that has been specified. Please see information field for more details. | Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Maximum reported messages (UNIX)
Module: Sybase ASE Password Strength
This check limits the number of messages that the module returns.
You can specify a limit for the number of messages that the module returns. On reaching the maximum limit for a single message, the module displays the message again with the number of the repeating instances of the message that are not reported.
Monitor password age (UNIX)
Module: Sybase ASE Password Strength
This check reports any unlocked accounts with the passwords that are older than the limit that you specify. This check works with the Roles to check name list. Use the Roles to check name list to include or exclude the roles. The Monitor password age check reports on the members of the roles that you include in the name list.
This check proves to be beneficial if there is no password expiration setting present on the server. In this case, the Monitor password age check reports the login accounts that have not changed their password within the specified days.
The following table lists the messages for the check.
Table 2-58 Message for Monitor password age
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_MONITOR_PASSWORD_AGE; Category: Policy Compliance | UNIX (226261) | Title: Monitor password age. Description: The user has not changed the password for more than the specified number of days. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Password complexity parameters (UNIX)
Module: Sybase ASE Password Strength
This check reports the values for the password complexity options that do not match with the values that you specify in the template. You can use the sp_passwordpolicy stored procedure to set the password complexity options. The sp_passwordpolicy stored procedure is available on Sybase ASE 12.5.4 and later and 15.0.2 and later versions.
Note: Sybase ASE 12.5.4, 15.0.2, and 15.0.3 versions support this check.
For more information on the Sybase Stored Procedure Signatures template, see the Symantec™ Enterprise Security Manager Checks and Templates Reference help available at the Security Updates Website.
The following table lists the messages for the check.
Table 2-59 Message for Password complexity parameters
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SP_GREEN_LEVEL; Category: Policy Compliance | UNIX (226256) | Title: Unauthorized password complexity parameter (Green level). Description: The Sybase ASE password complexity parameter matches a green level template entry. | Severity: green-0; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_SP_YELLOW_LEVEL; Category: Policy Compliance | UNIX (226257) | Title: Unauthorized password complexity parameter (Yellow level). Description: The Sybase ASE password complexity parameter matches a yellow level template entry. | Severity: yellow-2; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
| String ID: ESM_SYBASE_SP_RED_LEVEL; Category: Policy Compliance | UNIX (226258) | Title: Unauthorized password complexity parameter (Red level). Description: The Sybase ASE password complexity parameter matches a red level template entry. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Roles to check (UNIX)
Module: Sybase ASE Password Strength
Use the name list to specify the roles that you want to include or exclude from reporting violations. Use this name list with the Login options(account) check to report the members of the roles that you want to include or exclude from reporting violations.
Roles - maximum failed login attempts (UNIX)
Module: Sybase ASE Password Strength
This check reports the roles that have the maximum failed login attempts configuration parameter set higher than the value specified in the Maximum failed login attempts text box or the roles that have the maximum failed login attempts configuration parameter less than or equal to 0. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the maximum failed login attempts settings.
Roles - password expiration (UNIX)
Module: Sybase ASE Password Strength
This check reports the roles that have the password expiration configuration parameter higher than the value that you specify or the roles that have the password expiration configuration parameter value set to 0. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the password expiration settings.
Roles - minimum password length (UNIX)
Module: Sybase ASE Password Strength
This check reports the roles that have the password length set less than the value specified in the Minimum password length text box. Enable this check with the Roles to check name list to specify the roles you want to include or exclude from reporting the violations in the minimum password length settings.
System encryption password (UNIX)
Module: Sybase ASE Password Strength
This check reports the databases of Sybase ASE Servers that are not configured with a strong system encryption password. Use the name list Databases to check to either include or exclude the databases that are to be verified.
Note: This check is supported on Sybase ASE 15.0.1 and later.
The following table lists the messages for the check.
Table 2-60 Message for System encryption password
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_SYSTEM_ENCRYPT_PASSWORD; Category: Policy Compliance | UNIX (226262) | Title: System encryption password not set. Description: The database master must have a strong system encryption password set. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Encryption keys in database (UNIX)
Module: Sybase ASE Password Strength
This check reports the databases of Sybase ASE Servers that contain the encryption keys. Use the name list Databases to check to either include or exclude the databases that are to be verified.
Note: This check is supported on Sybase ASE 15.0.1 and later.
The following table lists the messages for the check.
Table 2-61 Message for Encryption keys in database
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_DB_ENCRYPT_KEYS; Category: Policy Compliance | UNIX (226263) | Title: Encryption keys are in database. Description: The database of Sybase ASE server contains the encryption keys. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
Note: If none of the databases of a configured Sybase ASE server contains encryption keys and if the name list is empty, ESM displays the note Encryption keys not found in any databases.
Password protect encryption keys (UNIX)
Module: Sybase ASE Password Strength
This check reports the encryption keys that are not password protected. Encryption key passwords are used to limit the DBO and system administrator access to the data. Use the name list Databases to check to either include or exclude the databases that are to be verified.
Note: This check is supported on Sybase ASE 15.0.2 and later.
The following table lists the messages for the check.
Table 2-62 Message for Password protect encryption keys
| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
|---|---|---|---|
| String ID: ESM_SYBASE_PASSPROTECT_ENCRYPTKEY; Category: Policy Compliance | UNIX (226264) | Title: System encryption password not set. Description: The encryption keys in the database of Sybase ASE server must be password protected. Sybase ASE 15.0.2 and later supports per encryption key passwords that can be used to restrict access to encrypted data. | Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s |
About the Sybase ASE Patches module
This module identifies the Sybase patches that are not installed on Sybase server.
Patch templates (UNIX)
Module: Sybase ASE Patches
Use this option to specify the Sybase ASE Patch template files to be used by this module.
The following table lists the message for the check.
Table 2-63 Message for Patch templates
Message String ID and Category: String ID: ESM_SYBASE_PATCH_NOT_FOUND; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226750)
Message Title and Description: Title: Patch not found; Description: The Sybase ASE Patch not found.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]
Servers to check (UNIX)
Module: Sybase ASE Patches
Use the name list to specify the servers that are to be excluded or included for all the Sybase ASE Patches security checks.
About the Sybase ASE Roles and Groups module
This module checks for the roles and groups that are based on the options you have specified.
Automatically update snapshots (UNIX)
Module: Sybase ASE Roles and Groups
Enable this option to automatically update the snapshots with the current information.
Database groups (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the database groups. Use the name list to include or exclude the databases for this check.
The following table lists the message for the check.
Table 2-64 Message for Database groups
Message String ID and Category: String ID: ESM_SYBASE_DATABASE_GROUP; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226455)
Message Title and Description: Title: Database group; Description: The Sybase ASE database group.
Additional Information: Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]
Deleted groups (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the database groups and members that were deleted from the database after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.
The following table lists the messages for the check.
Table 2-65 Messages for Deleted groups
Message String ID and Category: String ID: ESM_SYBASE_DELETED_GROUP; Category: Change Notification
Platform and Message Numeric ID: UNIX (226459)
Message Title and Description: Title: Deleted database group; Description: The Sybase ASE database group was deleted after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]

Message String ID and Category: String ID: ESM_SYBASE_DELETED_GROUP_MEMBER; Category: Change Notification
Platform and Message Numeric ID: UNIX (226460)
Message Title and Description: Title: Deleted group member; Description: The Sybase ASE database group member was deleted after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]
Deleted roles (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the roles and the grantees that were deleted from the database after the last snapshot update. Use the name list to specify the role names that should be included or excluded from this check.
The following table lists the messages for the check.
Table 2-66 Messages for Deleted roles
Message String ID and Category: String ID: ESM_SYBASE_DELETED_ROLE; Category: Change Notification
Platform and Message Numeric ID: UNIX (226453)
Message Title and Description: Title: Deleted role; Description: The Sybase ASE role was deleted after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]

Message String ID and Category: String ID: ESM_SYBASE_DELETED_ROLE_GRANTEE; Category: Change Notification
Platform and Message Numeric ID: UNIX (226454)
Message Title and Description: Title: Deleted role grantee; Description: The Sybase ASE role grantee was deleted after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]
Users to check (UNIX)
This option lets you create name lists of the Sybase users and Sybase database groups that are included in the Group members check.
Group members (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the group members. Use the name list to include or exclude the databases for this check.
The following table lists the message for the check.
Table 2-67 Message for Group members
Message String ID and Category: String ID: ESM_SYBASE_GROUP_MEMBER; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226456)
Message Title and Description: Title: Group member; Description: The Sybase ASE database group member.
Additional Information: Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]
New groups (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the database groups and members that were added to the database after the last snapshot update. Use the name list to specify the database names that should be included or excluded from this check.
The following table lists the messages for the check.
Table 2-68 Messages for New groups
Message String ID and Category: String ID: ESM_SYBASE_NEW_GROUP; Category: Change Notification
Platform and Message Numeric ID: UNIX (226457)
Message Title and Description: Title: New database group; Description: The Sybase ASE database group was added after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]

Message String ID and Category: String ID: ESM_SYBASE_NEW_GROUP_MEMBER; Category: Change Notification
Platform and Message Numeric ID: UNIX (226458)
Message Title and Description: Title: New group member; Description: The Sybase ASE database group member was added after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]
New roles (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the roles and the grantees that were added to the database after the last snapshot update. Use the name list to specify the role names that should be included or excluded from this check.
The following table lists the messages for the check.
Table 2-69 Messages for New roles
Message String ID and Category: String ID: ESM_SYBASE_NEW_ROLE; Category: Change Notification
Platform and Message Numeric ID: UNIX (226451)
Message Title and Description: Title: New role; Description: The Sybase ASE role was added after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]

Message String ID and Category: String ID: ESM_SYBASE_NEW_ROLE_GRANTEE; Category: Change Notification
Platform and Message Numeric ID: UNIX (226452)
Message Title and Description: Title: New role grantee; Description: The Sybase ASE role grantee was added after the last snapshot update.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s]
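The comparison that the Deleted roles and New roles checks describe can be modelled as a diff between the stored snapshot and the current role grants. The following Python example is added here for illustration and is not ESM module code: the String IDs and severities come from Tables 2-66 and 2-69, while the function names, the data layout, the text placed in the information field, the empty-name-list behaviour, and the sample roles and logins are assumptions.

```python
"""Added example: snapshot comparison for Sybase ASE roles and grantees.
Models the New roles / Deleted roles checks; it is not ESM module code."""

# String IDs and severities as listed in Tables 2-66 and 2-69 of this guide.
MESSAGES = {
    "new_role": ("ESM_SYBASE_NEW_ROLE", "yellow-2"),
    "new_grantee": ("ESM_SYBASE_NEW_ROLE_GRANTEE", "yellow-2"),
    "deleted_role": ("ESM_SYBASE_DELETED_ROLE", "yellow-2"),
    "deleted_grantee": ("ESM_SYBASE_DELETED_ROLE_GRANTEE", "yellow-2"),
}


def in_scope(role, name_list, include):
    """Apply the role name list in include or exclude mode.
    Assumption: an empty name list leaves every role in scope."""
    if not name_list:
        return True
    listed = role in name_list
    return listed if include else not listed


def finding(kind, value):
    """Build one message record for a detected change."""
    string_id, severity = MESSAGES[kind]
    # The guide gives the information field format as [%s].
    return {"id": string_id, "severity": severity, "info": "[%s]" % value}


def diff_roles(snapshot, current, name_list=(), include=False):
    """Compare {role: set(grantees)} maps and return change findings."""
    findings = []
    for role in sorted(set(snapshot) | set(current)):
        if not in_scope(role, name_list, include):
            continue
        old, new = snapshot.get(role), current.get(role)
        if old is None:
            findings.append(finding("new_role", role))
        elif new is None:
            findings.append(finding("deleted_role", role))
        # Grantee changes are reported per role, including for roles that
        # were themselves added or deleted (assumption of this example).
        for grantee in sorted((new or set()) - (old or set())):
            findings.append(finding("new_grantee", f"{role}: {grantee}"))
        for grantee in sorted((old or set()) - (new or set())):
            findings.append(finding("deleted_grantee", f"{role}: {grantee}"))
    return findings


def update_snapshot(current):
    """Accept the current state as the new baseline (Snapshot Updatable: true)."""
    return {role: set(grantees) for role, grantees in current.items()}


# Constructed sample data: role names and logins are illustrative only.
SNAPSHOT = {"sa_role": {"sa"}, "sso_role": {"sa"}, "oper_role": {"backup_op"}}
CURRENT = {"sa_role": {"sa", "appuser"}, "sso_role": {"sa"},
           "audit_role": {"auditor1"}}

if __name__ == "__main__":
    for f in diff_roles(SNAPSHOT, CURRENT):
        print(f["severity"], f["id"], f["info"])
```

Until the snapshot is updated, the same differences are reported on every run, so a new grantee on a privileged role stays visible until someone reviews it and accepts the new baseline.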
Role grantees (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the role grantees. Use the role list to include or exclude the roles for this check.
The following table lists the message for the check.
Table 2-70 Message for Role grantees
Message String ID and Category: String ID: ESM_SYBASE_ROLE_GRANTEE; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226461)
Message Title and Description: Title: Role grantee; Description: The Sybase ASE role grantee.
Additional Information: Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]
Role status (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the roles and the status. Use the role list to include or exclude the roles for this check.
The following table lists the message for the check.
Table 2-71 Message for Role status
Message String ID and Category: String ID: ESM_SYBASE_ROLE_STATUS; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226450)
Message Title and Description: Title: Role status; Description: The Sybase ASE role status information.
Additional Information: Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]
Servers to check (UNIX)
Module: Sybase ASE Roles and Groups
Use the name list to specify the servers for exclusion or inclusion for all the Sybase ASE Roles security checks.
Accounts to check (UNIX)
Module: Sybase ASE Roles and Groups
Use this check to include or exclude the login accounts for the Granted prohibited roles check.
Granted prohibited roles (UNIX)
Module: Sybase ASE Roles and Groups
This check reports the accounts that have been granted specified roles. Use the name list to include or exclude the prohibited roles that the check should report on.
The following table lists the message for the check.
Table 2-72 Message for Granted prohibited roles
Message String ID and Category: String ID: ESM_SYBASE_PROHIBIT_ROLE; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226462)
Message Title and Description: Title: Granted Prohibited roles; Description: The prohibited roles should not be granted to all accounts.
Additional Information: Severity: red-4; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s
Groups and group members to check (UNIX)
This check reports the unauthorized combination of database, groups, and group members as specified in the Sybase ASE Groups and group members templates.
This check uses the Sybase ASE groups and group members template.
The following table lists the messages for the check.
Table 2-73 Messages for Groups and group members to check
Message String ID and Category: String ID: ESM_SYBASE_GUM_GREEN_LEVEL; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226463)
Message Title and Description: Title: Group member record (Green level); Description: The Sybase ASE group member record matches a green level template entry.
Additional Information: Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Message String ID and Category: String ID: ESM_SYBASE_GUM_YELLOW_LEVEL; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226464)
Message Title and Description: Title: Group member record (Yellow level); Description: The Sybase ASE group member record matches a yellow level template entry.
Additional Information: Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Message String ID and Category: String ID: ESM_SYBASE_GUM_RED_LEVEL; Category: Policy Compliance
Platform and Message Numeric ID: UNIX (226465)
Message Title and Description: Title: Group member record (Red level); Description: The Sybase ASE group member record matches a red level template entry.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]
About the Sybase ASE Discovery module
The checks in the Sybase ASE Discovery module automate the detection and configuration of new Sybase ASE servers that are not yet configured on the ESM agent computers. The Sybase ASE Discovery module also detects and automatically removes the deleted Sybase ASE servers from the /esm/config/SybaseModule.dat configuration file.
Detect new database server (UNIX)
Module: Sybase ASE Discovery
This check reports the Sybase ASE servers that are newly detected on the ESM agent computers and that were not configured earlier.
The following table lists the message for the check.
Table 2-74 Message for Detect new database server
Message String ID and Category: String ID: ESM_SYBASE_NEW_DB_SERVER_ADDED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226832)
Message Title and Description: Title: Added new database server; Description: The ESM SYBASE Discovery module has detected a new database server. The module by using the generic credentials has added the configuration record of the newly detected database server in the configuration file.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Message String ID and Category: String ID: ESM_SYBASE_ADD_DB_SERVER_FAILED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226833)
Message Title and Description: Title: Failed to add new database server; Description: The ESM SYBASE Discovery module by using the generic credentials has failed to add the configuration record of the newly detected database server in the configuration file. Either invalid logon credentials are used or the database server is not running. Use the Correct option and enter the custom credentials to configure the newly detected database server.
Additional Information: Severity: yellow-1; Correctable: true; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s
Detect deleted database server (UNIX)
Module: Sybase ASE Discovery
This check reports the Sybase ASE servers that are deleted or unreachable but are still configured in the /esm/config/SybaseModule.dat configuration file.
The following table lists the message for the check.
Table 2-75 Message for Detect deleted database server
Message String ID and Category: String ID: ESM_SYBASE_DEL_DB_SERVER_DETECTED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226834)
Message Title and Description: Title: Deleted database server; Description: The ESM SYBASE module has detected a deleted database server on the local ESM agent computer. Use the Update option to delete the configuration information from the configuration file.
Additional Information: Severity: yellow-1; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s
Automatically add new database server (UNIX)
Module: Sybase ASE Discovery
This check works with the Detect new database server check. The check Automatically add new database server uses the generic credentials to automatically configure the newly detected Sybase ASE servers.
The following table lists the message for the check.
Table 2-76 Message for Automatically add new database server
Message String ID and Category: String ID: ESM_SYBASE_NEW_DB_SERVER_DETECTED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226831)
Message Title and Description: Title: New Database Server; Description: The ESM Sybase Discovery module has detected a new database server on the local ESM agent computer. To configure the newly detected database server, use the Update option to configure the database server with generic credentials. Else, use the Correct option to provide the appropriate logon credentials.
Additional Information: Severity: yellow-1; Correctable: true; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s
Automatically remove deleted database server (UNIX)
Module: Sybase ASE Discovery
This check works with the Detect deleted database server check to automatically remove the deleted or the unreachable Sybase ASE server records from the /esm/config/SybaseModule.dat configuration file.
The following table lists the message for the check.
Table 2-77 Message for Automatically remove deleted database server
Message String ID and Category: String ID: ESM_SYBASE_DEL_DB_SERVER_DETECTED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226834)
Message Title and Description: Title: Deleted database server; Description: The ESM SYBASE module has detected a deleted database server on the local ESM agent computer. Use the Update option to delete the configuration information from the configuration file.
Additional Information: Severity: yellow-1; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s
Validate configuration (UNIX)
Module: Sybase ASE Discovery
This check validates the entries of the configuration records for successful connection and assigned roles. The Sybase ASE Discovery module automatically corrects the accounts, if the generic credential that is used is sa and the configuration record entry is SYMESMDBA.
The following table lists the message for the check.
Table 2-78 Message for Validate configuration
Message String ID and Category: String ID: ESM_SYBASE_CREDENTIALS_VERIFIED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226836)
Message Title and Description: Title: Server validation successful; Description: The configuration record for the database server has been successfully verified.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: %s

Message String ID and Category: String ID: ESM_SYBASE_CREDENTIALS_FAILED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226837)
Message Title and Description: Title: Sybase validation failed; Description: The validation of configuration record for the database server failed. Use the Correct option to reconfigure the ESM user account.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s

Message String ID and Category: String ID: ESM_SYBASE_CREDENTIALS_RECTIFIED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226838)
Message Title and Description: Title: Sybase server credentials rectified; Description: The configuration record for the database server has been rectified.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s

Message String ID and Category: String ID: ESM_SYBASE_CREDENTIALS_ROLES_FAILED; Category: ESM Administrative Information
Platform and Message Numeric ID: UNIX (226839)
Message Title and Description: Title: Sybase server credentials roles validation failed; Description: The ESM user account is not configured with the roles sa_role and sso_role (or as specified in esmsybaseenv.dat). Use the Correct option to assign the required roles.
Additional Information: Severity: yellow-1; Correctable: true; Snapshot Updatable: true; Template Updatable: false; Information Field Format: %s
Troubleshooting
This chapter includes the following topics:
■ Encryption exception
■ RDL error
■ LiveUpdate error
Encryption exception
When you run a policy, an error may be displayed that asks you to reconfigure the module.
Table 3-1 lists the error message that is displayed and the solution for the error.
Table 3-1 Encryption exception
Error: Encryption exception
Solution: This error may occur if you have set SSLConfigure=0 after configuring the Sybase ASE module, or if you have renamed or deleted the AESConfigSYB.dat file.
To solve this problem, you need to reconfigure the Sybase ASE module.
If you want to generate logs for encryption, add Debugon=1 in the AESConfigSYB.dat file from the esm\config folder. It generates SYBASEdebuglog.log in the esm\system\<platform> folder.
RDL error
The following list contains the RDL 6.5.3 error and its solution:
Table 3-2 lists the RDL message that is displayed and the solution for the error.
Table 3-2 RDL error
Error: If you have ESM modules for Sybase ASE and RDL 6.5.3 installed on the same computer, the RDL database does not get populated with correct module IDs of the Sybase modules.
Solution: Upgrade RDL 6.5.3 to RDL 6.5.3 SP2.
LiveUpdate error
The following two entries appear in the Agent Properties dialog box of the Console, if you are updating an agent from 3.0.0 to 3.1.0 using LiveUpdate:
ESM_SYBASE 3.1.0
ESM_Sybase 3.0.0
To solve this issue, remove the 3.0.0 LiveUpdate entries from the following two files:
■ Manifest.xml
■ Agent app.dat
Note: The LiveUpdate error occurs only on the ESM 9.0.1 agent. You must run thepolicy again to view the changes.