Sybase ASE and Sybase IQ SQL / command difference
I have created a checklist and a script from the free CIS Security Benchmark for the auditee to get the data and setting from the database. However, the auditee said they are using Sybase IQ Database, so I have to modify the statement below for them. I have there use Sybase IQ Database before and there are no such benchmark / checklist on the web. I hope someone can help!
Script
/* 1.0
Please provide the results by executing the following commands:
*/
use master
select @@servername
exec sp_helpserver
exec sp_loginconfig "login mode"
exec sp_loginconfig "default account"
exec sp_configure "allow resource limit"
exec sp_configure "select on syscomments.text"
exec sp_configure "log audit logon failure"
exec sp_configure "log audit logon success"
select name from syssrvroles where password = NULL
exec sp_configure "current audit table"
exec sp_configure "suspend audit when device full"
exec sp_configure "unified login required"
/* 1.1
Perform the following to determine ASE’s authentication mode:
*/
exec sp_configure 'enable pam user auth'
exec sp_configure 'enable ldap user auth'
exec sp_configure ‘use security services’
/* 1.2
Capture the following Registry Key:
HKEY_LOCAL_MACHINE\SOFTWAR
*/
/* 1.3
Connect to the database as a user with the sso_role and execute the following SQL statement:
*/
exec sp_passwordpolicy 'list', 'allow password downgrade'
/* 1.4
Connect to the ASE server as a user with the sso_role and execute the following SQL statement to verify that the sa account does not have privileged roles:
*/
exec sp_displaylogin sa
/* 1.5
Connect to the ASE server as a user that has select permission on master.dbo.syslogins (such as a user with the sso_role) and execute the following SQL statement to retrieve a list of database usernames:
*/
use master select name from syslogins
/* 1.6
Perform the following to audit password complexity requirements while operating in Standard login mode:
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement to confirm a system-wide minimum password length is enforced:
*/
exec sp_configure 'minimum password length'
/*
Execute the following statement to verify that password require at least one digit:
*/
exec sp_configure 'check password for digit'
/*
Connect to the ASE server as a user with the sso_role and execute the following SQL statement to retrieve the password policy settings in effect:
*/
exec sp_passwordpolicy 'list'
/* 1.7
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement:
*/
exec sp_configure 'maximum failed logins'
/* 1.8
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement to retrieve the system-wide password expiration:
*/
exec sp_configure 'systemwide password expiration'
/* 1.9
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement to retrieve the system-wide password expiration:
*/
exec sp_configure 'systemwide password expiration'
/* 1.10
Connect to the ASE server with a user that has the sso_role and execute the following SQL statement where <Login_Name> should be substituted for the username for which the login trigger status is being determined:
*/
exec sp_displaylogin <Login_Name>
/*
Determine the presence of a global login trigger via connecting to the ASE Server with a user that has the sso_role and executing the following SQL statement:
*/
exec sp_logintrigger
Script
/* 1.0
Please provide the results by executing the following commands:
*/
use master
select @@servername
exec sp_helpserver
exec sp_loginconfig "login mode"
exec sp_loginconfig "default account"
exec sp_configure "allow resource limit"
exec sp_configure "select on syscomments.text"
exec sp_configure "log audit logon failure"
exec sp_configure "log audit logon success"
select name from syssrvroles where password = NULL
exec sp_configure "current audit table"
exec sp_configure "suspend audit when device full"
exec sp_configure "unified login required"
/* 1.1
Perform the following to determine ASE’s authentication mode:
*/
exec sp_configure 'enable pam user auth'
exec sp_configure 'enable ldap user auth'
exec sp_configure ‘use security services’
/* 1.2
Capture the following Registry Key:
HKEY_LOCAL_MACHINE\SOFTWAR
*/
/* 1.3
Connect to the database as a user with the sso_role and execute the following SQL statement:
*/
exec sp_passwordpolicy 'list', 'allow password downgrade'
/* 1.4
Connect to the ASE server as a user with the sso_role and execute the following SQL statement to verify that the sa account does not have privileged roles:
*/
exec sp_displaylogin sa
/* 1.5
Connect to the ASE server as a user that has select permission on master.dbo.syslogins (such as a user with the sso_role) and execute the following SQL statement to retrieve a list of database usernames:
*/
use master select name from syslogins
/* 1.6
Perform the following to audit password complexity requirements while operating in Standard login mode:
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement to confirm a system-wide minimum password length is enforced:
*/
exec sp_configure 'minimum password length'
/*
Execute the following statement to verify that password require at least one digit:
*/
exec sp_configure 'check password for digit'
/*
Connect to the ASE server as a user with the sso_role and execute the following SQL statement to retrieve the password policy settings in effect:
*/
exec sp_passwordpolicy 'list'
/* 1.7
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement:
*/
exec sp_configure 'maximum failed logins'
/* 1.8
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement to retrieve the system-wide password expiration:
*/
exec sp_configure 'systemwide password expiration'
/* 1.9
Connect to the ASE server (the sso_role is not required) and execute the following SQL statement to retrieve the system-wide password expiration:
*/
exec sp_configure 'systemwide password expiration'
/* 1.10
Connect to the ASE server with a user that has the sso_role and execute the following SQL statement where <Login_Name> should be substituted for the username for which the login trigger status is being determined:
*/
exec sp_displaylogin <Login_Name>
/*
Determine the presence of a global login trigger via connecting to the ASE Server with a user that has the sso_role and executing the following SQL statement:
*/
exec sp_logintrigger
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.