Corporate Headquarters:
IPLocks Inc.
2665 North First Street, Suite 110
San Jose, CA 95134
Tel: +1 408-383-7500
Fax: +1 408-383-5269
http://www.iplocks.com
info@iplocks.com
Customer Satisfaction:
Tel: +1 408-383-1500
Fax: +1 408-383-5269
FTP: ftp://blinder.iplocks.com
Tech Support Portal: https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000005yKU
Email: support@iplocks.com
Company and general product questions as well as white paper requests may be submitted to
info@iplocks.com.
Contents
IPLocks Feature Summary......................................................................................................... 5
CLI Guide Introduction ............................................................................................................... 7
Supported Tasks ..................................................................................................................... 7
Convention for File Locations and Environment Variables ..................................................... 8
The XML Input File .................................................................................................................... 10
The project Element.......................................................................................................... 11
The target Element............................................................................................................ 11
Using CLI ................................................................................................................................... 13
The Sample Input File ........................................................................................................... 14
Specifying a Command-Line Input File ................................................................................. 14
Specifying a Command-line Target....................................................................................... 14
Specifying Task Values......................................................................................................... 14
Specifying Command-Line Task-Attribute Values ..................................................... 15
Using the property task ............................................................................................. 15
Using the loadPropertyFile Task ........................................................................... 15
Automatically Generated Task Values ........................................................................ 15
Running Multiple Tasks......................................................................................................... 15
Using the List Type..................................................................................................... 16
foreach Task-Utility....................................................................................................... 16
Database Tasks......................................................................................................................... 18
Managing Database Connections ......................................................................................... 18
addDatabase.................................................................................................................. 18
updateDatabase ............................................................................................................ 19
openDatabase................................................................................................................ 21
closeDatabase ............................................................................................................... 21
deleteDatabase.............................................................................................................. 22
Scheduling, Scanning, and Reporting Tasks ......................................................................... 23
Scheduling Tasks.................................................................................................................. 23
addCalendarSchedule .................................................................................................. 23
updateCalendarSchedule ............................................................................................. 24
deleteCalendarSchedule .............................................................................................. 25
setTimerSchedule ......................................................................................................... 26
deleteTimerSchedule .................................................................................................... 27
Scanning Tasks..................................................................................................................... 28
scan ................................................................................................................................ 28
scanServer..................................................................................................................... 28
Reporting Tasks .................................................................................................................... 29
cliReport......................................................................................................................... 29
statusReport .................................................................................................................. 30
generateVAReport......................................................................................................... 31
Guarded Items Tasks................................................................................................................ 35
setStatus ............................................................................................................................... 35
Attribute Descriptions .................................................................................................. 35
Possible Contained Elements ...................................................................................... 35
setSeverity ............................................................................................................................ 36
Attribute Descriptions .................................................................................................. 36
Possible Contained Elements ...................................................................................... 36
addUDR ................................................................................................................................ 37
© 2002-2007 IPLocks, Inc. Version 6.2.00 Page 3
All rights reserved. www.iplocks.com Phone 408.383.1500
IPLocks Command-Line Interface (CLI) Guide
• Alert notifications to assigned security personnel. Presented via the IPLocks GUI, email,
or SNMP traps, these alerts are generated from the target database's access information,
system data and content, and are stored in the IPLocks internal database.
• Separation from your enterprise-database servers. IPLocks resides on its own Windows,
Solaris, or Linux server.
• Capability of monitoring both local and remote databases within your enterprise via a web-
based management console.
• The IPLocks Command Line Interface (CLI) for managing enterprise-database
environments.
• Auto Discovery. By supplying a range of IP addresses and port numbers, you can have
IPLocks discover all active, distributed databases, registered or not, within your enterprise.
• Penetration Testing. Provides the ability to run an aggressive password attack against
selected databases to determine whether user passwords are easy to guess and would
therefore allow access into your database.
Supported Tasks
Supported tasks include:
$IPLOCKS_HOME/conf
implies this Windows location as well:
%IPLOCKS_HOME%\conf
Figure 2: Block diagram of XML file (a project named project whose default target is targetB; target targetA contains task1, task2 and task3; target targetB contains task4 and task5 and depends upon targetA)
This diagram represents a file with:
• A project whose name is project and which has a default task, targetB
• Two targets within project where one, targetB, depends upon the other, targetA
• Multiple tasks to be performed in each target
The CLI expects the XML element¹ format to describe targets and tasks. Here is the XML file
represented by the diagram; as described above, targetB is the default target and depends
upon targetA:
<project name = "project" default = "targetB">
  <target name = "targetA">
    <task name = "task1">
    </task>
    <task name = "task2">
    </task>
    <task name = "task3">
    </task>
  </target>
  <target name = "targetB" depends = "targetA">
    <task name = "task4">
    </task>
    <task name = "task5">
    </task>
  </target>
</project>
¹ In XML, an element is comprised of an opening tag, some attribute data in name-value-pair format, and a closing
tag; for example, <iceCream flavor = "chocolate">this tastes great</iceCream>
where [ ] enclose optional items. Each target must have a unique name as defined by its name
attribute. This attribute is mandatory.
Targets may depend upon other targets. Use the target attribute depends in order to indicate
target interdependency. This attribute is optional.
Independent targets are executed by either:
• Specifying the target by the -t command line option
• Specifying the default in the input XML file²
² You can override the default contained in the input file with a command-line specified one.
The task Element
[Diagram: a task element is nested inside a target element, which is nested inside the project element]
<task attributeName1 = "attributeValue1"
      ...
      attributeNameN = "attributeValueN"
/>
Using CLI
There are several ways to use the CLI, all involving the cli.bat for Windows or, for Linux, cli.
These files are shipped in $IPLOCKS_HOME/bin. The syntax is:
cli[.bat] [-f <my_XML_input_file>] [-t <my_default_target>] \³
          [-p <my_task_values.properties>]
where:
• my_XML_input_file is the name of an XML input file that contains your project and
task definitions. (IPLocks ships with an example input file called sample_cli.xml located in
$IPLOCKS_HOME/etc/cli that contains examples of some of the tasks and their attributes.)
• my_default_target is the target you want to be considered the default, instead of the
one in the input file⁴.
• my_task_values.properties is the name of a file containing task-attribute names and
values that you want to substitute for variables in the input file. Values in your .properties
file⁵ can be used in your input file by using the $property⁶ format. (IPLocks ships with an
example task-attribute-values file called sample_cli.properties located in
$IPLOCKS_HOME/etc/cli.)
• [ ] are brackets which enclose optional command-line arguments
Here are some examples:
# Example Description
³ \ is a line-continuation symbol. You don't actually key it.
⁴ A default target is required in the input file.
⁵ See Example Input - Project File for a sample properties file.
⁶ A $-prefixed reference to the name of the variable.
For a more complete task attributes-values file, see Sample Task-Attribute-Values File
Note: Property names are case sensitive. You should only put one attribute name-value pair per
line in the task-attribute-values file.
To have variable substitution occur at runtime, prefix each name with '$', exactly as it
appears in your task-attribute-values file, and place the resulting string inside double
quotes in your XML input file, as shown here:
Example
<property name = "connections" type = "List">
  <item
    alias = "iplocks1"
    host = "192.168.5.1"
    type = "ora"
    login = "SYSTEM"
  />
  <item
    alias = "iplocks2"
    host = "192.168.5.2"
    type = "msql"
    login = "sa"
  />
</property>
foreach Task-Utility
The foreach task-utility element is used in conjunction with the List property to iterate
through the list items that must be performed.
<foreach List = "$propertyListName">
<task
attribute1 = "$propertyListName.subpropertyName1"
attribute2 = "$propertyListName.subpropertyName2"
. . .
attributeN = "$propertyListName.subpropertyNameN"
/>
</foreach>
In the first iteration of foreach, the body is executed with the first item from List; in the
second iteration, with the next item, and so on.
Example
<foreach List = "$connections">
  <addDatabase
    alias = "$connections.alias"
    host = "$connections.host"
    database = "iplocks"
    type = "$connections.type"
    username = "$connections.login"
    password = "iplocks"
  />
</foreach>
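The substitution rules described above (a $name reference to a String property or to a value from the task-attribute-values file, a List property made of item elements, and a foreach that runs its body once per item with $list.subproperty references) can be checked offline before handing the file to cli.bat. The Python script below is an added example, not part of the IPLocks CLI or its sample files: the properties text and the input file are constructed, the function names are this example's own, and the way it resolves references is an assumption based on the guide's description rather than the product's actual parser.

```python
"""Expand $property references and <foreach> blocks in a CLI-style input file.

Added example (not IPLocks code). It resolves $name from a name=value
properties text, registers property tasks (String or List) and expands each
foreach body once per List item, so the concrete task list can be inspected
before it is run.  Target dependency order (depends/default) is not modelled.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a task-attribute-values file: one name=value per line.
SAMPLE_PROPERTIES = """
# constructed sample properties
dbPassword=changeme
application=cva
"""

# Constructed sample input file using a List property and a foreach loop.
SAMPLE_INPUT = """
<project name="sample" default="connect">
  <target name="connect">
    <property name="connections" type="List">
      <item alias="iplocks1" host="192.168.5.1" type="ora"  login="SYSTEM"/>
      <item alias="iplocks2" host="192.168.5.2" type="msql" login="sa"/>
    </property>
    <foreach List="$connections">
      <addDatabase alias="$connections.alias" host="$connections.host"
                   database="iplocks" type="$connections.type"
                   username="$connections.login" password="$dbPassword"/>
    </foreach>
    <scan application="$application" database="iplocks" report="true"/>
  </target>
</project>
"""

# $name or $name.sub (names are case sensitive, as the guide says)
REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)(?:\.([A-Za-z_][A-Za-z0-9_]*))?")


def load_properties(text):
    """Parse name=value lines; blank lines and '#' comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip()
    return props


def substitute(value, props, current=None):
    """Replace every $name / $list.sub reference in one attribute value.

    `current` is (listName, itemAttributes) while inside a foreach body.
    An unknown reference raises instead of silently passing '$x' to the tool.
    """
    def repl(match):
        name, sub = match.group(1), match.group(2)
        if sub is not None:
            if current is None or current[0] != name:
                raise KeyError(f"${name}.{sub} used outside a foreach over ${name}")
            return current[1][sub]
        if name not in props:
            raise KeyError(f"undefined property ${name}")
        return props[name]
    return REF.sub(repl, value)


def expand_project(xml_text, properties_text):
    """Return the concrete (taskName, attributes) list for every target."""
    props = load_properties(properties_text)
    root = ET.fromstring(xml_text)
    lists = {}
    tasks = []

    def emit(task, current):
        attrs = {k: substitute(v, props, current) for k, v in task.attrib.items()}
        tasks.append((task.tag, attrs))

    for target in root.findall("target"):
        for child in target:
            if child.tag == "property":
                # property task: a List of items, or a String whose value defaults to ""
                if child.get("type") == "List":
                    lists[child.get("name")] = [dict(i.attrib) for i in child.findall("item")]
                else:
                    props[child.get("name")] = child.get("value", "")
            elif child.tag == "foreach":
                list_name = child.get("List").lstrip("$")
                for item in lists[list_name]:
                    for task in child:
                        emit(task, (list_name, item))
            else:
                emit(child, None)
    return tasks


if __name__ == "__main__":
    for task_name, attrs in expand_project(SAMPLE_INPUT, SAMPLE_PROPERTIES):
        print(task_name, attrs)
```

Keeping the password in the properties file rather than in the XML input, as the sample does, keeps credentials out of the file that is most often copied and shared; the expansion raises on any reference that does not resolve, so a mis-cased property name is caught before a task runs with a literal "$dbPassword".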
Database Tasks
Managing Database Connections
addDatabase
This task sets database-connection parameters. The following table describes the possible
addDatabase attributes. You must specify the first six attributes.
Attribute Descriptions
Name Description
alias Connection name in the IPLocks system
type Database server type. The allowable types, and their corresponding RDBMS,
are:
ora Oracle
msql Microsoft SQL Server
sybase Sybase
db2 IBM DB2 V7
db28 IBM DB2 V8
username Username
password Password
location Location
region Region
division Division
dba2tel Secondary DBA phone number
agentIp Agent IP
verifyConnection Enable verify-connection functionality. Possible values are true and false.
The default is false.
Example
<project ...>
<target ...>
...
<addDatabase
alias = "pubs"
host = "127.0.0.1"
database = "pubs"
type = "msql"
username = "sa"
password = "123"
verifyConnection = "true"
/>
...
</target>
</project>
updateDatabase
This task changes database-connection information. The following table describes the possible
updateDatabase attributes. Only the alias attribute is mandatory.
Attribute Descriptions
Name Description
alias Connection name in the IPLocks system
host [IP address | fully qualified server name][:target-database port number]. (Depending
upon the RDBMS, you may need to enter the default Port Number or, perhaps, a non-
default one of your own, when specifying a host value.)
username Username
password Password
location Location
region Region
division Division
usage Usage
agentIp Agent IP
verifyConnection Enable verify-connection functionality. Possible values are true and false. The default
is false.
Example
<project ...>
<target ...>
...
<updateDatabase
alias = "pubs"
username = "admin"
password = "456"
verifyConnection = "true"
/>
...
</target>
</project>
openDatabase
This task opens and runs a particular database connection. Both attributes are required.
Attribute Descriptions
Name Description
database Database name
Example
<project ...>
<target ...>
...
<openDatabase
database = "pubs"
application = "cva"
/>
...
</target>
</project>
closeDatabase
This task closes a particular database connection. Both attributes are required.
Attribute Descriptions
Name Description
database Database name
Example
<project ...>
<target ...>
...
<closeDatabase
database = "pubs"
application = "cva"
/>
...
</target>
</project>
deleteDatabase
This task deletes database-connection information from the IPLocks system. The alias
attribute is the only possible attribute and is required.
Name Description
alias Connection name in the IPLocks system
Example
<project ...>
<target ...>
...
<deleteDatabase
alias = "pubs"
/>
...
</target>
</project>
addCalendarSchedule
The addCalendarSchedule task enables you to schedule tasks within the IPLocks module.
The following table describes the possible addCalendarSchedule attributes. All attributes are
required except database. If you do not specify database, the schedule will apply to all
databases within the module.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
database Connection name in the IPLocks system
Example
<project ...>
<target ...>
...
<addCalendarSchedule
application = "cva"
database = "pubs"
day = "Everyday"
time = "10:00 AM"
/>
...
</target>
</project>
updateCalendarSchedule
The updateCalendarSchedule task modifies previously established schedule information.
The following table describes the possible updateCalendarSchedule attributes. All attributes
are required except database. If you do not specify database, the schedule will apply to all
databases within the module.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
oldDay Scheduled execution day of the original schedule. Possible values are:
Everyday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday
oldTime Scheduled execution time of the original schedule. The format is: "hh:mm a"
newTime New scheduled execution time. The format is: "hh:mm a"
Example
<project ...>
<target ...>
...
<updateCalendarSchedule
application = "cva"
database = "pubs"
oldDay = "Everyday"
oldTime = "10:00 AM"
newDay = "Monday"
newTime = "12:00 AM"
/>
...
</target>
</project>
deleteCalendarSchedule
The deleteCalendarSchedule task deletes the calendar schedule from the IPLocks system
for the specified day and time.
The following table describes the possible deleteCalendarSchedule attributes. All attributes
are required except database. If you do not specify database, IPLocks will delete the
schedule for all databases within the module.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
Example
<project ...>
<target ...>
...
<deleteCalendarSchedule
application = "cva"
database = "pubs"
day = "Everyday"
time = "10:00 AM"
/>
...
</target>
</project>
setTimerSchedule
The setTimerSchedule task sets a timer schedule so that IPLocks scans repeat at a defined
interval, counted from startTime.
The following table describes the possible setTimerSchedule attributes. All attributes are
required except database. If you do not specify database, IPLocks will create the schedule
for all databases within the module.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
random Enable random interval scanning. Possible values are "true" and "false".
"false" is the default.
Example
<project ...>
<target ...>
...
<setTimerSchedule
application = "cva"
interval = "10:10:10"
startTime = "12:00 PM"
/>
...
</target>
</project>
deleteTimerSchedule
The deleteTimerSchedule task deletes the schedule for the specified application and
database connection.
The following table describes the possible deleteTimerSchedule attributes. All attributes are
required except database. If you do not specify database, IPLocks will delete the schedule
for all databases within the module.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
random Enable random interval scanning. Possible values are "true" and "false".
"false" is the default.
Example
<project ...>
<target ...>
...
<deleteTimerSchedule
application = "cva"
database = "pubs"
/>
...
</target>
</project>
Scanning Tasks
scan
Use the scan task to specify a module- or database-level scan-and-report process that you
want to begin immediately upon execution of cli.bat (or cli).
The following table describes the scan attributes. All are required, except report.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor (a snapshot scan is performed on the target database)
asas Privilege Monitor (a snapshot scan is performed on the target database)
report Enable log reporting for current scan. Possible values are "true" and "false". The
default value is "false". If you specify report= "true", you will get a report of the
results of running the scan task.
Example
<project ...>
<target ...>
...
<scan
application = "cva"
database = "pubs"
report = "true"
/>
...
</target>
</project>
scanServer
The scanServer task scans an RDBMS server in order to collect a list of its databases. It then
uploads to IPLocks the connection information about those databases and generates a report
for each.
Note: This task applies only to RDBMS types for which server-level assessment is supported
such as MS-SQL and Sybase.
The following table describes the possible scanServer attributes. All are required, except
report.
Attribute Descriptions
Name Description
host [IP address | fully qualified server name][:target-database port number]. (Depending upon
the RDBMS, you may need to enter the default Port Number or, perhaps, a non-default
one of your own, when specifying a host value.)
serverType Database server type. The allowable types, and their corresponding RDBMS, are:
msql Microsoft SQL Server
sybase Sybase
password Password
report Enables log reporting for each database scan. Possible values are "true" and "false". The
default is "false". If you specify report = "true", you will get a report of the results of
running the task.
Example
<project ...>
<target ...>
...
<scanServer
host = "127.0.0.1"
serverType = "sybase"
username = "DBA"
password = "SQL"
report = "true"
/>
...
</target>
</project>
Reporting Tasks
cliReport
The cliReport task parses the CLI log file and generates an XML report file.
The following table describes the required cliReport attributes.
Attribute Descriptions
Name Description
runId Run ID for which to generate a report
Example
<project ...>
<target ...>
...
<cliReport
runId = "1898713123"
outputFolder = "usr/local/reports"
/>
...
</target>
</project>
Example Output
<?xml version="1.0" encoding="UTF-8"?>
<report runId="1115385323046">
<task connection="oracle" name="Add Database Task"
result="success" time="05/06/2005 17:15:34"/>
<task connection="oracle" name="Add Calendar Schedule Task"
result="success" time="05/06/2005 17:15:35"/>
<task connection="oracle"
name="Add Calendar Schedule Task (oracle) - failure - Schedule already
exist
1115385323046 05/06/2005 17:15:35 WARNING: Add Calendar Schedule
Task (oracle) - failure - Schedule already exist
1115385323046
05/06/2005 17:15:35 WARNING: Add Calendar Schedule Task"
reason="Schedule already exist" result="failure"
time="05/06/2005 17:15:35"/>
</report>
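When the CLI is driven from a scheduler or a build job, the operator usually wants the job to fail when any task in the run failed, rather than reading the log by hand. The following Python script is an added example, not part of IPLocks: it parses a cliReport XML file of the shape shown above (the sample is constructed after the example output, including the log text that the tool appended to the failed task's name attribute) and returns the counts per result plus the list of failures; the function names are this example's own.

```python
"""Summarise an IPLocks cliReport XML file and flag failed tasks.

Added example, not part of the IPLocks product. It reads the <report>/<task>
structure (runId, connection, name, result, reason, time) and returns a
per-result count and the failed tasks, so a wrapper script can stop on a
failed addDatabase or schedule step.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the guide's example output. The failed
# task's name carries appended log text, as in that output.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<report runId="1115385323046">
  <task connection="oracle" name="Add Database Task"
        result="success" time="05/06/2005 17:15:34"/>
  <task connection="oracle" name="Add Calendar Schedule Task"
        result="success" time="05/06/2005 17:15:35"/>
  <task connection="oracle"
        name="Add Calendar Schedule Task (oracle) - failure - Schedule already exist
1115385323046 05/06/2005 17:15:35 WARNING: Add Calendar Schedule Task"
        reason="Schedule already exist" result="failure"
        time="05/06/2005 17:15:35"/>
</report>
"""


def summarise_report(xml_text):
    """Return (runId, counts_by_result, failures).

    failures is a list of dicts with connection, task, reason and time. The
    tool may append " - failure - <reason>" and log lines to the name
    attribute (newlines inside an attribute become spaces when parsed), so
    the task name is cut at the first " - ".
    """
    root = ET.fromstring(xml_text)
    counts = {}
    failures = []
    for task in root.findall("task"):
        result = task.get("result", "unknown")
        counts[result] = counts.get(result, 0) + 1
        if result != "success":
            failures.append({
                "connection": task.get("connection", ""),
                "task": task.get("name", "").partition(" - ")[0].strip(),
                "reason": task.get("reason", ""),
                "time": task.get("time", ""),
            })
    return root.get("runId"), counts, failures


def exit_status(xml_text):
    """0 when every task succeeded, 1 otherwise (usable as a process exit code)."""
    _, _, failures = summarise_report(xml_text)
    return 0 if not failures else 1


if __name__ == "__main__":
    import sys
    run_id, counts, failures = summarise_report(SAMPLE_REPORT)
    print(f"run {run_id}: {counts}")
    for failure in failures:
        print(f"  FAILED {failure['task']} on {failure['connection']}: "
              f"{failure['reason']} at {failure['time']}")
    sys.exit(exit_status(SAMPLE_REPORT))
```

Treating any result other than "success" as a failure (rather than only "failure") means an unexpected result value also stops the job, which is the safer default for an unattended run.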
statusReport
Use the statusReport task to generate an XML-file report for the last n scans.
The following table describes the possible statusReport attributes. All are required, except
database. If you do not specify database, the report covers all databases within the module.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
nRuns Number of last scans in the report. If set to 0 (zero) or 1, only the last scan is reported.
Example
<project ...>
<target ...>
...
<statusReport
application = "cva"
database = "pubs"
nRuns = "10"
reportFile = "/reports/report.xml"
/>
...
</target>
</project>
generateVAReport
Use the generateVAReport task to generate VA reports.
Note: You should run either the scan or scanServer task before using generateVAReport.
The following table describes the possible generateVAReport attributes. All are required,
except database which is not required if the reportType is global.
You can generate more than one type of report at the same time by delimiting the various
reportTypes with spaces. For example:
reportType="score summary"
You can generate reports in more than one format at the same time by delimiting the various
reportFormats with spaces. For example:
reportFormat="tab csv"
The names of the generated report files use the following format:
yyyyMMdd_hhmmss_<database connection name>_<reporttype>.<file type extension>
where:
• yyyyMMdd_hhmmss represents the current system time
Attribute Descriptions
Name Description
database Connection name in the IPLocks system
This example shows how the foreach task may be used for generating reports for multiple
database connections. (See foreach)
<property name = "connections" type = "List">
  <item databasename = "cli-ora"/>
  <item databasename = "cli-sql"/>
</property>
The connections list would be used as follows:
<foreach List = "$connections">
  <generateVAReport
    database = "$connections.databasename"
    reportType = "trend score"
    reportFormat = "pdf"
    reportLocation = "c:\vareports"
  />
</foreach>
setStatus
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
mas Metadata Monitor
asas Privilege Monitor
Example
<project ...>
<target ...>
...
<setStatus
  application = "asas"
  database = "test"
>
  <item
    name = "Check Password"
    itemType = "PDR"
    status = "enable"
  />
</setStatus>
...
</target>
</project>
setSeverity
The setSeverity task sets the severity level for one or more guarded items in the Privilege
Monitor and Metadata Monitor modules.
The following table describes the possible setSeverity attributes. The application and
database attributes are required.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
mas Metadata Monitor
asas Privilege Monitor
Example
<project ...>
<target ...>
...
<setSeverity
  application = "asas"
  database = "test"
>
  <item
    name = "Check Password"
    itemType = "PDR"
    severity = "Critical"
  />
</setSeverity>
...
</target>
</project>
addUDR
The addUDR task adds a new UDR (User-defined Rule) for the specified module.
The following table describes the possible addUDR attributes. The application, name and
database attributes are required.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
showRecords Number of first-violating records in alert messages. You may also use:
All show all violating records in the alert message;
No show no violating records in the alert message
Minor
Cautionary
Informational
Example
<project ...>
<target ...>
...
<addUDR
  application = "cva"
  database = "test"
  name = "Check Users"
  category = "User"
  sqlType = "sql"
  showRecords = "60"
>
  <description>
    Select all users
  </description>
  <sqlQuery>
    Select * from users
  </sqlQuery>
</addUDR>
...
</target>
</project>
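The rule SQL of a UDR lives in the sqlQuery child element of the input file, so a query that contains '<', '>' or '&' (a date comparison, a <> test, an AND written as &) must be XML-escaped or the whole input file fails to parse before any task runs. The Python script below is an added example, not IPLocks code: it builds an addUDR element with the attributes listed in the table above, lets ElementTree do the escaping, and contrasts it with the hand-written form. The sample SQL and the helper names are this example's own.

```python
"""Build an addUDR task with the rule SQL safely embedded in XML.

Added example, not part of the IPLocks product. ElementTree escapes '<', '>'
and '&' in element text on serialisation, so the SQL survives the round trip
into the CLI input file; writing the element by hand does not.
"""
import xml.etree.ElementTree as ET

MODULES = ("cva", "mas", "asas")   # module codes from the addUDR attribute table

# Constructed sample rule: SQL Server logins other than sa whose password was
# last changed more than 90 days ago. It contains '<' and '>' on purpose.
SAMPLE_SQL = (
    "SELECT name FROM sys.sql_logins "
    "WHERE name <> 'sa' AND modify_date < DATEADD(day, -90, GETDATE())"
)


def build_add_udr(application, database, name, category, sql,
                  description="", sql_type="sql", show_records="60"):
    """Return an <addUDR> Element; text children are escaped when serialised."""
    if application not in MODULES:
        raise ValueError(f"unknown module {application!r}; expected one of {MODULES}")
    udr = ET.Element("addUDR", {
        "application": application,
        "database": database,
        "name": name,
        "category": category,
        "sqlType": sql_type,
        "showRecords": show_records,
    })
    ET.SubElement(udr, "description").text = description
    ET.SubElement(udr, "sqlQuery").text = sql
    return udr


def to_xml(element):
    """Serialise to text: '<' becomes &lt;, '>' becomes &gt;, '&' becomes &amp;."""
    return ET.tostring(element, encoding="unicode")


def parse_add_udr(xml_text):
    """Read an <addUDR> back into a dict, showing the SQL round-trips intact."""
    elem = ET.fromstring(xml_text)
    info = dict(elem.attrib)
    info["description"] = elem.findtext("description", default="")
    info["sqlQuery"] = elem.findtext("sqlQuery", default="")
    return info


def naive_xml(sql):
    """What pasting the SQL into a hand-written element produces."""
    return f"<addUDR><sqlQuery>{sql}</sqlQuery></addUDR>"


def is_well_formed(xml_text):
    """True when an XML parser accepts the text, False on a parse error."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    udr = build_add_udr("cva", "test", "Stale SQL logins", "User", SAMPLE_SQL,
                        description="Logins whose password is older than 90 days")
    print(to_xml(udr))
    print("hand-written element well-formed:", is_well_formed(naive_xml(SAMPLE_SQL)))
```

The module check mirrors the allowed values in the table, so a typo in application is reported when the file is generated rather than when the CLI runs it.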
deleteUDR
The deleteUDR task deletes a UDR (User-defined Rule) for the specified module.
The following table describes the possible deleteUDR attributes. All attributes are required.
Attribute Descriptions
Name Description
application Module in IPLocks. The possible values are:
cva Vulnerability Assessment
mas Metadata Monitor
asas Privilege Monitor
Example
<project ...>
<target ...>
...
<deleteUDR
  application = "pm"
  database = "test"
  name = "Check Users"
/>
...
</target>
</project>
Utility Tasks
foreach
See foreach Task-Utility
autoDiscovery
The autoDiscovery task allows you to "discover" any number of databases within a specified
IP range and DB Type. All attributes are required.
Note: The output-file directory must exist prior to running this task.
Attribute Descriptions
Name Description
fromip IP address of the start of the IP-address range
type Database server type. The allowable types, and their corresponding RDBMS, are:
ora Oracle
msql Microsoft SQL Server
sybase Sybase
db2 IBM DB2
outputFileType Output file type. The allowable types, with descriptions, are:
xls Microsoft Excel
comma comma-delimited file
tab tab-delimited file
outputFile Full path and name of the output file (its directory must already exist; see the note above)
Example
<project ...>
<target ...>
...
<autoDiscovery outputFile="c:\result.xls" outputFileType="xls">
  <range fromip="192.168.001.001" toip="192.168.001.256" type="ora"/>
  <range fromip="192.168.001.001" toip="192.168.001.256" type="msql,sybase"/>
</autoDiscovery>
...
</target>
</project>
property
The property task sets name, value, and type values for the context. It uses this syntax:
<property
name = "propertyName"
[value = "propertyValue"]
type = "propertyType"
/>
The following table describes the possible property attributes. The name and type attributes
are required.
Attribute Descriptions
Name Description
name Property name
Notes:
A property task may have properties which will be declared as String (for one task) or as
List (for multiple tasks). If a property task is of type String, then value is a required
parameter. But if a property task is of type List then value is not a required parameter.
For example:
<property name = "application" value = "cva" type = "String" />   (value is required)
If you don't specify the value parameter then, in the case where type=String, the value
parameter will be set to "", by default.
For example:
Example
<property
name = "application"
value = "cva"
type = "String"
/>
loadPropertyFile
The loadPropertyFile task allows you to load properties from a file into a running project's
context, where the property values can be referenced with the $ prefix. This task adds additional
properties (from the file) into the project's context. If a particular property already exists in the
context, it will be re-initialized.
You may also use the loadPropertyFile task within your input file in order to specify the
name and location of a file that contains task values, using this syntax:
<loadPropertyFile
file = "propertyFileName"
/>
The following table describes the only possible loadPropertyFile attribute, which is
mandatory.
Attribute Descriptions
Name Description
file Full path⁸ and name of a text file that contains the properties you want to load.
Example
<project ...>
<target ...>
...
<loadPropertyFile
file = "c:\work\properties.txt"
/>
...
</target>
</project>
⁸ Specifying a filename without the path is also possible if the text file is located in the same directory as the cli.bat or
cli.sh file.
Notes
• The required file format is ASCII text
• The individual properties within the file should adhere to the same 'name=value' format
as in the current dssConfig.properties file
• The file must exist.
Appendix A: Definitions
Definitions
These definitions may clarify the example that follows:
• project: root element of the input file. Each project may have a default target or set of
tasks.
• target: a set of tasks to be executed. Each may depend upon other targets. Each project
may have a default target. In the example, the default target is scheduleAndScan, which
depends upon the updateConnection target.
• task: name of an action. In the example, the updateConnection target element includes
several tasks: addDatabase, updateDatabase, and deleteDatabase.
• property: task parameter expressed as a name-value pair.
• item: List-related entity
• subproperty: item-related property
Index
auditing, 19, 20
best practice, 5
CLI, 1, 3, 6, 7, 8, 10, 13, 15, 29, 33, 45
compliance, 5
dssConfig.properties, 43
license, 2
login, 2, 15, 16, 17, 41
metadata, 5
monitoring, 5, 6, 7, 8
policy, 5
property, 2, 3, 4, 8, 13, 15, 16, 34, 41, 42, 44
Severity level, 7
SNMP traps, 6
violation, 5
vulnerability, 5