Database Monitoring
list Venkatesh Subbaramu
Hi All , We have implemented db monitoring using dbcheck.pl for our Oracle and SQL Server databases which requires the database user id and password to be stored in dbcheck.ini (its config file) .However the security team has raised concerns about this and proposed that we instead go for a agent based model like say leverage the BBWIN agent for windows to perform the database monitoring as well . Can you please let me know if this is possible to implement .If yes ,please provide some details /sample scripts for implementation . Thank You, Regards, Venky **************** CAUTION - Disclaimer ***************** This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system. ***INFOSYS******** End of Disclaimer ********INFOSYS***
list Larry Barber
You're still going to need to have the account name and password stored somewhere, even if it is local to the database machine. The real way to provide good security in this case is to make sure the account that Xymon uses only has the permissions it needs, only "select" permissions on the DBA tables. This way nobody can use the account information to subvert your database nor will they be able to use it to obtain sensitive information. You can also make the file holding the passwords hard to access, zero out the permissions using chmod and then use setfacl to add in read permissions for the Xymon user. I haven't used dbcheck.pl, but I strongly suspect that you could run on the Xymon clients that are hosting your databases, there are certainly other monitoring scripts, available at Xymonton and deadcat that do operate locally, but you will still need passwords stored in a plain text file somewhere. Thanks, Larry Barber On Wed, Oct 31, 2012 at 7:41 AM, Venkatesh Subbaramu <
▸
user-836ee4520eff@xymon.invalid> wrote:
Hi All ,**** ** ** We have implemented db monitoring using dbcheck.pl for our Oracle and SQL Server databases which requires the database user id and password to be stored in dbcheck.ini (its config file) .However the security team has raised concerns about this and proposed that we instead go for a agent based model like say leverage the BBWIN agent for windows to perform the database monitoring as well . Can you please let me know if this is possible to implement .If yes ,please provide some details /sample scripts for implementation .**** ** ** Thank You,**** ** ** Regards,**** Venky**** **************** CAUTION - Disclaimer ***************** This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system. ***INFOSYS******** End of Disclaimer ********INFOSYS***
list Venkatesh Subbaramu
Thanks Larry ! The concern was more about having all credentials stored in one single location . I will check out the sites . Regards, Venky
▸
From: Larry Barber [mailto:user-6ef9c2864140@xymon.invalid]
Sent: Wednesday, October 31, 2012 7:30 PM
To: Venkatesh Subbaramu
Cc: xymon at xymon.com
Subject: Re: [Xymon] Database Monitoring
You're still going to need to have the account name and password stored somewhere, even if it is local to the database machine. The real way to provide good security in this case is to make sure the account that Xymon uses only has the permissions it needs, only "select" permissions on the DBA tables. This way nobody can use the account information to subvert your database nor will they be able to use it to obtain sensitive information. You can also make the file holding the passwords hard to access, zero out the permissions using chmod and then use setfacl to add in read permissions for the Xymon user.
I haven't used dbcheck.pl<http://dbcheck.pl>;, but I strongly suspect that you could run on the Xymon clients that are hosting your databases, there are certainly other monitoring scripts, available at Xymonton and deadcat that do operate locally, but you will still need passwords stored in a plain text file somewhere.
▸
Thanks,
Larry Barber
On Wed, Oct 31, 2012 at 7:41 AM, Venkatesh Subbaramu <user-836ee4520eff@xymon.invalid<mailto:user-836ee4520eff@xymon.invalid>> wrote:
Hi All ,
We have implemented db monitoring using dbcheck.pl<http://dbcheck.pl>; for our Oracle and SQL Server databases which requires the database user id and password to be stored in dbcheck.ini (its config file) .However the security team has raised concerns about this and proposed that we instead go for a agent based model like say leverage the BBWIN agent for windows to perform the database monitoring as well . Can you please let me know if this is possible to implement .If yes ,please provide some details /sample scripts for implementation .
▸
Thank You,
Regards,
Venky
**************** CAUTION - Disclaimer *****************
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
for the use of the addressee(s). If you are not the intended recipient, please
notify the sender by e-mail and delete the original message. Further, you are not
to copy, disclose, or distribute this e-mail or its contents to any other person and
any such actions are unlawful. This e-mail may contain viruses. Infosys has taken
every reasonable precaution to minimize this risk, but is not liable for any damage
you may sustain as a result of any virus in this e-mail. You should carry out your
own virus checks before opening the e-mail or attachment. Infosys reserves the
right to monitor and review the content of all messages sent to or from this e-mail
address. Messages sent to or from this e-mail address may be stored on the
Infosys e-mail system.
***INFOSYS******** End of Disclaimer ********INFOSYS***