Database Local Account Security Reports
Once a database audit job has finished, a separate PDF is generated for every database engine present in the configuration (SQL Server, Oracle, PostgreSQL, MySQL). Each PDF follows the same three-part layout: inactive accounts, expired accounts, and accounts not managed by Vault, so a reader can move from one report to the next without re-learning the structure. The column set differs per engine, because each engine exposes account metadata through different catalog views. The sections below explain each engine's report.

## Microsoft SQL Server – Database Local Account Security Report

| Chart | Interpretation | Data source |
|---|---|---|
| Inactive accounts | Percentage of logins whose last-login value exceeds the inactivity threshold configured in Security ⇒ Policy Settings | `sys.dm_exec_sessions`, `sys.dm_exec_connections` |
| Expired accounts | Logins whose passwords have passed the age defined by the SQL Server password policy engine (password expiration date) | `sys.sql_logins` |
| Accounts not managed by Vault | Logins whose credentials are not rotated by Kron PAM Vault (vault enrolment flag is false) | DAM credential inventory |

| Column | Description | Populated from |
|---|---|---|
| Hostname / IP address | Instance name and listener IP detected by the collector | Collector metadata |
| User name | Login identifier | `sys.server_principals.name` |
| User type | system, normal, Windows login, certificate, etc. | `sys.server_principals.type_desc` |
| Server roles | Comma-separated roles granted at server scope (sysadmin, securityadmin, …) | `sys.server_role_members` → `sys.server_principals` |
| Server-level permissions | Explicit server-scope privileges (CONNECT SQL, VIEW ANY DEFINITION, …) | `sys.server_permissions` |

## Oracle – Database Local Account Security Report

| Chart | Interpretation | Data source |
|---|---|---|
| Inactive accounts | Users whose last login is older than the inactivity window | `DBA_USERS` |
| Expired accounts | Users whose password-expired flag is set or whose password lifetime has ended | `DBA_USERS`, profile limits |
| Accounts not managed by Vault | Users whose passwords are outside Kron PAM Vault management | DAM credential inventory |

| Column | Description | Populated from |
|---|---|---|
| Hostname / IP address | Database service (or SCAN for RAC) plus listener IP | Collector metadata |
| User name | Oracle user/schema | `DBA_USERS.USERNAME` |
| User type | system, normal, super (for SYS-type accounts) | `DBA_USERS` account status + role check |
| DBA role | Displays `DBA` when the role is granted, otherwise "–" | `DBA_ROLE_PRIVS` |
| Powerful roles | Union of high-impact roles (e.g. `AQ_ADMINISTRATOR_ROLE`, `OEM_MONITOR`) | `DBA_ROLE_PRIVS` |

## PostgreSQL – Database Local Account Security Report

The three charts mirror the SQL Server/Oracle semantics. Expiration is calculated from `pg_authid.rolvaliduntil`; inactivity comes from DAM inactivity tracking, because the PostgreSQL catalog does not record a last-login time for a role.

| Column | Description | Populated from |
|---|---|---|
| Hostname / IP address | Server identifier and interface IP | Collector metadata |
| User name | Role name | `pg_roles.rolname` |
| User type | system (catalog roles), normal (customer-defined), super (if `rolsuper`) | `pg_roles` flags |
| Privileges | Aggregated role attributes: superuser, create databases, create roles, replication, can login, inherit rights | Derived from the `pg_roles` boolean columns |

No extra paragraphs are appended; all role attributes are compressed into the Privileges column.

## MySQL – Database Local Account Security Report

The three charts mirror the SQL Server/Oracle semantics.

| Column | Description | Populated from |
|---|---|---|
| Hostname / IP address | Server identifier and interface IP | Collector metadata |
| User name | Account name (`user@host` pair) | `mysql.user.User`, `mysql.user.Host` |
| User type | Aggregated role attributes: superuser, create databases, create roles, replication, can login, inherit rights | Flag and name inspection in `mysql.user` |

No extra paragraphs are appended; all role attributes are compressed into the Privileges column.
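The SQL Server section above names the catalog views behind each column but not how they are joined. The query below is an added example written for this page, not the product's collector query, and reconstructs the report columns from those views. It assumes SQL Server 2017 or later (for `STRING_AGG`) and a 90-day inactivity threshold; both are assumptions, and the real threshold comes from Security ⇒ Policy Settings.

```sql
-- Added example (not the product's collector query): rebuild the SQL Server report
-- columns from the catalog views the page names.  Assumes SQL Server 2017+ and a
-- 90-day inactivity threshold (placeholder for the configured policy value).
DECLARE @inactivity_days int = 90;

;WITH last_login AS (
    -- sys.dm_exec_sessions only lists sessions that are open right now, so this is
    -- what one collector sample sees; a real last-login needs repeated sampling.
    SELECT login_name, MAX(login_time) AS last_login
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1
    GROUP BY login_name
)
SELECT
    @@SERVERNAME AS instance_name,
    p.name       AS user_name,
    p.type_desc  AS user_type,
    -- Server roles: sys.server_role_members -> sys.server_principals, comma-separated
    (SELECT STRING_AGG(r.name, ',') WITHIN GROUP (ORDER BY r.name)
       FROM sys.server_role_members rm
       JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
      WHERE rm.member_principal_id = p.principal_id) AS server_roles,
    -- Explicit server-scope grants (CONNECT SQL, VIEW ANY DEFINITION, ...)
    (SELECT STRING_AGG(sp.permission_name, ',') WITHIN GROUP (ORDER BY sp.permission_name)
       FROM sys.server_permissions sp
      WHERE sp.grantee_principal_id = p.principal_id
        AND sp.class_desc = 'SERVER'
        AND sp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')) AS server_level_permissions,
    -- Expiry only applies to SQL logins with expiration checking enabled;
    -- LOGINPROPERTY returns NULL for Windows principals.
    l.is_expiration_checked,
    LOGINPROPERTY(p.name, 'IsExpired')           AS password_expired,
    LOGINPROPERTY(p.name, 'DaysUntilExpiration') AS days_until_expiration,
    ll.last_login,
    CASE
        WHEN ll.last_login IS NULL
          OR ll.last_login < DATEADD(day, -@inactivity_days, SYSDATETIME()) THEN 1
        ELSE 0
    END AS inactive
FROM sys.server_principals p
LEFT JOIN sys.sql_logins l ON l.principal_id = p.principal_id
LEFT JOIN last_login ll    ON ll.login_name = p.name
WHERE p.type IN ('S', 'U', 'G', 'C', 'K')  -- SQL login, Windows login/group, certificate, asymmetric key
  AND p.name NOT LIKE '##%'                -- skip the internal certificate-based logins
ORDER BY p.name;
```

Two checks worth making when reading the report against this output: a login with `is_expiration_checked = 0` never expires regardless of the Windows password policy, so it will not show up under expired accounts even if it is old; and because `sys.dm_exec_sessions` holds only current sessions, a login that is simply not connected at sampling time looks identical to one that never logs in unless the collector accumulates samples over time. The inactive-accounts chart is the count of rows with `inactive = 1` divided by the total row count.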
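For the Oracle section above, the following added example (not the product's collector query) shows how the user type, expiry state, DBA role and powerful-roles columns can be derived from `DBA_USERS`, `DBA_PROFILES` and `DBA_ROLE_PRIVS`. It assumes Oracle 12c or later, where `DBA_USERS` carries `LAST_LOGIN` and `ORACLE_MAINTAINED`, and uses a 90-day inactivity window as a placeholder. The page only names `AQ_ADMINISTRATOR_ROLE` and `OEM_MONITOR` as high-impact roles; the two export/import roles added to the list here are an assumption.

```sql
-- Added example (not the product's collector query): derive the Oracle report
-- columns.  Assumes Oracle 12c+ (LAST_LOGIN, ORACLE_MAINTAINED) and a 90-day
-- inactivity window; the role list after the two named on the page is illustrative.
SELECT
    u.username,
    CASE
        WHEN u.username IN ('SYS', 'SYSTEM') THEN 'super'
        WHEN u.oracle_maintained = 'Y'       THEN 'system'
        ELSE 'normal'
    END AS user_type,
    u.account_status,
    u.last_login,
    -- LAST_LOGIN is NULL for accounts that have not connected since the column
    -- was introduced; treat them as inactive rather than unknown.
    CASE
        WHEN u.last_login IS NULL
          OR u.last_login < SYSTIMESTAMP - NUMTODSINTERVAL(90, 'DAY') THEN 'Y'
        ELSE 'N'
    END AS inactive,
    -- Password lifetime is a profile limit; UNLIMITED means the password never ages out
    (SELECT p.limit
       FROM dba_profiles p
      WHERE p.profile = u.profile
        AND p.resource_name = 'PASSWORD_LIFE_TIME') AS password_life_time,
    CASE
        WHEN u.account_status LIKE 'EXPIRED%' THEN 'Y'   -- EXPIRED or EXPIRED(GRACE)
        WHEN u.expiry_date IS NOT NULL
         AND u.expiry_date < SYSDATE          THEN 'Y'
        ELSE 'N'
    END AS expired,
    -- Direct DBA grant only; a DBA grant inherited through another role needs a
    -- recursive walk of DBA_ROLE_PRIVS (not done here)
    CASE
        WHEN EXISTS (SELECT 1
                       FROM dba_role_privs r
                      WHERE r.grantee = u.username
                        AND r.granted_role = 'DBA') THEN 'DBA'
        ELSE '-'
    END AS dba_role,
    (SELECT LISTAGG(r.granted_role, ',') WITHIN GROUP (ORDER BY r.granted_role)
       FROM dba_role_privs r
      WHERE r.grantee = u.username
        AND r.granted_role IN ('AQ_ADMINISTRATOR_ROLE', 'OEM_MONITOR',
                               'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE')) AS powerful_roles
FROM dba_users u
ORDER BY u.username;
```

`ACCOUNT_STATUS` and `EXPIRY_DATE` are checked separately on purpose: a user whose profile lifetime has elapsed but who has not logged in since is still reported as `OPEN` until the next connection attempt flips the status, so `EXPIRY_DATE` is the earlier signal.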
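For the PostgreSQL section above, this added example (not the product's collector query) builds the User type and Privileges columns from the `pg_roles` boolean attributes and the expiry state from `rolvaliduntil`. `pg_roles` exposes `rolvaliduntil` without superuser rights; `pg_authid`, which the page names, carries the same column plus the password hash and needs superuser. The `oid < 16384` test used to recognise catalog roles and the `pg_stat_activity` sampling query for inactivity are both assumptions made here.

```sql
-- Added example (not the product's collector query): derive the PostgreSQL report
-- columns from pg_roles.  Treating oid < 16384 (FirstNormalObjectId) as a catalog
-- role is an assumption of this example.
SELECT
    r.rolname AS user_name,
    CASE
        WHEN r.rolsuper    THEN 'super'
        WHEN r.oid < 16384 THEN 'system'
        ELSE 'normal'
    END AS user_type,
    -- All role attributes compressed into one column, as the report does;
    -- concat_ws() silently drops the NULLs produced by the false branches
    concat_ws(', ',
        CASE WHEN r.rolsuper       THEN 'superuser'        END,
        CASE WHEN r.rolcreatedb    THEN 'create databases' END,
        CASE WHEN r.rolcreaterole  THEN 'create roles'     END,
        CASE WHEN r.rolreplication THEN 'replication'      END,
        CASE WHEN r.rolcanlogin    THEN 'can login'        END,
        CASE WHEN r.rolinherit     THEN 'inherit rights'   END) AS privileges,
    r.rolvaliduntil,
    -- NULL (or 'infinity') means the password never expires
    (r.rolvaliduntil IS NOT NULL AND r.rolvaliduntil < now()) AS password_expired
FROM pg_roles r
WHERE r.rolcanlogin               -- NOLOGIN roles are groups, not local accounts
ORDER BY r.rolname;

-- The catalog has no last-login column.  One way a collector can feed the DAM
-- inactivity tracking is to sample the open sessions on every run and keep the
-- newest backend_start seen per role (assumed approach, not the product's).
SELECT usename, max(backend_start) AS newest_session_start
FROM pg_stat_activity
WHERE usename IS NOT NULL
GROUP BY usename;
```

A practical caveat: `rolvaliduntil` governs only password authentication. A role that authenticates through a `pg_hba.conf` method such as `peer`, `cert` or `trust` keeps working after the date passes, so an "expired" row does not necessarily mean the account is unusable.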
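For the MySQL section above, this added example (not the product's collector query) reads `mysql.user` on MySQL 8.0 to produce the account name, user type, aggregated privilege list and password-expiry state. `Create_role_priv` and the `password_*` columns are 8.0 features, the query needs `SELECT` on `mysql.user`, and the list of system account names is an assumption. PostgreSQL's "inherit rights" attribute has no `mysql.user` equivalent, so it is omitted; MySQL also keeps no last-login time in `mysql.user`, which is why the page sources inactivity from the DAM's own tracking.

```sql
-- Added example (not the product's collector query): derive the MySQL 8.0 report
-- columns from mysql.user.  The system-account name list is an assumption.
SELECT
    CONCAT(u.User, '@', u.Host) AS user_name,
    CASE
        WHEN u.User IN ('mysql.sys', 'mysql.session', 'mysql.infoschema') THEN 'system'
        WHEN u.Super_priv = 'Y'                                           THEN 'super'
        ELSE 'normal'
    END AS user_type,
    -- Flag inspection compressed into one column; CONCAT_WS skips the NULLs
    CONCAT_WS(', ',
        IF(u.Super_priv       = 'Y', 'superuser',        NULL),
        IF(u.Create_priv      = 'Y', 'create databases', NULL),
        IF(u.Create_role_priv = 'Y', 'create roles',     NULL),
        IF(u.Repl_slave_priv  = 'Y', 'replication',      NULL),
        IF(u.account_locked   = 'N', 'can login',        NULL)) AS privileges,
    u.password_expired,
    u.password_last_changed,
    -- A NULL per-account lifetime means the global default applies; 0 = never expires
    COALESCE(u.password_lifetime, @@global.default_password_lifetime) AS effective_lifetime_days,
    CASE
        WHEN u.password_expired = 'Y' THEN 'Y'        -- ALTER USER ... PASSWORD EXPIRE
        WHEN COALESCE(u.password_lifetime, @@global.default_password_lifetime) > 0
         AND u.password_last_changed IS NOT NULL
         AND DATE_ADD(u.password_last_changed,
                      INTERVAL COALESCE(u.password_lifetime,
                                        @@global.default_password_lifetime) DAY) < NOW()
            THEN 'Y'
        ELSE 'N'
    END AS expired
FROM mysql.user u
ORDER BY u.User, u.Host;
```

The `Super_priv` test is a first approximation of "super": on 8.0 much of what SUPER used to cover is split into dynamic privileges (for example `SYSTEM_VARIABLES_ADMIN`, `CONNECTION_ADMIN`) stored in `mysql.global_grants`, so an account can be highly privileged with `Super_priv = 'N'`. Cross-checking `mysql.global_grants` for the same `User`/`Host` pair is the check to add if the report's user type looks too permissive.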