
Databases – Infrastructure – Security

Brian Kelley is an author, columnist, and Microsoft SQL Server MVP focusing primarily on SQL Server security. He is a contributing author for How to Cheat at Securing SQL Server 2005 (Syngress), Professional SQL Server 2008 Administration (Wrox), and Introduction to SQL Server (Texas Publishing). Brian currently serves as an infrastructure and security architect. He has also served as a senior Microsoft SQL Server DBA, database architect, developer, and incident response team lead.

Auditing VMware vCenter Actions (on SQL Server)

When you’ve got a SIEM appliance or application, you want actions and events going into it as a central repository. That allows you to see patterns and hopefully track incidents across systems. As a result, if you want to track actions in VMware’s vCenter and you’ve got the database hosted on SQL Server, you need to give the SIEM product's account access to the following two tables:

  • VPX_EVENT
  • VPX_EVENT_ARG

A standard tendency is to give the account that the SIEM product is using membership in the db_datareader role. Don’t do this. It’s a violation of the Principle of Least Privilege. It’s far better to create a user-defined role and grant it the appropriate permissions. Then make the account a member of the role. For instance:

USE VirtualCenterDB;
GO

CREATE ROLE [Auditor];
GO

GRANT SELECT ON OBJECT::dbo.VPX_EVENT TO [Auditor];
GRANT SELECT ON OBJECT::dbo.VPX_EVENT_ARG TO [Auditor];
GO

And then you make the user account being used by the SIEM product a member of the Auditor role.
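
The membership step, followed by a check that the account ends up with only the two grants, as an added example that is not part of the original post. It assumes a database user named siem_reader (a hypothetical name) already exists in VirtualCenterDB for the SIEM product's login.

```sql
USE VirtualCenterDB;
GO

-- Add the SIEM user (hypothetical name: siem_reader) to the role.
-- On SQL Server 2012 and later the equivalent statement is:
--   ALTER ROLE [Auditor] ADD MEMBER [siem_reader];
EXEC sp_addrolemember @rolename = N'Auditor', @membername = N'siem_reader';
GO

-- 1. Everything that has been granted or denied to the Auditor role.
SELECT pr.name AS role_name,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'Auditor';

-- 2. Every database role the SIEM user belongs to. A leftover db_datareader
--    membership from an earlier setup would show up here.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'siem_reader';

-- 3. Effective permissions, evaluated as the SIEM user.
--    HAS_PERMS_BY_NAME returns 1 when the permission is held and 0 when it is not.
EXECUTE AS USER = N'siem_reader';
SELECT HAS_PERMS_BY_NAME(N'dbo.VPX_EVENT',     N'OBJECT',   N'SELECT') AS select_vpx_event,
       HAS_PERMS_BY_NAME(N'dbo.VPX_EVENT_ARG', N'OBJECT',   N'SELECT') AS select_vpx_event_arg,
       HAS_PERMS_BY_NAME(N'dbo.VPX_EVENT',     N'OBJECT',   N'UPDATE') AS update_vpx_event,
       HAS_PERMS_BY_NAME(DB_NAME(),            N'DATABASE', N'SELECT') AS select_whole_database;
REVERT;
GO
```

Re-running queries 1 and 2 after a vCenter upgrade or a permissions change shows whether the role or the user has picked up anything beyond the two SELECT grants.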

