User Manual - Database scanning for securing payment card details
1. 19 23 31 02 INFO Database Credit Card Scanner v1 2
INFO Reading config file orile cfg
INFO Local database opened OK
2012 12 19 23 31 03 INFO Checking DB connection details usr1 dbhost01 1521 ORADB WORLD
2012 12 19 23 31 04 INFO Connected OK
2012 12 19 23 31 04 INFO License check OK Days left 3
2012 12 19 23 31 04 INFO Loading scanning parameters
2012 12 19 23 31 04 INFO Schema parameter Schema USR1 Object type Tables
2012 12 19 23 31 05 INFO Table parameter USR1 PKT SML Exclude Yes
2012 12 19 23 31 05 INFO Table parameter USR1 EVENT LOG Exclude Yes
2012 12 19 23 31 05 INFO Starting Scanning Run
2012 12 19 23 31 06 INFO Scanning configuration
2012 12 19 23 31 06 INFO Parallel Threads 2
2012 12 19 23 31 06 INFO DB Parallelism 1
2012 12 19 23 31 06 INFO Resume Unfinished Scans Yes
2012 12 19 23 31 06 INFO Ignore Truncated Cards No
2012 12 19 23 31 06 INFO Scan CLOB Columns No
2012 12 19 23 31 06 INFO Scan Last 2 Days Data only No
2012 12 19 23 31 06 INFO Created parallel slaves 2
2012 12 19 23 31 06 INFO SLAVE 1 Got object USR1 TABLE1
2012 12 19 23 31 06 INFO SLAVE 2 Got object USR1 TABLE2
2012 12 19 23 31 06 INFO SLAVE 2 Got object USR1 TABLE3
2012 12 19 23 31 06 INFO SLAVE 1 Got object USR1 another table
2012 12 19 23 31 06 INFO SLAVE 1 completed
2012 12 19 23 31 07 INFO SLAVE 2 completed
2012
2. 12 19 23 31 14 INFO PDF Report has been successfully generated home user1 dclscanner 1 2 reports dcls ORADB scan 20121219 233109 pdf
2012 12 19 23 31 14 INFO Scanning Run has been closed with status C Cards found
2012 12 19 23 31 14 INFO Scanning run statistics
2012 12 19 23 31 14 INFO Total tables partitions checked 4
2012 12 19 23 31 14 INFO Errors 0
2012 12 19 23 31 14 INFO Cards found
2012 12 19 23 31 14 INFO VISA 770
2012 12 19 23 31 14 INFO Master Card 384
2012 12 19 23 31 14 INFO AMEX 384
2012 12 19 23 31 14 INFO Diners 0
2012 12 19 23 31 14 INFO JCB 0
2012 12 19 23 31 14 INFO Discover 0
2012 12 19 23 31 14 INFO Elapsed time 00 00 04
2012 12 19 23 31 14 INFO Scanning run completed
2012 12 19 23 31 16 INFO Local database shut down

Database Command Line Scanner v1 2 User Manual DbScanLabs 2012

Appendix B

Below there are screenshots showing sample PDF report produced by DCLScanner.

Database Scan Report

Scan Result: Payment Card Numbers found
Scan Started: 2012 10 03 10 00 00
Scan Finished: 2012 10 03 15 00 00
Elapsed time (hh mm ss): 05 00 00
Tables Partitions scanned: 1037

Card Type Summary
VISA 0
Master Card 1
AMEX 0
Diners 3
JCB 0
Discover 0
Truncated cards: Included

Database Details: Connection Name, DB Service Name, Host name, User name, Schema

Scan Parameters: Num of Range Partitions to scan if
3. Database Command Line Scanner v1 2 User Manual DbScanLabs 2012

Contents
1 Overview
1.1 Architecture
1.2 Key features
2 Installation
2.1 Unix Installation
3 Basic Usage
3.1 Scanning Parameters
3.1.1 Configuring database connection
3.2 Running a Scan
4 Advanced Usage
4.1 Advanced Scanning Parameters
Appendix A
Appendix B
Appendix C

1 Overview

This document describes Database Command Line Credit Card Scanning (DCL Scanner) software. This module enables the Scanner to be run in a command line stand alone mode, as opposed to using a web server that would require a separate install. This is useful in high security areas where running a web server may not be feasible. The Scanner searches the database for clear text paym
4. ent card numbers and provides a PDF report with the detailed result of the scan. The scanning is done in a non intrusive way: no data is stored in the target databases and no agents are installed on database servers. It provides important information for PCI (Payment Card Industry) related audits. The generated reports can be used as proof that no clear payment card data exists in a given database.

1.1 Architecture

The command line scanner is a standalone module. Extract it into a directory on the database server or any other server or client. It just requires a TNS based connection to the databases to be scanned. There is no web server and no web interface. All actions are controlled by a single configuration file.

1.2 Key features

The scanner has a number of key features:
- It is specifically written to work with Oracle databases and takes advantage of advanced Oracle features.
- It is designed to run with minimal performance impact. So, for example, it can be run on a mission critical production database safely.
- It provides full control of the degree of parallelism to be used.
- Scans can be paused and resumed as required.
- It can be run on multi terabyte databases.
- It runs on Oracle RAC databases and on Oracle Exadata machines.
- A PDF report can be generated from a partial, failed or unfinished scan. So, for example, when scanning a very large database, interim reports can be obtained.
- It has features for enabling a quick i
5. example, if

parallel_threads 2
db_parallelism 4

Two separate worker threads will be launched and the tables will be allocated to each. As they scan the tables, a database parallel degree of 4 will be used by ALL the queries. This provides the user with the flexibility to allocate more resources to the scanning operations during times when the database load is low, and to allocate fewer resources when the database load is high, for example during a batch window.

If the parameter resume_unfinished_scans is set to YES, then failed or aborted scans can be resumed from the point they failed at. For example, if the database was shut down for maintenance, the scan can be resumed once it is available again.

The parameter update_runtime_stats_intvl controls the frequency at which the log file is updated.

The parameter ignore truncated cards allows truncated cards to be ignored, for example patterns like 123456 000000 8765.

The parameter scan last 2 days data allows the scan to be limited to only data that has changed in the last two days.

The parameter scan clob columns allows large CLOB columns to be omitted as part of an initial scan.

All the parameters in this section can be changed on the fly by terminating the scan, changing the parameters and resuming the scan.

Schema Scanning Parameters

The Schema scanning parameter schema_list allows the user to p
6. guration files located at DCLScanner Install Dir instantclient 11 2 network admin directory. These ora files can be used for any custom TNS configuration.

3.2 Running a Scan

To launch a scan, run:

dclscanner sh c filename cfg

A detailed log file that provides an ongoing progress report can be found at installation directory logs dclscanner log, for example dclscanner 1 2 logs dclscanner log. A sample log file is shown in Appendix A.

After the scan has successfully finished, a PDF report is generated and stored in the <installation_directory> reports directory. Since reports contain sensitive data, the location of the reports directory cannot be changed, for security reasons.

If a scan is stopped due to a database error (e.g. the target database became unavailable), it can be resumed later, after the database has become available.

A sample PDF Report file is shown in Appendix B.

4 Advanced Usage

4.1 Advanced Scanning Parameters

The advanced scanning parameters fall under the following categories:
- Setup
- DB Connections
- Schema Scanning Parameters
- Table Scanning Parameters
- Excluded Tables

Setup

Parallelism can be controlled in two ways: the number of individual threads that will be run (parallel_threads) and the in database parallelism (db_parallelism). So, for
7. ning.

3 Basic Usage

3.1 Scanning Parameters

The scanning parameters are specified in the cfg file. The following are the key parameters. Please refer to Appendix C for the complete list of configuration parameters and their syntax.

- tns name: TNS connection to the database. It can be in the form of a TNS name or an Easy Connect String; please see section 3.1.1 Configuring database connection for more details.
- db user: Database user under which the scan will be run. This user will require select privileges on all the tables to be scanned.
- password: Password of db user. This will be encrypted automatically in the config file.
- schema_list: List of schemas to be scanned.

3.1.1 Configuring database connection

The easiest way to configure a database connection is to use an Oracle EZ Connect URL: hostname:port/SERVICE_NAME. However, standard canonical TNS names can be used as well.

It is normally recommended to install the DCL Scanner on a database server to eliminate network latency. So, if DCL Scanner has read access to the set of ora configuration files on the database server (e.g. in the $ORACLE_HOME/network/admin directory), the scanner can use them via the TNS_ADMIN environment variable.

If for any reason the ora configuration files are not available to use, an independent TNS configuration can be created. DCL Scanner has its own set of standard Oracle confi
8. nitial or sample scan to be conducted. For example:
  - specific tables can be included or excluded
  - for large partitioned tables, the scan can be limited to the latest range partitions
  - scans can be limited to only the data that has changed in the last 2 days
  - large CLOB columns can be omitted

2 Installation

The command line scanner runs on Linux, Solaris, AIX and HPUX. The software is distributed in the form of self extracting packages.

2.1 Unix Installation

Required Privileges: None if installed in the local home directory. Otherwise root privileges may be required.

The Unix installation package can be downloaded from this URL: http://www.dbscanlabs.com/dcls_download.html

To install the software, the following steps need to be performed:

1. Create a directory in which DCL Scanner will reside.
2. Download the DCL Scanner Installer and save it into the created directory. For example, for Linux 32bit OS it will be dclscanner x x Linux 32b install sh, where x x is the version.
3. The installer is a self extracting archive, so first make it executable: chmod u+x dclscanner 1 2 Linux 32b install sh
4. Run the installer: dclscanner 1 2 Linux 32b install sh
5. After the installation has completed, create a config file for your database (use sample cfg as a template) and then run the command dclscanner sh c config file name to start scan
9. rameter defines the list of individual tables to be scanned for credit card numbers.

format: table_list SCHEMA TABLE NAME X ALL, SCHEMA TABLE NAME X ALL
where X, ALL is the number of range partitions to be scanned for the table (if the table is partitioned by range):
  X: last partitions to be scanned
  ALL: all range partitions to be scanned
If omitted, the default number of partitions to scan is 2.

For example: table_list app schema 1 table1, app schema 2 table2 1, app schema 3 table3 all

table_list

Excluded tables

This parameter defines the list of individual tables or individual table columns to be excluded from scanning. If a column list is not specified, the whole table is excluded from the scan.

format: table list SCHEMA TABLE COLUMN NAME1 COLUMN NAME2, SCHEMA TABLE NAME

For example: table list app schema 1 table1, app schema 2 table2, app schema 3 table3 col1 col2

exclude_table_list
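The manual's ignore truncated cards setting (patterns like 123456 000000 8765) and the masked numbers in the Appendix B report can be illustrated with a small column-value scanner. This is an added example, not DCLScanner's own code; the Luhn check, the prefix rules, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Runs of 13-19 digits (or X/x/* mask characters), single space/hyphen separators allowed.
CANDIDATE = re.compile(r"(?<![0-9Xx*])[0-9](?:[ -]?[0-9Xx*]){12,18}(?![0-9Xx*])")

# Simplified public issuer prefixes for the six brands in the report summary.
BRANDS = [
    ("AMEX", r"3[47]\d{13}"),
    ("DINERS", r"3(?:0[0-5]|[68]\d)\d{11}"),
    ("JCB", r"35(?:2[89]|[3-8]\d)\d{12}"),
    ("DISCOVER", r"6(?:011|5\d\d)\d{12}"),
    ("MASTER CARD", r"(?:5[1-5]\d\d|222[1-9]|22[3-9]\d|2[3-6]\d\d|27[01]\d|2720)\d{12}"),
    ("VISA", r"4\d{12}(?:\d{3})?"),
]

def luhn_ok(digits):
    """Luhn checksum; an assumed validation step, the manual does not name one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def is_truncated(pan):
    """Masked digits, or an all-zero middle like the manual's 123456 000000 8765."""
    return any(c in "Xx*" for c in pan) or set(pan[6:-4]) == {"0"}

def brand_of(pan):
    probe = re.sub(r"[Xx*]", "0", pan)  # let the prefix rules see masked values
    return next((n for n, rx in BRANDS if re.fullmatch(rx, probe)), "UNKNOWN")

def mask(pan):
    """Keep the first six and last four digits, as in the Appendix B sample rows."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def scan_value(text, ignore_truncated=False):
    hits = []
    for m in CANDIDATE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group())
        truncated = is_truncated(pan)
        if truncated and ignore_truncated:
            continue  # behaviour the manual describes for ignore truncated cards YES
        if not truncated and not luhn_ok(pan):
            continue  # clear digit run that is not a plausible card number
        hits.append((mask(pan), brand_of(pan), truncated))
    return hits

# Constructed column values; the Visa and MasterCard numbers are public test numbers.
ROWS = ["card 4111111111111111 on file", "5555-5555-5555-4444",
        "123456 000000 8765", "ref 301047XXXX4622", "order 1234567890123456 shipped"]
if __name__ == "__main__":
    for row in ROWS:
        print(row, "->", scan_value(row))
```

Each hit is returned as (masked number, brand, truncated flag), so the clear value never reaches the output.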
10. reated changed during the last 2 days will be scanned for the credit card numbers
  NO: Table default PARALLEL degree will be used if defined
scan last 2 days data no

scan clob columns (YES, NO)
  YES: scan CLOB columns for credit card data
  NO: ignore CLOB columns
scan clob columns no

DB connection

The tns name parameter can be either a standard TNS name from the tnsnames ora file located in the DCLS DIRECTORY instantclient 11 2 network admin directory, or an EZConnect URL: hostname:portNo/SERVICE_NAME

tns name
db user

When the database password gets changed, DCLScanner detects the new password and encrypts it, so the password is stored in clear text only until DCLScanner has been run for the first time after the change.

password

Schema scanning parameters

This parameter defines the list of schemas to be scanned for credit card numbers.

format: schema_list SCHEMA NAME X ALL, SCHEMA NAME X ALL
where X, ALL is the number of range partitions to be scanned for the schema (if the table is partitioned by range):
  X: last partitions to be scanned
  ALL: all range partitions to be scanned
If omitted, the default number of partitions to scan is 2.

For example: schema_list app schema 1, schema 2 1, app schema 3 all

schema_list

Table scanning parameters

This pa
11. rovide a list of schemas to be scanned. It also controls the number of last partitions to be scanned for partitioned tables.

Table Scanning Parameters

Table scanning parameters (table_list and exclude_table_list) are designed to configure various exceptions to scanning database tables when Schema scanning parameters are too broad and/or not suitable. Table scanning parameters can be used for:
- Excluding a database table from scanning when the object falls under Schema scanning parameters.
- Excluding individual columns of a table from scanning, for instance to avoid unnecessary false positives.
- Scanning just a single database table or a small group of tables, as opposed to scanning the whole schema via Schema scanning parameters.
- Overriding scanning rules for a database table. For example, a schema is configured with the number of Range partitions to scan set to Last 2. A particular table can be configured so that all its range partitions are scanned.

Excluded Tables

This parameter (exclude_table_list) allows specific tables to be omitted from a scan. This is useful when running repeated scans, or when trying to obtain a quick scan by omitting some of the largest tables in a schema. Also, individual table columns can be excluded from the scan.

Appendix A

Below there is a sample log file from a DCL Scanner run.

2012 12 19 23 30 59
2012 12 19 23 30 59
2012 12
12. to scan if partitioned: All

Tables with Card Numbers
SCHEMA1 CUSTOMER ID partition P 1
SCHEMA1 SALE SAMPLE

Card Number Details

Table SCHEMA1 CUSTOMER D partition P 1, Cards 2
Column Name | Number | Card Type | ROWID
GARDD __ | 5288122XXXXXX32581 | MASTER CARD | AAAVOBAAbAAIYaiAAJ
STORED CARD NUMBER | 301047XXXX4622 | DINERS | AAAWyTAASAAEeShAA

Table 1 SAMPLE, Cards 2
Column Name | Number | Card Type | ROWID
CARD NUMBER | 5 | DINERS | AAAWyUAASAAECIMAAY
CARD NUMBER | 382030XXXX3801 | DINERS | AAAWyUAASAAISYFAAe

Please note:
1. Clear card numbers are shown in the masked form.
2. Only the following datatypes have been scanned: CHAR, VARCHAR2, CLOB, NCHAR, NVARCHAR2, NUMBER.

Licensed to Some Company & DB Scan Labs 2012

Appendix C

Below there is the full list of DCLScanner configuration parameters along with comments and their syntax.

This is a configuration file for the Database Credit Card Command Line Scanner (DCLScanner).
This file defines only one database connection and scanning parameters associated with it.
Only one instance of DCLScanner can be active at any moment in time.

File format: parameter value
Comment symbol
List delimiter
Multiline parameter val
13. ues are NOT supported

This section defines general parameters to run DCLScanner

parallel_threads: the number of parallel threads that are used for scanning
parallel_threads 1

resume_unfinished_scans (YES, NO)
  YES: if an unfinished (interrupted) scan has been found, it will be resumed from the point where it stopped
  NO: the new scanning run will be started from the beginning
resume_unfinished_scans yes

update_runtime_stats_intvl: the number of minutes after which the current scanner runtime statistics is displayed
update_runtime_stats_intvl 2

ignore truncated cards (YES, NO)
  YES: means card numbers like 123456 000000 8765 will be skipped
  NO: all the card numbers are reported
ignore truncated cards no

db_parallelism (empty value, 1, 2 N)
  empty value: means that the default table PARALLEL degree will be used (defined during table creation)
  1: PARALLEL options will be disabled for ALL the tables to be scanned
  2 N: specified parallel degree will be forced for EACH table to be scanned
db_parallelism 1

Scan last 2 days data

This parameter allows to avoid scanning very large tables and scan ONLY the data that has been created or modified during the last 2 days.
Note: the database must have been running for at least 2 days.

scan last 2 days data (YES, NO)
  YES: Only the data that has been c