Configure database auditing

Enable auditing on the database so that Guardium® can pull the object auditing data. You can also modify the limit of objects that are added automatically to the object audit, and modify the collector.

About this task

The databases table presents various details of the discovered databases. Use the colored indicators in the table to see the status of any datasource at a glance. Red indicates no configuration, for example the database is not cataloged, or the datasource was not assigned to a classification or VA process. When the indicator is red or yellow, hover over it for more information. Use the predefined filter list to filter any of the columns that have color-coded status indicators, or the free text filter for other values.

If there is a collector defined for the datasource, it appears in the Active Collector column if you are the owner. Otherwise the column is blank.

In a Central Manager (CM) environment, the DB Audit Owner column shows the CM host name. In a standalone system it shows the collector's host name.

The DB Auditing column has one of the following values.
  • Enabled. When followed by pending restart, indicates that the status will take effect upon instance restart.
  • Disabled. When followed by pending restart, indicates that the status will take effect upon instance restart.
  • Configuration does not match requirement. The AWS RDS parameter audit trail is not configured with the value that Guardium requires, XML, EXTENDED. Ask your DBA to modify this value. When followed by pending restart, indicates that the status will take effect upon instance restart.
  • Not supported for this DB engine. Activity monitoring for this engine is not currently supported by Guardium.
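The requirement behind the Configuration does not match requirement status is a single RDS parameter. The following added example, which is not Guardium product code, checks a DB parameter group for that value and reports whether the change is still waiting for an instance reboot (the pending restart case). It reads the shapes returned by `aws rds describe-db-parameters` (Parameters[].ParameterName / ParameterValue) and the DBParameterGroups[].ParameterApplyStatus field of `aws rds describe-db-instances`; the sample payloads, the parameter group name and the status strings it returns are constructed for the example.

```python
"""Check an RDS Oracle DB parameter group for the audit_trail value that
Guardium requires (XML, EXTENDED) and report whether the change is still
waiting for an instance reboot.

Added example for this documentation page; not Guardium product code.
The sample payloads below are constructed and trimmed to the fields used.
"""
import json

REQUIRED_AUDIT_TRAIL = "XML, EXTENDED"

# Constructed, trimmed `describe-db-parameters` response.
SAMPLE_PARAMETERS = json.dumps({"Parameters": [
    {"ParameterName": "audit_sys_operations", "ParameterValue": "true",
     "ApplyType": "static", "ApplyMethod": "pending-reboot"},
    {"ParameterName": "audit_trail", "ParameterValue": "xml, extended",
     "ApplyType": "static", "ApplyMethod": "pending-reboot"},
]})

# Constructed DBParameterGroups entry for the instance; "pending-reboot" means a
# static parameter such as audit_trail was changed but is not applied yet.
SAMPLE_INSTANCE_GROUPS = json.dumps([
    {"DBParameterGroupName": "example-oracle-group",
     "ParameterApplyStatus": "pending-reboot"},
])


def normalize(value):
    """Canonicalize an audit_trail value. Oracle accepts any letter case and
    optional whitespace after the comma, so "xml, extended" equals "XML,EXTENDED"."""
    return ",".join(part.strip().upper() for part in value.split(","))


def audit_trail_status(parameters_json, instance_groups_json, group_name):
    """Return one of three constructed status strings for the instance:
    the parameter does not match, matches but needs a restart, or matches."""
    params = json.loads(parameters_json)["Parameters"]
    value = next((p.get("ParameterValue", "") for p in params
                  if p.get("ParameterName") == "audit_trail"), "")
    if normalize(value) != normalize(REQUIRED_AUDIT_TRAIL):
        return "configuration does not match requirement"
    groups = json.loads(instance_groups_json)
    apply_status = next((g.get("ParameterApplyStatus") for g in groups
                         if g.get("DBParameterGroupName") == group_name), "unknown")
    if apply_status == "pending-reboot":
        return "matches requirement (pending restart)"
    return "matches requirement"


if __name__ == "__main__":
    print(audit_trail_status(SAMPLE_PARAMETERS, SAMPLE_INSTANCE_GROUPS,
                             "example-oracle-group"))
```

Running the check before asking the DBA shows whether the problem is the parameter value itself or only an outstanding reboot, which are the two situations the DB Auditing column distinguishes.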

If you own the instance, a classification process is assigned, and DB audit is enabled, you should see results in the Objects column. Total is the number of objects identified by the classification processes assigned to this instance; Audited is the number of those objects that are enabled for Object Audit; New is the number of objects that a classification process found but that were not enabled automatically. These objects require review. See Manage object auditing.

You should see results in the Objects column if the datasource is assigned to a classification process, the process has run since enabling the DB audit, and you are the owner. If you don't see objects, verify the classification process and run it again.

Modify limit of objects added automatically and collector

You can modify the limit of objects added automatically and the collector on one or more databases simultaneously. Fields that are left blank are not modified.

Procedure

  1. Select one or more databases.
  2. Click DB Auditing > DB Auditing Configuration .
  3. Modify the number in Limit objects added automatically. When DB Auditing is enabled, this is the maximum number of objects found by classification that are automatically enabled for object auditing. You can change it per database after the objects are discovered. Objects that are enabled automatically appear as Enabled in the managed objects window. Set a high but reasonable limit, based on what you expect the classification process to find: a limit that is too high lets an error in your classification flood the object audit, which can affect database performance. For example, if you set the limit to 15 and the first classification run identifies five objects, those five objects are enabled for DB Audit. If the next classification run identifies five more objects, they are also enabled. However, a run's objects are not enabled if the number of audited objects plus the number of newly classified objects exceeds the limit: if the next run identifies seven objects, none of them are enabled, because 10 plus 7 exceeds 15. If the limit is set to zero, objects are never automatically enabled for object auditing.
  4. Collector appears in, and is mandatory for, a Central Manager environment. Select a collector from the drop-down list of all collectors in the CM environment. This is the collector that pulls the audit data (activities) from the DB.
  5. Click Apply.
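The limit rule in step 3 is easiest to see replayed against a sequence of classification runs. The following added example is not Guardium code; it models only the three counters the Objects column shows (Total, Audited, New), assumes objects left for review stay in New until someone reviews them, and goes slightly beyond the walk-through above by also showing a later, smaller run that still fits under the limit, and a limit of zero.

```python
"""Replay of the 'Limit objects added automatically' rule from the procedure.
Added example for this documentation page, not Guardium code. Only the
Total / Audited / New counters are modeled; manual review is not."""


def replay_classification_runs(limit, runs):
    """Apply successive classification runs against an auto-enable limit.

    `runs` holds the number of newly classified objects found by each run.
    A run's objects are enabled as a whole only if audited + newly found <= limit;
    otherwise none of them are enabled and they are counted as New (need review).
    A limit of 0 never enables anything automatically.
    """
    total = audited = new = 0
    decisions = []  # (objects found in the run, what happened to them)
    for found in runs:
        total += found
        if limit > 0 and audited + found <= limit:
            audited += found
            decisions.append((found, "enabled"))
        else:
            new += found
            decisions.append((found, "review"))
    return {"Total": total, "Audited": audited, "New": new, "decisions": decisions}


if __name__ == "__main__":
    # The page's walk-through: limit 15, runs of 5, 5 and 7 objects.
    print(replay_classification_runs(15, [5, 5, 7]))
    # A later run of 3 fits under the limit (10 + 3 <= 15) and is enabled.
    print(replay_classification_runs(15, [5, 5, 7, 3]))
    # Limit 0 leaves every discovered object waiting for review.
    print(replay_classification_runs(0, [5, 5]))
```

The check is all-or-nothing per run: the seven objects from the third run are held back together rather than partially enabled, which is why they show up in New and need review.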

Enable auditing on one database

You can enable DB auditing on one database at a time.

About this task

You can configure the parameter Limit objects added automatically or the collector with any permission level. Other changes require DB permissions, which your access keys may or may not include. The following instructions cover all permission levels.

When you enable DB Auditing, your Guardium system becomes the sole owner of the DB Audit on this DB. No other Guardium system can modify the DB Audit or the object audit. Another system can forcibly take ownership by clicking Start owning DB Audit.

Run classification at least once after enabling DB audit to see and manage objects for auditing. If no objects are found, check your policies.

CAUTION:
When you start managing the database, the Amazon RDS tag IBM Guardium IP is created with the value of your Guardium hostname. This tag should not be modified or removed.

Procedure

  1. Select the row of the database.
  2. Click DB Auditing > DB Auditing Configuration.
  3. Optionally modify the value of objects added automatically to the Object Audit.
  4. In a CM environment, if no collector is defined, select one from the drop-down list and click Apply. The dialog refreshes, and the buttons are enabled.
  5. If Enable DB Auditing is enabled, click it. The dialog and the table refresh, showing You are now owner of the DB audit. Either click Restart to restart the database now (a confirmation message appears), or click Wait for next manual restart, for example to wait for a maintenance window. If you choose Wait for next manual restart, you must access the cloud console directly at a later time. If you click Restart and you do not have sufficient access rights, an error appears; ask your DBA to configure the audit trail as XML, EXTENDED and restart the instance.
  6. If Enable DB Auditing is not enabled, click Own DB Audit. The dialog box refreshes. Click Wait for next manual restart and ask your DBA to configure the audit trail as XML, EXTENDED and restart the instance.
  7. If you made changes to the DB audit status, click Retrieve Status and wait for the message saying that the status has changed, then click Refresh. The DB Audit Owner column shows the host name of the CM, or the collector's host name in a standalone Guardium, and the icon in the DB Auditing column turns green.

Disable auditing on one database

You can disable DB auditing on one database at a time. When you disable the DB audit, you also relinquish ownership of the DB auditing.

About this task

When you stop owning or disable the DB Audit, the entire object audit is disabled as well, and the list of objects that can be audited (which comes from the classification results) is deleted.

Procedure

  1. Select the row of the database.
  2. Click DB Auditing > DB Auditing Configuration.
  3. Click Disable DB Auditing, then either click Wait for next manual restart, for example to wait for a maintenance window, or click Restart to restart the database now. If you choose Wait for next manual restart, you must access the cloud console directly at a later time. If you don't have permission to change the configuration, click Stop Owning DB Audit and ask your DBA to disable the DB audit on this instance.
  4. Click Retrieve Status to refresh the display with the latest status from the cloud.

Results

If there were changes, the message DB auditing status has changed for some databases. Click Refresh to update the table appears. Click Refresh. The status changes to Disabled or Disabled pending restart, the icon in the DB Auditing column turns red, and the DB Audit Owner column is blank.

Starting and stopping DB audit ownership

About this task

You can modify the DB ownership status of one database at a time.

Owning the DB Audit gives you exclusive rights to the DB Audit and Object Audit definitions, and access to the object audit data (see Manage object auditing). Other Guardium systems can access the same cloud account but can only see the DB details.

With full access rights, enabling the DB audit also makes you the owner of the DB. If your access keys do not provide full access rights, you take ownership without enabling the DB audit; once the DBA enables the DB audit, you have access to the audit data. Conversely, disabling the DB Audit relinquishes ownership. If your access keys do not provide full rights, stop owning the DB audit and ask the DBA to disable it.

You can move ownership from one Guardium system to another.

If you are transferring ownership between two live systems, first stop owning the DB Audit on the current owner, then take ownership on the second Guardium system. All auditing stops when a Guardium system relinquishes ownership. You must define the auditing process again on the new Guardium system: assign the DB to a classification, run the process, and add objects to the Object Audit.

CAUTION:
Stop owning the DB Audit on the first system before starting to own it on the second. Otherwise the data goes to the previous collector as well as the new one. Two collectors with different policies (different CMs) receiving the same activities produce different, or incomplete, results on each collector.

If you are transferring ownership from a Guardium system that has gone down with no expectation of recovery, you can start owning the DB Audit from another Guardium system while keeping the audit definitions; only the ownership changes. In this scenario, stop the original Guardium system from owning the DB Audit in the DB console.

Procedure

  1. In the databases table, select the row of the database.
  2. To stop owning DB audit: Click DB Auditing > DB Auditing Configuration > Stop owning DB audit.
  3. To start owning DB audit: Click DB Auditing > DB Auditing Configuration > Start owning DB audit.