Administrative users and applications
The Security incidents: administrative users and applications template provides a number of rules that track and report on possible security incidents that might be encountered at run time. You can choose which rules you need for your security scenario.
By default, each rule includes the MARK SESSION action, which sets the trust for this session to
LOW and generates an exception in the Security Incidents report.
Note: The security incident policies analyze authentication methods, but do not log or analyze passwords.
The Security incidents: administrative users and applications template contains the following rules:
- Admin user using plain text password
- This rule identifies when plain-text passwords are used in the authentication process for admin users. Any connection to a database that uses a driver or a database that allows sending a password in clear text over the network generates a security incident.
- Administrative program using plain text password
- This rule identifies when plain-text passwords are used in the authentication process for applications and programs. Any program or application that allows sending a password in clear text over the network generates a security incident.
- Unencrypted administrative session
- This rule checks whether the session is unencrypted and the user is part of the administrative group. This rule generates a security incident for unencrypted administrative sessions.
- Unencrypted administrative program
- This rule checks whether the session is unencrypted and the program is part of the administrative group. This rule generates a security incident only for unencrypted administrative programs, rather than for the entire session.
- Suspicious administrative activity
- This rule finds and reports on users with administrative privileges who connect to a database, but either do not have administrative privileges or are not members of the administrative group. These activities can indicate an intrusion into the database.
- Suspicious administrative program activity
- This rule generates a security incident when it finds connections to a database by a program that has administrative privileges, but either the program does not have administrative privileges or it was not accounted for in the administrative group. These activities can indicate an intrusion into the database.
- Repeated failed login per server IP and admin user (5 in 3 minutes)
- Repeated failed logins by an admin user (specified as five logins within 3 minutes) generate a security incident. Note: This rule is similar to the User Activity Monitoring policy rule Failed Login - Alert if repeated. However, this rule triggers only when a user unsuccessfully attempts to log on to the same server five times within 3 minutes (rather than logging in to multiple servers within 5 minutes).
- Password sent using vulnerable encryption method for admin user
- Guardium® generates a security incident when passwords are sent using insufficiently secure methods. For example, a database might use a driver with outdated encryption methods, or send passwords over the network that are protected by outdated or vulnerable encryption methods.
- Repeated login failures from same Program and different Admin DB users per period of time (5 in 3 minutes)
- Repeated failed logins by an admin user (specified as five logins within 3 minutes) generate a security incident. Note: This rule is similar to the User Activity Monitoring policy rule Failed Login - Alert if repeated. However, this rule triggers only when a user unsuccessfully logs on to the same server five times within 3 minutes (rather than logging in to multiple servers within 5 minutes).
- Admin users re-using passwords
- Reusing passwords across multiple sites poses serious security risks. If an attacker can steal credentials and gain access to one account, they can also log in to any other account that uses the same password.
- Failed login for admin user re-using passwords
- This rule generates exception messages in the Security Incident report when two identical or similar passwords are found for different DB_USER login failures on the same server.
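The two repeated-failed-login rules above count failures per server IP and admin user inside a sliding 3-minute window, which is what separates them from the User Activity Monitoring rule that counts across servers. The following Python is an added illustration of that windowing, not Guardium's own rule engine; the event tuples, the ADMIN_USERS set and the function name are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login events (not real Guardium data):
# (timestamp, server_ip, db_user)
FAILED_LOGINS = [
    # five failures by one admin user against one server within 2 minutes
    ("2024-01-01 10:00:00", "10.0.0.5", "dbadmin"),
    ("2024-01-01 10:00:30", "10.0.0.5", "dbadmin"),
    ("2024-01-01 10:01:00", "10.0.0.5", "dbadmin"),
    ("2024-01-01 10:01:30", "10.0.0.5", "dbadmin"),
    ("2024-01-01 10:02:00", "10.0.0.5", "dbadmin"),  # fifth in window: incident
    # five failures by the same admin user spread across five servers:
    # counted by the cross-server UAM rule, but not by this per-server rule
    ("2024-01-01 10:10:00", "10.0.0.6", "dbadmin"),
    ("2024-01-01 10:10:20", "10.0.0.7", "dbadmin"),
    ("2024-01-01 10:10:40", "10.0.0.8", "dbadmin"),
    ("2024-01-01 10:11:00", "10.0.0.9", "dbadmin"),
    ("2024-01-01 10:11:20", "10.0.0.10", "dbadmin"),
] + [
    # five failures by a non-admin user on one server: outside this rule's scope
    (f"2024-01-01 10:20:{s:02d}", "10.0.0.5", "appuser") for s in (0, 10, 20, 30, 40)
]

ADMIN_USERS = {"dbadmin"}          # assumed administrative group
THRESHOLD = 5                      # "5 in 3 minutes" from the rule name
WINDOW = timedelta(minutes=3)


def repeated_failed_admin_logins(events, admin_users=ADMIN_USERS,
                                 threshold=THRESHOLD, window=WINDOW):
    """Return (server_ip, user, timestamp) for each point where the rule fires.

    Failures are tracked per (server_ip, user) key in a sliding window, so
    bursts spread across servers or by non-admin users never reach the threshold.
    """
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    incidents = []
    for ts_str, ip, user in sorted(events):
        if user not in admin_users:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[(ip, user)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            incidents.append((ip, user, ts_str))
            q.clear()              # one incident per burst, then start counting again
    return incidents
```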