Rule definition fields
You can use these fields when you define policy rules.
Field | Description |
---|---|
Action | Indicates the action to be taken when the rule is true. For a comprehensive description of all rule actions, see Rule Actions Overview. |
App Event Exists | Match for an application event only. See the App Event Note. |
App Event Values | Match the specified application event Text, Numeric, or Date values. Also allow a Group to be chosen for the event string as an option. See the App Event Note. |
(App) Event Type | Match the specified application event. See the App Event Note. |
(App) Event User Name | Match the specified application event username only. See the App Event Note. |
App Event Note | The App Event fields cannot be used when the Flat Log box is marked. |
App. User | Application User. For more information, see Values and groups of values in rules. |
Category | An arbitrary label that can be used to group policy violations for reporting purposes. A default category can be specified in the policy definition, but the default can be overridden for each rule. |
Classification | An arbitrary label that can be used to group policy violations for reporting purposes. A default classification can be specified in the policy definition, but the default can be overridden for each rule. |
Client Info | DB2® client information: For access rules only. For z/OS® only, a CLIENT INFO field (and CLIENT_INFO_GROUP_ID) is visible if DB_TYPE is either Db2, Db2 COLLECTION Profile or VSAM COLLECTION Profile. The type of information that can be placed in this field is USER=x; WKSTN=y; APPL=z. |
Client IP | Clear the Not box to include, or mark the Not box to exclude. A wildcard is allowed in the IP address: the wildcard % is permitted in a policy for a Client IP group. |
Client IP/Source Program/DB User/Server IP/Service Name | Tuple group type, available for access, exception, and extrusion rules: the 5-tuple Client IP/Src App/DB User/Server IP/Svc. Name, or the 7-tuple that adds OS User/DB. A tuple allows multiple attributes to be combined to form a single group member. A tuple supports the use of one slash and the wildcard character (%); it does not support a double slash. Wildcard % is permitted in a policy for a Client IP/Source Program/DB User/Server IP/Service Name group. |
Client MAC | To make the rule sensitive to a single client MAC address, you can take one of the following steps: |
Command | The command. You can have situations in which a command group cannot be edited, and the and/or Group label changes to Collect Only, indicating that commands from only the selected group are to be selected. For more information, see Values and groups of values in rules. If the Every member in group option is selected, all fields of the SQL statement must be a member of the defined group. However, the SQL statement does not need to contain all members of the group. For example, for the group DB_TABLES_PROD with members students, module, marks: |
Continue to Next Rule | If marked, rule testing will continue with the next rule, regardless of whether this rule is satisfied. This means that multiple rules can be satisfied (and multiple actions taken) by a single SQL statement or exception. If not marked (the default), no additional rules are tested for the current transaction when this rule is satisfied. |
Data Pattern | Every type of rule (Access, Exception, Extrusion) can have a Data Pattern, but it is required for Extrusion rules. For use in defining Extrusion rules: a regular expression to be matched, entered in the Data Pattern box. Click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions. This enables more complex masking patterns. Put parentheses around the section that you want to mask. Use this function to mask data retrieved from the database. For example, Additional regular expressions (Regex) for use only in Data Patterns with an action of Redact (Scrub): Regex with Redact - Use of regular expressions (regex) in the IBM® Guardium® solution (including masking in the policy) runs on the appliance and allows advanced regex capabilities. However, the regex library used with Redaction runs in the kernel of the database server and is limited to the most basic regex. Only basic regex patterns can be used with Redaction. For example, the regular expression nomenclature [0-9]* cannot be used to indicate any number of digits. Use basic regular expression nomenclature, for example, Note: S-TAP accepts only the predefined SCRUB pattern names, ignoring any other name. Access rule, data pattern, and replacement character - Using a data pattern such as Note: Extrusion rules are usually attached to the session with a delay. Therefore short sessions, or the beginning of a session, might not be immediately affected by a character set change. |
DB Name | The database name. For more information, see Values and groups of values in rules. |
DB Type | Supported DB types for access rules: Cassandra, CIFS, CouchDB, Db2, Db2 COLLECTION PROFILE* (only for use with z/OS), FTP, GreenPlumDB, Hadoop, HTTP, IBM INFORMIX (DRDA), IBM iSeries, IMS, IMS COLLECTION PROFILE (only for use with z/OS), Informix®, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, TERADATA, VSAM, or VSAM COLLECTION PROFILE* (only for use with z/OS). For exception and extrusion rules: Cassandra, CIFS, CouchDB, Db2, FTP, GreenPlumDB, Hadoop, IBM INFORMIX (DRDA), IBM iSeries, Informix, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, or TERADATA. Note: Informix supports two protocols, SQLEXEC (native Informix protocol) or DRDA (IBM protocol). These protocols are identified automatically for Informix traffic with no additional settings. The Server Type attribute shows INFORMIX (for the SQLEXEC protocol) and IBM INFORMIX (DRDA) (for the DRDA protocol). Note: TERADATA has a silent login and allows clients to auto-reconnect. To block Teradata statements in a policy, use the S-TAP firewall function with default state ON and unwatch safe users. |
DB User | The database user. For more information, see Values and groups of values in rules. |
Error Code | The error code (for an exception). For more information, see Values and groups of values in rules. |
Exception Type | The type of exception (selected from the list). SECURITY_INCIDENT is an exception type generated using the session level policy actions LOG EXCEPTION or THROW EXCEPTION. In general, security incidents are detected either through manually-created policy actions or by one of the predefined security incident templates. For more information, see Security incident policies. Note: A session closed by GUI timeout, in an Exception rule, does not produce a Session Error (Session_Error). |
Field Name | The field name. For more information, see Values and groups of values in rules. If the Every member in group option is selected, all fields of the SQL statement must be a member of the defined group. However, the SQL statement does not need to contain all members of the group. For example, for the group DB_TABLES_PROD with members students, module, marks: |
Min. Ct. | The minimum number of times the condition that is contained in the rule must be matched before the rule is satisfied (subject to the Reset interval). |
Net. Protocol | The network protocol. For more information, see Values and groups of values in rules. |
Object | The object name. For more information, see Values and groups of values in rules. For Sybase and MS SQL Server, two groups, MASKED_SP_EXECUTIONS_SYBASE and MASKED_SP_EXECUTIONS_MS_SQL_SERVER, include names of stored procedures. If an included procedure runs, then everything is masked. If the Every member in group option is selected, all fields of the SQL statement must be a member of the defined group. However, the SQL statement does not need to contain all members of the group. For example, for the group DB_TABLES_PROD with members students, module, marks: |
Object/Command Group | Match a member of the selected Object/Command group. |
Object/Field Group | Match a member of the selected Object/Field group. |
OS User | Operating system user. For more information, see Values and groups of values in rules. |
Pattern | A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click the Regex button to open the Build Regular Expression tool, which allows you to enter and test regular expressions. |
Time Period | To make the rule sensitive to a single time period, select a pre-defined time period from the Period list, or click the Period button to define a new time period. |
Rec. Vals. | When marked, the actual construct causing the rule to be satisfied will be logged, and available in reports, in the SQL String attribute. For a policy violation only, if not marked, no SQL statements will be logged. |
Records Affected Threshold | Access rule only. Set a threshold value for matched records; for example, let 100 instances take place before taking action. This field affects the rule output rather than the rule definition (that is, what happens when the rule is triggered, rather than when it should trigger). You can select how to calculate the records affected threshold. The choices are as follows: If the threshold reaches the specified number, and any other rule criteria are matched, the defined rule actions are triggered. |
Replacement Character | Define a masking character. Should the output produced by the extrusion rule match the regular expression, the portions that match sub-expressions between parentheses '(' and ')' will be replaced by the masking character. |
Reset Interval | Used only if the Min. Ct. field is greater than zero. This value is the number of minutes after which the condition met counter will be reset to zero. |
Response length threshold | For access rules: tracks the size of data packets, in bytes, returned from the server for a successful SQL query. You can set the response length and the response length threshold as follows: |
Revoke | This checkbox appears on extrusion rules only. It allows you to exclude from logging a response that has already been selected for logging by a previous rule in the policy. In most cases you can accomplish the same result more simply by defining a single rule with one or more NOT conditions to exclude the responses you do not want, while logging the remaining ones that satisfy the rule. (The Revoke checkbox pre-dates NOT conditions, and is provided mainly for backward compatibility to support existing policies.) |
Rule Description | The name of the rule. To use a special pattern test in the rule, enter the special pattern test name followed by a space and one or more additional characters to make the rule name unique, for example: guardium://SSEC_NUMBER employee. (See Special Pattern Tests for more information.) When displayed, the name will be prefaced with the rule number and the label Access Rule, Exception Rule, or Extrusion Rule, to identify the rule type. If the rule was generated using the Suggest From DB function, the generated name is in the format Suggested Rule <n>_mm-dd hh:mm, consisting of the following components: n is the sequence number for the generated rule, mm-dd is the month and day the rule was generated, and hh:mm is the time the rule was generated. |
Server IP | Clear the Not box to include, or mark the Not box to exclude. A wildcard is allowed in the IP address: the wildcard % is permitted in a policy for a Server IP group. |
Service Name | The service name. For more information, see Values and groups of values in rules. |
Severity | Select a severity code from the list: INFO, LOW, NONE, MED or HIGH. If HIGH is selected and email alerts are sent by this rule, the email will be flagged Urgent. |
SQL Pattern | A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions. Restriction: SQL Pattern is not supported for redaction rules. |
Src app | Application source program. For more information, see Values and groups of values in rules. |
Trigger Once Per Session | Do not analyze the session for the same rule after the first match. Especially effective for "Selective Audit" policies. |
XML Pattern | A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions. A regular expression to be matched can be used in this box. The regular expression must be entered manually. |
Full_SQL return values using MSSQL | In MSSQL, the sp_cursoropen and sp_cursorfetch stored procedures are used for SELECT database queries. sp_cursoropen holds the original statement, while the FULL_SQL return value in an Extrusion rule will appear as sp_cursorfetch instead of Select * from ___________. |
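Worked example of the masking semantics described in the Data Pattern and Replacement Character rows above: the parenthesized portion of a match is replaced by the masking character and everything else in the returned row is left untouched, and the patterns are written in basic nomenclature (each digit position spelled out as [0-9]) because [0-9]* is not available to Redaction. This is an added illustration, not Guardium or S-TAP code; the sample rows are constructed, and the is_basic_pattern lint together with the set of characters it rejects is an assumption, since the page only states that [0-9]* cannot be used.

```python
import re

# Constructed sample result rows (not real data) such as an extrusion rule would see.
SAMPLE_ROWS = [
    "Alice Example, SSN 123-45-6789, card 4111111111111111",
    "Bob Example, SSN 987-65-4321, no card on file",
]

# Data Patterns in basic regex nomenclature: every digit position is written out
# as [0-9] because quantifiers such as [0-9]* are not available to Redaction.
# The parenthesized section is the part that is masked.
SSN_KEEP_LAST4 = r"[0-9][0-9][0-9]-[0-9][0-9]-([0-9][0-9][0-9][0-9])"
CARD_KEEP_LAST4 = "(" + "[0-9]" * 12 + ")" + "[0-9]" * 4

# Assumption: a conservative lint that rejects quantifier characters. The page
# only says [0-9]* cannot be used, so the exact supported set is unknown here.
UNSUPPORTED_IN_REDACT = ("*", "+", "?", "{")


def is_basic_pattern(data_pattern):
    """True if the pattern avoids the characters assumed unsupported by Redaction."""
    return not any(ch in data_pattern for ch in UNSUPPORTED_IN_REDACT)


def mask_response(text, data_pattern, replacement_char="X"):
    """Replace the characters matched by each parenthesized sub-expression with
    replacement_char; characters outside the parentheses are kept as they are.
    Groups are assumed to be non-nested and ordered left to right."""
    if len(replacement_char) != 1:
        raise ValueError("Replacement Character must be exactly one character")
    if not is_basic_pattern(data_pattern):
        raise ValueError("pattern uses regex features unavailable to Redaction")
    compiled = re.compile(data_pattern)
    if compiled.groups == 0:
        raise ValueError("put parentheses around the section to mask")
    pieces, last = [], 0
    for match in compiled.finditer(text):
        for group in range(1, compiled.groups + 1):
            start, end = match.span(group)
            if start < last:  # group did not participate (-1) or overlaps a masked span
                continue
            pieces.append(text[last:start])
            pieces.append(replacement_char * (end - start))
            last = end
    pieces.append(text[last:])
    return "".join(pieces)


def redact_rows(rows, data_patterns, replacement_char="X"):
    """Apply each Data Pattern in turn to every row, as several extrusion rules would."""
    out = []
    for row in rows:
        for pattern in data_patterns:
            row = mask_response(row, pattern, replacement_char)
        out.append(row)
    return out


if __name__ == "__main__":
    for row in redact_rows(SAMPLE_ROWS, [SSN_KEEP_LAST4, CARD_KEEP_LAST4]):
        print(row)
```

Only the group content is masked, so the rule author controls what survives in the response (here the last four digits); a pattern without parentheses masks nothing, which the function reports rather than silently returning the row unchanged.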
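The rows for Client IP (% wildcard), Command/Field Name/Object (Every member in group), Continue to Next Rule, Min. Ct. with Reset Interval, and Trigger Once Per Session each describe one piece of how a policy is evaluated against a statement. The following added example, which is not Guardium code, puts those pieces together in a small in-order rule evaluator run over constructed traffic. The rule names, the events and the DB_TABLES_PROD members are taken or constructed for illustration; that the Min. Ct. counter is kept per rule rather than per session, and that a Reset Interval of zero means the counter is never reset, are assumptions the page does not settle.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


def ip_matches(pattern, ip):
    """Match a Client IP / Server IP group member that may contain the % wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, ip) is not None


def every_member_in_group(fields, group):
    """'Every member in group': all fields used by the statement must be in the
    group, but the statement does not have to use every member of the group."""
    return len(fields) > 0 and all(f in group for f in fields)


@dataclass
class Rule:
    name: str
    action: str
    client_ip: Optional[str] = None          # group member, % wildcard allowed
    not_client_ip: bool = False              # the Not box next to Client IP
    field_group: FrozenSet[str] = frozenset()
    every_member: bool = False               # Every member in group option
    min_count: int = 0                       # Min. Ct.
    reset_interval_min: int = 0              # Reset Interval, in minutes
    continue_to_next: bool = False           # Continue to Next Rule
    trigger_once_per_session: bool = False


@dataclass
class Event:
    session_id: str
    client_ip: str
    fields: Tuple[str, ...]
    minute: int  # constructed timestamp, in minutes


class PolicyEngine:
    """Evaluates rules in order. Assumption: Min. Ct. counters are kept per rule."""

    def __init__(self, rules):
        self.rules = rules
        self.counters = {}   # rule name -> (count, minute the window started)
        self.fired = set()   # (rule name, session id) for Trigger Once Per Session

    def _criteria_match(self, rule, ev):
        if rule.client_ip is not None:
            hit = ip_matches(rule.client_ip, ev.client_ip)
            if hit == rule.not_client_ip:    # the Not box inverts the test
                return False
        if rule.field_group:
            if rule.every_member:
                return every_member_in_group(ev.fields, rule.field_group)
            return any(f in rule.field_group for f in ev.fields)
        return True

    def _min_count_reached(self, rule, ev):
        if rule.min_count <= 0:
            return True
        count, start = self.counters.get(rule.name, (0, ev.minute))
        # Assumption: a Reset Interval of 0 means the counter is never reset.
        if rule.reset_interval_min > 0 and ev.minute - start >= rule.reset_interval_min:
            count, start = 0, ev.minute
        count += 1
        self.counters[rule.name] = (count, start)
        return count >= rule.min_count

    def evaluate(self, ev):
        """Return the (rule name, action) pairs triggered by one statement."""
        triggered = []
        for rule in self.rules:
            if rule.trigger_once_per_session and (rule.name, ev.session_id) in self.fired:
                continue
            if not self._criteria_match(rule, ev) or not self._min_count_reached(rule, ev):
                continue
            triggered.append((rule.name, rule.action))
            if rule.trigger_once_per_session:
                self.fired.add((rule.name, ev.session_id))
            if not rule.continue_to_next:
                break   # default: no further rules are tested for this statement
        return triggered


def demo():
    """Constructed policy and traffic; returns the rule names triggered per event."""
    prod_tables = frozenset({"students", "module", "marks"})   # DB_TABLES_PROD members
    rules = [
        Rule("prod-tables", "ALERT PER MATCH", field_group=prod_tables,
             every_member=True, continue_to_next=True),
        Rule("external-burst", "LOG ONLY", client_ip="10.0.%", not_client_ip=True,
             min_count=2, reset_interval_min=5),
        Rule("once-per-session", "LOG FULL DETAILS", trigger_once_per_session=True,
             continue_to_next=True),
    ]
    events = [
        Event("s1", "10.0.1.5", ("students", "marks"), 0),
        Event("s1", "10.0.1.5", ("students", "salary"), 1),
        Event("s2", "192.168.7.7", ("orders",), 2),
        Event("s2", "192.168.7.7", ("orders",), 3),
        Event("s3", "192.168.7.7", ("orders",), 9),
    ]
    engine = PolicyEngine(rules)
    return [[name for name, _ in engine.evaluate(ev)] for ev in events]


if __name__ == "__main__":
    for names in demo():
        print(names)
```

The demo traffic exercises each field once: the second statement touches a field outside DB_TABLES_PROD, so Every member in group fails; the external client reaches Min. Ct. only on its second statement inside the Reset Interval and the counter is cleared by the time the fifth statement arrives; and the once-per-session rule fires for a new session but not again for one it has already seen.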