Server and S-TAP IP addresses example
For some Guardium® implementations, one collector serves multiple S-TAPs. In some cases, customers want a separate set of session-level policies for each S-TAP. Normally they can use the SERVER_IP and SERVER_NET_MASK rule conditions. However, the server IP address can differ from the S-TAP IP address. In these cases, use the sender IP address (the S-TAP IP address) in a session-level policy to associate policies with a specific S-TAP.
You can manage this issue with either a group of IP addresses or by using a SENDER_NET_MASK. The two examples show both methods.
In the first example, the rule condition checks SENDER_IP, which is the S-TAP IP address on the database server, and checks that the database user is SCOTT.
If the conditions are met, the rule action is triggered. In this example, the action transforms the APP_USER_NAME in the GDM_CONSTRUCT_INSTANCE table to match the SERVER_HOSTNAME: in the OUTPUT_FORMAT field, the action inserts the value SERVER_HOSTNAME into the APP_USER_NAME field.
You can use a SENDER_IP condition if you have multiple S-TAPs that are installed on the database server. Use the SENDER_IP (which is the S-TAP IP address) to create a rule for one or more specified S-TAPs.
Specify S-TAP IP addresses in a GROUP of IP addresses. For example, to specify a single IP address in a group:
SENDER_IP = ('20.20.20.20',1)
where 1 is the number of members in the group.
For the second example, the NET_MASK condition is triggered on the subnet that contains the group members, rather than on a specific IP address (as described for the first example). In this example, the .20 IP address relates to the SENDER_IP condition, and the .0 subnet address relates to the NET_MASK condition.
Example 1: Use a group of IP addresses.
- Session level criteria:
  - Database User = fred@example.com
  - Server IP address In Group, where:
    - Group type = Sender IP
    - Members = A list of IP addresses.
- Rule actions:
  - TRANSFORM SOURCE PROGRAM NAME
    - Source = SOURCE PROGRAM NAME
    - Search prefix = Microsoft
    - Output format = GEORGE ODBC
  - TRANSFORM SOURCE PROGRAM NAME
    - Source = SOURCE PROGRAM NAME
    - Output format = GEORGE ODBC
Example 2: Use a subnet mask.
- Session level criteria:
  - Server IP address In Group, where:
    - Group type = Sender IP
    - Members = A list of IP addresses.
  - Subnet mask = 255.255.255.0
- Rule action: TRANSFORM APP USER NAME
  - Source = SERVER HOST NAME
  - Output format = (.*)
SR language examples
SR_POLICIES
{
    IF (SENDER_IP = ('20.20.20.1',1) DB_USER = 'fred@example.com')
    {
        TRANSFORM_SOURCE_PROGRAM SEARCH_PREFIX = 'Microsoft' OUTPUT_FORMAT = 'GEORGE ODBC'
        TRANSFORM_SOURCE_PROGRAM OUTPUT_FORMAT = 'GEORGE ODBC'
    }
    GROUP_ID = 1 TYPE = IP_ADDRESS SIZE = 8 #SENDER_IP GROUP
    {
        '20.20.20.2' '20.20.20.3' '20.20.20.4' '20.20.20.5' '20.20.20.6' '20.20.20.7' '20.20.20.8' '20.20.20.9'
    }
}
SR_POLICIES
{
    IF (SENDER_IP = ('20.20.20.20',1) DB_USER = 'SCOTT' SENDER_NET_MASK = '255.255.255.0')
    {
        TRANSFORM_APP_USER SOURCE = SERVER_HOST_NAME OUTPUT_FORMAT = '(.*)'
    }
    GROUP_ID = 1 TYPE = IP_ADDRESS SIZE = 2 #SENDER_IP GROUP
    {
        '20.20.20.1' '20.20.20.0'
    }
}
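The two rule styles above, as an added simulation in Python that is not Guardium code and not the collector's policy engine: it shows how an exact SENDER_IP group match (example 1) differs from a SENDER_NET_MASK match that widens each group member to its subnet (example 2), and what each TRANSFORM action changes on the session record. The Session class, the function names and the sample sessions are assumptions made for this illustration; the group members, mask, database users and output formats are copied from the SR examples.

```python
# Added illustration (not Guardium code): a small model of the two
# session-level rule styles from the SR examples on this page.
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    """Hypothetical session record; field names mirror the rule attributes."""
    sender_ip: str           # SENDER_IP: the S-TAP address on the database server
    db_user: str             # DB_USER
    server_hostname: str     # SERVER_HOST_NAME
    source_program: str      # SOURCE PROGRAM NAME
    app_user_name: str = ""  # APP USER NAME (empty until a rule fills it)


# Group contents taken from the SR examples (the GROUP_ID = 1 blocks).
EXAMPLE1_SENDER_IP_GROUP = [f"20.20.20.{i}" for i in range(2, 10)]  # .2 to .9
EXAMPLE2_SENDER_IP_GROUP = ["20.20.20.1", "20.20.20.0"]
EXAMPLE2_NET_MASK = "255.255.255.0"


def sender_ip_in_group(sender_ip, group):
    """Example 1 style: exact match of the S-TAP address against the group."""
    return sender_ip in group


def sender_in_masked_group(sender_ip, group, net_mask):
    """Example 2 style: SENDER_NET_MASK turns each group member into the
    subnet it belongs to, so any S-TAP address inside that subnet matches."""
    addr = ipaddress.ip_address(sender_ip)
    return any(
        addr in ipaddress.ip_network(f"{member}/{net_mask}", strict=False)
        for member in group
    )


def transform_source_program(s, output_format, search_prefix=None):
    """TRANSFORM SOURCE PROGRAM NAME. With a search prefix, only program
    names that start with the prefix are rewritten; without one, every
    program name is replaced by the output format."""
    if search_prefix is None or s.source_program.startswith(search_prefix):
        s.source_program = output_format
    return s


def transform_app_user_from_hostname(s):
    """TRANSFORM APP USER NAME with Source = SERVER HOST NAME and
    Output format = (.*): the whole host name becomes the app user name."""
    s.app_user_name = s.server_hostname
    return s


def apply_example1(s):
    """Rule 1: SENDER_IP in group AND DB_USER = fred@example.com."""
    if sender_ip_in_group(s.sender_ip, EXAMPLE1_SENDER_IP_GROUP) and s.db_user == "fred@example.com":
        transform_source_program(s, "GEORGE ODBC", search_prefix="Microsoft")
        transform_source_program(s, "GEORGE ODBC")
    return s


def apply_example2(s):
    """Rule 2: SENDER_IP in the masked group AND DB_USER = SCOTT."""
    if sender_in_masked_group(s.sender_ip, EXAMPLE2_SENDER_IP_GROUP, EXAMPLE2_NET_MASK) and s.db_user == "SCOTT":
        transform_app_user_from_hostname(s)
    return s


if __name__ == "__main__":
    # Constructed sessions: one S-TAP listed in the group, one only in the subnet.
    print(apply_example1(Session("20.20.20.5", "fred@example.com", "db01", "Microsoft SQL Server Management Studio")))
    print(apply_example2(Session("20.20.20.20", "SCOTT", "dbhost01.example", "sqlplus")))
```

The second function is the one to keep in mind when auditing a policy: with a subnet mask in play, an S-TAP whose address is not listed in the group still matches as long as it sits in the same /24 as a listed member, so a group written for one server can quietly cover every S-TAP on that network segment.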