Selective audit trail
When you create or edit a policy, click Selective audit trail to limit the amount of logging on the Guardium system. A selective audit trail is appropriate when:
- The traffic of interest is a relatively small percentage of the traffic that the inspection engines accept.
- All of the traffic you might ever want to report on can be completely identified.
For any Guardium collector, if Selective audit trail is specified for one policy, then all policies for that collector use a selective audit trail. In this case, multiple policies are treated as a single policy, where rules are applied in the order that the policies are installed.
Without a selective audit trail policy, the Guardium appliance logs all traffic that the inspection engines accept. Each inspection engine on the appliance or on an S-TAP is configured to monitor a specific database protocol (Oracle, for example) on one or more ports. In addition, the inspection engine can be configured to accept traffic from subsets of client/server connections, which tends to capture more information than a selective audit trail policy. However, it might cause the Guardium appliance to process and store more information than is needed to satisfy your security and regulatory requirements.
To identify the traffic of interest, use either or both of the following:
- Specify a string to identify the traffic of interest in the Audit Pattern box of the Policy Definition window; for example, you might identify a database or a group of database tables. An audit pattern is applied (by regular expression matching) to each SQL statement that the logger processes to see whether it matches. This pattern match is strictly a string match against the SQL text; unlike the policy rules, it does not match against session variables (such as DB name).
- Specify Audit Only or any of the Log actions (except Log Full Details Per Session) for one or more policy rules in a Rule Definition window. With policy rules you can be precise, specifying exact values, groups, or patterns to match for every conceivable type of attribute (such as DB Type, DB Name, or User Name). Note: The Log Full Details Per Session action is not supported for policies that use a selective audit trail. Because the data is audited selectively, full details are not available.
- If you create a rule on a group of objects, the string of each element in the group is checked against the SQL. If a match is found, the information is logged and processing continues.
- If you create a rule on a group of objects that uses a NOT designation on the object group, Guardium still checks the string of each element in the group, and logs and continues only if none of the elements match. In this respect, NOT-designated rules behave the same as normal rules when used with a selective audit trail.
- OR situations such as rules based on multiple objects or commands.
- Situations with two NOT conditions (for example, NOT part of a group of objects and NOT part of a group of commands).
- Situations with one NOT condition and one YES condition (for example, a NOT part of a group of objects and a YES part of a group of commands).
Note: SQL statements that carry optimizer hints, such as SELECT /*+ ORDERED USE_MERGE(m) */, SELECT /*+ ORDERED */, or SELECT /*+ all_rows */, are allowed to pass through the parser and are logged regardless of any rule definition that would skip them (at least in selective audit mode). A selective audit policy should not prevent logging of SQL that might be needed for other functions, such as application user translation.
Selective Audit Trail and Application Events API
When a selective audit trail policy is used, and application users or events are being set via the Application Events API, the policy must include an Audit Only rule that fires whenever a set/clear application event, or set/clear application user command is encountered. For more information about setting the application user via the Application Events API, see Identify Users with API.
Selective Audit Trail and Application User Translation
When a selective audit trail policy is in effect:
- The policy ignores all of the traffic that does not fit the application user translation rule (for example, traffic that does not come from the application server).
- Only the SQL that matches the pattern for that policy is available for the special application user translation reports.
Selective Audit Trail and specifying an empty group
An empty tuple group attached to a rule does not cause a rule action to match.
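The matching behaviour described on this page (the audit pattern as a plain text match on the SQL, rules applied in installation order against session attributes, object groups checked element by element with NOT logging only when no element matches, hinted SQL always logged, and an empty group never matching) as a small Python model. This is an added example, not Guardium code; the Rule fields, session attributes, and sample policy and traffic are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

HINT_RE = re.compile(r"/\*\+.*?\*/", re.S)   # Oracle-style optimizer hint block
@dataclass
class Rule:
    attrs: dict = field(default_factory=dict)  # session attributes to match (DB Name, User ...)
    objects: "frozenset | None" = None         # None: no object group attached to the rule
    negate: bool = False                       # True: the object group carries a NOT designation

def objects_match(sql: str, rule: Rule) -> bool:
    # The string of each group element is checked against the SQL text.
    if rule.objects is None:
        return True                            # no object group: attributes alone decide
    if not rule.objects:
        return False                           # an empty group never causes the action to match
    hits = [o for o in rule.objects if o.lower() in sql.lower()]
    return not hits if rule.negate else bool(hits)   # NOT: log only if none of the elements match

def rule_matches(sql: str, session: dict, rule: Rule) -> bool:
    return all(session.get(k) == v for k, v in rule.attrs.items()) and objects_match(sql, rule)

def should_log(sql: str, session: dict, audit_pattern: str, rules: list) -> str:
    # Returns the reason the statement is kept, or "dropped" if the selective trail skips it.
    if HINT_RE.search(sql):
        return "hint"                          # hinted SQL passes the parser regardless of the rules
    if audit_pattern and re.search(audit_pattern, sql, re.I):
        return "audit pattern"                 # string match on the SQL only, not on session attributes
    for i, rule in enumerate(rules, 1):        # rules are applied in installation order
        if rule_matches(sql, session, rule):
            return "rule %d" % i
    return "dropped"
# Constructed policy and traffic for the demo (hypothetical names, not from a real system).
RULES = [
    Rule({"db_name": "HR"}, frozenset({"SALARIES"})),
    Rule({"user": "appsrv"}, frozenset({"AUDIT_LOG"}), negate=True),
    Rule({"user": "batch"}, frozenset()),      # empty object group: never fires
]
APP, BATCH = {"db_name": "HR", "user": "appsrv"}, {"db_name": "HR", "user": "batch"}
TRAFFIC = [
    ("SELECT * FROM credit_cards", BATCH),
    ("SELECT /*+ ORDERED */ * FROM t", BATCH),
    ("UPDATE salaries SET pay = 1", BATCH),
    ("INSERT INTO audit_log VALUES (1)", APP),
    ("SELECT 1 FROM dual", APP),
    ("SELECT 1 FROM dual", BATCH),
]
def demo(pattern: str = r"\bCREDIT_CARDS\b") -> list:
    return [should_log(sql, s, pattern, RULES) for sql, s in TRAFFIC]
```

Running demo() shows the fourth statement dropped because the NOT group element AUDIT_LOG matches, and the last one dropped because the empty group in rule 3 never fires.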