Administrative users and applications

The Security incidents: administrative users and applications template provides a number of rules that track and report on possible security incidents that might be encountered at run time. You can choose which rules you need for your security scenario.

Some rule definitions are tagged as either PCI or GDPR. These tags indicate that the rule can help meet compliance with either payment card information (PCI) or General Data Protection Regulation (GDPR) rules.

By default, each rule includes the MARK SESSION action, which sets the trust for this session to LOW and generates an exception in the Security Incidents report.
Note: The security incident policies analyze authentication methods, but do not log or analyze passwords.
The Security incidents: administrative users and applications template contains the following rules:
Admin user using plain text password
This rule identifies when plain-text passwords are used in the authentication process for admin users. Any connection that uses a driver, or connects to a database, that allows the password to be sent in clear text over the network generates a security incident.
This rule generates exception messages in the Security Incident report for each unique DB_USER and SERVER_IP.
Prerequisite: Admin users group.
Administrative program using plain text password
This rule identifies when plain-text passwords are used in the authentication process for applications and programs. Any program or application that allows sending a password in clear text over the network generates a security incident.
This rule generates exception messages in the Security Incident report for each unique CLIENT_IP and SOURCE_PROGRAM.
Prerequisite: Admin programs group.
Unencrypted administrative session
This rule checks whether the session is unencrypted and the user is a member of the administrative group. It generates a security incident for each unencrypted administrative session.
This rule generates exception messages in the Security Incident report for each unique CLIENT_IP, DB_USER, and SOURCE_PROGRAM.
Prerequisite: Admin users group.
Unencrypted administrative program
This rule checks whether the session is unencrypted and the program is a member of the administrative group. It generates a security incident only for the unencrypted administrative program, rather than for the entire session.
This rule generates exception messages in the Security Incident report for each unique CLIENT_IP and SOURCE_PROGRAM.
Prerequisite: Admin programs group.
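The following is an added example, not code from Guardium or from this template, showing how the two unencrypted-session rules above can be evaluated over session records and why their exception keys differ: the session rule reports one exception per unique CLIENT_IP, DB_USER and SOURCE_PROGRAM, while the program rule reports one per unique CLIENT_IP and SOURCE_PROGRAM regardless of which user connected. The record fields, the group memberships and the sample sessions are constructed assumptions.

```python
"""Added example (not Guardium's own code): evaluate the 'Unencrypted
administrative session' and 'Unencrypted administrative program' rules
over constructed session records and emit one exception per unique key.
Field names, group contents and sample data are assumptions."""
from dataclasses import dataclass

# Assumed contents of the two prerequisite groups.
ADMIN_USERS = {"sa", "dbadmin"}
ADMIN_PROGRAMS = {"sqlplus", "ssms.exe"}


@dataclass(frozen=True)
class Session:
    client_ip: str
    db_user: str
    source_program: str
    encrypted: bool


def unencrypted_admin_sessions(sessions):
    """Session is not encrypted and DB_USER is in the admin users group.
    One exception per unique (CLIENT_IP, DB_USER, SOURCE_PROGRAM)."""
    seen = set()
    for s in sessions:
        if s.encrypted or s.db_user not in ADMIN_USERS:
            continue
        seen.add((s.client_ip, s.db_user, s.source_program))
    return sorted(seen)


def unencrypted_admin_programs(sessions):
    """Session is not encrypted and SOURCE_PROGRAM is in the admin programs
    group. One exception per unique (CLIENT_IP, SOURCE_PROGRAM); the
    connecting DB_USER does not matter for this rule."""
    seen = set()
    for s in sessions:
        if s.encrypted or s.source_program not in ADMIN_PROGRAMS:
            continue
        seen.add((s.client_ip, s.source_program))
    return sorted(seen)


def mark_session(exceptions, rule):
    """MARK SESSION action: trust for the session set to LOW plus an entry
    for the Security Incidents report (the report format is assumed)."""
    return [{"rule": rule, "key": key, "trust": "LOW"} for key in exceptions]


# Constructed sample sessions.
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "sa", "sqlplus", encrypted=False),
    Session("10.0.0.5", "sa", "sqlplus", encrypted=False),       # repeat of the same key -> one exception
    Session("10.0.0.5", "sa", "sqlplus", encrypted=True),        # encrypted -> no incident
    Session("10.0.0.7", "reporting", "sqlplus", encrypted=False),  # admin program, non-admin user
    Session("10.0.0.9", "dbadmin", "custom_app", encrypted=False),  # admin user, non-admin program
]

if __name__ == "__main__":
    for entry in mark_session(unencrypted_admin_sessions(SAMPLE_SESSIONS),
                              "Unencrypted administrative session"):
        print(entry)
    for entry in mark_session(unencrypted_admin_programs(SAMPLE_SESSIONS),
                              "Unencrypted administrative program"):
        print(entry)
```

With the sample data, the session rule fires for the sa/sqlplus pair from 10.0.0.5 (once, despite two matching sessions) and for dbadmin/custom_app from 10.0.0.9, while the program rule fires for sqlplus from both 10.0.0.5 and 10.0.0.7, including the connection by the non-admin user.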
Suspicious administrative activity
This rule finds and reports on users with administrative privileges who connect to a database, but either do not have administrative privileges or are not members of the administrative group. These activities can indicate an intrusion into the database.
This rule generates a security incident when a user might have inappropriate admin privileges.
This rule generates exception messages in the Security Incident report for each unique DB_USER, SOURCE_PROGRAM, and SERVER_IP.
Prerequisite: Admin users group.
Suspicious administrative program activity
This rule generates a security incident when it finds connections to a database by a program that has administrative privileges, but either the program does not have administrative privileges or it was not accounted for in the administrative group. These activities can indicate an intrusion into the database.
Prerequisite: Admin programs group.
Repeated failed login per server IP and admin user (5 in 3 minutes)
Repeated failed logins by an admin user (specified as five failed logins within 3 minutes) generate a security incident.
Note: This rule is similar to the User Activity Monitoring policy Failed Login - Alert if repeated rule. However, the rule triggers only when a user unsuccessfully attempts to log on to the same server five times within 3 minutes (rather than logging in to multiple servers within 5 minutes).
This rule generates exception messages in the Security Incident report for each unique DB_USER and SERVER_IP.
Prerequisite: Admin users group.
Password sent using vulnerable encryption method for admin user
Guardium® generates a security incident when passwords are sent using insufficiently secure methods, for example when a database driver uses outdated encryption methods, or when a database sends passwords over the network using outdated or vulnerable encryption methods.
This rule generates exception messages in the Security Incident report for each unique DB_USER, CLIENT_IP, and SOURCE_PROGRAM.
Prerequisite: Admin users group.
Repeated login failures from same Program and different Admin DB users per period of time (5 in 3 minutes)
Repeated failed logins by an admin user (specified as five failed logins within 3 minutes) generate a security incident.
Note: This rule is similar to the User Activity Monitoring policy Failed Login - Alert if repeated rule. However, the rule triggers only when a user unsuccessfully logs on to the same server five times within 3 minutes (rather than logging in to multiple servers within 5 minutes).
This rule generates exception messages in the Security Incident report for each unique DB_USER and SERVER_IP.
Prerequisite: Admin users group.
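The following is an added example, not code from Guardium or from this template, showing the sliding-window logic behind the two "5 in 3 minutes" rules above, run over constructed failed-login events. The first detector keys on DB_USER and SERVER_IP, as the rule text states. The second keys on SOURCE_PROGRAM and SERVER_IP and counts distinct admin users, which is this example's reading of the rule name "from same Program and different Admin DB users" and is an assumption, not a statement of how the product evaluates it. Field names, timestamps and the admin users group are constructed.

```python
"""Added example (not Guardium's own code): sliding-window detection of
repeated admin login failures. Event fields, sample data and the admin
users group are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

ADMIN_USERS = {"sa", "dbadmin", "sysdba", "root", "postgres"}  # assumed group
THRESHOLD = 5
WINDOW = timedelta(minutes=3)


@dataclass(frozen=True)
class FailedLogin:
    ts: datetime
    db_user: str
    server_ip: str
    source_program: str


def repeated_failures(events, key_fn, distinct_fn=None):
    """Keep, per key, the failures that fall inside the last WINDOW. Fire once
    per key when the window holds THRESHOLD events, or THRESHOLD distinct
    values of distinct_fn when one is given. Non-admin users are ignored,
    matching the 'Admin users group' prerequisite."""
    windows = defaultdict(deque)
    fired = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.db_user not in ADMIN_USERS:
            continue
        key = key_fn(ev)
        q = windows[key]
        q.append(ev)
        while ev.ts - q[0].ts > WINDOW:   # drop failures older than the window
            q.popleft()
        count = len({distinct_fn(e) for e in q}) if distinct_fn else len(q)
        if count >= THRESHOLD:
            fired.add(key)
    return sorted(fired)


def failed_login_per_server_and_admin(events):
    """Rule text: five failed logins by one admin user against one server in
    3 minutes; one exception per unique (DB_USER, SERVER_IP)."""
    return repeated_failures(events, key_fn=lambda e: (e.db_user, e.server_ip))


def failed_login_same_program_different_admins(events):
    """Assumed reading of the rule name: five distinct admin users failing from
    the same SOURCE_PROGRAM against the same SERVER_IP within 3 minutes."""
    return repeated_failures(events,
                             key_fn=lambda e: (e.source_program, e.server_ip),
                             distinct_fn=lambda e: e.db_user)


# Constructed sample events, all relative to one base time.
_T0 = datetime(2024, 1, 1, 12, 0, 0)


def _ev(seconds, user, ip, prog):
    return FailedLogin(_T0 + timedelta(seconds=seconds), user, ip, prog)


SAMPLE_EVENTS = (
    # sa: five failures in two minutes against 10.0.0.5 -> fires rule 1
    [_ev(s, "sa", "10.0.0.5", "sqlplus") for s in (0, 30, 60, 90, 120)]
    # dbadmin: five failures spread over four minutes -> never five in any 3-minute window
    + [_ev(s, "dbadmin", "10.0.0.5", "ssms.exe") for s in (0, 60, 120, 180, 240)]
    # five different admins, one failure each, from sqlplus against 10.0.0.8 -> fires rule 2 only
    + [_ev(10 * i, u, "10.0.0.8", "sqlplus")
       for i, u in enumerate(["sa", "dbadmin", "sysdba", "root", "postgres"], start=1)]
    # non-admin user: ignored by both rules however often it fails
    + [_ev(s, "reporting", "10.0.0.5", "sqlplus") for s in range(0, 60, 10)]
)

if __name__ == "__main__":
    print("per user/server:", failed_login_per_server_and_admin(SAMPLE_EVENTS))
    print("per program/server, distinct admins:",
          failed_login_same_program_different_admins(SAMPLE_EVENTS))
```

The dbadmin series shows the point of the window: five failures that are not within a 3-minute span never trigger the rule, which is what distinguishes it from a plain failure counter. The five single failures by different admins from one program show why the two rules need different keys, since no individual (DB_USER, SERVER_IP) pair reaches the threshold there.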
Admin users re-using passwords
Reusing passwords across multiple sites poses serious security risks. If an attacker can steal credentials and gain access to one account, they can also log in to any other account that uses the same password.
This rule generates exception messages in the Security Incident report when two or more DB_USERs use identical passwords.
Prerequisite: Admin users group.
Failed login for admin user re-using passwords
This rule generates exception messages in the Security Incident report when two identical or similar passwords are found for different DB_USER login failures on the same server.
Prerequisite: Admin users group.