Using rules for file activity policies
A file activity monitoring policy specifies how Guardium handles different file activity events. Each policy consists of a set of ordered rules. Each rule in a policy defines a conditional action that is taken when the rule matches. The conditional test can be simple, for example a user accesses a specific location, or a complex test that considers multiple conditions. The action ranges from nothing to blocking the event. Multiple grouping and alerting actions can be combined and ordered to create sophisticated responses to matched rules.
- Log a policy violation if John writes into the CONFIDENTIAL folder
- Block a group of users from deleting the file SALARIES.XLS
- Send an e-mail to Krishna if JENNY reads from any files that begin with the name sample*
- Audit all accesses to any file that has been classified as containing sensitive data related to PCI
- Groups
- Guardium uses the concept of groups for policy and report creation.
- Rule Guidelines
-
- A overly broad rule (a rule that monitors too many files) can overload the system and increase processing and response time.
- A FAM rule can have more than one pattern in it. To protect both a directory and its contents, define a rule with two patterns /FAMtest/* and /FAMtest.
- A group comprised of file paths: each path must be unique irrespective of case. For example, these two paths can co-exist in a group: C:\ABC and C:\abcdef. However, these two paths cannot co-exist in a group C:\ABC and C:\abc. The Group builder is not case sensitive. It is not required to input members with all upper case characters or all lower case characters. However, in UNIX, which is case sensitive, the path /IBM/Guardium is different from the path /ibm/guardium. If the user wants to monitor both of these paths, the current Group builder has a limitation and will not see them as two paths.
- The ordering of rules in the security policy is very important. The rules are sent to the S-TAP
as a set and are processed strictly in order. Any given user activity is checked against each rule
in the policy in order. The first rule that meets the criteria of this file access is applied and
subsequent rules are ignored. In most cases, put the most specific rule first and the most general
rule last. For example, you have two rules:
- Rule A: audit only all access to /data/*
- Rule B: block, log violation and audit user 'joe' from accessing /data/salaries
If you put Rule A first, and Joe tries to read /data/salaries, there is no need to go to the next rule, and Joe will be audited. If you put Rule B first, Joe is blocked from accessing /data/salaries and there is no need to go to the next rule.
- Rule attributes
- Rule name
- A unique name.
- Datasource
- The datasource can be:
- Datasource selected from drop-down list
- Group selected from drop-down list
- Group created from selected groups in the Create New Rule window
- Manually entered path
- Rule Action
- The rule action is the action taken when the criteria are met. Actions are defined for:
- One action for any file access that matches the rule criteria
- Multi-action rule comprised of multiple actions, each one is per a specified command category or a specified group. Note that Continue to next rule is not supported when using Multi-action rules.
The rule actions are:- Alert and audit: Send an alert directly generated from the sniffer with specific behavior, and log the event.
- Audit only: Log the event in GDM tables
- Block, log violation, and audit: Block access to the object, log a policy violation, and log the event. A blocking action requires an alert configuration as well.
- Ignore: No action taken.
- Log as violation and audit: Log this as a policy violation and log the event.
Notification types- Email messages: You can specify a Guardium user email, or an external email. Emails are sent using the SMTP server configured for the Guardium system.
- SNMP traps: alerts the trap community configured for the Guardium system.
- Syslog messages: generates messages that are written to the syslog.
- Custom notifications: user-created notification handlers implemented as Java classes.
- Rule criteria
- For any given file access, rule criteria are used to evaluate whether a particular action should be taken. For any datasource or group of datasources (file servers), the rule criteria that you can specify include:
- GuardAPI examples: create policy with two rules
-
grdapi create_policy ruleSetDesc=policy1 isFam=true grdapi create_fam_rule policyName=policy1 ruleName=rule1 serverHost="x.x.x.x" filePath="/famtest/*" command="DELETE" actionName="Alert and Audit" notificationType="SYSLOG" grdapi create_fam_rule policyName=policy1 ruleName=rule2 serverHost="x.x.x.x" filePath="/famtest/*" command="READ" actionName="Alert and Audit" notificationType="MAIL"
- GuardAPI examples: create policy with multi-Action Rule
- Multi-Action Rule for FAM - Multi-action rules are comprised of multiple actions, each one is
per a specified command category or a specified group. The commands in a FAM context are: Read,
Write, Delete, Execute and File Operation. If the system does not support Multi-Action Rules, it
ignores the rule and continues to the next rule.
grdapi create_policy ruleSetDesc=policy1 isFam=true grdapi create_fam_rule policyName=policy1 ruleName=rule1 serverHost="x.x.x.x" filePath="/famtest/*" add_action_to_fam_rule policyName=policy1 ruleName=rule1 command="DELETE, READ" actionName="Alert and Audit" notificationType="SYSLOG" add_action_to_fam_rule policyName=policy1 ruleName=rule1 command="WRITE" actionName="Alert and Audit" notificationType="MAIL"