Selective audit trail
Use the selective audit trail option to limit the amount of logging on the Guardium system.
This is appropriate when the traffic of interest is a relatively small percentage of the traffic being accepted by the inspection engines, or when all of the traffic you might ever want to report upon can be completely identified.
Without a selective audit trail policy, the Guardium appliance logs all traffic that is accepted by the inspection engines. Each inspection engine on the appliance or on an S-TAP is configured to monitor a specific database protocol (Oracle, for example) on one or more ports. In addition, the inspection engine can be configured to accept traffic from subsets of client/server connections. This tends to capture more information than a selective audit trail policy, but it may cause the Guardium appliance to process and store much more information than is needed to satisfy your security and regulatory requirements.
- By specifying a string that identifies the traffic of interest in the Audit Pattern box of the Policy Definition panel. This might identify a database or a group of database tables, for example. The audit pattern is applied, by regular expression matching, to each SQL statement that the logger processes to see if it matches. This is strictly a string match against the SQL text. It does NOT match against the session variables (DB name, etc.) the way the policy rules do.
- Or by specifying Audit Only or any of the Log actions (Log Only, Log Full Details, etc.) for one or more policy rules in a Rule Definition panel. With policy rules you can be extremely precise, specifying exact values, groups or patterns to match for every conceivable type of attribute (DB Type, DB Name, User Name, etc.).
If the Guardium security policy has Selective Audit Trail enabled and a rule has been created on a group of objects, the string is checked against each element in the group. If any element matches, the information is logged and processing continues. If the rule has been created with a NOT designation on the object group, each element in the group must still be checked, and the information is logged and processing continues only if none of the elements match. Apart from that, NOT-designated rules behave the same as normal rules when used with Selective Audit Trail.
- OR situations such as rules based on multiple objects or commands;
- Situations with two NOT conditions (for example, NOT part of a group of objects and NOT part of a group of commands); and,
- Situations with one NOT condition and one YES condition (for example, a NOT part of a group of objects and a YES part of a group of commands).
Selective Audit Trail and Application Events API
When a selective audit trail policy is used, and application users or events are being set via the Application Events API, the policy must include an Audit Only rule that fires whenever a set/clear application event, or set/clear application user command is encountered. See Identify Users with API for information about setting the application user via the Application Events API.
Selective Audit Trail and Application User Translation
- The policy will ignore all of the traffic that does not fit the application user translation rule (for example, not from the application server).
- Only the SQL that matches the pattern for that policy will be available for the special application user translation reports.
Selective Audit Trail and specifying an empty group
An empty tuple group attached to a rule will NOT cause a rule action to match.
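As an added illustration, not part of the Guardium documentation or product code, the following Python simulation models the two selective-audit mechanisms described above: an audit pattern that is a plain regex match against the SQL text only, and object-group rules where a normal group fires when any element matches, a NOT group fires only when none match, and an empty group never fires. The Session fields, the object-name extraction regex, the rule and decision functions, and the assumption that an empty group is non-matching even when NOT-designated are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


def audit_pattern_matches(audit_pattern: str, sql: str) -> bool:
    """Audit Pattern semantics: a regular expression applied to the SQL text only.

    Session attributes (DB name, user name, ...) are deliberately not consulted,
    which is why a pattern naming a database will not match SQL that does not
    mention that database by name.
    """
    return re.search(audit_pattern, sql, re.IGNORECASE) is not None


# Hypothetical, deliberately simple extraction of object (table) names from a
# statement; the real product's SQL parser is far more complete.
_OBJECT_RE = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][\w.]*)", re.IGNORECASE
)


def objects_in_sql(sql: str) -> FrozenSet[str]:
    """Return the upper-cased object names referenced by the statement."""
    return frozenset(m.group(1).upper() for m in _OBJECT_RE.finditer(sql))


@dataclass(frozen=True)
class Session:
    """Constructed session attributes: what policy rules (not audit patterns) can test."""
    db_type: str
    db_name: str
    user_name: str


@dataclass(frozen=True)
class ObjectGroupRule:
    """A policy rule whose object condition is a group of object names."""
    name: str
    object_group: FrozenSet[str]
    negated: bool = False              # NOT designation on the object group
    db_name: Optional[str] = None      # optional session-attribute condition
    action: str = "LOG ONLY"           # any Log action or AUDIT ONLY causes logging

    def matches(self, session: Session, sql: str) -> bool:
        if self.db_name is not None and session.db_name != self.db_name:
            return False
        # An empty group never causes the rule action to match; this example
        # assumes that holds for NOT-designated groups as well.
        if not self.object_group:
            return False
        group = {name.upper() for name in self.object_group}
        hits = objects_in_sql(sql) & group
        # Normal group: log if any element matches.
        # NOT group: every element is still checked; log only if none match.
        return (not hits) if self.negated else bool(hits)


def selective_audit_decision(
    session: Session,
    sql: str,
    audit_pattern: Optional[str] = None,
    rules: Sequence[ObjectGroupRule] = (),
) -> Tuple[bool, str]:
    """Decide whether a statement is logged under a selective audit trail policy.

    Traffic is kept when the audit pattern matches or when a Log/Audit Only rule
    fires; everything else is dropped, which is the point of the option.
    """
    if audit_pattern and audit_pattern_matches(audit_pattern, sql):
        return True, "audit pattern matched"
    for rule in rules:
        if rule.matches(session, sql):
            return True, f"rule '{rule.name}' fired ({rule.action})"
    return False, "no match, not logged"


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    session = Session("ORACLE", "FINANCE", "appuser")
    payroll_rule = ObjectGroupRule("payroll tables", frozenset({"hr.payroll"}))
    not_payroll = ObjectGroupRule("all but payroll", frozenset({"hr.payroll"}), negated=True)
    for sql in ("SELECT * FROM hr.payroll", "SELECT 1 FROM dual"):
        print(sql, "->", selective_audit_decision(session, sql, rules=[payroll_rule]))
        print(sql, "->", selective_audit_decision(session, sql, rules=[not_payroll]))
```

Running the script shows the practical difference between the two mechanisms: an audit pattern of FINANCE never matches `SELECT 1 FROM dual` even though the session's DB name is FINANCE, whereas a rule with `db_name="FINANCE"` would, and a NOT-designated group keeps exactly the statements the normal group drops.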