Rule definition fields

DB2® client info: For access rules only. For z/OS® only, a CLIENT INFO field (and CLIENT_INFO_GROUP_ID) will be visible if DB_TYPE is either DB2,  DB2 COLLECTION Profile or VSAM COLLECTION Profile.

The type of information that can be placed in this field is USER=x; WKSTN=y; APPL=z.

• Any client: Leave all client fields blank. The count will be incremented every time any client satisfies the rule. (You cannot leave all fields blank if the Not box is marked.)
• All clients selected by an IP address and mask: Enter a client IP address in the first box and network mask in the second box. The count will be incremented each time that any of the specified clients satisfies the rule. For example, to select all clients in subnet 192.168.9.x, enter 192.168.9.1 in the first box and 255.255.255.0 in the second box. For more information selecting IP addresses, see Selecting IP Addresses Using a Mask.
• A group of clients: Select a group of client IP addresses from the Group drop-down list, or click the Groups button to define a new group and then select that group. The count will be incremented each time that any member of the selected group satisfies the rule.
• All clients selected by an IP address and mask AND a group of clients: Use both the Client IP and Group fields. The count will be incremented each time that any client specified using either method satisfies the rule.

Allow wildcard in IP address. Wildcard % is permitted in a policy for Client IP group.

7-tuple group - Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB

5-tuple group type available for access, exception and extrusion rules.

A tuple allows multiple attributes to be combined together to form a single group member.

Tuple supports the use of one slash and a wildcard character (%). It does not support the use of a double slash.

Wildcard % is permitted in a policy for Client IP/Source Program/DB User/ Server IP/Service Name group.

To make the rule sensitive to a single client MAC address, enter the address in nn:nn:nn:nn:nn:nn format, where each n is a hexadecimal digit (0-F) OR Enter a dot (.) in the Client MAC box to indicate that a separate count should be maintained for each client MAC address OR Leave the Client MAC box empty to ignore client MAC addresses.

The command. See Specify Values and/or Groups of Values in Rules if a commands group cannot be edited, and the and/or Group label changes to Collect Only, indicating that commands from only the selected group are to be selected.

If the Every box is checked, every field in the SQL statement must be a member of the group.

Every type of rule (Access, Exception, Extrusion) can have Data pattern, but it is required for Extrusion rules.

For use in defining Extrusion Rules - A regular expression to be matched, in the Data Pattern box. Click the Regex button to open the Build Regular Expression tool, which allows you to enter and test regular expressions. This enables more complex masking patterns. Put parentheses around the section that should be masked. Use this function to mask data retrieved from the database.

For example,

Windows S-TAP: ([0-9][0-9][0-9][0-9[-, ]?[0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?)[0-9][0-9][0-9][0-9]

Unix S-TAP: ([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?)[0-9]{4}[ ]{0,20}

Additional regular expressions (Regex) for use only in Data Patterns with an action of Redact (Scrub):

For Windows S-TAP
Name:                     Pattern:            Masked to:
SCRUB_SSN_ANSI            AAA-AA-AAAA         ***-***-AAAA
SCRUB_SSN_UNICODE         UUU-UU-UUUU         ***-***-UUUU
SCRUB_CC_SPACES_ANSI      AAAA AAAA AAAA AAAA **** **** **** AAAA
SCRUB_CC_SPACES_UNICODE   UUUU UUUU UUUU UUUU **** **** **** UUUU
SCRUB_CC_SOLID_ANSI       AAAAAAAAAAAAAAAA    ************AAAA
SCRUB_CC_SOLID_UNICODE    UUUUUUUUUUUUUUUU    ************UUUU
SCRUB_CC_AX_SOLID_ANSI    AAAAAAAAAAAAAAA     ***********AAAA
SCRUB_CC_AX_SOLID_UNICODE UUUUUUUUUUUUUUU     ***********UUUU

UNIX S-TAP
Name:                     Pattern:            Masked to:
SCRUB_SSN_ANSI            AAA-AA-AAAA         ***-***-AAAA
SCRUB_SSN_UNICODE         UUU-UU-UUUU         ***-***-UUUU
SCRUB_CC_SPACES_ANSI      AAAA AAAA AAAA AAAA A*** **** **** 1234
SCRUB_CC_SPACES_UNICODE   UUUU UUUU UUUU UUUU U*** **** **** ****
SCRUB_CC_SOLID_ANSI       AAAAAAAAAAAAAAAA    A***************
SCRUB_CC_SOLID_UNICODE    UUUUUUUUUUUUUUUU    U***************
SCRUB_AMEX_SOLID_ANSI     AAAAAAAAAAAAAAAA    A***************
SCRUB_AMEX_SOLID_UNICODE  UUUUUUUUUUUUUUUU    U***************

Regex with Redact - Use of Regular expressions (regex) in the IBM Security Guardium solution (including the masking in the policy) are executed on the appliance, and allow advanced regexp capabilities.

However, the regex library for use with Redaction is executed in the kernel of the database server and is limited to most basic regex. Only basic regex patterns can be used with Redaction.

For example, the regular expression nomenclature [0-9]* cannot be used to indicate any number of digits. It is necessary to use basic regular expression nomenclature [0-9]-[0-9]-[0-9]... to specify a sequence of digits.  

Access rule, data pattern and replacement character - Using a data pattern, for example, [a-z,2]{3}([_][0-9]{1,2}) with a replacement character of * will change the values between the parentheses in the data pattern to ***. Use this function to mask values.

User Defined Character Sets

Available for Oracle, Sybase, MySQL, & MSSQL and for extrusion rules only, users may influence the character set used by defining special extrusion rules. These character set policy rules are only used to set the character set a user would like to convert traffic to, setting an action is irrelevant. In order to have an action for that traffic the user needs to define additional rules after that character set rule. Two examples of setting a character set rule are possible (hint or force) as defined in the following examples:

Example of extrusion rule (with hint)

Will convert the traffic by character set as defined in the extrusion rule of the installed policy ONLY if the regular conversion failed.

Character set EUC-JP (code 274).

Extrusion rule pattern: guardium://char_set?hint=274

Example of extrusion rule (with force)

Will convert the traffic by character set as defined in the extrusion rule of the installed policy for ALL data.

Character set EUC-JP (code 274).

Extrusion rule pattern: guardium://char_set?force=274

See List of possible character set codes at end of this topic.

Supported DB Types

For access rule: Cassandra, CIFS, CouchDB, DB2, DB2 COLLECTION PROFILE* (only for use with z/OS), FTP, GreenPlumDB, Hadoop, HTTP, IBM® INFORMIX (DRDA), IBM iSeries, IMS, IMS COLLECTION PROFILE (only for uses with z/OS, Informix®, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, TERADATA, VSAM or VSAM COLLECTION PROFILE* (only for use with z/OS).

For exception and extrusion rules: Cassandra, CIFS, CounchDB, DB2, FTP, GreenPlumDB, Hadoop, IBM INFORMIX (DRDA), IBM iSeries, Informix, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, or TERADATA. Note: Informix supports two protocols SQLEXEC (native Informix protocol) or DRDA (IBM protocol). These protocols are automatically identified for Informix traffic with no additional settings. The Server Type attribute will show INFORMIX (for SQLEXEC protocol) and IBM INFORMIX (DRDA) (for DRDA protocol).

The type of exception (selected from the list).

The field name. See Specify Values and/or Groups of Values in Rules.

If the Every box is checked, every field in the SQL statement must be a member of the group.

The object name. See Specify Values and/or Groups of Values in Rules.

For Sybase and MS SQL Server, there are two groups, MASKED_SP_EXECUTIONS_SYBASE and MASKED_SP_EXECUTIONS_MS_SQL_SERVER respectively that include names of stored procedures. If there is an execution of an included procedure than everything will be masked.

If the Every box is checked, every field in the SQL statement must be a member of the group.

Access rule only. Set a threshold value for matched records. Example: Let 1000 instances take place before taking action.

This field affects the output of the rule rather than the definition of the rule (example, what happens when it is triggered, rather than when should it trigger).

Records affected threshold is based on rule and session. It is accumulated returned rows from all queries that meet the rule condition. Once all accumulated records affected reach the threshold, the rule will trigger and the records affected on the statement (if the action log full details) will be the accumulated value of the records affected.

Define a masking character.

Should the output produced by the extrusion rule match the regular expression, the portions that match sub-expressions between parenthesis '(' and ')' will be replaced by the Masking character.

The name of the rule. To use a special pattern test in the rule, enter the special pattern test name followed by a space and one or more additional characters to make the rule name unique, for example: guardium://SSEC_NUMBER employee. (See Special Pattern Tests for more information.)

When displayed, the name will be prefaced with the rule number and the label Access Rule, Exception Rule, or Extrusion Rule, to identify the rule type. If the rule was generated using the Suggest From DB function, the generated name is in the format: Suggested Rule <n>_mm-dd hh:mm, consisting of the following components

n is sequence number for the generated rule

mm-dd is the month and day the rule was generated

hh:mm is the time the rule was generated

Clear the Not box to include, or mark the Not box to exclude:

• Any server: Leave all server fields blank. The count will be incremented every time any server satisfies the rule. (You cannot leave all fields blank if the Not box is marked.)
• All servers selected by an IP address and mask: Enter a server IP address in the first box, and network mask in the second box. The count will be incremented each time that any of the specified servers satisfies the rule. For example, to select all servers in subnet 192.168.3.x, enter 192.168.3.1 in the first box, and 255.255.255.0 in the second box.
• A group of servers: Select a group of server IP addresses from the Group drop-down list or click the Groups button to define a new group and then select that group. The count will be incremented each time that any member of the specified group satisfies the rule.
• All servers selected by an IP address and mask AND a group of servers: Use both the Server IP and Group fields. The count will be incremented each time that any server specified using either method satisfies the rule.

Allow wildcard in IP address. Wildcard % is permitted in a policy for Server IP group.

Do not analyze session for same rule after first match. Especially effective for “Selective Audit” policies.

A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions.

A regular expression to be matched can be used in this box. The regular expression must be entered manually.

In MSSQL, sp_cursoropen and sp_cursorfetch stored procedures are used for SELECT database queries.

Sp_cursoropen holds the original statement, while the FULL_SQL return value in an Extrusion rule will appear as sp_cursorfetech instead of Select * from ___________.