Example: Using groups to create rules and policies

Use groups to quickly specify rule conditions in a policy.

About this task

Each policy is composed of one or more rules. Specify which conditions will enact a rule, and then choose one or more actions to take when that rule is triggered. This example shows you how to use groups to identify unauthorized users, log details of their access on a group of sensitive objects, and send an alert indicating that the access occurred.

Procedure

  1. Log in to your Guardium system, and open the Policy Builder by clicking Setup > Tools and Views > Policy Builder for Data.
  2. Create a new policy by clicking the create new policy icon to open the Policy Definition window.
  3. Define the policy definition, then click Apply to save the policy.
  4. Click Edit Rules to open the Policy Rules window and begin adding rules to the policy.
  5. Click Add Rules > Add Access Rule to add a new rule to the policy.
  6. Begin by providing a Description for the rule. Optionally provide Category and Classification labels.
  7. Specify where to look for data. From the Server IP row, select the (Public) PCI Authorized Server IPs group. The rule will apply to all activity from all PCI servers.
    Note: You can view the members of any group or modify any group by going to the Group Builder.
  8. Specify unauthorized users. From the DB User row, mark the Not check box and select the (Public) Authorized Users group. The rule will apply to all users who are not in the (Public) Authorized Users group.
  9. Specify sensitive objects. From the Object row, select the (Public) PCI Cardholder Sensitive Objects group. The rule will now apply to all unauthorized users on PCI servers looking to access PCI sensitive objects.
  10. Add an action to the rule by clicking Add Action and selecting Action > LOG FULL DETAILS from the menu. Click Apply to save the rule. This action logs details of the access, including an exact timestamp of the access.
  11. Add another action to the rule by clicking Add Action and selecting Action > ALERT ONCE PER SESSION from the menu. Specify an alert destination, then click Apply to save the rule. This action sends or logs an alert indicating that the rule was triggered.
  12. Click Save to save the rule.
  13. Install the policy.
    1. Find the policy that you created. Click Back twice, or click Policy Builder to get to the Policy Finder and browse the list of policies.
    2. With the policy selected, choose Install & Override from the installation action menu.
    3. Click OK to confirm the policy installation, and then check Latest Logs and Violations to verify the policy was installed.

      The policy is now installed and active. Any person not in the (Public) Authorized Users group who attempts to access an object in the (Public) PCI Cardholder Sensitive Objects group will have the access logged in full and will trigger an alert indicating that the access occurred.
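To make the rule's logic concrete, here is a small added model (Python, not Guardium's own code) of how the rule built above evaluates access events: the three groups, the negated DB User condition, and the difference between LOG FULL DETAILS and ALERT ONCE PER SESSION. The group members, IP addresses, user names and events are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the three Guardium groups named in the rule.
PCI_AUTHORIZED_SERVER_IPS = {"10.0.5.10", "10.0.5.11"}
AUTHORIZED_USERS = {"app_svc", "dba_alice"}
PCI_CARDHOLDER_SENSITIVE_OBJECTS = {"CARD_ACCOUNTS", "CARDHOLDER_PII"}

@dataclass
class AccessEvent:
    session_id: str
    server_ip: str
    db_user: str
    obj: str
    timestamp: str

@dataclass
class RuleState:
    # Sessions that have already raised the once-per-session alert.
    alerted_sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

def rule_matches(ev: AccessEvent) -> bool:
    # Server IP in group AND DB User NOT in group AND Object in group.
    return (ev.server_ip in PCI_AUTHORIZED_SERVER_IPS
            and ev.db_user not in AUTHORIZED_USERS
            and ev.obj in PCI_CARDHOLDER_SENSITIVE_OBJECTS)

def evaluate(events, state: RuleState) -> RuleState:
    for ev in events:
        if not rule_matches(ev):
            continue
        # LOG FULL DETAILS: every matching access is recorded with its timestamp.
        state.log.append((ev.timestamp, ev.session_id, ev.db_user, ev.obj))
        # ALERT ONCE PER SESSION: a repeat match in the same session is logged only.
        if ev.session_id not in state.alerted_sessions:
            state.alerted_sessions.add(ev.session_id)
            state.alerts.append((ev.session_id, ev.db_user))
    return state

# Constructed sample traffic: an unauthorized user reading two sensitive objects
# in one session, an authorized DBA, and the same user on a non-PCI server.
SAMPLE_EVENTS = [
    AccessEvent("s1", "10.0.5.10", "contractor_bob", "CARD_ACCOUNTS", "2024-01-01T10:00:00"),
    AccessEvent("s1", "10.0.5.10", "contractor_bob", "CARDHOLDER_PII", "2024-01-01T10:00:05"),
    AccessEvent("s2", "10.0.5.10", "dba_alice", "CARD_ACCOUNTS", "2024-01-01T10:01:00"),
    AccessEvent("s3", "192.168.1.7", "contractor_bob", "CARD_ACCOUNTS", "2024-01-01T10:02:00"),
]

def run_sample() -> RuleState:
    return evaluate(SAMPLE_EVENTS, RuleState())
```

Running the sample yields two full-detail log entries for session s1 but only one alert, while the authorized DBA and the non-PCI server generate nothing.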