Creating policies

In addition to creating policies, you can modify, clone, or remove a policy.

Create a policy

Use this section to create a policy. The steps follow the menu fields on the Policy Builder screen.

Follow these steps:

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. A set of predefined policies (available for cloning) with access, exception and extrusion rules has been created for database events that indicate attempts to defeat the protection mechanisms. Events that generate log actions or alerts include failed logins and SQL errors from certain groups or servers, access to certain database objects by certain users or groups, attempts to change SQL GRANT commands, and more. These predefined policies speed up the creation of policies for compliance regimes such as GDPR, Basel II, and PCI.
    Attention: If a [template] version of a predefined policy is available, using the older version (not marked as a [template]) is not recommended because it will not receive updates. Instead, clone the [template] version and customize it as needed.
  3. Clone a predefined policy or click New to open the Policy Definition panel.
  4. Enter a unique name for the policy in the Policy Description box. Do not include apostrophe characters in the description.
  5. Optional. Enter a category in the Category box. A category is an arbitrary label that can be used to group policy violations for reporting purposes. The category specified here will be used as the default category for each rule (and it can be overridden in the rule definition).
  6. Optional. Select a baseline to use from the Policy Baseline list. Be sure that the baseline selected has been generated. If it has not been generated, the Policy Builder will not be able to suggest rules from that baseline. If the baseline you want to use does not display in the list, your Guardium user ID has not been assigned a security role authorized to use that baseline. Contact your Guardium® Administrator for further information.

    If the policy includes a baseline, the policy definition will initially contain only the baseline, and the action for a baseline is always allow without continuing to the next rule.

    When adding a baseline to an existing policy, it is added as the first rule. You can move the baseline rule to any location in the policy. (Be aware that a baseline placed as the last rule has no effect.)

    Attention: The Baseline Builder and related functionality is deprecated starting with Guardium V10.1.4.
  7. Optionally mark Log Flat to indicate that Guardium is to log data, but not analyze and aggregate the data to the internal database.
  8. If Log Flat is selected, optionally mark Rules on Flat to apply the policy rules to the flat log data (as opposed to the aggregated data).
  9. Optionally mark Selective Audit Trail to restrict what will be logged when this policy is installed:
    • When marked, only traffic requested by this policy will be logged. This is appropriate when the traffic of interest is a relatively small percentage of the traffic being seen by the inspection engines. When marked, there are two ways to signal what traffic to log: by specifying a string that can be used to identify the traffic of interest, in the Audit Pattern box; or by specifying Audit Only or any of the Log actions for one or more policy rules (rule actions are described later).
    • When not marked (the default situation), the Guardium appliance logs all traffic that is seen by the inspection engines. This provides comprehensive audit trail capabilities, but may result in capturing and analyzing much more information than is needed.
    • For more information, see Using Selective Audit Trail.
  10. Click Save to save the policy definition.
  11. Optionally click Roles to assign roles for the policy.
  12. Optionally click Comments to add comments to the definition.

Where to go from here

After creating a new policy definition, use the Policy Finder panel to access that definition. Complete the policy definition by performing one or more of the following tasks:

  • Create policy rules manually. See Add or Edit Rules.
  • If the policy includes a baseline, have the Policy Builder suggest rules from the baseline. You can optionally accept or tailor the generated rules as necessary. See Using Rules Suggested from the Baseline.
  • Have the Policy Builder suggest rules from the database access control (ACL) defined for that database. You can reject, or accept and optionally tailor each rule as necessary. See Using Rules Suggested from the Database ACL.

Modify/Clone/Remove a Policy

Use this section for the steps on how to modify, clone or remove a policy.

Modify a policy

Use caution before modifying a policy definition: be sure that you understand the implications of modifying a policy that is in use. If the existing policy has to be re-installed before all revisions have been completed, the policy may not install, or it may not produce the desired results when installed. For this reason, it is preferable to clone the policy, so that the original is always available to reinstall.

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy to be modified.
  3. Do one of the following:
    • To edit overall policy settings (Category, Log Flat option, etc.), click Modify. For a description of these settings, see Create a Policy.
    • To edit the rules only, click Edit Rules. To modify any components of the rule definitions, see Add or Edit Rules.

Clone a policy

There are a number of situations where you may want to define a new policy based on an existing one, without modifying the original definition.

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy to be cloned.
  3. Click Clone to open the Clone Policy panel.
  4. Enter a unique name for the new policy in the New Name box. Do not include apostrophe characters in the name.
  5. To clone the baseline constructs (essentially, the commands) that have been generated for the baseline of the policy being cloned, mark the Clone Constructs checkbox.
  6. Click Save to save the new policy. You can then open and edit the new policy via the Policy Finder. See Modify a Policy.

Remove a policy

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy to be removed.
  3. Click the Delete button. You will be prompted to confirm the action.

Add or Edit Rules

Use this section to add or edit rules within a policy.

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy to be edited.
  3. Click the Edit Rules button to open the Policy Rules panel.
  4. Do one of the following:
    • To edit a rule, click the Edit this rule individually button.
    • To add a new rule, click one of the following buttons:

      Add Access Rule

      Add Exception Rule

      Add Extrusion Rule (will only be available if the administrator user has set the Inspection Engine configuration to Inspect Returned Data)

      Extrusion matches allow the user to define how many matched records will be grouped together when logged and reported on by Guardium. Extrusion rules must have an action of LOG FULL DETAILS and a rule name that includes guardium://(some text)?split=(number) where (some text) is any text or one of the predefined words such as CREDIT CARD and (number) is the number of returned data records per Guardium log record.

  5. The attributes that can be tested for in each type of rule vary, but regardless of the rule type, each rule definition begins with the following four items:
    • Rule Description - Enter a short, descriptive name for the rule. To use a special pattern test, enter the special pattern test name followed by a space and one or more additional characters to make the rule name unique, for example: guardium://SSEC_NUMBER employee.
    • Category - The category will be logged with violations, and is used for grouping and reporting purposes. If nothing is entered, the default for the policy is used.
    • Classification - Optionally enter a classification in the Classification box. Like the category, these are logged with exceptions and can be used for grouping and reporting purposes.
    • Severity - Select a severity code: Info, Low, Med, or High (the default is Info).
  6. Use the remaining fields of the Rule Definition panel to specify how to match the rule. Many of the same fields are available for Access, Exception, and Extrusion Rules; and some fields are available only after selecting various other options. For an alphabetical reference of all fields available in the rules definition panels, see Rule Definition Reference. Also, for instructions on how to use combinations of groups and individual values, see Specify Values and/or Groups of Values in Rules.
  7. For each type of rule, you can enter one or more regular expressions in a Pattern box, to match against strings in the traffic. Enter the expression manually, or click the regex icon to open the Build Regular Expression tool, which allows you to enter and test regular expressions.
  8. For exception rules only, select a single exception type to which the rule will be sensitive, from the Exception Type box. The rule count is incremented only when the selected exception type is encountered.
  9. When a rule action is selected, the following two fields are enabled:
    • Min. Ct. - Enter the minimum number of times the rule must be matched before the rule action is triggered. The count of times the rule has been met will be reset each time the action is triggered or when the reset interval expires. The default of zero is identical to 1, meaning that every time the rule is matched the action will be triggered.
    • Reset Interval (minutes) - Used only when the minimum count is greater than zero, and required in that case. Enter the number of minutes after which the rule counter will be reset to zero. The counter is also reset to zero each time that the rule action is triggered.
  10. Check the Continue to Next Rule box to indicate that when this rule is satisfied and its action is triggered, testing of the same request, exception, or results should continue with the next rule. This means that multiple rules may be satisfied and multiple actions taken based on a single request or exception. If not marked (the default), no additional rules will be tested when this rule is satisfied. If marked, rule testing will continue with the next rule, regardless of whether or not this rule is satisfied.
  11. When the Rec. Vals box is marked, the actual construct causing the rule to be satisfied will be logged in the SQL String attribute and is available in reports. If not marked, no SQL statement will be logged.
  12. Message templates are used to generate alerts. Multiple Named Message Templates are created and modified from Global Profile.
  13. Select the action to take when the rule is satisfied.
  14. If an alert action is specified, the Notification pane opens, and at least one notification type must be defined. For instructions on how to add notifications, see Notifications.
  15. Click Save to save the rule. This closes the Rule Definition panel and returns to the Policy Rules panel.
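The counter, reset-interval and continue-to-next-rule semantics of steps 9 and 10, together with the guardium:// rule-name conventions of steps 4 and 5, modelled as an added Python example (this is not Guardium's own code; the rule names, patterns and the (minute, sql) traffic are constructed, and the reset window is assumed to start at a rule's first match after a reset):

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed, simplified model of the rule fields named on this page
# (Pattern, Min. Ct., Reset Interval, Continue to Next Rule); not Guardium code.
EXTRUSION_RE = re.compile(r"guardium://(?P<text>.+?)\?split=(?P<n>\d+)")
PATTERN_RE = re.compile(r"^guardium://(?P<test>[A-Z_]+)\s+\S")


def check_rule_name(name: str, action: str) -> tuple:
    """Validate a rule description against the naming conventions on this page.

    Returns ("extrusion", text, records_per_log), ("pattern", test_name) or
    ("plain",); raises ValueError for names the Policy Builder would reject.
    """
    if "'" in name:
        raise ValueError("apostrophe characters are not allowed in rule names")
    m = EXTRUSION_RE.search(name)
    if m:
        if action != "LOG FULL DETAILS":
            raise ValueError("extrusion split rules require LOG FULL DETAILS")
        return ("extrusion", m.group("text"), int(m.group("n")))
    m = PATTERN_RE.match(name)
    if m:
        return ("pattern", m.group("test"))
    return ("plain",)


@dataclass
class Rule:
    name: str
    action: str
    pattern: str                 # regular expression matched against the SQL
    min_count: int = 0           # Min. Ct.: zero behaves like 1
    reset_interval: int = 0      # minutes; required when min_count > 0
    continue_next: bool = False  # Continue to Next Rule checkbox
    count: int = field(default=0, init=False)
    window_start: Optional[int] = field(default=None, init=False)

    def __post_init__(self):
        check_rule_name(self.name, self.action)
        if self.min_count > 0 and self.reset_interval <= 0:
            raise ValueError("Reset Interval is required when Min. Ct. > 0")
        self.regex = re.compile(self.pattern)

    def hit(self, minute: int) -> bool:
        """Record one match at `minute`; True when the rule action fires."""
        # Assumption: the reset window starts at the first match after a reset.
        if self.window_start is None or minute - self.window_start >= self.reset_interval:
            self.count, self.window_start = 0, minute
        self.count += 1
        if self.count >= max(self.min_count, 1):
            self.count, self.window_start = 0, None  # counter resets on trigger
            return True
        return False


def evaluate(rules, events):
    """Apply rules in order to (minute, sql) events; return (minute, rule) triggers."""
    fired = []
    for minute, sql in events:
        for rule in rules:
            if not rule.regex.search(sql):
                continue                  # an unmatched rule never stops evaluation
            if rule.hit(minute):
                fired.append((minute, rule.name))
                if not rule.continue_next:
                    break                 # default: stop at the first satisfied rule
    return fired


SAMPLE_EVENTS = [  # constructed (minute, sql) traffic, not real captures
    (0, "LOGIN FAILED user=app"), (1, "LOGIN FAILED user=app"), (2, "LOGIN FAILED user=app"),
    (3, "SELECT pan FROM cards"),
    (10, "LOGIN FAILED user=app"), (20, "LOGIN FAILED user=app"), (21, "LOGIN FAILED user=app"),
    (22, "SELECT name FROM users"),
]


def run_sample():
    """Three constructed rules: a 3-in-5-minutes login burst, a continue-through read rule, a catch-all."""
    rules = [
        Rule("failed login burst", "ALERT PER MATCH", r"LOGIN FAILED", min_count=3, reset_interval=5),
        Rule("card table reads", "LOG ONLY", r"FROM cards", continue_next=True),
        Rule("audit all selects", "LOG ONLY", r"^SELECT"),
    ]
    return evaluate(rules, SAMPLE_EVENTS)
```

The login rule fires only once, at minute 2: the three later failures straddle the five-minute window and never reach the count, while the continue flag lets both read rules log the same card-table query.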

Filter Rules to Display Only a Subset

When a policy contains many rules, it can be useful to view a subset of the rules having common attributes.

The Filter box in the Rules Definition panel can be used for this purpose. The process of defining a filter is similar to the process of defining a rule.

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy to be viewed or modified.
  3. Click Edit Rules.
  4. In the Filter box, do one of the following:
    • Select a filter from the Filter list.
    • Click Edit to modify a filter definition.
    • Click New to define a new filter.

    Once the filtered set of rules is displayed, you can perform any of the actions described in this section on the displayed rules.

Copy Rules

Use this procedure to copy selected rules from one policy to another, or to a different location in the same policy.

All of the rules copied will be copied to a single location - after rule 3, for example. To copy rules to different locations in the receiving policy, either perform multiple copy operations, or copy all of the rules in one operation, and then edit the receiving policy to move the rules as necessary.

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy from which you want to copy one or more rules.
  3. Click Edit Rules.
  4. Mark the checkbox for each rule to be copied.
  5. Click Copy Rules.
  6. From the Copy selected rules to policy list, select the policy to receive the copied rules.
  7. From the Insert after rule list, select the rule after which the copied rules should be inserted, or select Top to insert the copied rules at the beginning of the list.
  8. Click Copy. You will be informed of the success of the operation.
  9. You should now edit the policy to which you copied the rules, to verify that you have copied the correct rules to the correct location.

Using Rules Suggested from the Baseline

Use Policy Builder to suggest rules from the baseline included in the policy.

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy to work with. (It must include a baseline.)
  3. Click the Edit Rules button.
  4. Set the Rule minimum count value. This is the minimum number of like commands that the system should find in order to suggest a rule. The default is zero. The smaller the number entered, the more suggested rules the system will generate. (Be aware that the Count that displays in the suggested rules panel does not reflect this value.)
  5. Set the Object Group minimum count value, to determine how many instances of an object group the system should find to generate a suggested object group. The default is one. The smaller the number entered here, the greater the number of suggested object groups.
  6. Click the Suggest Rules button. The suggested rules display in a separate window, in the Suggested Rules panel.
  7. The suggested rules are sorted in descending order by the count of occurrences in the baseline period, which is listed for each suggested rule. If you select one or more of the suggested rules and click Save, they are inserted in the same order, just before the BASELINE rule in the Policy Rules panel. You can then change the order of the suggested rules or edit them as necessary, from the Policy Rules panel.
  8. Expand the rules and check the membership of the suggested object groups. In the Object column of the Suggested Rules panel, if any suggested object groups have been created, these begin with the name Suggested Object Group and are displayed as hypertext links. For information about how to view, accept, or reject suggested object groups, see Using Suggested Object Groups.
  9. Mark the Select box for each suggested rule to include in the policy.
  10. Click Save to accept the selected rules.
  11. You can now edit or modify the suggested rules as you would any rules that you added manually.

Using Suggested Object Groups

The Policy Builder can suggest rules from both the baseline included in the policy and the database security policy (internal to the DBMS) defined for a server.

In either case, it attempts to generate the minimal set of rules by grouping database objects (tables, procedures, or views) into suggested object groups. You can accept or reject the suggested object groups.

Before accepting a suggested object group, you can edit the generated Group Description field (Suggested Object Group603-25 11:54, for example) to provide a more meaningful name. After accepting a suggested object group, you can view its membership. You can reject the use of that group within any suggested rule, but you cannot edit the membership of that group.

If you reject a suggested object group, the suggested rule for that group is replaced with a separate suggested rule for each member of the rejected group. You can accept or reject each of those suggested rules separately. After accepting a suggested rule, you can edit that rule.

Viewing Suggested Object Groups

Suggested object groups display in the Object column of the Suggested Rules panel as hypertext links beginning with the words Suggested Object Group.

To view a suggested object group's membership, click the hypertext link for that group. If the group has not yet been accepted, the group membership displays in the Edit Group panel. If the group has already been accepted, it displays in the View Group panel.

Accepting Suggested Object Groups

To accept a suggested object group:

  1. Enter a meaningful name in the Group Description field in the Edit Group panel. (Not required, but strongly recommended). Do not include apostrophe characters in the name. This is the only opportunity you have to name this group. Otherwise, the group gets a name beginning with Suggested Object Group and followed by a number, as described previously.
  2. Click Save to accept the edited group for the suggested rule, or click Save for All to accept the edited group for all suggested rules in which it appears. The new object name will replace the old one in the rule.

Rejecting Suggested Object Groups

When you reject a suggested object group, the use of that group is replaced by one or more suggested rules. To reject a suggested object group, do one of the following:

  • To reject the group for this suggested rule only: Click the Reject button.
  • To reject the group for all suggested rules: Click the Reject for All button.

Note: If you accept a suggested object group in one rule, open that same suggested object group again from another rule, and then click the Reject for All button, that group will be retained in any rule where it was explicitly accepted, but rejected in the remaining rules in which it was used.

Using Rules Suggested from the Database ACL

For a specified database server, the Policy Builder can suggest access rules using the security policy defined internally by the DBMS.

The Policy Builder does this by examining the permissions granted to user groups and database objects (tables, procedures, and views) within the DBMS, then grouping the database objects into suggested object groups so that the total number of suggested rules can be minimized. You can accept or reject any suggested object group (see Using Suggested Object Groups). You can also accept or reject any suggested rule.

To have the Policy Builder suggest rules from the database ACL:

Note: When suggesting rules from the database ACL, the system does not use the Rule minimum count or the Object Group minimum count fields. Those fields are used only when suggesting rules from the baseline.
  1. Click Suggest from DB to open the Database Definition panel in a separate browser window.
  2. Click Add Datasource to select the database from which you want to access the DB ACL.
    Note: If adding an Oracle, DB2® or DB2 for z/OS® datasource to access the DB ACL, the Query Parameters section, in the Database Definition pop-up window, will be disabled.
  3. Click Suggest Rules to generate the rules. The Suggested Rules panel opens in a separate window (as described previously, for the Rules Suggested from Baseline). If you select one or more of the suggested rules and click Save, they will be inserted in the same order into the list of rules in the Policy Rules panel, just before the BASELINE rule. If there is no BASELINE rule, they will be inserted at the beginning of the list. Once the suggested rules have been inserted into the Policy Rules panel, you can change the order of the rules or edit them, as necessary.
  4. Check the membership of the suggested object groups. In the Object column, any suggested object groups that have been created begin with the name Suggested Object Group and display as hypertext links (in blue and underlined). For information about how to view, edit, accept, or reject suggested object groups, see Using Suggested Object Groups.
  5. Mark the Select box for each suggested rule you want included in the policy. Click Save to accept the selected rules.

Using the Policy Simulator

Use the Policy Simulator to test access rules without installing the policy.

It does not test exception rules or extrusion rules. The simulator replays logged network traffic and applies all access rules in the policy. It produces a special report in a separate window, listing the SQL that triggered alert or log only actions. The report includes the following columns: Timestamp, Category Name, Access Rule Description, Client IP, Server IP, DB User Name, Full SQL String, Severity Description, and Count of Policy Rule Violations. Use the CLI command, store allow_simulation, to make the Policy Simulation button active in the GUI.

The Policy Simulator can be used to test only the following types of access rule actions:

  • Log Only
  • Any Alert action: Alert Daily, Alert Once Per Session, Alert Per Match, Alert Per Time Granularity

The Policy Simulator will not produce any results if the policy includes logging actions other than Log Only. To use the simulator for such a policy, temporarily change all logging actions to Log Only.

To use the Policy Simulator:

  1. Click Setup > Policy Builder to open the Policy Finder or click Protect > Security Policies > Policy Builder to open the Policy Finder.
  2. From the Policy Description list, select the policy to work with.
  3. Click Edit Rules.
  4. Click the Policy Simulator button to open the Policy Simulator panel.
  5. Supply both From and To dates to define the time period to use for the simulation.
    Note: Historical data can be archived and purged from your Guardium appliance on a schedule defined by your Guardium administrator. Be sure that data from the time period you specify is available (and has not been purged).
  6. Click Test. When the test starts and while it is running, the message * is running is displayed in the Policy Simulator panel. When the test completes, a special report opens in a separate window listing all rule matches that were logged. If no alert or log only rules were triggered, you will receive a No Drill Down Report Available message. In the latter case, you may not have included enough data in the test period.