Rule definition fields
You can use these fields when you define policy rules.
Field | Description |
---|---|
Action | Indicates the action to be taken when the rule is true. For a comprehensive description of all rule actions, see Rule Actions Overview. |
App Event Exists | Match for an application event only. See the App Event Note. |
App Event Values | Match the specified application event Text, Numeric, or Date values. Also allow a Group to be chosen for the event string as an option. See the App Event Note. |
(App) Event Type | Match the specified application event. See the App Event Note. |
(App) Event User Name | Match the specified application event user name only. See the App Event Note. |
App Event Note | The App Event fields cannot be used when the Flat Log box is marked. |
App. User | Application User. See Specify Values and/or Groups of Values in Rules. |
Category | An arbitrary label that can be used to group policy violations for reporting purposes. A default category can be specified in the policy definition, but the default can be overridden for each rule. |
Classification | An arbitrary label that can be used to group policy violations for reporting purposes. A default classification can be specified in the policy definition, but the default can be overridden for each rule. |
Client Info | DB2® client info: For access rules only. For z/OS® only, a CLIENT INFO field (and CLIENT_INFO_GROUP_ID) will be visible if DB_TYPE is either DB2, DB2 COLLECTION Profile or VSAM COLLECTION Profile. The type of information that can be placed in this field is USER=x; WKSTN=y; APPL=z. |
Client IP | Clear the Not box to include, or mark the Not box to exclude, the specified client IP addresses. Wildcards are allowed in IP addresses: the % wildcard is permitted in a policy for a Client IP group. |
Client IP/Source Program/DB User/ Server IP/Service Name | 7-tuple group - Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB 5-tuple group type available for access, exception and extrusion rules. A tuple allows multiple attributes to be combined together to form a single group member. Tuple supports the use of one slash and a wildcard character (%). It does not support the use of a double slash. Wildcard % is permitted in a policy for Client IP/Source Program/DB User/ Server IP/Service Name group. |
Client MAC | To make the rule sensitive to a single client MAC address, enter the address in nn:nn:nn:nn:nn:nn format, where each n is a hexadecimal digit (0-F); enter a dot (.) in the Client MAC box to indicate that a separate count should be maintained for each client MAC address; or leave the Client MAC box empty to ignore client MAC addresses. |
Command | The command. See Specify Values and/or Groups of Values in Rules. If a commands group cannot be edited, the and/or Group label changes to Collect Only, indicating that only commands from the selected group are to be selected. If the Every box is checked, every field in the SQL statement must be a member of the group. |
Continue to Next Rule | If marked, rule testing will continue with the next rule, regardless of whether or not this rule is satisfied. This means that multiple rules may be satisfied (and multiple actions taken) by a single SQL statement or exception. If not marked (the default), no additional rules will be tested for the current transaction when this rule is satisfied. |
Data Pattern | Every type of rule (Access, Exception, Extrusion) can have a Data Pattern, but it is required for Extrusion rules. Enter the regular expression to be matched in the Data Pattern box. Click the Regex button to open the Build Regular Expression tool, which allows you to enter and test regular expressions. This enables more complex masking patterns. Put parentheses around the section that should be masked; use this function to mask data retrieved from the database. For example, Windows S-TAP: `([0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?)[0-9][0-9][0-9][0-9]`; Unix S-TAP: `([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?)[0-9]{4}[ ]{0,20}`. Additional regular expressions (Regex) for use only in Data Patterns with an action of Redact (Scrub): Regex with Redact - Regular expressions (regex) in the IBM Security Guardium solution (including the masking in the policy) are executed on the appliance and allow advanced regexp capabilities. However, the regex library used for Redaction is executed in the kernel of the database server and is limited to the most basic regex, so only basic regex patterns can be used with Redaction. For example, the nomenclature `[0-9]*` cannot be used to indicate any number of digits; it is necessary to use the basic regular expression nomenclature `[0-9]-[0-9]-[0-9]...` to specify a sequence of digits. Note: S-TAP® will only accept the predefined SCRUB pattern names, ignoring any other name. Access rule, data pattern and replacement character - Using a data pattern, for example `[a-z,2]{3}([_][0-9]{1,2})`, with a replacement character of `*` will change the values between the parentheses in the data pattern to `***`. Use this function to mask values. Note: Extrusion rules are usually attached to the session with a delay. Therefore short sessions, or the beginning of a session, may not be immediately affected by a character set change. |
DB Name | The database name. See Specify Values and/or Groups of Values in Rules. |
DB Type | Supported DB Types for access rules: Cassandra, CIFS, CouchDB, DB2, DB2 COLLECTION PROFILE* (only for use with z/OS), FTP, GreenPlumDB, Hadoop, HTTP, IBM® INFORMIX (DRDA), IBM iSeries, IMS™, IMS COLLECTION PROFILE (only for use with z/OS), Informix®, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, TERADATA, VSAM or VSAM COLLECTION PROFILE* (only for use with z/OS). For exception and extrusion rules: Cassandra, CIFS, CouchDB, DB2, FTP, GreenPlumDB, Hadoop, IBM INFORMIX (DRDA), IBM iSeries, Informix, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, or TERADATA. Note: Informix supports two protocols, SQLEXEC (native Informix protocol) and DRDA (IBM protocol). These protocols are identified automatically for Informix traffic with no additional settings; the Server Type attribute will show INFORMIX (for the SQLEXEC protocol) and IBM INFORMIX (DRDA) (for the DRDA protocol). Note: TERADATA has a silent login and allows clients to auto-reconnect. To block Teradata statements in a policy, use the S-TAP firewall function with default state ON and un-watch safe users. |
DB User | The database user. See Specify Values and/or Groups of Values in Rules. |
Error Code | The error code (for an exception). See Specify Values and/or Groups of Values in Rules. |
Exception Type | The type of exception (selected from the list). Note: A session closed by GUI timeout, in an Exception rule, will not produce a Session Error (Session_Error). |
Field Name | The field name. See Specify Values and/or Groups of Values in Rules. If the Every box is checked, every field in the SQL statement must be a member of the group. |
Min. Ct. | The minimum number of times the condition contained in the rule must be matched before the rule will be satisfied (subject to the Reset interval). |
Net. Protocol | The network protocol. See Specify Values and/or Groups of Values in Rules. |
Object | The object name. See Specify Values and/or Groups of Values in Rules. For Sybase and MS SQL Server, there are two groups, MASKED_SP_EXECUTIONS_SYBASE and MASKED_SP_EXECUTIONS_MS_SQL_SERVER respectively, that include names of stored procedures. If an included procedure is executed, then everything will be masked. If the Every box is checked, every field in the SQL statement must be a member of the group. |
Object/Command Group | Match a member of the selected Object/Command group. |
Object/Field Group | Match a member of the selected Object/Field group. |
OS User | Operating system user. See Specify Values and/or Groups of Values in Rules. |
Pattern | A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click the (Regex) button to open the Build Regular Expression tool, which allows you to enter and test regular expressions. |
Time Period | To make the rule sensitive to a single time period, select a pre-defined time period from the Period list or click the (Period) button to define a new time period. |
Rec. Vals. | When marked, the actual construct causing the rule to be satisfied will be logged, and available in reports, in the SQL String attribute. For a policy violation only, if not marked, no SQL statements will be logged. |
Records Affected Threshold | Access rule only. Set a threshold value for matched records. Example: let 1000 instances take place before taking action. This field affects the output of the rule rather than the definition of the rule (that is, what happens when it is triggered, rather than when it should trigger). The records affected threshold is based on rule and session: it is the accumulated count of returned rows from all queries that meet the rule condition. Once the accumulated records affected reach the threshold, the rule will trigger, and the records affected on the statement (if the action logs full details) will be the accumulated value of the records affected. |
Replacement Character | Define a masking character. Should the output produced by the extrusion rule match the regular expression, the portions that match sub-expressions between parentheses '(' and ')' will be replaced by the masking character. |
Reset Interval | Used only if the Min. Ct. field is greater than zero. This value is the number of minutes after which the condition met counter will be reset to zero. |
Revoke | This checkbox appears on extrusion rules only. It allows you to exclude from logging a response that has already been selected for logging by a previous rule in the policy. In most cases you can accomplish the same result more simply by defining a single rule with one or more NOT conditions to exclude the responses you do not want, while logging the remaining ones that satisfy the rule. (The Revoke checkbox pre-dates NOT conditions, and is provided mainly for backward compatibility to support existing policies.) |
Rule Description | The name of the rule. To use a special pattern test in the rule, enter the special pattern test name followed by a space and one or more additional characters to make the rule name unique, for example: guardium://SSEC_NUMBER employee. (See Special Pattern Tests for more information.) When displayed, the name will be prefaced with the rule number and the label Access Rule, Exception Rule, or Extrusion Rule, to identify the rule type. If the rule was generated using the Suggest From DB function, the generated name is in the format `Suggested Rule <n>_mm-dd hh:mm`, where n is the sequence number of the generated rule, mm-dd is the month and day the rule was generated, and hh:mm is the time the rule was generated. |
Server IP | Clear the Not box to include, or mark the Not box to exclude, the specified server IP addresses. Wildcards are allowed in IP addresses: the % wildcard is permitted in a policy for a Server IP group. |
Service Name | The service name. See Specify Values and/or Groups of Values in Rules. |
Severity | Select a severity code from the list: INFO, LOW, NONE, MED or HIGH. If HIGH is selected and email alerts are sent by this rule, the email will be flagged Urgent. |
SQL Pattern | A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions. Restriction: SQL Pattern is not supported for redaction rules. |
Src app | Application source program. See Specify Values and/or Groups of Values in Rules. |
Trigger Once Per Session | Do not analyze session for same rule after first match. Especially effective for “Selective Audit” policies. |
XML Pattern | A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions. A regular expression to be matched can be used in this box. The regular expression must be entered manually. |
Full_SQL return values using MSSQL | In MSSQL, the `sp_cursoropen` and `sp_cursorfetch` stored procedures are used for SELECT database queries. `sp_cursoropen` holds the original statement, while the FULL_SQL return value in an Extrusion rule will appear as `sp_cursorfetch` instead of `Select * from ___________`. |
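Worked example of the Data Pattern and Replacement Character fields (an added illustration, not Guardium code or the product's own masking implementation): it applies the semantics stated in the table, replacing every character inside a parenthesised sub-expression with the masking character and leaving the rest of the match visible, to the Windows and Unix S-TAP patterns quoted above (the Windows pattern with its missing `]` restored) and to the access-rule example `[a-z,2]{3}([_][0-9]{1,2})`. The function name and the sample strings are constructed for the example. It uses Python's full regex engine, so it does not reproduce the basic-regex restriction that applies to Redact (Scrub) patterns executed on the database server.

```python
import re

# Added example (not Guardium code). Characters that fall inside a parenthesised
# sub-expression of the Data Pattern are replaced by the Replacement Character;
# everything else in the match is left as is.
# The first two patterns are the Windows and Unix S-TAP examples from the page
# (Windows one with its missing "]" restored); the third is the access-rule example.
WINDOWS_STAP_PATTERN = (
    r"([0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?)"
    r"[0-9][0-9][0-9][0-9]"
)
UNIX_STAP_PATTERN = r"([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?)[0-9]{4}[ ]{0,20}"
ACCESS_RULE_PATTERN = r"[a-z,2]{3}([_][0-9]{1,2})"


def mask_by_data_pattern(text: str, pattern: str, replacement_char: str = "*") -> str:
    """Mask every character captured by a parenthesised group of `pattern`
    with `replacement_char`; characters outside the groups are untouched."""
    if len(replacement_char) != 1:
        raise ValueError("Replacement Character is a single masking character")
    compiled = re.compile(pattern)

    def _mask(match: "re.Match[str]") -> str:
        chars = list(match.group(0))
        base = match.start()
        for group_no in range(1, compiled.groups + 1):
            start, end = match.span(group_no)
            if start == -1:           # optional group that did not take part in the match
                continue
            for i in range(start - base, end - base):
                chars[i] = replacement_char
        return "".join(chars)

    return compiled.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample rows, as they might come back in a result set.
    print(mask_by_data_pattern("card 4111-1111-1111-1111 ok", UNIX_STAP_PATTERN))
    print(mask_by_data_pattern("pan=4111 1111 1111 1111;", WINDOWS_STAP_PATTERN))
    print(mask_by_data_pattern("abc_12 and xyz_7", ACCESS_RULE_PATTERN))
```

Only the grouped prefix of the 16-digit number is replaced, so the last four digits stay readable; a row that does not match the pattern passes through unchanged.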
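How Continue to Next Rule, Min. Ct., Reset Interval and Trigger Once Per Session interact when a policy's rules are tested in order against one statement at a time, as an added simulation (not Guardium code): the rule names, event fields and action labels are constructed for the illustration, and treating Trigger Once Per Session as "skip this rule for that session once it has been satisfied" is an assumption about the field's one-line description.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Added example (not Guardium code): a small simulator of the Continue to Next Rule,
# Min. Ct., Reset Interval and Trigger Once Per Session fields. Event keys, rule
# names and action labels are assumptions made for the illustration.
Event = dict  # constructed statement record, e.g. {"session": ..., "db_user": ..., "command": ...}


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]   # the rule's condition (DB User, Command, ... in the table)
    action: str                        # action label; names are constructed for the example
    continue_to_next: bool = False     # Continue to Next Rule
    min_count: int = 0                 # Min. Ct.; 0 or 1 means satisfied on the first match
    reset_interval_min: int = 0        # Reset Interval in minutes, used only when min_count > 1
    trigger_once_per_session: bool = False


@dataclass
class PolicyEvaluator:
    rules: List[Rule]
    # per-rule (condition-met count, minute at which the counting window started)
    _counts: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # (rule name, session id) pairs already satisfied under Trigger Once Per Session
    _done: Set[Tuple[str, str]] = field(default_factory=set)

    def evaluate(self, event: Event, now_min: float) -> List[str]:
        """Test the rules in order and return the actions taken for this event."""
        taken: List[str] = []
        for rule in self.rules:
            if rule.trigger_once_per_session and (rule.name, event["session"]) in self._done:
                continue                      # session is no longer analysed for this rule
            if not rule.matches(event):
                continue
            if not self._min_count_reached(rule, now_min):
                continue                      # condition matched, but Min. Ct. not yet met
            taken.append(rule.action)
            if rule.trigger_once_per_session:
                self._done.add((rule.name, event["session"]))
            if not rule.continue_to_next:
                break                         # default: stop testing once a rule is satisfied
        return taken

    def _min_count_reached(self, rule: Rule, now_min: float) -> bool:
        if rule.min_count <= 1:
            return True
        count, started = self._counts.get(rule.name, (0, now_min))
        if rule.reset_interval_min > 0 and now_min - started >= rule.reset_interval_min:
            count, started = 0, now_min       # Reset Interval elapsed: counter back to zero
        count += 1
        self._counts[rule.name] = (count, started)
        return count >= rule.min_count


def build_policy() -> PolicyEvaluator:
    return PolicyEvaluator(rules=[
        Rule("drop-by-anyone", lambda e: e["command"] == "DROP", "ALERT",
             trigger_once_per_session=True),
        Rule("three-app-selects-in-10-min",
             lambda e: e["db_user"] == "app" and e["command"] == "SELECT",
             "ALERT", continue_to_next=True, min_count=3, reset_interval_min=10),
        Rule("catch-all", lambda e: True, "LOG FULL DETAILS"),
    ])


def run_scenario() -> List[List[str]]:
    """Replay a constructed sequence of statements; return the actions taken per statement."""
    policy = build_policy()
    timeline = [
        (0.0,  {"session": "S1", "db_user": "app", "command": "SELECT"}),
        (1.0,  {"session": "S1", "db_user": "app", "command": "SELECT"}),
        (2.0,  {"session": "S1", "db_user": "app", "command": "SELECT"}),  # 3rd match: Min. Ct. met
        (15.0, {"session": "S1", "db_user": "app", "command": "SELECT"}),  # window reset, count restarts
        (16.0, {"session": "S2", "db_user": "dba", "command": "DROP"}),
        (17.0, {"session": "S2", "db_user": "dba", "command": "DROP"}),    # once per session: skipped
    ]
    return [policy.evaluate(event, minute) for minute, event in timeline]


if __name__ == "__main__":
    for actions in run_scenario():
        print(actions)
```

The third SELECT is the only one on which both rules act, because the second rule has Continue to Next Rule set; the first rule stops evaluation after its alert, and the second DROP in session S2 falls through to the catch-all rule because the first rule is no longer analysed for that session.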