IBM Guardium

  • 1.  How can I alert GRANT DBA command?

    Posted Wed August 26, 2020 01:50 PM
    Hello all,

    I was asked for an alert in IBM Guardium (11) when a user grants dba privileges to a user. I made a rule with command criteria for a group containing GRANT DBA, but the rule doesn't match. I think that the criteria search for GRANT as the pure command, not the argument (dba). The role that we need to monitor is dba only. Does anyone know how to do it?

    Regards,

    ------------------------------
    Carlos Espinoza Chandia
    ------------------------------


  • 2.  RE: How can I alert GRANT DBA command?

    Posted Thu August 27, 2020 01:52 AM
    Hi Carlos,

    I would suggest you try the policy change below:

    1. Create one group with GROUP TYPE set to commands, and add commands such as GRANT, Create, Delete, etc. as members of that group.
    2. Create an access rule in the data security policy named DCL user management.
    3. Select "SQL criteria" as command and add the condition "In Group" with the group created in step 1. Select the rule action per your requirement, such as alert per match.
    4. Reinstall the policy and restart inspection engines.



    ------------------------------
    Sachin Shende
    Security Consultant
    IBM
    +91-9561-650-383
    ------------------------------



  • 3.  RE: How can I alert GRANT DBA command?

    Posted Thu August 27, 2020 10:36 AM
    Hi Sachin,

    Thank you for your answer. I did this, but the rule doesn't match. I think this is because the rule searches for the command only (in this case GRANT) and the argument isn't compared. The command that I'm searching for is one the user typed, or that a tool generated as a SQL statement, like this:

    GRANT dba TO sshende;

    I need an alert when the command in blue is executed. The user must appear in the SYSLOG message. I looked at the built-in GRANT group; the command appears as GRANT only.

    Regards

    ------------------------------
    Carlos Espinoza Chandia
    ------------------------------



  • 4.  RE: How can I alert GRANT DBA command?

    Posted Fri August 28, 2020 01:00 PM
    Carlos, this is a thought; I have not tried it out. 1) Capture all GRANT SQL commands with "Log Full Details" to capture the full SQL. Next, review, and see if you can create a "Selective Audit" alert with the exact information that you are looking for, if you are able to capture it.

    ------------------------------
    Frederic Delos
    Data Protection Engineer, Global Security Fusion Center
    Data Protection Services – Technical Lead  Data Activity Monitoring and Response
    Allstate Insurance Company
    ------------------------------



  • 5.  RE: How can I alert GRANT DBA command?
    Best Answer

    Posted Fri August 28, 2020 01:00 PM
    Hello Carlos,

    If alerting on all GRANTs is not acceptable, you can use the PATTERN criteria to be more specific. Please see the attached file for screenshots of the rule definition and a report showing the alert to syslog. Please contact me if you would like to walk through the process via Webex.

    ------------------------------
    BERN LORD
    ------------------------------

    Attachment(s)

    docx
    Alert-on-DBADM.docx   64 KB 1 version


  • 6.  RE: How can I alert GRANT DBA command?

    Posted Wed September 09, 2020 11:38 AM
    Ben,

    Thank you, I followed your suggestion and finally I put the Pattern as:

    GRANT ["DBA"] *

    That works.


    ------------------------------
    Carlos Espinoza Chandia
    ------------------------------
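
The gap discussed in this thread, matching on the GRANT verb alone versus matching on what is being granted, sketched in Python as an added example. It is not Guardium's pattern engine or pattern syntax and not code from any poster; the function names and every sample statement except `GRANT dba TO sshende;` are constructed, and treating quoted identifiers as case-sensitive is an assumption about the monitored database.

```python
import re

# Constructed sample statements; only the first appears in the thread.
SAMPLES = [
    "GRANT dba TO sshende;",
    "GRANT SELECT ON hr.emp TO bob;",
    "grant connect, DBA to alice;",
    "GRANT dba_reader TO carol;",
    "/* change 42 */ GRANT\n  DBA TO dave;",
    "SELECT 'GRANT DBA TO x' FROM dual;",
]

_COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
# Everything between the GRANT verb and the first ON/TO keyword is the grant list.
_GRANT = re.compile(r"^\s*GRANT\s+(?P<items>.+?)\s+(?:ON|TO)\s", re.I | re.S)


def _norm(name):
    """Upper-case unquoted names; keep quoted names as written (assumption)."""
    name = name.strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        return name[1:-1]
    return name.upper()


def granted_items(sql):
    """Return the roles/privileges named in a GRANT statement, or [] if not a GRANT."""
    m = _GRANT.match(_COMMENTS.sub(" ", sql))
    return [_norm(p) for p in m.group("items").split(",")] if m else []


def is_grant(sql):
    """Verb-only check: what a command-group criterion amounts to."""
    return bool(granted_items(sql))


def grants_role(sql, role="DBA"):
    """Argument-aware check: true only when the exact role is in the grant list."""
    return role in granted_items(sql)


def triage(statements, role="DBA"):
    """Pair the verb-only and role-specific verdicts for each statement."""
    return [(is_grant(s), grants_role(s, role)) for s in statements]


if __name__ == "__main__":
    for sql, (verb, hit) in zip(SAMPLES, triage(SAMPLES)):
        print(f"verb-only={verb!s:5} role-match={hit!s:5} {sql!r}")
```

Running a candidate rule against statements like these (multi-role grants, similarly named roles, comments, line breaks, and GRANT text inside a string literal) shows where a verb-only rule over-alerts and where a too-literal pattern would miss.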



  • 7.  RE: How can I alert GRANT DBA command?

    Posted Thu September 03, 2020 09:33 AM
    Also be advised that if you have any session-based ignore rules, these will likely get triggered before the GRANT command is executed, meaning the GRANT may not be seen by Guardium. This will depend on whether you have ignored a user who has the ability to GRANT dba.

    ------------------------------
    Chase Walkup
    ------------------------------