IBM Guardium

IBM Guardium

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Security Policy Creation using schema name

    Posted Tue February 18, 2025 11:08 AM

    Im trying to Create a security policy for generating logs when any command is fired on the specified db.

    1. 

    I tried creating an basic rule policy by just using DB server ip and net mask where logs come for only SELECT Operation as seen below:


    2. 

    Also tried another rule by giving object group type - schema.% and members - schema.tablename.

    still no logs found.

    3. Tried giving service name and then taking the schema name as DB name then also there was no log found in the incident management panel.

    DB server is Oracle DBCS, from a troubleshooting point of view i had also tried to check the connectivity from collector appliance to the DB server on default oracle port but Connection Timeout is the Prompt. 



    ------------------------------
    Meet Todankar
    ------------------------------


  • 2.  RE: Security Policy Creation using schema name

    Posted Thu February 20, 2025 03:08 AM
    Edited by Moaz Saadeldin Thu February 20, 2025 03:10 AM

    Dear @Meet Todankar,

    for the schema point 

    Try to create a group with type 'object', the query with schema name should be like this "Schema.​TableName" , you should put a a wild card '%' in place of the Table name.
    for example "YourSchema.%"
     Create rule in your policy sql criteria= Object and group members should be like this :

    Best regards,



    ------------------------------
    Moaz Saadeldin
    ------------------------------



  • 3.  RE: Security Policy Creation using schema name
    Best Answer

    Posted Thu February 20, 2025 08:51 AM
    Edited by Kristen Park Wed February 26, 2025 02:41 PM

    Hi @Meet Todankar,

    Database Name is included as part of the session level criteria and can be included in your policy by way of the seven (7) tuple entity group, but with any policy rule, you need to profile what you want to monitor. Assuming you are seeing the Database Name in your session profiles, then my recommendation would be to include a rule with a Session Level Criteria using the seven (7) tuple entity and you can wild card all entities except the Database Name.


    If you use this methodology, then you can use this rule to accommodate your use case for many databases that fall into this scope.

    If the requirement is simply to log the SQL's, I recommend the following configurations depending on your policy type: selective or non-selective audit trail.

    • Selective I would use - In Group and LOG MASKED DETAILS
    • Non-Selective I would use - Not In Group - IGNORE S-TAP SESSION

    Also to mention, because you're saying you can't find your logs, make sure the report you're using is set with the proper Main Entity. In most cases your Main Entity should be SQL, not FULL SQL. 

    Note, you can also target the Database Name by itself in the Session Level Criteria, but the tuple option allows for more flexibility if you want to layer in some of the other conditions.

    ------------------------------
    Wendy Zemba
    Sr. Consultant, Data Protection
    Converge Technology Solutions
    wendy.zemba@convergetp.com

    Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
    ------------------------------



Related Content