IBM Security Guardium

  • 1.  Exclude specific SQL statements from a Policy rule

    Posted Tue July 09, 2019 10:37 AM
    Hello,
    I was wondering whether it is possible within the Guardium Policy to exclude specific SQL statement strings from a policy rule in Guardium 10.5.

    We have a Policy Rule 'Alert on Select * from Sensitive tables' .
    This has been defined within the Policy Builder by having an asterisk '*' in Field, 'Select' as the Command and a Group containing Sensitive tables in Object.
    In addition to alerting on genuine 'Select * from SensitiveTableName' SQL, alerts are also created for 'Select count(*) from SensitiveTableName'. I am looking for a way to suppress alerts within Guardium on these 'Select count(*)' SQL statements as they are not required. Is this possible? (If not, I'll need to filter them out within Splunk, but would ideally prefer to prevent them alerting in the first place.) Any assistance greatly appreciated.
    Many thanks.

    ------------------------------
    David Huckle
    ------------------------------


  • 2.  RE: Exclude specific SQL statements from a Policy rule

    Posted Wed July 10, 2019 09:05 AM
    Hi David,
    I understand your request, but what if I execute "select count(*), * from table" - should that be alerted or not? The idea of focusing on the table or column name, without analyzing the processing, is much more secure.

    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 3.  RE: Exclude specific SQL statements from a Policy rule

    Posted Thu July 11, 2019 06:28 AM
    Thanks for your reply Zbigniew.
    I would expect your example "select count(*), * from table" to alert, of course.
    I did previously look at the possibility of excluding by column name within the policy, but drew the same conclusion as you.
    I would need to exclude by string(s) within the SQL, e.g. "select count(*) from %". I don't see a way that this is possible within the policy rules, so I will look to remove these alerts once they reach the target alerting system (Splunk).
    Kind regards, David.


    ------------------------------
    David Huckle
    ------------------------------



  • 4.  RE: Exclude specific SQL statements from a Policy rule

    Posted Wed July 10, 2019 09:05 AM
    "select count(*), * from table" is a good example of why the analysis of column processing is not a good idea.

    ------------------------------
    Zbigniew Szmigiero
    IBM Guardium CTP
    ------------------------------



  • 5.  RE: Exclude specific SQL statements from a Policy rule

    IBM Champion
    Posted Wed July 10, 2019 12:09 PM
    We see that rule fire on 'Select * from Dual' as well. There is no data returned when Dual is called. It's been on my list to look into, but it shouldn't fire this rule either.

    ------------------------------
    Wendy Zemba
    ------------------------------



  • 6.  RE: Exclude specific SQL statements from a Policy rule

    Posted Thu July 11, 2019 06:50 AM
    If we agree that monitoring column processing is difficult and hard to control, I suggest this:

    If you would like to remove the exact syntax "select count(*) from %", you can add an additional rule with the action Ignore and
    SQL Criteria: Pattern, with the regular expression: "^SELECT count[(][*][)] from .*"

    In the case of the dual object I suggest a similar approach:
    SQL Criteria: Pattern - regex: ".* from dual$"

    These rules should ignore the syntaxes mentioned in your examples and will not send the alert.

    ------------------------------
    Zbigniew Szmigiero
    IBM
    Warsaw
    ------------------------------
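As an added illustration (not Guardium's own matcher, and not code from anyone in this thread), the two patterns suggested above are run with Python's `re` against constructed statements, including edge cases the thread does not show: a trailing clause after `dual`, extra whitespace, and upper-case SQL. It assumes the pattern is applied to the whole statement text; whether Guardium matches case-insensitively is an assumption, kept in the `FLAGS` constant so it can be flipped.

```python
import re

# Exclusion patterns exactly as suggested in the thread (Guardium "SQL Criteria: Pattern").
COUNT_STAR_PATTERN = r"^SELECT count[(][*][)] from .*"
DUAL_PATTERN = r".* from dual$"

# Assumption (not confirmed by the thread): the engine matches case-insensitively.
# Set FLAGS = 0 to see how a case-sensitive engine would treat the same statements.
FLAGS = re.IGNORECASE


def is_excluded(sql: str, flags: int = FLAGS) -> bool:
    """True if either exclusion pattern matches the statement text from its start."""
    return any(re.match(p, sql, flags) for p in (COUNT_STAR_PATTERN, DUAL_PATTERN))


def triage(statements, flags: int = FLAGS) -> dict:
    """Map each statement to 'excluded' (skipped by the Ignore/Allow rule)
    or 'evaluated' (still goes on to the 'Select * from sensitive tables' rule)."""
    return {s: ("excluded" if is_excluded(s, flags) else "evaluated") for s in statements}


# Constructed sample statements; table names are placeholders, not from any real system.
SAMPLES = [
    "select count(*) from SensitiveTableName",     # intended exclusion
    "select count(*), * from SensitiveTableName",  # must still be evaluated (and alert)
    "select * from SensitiveTableName",            # must still be evaluated (and alert)
    "select * from dual",                          # intended exclusion
    "select * from dual where 1=1",                # caveat: trailing clause defeats the $ anchor
    "select  count(*)  from SensitiveTableName",   # caveat: double spaces defeat the literal spaces
    "SELECT COUNT(*) FROM SensitiveTableName",     # caveat: outcome depends on case handling
]

if __name__ == "__main__":
    for sql, verdict in triage(SAMPLES).items():
        print(f"{verdict:9} {sql}")
```

The two caveat cases show why a pattern exclusion should be tested against real captured SQL before it is trusted: a statement that only differs in whitespace or a trailing clause falls back through to the alert rule rather than being suppressed.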



  • 7.  RE: Exclude specific SQL statements from a Policy rule

    Posted Fri July 12, 2019 08:12 AM
    Many thanks Zbigniew.
    I've tested the regular expression with the rule action ALLOW (but not continuing on to the next rule), as the different IGNORE variants all seem to ignore subsequent SQL within the session. This seems to work fine.

    ------------------------------
    David Huckle
    ------------------------------