Rule definition fields

You can use these fields when you define policy rules.

Table 1. Reference Table of Rule Definition Fields
Field Description
Action Indicates the action to be taken when the rule is true. For a comprehensive description of all rule actions, see Rule Actions Overview.
App Event Exists Match for an application event only. See the App Event Note.
App Event Values Match the specified application event Text, Numeric, or Date values. Also allows a Group to be chosen for the event string as an option. See the App Event Note.
(App) Event Type Match the specified application event. See the App Event Note.
(App) Event User Name Match the specified application event username only. See the App Event Note.
App Event Note The App Event fields cannot be used when the Flat Log box is marked.
App. User Application User. For more information, see Values and groups of values in rules.
Category An arbitrary label that can be used to group policy violations for reporting purposes. A default category can be specified in the policy definition, but the default can be overridden for each rule.
Classification An arbitrary label that can be used to group policy violations for reporting purposes. A default classification can be specified in the policy definition, but the default can be overridden for each rule.
Client Info

DB2® client information: for access rules only. On z/OS® only, a CLIENT INFO field (and CLIENT_INFO_GROUP_ID) is visible if DB_TYPE is Db2, Db2 COLLECTION Profile, or VSAM COLLECTION Profile.

The information placed in this field has the form USER=x; WKSTN=y; APPL=z.

Client IP Clear the Not box to include, or mark the Not box to exclude:
  • Any client: Leave all client fields blank. The count is incremented every time that any client satisfies the rule. (You cannot leave all fields blank if the Not box is marked.)
  • All clients that are selected by an IP address and mask: Enter a client IP address in the first box and network mask in the second box. The count is incremented each time that any of the specified clients satisfies the rule. For example, to select all clients in subnet 192.168.9.x, enter 192.168.9.1 in the first box and 255.255.255.0 in the second box.
  • A group of clients: Select a group of client IP addresses from the Group list, or click Groups to define a new group and then select that group. The count is incremented each time that any member of the selected group satisfies the rule.
  • All clients that are selected by an IP address and mask AND a group of clients: Use both the Client IP and Group fields. The count is incremented each time that any client specified by either method satisfies the rule.

Wildcards are allowed in IP addresses: the % wildcard is permitted in a Client IP group.

Client IP/Source Program/DB User/ Server IP/Service Name

5-tuple group type, available for access, exception, and extrusion rules. A 7-tuple group (Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB) is also available.

A tuple allows multiple attributes to be combined into a single group member.

A tuple member supports a single slash as the field separator and the wildcard character (%). A double slash is not supported.

The % wildcard is permitted in a policy for the Client IP/Source Program/DB User/Server IP/Service Name group.
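As an added illustration, not code from the Guardium product or its documentation, the following Python models the Client IP address/mask and group selection described above, together with a 5-tuple group member. It assumes that the % wildcard matches any run of characters (as in SQL LIKE) and that the fields of a tuple member are separated by single slashes in the order Client IP/Source Program/DB User/Server IP/Service Name; the function names and event keys are the example's own.

```python
import fnmatch
import ipaddress

def client_ip_in_mask(client_ip, rule_ip, rule_mask, negate=False):
    """Client IP field: an address plus a network mask.
    Blank address and mask mean any client; blank fields with Not marked are invalid."""
    if not rule_ip and not rule_mask:
        if negate:
            raise ValueError("Not cannot be marked when all client fields are blank")
        return True
    # The entered address is itself masked: 192.168.9.1/255.255.255.0 is 192.168.9.0/24
    net = ipaddress.ip_network(f"{rule_ip}/{rule_mask}", strict=False)
    hit = ipaddress.ip_address(client_ip) in net
    return not hit if negate else hit

def wildcard_match(value, member):
    """Group member containing the % wildcard. Assumption (example's own): % matches
    any run of characters, as in SQL LIKE, so it is not limited to one octet."""
    return fnmatch.fnmatchcase(value, member.replace("%", "*"))

def client_selected(client_ip, rule_ip="", rule_mask="", group=()):
    """IP/mask and a group used together select the union of both methods."""
    if not (rule_ip or rule_mask or group):
        return True                      # all fields blank: any client
    by_mask = bool(rule_ip or rule_mask) and client_ip_in_mask(client_ip, rule_ip, rule_mask)
    by_group = any(wildcard_match(client_ip, m) for m in group)
    return by_mask or by_group

# Field order assumed for a 5-tuple member (example's own naming of the event keys)
TUPLE_FIELDS = ("client_ip", "src_app", "db_user", "server_ip", "service_name")

def tuple_member_matches(event, member):
    """5-tuple group member: fields separated by a single slash, % allowed in each.
    A double slash is rejected because the text says it is not supported."""
    if "//" in member:
        raise ValueError("double slash is not supported in a tuple member")
    parts = member.split("/")
    if len(parts) != len(TUPLE_FIELDS):
        raise ValueError(f"expected {len(TUPLE_FIELDS)} fields, got {len(parts)}")
    return all(wildcard_match(str(event.get(f, "")), p)
               for f, p in zip(TUPLE_FIELDS, parts))
```

Two practitioner checks fall out of this: the address typed next to the mask is itself masked, so 192.168.9.1 with 255.255.255.0 selects all of 192.168.9.0/24, not the single host; and an unanchored wildcard such as 10.1% also matches 10.10.x.x, so end the member with a dot before the % (10.1.%) when you mean a prefix of whole octets.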

Client MAC
To make the rule sensitive to a single client MAC address, you can take one of the following steps:
  • Enter the address in nn:nn:nn:nn:nn:nn format, where each n is a hexadecimal digit (0-F).
  • Enter a dot (.) in the Client MAC box to maintain a separate count for each client MAC address.
  • Leave the Client MAC box empty to ignore client MAC addresses.
Command

The command. In some situations a command group cannot be edited, and the and/or Group label changes to Collect Only, indicating that only commands from the selected group are selected. For more information, see Values and groups of values in rules.

If the Every member in group option is selected, all fields of the SQL statement must be a member of the defined group. However, the SQL statement does not need to contain all members of the group. For example, for the group DB_TABLES_PROD with members students, module, marks:
  • For the query select * from students;, the object students is in the group and triggers the rule.
  • For the query select * from students, module, marks;, all three objects are in the group, which triggers the rule.
  • For the query select * from students, test;, the object test is not in the group and does not trigger the rule when the Every member in group option is selected. However, it triggers the rule if the In group option is selected, since students is a member of the group.
Continue to Next Rule If marked, rule testing will continue with the next rule, regardless of whether this rule is satisfied. This means that multiple rules can be satisfied (and multiple actions taken) by a single SQL statement or exception. If not marked (the default), no additional rules are tested for the current transaction when this rule is satisfied.
Data Pattern

Every type of rule (Access, Exception, Extrusion) can have a Data Pattern, but it is required for Extrusion rules.

For use in defining Extrusion Rules: a regular expression to be matched, entered in the Data Pattern box. Click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions. This enables more complex masking patterns. Put parentheses around the section that you want to mask; use this function to mask data retrieved from the database.

For example,

Windows S-TAP: ([0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?)[0-9][0-9][0-9][0-9]
Unix S-TAP: ([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?)[0-9]{4}[ ]{0,20}

Additional regular expressions (Regex) for use only in Data Patterns with an action of Redact (Scrub):

For Windows S-TAP
Name:                     Pattern:            Masked to:
SCRUB_SSN_ANSI            AAA-AA-AAAA         ***-***-AAAA
SCRUB_SSN_UNICODE         UUU-UU-UUUU         ***-***-UUUU
SCRUB_CC_SPACES_ANSI      AAAA AAAA AAAA AAAA **** **** **** AAAA
SCRUB_CC_SPACES_UNICODE   UUUU UUUU UUUU UUUU **** **** **** UUUU
SCRUB_CC_SOLID_ANSI       AAAAAAAAAAAAAAAA    ************AAAA
SCRUB_CC_SOLID_UNICODE    UUUUUUUUUUUUUUUU    ************UUUU
SCRUB_CC_AX_SOLID_ANSI    AAAAAAAAAAAAAAA     ***********AAAA
SCRUB_CC_AX_SOLID_UNICODE UUUUUUUUUUUUUUU     ***********UUUU
UNIX S-TAP
Name:                     Pattern:            Masked to:
SCRUB_SSN_ANSI            AAA-AA-AAAA          ***-***-AAAA
SCRUB_SSN_UNICODE         UUU-UU-UUUU          ***-***-UUUU
SCRUB_CC_SPACES_ANSI      AAAA AAAA AAAA AAAA  A*** **** **** 1234
SCRUB_CC_SPACES_UNICODE   UUUU UUUU UUUU UUUU  U*** **** **** ****
SCRUB_CC_SOLID_ANSI       AAAAAAAAAAAAAAAA     A***************
SCRUB_CC_SOLID_UNICODE    UUUUUUUUUUUUUUUU     U***************
SCRUB_AMEX_SOLID_ANSI     AAAAAAAAAAAAAAAA     A***************
SCRUB_AMEX_SOLID_UNICODE  UUUUUUUUUUUUUUUU     U***************

Regex with Redact: regular expressions used elsewhere in the IBM® Security Guardium® solution (including masking in the policy) run on the appliance, which supports advanced regex capabilities.

The regex library used for Redaction, however, runs in the kernel of the database server and is limited to the most basic regex. Only basic regex patterns can be used with Redaction.

For example, the nomenclature [0-9]* cannot be used to indicate any number of digits. Use basic regular expression nomenclature instead, for example [0-9]-[0-9]-[0-9]... to specify a sequence of digits.

Note: S-TAP® recognizes only the predefined SCRUB pattern names and ignores any other name.

Access rule, data pattern, and replacement character - Using a data pattern such as [a-z,2]{3}([_][0-9]{1,2}) with a replacement character of * changes the values between the parentheses in the data pattern to ***. Use this function to mask values.
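The following Python is an added example, not code from Guardium, showing how the capturing-group masking described for the Data Pattern and Replacement Character fields behaves: only the text inside the parentheses is replaced, so the final four digits stay visible. It uses the three patterns quoted in the text, a constructed sample result row, and Python's re module in place of the S-TAP regex library (which, as noted above for Redaction, accepts only basic patterns).

```python
import re

def mask_captured(text, pattern, replacement="*"):
    """Replace every character captured by a parenthesised sub-expression of `pattern`
    with `replacement`; text outside the capturing groups (e.g. the last four digits)
    is left visible. Mirrors the Replacement Character behaviour described in the text."""
    compiled = re.compile(pattern)

    def redact(m):
        chars = list(m.group(0))
        base = m.start()
        for g in range(1, compiled.groups + 1):
            if m.start(g) == -1:          # optional group that did not take part
                continue
            for i in range(m.start(g) - base, m.end(g) - base):
                chars[i] = replacement
        return "".join(chars)

    return compiled.sub(redact, text)

# Patterns quoted in the text. The Windows form spells every digit out because the
# redaction regex library accepts only basic patterns; the Unix form uses {n}.
CC_WINDOWS = (r"([0-9][0-9][0-9][0-9][-, ]?[0-9][0-9][0-9][0-9][-, ]?"
              r"[0-9][0-9][0-9][0-9][-, ]?)[0-9][0-9][0-9][0-9]")
CC_UNIX = r"([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4}[-, ]?)[0-9]{4}[ ]{0,20}"
ACCESS_RULE = r"[a-z,2]{3}([_][0-9]{1,2})"

def demo():
    """Constructed sample result rows run through the three patterns."""
    row = "cardholder 4111-1111-1111-1234 approved"
    return {
        "windows": mask_captured(row, CC_WINDOWS),   # cardholder ***************1234 approved
        "unix": mask_captured(row, CC_UNIX),         # identical: the trailing space is outside the group
        "access": mask_captured("abc_12 ab2_7 xyz_123", ACCESS_RULE),   # abc*** ab2** xyz***3
    }
```

The Unix pattern's trailing [ ]{0,20} is consumed by the match but sits outside the group, so it is not masked; and [a-z,2] is a character class containing a to z, the comma and the digit 2, which is why ab2_7 is masked but a three-digit suffix such as xyz_123 leaves its third digit visible.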

User-Defined Character Sets

Available for Oracle, Sybase, MySQL, and MSSQL, and for extrusion rules only. Users can influence the character set by defining special extrusion rules. These character set policy rules only set the character set that a user wants traffic converted to; their action is irrelevant. To take an action on that traffic, define additional rules after the character set rule. A character set rule can be set in two ways (hint or force), as shown in the following examples:

Example of extrusion rule (with hint).

Converts the traffic by character set as defined in the extrusion rule of the installed policy ONLY if the regular conversion failed.

Character set EUC-JP (code 274). 

Extrusion rule pattern: guardium://char_set?hint=274

Example of extrusion rule (with force).

Converts the traffic by character set as defined in the extrusion rule of the installed policy for ALL data.

Character set EUC-JP (code 274). 

Extrusion rule pattern: guardium://char_set?force=274

Note: Extrusion rules are usually attached to the session with a delay. Therefore short sessions, or the beginning of a session, might not be immediately affected by a character set change.
DB Name The database name. For more information, see Values and groups of values in rules.
DB Type

Supported DB Types

For access rules: Cassandra, CIFS, CouchDB, Db2, Db2 COLLECTION PROFILE (z/OS only), FTP, GreenPlumDB, Hadoop, HTTP, IBM INFORMIX (DRDA), IBM iSeries, IMS, IMS COLLECTION PROFILE (z/OS only), Informix®, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, TERADATA, VSAM, or VSAM COLLECTION PROFILE (z/OS only).

For exception and extrusion rules: Cassandra, CIFS, CouchDB, Db2, FTP, GreenPlumDB, Hadoop, IBM INFORMIX (DRDA), IBM iSeries, Informix, MongoDB, MS SQL SERVER, MYSQL, NETEZZA, Oracle, PostgreSQL, Sybase, or TERADATA.

Note: Informix supports two protocols, SQLEXEC (native Informix protocol) and DRDA (IBM protocol). They are identified automatically for Informix traffic with no additional settings. The Server Type attribute shows INFORMIX for the SQLEXEC protocol and IBM INFORMIX (DRDA) for the DRDA protocol.

Note: TERADATA has a silent login and allows clients to auto-reconnect. To block Teradata statements in a policy, use the S-TAP firewall function with default state ON and unwatch safe users.
DB User The database user. For more information, see Values and groups of values in rules.
Error Code The error code (for an exception). For more information, see Values and groups of values in rules.
Exception Type

The type of exception (selected from the list).

SECURITY_INCIDENT is an exception type generated using the session level policy actions LOG EXCEPTION or THROW EXCEPTION. In general, security incidents are detected either through manually-created policy actions or by one of the predefined security incident templates. For more information, see Security incident policies.

Note: A session closed by GUI timeout, in an Exception rule, does not produce a Session Error (Session_Error).
Field Name

The field name. For more information, see Values and groups of values in rules.

If the Every member in group option is selected, all fields of the SQL statement must be a member of the defined group. However, the SQL statement does not need to contain all members of the group. For example, for the group DB_TABLES_PROD with members students, module, marks:
  • For the query select * from students;, the object students is in the group and triggers the rule.
  • For the query select * from students, module, marks;, all three objects are in the group, which triggers the rule.
  • For the query select * from students, test;, the object test is not in the group and does not trigger the rule when the Every member in group option is selected. However, it triggers the rule if the In group option is selected, since students is a member of the group.
Min. Ct. The minimum number of times the condition that is contained in the rule must be matched before the rule is satisfied (subject to the Reset interval).
Net. Protocol The network protocol. For more information, see Values and groups of values in rules.
Object

The object name. For more information, see Values and groups of values in rules.

For Sybase and MS SQL Server, two groups MASKED_SP_EXECUTIONS_SYBASE and MASKED_SP_EXECUTIONS_MS_SQL_SERVER include names of stored procedures. If an included procedure runs, then everything is masked.

If the Every member in group option is selected, all fields of the SQL statement must be a member of the defined group. However, the SQL statement does not need to contain all members of the group. For example, for the group DB_TABLES_PROD with members students, module, marks:
  • For the query select * from students;, the object students is in the group and triggers the rule.
  • For the query select * from students, module, marks;, all three objects are in the group, which triggers the rule.
  • For the query select * from students, test;, the object test is not in the group and does not trigger the rule when the Every member in group option is selected. However, it triggers the rule if the In group option is selected, since students is a member of the group.
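As an added example (not Guardium code), the following Python reproduces the In group versus Every member in group evaluation described for the Command, Field Name, and Object fields, using the DB_TABLES_PROD group and the three statements from the text. The FROM-clause parser is a deliberate simplification for those statements (comma-separated tables, optional alias, no joins or subqueries); it is not the appliance's SQL parser.

```python
import re

# Group from the text: DB_TABLES_PROD with members students, module, marks
DB_TABLES_PROD = {"students", "module", "marks"}

def objects_in_from(sql):
    """Return the table names referenced in a simple FROM clause, lowercased.
    Assumption (example's own): comma-separated tables with an optional alias,
    terminated by WHERE, a semicolon, or end of statement; no joins or subqueries."""
    m = re.search(r"\bfrom\s+(.+?)\s*(?:\bwhere\b|;|$)", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        return []
    return [part.strip().split()[0].lower()
            for part in m.group(1).split(",") if part.strip()]

def rule_triggers(sql, group, mode):
    """mode "in_group": the rule triggers if any referenced object is a member.
    mode "every_member": every referenced object must be a member, but the statement
    need not reference all members of the group."""
    objs = objects_in_from(sql)
    if mode == "in_group":
        return any(o in group for o in objs)
    if mode == "every_member":
        return bool(objs) and all(o in group for o in objs)
    raise ValueError(f"unknown mode {mode!r}")

def demo():
    """The three statements from the text under both group options."""
    statements = [
        "select * from students;",
        "select * from students, module, marks;",
        "select * from students, test;",
    ]
    return {s: (rule_triggers(s, DB_TABLES_PROD, "in_group"),
                rule_triggers(s, DB_TABLES_PROD, "every_member"))
            for s in statements}
```

The difference matters for a rule that is meant to catch joins between production tables and anything outside the group: with In group, select * from students, test; fires because students alone is a member, whereas Every member in group stays silent on exactly that statement, so choose the option that matches the condition you intend to detect.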
Object/Command Group Match a member of the selected Object/Command group.
Object/Field Group Match a member of the selected Object/Field group.
OS User Operating system user. For more information, see Values and groups of values in rules.
Pattern A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click the Regex button to open the Build Regular Expression tool, which allows you to enter and test regular expressions.
Time Period To make the rule sensitive to a single time period, select a pre-defined time period from the Period list or click the Period button to define a new time period.
Rec. Vals. When marked, the actual construct causing the rule to be satisfied will be logged, and available in reports, in the SQL String attribute. For a policy violation only, if not marked, no SQL statements will be logged.
Records Affected Threshold

Access rule only. Set a threshold value for matched records, for example, let 100 records be affected before taking action.

This field affects the rule output rather than the rule definition (that is, what happens when it is triggered, rather than when should it trigger).

You can select how to calculate the records affected threshold. The choices are as follows:
  • Per session
  • Per single query
  • By the exceeded row count, that is, when the number of affected records exceeds the number of records that the Guardium sniffer is configured to process at one time

If the threshold reaches the specified number, and any other rule criteria are matched, the defined rule actions are triggered.

Replacement Character

Define a masking character.

If the output matched by the extrusion rule matches the regular expression, the portions matched by sub-expressions between parentheses '(' and ')' are replaced by the masking character.

Reset Interval Used only if the Min. Ct. field is greater than zero. This value is the number of minutes after which the condition met counter will be reset to zero.
Response length threshold For access rules: Tracks the size of data packets, in bytes, returned from the server for a successful SQL query. You can set the response length and the response length threshold as follows:
  • Per session (calculates the sum of all response lengths in the session)
  • Per single query (stores the response length for each SQL query)
Revoke This checkbox appears on extrusion rules only. It allows you to exclude from logging a response that has already been selected for logging by a previous rule in the policy. In most cases you can accomplish the same result more simply by defining a single rule with one or more NOT conditions to exclude the responses you do not want, while logging the remaining ones that satisfy the rule. (The Revoke checkbox pre-dates NOT conditions, and is provided mainly for backward compatibility to support existing policies.)
Rule Description

The name of the rule. To use a special pattern test in the rule, enter the special pattern test name followed by a space and one or more additional characters to make the rule name unique, for example: guardium://SSEC_NUMBER employee. (See Special Pattern Tests for more information.)

When displayed, the name is prefaced with the rule number and the label Access Rule, Exception Rule, or Extrusion Rule, to identify the rule type. If the rule was generated using the Suggest From DB function, the generated name has the format Suggested Rule <n>_mm-dd hh:mm, where:
  • n is the sequence number of the generated rule
  • mm-dd is the month and day the rule was generated
  • hh:mm is the time the rule was generated

Server IP

Clear the Not box to include, or mark the Not box to exclude:

  • Any server: Leave all server fields blank. The count will be incremented every time any server satisfies the rule. (You cannot leave all fields blank if the Not box is marked.)
  • All servers selected by an IP address and mask: Enter a server IP address in the first box, and network mask in the second box. The count will be incremented each time that any of the specified servers satisfies the rule. For example, to select all servers in subnet 192.168.3.x, enter 192.168.3.1 in the first box, and 255.255.255.0 in the second box.
  • A group of servers: Select a group of server IP addresses from the Group drop-down list or click the Groups button to define a new group and then select that group. The count will be incremented each time that any member of the specified group satisfies the rule.
  • All servers selected by an IP address and mask AND a group of servers: Use both the Server IP and Group fields. The count will be incremented each time that any server specified using either method satisfies the rule.

Wildcards are allowed in IP addresses: the % wildcard is permitted in a Server IP group.

Service Name The service name. For more information, see Values and groups of values in rules.
Severity Select a severity code from the list: INFO, LOW, NONE, MED or HIGH. If HIGH is selected and email alerts are sent by this rule, the email will be flagged Urgent.
SQL Pattern A regular expression to be matched, in the Pattern box. You can enter a regular expression manually, or click Regex to open the Build Regular Expression tool, which allows you to enter and test regular expressions.
Restriction: SQL Pattern is not supported for redaction rules.
Src app Application source program. For more information, see Values and groups of values in rules.
Trigger Once Per Session

Do not analyze the session for the same rule after the first match. Especially effective for “Selective Audit” policies.
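As an added example (not Guardium's implementation), the following Python models how Continue to Next Rule, Min. Ct. with Reset Interval, and Trigger Once Per Session interact while a policy's rules are evaluated against one event. The rule criteria are reduced to a predicate, the action strings are illustrative labels rather than Guardium action names, event times are in minutes, and the assumption that a Min. Ct. counter keeps satisfying the rule after the threshold is reached until the Reset Interval clears it is the example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]   # the rule's criteria, reduced to one predicate
    action: str                       # illustrative label, not a Guardium action name
    continue_to_next: bool = False    # Continue to Next Rule
    min_ct: int = 0                   # Min. Ct. (0 = satisfied on first match)
    reset_interval_min: int = 0       # Reset Interval in minutes; used only if min_ct > 0
    trigger_once_per_session: bool = False

@dataclass
class RuleState:
    count: int = 0
    window_start: Optional[float] = None      # minute at which the counting window opened
    fired_sessions: Set[str] = field(default_factory=set)

class PolicyEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[str, RuleState] = {r.name: RuleState() for r in rules}

    def evaluate(self, event: dict) -> List[Tuple[str, str]]:
        """Evaluate one event in policy order. event["session"] is the session id and
        event["t"] the time in minutes. Returns the (rule name, action) pairs that fired."""
        fired = []
        for rule in self.rules:
            st = self.state[rule.name]
            if rule.trigger_once_per_session and event["session"] in st.fired_sessions:
                continue                       # session is no longer analysed for this rule
            if not rule.matches(event):
                continue
            if rule.min_ct > 0:
                # Assumption (example's own): the counter is per rule, is cleared once
                # reset_interval_min minutes have passed since the window opened, and the
                # rule stays satisfied on every further match until that reset.
                if (rule.reset_interval_min and st.window_start is not None
                        and event["t"] - st.window_start >= rule.reset_interval_min):
                    st.count, st.window_start = 0, None
                if st.window_start is None:
                    st.window_start = event["t"]
                st.count += 1
                if st.count < rule.min_ct:
                    continue                   # condition met, but threshold not yet reached
            fired.append((rule.name, rule.action))
            if rule.trigger_once_per_session:
                st.fired_sessions.add(event["session"])
            if not rule.continue_to_next:
                break                          # default: stop at the first satisfied rule
        return fired

if __name__ == "__main__":
    engine = PolicyEngine([
        Rule("log-dba", lambda e: e["user"] == "dba", "log", continue_to_next=True),
        Rule("alert-dba", lambda e: e["user"] == "dba", "alert", min_ct=3, reset_interval_min=5),
        Rule("catch-all", lambda e: True, "log", trigger_once_per_session=True),
    ])
    for t in range(4):   # constructed sample events
        print(t, engine.evaluate({"session": "S1", "t": t, "user": "dba"}))
```

Rule order is the security-relevant point: without Continue to Next Rule, a broad logging rule placed first silently prevents an alerting rule below it from ever being tested, and a Min. Ct. rule that is never reached cannot accumulate its count.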

XML Pattern

A regular expression to be matched, in the Pattern box. Enter the regular expression manually; the Regex button opens the Build Regular Expression tool, which allows you to enter and test regular expressions.

Full_SQL return values using MSSQL

In MSSQL, the sp_cursoropen and sp_cursorfetch stored procedures are used for SELECT database queries.

sp_cursoropen holds the original statement, while the FULL_SQL return value in an Extrusion rule appears as sp_cursorfetch instead of Select * from ___________.