Automate and integrate the following audit activities into a compliance
workflow:
- The ability to group multiple audit tasks (reports, vulnerability
assessments, etc.) into one process.
- Schedule these processes to run on a regular basis.
- Run these tasks in the background.
- Write the task results to a comma-separated value (CSV) file or
ArcSight Common Event Format (CEF) file and/or forward the results
to other systems using Syslog.
- Add comments and notations.
- Assign the process to its originator for viewing (he/she will
get a new item in their To-Do list once the result is ready).
- Assign the process for other users or to a group of users or a
role.
- Create the requirement that these assignees sign on the result.
- Allow escalation of the result (assign to someone outside of the
original audit trail).
The Audit Process Log report shows a detailed activity log for
all tasks including start and end times.
A compliance workflow automation process answers the following
questions:
- What type of report is needed?
- Who should receive this information and how are signoffs handled?
- What is the schedule for delivery?
Further elements of the compliance workflow automation process
include:
- A process definition
- A distribution plan, which:
- Defines receivers, who can be individual users, user groups, or
roles. (See Process Receivers.)
- Defines the review/sign responsibility for each receiver.
- Defines the distribution sequence by setting the Continuous flag.
- A set of reports that can be included in an audit process
- A schedule - The audit process can be run immediately, or a schedule
can be defined to run the process on a regular basis
Stop an audit process
Stopping an audit
process can be performed only if the audit tasks have not been run
or are running. Stopping an audit process will not execute any more
tasks that have not started. Stopping an audit process does not deliver
partial results. The audit process stops and a stopped error message
is the result. However, if tasks are complete, stopping an audit process
will not stop the sending of results.
Stop an audit process
by invoking GuardAPI (place the cursor on any line and double-click
for a drill-down) from the Audit Process Log Report.
For any user, stopping an audit process displays only the line belonging
to that user (just the tasks, not all the details). An admin user
can see all the details and can stop anyone's audit processes. A user
can only stop their own audit processes.
Note: Queries using a remote source cannot be stopped. Online reports
using a remote source cannot be stopped.
Results Distribution
Audit process receivers
will be notified via email and/or their To-Do list of pending audit
process results. You can designate any receiver as a signer for a
process, in which case the results can optionally be held at that
point on the distribution list, until that receiver electronically
signs the results or releases them. Receivers can be individual users,
user groups, or roles.
Audit Process Summary
In the Audit Process
Finder screen is the Audit Process Status Summary. This section contains
information on scheduled audit processes, as well as results, receivers
outstanding and errors. This summary is a consolidation of data from
multiple audit process reports.
There is also a button to delete
any audit process results. See the Audit Process Finder screen. Look
for the Results button, next to the Run Once Now button (choices of
View or Delete).
Audit process results can be deleted, but who deleted the report is
tracked or logged. The audit-delete role is used to track or log when
an audit process result has been deleted. Users with the audit-delete
role can delete reports. Admin users can also delete reports. Tracking
is done through the User Activity Audit Trail report.
Process Receivers
You can define any number
of receivers for a workflow automation process, and you control the
order in which they receive results. In addition, receivers can notify
additional receivers, using the Escalate function. It is also possible
to run an audit process with no defined receivers. For example, an
audit process with no receivers that writes to syslog and has no need
to review (or sign) the results.
Who can be a receiver?
On the Process Definition
panel, the drop-down list of receivers includes all Guardium® users, user groups, and roles (groups
and roles are labeled as such). When a group or role is selected,
all users belonging to the group or having that role will receive
the results.
If a group receiver is selected, and any workflow
automation task uses the special run-time parameter ./LoggedUser in
a query condition, the query will be executed separately for each
user in the group, and each user will receive only their results.
If a group receiver
is selected, and sign-off is required, each group member must sign
the results separately (as explained earlier, each member of the group
may be looking at a different set of results).
A receiver can also be just an email address, in which case the results
are sent to that email address. When entering an email address, you
are required to enter a user that will be used to filter the data. That
user must be either the logged-in user or a user below the logged-in
user in the data hierarchy.
If a role receiver is selected,
only one user with that role will need to sign the results, and other
users with that role will be notified when the results have been signed.
Email Notification
Optionally, receivers can be notified of new process results via email,
and there are two options for distributing results via email: a link
to the results on the Guardium system, or a copy of the results sent
as an attachment (see the Email Notification column under Add Receivers).
Hypertext Links to Process Results
In email
messages, there are conditions where links to process results on the Guardium system will not work.
For example:
- If you are accessing email from a location where you cannot normally
access the Guardium system,
the links will not work. For example, when out of the office, you
may have access to your email over the Internet, but not to your company's
private network or LAN, where the system is installed.
- If you have not accessed your email for a longer period of time
than the report results are kept, those results will not be available
when you click the link. For example, if the results are kept for
seven days but you have been on vacation for two weeks, your email
may contain links to results older than seven days, and those links
will not work.
About Frozen Receivers Links
Once a process
has been run, the existing receiver list is frozen, which means:
- You cannot delete receivers from the list.
- You cannot move existing receivers up or down in the list.
- You can add receivers to the end of the list at any time, and reposition
the new receivers at that time.
- If the Guardium user
account for a receiver on the list is deleted, the admin user account
(which is never deleted) is substituted for that receiver. Thus the
admin user receives any email notifications that would have been sent
to a deleted receiver, and the admin user must act upon any results
released to that receiver.
- If you need to create a totally different set of receivers for
an existing process, deactivate the original process, make a clone
of it, and then make the modifications to the receivers list in the
cloned version before saving it.
How Results are Released to Receivers
Results
are released to the Guardium users
listed on the receivers list, subject to the Continuous check box,
as follows:
- If the Continuous check box is marked, distribution continues
to the next receiver on the list without interruption.
- If the Continuous check box is cleared, distribution to the next
receiver is held until the current receiver performs the required
action (review or sign).
For example, assume you want to define a workflow process
as follows:
- DBAs - All DBAs should receive their results at the same time,
with each DBA receiving a different result set based on the server
IPs associated with him/her.
- Only when all DBAs have signed should the DBA Manager see the
results.
- Only when the DBA Manager releases the report should the Auditors
see the results.
- All Auditors should receive the reports at the same time, but
only one of them (any of them) needs to sign each result. The others
will be updated when a result has been signed.
- An auditor can escalate a result to the Audit Manager.
To define this flow:
- The DBAs group would be named as the first receiver
- The DBA Manager would be next on the list.
- The Auditors role (not group) would be next on the list. Any Auditor
could sign and others will be notified. Also, any auditor can escalate
a results set to the Audit Manager.
Note: The results will only distribute to the next receiver when the
current receiver has marked the Continuous check box. This is completely
separate from the review/sign functionality and does not depend on
the review/sign functionality at all.
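As an added illustration (not Guardium code), the following Python model walks the DBA / DBA Manager / Auditors flow above: a group receiver needs every member to act, a role or single user needs one, a cleared Continuous box holds the result until the receiver acts or clicks Continue, and escalation is limited to users and roles. All receiver and user names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    USER = "user"
    GROUP = "group"   # every member must review/sign separately
    ROLE = "role"     # one member acting is enough; the rest are notified


@dataclass(frozen=True)
class Receiver:
    name: str
    kind: Kind
    members: tuple = ()           # users behind a group or role (constructed sample data)
    sign_required: bool = False   # "Review and Sign" rather than plain "Review"
    continuous: bool = False      # the Continuous check box for this receiver

    def covers(self, user):
        return user == self.name if self.kind is Kind.USER else user in self.members


@dataclass
class Distribution:
    receivers: list
    released: list = field(default_factory=list)   # receivers that can currently see the result
    acted: dict = field(default_factory=dict)      # receiver name -> users whose action counted

    def __post_init__(self):
        self._release_from(0)   # running the process releases the result to the first receiver

    def _release_from(self, i):
        # Release receiver i and, while Continuous is set, the ones after it without interruption.
        while i < len(self.receivers) and self.receivers[i].name not in self.released:
            r = self.receivers[i]
            self.released.append(r.name)
            self.acted.setdefault(r.name, set())
            if not r.continuous:
                break   # held until this receiver reviews/signs or clicks Continue
            i += 1

    def _index(self, name):
        for i, r in enumerate(self.receivers):
            if r.name == name:
                return i
        raise KeyError(name)

    def _satisfied(self, r):
        done = self.acted[r.name]
        # A group needs every member to act; a role or single user needs one action.
        return set(r.members) <= done if r.kind is Kind.GROUP else bool(done)

    def act(self, user, receiver_name, signed=False):
        """`user` views (signed=False) or signs (signed=True) the result as `receiver_name`."""
        i = self._index(receiver_name)
        r = self.receivers[i]
        if r.name not in self.released or not r.covers(user):
            raise PermissionError(f"{user} has no pending result as {receiver_name}")
        if r.sign_required and not signed:
            return list(self.released)   # viewing alone does not satisfy Review and Sign
        self.acted[r.name].add(user)
        if self._satisfied(r):
            self._release_from(i + 1)
        return list(self.released)

    def release_without_action(self, receiver_name):
        """The Continue button: pass the result to the next receiver unviewed and unsigned."""
        if receiver_name not in self.released:
            raise PermissionError(f"{receiver_name} does not hold the result")
        self._release_from(self._index(receiver_name) + 1)
        return list(self.released)

    def escalate(self, receiver_name, new):
        """Escalate from a current holder to one more user or role (groups are not allowed)."""
        if new.kind is Kind.GROUP:
            raise ValueError("results cannot be escalated to a group, only to users or roles")
        if receiver_name not in self.released:
            raise PermissionError(f"{receiver_name} does not hold the result")
        self.receivers.append(new)
        self.released.append(new.name)
        self.acted.setdefault(new.name, set())
        return list(self.released)


# Constructed sample flow: DBAs group -> DBA manager -> Auditors role (user names are invented).
def dba_flow():
    return Distribution([
        Receiver("DBAs", Kind.GROUP, ("alice", "bob"), sign_required=True),
        Receiver("dba_manager", Kind.USER),
        Receiver("Auditors", Kind.ROLE, ("dave", "erin"), sign_required=True, continuous=True),
    ])
```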
Note: Process
results that are exported to CSV or CEF files are sent to another
network location by the Guardium archiving
and exporting mechanism. These results are not subject to the receivers
list or to any signing actions. They are subject to the Guardium CSV/CEF export schedule (if any
is defined), and they are subject to the access permissions that have
been granted for the directory in which they are ultimately stored.
Exporting Audit Task Output to CSV, CEF or PDF Files
Reports
containing information that can be used by other applications, or
reports containing large amounts of data, can be exported to other
file formats. Report, Entity Audit Trail, and Privacy Set task output
can be exported to CSV (Comma Separated Value) files, and output for
database activity reports can be exported to an ArcSight Common Event
Format (CEF) file.
In addition, CEF and CSV
file output can be written to syslog. If the remote syslog capability
is used, this will result in the immediate forwarding of the output
CEF/CSV file to the remote syslog locations. The remote syslog function
provides the ability to direct messages from each facility and severity
combination to a specific remote system. See the remotelog (syslog)
CLI command description for more information.
Each record
in the CSV or CEF file represents a row on the report.
The exported file is created in addition to the standard task output;
it does not replace it. These files are useful when you need to:
- Integrate with an existing SIEM (Security Incident and Event Manager)
in your infrastructure (QRadar, ArcSight, Network Intelligence, LogLogic,
TSIEM, etc.).
- Review and analyze very large compliance task results sets. (Task
results sets that are intended for Web presentation are limited to
5,000 rows of output, whereas there is no limit to the number of rows
that will be written to an exported CSV or CEF file.)
Exported CSV and CEF files are stored on the Guardium system, and are named in the format:
process_task_YYYY_MMM_DD-HHMMSS.<csv | cef>
Where
process is a label you define on the audit process definition, task
is a second-level label that you can define for each task within the
process, and YYYY_MMM_DD-HHMMSS is a date-time stamp created when
the task runs.
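As an added example (not part of the Guardium product), a Python parser for this file-name format that an administrator's copy job could use to sort exported files by process label and to find files older than a retention period. It assumes MMM is an English three-letter month abbreviation and that a compressed export carries a trailing .gz; all labels, names and dates are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example, not Guardium code.  Exported file names look like
#   process_task_YYYY_MMM_DD-HHMMSS.csv|cef
# with ".gz" appended when the task's Compress box is set.  MMM is assumed to be
# an English three-letter month abbreviation such as Mar.
NAME_RE = re.compile(
    r"^(?P<labels>.+)_(?P<stamp>\d{4}_[A-Za-z]{3}_\d{2}-\d{6})"
    r"\.(?P<fmt>csv|cef)(?P<gz>\.gz)?$"
)


@dataclass(frozen=True)
class ExportFile:
    name: str
    process: Optional[str]   # None when no known process label matches
    task: Optional[str]
    stamp: datetime          # when the task ran
    fmt: str                 # "csv" or "cef"
    compressed: bool         # True for .csv.gz / .cef.gz


def parse_export_name(name, process_labels=()):
    """Parse one exported file name.  Process and task labels are free text and
    may themselves contain '_', so the split between them is only reliable when
    checked against the process labels defined in the audit process definitions."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an audit export file name: {name}")
    labels = m["labels"]
    process = task = None
    for label in sorted(process_labels, key=len, reverse=True):   # longest label first
        if labels.startswith(label + "_"):
            process, task = label, labels[len(label) + 1:]
            break
    stamp = datetime.strptime(m["stamp"], "%Y_%b_%d-%H%M%S")
    return ExportFile(name, process, task, stamp, m["fmt"], m["gz"] is not None)


def route_exports(names, process_labels, now, keep_days):
    """Sort export files into one bucket per process label (so each bucket can be
    copied to a directory with its own permissions); also return names that match
    no known process and names older than keep_days."""
    buckets = {label: [] for label in process_labels}
    unknown, expired = [], []
    for name in names:
        f = parse_export_name(name, process_labels)
        if now - f.stamp > timedelta(days=keep_days):
            expired.append(name)
        elif f.process is None:
            unknown.append(name)
        else:
            buckets[f.process].append(name)
    return buckets, unknown, expired


# Constructed sample directory listing and reference time.
SAMPLE_NAMES = [
    "pci_dss_failed_logins_2024_Mar_03-021500.csv.gz",
    "pci_dss_privileged_access_2024_Mar_03-021530.cef",
    "sox_schema_changes_2024_Feb_01-230000.csv",
    "adhoc_run_2024_Mar_02-120000.csv",
]
SAMPLE_NOW = datetime(2024, 3, 4)
```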
You cannot access the exported CSV or CEF
files directly on the Guardium system.
Your Guardium administrator
must use the CSV/CEF Export function to move these files from the Guardium system to another
location on the network. To access those files, check with your Guardium administrator to determine
the location to which they have been copied.
The fact that
exported files are sent outside of the Guardium system has two important implications:
- The release of these files is not connected to the results distribution
plan defined for the audit process. These files are exported on a
schedule defined by the Guardium administrator.
- Once the CSV/CEF Export function runs, all exported files will
be available to anybody (Guardium user
or not) who can access the destination directory defined for the CSV/CEF
Export operation. For this reason, your Guardium administrator may want to schedule
additional jobs (outside of the Guardium system)
to copy sets of exported files from the Guardium CSV/CEF Export destination directory,
to directories with appropriate access permissions.
CSV/CEF Export activity is available in the Aggregation/Archive
Activity report.
Note: If observed data level security
has been enabled,
then audit process output (including files) will be filtered so users
will see only the information of their assigned databases. Files sent
to an email receiver as an attachment will be filtered. However, files
downloaded locally on the machine and then moved elsewhere using the
Results Export function from Administration Console are not subject
to data level security filtering. See CSV/CEF Export later in this
topic for further information on CSV/CEF Export.
The following table summarizes what happens when exporting an Audit
Process file to CSV/CEF/PDF.
Table 1. Exporting Audit Task Output to CSV, CEF or PDF Files
Function | Level | CSV | CEF | PDF
Attach to email | Receiver | Full Details radio --> PDF check box | N/A | Full Details radio --> PDF check box (the radio buttons are only for receiver PDF)
Export file | Task | Export CSV file check box | Export CSV file check box | Export CSV file check box
Report empty and Approve if Empty = yes | Receiver | Export not affected (empty files will be exported); attachment: no email attachment | Export not affected (empty files will be exported); attachment: no email attachment | Export not affected (empty files will be exported); attachment: no email attachment
Zip attachment | Audit Process | If no file generated, nothing to zip; merge all CSVs into one ZIP file | N/A | If no file generated, nothing to zip; PDF is not zipped
Compress (export) | Task | Compressed, separate file for each CSV file | Compressed, separate file for each CSV file | PDF is not compressed
How Zip for Email and Compress work for Audit Task Output
Zip for Email is the highest level of control for Audit Task Export.
Zip for Email produces a set of CSV or CEF files. PDF is never zipped
and never compressed.
Compress works on individual files.
Note: For CSV attachments, when
Zip for Email is cleared, Compress can still be applied. And Compress
can be per task. Thus one Audit Task may send a .csv file while another
may send a .csv.gz file, in the same email.
The interaction
of Zip for Email and Compress is as follows:
- With Zip for email checked (regardless of whether Compress is
also checked), the attachment is one zip file of CSV files.
- With Zip for email not checked, and Compress checked, the attachment
is a set of csv.gz files.
- With Zip for email not checked, and Compress not checked, the
attachment is a set of csv files.
- With Compress checked, Download All will be csv.gz.
- With Compress cleared, Download All will be csv.
- With Compress checked or cleared, Download displayed will still
be csv.
- With Compress checked, export of CSV/CEF files will be gzipped.
- With Compress cleared, export of CSV/CEF files will not be gzipped.
Creating or Changing Reports
Use the Report
Builder to create or customize reports, including customization
such as applying highlight colors to rows. To open the Report
Builder, navigate to .
Create an Audit Workflow Process
- Open the Audit Process Builder by navigating
to .
- Click the
button to open the Audit Process Definition panel.
The panel is divided into three sections: General, Receivers and Tasks.
- Go to the Tasks section first. You must
define at least one audit task before you can save the process. Work
your way through each task in setting choices. Perform the appropriate
procedure for each audit task you want to include in the audit process.
The task choices detailed in this section are:
- Go to the Receivers section. Open the drop-down box and add the
receivers (see Add Receivers). For each receiver, the check boxes
determine the action required, whether the result is added to the
To-do list, email notification, and continuous distribution. Again,
see Add Receivers for complete information on setting these choices.
- Go to the General section. Enter a name
in the Description box. Do not include apostrophe
characters.
- Check the Active box to associate a schedule
with this process.
- Mark the Archive Results box if you want
to store the results offline after the retention period has expired.
When results have been archived, you can restore them to the system
for viewing again, later.
- Use the Archive Result purge before Reviewed box
to delete the results of an ad-hoc process without waiting until all
reviewers have reviewed, all sign-offs have taken place, and all workflow
activities have been completed. This feature gives the user the option of
deleting results after a specified period of time (such as 1 day) whether
the results have been reviewed or not.
- In the Keep for a minimum of (n) days or (n) runs boxes,
specify how long to keep the results, as either a number of days (0
by default) or a number of runs (5 by default). After that, the results
will be archived (if the Keep for a minimum box is marked) and purged
from the system.
Note: Results will only be shown if there are receivers
for the results. Add receivers, re-run the results and the run will
now show up in the dropdown list.
- If one or more tasks create CSV or CEF files, you can optionally
enter a label to be included in all file names, in the CSV/CEF File
Label box. These files can also be compressed, or Zipped, by clicking
on the Zip for mail box to add a checkmark.
Note: There is a limit on export of CSV/CEF files with sizes greater
than 10240 MB (10.240 GB). It is a recommended best practice to check
the Zip for mail box.
- The Email Subject field in the Audit Process
definition is used in the emails for all receivers for that audit
process. The subject may contain one (or more) of the following variables
that will be replaced at run time for the subject:
- %%ProcessName will be replaced with the audit process description
- %%ExecutionStart will be replaced with the start date and time
of the first task.
- %%ExecutionEnd will be replaced with the end date and time of
the last task.
When a subject is entered, the system checks whether any variable
(starting with %%) is present and ensures that all of them are valid variables.
- Optionally assign security roles.
- Optionally add comments.
- Click the appropriate buttons to Schedule or Run
an Audit Workflow Process.
- Click Save. Do not leave this menu screen
to perform another configuration before saving your work. Work-in-progress
is not saved and not held in half-created suspension if you leave
this section to go create something else needed for the audit task.
For
example, to define an assessment task in Audit Process Builder, it
is first necessary to go to Security Assessment Builder to create
assessment tests and then to Datasource Definitions to identify the
database(s) to be assessed. Save your work when creating Audit Workflow
and then go to other tasks or perform those other tasks first and
then create the Audit Workflow Process.
Add Receivers
- In the Receiver column, select a receiver
from the drop-down list of Guardium individual
users, groups, or roles. If you select a group or a role, all members
of the group or users with that role will receive the results; and
if signing is required, only one member or user will need to sign
the results.
- In the Action Required column, select one
option:
- Review (the default) - Indicates that this receiver does not need
to sign the results.
- Review and Sign - Indicates that this receiver must sign the results
(electronically, by clicking the Sign Results button when viewing
the results online).
- In the To-Do List column, either mark or
clear the Add check box to indicate whether
this receiver should be notified of pending results in their Audit
Process To-Do List.
Note: To send files to an external server without sending email and
without adding results to the To-do list, define an audit process
without receivers: do not add any receiver in the Receivers section,
and clear the To-do list check box in the Add Receiver section so that
no results are added to the To-do list.
- In the Email Notification column, select
one option:
- No - email will not be sent to the receiver.
- Link Only - email will contain a hypertext link to the results
(on the Guardium system).
- Results - email will contain a copy of the results in PDF or CSV
format. Be aware that the results from Classification or Assessment
tasks may return sensitive information.
- The check box in the Continuous column
controls whether or not distribution of results continues to the next
receiver (the default), or stops until this receiver has taken the
appropriate action. If the Continuous box is
cleared, and this receiver is a group or a role, when any user who
is a member of that group or role performs the selected action, the
results will be released to the next receiver on the list.
Note: The results will only distribute to the next receiver when the
current receiver has marked the Continuous check box. This is completely
separate from the review/sign functionality and does not depend on
the review/sign functionality at all.
- Click Add to add the receiver to the end
of the list, and repeat these steps for each receiver. One receiver
is required.
- Receivers who are not users are permitted. Choose Email and then
enter an email address, and the results will be sent to that email
address. When entering a non-user email address, you must also enter
a user name that will be used to filter the data. The user must be
the same user that is logged in or a user below the logged-in user in
the hierarchy. This user will be saved in a new column in the Receivers
section of the screen.
- Approve if Empty - When this check box
is checked, if all the reports of the task are empty, it will do the
following: automatically sign the result (and/or mark it as viewed);
automatically click Continue (if relevant);
will NOT send the notification email; will NOT add the task to the
To-Do list of that user; will NOT generate any PDF/CSV/CEF files.
With this check box, empty audit results will be signed automatically
and the results will still look like any other complete (viewed/signed)
audit results when looking at the audit result logs. This action will
apply to empty reports and the empty security assessment results.
See table summarizing what happens when Approve If Empty = YES in
the section Exporting Audit Task Output to CSV, CEF or PDF Files.
Export a CSV or CEF File
Report, Entity
Audit Trail, and Privacy Set audit task output can be exported to
CSV files, and Report audit task output can be exported to a CEF file.
From the Report, Entity Audit Trail or Privacy Set section under Audit
Tasks, work through the following:
- Select title.
- Enter an optional label for the file in the CSV/CEF File Label
box. The default is from the Description for
the task. This label will be one component of the generated file name
(another will be the label defined for the workflow automation process).
- Mark either Export CSV file or Export
CEF file.
Note: CEF file output is appropriate for data
access domain reports only (Access, Exceptions, or Policy Violations,
for example). Other domains like the Guardium self-monitoring domains (Aggregation/Archive,
Audit Process, Guardium Logins,
etc.) do not map to CEF extensions.
- If Export CEF file was selected, optionally
mark the Write CEF to Syslog box to write the
CEF records to syslog. If the remote syslog facility is enabled, the
CEF file records will thus be written to the remote syslog.
- If the Compress box is checked, then the
CSV/CEF files to be exported will be compressed.
- If the Export PDF file box is checked,
then a PDF file (with similar name as CSV Export file) for this Audit
Task is created and exported together with the CSV/CEF files.
Note: The
Export PDF file will not be compressed, even if the Compress box in
the previous step is checked.
Define a Report Task
If you have not yet
started to define compliance workflow automation process, create a workflow process before performing this procedure.
If the report to be used has not yet been defined, do that first.
- If the Add New Task pane is not open, click Add
Audit Task.
- Click the Report radio button.
- There are a number of choices for CSV/CEF File Label, Export CSV/CEF,
Export PDF, Write to Syslog, and Compress. See Export a CSV or CEF
File.
- The selection of PDF Options are: Report (the
current results), Diff (difference between
one earlier report and a new report) and Reports and Diff (both).
Note: The selection of PDF Options applies to both PDF attachments
and PDF export files. The Diff result applies only after the first
time this task is run; there is no Diff with a previous result if
there is no previous result. The maximum number of rows that can be
compared at one time is 5000. If the number of result rows exceeds
the maximum, the message (compare first 5000 rows only) will show up
in the diff result.
- Enter all parameter values in the Task Parameters pane.
The parameters will vary depending on the report selected.
- Click Apply.
API for automatic execution
By default,
the Guardium application
comes with setup data that links many of the API functions to reports,
providing users, through the GUI, with prepared calls to APIs from
reporting data. Use API Assignment in Reports to link additional API
functions to predefined Guardium reports
or custom reports. The menu choice API for automatic execution will
appear in the Add Audit Task: Report when selecting an appropriate
predefined Guardium report or custom report that has fields linked to
API parameters. Examples of predefined reports where the API for
automatic execution menu choice will appear are Access Policy Violations,
Databases Discovered, and Guardium Group Details.
View or Sign Results
- Open the Compliance Workflow Automation results.
- If signing is required, click the Sign Results button.
- Optional. To forward these results to another user, click Escalate,
and see Forward Results to Additional Receivers (in
Escalation section).
- Click Close this window link.
Note: If there are outstanding events, then the results can not
be signed either from the audit viewer or from the To-do list. If
there are outstanding events and an attempt is made to sign the results,
the following message appears:
Audit process cannot be signed - has pending events.
Please update all outstanding events prior to signing this result.
Note: When
viewing audit process results, if a result has events associated with
it, the Sign Results button is not available on this result until
all events are in a Final state or cannot be seen by this user (due
to data-level security).
Note: This report also contains a
date or Last Action Time, located in a column between Receiver and
Status. This report shows that the result was signed by user AAA,
but also when this user AAA signed this result.
Release Results without Signing or Viewing
- Open your To-Do List panel.
- Click the Continue button for the results
you want to release to the next receiver on the distribution list.
- Click Close this window link.
View Results Distribution
- Open the compliance workflow automation results.
- Expand the Distribution Status panel by
clicking the Show Details button.
- Click Close this window link.
View Receiver Comments Added to Results
- Open the compliance workflow automation results.
- Expand the Comments panel by clicking the Show
Details button.
Note: These are the comments that were
attached to the results when the report page was retrieved from the Guardium system. If you add
comments of your own, or if other receivers are adding comments simultaneously,
you will not see those comments until you refresh your page (using
your browser Refresh function).
- Click Close this window link.
Escalate Process Results
A receiver of process
results can forward the results notification for review and/or sign-off
to additional receivers. If you escalate the results to a receiver
outside of the original audit and sign-off trail, and the results
include a CSV file, that file will not be included with the notification.
Regardless of who is a receiver of an audit result, an escalation
can involve any user on the system, provided the Escalate result to
all users box is checked in the menu. A check mark in this box escalates audit process
results to all users, even if data level security at the observed
data level is enabled. The default setting is enabled. If the check
box is disabled (no check mark in the check box), then audit process
escalation will only be allowed to users at a higher level in the
user hierarchy. If the check box is disabled, and there is no user
hierarchy, then no escalation is permitted.
Also, depending
on event permissions, if for example, the infosec user can only see
events in status1 and dba user can only see events in status2, the
dba user will receive a different result than the result the infosec
user saw when the infosec user clicked Escalate. It is possible that
infosec will escalate to dba, and dba will receive an audit result
with 0 rows in it.
- If the compliance workflow automation results you want to forward
are not open, open them now.
- Click Escalate.
- Select the receiver from the Receiver list.
- In the Action Required column, select Review (the
default) or Review and Sign.
- Click the Escalation button to complete
the operation.
Note:
Audit process results cannot be escalated to
a group of users, only to users or roles.
When escalating to a user who already has the result in the user's
to-do list, a popup message will appear, asking if an additional email
should be sent. If yes, an additional email will be sent to the user,
but the to-do list will not be incremented.
Schedule or Run a Compliance Workflow Automation Process
- Open the Audit Process Builder by navigating
to .
- Select the process from the Process Selection List.
- Click Modify to open the Audit
Process Definition panel.
- To run the process once, click Run Once Now,
or to define a schedule for the process, click Modify Schedule.
Note: After
a schedule has been defined for a process, the process runs according
to that schedule only when it is marked active. To activate or deactivate
an audit process, see the next section.
Activate or Deactivate a Compliance Workflow Automation Process
After a schedule has been defined for an audit process,
it runs according to that schedule, only when it is marked active.
To
activate or deactivate an audit process:
- Open the Audit Process Builder by navigating
to .
- Select the audit process from the Process Selection
List.
- Click Modify.
- In the Audit Process Definition panel,
mark the Active box to start running the process
according to the schedule; or clear the Active box
to stop running the process (ignoring any schedule defined).
Note: If
you are activating the process but there is no schedule, click Modify
Schedule to define a schedule for running the process.
- Click Save.