IBM Support

Guardium S-GATE Attach rule does not trigger on sqlplus login of Oracle SYS user

Troubleshooting


Problem

I am logging in as SYS user on Oracle via sqlplus. I notice S-GATE policy actions do not trigger as expected on the session login.

Symptom

S-GATE actions do not trigger on the login of SYS user in the case of:

  • Logging in with sqlplus on Oracle.
  • The firewall is in open mode (firewall_default_state=0).

S-GATE actions do trigger on the first SQL statement in the session.

Cause

A SYS login via sqlplus does not produce any SQL associated with the login packets. S-GATE firewall actions normally need an SQL statement in order to trigger, because the functionality is controlled by the logger part of the sniffer.

Diagnosing The Problem

The following example shows the problem:

1. firewall_default_state=0 in the guard_tap.ini
2. Policy with S-GATE attach action for DB User=SYS
3. Policy with S-GATE terminate action for DB User=SYS and Command = Insert

After logging in via sqlplus as SYS, an insert statement can be run without the session being terminated. This is the case even if a long time passes between the login and running the insert.

This is because the login packet does not trigger the attach rule. The insert triggers the attach rule, then another SQL is required to trigger the terminate rule.

Assuming good sniffer performance, the session terminate signal is sent when a second insert statement is run. Note that if the firewall is in open mode there is always a risk of further SQL statements being run before the session is terminated. Be aware of the trade-offs between firewall open and closed mode as discussed here.

Resolving The Problem

This problem is resolved in v9.5 p609 and above. Follow these steps:

1. Install p609 or a more recent GPU on the affected appliances.

2. Create a GDM_ANALYZER rule via the CLI to attach affected sessions immediately on the login packet. Use the following command:

    store gdm_analyzer new

    Set the parameters:

    Rule type: 3. Send Verdict
    Rule Action: 1. Watch
    Database Protocol: 34. Oracle
    Server IP (optional): <server IP of affected traffic>
    Server IP mask (optional): <appropriate mask for the ip>
    Service Name (optional): <service name of affected traffic>
    Pattern: DB_USER
    Format: SYS

3. S-GATE actions should now trigger on the login packets of the SYS user. If the problem remains, sniffer performance may be the cause. If you need to contact IBM Support for this issue, attach the output of the CLI command support must_gather sniffer_issues.


Document Information

Modified date:
16 June 2018

UID

swg21973039