IBM Support

REDACT function in InfoSphere Guardium might match to strings composed from multiple columns in the result set

Question & Answer


Question

The REDACT function in an InfoSphere Guardium policy rule may produce an overly masked result, or it may cause an ORA-03106 error in Oracle traffic. Why does this happen?

Cause

The REDACT function in an InfoSphere Guardium policy rule pattern-matches the result set and replaces each matched string with the user-specified character. This replacement is performed on the S-TAP side, which does not recognize the individual column values in the result set: it pattern-matches one concatenated string that contains all of the column data, and that string may also contain control codes that depend on the DBMS protocol.

For example, in Oracle traffic the length information precedes the actual data of each varchar2 column, so the length information itself may be replaced with another character if it matches the regular expression defined in the policy.

Answer

This is a limitation of the current version of Guardium. You need to choose a regular expression pattern that avoids unexpectedly masked results.

For example, suppose a varchar2 column holds 12-digit numbers and you need to mask the last 4 digits with '*' (e.g. "1111222233334444" should be replaced with "111122223333****") in Oracle traffic. In this case:

[bad example]

The regular expression "[0-9]{8}([0-9]{4})" matches any 12-digit number, but because of the current limitation of the REDACT function it may also hit a concatenated value composed of multiple columns.

[workaround]

Use the regular expression "[\x0c]{1}[0-9]{8}([0-9]{4})". This regular expression requires the match to start with the column's length byte (0x0c = 12 bytes) followed by 12 digits, and replaces the last 4 digits.

This workaround was verified/confirmed by Guardium development with the UNIX S-TAP. If it does not work in your environment, contact IBM Technical Support for further analysis.

[NOTE] The REDACT function of the Windows S-TAP supports neither [\x**] (where ** is a two-digit hex code) nor the {n} regular expression quantifier.
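The following added example (not Guardium code, and not the real Oracle wire format) models the behaviour described above: each varchar2 value is encoded as a constructed one-byte length prefix followed by its bytes, the whole row is concatenated as the S-TAP sees it, and both the [bad example] and [workaround] patterns are applied so you can see when a length byte gets masked and the row no longer decodes.

```python
import re

# Constructed simplification of the protocol detail described above: each
# varchar2 value travels as a one-byte length followed by its bytes. Real
# Oracle traffic is more complex; this shape is enough to show the failure.
def encode_row(values):
    return b"".join(bytes([len(v)]) + v for v in values)

def decode_row(buf):
    """Parse length-prefixed values; raise ValueError when a length byte no
    longer agrees with the data (the corruption behind the ORA-03106 symptom)."""
    out, i = [], 0
    while i < len(buf):
        n, i = buf[i], i + 1
        if i + n > len(buf):
            raise ValueError("length byte points past end of buffer")
        out.append(buf[i:i + n])
        i += n
    return out

def redact(buf, pattern, mask=b"*"):
    """One pass over the concatenated buffer, masking capture group 1 of each
    match, as the S-TAP does: it sees bytes, not columns."""
    def repl(m):
        head = m.group(0)[: m.start(1) - m.start(0)]
        tail = m.group(0)[m.end(1) - m.start(0):]
        return head + mask * (m.end(1) - m.start(1)) + tail
    return re.sub(pattern, repl, buf)

def redact_row(row, pattern):
    """Encode, redact, decode; return the columns the client would see, or
    None when the masked buffer no longer parses as the same row."""
    try:
        cols = decode_row(redact(encode_row(row), pattern))
    except ValueError:
        return None
    return cols if len(cols) == len(row) else None

NAIVE = rb"[0-9]{8}([0-9]{4})"              # the [bad example] pattern
ANCHORED = rb"[\x0c]{1}[0-9]{8}([0-9]{4})"  # the [workaround] pattern

if __name__ == "__main__":
    # A length byte of 48 (0x30) is ASCII "0", so the naive pattern can run
    # from one column through the length byte into the next column.
    rows = ([b"111122223333", b"abc"], [b"12345678", b"9" * 48],
            [b"1111222233334444"])
    for row in rows:
        print(row, redact_row(row, NAIVE), redact_row(row, ANCHORED))
```

The second constructed row shows the naive pattern masking a length byte so the row no longer decodes, while the anchored pattern leaves it untouched; the third shows the naive pattern masking the wrong four digits of a 16-digit value that the anchored pattern correctly ignores.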

Applies to: IBM Security Guardium versions 8.2, 9.0 and 9.1 on AIX, HP-UX, Linux, Solaris and Windows.

Document Information

Modified date:
16 June 2018

UID

swg21677608