IBM Support

Rule does not trigger if the Command field of a Guardium policy rule is misconfigured

Troubleshooting


Problem

Administrators should be very careful when using the Command field in InfoSphere Guardium policy rules. The Command field value should match the value of "SQL Verb" in the Command entity, plus a wildcard if necessary. Administrators can build a report showing the SQL Verb for the traffic they expect to monitor with the policy.

Symptom

Rules with a value in the policy Command field do not trigger as expected.

Resolving The Problem

The value in the Command field of the rule should exactly match a value shown in SQL Verb, plus a wildcard (%) as needed.

Correct:

    GRANT
    GRANT%

Incorrect:

    GRANT% TO PUBLIC
    %GRANT% ADMIN OPTION%

In the example above, "ADMIN OPTION" and "TO PUBLIC" will never match and trigger a rule because the Guardium parser does not recognize them as a part of a command. Generally, the parser does not consider command modifiers to be part of a command.

Create a report to inspect the traffic the policy should monitor and include the SQL Verb field from the Command entity in that report. Anything listed in the SQL Verb field will be recognized by the parser and may be used in the Command field of a policy rule.

If desired, several commands can be added to a group and the group can be used in the rule instead of a single command. In this case, each group member should exactly match an entry in SQL Verb. Guardium includes several such command groups which you can use or clone.
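The check described above can be scripted before a policy is installed. This is an added example, not IBM or Guardium code: it tests candidate Command field values (or command group members) against SQL Verb values copied from a report. The verb list is constructed sample data, and treating `%` as matching any run of characters, ignoring case, is an assumption about the matching rules.

```python
import re

# Constructed sample: SQL Verb values as copied from a report on the Command
# entity. Replace with the values from your own report.
SAMPLE_SQL_VERBS = ["SELECT", "INSERT", "UPDATE", "GRANT", "REVOKE"]


def wildcard_to_regex(pattern):
    """Translate a '%'-wildcard pattern into a regex.

    Assumption: '%' stands for any run of characters and comparison ignores
    case. Every other character is matched literally.
    """
    parts = [re.escape(p) for p in pattern.strip().split("%")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def matching_verbs(command_value, sql_verbs):
    """Return the SQL Verb values that a Command field value matches in full."""
    rx = wildcard_to_regex(command_value)
    return [v for v in sql_verbs if rx.fullmatch(v.strip())]


def lint_command_values(command_values, sql_verbs):
    """Map each Command value (or group member) to the verbs it matches.

    An empty list means the value matches nothing seen in the report, so a
    rule using it would not be expected to trigger on that traffic.
    """
    return {c: matching_verbs(c, sql_verbs) for c in command_values}


def dead_values(command_values, sql_verbs):
    """Command values that match no observed SQL Verb."""
    result = lint_command_values(command_values, sql_verbs)
    return [c for c, hits in result.items() if not hits]


if __name__ == "__main__":
    # The four values from the Correct / Incorrect lists in this document.
    candidates = ["GRANT", "GRANT%", "GRANT% TO PUBLIC", "%GRANT% ADMIN OPTION%"]
    for value, hits in lint_command_values(candidates, SAMPLE_SQL_VERBS).items():
        status = "matches " + ", ".join(hits) if hits else "NO MATCH"
        print(f"{value!r}: {status}")
```

Values reported as NO MATCH contain text that does not appear in any SQL Verb value, such as a command modifier.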

Product: IBM Security Guardium. Component: Guardium Central Manager and Aggregator. Platform: Linux. Versions: 9.0, 8.2, 8.0. Edition: All Editions.

Document Information

Modified date:
16 June 2018

UID

swg21641798