Working With Audit Policies
Contents
Working with Audit Policies
Creating an Audit Policy
Configuring an Audit Policy
Configuring Audit Policy Match Criteria
Configuring an Audit Policy Using the Advanced Criteria Match Criteria
Configuring General Audit Policy Settings
Configuring General Settings for Database Auditing
Configuring Audit Policy Database Response Settings
Configuring Tables and Columns for Database Response Auditing
Configuring Audit Policy External Logger Settings
Imperva enables you to create and manage Audit policies from the Policies window.
For a list of pre-defined database audit policies, see Predefined Database Audit Policies.
Note: SecureSphere comes with a Default Rule - All Events policy for Auditing, which is
applied by default to all services. This policy audits all events in the system for its
relevant service type. You can unapply the policy or modify it according to your needs.
For example, you can unapply this policy and create custom policies that will audit only
specific events.
The following are the main tasks involved in managing audit policies:
Creating an Audit Policy
1. In the Main workspace, select Policies > Audit. In the Audit Policies pane, click New, then select a policy type.
The Create New Policy window opens.
2. In the Create New Policy window, enter a Name for the audit policy.
3. Select either From Scratch, or Use Existing and select an audit policy from the list.
If you select Use Existing, the new audit policy will inherit its parameters from the existing audit policy you
choose from the list.
4. Click Create. The new audit policy is created and its details are displayed in the details pane.
5. Configure the audit policy. For more information, see Configuring an Audit Policy.
6. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.
Configuring an Audit Policy
Imperva offers a number of features that enable you to configure and customize audit policies.
In the Main workspace, select Policies > Audit. The Audit Policies window appears displaying a list of available audit
policies.
1. In the Audit Policies window, select the policy you want to configure. That policy’s configuration details are
displayed in the Details pane.
2. Configure the policy as described in the table below.
3. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.
Tab Description
Match Criteria: Select one or more match criteria by which you want to define the policy and configure its details. For more information, see Configuring Audit Policy Match Criteria.
Apply to: Apply the audit policy to the desired components. For more information see Applying Policies.
Settings: Configure various aspects of how the audit policy collects and displays information including data collection, data indexing, quota and fast view definitions. For more information see Configuring General Audit Policy Settings.
Archiving: Optionally configure audit archive settings that define how audit policy data is archived. For more information see Configuring and Applying Archive Settings.
External Logger: Optionally configure external logger settings to send audit logs directly using syslog to any third-party vendors. For more information see Configuring Audit Policy External Logger Settings.
You can configure policies that perform auditing of generic and sensitive data extraction from the database. First you
need to define the sensitive data and then you can configure the audit policies. During policy configuration, you need
to define criteria with the exact location in the event where you want to look for the predefined patterns. This
optimizes the search process and saves system resources, as the search is applied only to the relevant part in the
database.
2. In the Main workspace, select Policies > Audit. In the Audit Policies pane, click New.
3. In the Create New Policy window, enter a Name for the audit policy.
4. Click Create.
5. In the Match Criteria tab, select and expand Generic Dictionary Search.
Click the green arrow to move the Generic Dictionary Search criteria up to the Match Criteria section. For
more information about these Match Criteria, see Audit Report Criteria.
6. In Search Mode, select Contains or Exact, depending on what you are looking for.
7. Enable or disable Search Numeric Values, as required.
8. In Dictionaries, select the dictionaries that contain the patterns that you want to participate in the auditing
process by moving them to Selected.
9. In Locations, select where to search for the patterns defined in the selected dictionaries: Query, Parsed Query
or SQL response.
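The following is an added example, not code from the product, that models how a Generic Dictionary Search criterion evaluates an event: only the selected Locations (Query, Parsed Query, SQL response) are scanned, so a pattern that survives only as a literal in the raw query is not found in the parsed query where literals are replaced with '?'. The dictionaries, the sample event, and the semantics of Exact (whole token) versus Contains (substring) and of Search Numeric Values (gates purely numeric patterns) are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class DbEvent:
    query: str
    parsed_query: str   # literal values replaced by '?' (see the Settings tab)
    sql_response: str

# Constructed dictionaries standing in for the ones selected under Dictionaries.
DICTIONARIES: Dict[str, List[str]] = {
    "PII columns": ["ssn", "credit_card"],
    "Internal IDs": ["4711"],
}

def pattern_hit(text: str, pattern: str, search_mode: str) -> bool:
    """Assumed semantics: Exact matches a whole token, Contains a substring."""
    if search_mode == "Exact":
        return re.search(r"(?<!\w)" + re.escape(pattern) + r"(?!\w)", text, re.I) is not None
    if search_mode == "Contains":
        return pattern.lower() in text.lower()
    raise ValueError("unknown search mode: " + search_mode)

def generic_dictionary_search(ev: DbEvent, dictionaries: Dict[str, List[str]],
                              search_mode: str, search_numeric: bool,
                              locations: List[str]) -> List[Tuple[str, str, str]]:
    """Return (location, dictionary, pattern) for every hit. Only the chosen
    locations are scanned, which is what keeps the search cheap."""
    texts = {"Query": ev.query, "Parsed Query": ev.parsed_query,
             "SQL response": ev.sql_response}
    hits = []
    for loc in locations:
        text = texts[loc]   # KeyError on a location the page does not define
        for name, patterns in dictionaries.items():
            for p in patterns:
                # Assumption: Search Numeric Values gates purely numeric patterns.
                if p.isdigit() and not search_numeric:
                    continue
                if pattern_hit(text, p, search_mode):
                    hits.append((loc, name, p))
    return hits

# Constructed sample event: the customer id 4711 is a literal in the raw query only.
SAMPLE = DbEvent(
    query="SELECT ssn, name FROM customers WHERE id=4711",
    parsed_query="SELECT ssn, name FROM customers WHERE id=?",
    sql_response="123-45-6789, Alice",
)

if __name__ == "__main__":
    print(generic_dictionary_search(SAMPLE, DICTIONARIES, "Exact", True, ["Query"]))
```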
Configuring Audit Policy Match Criteria
Audit policy match criteria enable you to define the characteristics that determine what data is audited.
1. In the Main workspace, select Policies > Audit. In the Audit Policies pane, select the Audit Policy whose match
criteria you want to configure. That policy's details are displayed in the Details pane.
2. Select the Match Criteria tab. Match Criteria options are displayed.
3. Click the green arrow of the Match Criteria you want to add as part of the search. The field is moved up to
the Match Criteria pane.
4. Click the plus sign (+) next to the desired criteria.
5. Configure the criteria as required. Information selected here is used to determine what constitutes the policy.
6. Repeat steps 4-6 to add additional filtering criteria as required.
Note: For audit policy criteria, see DB Audit Report Criteria, File Audit Policy Criteria Data
Scope, or SharePoint Audit Report Criteria.
7. Click Save. The audit policy is saved. If you are in delayed activation mode, you need to activate these settings.
For further information, see Activating Settings.
In the predefined audit policy DDL Commands, the criterion Command Groups is configured. If any of the command groups
listed in this criterion is detected, the DDL Commands policy is applied, and an audit record is generated.
Note: Command Groups are defined in Global Objects. For more information, see
Working with Privileged Operations and Command Groups.
EXAMPLE: Audit Policy based on SAP Audit Accounting Documents tables Activity
In the predefined audit policy SAP - Audit Accounting Documents Tables Activity, two criteria are configured: the
Select operation criterion and the SAP Accounting Documents Tables table group criterion. If both of these
criteria are met, the SAP - Audit Accounting Documents Tables Activity policy is applied, and an audit record is generated.
In the criterion Generic Dictionary Search, you can define the following fields:
Configuring an Audit Policy Using the Advanced Criteria Match Criteria
Advanced Criteria (one of the match criteria) is a powerful feature that enables you to define complex match criteria
from a single location. The following examples illustrate the usage of this feature in DB audit policies.
You want to monitor the access to your database by all users defined as Clerks. In your Imperva setup, Clerks are
defined by their membership of the lookup dataset, Clerks.
1. In the Main workspace, select Policies > Audit. Create a new DB audit service policy as in the steps below, or
select an existing DB audit service policy:
1. In the Policies pane, click New.
2. From the drop down list, select DB Service. The Create New Database Policy dialog box appears.
3. Enter a Name for the policy.
4. Click Create. The new policy is created.
2. Verify that your new DB audit policy is selected in the Policies pane, or select another policy you want to
configure.
3. In the Match Criteria tab, click the green arrow next to Advanced Criteria. It appears at the top under Match
Criteria.
4. Click Expand. The Advanced Criteria dialog box expands.
5. From the Define advanced criteria for: drop down list, select Database User Name.
6. Expand the box Condition based on groups of Database User Name values.
7. Click the select values button. The Configure Database User Name Groups dialog box appears.
8. Click OK.
9. Click Add and, from the drop down list, select the lookup data set Clerks.
The resulting criteria read:
Match (i.e. include in the audit) if the Database User Name satisfies at least one of the following conditions:
And
Don't match (i.e. exclude from the audit) if the Database User Name is unknown.
EXAMPLE: Ensure that an Audit does not Include Trusted Internal Processes
You want to exclude from the audit occasions where trusted internal processes are being used to access the database -
these are processes that have been thoroughly tested and are deemed as trustworthy, so there is no need for them to
appear. In this example, you will exclude activity from a tool called SQL Server Integration Services (SSIS) by using the
Source Application criterion from Advanced Criteria. SSIS consists of several applications, and you will need to
catch all of them using prefix matching.
1. Create a new DB audit policy in accordance with steps 1 to 3 of the procedure above, or use an existing DB audit
policy.
2. In the Match Criteria tab, click the green arrow next to Advanced Criteria. It appears at the top under Match
Criteria.
3. Click Expand. The Advanced Criteria dialog box expands.
4. From the Define advanced criteria for: drop down list, select Source Application.
5. At the top, from the drop down list, select Don't match if.
8. Click select values. The Configure Application Values dialog box appears.
The resulting criteria read:
Don't match (i.e. exclude from the audit) if the Application satisfies at least one of the following conditions:
And
EXAMPLE: Exclude from the Audit those Queries that Access Non-Sensitive Tables
You would like your audit to exclude those queries that access selected tables that you deem contain non-sensitive
data. If a query contains access to a non-sensitive table, the audit should exclude it. However, if a query contains
access to a non-sensitive table together with access to a sensitive table, the audit should include it. In order to achieve
this, you will use the Don’t match if each condition. The Don't match if each condition checks to make sure that
each and every table seen in the query appears in the exclusion list. The appearance of even one table that has
sensitive data will cause the criteria to match.
In this example, you are using a regular expression to define the set of tables that you deem as non-sensitive. For the
purposes of this example, the definition of a non-sensitive table is given by the regular expression
^temp(.*)_table. This is obviously not the only way (nor perhaps the best way) to make such a definition, but
serves to illustrate how the Advanced Criteria can work with regular expressions.
1. Create a new DB audit policy in accordance with steps 1 to 3 of the first procedure above, or use an existing DB
audit policy.
2. In the Match Criteria tab, click the green arrow next to Advanced Criteria. It appears at the top under Match
Criteria.
3. Click Expand. The Advanced Criteria dialog box expands.
4. From the Define advanced criteria for: drop down list, select Destination Tables.
5. From the next drop down list, select Don't match if each.
7. From the Destination Table drop down list, select matches regular expression.
8. Click select values. The Configure Destination Table Values dialog box appears.
9. Click in the text field and enter the following regular expression: ^temp(.*)_table
This regular expression defines all tables that begin with the string temp and end with the string _table.
The resulting criteria read:
Don't match (i.e. exclude from the audit) if each of the Destination Tables satisfies at least one of the following conditions:
Destination Table matches the regular expression: ^temp(.*)_table (i.e. begins with the string temp and ends with the string _table).
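The three Advanced Criteria examples above (Clerks lookup, SSIS prefix exclusion, and the Don't match if each regular expression) differ only in how the values of an event are combined with the conditions. The following added example, not product code, models those three combination modes and shows why a query touching one sensitive table alongside temp tables is still audited. The Clerks members, the SSIS application names and the sample events are constructed; the regular expression is the page's own.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class DbEvent:
    db_user: Optional[str]          # None models an unknown Database User Name
    source_app: str
    destination_tables: List[str]

# Constructed stand-ins for the Clerks lookup data set and the SSIS application
# names caught by prefix matching (hypothetical values, not from the product).
CLERKS = {"jsmith", "amiller"}
SSIS_PREFIXES = ("SSIS", "DTExec", "DtsDebugHost")
# The page's regular expression. It anchors only the start, so a table such as
# temp_x_table_archive also matches; append "$" to require the _table suffix.
NON_SENSITIVE_TABLE = re.compile(r"^temp(.*)_table")

Condition = Callable[[str], bool]

def match_if(values: List[str], conditions: List[Condition]) -> bool:
    """Match if at least one value satisfies at least one condition."""
    return any(c(v) for v in values for c in conditions)

def dont_match_if(values: List[str], conditions: List[Condition]) -> bool:
    """Exclude (do not audit) if at least one value satisfies a condition."""
    return not match_if(values, conditions)

def dont_match_if_each(values: List[str], conditions: List[Condition]) -> bool:
    """Exclude only if every value satisfies at least one condition; a single
    value satisfying none (one sensitive table) makes the criteria match.
    Assumption: an empty value list does not trigger the exclusion."""
    if not values:
        return True
    return not all(any(c(v) for c in conditions) for v in values)

# Example 1: audit Clerks, and never audit an unknown Database User Name.
def audit_clerks(ev: DbEvent) -> bool:
    if ev.db_user is None:
        return False
    return match_if([ev.db_user], [lambda u: u in CLERKS])

# Example 2: exclude trusted SSIS processes by Source Application prefix
# (p=p binds each prefix to its own lambda instead of the loop's last value).
def exclude_ssis(ev: DbEvent) -> bool:
    return dont_match_if([ev.source_app],
                         [lambda a, p=p: a.startswith(p) for p in SSIS_PREFIXES])

# Example 3: exclude queries whose destination tables are all temp*_table.
def exclude_non_sensitive_only(ev: DbEvent) -> bool:
    return dont_match_if_each(ev.destination_tables,
                              [lambda t: NON_SENSITIVE_TABLE.search(t) is not None])

if __name__ == "__main__":
    ev = DbEvent("jsmith", "sqlcmd", ["temp_stage_table", "customers"])
    print(audit_clerks(ev), exclude_ssis(ev), exclude_non_sensitive_only(ev))
```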
Configuring General Audit Policy Settings
You can configure a variety of settings regarding an Audit Policy including what data is collected, parameters for the
data index, quota levels, and fast view settings.
Note: The default settings for the fields in the Settings tab are usually adequate for most
requirements.
Available settings depend on the type of audit policy being configured and may include the following:
Field Description
Frequently Used Event Information: Event Aggregation time (minutes): The policy aggregates and counts hits of similar events within the predefined period of time. Reducing the value of the Event aggregation time (minutes) parameter adversely affects performance and requires additional disk space. Audit parsed query: Enables presenting query content in addition to audit event information. Note that the parsed query parameter values are replaced with '?' (i.e. select * from my_table where username=?).
User Defined Fields: Among the fields you can select is OS-User-Chain, a text field containing the list of OS user names of local DB users whose activity was monitored by a DB Agent. To list each value independently when a single field has multiple values, select the Split multiple values option.
Note: Fetching of fast view data may take some time for large amounts of information.
In Number of days' data to fetch for fast viewing, specify the number of days of audit policy data to be retrieved in advance. The retrieval process runs periodically, on a schedule defined by the administrator. Whole days are retrieved, and the day ends at midnight. For example, if you specify 3 days, then on Wednesday the data for Sunday, Monday and Tuesday, that is, the data between 00:00:00 Sunday and 23:59:59 Tuesday, will be retrieved, no matter what time of day on Wednesday the retrieval takes place. On Thursday, Sunday's data will be erased and Wednesday's data added.
Note: Do not run the fast view retrieval process at the same time as scheduled reports, as this may interfere with the successful execution of the scheduled reports.
DB Response Auditing: Enables selection of full DB responses, or the addition or removal of columns.
When configuring an audit policy it is possible to limit its maximum disk quota. This limit can be expressed in terms of absolute size of the effective disk space, percentage of the effective disk space, or both. This enables you to define thresholds that limit the disk space for some policies, which reserves proper disk space for other policies. When the threshold for a Gateway reaches its maximum, the data collection process in this Gateway is stopped.
• To Size: Disk space threshold for the audit policy in GB. If this value is larger than the effective disk space, then the effective size is used as the limit.
• To Disk Percentage: Disk space limit for the audit policy as a percentage of the effective disk space.
Note: You must specify values for both To Size and To Disk Percentage. The lower of the two values is used as the effective quota setting.
CounterBreach Settings: If you check CounterBreach Policy, then only a sample of the data will be taken.
Configuring Audit Policy Database Response Settings
If you have configured an Audit Policy to collect DB responses, there are a number of additional options that may
need to be configured to determine just what information is included or excluded during auditing.
Note: When two or more audit policies are auditing the same information, all information
that was audited is available. This means that if one policy audited one column (for
example, users), and a second policy audited a second column (for example,
permissions), both of these columns appear in resulting audit data.
1. In the Main workspace, select Policies > Audit. In the Audit Policies pane, select the Audit Policy whose settings
you want to configure. That policy's details are displayed in the Details pane.
2. Select the Settings tab. Settings options are displayed.
3. Under Data Collection, enable the DB Responses option. DB Response Auditing options become enabled.
Select one of the options in the table below.
4. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.
Option Description
Full DB Responses: Includes the full response in the audit data. This option is selected by default when enabling the DB Responses option.
Include only the following tables and columns: Includes only the table groups, tables and columns that have been configured to appear in audit data. For more information on how to configure tables and columns, see Configuring Tables and Columns for Database Response Auditing. This reduces processing overhead and provides a more detailed audit report.
Exclude only the following tables and columns: Excludes from the audit data only the table groups, tables and columns that have been configured. For more information on how to configure tables and columns, see Configuring Tables and Columns for Database Response Auditing. This reduces processing overhead and provides a more detailed audit report.
Configuring Tables and Columns for Database Response Auditing
You can configure specific table groups, tables and columns to be included or excluded in database auditing. This
assists in providing a more detailed audit report by selectively choosing those items to be audited.
1. In the Main workspace, select Policies > Audit. In the Audit Policies pane, select the Audit Policy whose settings
you want to configure. That policy's details are displayed in the Details pane.
2. Select the Settings tab. Settings options are displayed.
3. Under Data Collection, enable the DB Responses option. DB Response Auditing options become enabled.
4. Select one of the following:
◦ Include only the following tables and columns: Includes the configured tables in database response
auditing.
◦ Exclude only the following tables and columns: Excludes the configured tables in database response
auditing.
5. Configure Table Groups, Tables and Columns, as follows:
◦ Table Groups: In the Table Groups title bar, click New. Then type the name of the table you want to be
included or excluded. Repeat as required.
◦ Table Groups and Columns: In the Table title bar, click New. Then type the name of the table and column
to be included or excluded. Repeat as required. To include all tables or columns, leave the related option
blank.
6. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.
Configuring Audit Policy External Logger Settings
Audit external logger settings optionally enable you to send audit logs to any third-party SIM/SIEM system. Imperva
enables you to optionally send audit logs directly from the Gateway by configuring a gateway group with External
Logger parameters, or from the Management Server. For more information on configuring audit policies to interface
with external loggers and examples, see Integrating Auditing with SIEMs.
Note: Audit data sent via a syslog interface is timestamped in UTC (Coordinated Universal Time) and not
local time.
Note: The Enable using gateway configuration if exists option is available only for audit
policies, not for security policies, and is therefore not applicable to WAF-only
deployments. In this case, the external logger must be configured individually for every
Action Set.
5. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.