Scribd
Upload
62 views26 pages

Working With Audit Policies

This document provides guidance on configuring database activity monitoring policies in Imperva. It describes how to create policies, define audit criteria, configure general settings and apply policies to monitored databases.

Uploaded by

vijay konduru
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
62 views26 pages

Working With Audit Policies

This document provides guidance on configuring database activity monitoring policies in Imperva. It describes how to create policies, define audit criteria, configure general settings and apply policies to monitored databases.

Uploaded by

vijay konduru
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

v14.

7 Database Activity Monitoring User Guide

v14.7 Database Activity Monitoring User


Guide

v14.7 Database Activity Monitoring User Guide 1


Contents

Contents
Working with Audit Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Creating an Audit Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Configuring an Audit Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Configuring Audit Policy Match Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Configuring an Audit Policy Using the Advanced Criteria Match Criteria. . . . . . . . . . . . . . . . . . . . . . . . . 9
Configuring General Audit Policy Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configuring General Settings for Database Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuring Audit Policy Database Response Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuring Tables and Columns for Database Response Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring Audit Policy External Logger Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

v14.7 Database Activity Monitoring User Guide


v14.7 Database Activity Monitoring User Guide

Working with Audit Policies

Imperva enables you to create and manage Audit policies from the Policies window.

For a list of pre-defined database audit policies, see Predefined Database Audit Policies.

Note: SecureSphere comes with a Default Rule - All Events policy for Auditing, which is
applied by default to all services. This policy audits all events in the system for its
relevant service type. You can unapply the policy or modify it according to your needs.
For example, you can unapply this policy and create custom policies that will audit only
specific events.

The following are the main tasks involved in managing audit policies:

• Creating an Audit Policy


• Configuring an Audit Policy
• Configuring Audit Policy Match Criteria
• Configuring an Audit Policy Using the Advanced Criteria Match Criteria
• Configuring General Audit Policy Settings
• Configuring Audit Policy External Logger Settings

v14.7 Database Activity Monitoring User Guide 3


v14.7 Database Activity Monitoring User Guide

Creating an Audit Policy

To create an audit policy:

1. In the Main workspace, select Policies > Audit.In the Audit Policies pane, click , then select a policy type.
The Create New Policy window opens.
2. In the Create New Policy window, enter a Name for the audit policy.
3. Select either From Scratch, or Use Existing and select an audit policy from the list.

If you select Use Existing, the new audit policy will inherit its parameters from the existing audit policy you
choose from the list.

4. Click Create. The new audit policy is created and its details are displayed in the details pane.
5. Configure the audit policy. For more information, see Configuring an Audit Policy.
6. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.

v14.7 Database Activity Monitoring User Guide 4


v14.7 Database Activity Monitoring User Guide

Configuring an Audit Policy

Imperva offers a number of features that enable you to configure and customize audit policies.

To configure an audit policy:

In the Main workspace, select Policies > Audit.The Audit Policies window appears displaying a list of available audit
policies.

1. In the Audit Policies window, select the policy you want to configure. That policy’s configuration details are
displayed in the Details pane.
2. Configure the policy based as described in the table below.
3. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.

Tab Description

Select one or more match criteria by which you want to define the policy and
Match Criteria configure its details. For more information, see Configuring Audit Policy Match
Criteria.

Apply the audit policy to the desired components. For more information see Applying
Apply to
Policies.

Configure various aspects of how the audit policy collects and displays information
Settings including data collection, data indexing, quota and fast view definitions. For more
information see Configuring General Audit Policy Settings.

Optionally configure audit archive settings that define how audit policy data is
Archiving
archived. For more information see Configuring and Applying Archive Settings.

Optionally configure external logger settings to send audit logs directly using syslog
External Logger to any third-party vendors. For more information see Configuring Audit Policy
External Logger Settings.

EXAMPLE: Audit Policy for Sensitive Data Extraction

You can configure policies that perform auditing of generic and sensitive data extraction from the database. First you
need to define the sensitive data and then you can configure the audit policies. During policy configuration, you need

v14.7 Database Activity Monitoring User Guide 5


v14.7 Database Activity Monitoring User Guide

to define criteria with the exact location in the event where you want to look for the predefined patterns. This
optimizes the search process and saves system resources, as the search is applied only to the relevant part in the
database.

1. Create a Sensitive Data Dictionary group.

For information, see Configuring Sensitive Data Protection.

2. In the Main workspace, select Policies > Audit.In the Audit Policies pane, click .
3. In the Create New Policy window, enter a Name for the audit policy.
4. Click Create.
5. In the Match Criteria tab, select and expand Generic Dictionary Search.

Click the green arrow to move the Generic Dictionary Search criteria up to the Match Criteria section. For
more information about these Match Criteria, see Audit Report Criteria.

6. In Search Mode, select Contains or Exact, depending on what you are looking for.
7. Enable or disable Search Numeric Values, as required.
8. In Dictionaries, select the dictionaries that contain the patterns that you want to participate in the auditing
process by moving them to Selected.
9. In Locations, select where to search for the patterns defined in the selected dictionaries: Query, Parsed Query
or SQL response.

v14.7 Database Activity Monitoring User Guide 6


v14.7 Database Activity Monitoring User Guide

Configuring Audit Policy Match Criteria

Audit policy match criteria enable you to define characteristic that determine what data is audited.

To configure audit policy match criteria:

1. In the Main workspace, select Policies > Audit.In the Audit Policies pane, select the Audit Policy whose match
criteria you want to configure. That policies details are displayed in the Details pane.
2. Select the Match Criteria tab. Match Criteria options are displayed.
3. Click the green arrow of the Match Criteria you want to add as part of the search. The field is moved up to
the Match Criteria pane.
4. Click the plus sign (+) next to the desired criteria.
5. Configure the criteria as required. Information selected here is used to determine what constitutes the policy.
6. Repeat steps 4-6 to add additional filtering criteria as required.

Note: For audit policy criteria, see DB Audit Report Criteria, File Audit Policy Criteria Data
Scope, or SharePoint Audit Report Criteria.

7. Click Save. The audit policy is saved. If you are in delayed activation mode, you need to activate these settings.
For further information, see Activating Settings.

EXAMPLE: Audit Policy based on DDL Commands

In the predefined audit policy DDL Commands, the criteria Command Groups is configured. If the command groups
listed in this criteria and detected, the DDL Commands policy is applied, and an audit record is generated.

Note: Command Groups are defined in Global Objects. For more information, see
Working with Privileged Operations and Command Groups.

EXAMPLE: Audit Policy based on SAP Audit Accounting Documents tables Activity

In the predefined audit policy SAP - Audit Accounting Documents Tables Activity, two criteria are defined, the
Select operation criteria and SAP Accounting Documents Tables table group criteria are configured. If both these
criteria are met, the SAP - Audit Accounting Documents Tables Activity is applied, and an audit record is generated.

EXAMPLE: Configuring an Audit Policy based on a Generic Dictionary Search

In the criterion Generic Dictionary Search, you can define the following fields:

v14.7 Database Activity Monitoring User Guide 7


v14.7 Database Activity Monitoring User Guide

• Search Mode: Select Contains or Exact.


• Search Numeric Values: Enable or disable as required.
• Dictionaries: Select dictionaries by moving them to Selected.
• Locations: Select where to search for the patterns defined in the selected dictionaries: Query, Parsed Query or
SQL response.

For more information about these match criteria, see .

v14.7 Database Activity Monitoring User Guide 8


v14.7 Database Activity Monitoring User Guide

Configuring an Audit Policy Using the Advanced Criteria Match Criteria

Advanced Criteria (one of the match criteria) is a powerful feature that enables you to define complex match criteria
from a single location. The following examples illustrate the usage of this feature in DB audit policies.

EXAMPLE: Audit Access by Certain Users

You want to monitor the access to your database by all users defined as Clerks. In your Imperva setup, Clerks are
defined by their membership of the lookup dataset, Clerks.

To audit access by certain users:

1. In the Main workspace, select Policies > Audit.Create a new DB audit service policy as in the steps below, or
select an existing DB audit service policy:
1. In the Policies pane, click New .

2. From the drop down list, select DB Service. The Create New Database Policy dialog box appears.
3. Enter a Name for the policy.
4. Click Create. The new policy is created.
2. Verify that your new DB audit policy is selected in the Policies pane, or select another policy you want to
configure.
3. In the Match Criteria tab, click the green arrow next to Advanced Criteria. It appears at the top under Match
Criteria.
4. Click Expand. The Advanced Criteria dialog box expands.

5. From the Define advanced criteria for: drop down list, select Database User Name.

v14.7 Database Activity Monitoring User Guide 9


v14.7 Database Activity Monitoring User Guide

6. Expand the box Condition based on groups of Database User Name values.

v14.7 Database Activity Monitoring User Guide 10


v14.7 Database Activity Monitoring User Guide

7. Click the select values button . The Configure Database User Name Groups dialog box appears.
8. Click OK.

9. Click Add and, from the drop down list, select the lookup data set Clerks.

10. Click OK.


11. Click Save.

The dialog box now states the following match criteria:

Match (i.e. include in the audit) if the Database User Name satisfies at least one of
the following conditions:

v14.7 Database Activity Monitoring User Guide 11


v14.7 Database Activity Monitoring User Guide

Database User Name is found in one of the following groups: Clerks.

And

Don't match (i.e. exclude from the audit) if the Database User Name is unknown.

EXAMPLE: Ensure that an Audit does not Include Trusted Internal Processes

You want to exclude from the audit occasions where trusted internal processes are being used to access the database -
these are processes that have been thoroughly tested and are deemed as trustworthy, so there is no need for them to
appear. In this example, you will exclude activity from a tool called SQL Server Integration Services (SSIS) by using the
Source Application criterion from Advanced Criteria. SSIS is comprised of several applications and you will need to
catch all of them using prefix matching.

To ensure that an audit does not include trusted internal processes:

1. Create a new DB audit policy in accordance with steps 1 to 3 of the procedure above, or use an existing DB audit
policy.
2. In the Match Criteria tab, click the green arrow next to Advanced Criteria. It appears at the top under Match
Criteria.
3. Click Expand . The Advanced Criteria dialog box expands.

4. From the Define advanced criteria for: drop down list, select Source Application.

v14.7 Database Activity Monitoring User Guide 12


v14.7 Database Activity Monitoring User Guide

5. At the top, from the drop down list, select Don't match if.

6. Expand the box Condition based on Application values.


7. From the Application drop down list, select starts with one of the strings.

v14.7 Database Activity Monitoring User Guide 13


v14.7 Database Activity Monitoring User Guide

8. Click select values . The Configure Application Values dialog box appears.

v14.7 Database Activity Monitoring User Guide 14


v14.7 Database Activity Monitoring User Guide

9. Click the Add button and type ssis in the field.

10. Click OK.


11. For the Application is unknown condition at the bottom, select Match if from the drop down list.

v14.7 Database Activity Monitoring User Guide 15


v14.7 Database Activity Monitoring User Guide

12. Click Save.

The dialog box now states the following match criteria:

Don't match (i.e. exclude from the audit) if the Application satisfies at least one of
the following conditions:

Application starts with one of the strings: ssis*.

And

Match (i.e. include in the audit) if the Application is unknown.

EXAMPLE: Exclude from the Audit those Queries that Access Non-Sensitive Tables

You would like your audit to exclude those queries that access selected tables that you deem contain non-sensitive
data. If a query contains access to a non-sensitive table, the audit should exclude it. However, if a query contains
access to a non-sensitive table together with access to a sensitive table, the audit should include it. In order to achieve
this, you will use the Don’t match if each condition. The Don't match if each condition checks to make sure that
each and every table seen in the query appears in the exclusion list. The appearance of even one table that has
sensitive data will cause the criteria to match.

In this example, you are using a regular expression to define the set of tables that you deem as non-sensitive. For the
purposes of this example, the definition of a non-sensitive table is given by the regular expression
^temp(.*)_table. This is obviously not the only way (nor perhaps the best way) to make such a definition, but
serves to illustrate how the Advanced Criteria can work with regular expressions.

v14.7 Database Activity Monitoring User Guide 16


v14.7 Database Activity Monitoring User Guide

1. Create a new DB audit policy in accordance with steps 1 to 3 of the first procedure above, or use an existing DB
audit policy.
2. In the Match Criteria tab, click the green arrow next to Advanced Criteria. It appears at the top under Match
Criteria.
3. Click Expand . The Advanced Criteria dialog box expands.

4. From the Define advanced criteria for: drop down list, select Destination Tables.

5. From the next drop down list, select Don't match if each.

6. Expand the box Condition based on Destination Table values.

v14.7 Database Activity Monitoring User Guide 17


v14.7 Database Activity Monitoring User Guide

7. From the Destination Table drop down list, select matches regular expression.

8. Click select values . The Configure Destination Table Values dialog box appears.

9. Click in the text field and enter the following regular expression: ^temp(.*)_table

v14.7 Database Activity Monitoring User Guide 18


v14.7 Database Activity Monitoring User Guide

This regular expression defines all tables that begin with the string temp and end with the string _table.

10. Click OK.


11. Click Save.

The dialog box now states the following match criteria:

Don't match (i.e. exclude from the audit) if each of the Destination Tables satisfy at
least one of the following conditions:

Destination Table matches the regular expression: ^temp(.*)_table (i.e. begins with
the string temp and ends with the string _table).

v14.7 Database Activity Monitoring User Guide 19


v14.7 Database Activity Monitoring User Guide

Configuring General Audit Policy Settings

You can configure a variety of settings regarding an Audit Policy including what data is collected, parameters for the
data index, quota levels, and fast view settings.

Note: The default settings for the fields in the Settings tab are usually adequate for most
requirements.

Available settings depend on the type of audit policy being configured and may include the following:

• Configuring General Settings for Database Auditing


• Configuring Audit Policy Database Response Settings
• Configuring Tables and Columns for Database Response Auditing

v14.7 Database Activity Monitoring User Guide 20


v14.7 Database Activity Monitoring User Guide

Configuring General Settings for Database Auditing

To configure general settings for database auditing:

1. In the Main workspace, select Policies > Audit.


2. In the Audit Policies pane, select the Audit Policy whose settings you want to configure. That policies details are
displayed in the Details pane.
3. Select the Settings tab. Settings options are displayed. These include the items in the table below.
4. Configure the options.
5. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.

Field Description

Event Aggregation time (minutes): The policy aggregates and counts hits of
similar events within the predefined period of time. Reducing the value of the
Event aggregation time (minutes) parameter adversely affects performance
Frequently Used Event and requires additional disk space.
Information
Audit parsed query: Enables presenting query content in addition to audit event
information. Note, that the parsed query parameter values are replaced with '?'
(i.e. select * from my_table where username=?).

Adds up to 5 user-defined fields from Data Enrichment policies to indexed data.


This speeds up filtering and viewing resulting data in Imperva On-Premises.

Among the fields you can select is OS-User-Chain, a text field containing the list
User Defined Fields
of OS user names of local DB users whose activity was monitored by a DB Agent.

To list each value independently when a single field has multiple values, select
the Split multiple values options.

Fast Viewing is the process of SecureSphere automatically maintaining current


data on the management appliance, making it immediately available at any
time. This option saves the latest audit data for faster usage in the GUI and
Fast View reports. It is not relevant for the data collected using the Extended Collection
option.

Note: Fetching of fast view data may take some time for large amounts of
information.

v14.7 Database Activity Monitoring User Guide 21


v14.7 Database Activity Monitoring User Guide

Field Description

In Number of days' data to fetch for fast viewing, specify the number of days
of audit policy data to be retrieved in advance. The retrieval process runs
periodically, on a schedule defined by the administrator.

Whole days are retrieved, and the day ends at midnight. For example, if you
specify 3 days, then on Wednesday the data for Sunday, Monday and Tuesday,
that is, the data between 00:00:00 Sunday to 23:59:59 Tuesday, will be retrieved,
no matter what time of day on Wednesday the retrieval takes place. On
Thursday, Sunday's data will be erased and Wednesday's data added.

Note: Do not run the fast view retrieval process at the same time as scheduled
reports, as this may interfere with the successful execution of the scheduled
reports.

The most frequently used information is collected by default.

Data Collection determines what items will be collected in addition to the


default audit data collection. Options include:

• Events: Collect events only if you need the following additional


information: Detailed event time, response size, number of effected rows
or full query information.
Data Collection
• DB Responses: Audits database responses for relevant events. Database
responses can only be collected if you first enable Events. If you enable the
collection of DB Responses, configure additional options as described in
Configuring Audit Policy Database Response Settings.

Note: Enabling these options adversely affects performance and requires


additional disk space. Selecting the Responses requires significantly more
processing in addition to the disk space.

DB Response Auditing Enables selection of full DB responses, or the addition or removal of columns.

Audit data is stored on a dedicated disk partition /var. Imperva On-Premises


reserves 24GB of the audit partition disk space for internal use. (* If the total disk
size is less than 80GB, 30% of the partition is reserved instead of 24G). The
Quota effective disk space available under the audit partition is the size of the partition
minus the reserved space (typically 24GB).

When configuring an audit policy it is possible to limit its maximum disk quota.
This limit can be expressed in terms of absolute size of the effective disk space,

v14.7 Database Activity Monitoring User Guide 22


v14.7 Database Activity Monitoring User Guide

Field Description

percentage of the effective disk space, or both. This enables you to define
thresholds that limit the disk space for some policies, which reserves proper disk
space for other policies. When a threshold for a Gateway is reaches its maximum,
the data collection process in this Gateway is stopped.

Enter the following information:

• To Size: Disk space threshold for audit policy in GB. If this value is larger
than the effective disk space, then the effective size is used as the limit.
• To Disk Percentage: Disk space limit for an audit policy as a percentage of
the effective disk space.

Note: You must specify values for both To Size and To Disk Percentage. The
lower of the two values is used as the effective quota setting.

CounterBreach Settings If you check CounterBreach Policy, then only a sample of the data will be taken.

v14.7 Database Activity Monitoring User Guide 23


v14.7 Database Activity Monitoring User Guide

Configuring Audit Policy Database Response Settings

If you have configured an Audit Policy to collect DB responses, there are a number of additional options that may
need to be configured to determine just what information is included or excluded during auditing.

Note: When two or more audit policies are auditing the same information, all information
that was audited is available. This means that if one policy audited one column (for
example, users), and a second policy audited a second column (for example,
permissions), both of these columns appear in resulting audit data.

To configure audit policy DB response settings:

1. In the Main workspace, select Policies > Audit.In the Audit Policies pane, select the Audit Policy whose settings
you want to configure. That policy’s details are displayed in the Details pane.
2. Select the Setting tab. Settings options are displayed.
3. Under Data Collection, enable the DB Responses option. DB Response Auditing options become enabled.
Select one of the options in the table below.
4. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.

Option Description

Includes the full response in the audit data. This option is selected by default when
Full DB Responses
enabling the DB Responses option.

Includes only the table groups, tables and columns that have been configured to
Include only the following appear in audit data. For more information on how to configure tables and columns,
tables and columns see Configuring Tables and Columns for Database Response Auditing. This reduces
processing overhead and provides a more detailed audit report.

Excluded only the table groups, tables and columns that have been configured to
Exclude only the following appear in audit data. For more information on how to configure tables and columns,
tables and columns see Configuring Tables and Columns for Database Response Auditing. This reduces
processing overhead and provides a more detailed audit report.

v14.7 Database Activity Monitoring User Guide 24


v14.7 Database Activity Monitoring User Guide

Configuring Tables and Columns for Database Response Auditing

You can configure specific table groups, tables and columns to be include or excluded in database auditing. This
assists in providing a more detailed audit report by selectively choosing those items to be audited.

To configure table groups, tables and columns:

1. In the Main workspace, select Policies > Audit.In the Audit Policies pane, select the Audit Policy whose settings
you want to configure. That policy’s details are displayed in the Details pane.
2. Select the Setting tab. Settings options are displayed.
3. Under Data Collection, enable the DB Responses option. DB Response Auditing options become enabled.
4. Select one of the following:
◦ Include only the following tables and columns: Includes the configured tables in database response
auditing.
◦ Exclude only the following tables and columns: Excludes the configured tables in database response
auditing.
5. Configure Table Groups, Tables and Columns, as follows:
◦ Table Groups: In the Table Groups title bar, click New. Then type the name of the table you want to be
included or excluded. Repeat as required.
◦ Table Groups and Columns: In the Table title bar, click New. Then type the name of the table and column
to be included or excluded. Repeat as required. To include all tables or columns, leave the related option
blank.
6. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.

v14.7 Database Activity Monitoring User Guide 25


v14.7 Database Activity Monitoring User Guide

Configuring Audit Policy External Logger Settings

Audit external logger settings optionally enable you to send audit logs to any third-party SIM/SIEM system. Imperva
enables you to optionally send audit logs directly from the Gateway by configuring a gateway group with External
Logger parameters, or from the Management Server. For more information on configuring audit policies to interface
with external loggers and examples, see Integrating Auditing with SIEMs.

Note: Audit data sent via a syslog interface is sent using UTC (Universal Standard Time) and not
local time.

To configure audit external logger settings:

1. In the Main workspace, select Policies > Audit.


2. In the Audit Policies pane, select the Audit Policy whose settings you want to configure. That policies details are
displayed in the Detail pane.
3. Select the External Logger tab. External Logger options are displayed.
4. Configure external logging options as follows:
◦ Audit syslog action: Select an existing syslog audit action interface by which to send audit logs from
Management server. For more information on action interfaces, see Working with Action Sets and
Followed Actions
◦ Enable using gateway configuration if exists: Enable this option to sends audit logs directly from the
Gateway group, which must be configured with External Logger settings (Main > Setup > Gateways >
Gateway Group details under External Logger) for this option to work. Using this option reduces the load
on the Management Server.

Note: The Enable using gateway configuration if exists option is available only for audit
policies, not for security policies, and is therefore not applicable to WAF-only
deployments. In this case, the external logger must be configured individually for every
Action Set.

5. Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For
more information, see Activating Settings.

v14.7 Database Activity Monitoring User Guide 26

You might also like