Fortinet FortiDB manual Multiple Source-Rule-Violation Behavior, DB Example


Chaining with Parameterized User-Defined Rules

Rule Chaining

SELECT username, osuser, terminal FROM v$session WHERE osuser = '$osusername'

Multiple Source-Rule-Violation Behavior

When using the Rule Chaining feature with PUDRs, you might expect a target-policy alert for each source-policy alert. However, unless there is a change in the passed parameter, there will be only one PUDR alert, despite multiple source-policy alerts.

For example, assume you have a session policy for your source rule, are passing the terminal name to the target PUDR, and that the session policy is violated twice. In this case, you will get two session-policy alerts because, due to different timestamps, the session policy alerts are not the same. However, you will get only one PUDR alert because the terminal name doesn't change.

DB Example

For example, when using a DB2 target database and passing $objectowner, only one PUDR (target rule) alert will show up, regardless of how many times the source rule gets violated. (A source-rule alert will appear for each violation.)

$objectowner is replaced by the creator parameter, which represents the authorization ID of the user who pre-compiled the application [1]. This ID does not change when a user executes multiple SQL queries, thereby triggering multiple source-rule alerts. Therefore, you can expect only one PUDR alert.

For example, assume:

a. You set up a source-rule User Policy that monitors user X.

b. You have a target-rule PUDR that expects $objectowner to be passed, like this:

SELECT '$objectowner' FROM SYSIBM.SYSDUMMY1 AS SYSDUMMY1

c. User X issues these two queries:

SELECT * from my.employee

SELECT * from x.table1

In this case, two source-rule alerts should show up but only one PUDR (target rule) alert.
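The alert behaviour described above, as an added model that is not FortiDB's own code: every source-rule violation produces its own alert (timestamps make them distinct), while the chained PUDR raises an alert only when the value substituted into its $parameter differs from the one passed before. The violation records and the DB2ADMIN / osuser values are constructed sample data, and "change" is assumed to mean different from the previously passed value.

```python
from dataclasses import dataclass, field
from string import Template


@dataclass
class Violation:
    """One source-rule violation (constructed sample data, not a FortiDB record)."""
    timestamp: str                               # differs per violation, so each source alert is distinct
    params: dict = field(default_factory=dict)   # values FortiDB would pass to the chained PUDR


def chain_alerts(pudr_sql: str, violations: list) -> tuple:
    """Return (source_alerts, pudr_alerts) for a source rule chained to a PUDR.

    source_alerts: one per violation.
    pudr_alerts:   one per change in the substituted target SQL; while the passed
                   parameter stays the same, no further PUDR alert is raised.
    Assumption: "change" means different from the previously passed value.
    """
    template = Template(pudr_sql)                 # FortiDB-style $name placeholders
    source_alerts, pudr_alerts = [], []
    previous_sql = None
    for v in violations:
        source_alerts.append(f"{v.timestamp} source-rule violation {v.params}")
        # safe_substitute leaves unrelated '$' tokens such as v$session untouched
        target_sql = template.safe_substitute(v.params)
        if target_sql != previous_sql:
            pudr_alerts.append(target_sql)
            previous_sql = target_sql
    return source_alerts, pudr_alerts


# DB2 example from the text: $objectowner (the creator / authorization ID) does not
# change across user X's two queries, so two source alerts but only one PUDR alert.
DB2_PUDR = "SELECT '$objectowner' FROM SYSIBM.SYSDUMMY1 AS SYSDUMMY1"
DB2_VIOLATIONS = [
    Violation("2008-12-19T10:00:01", {"objectowner": "DB2ADMIN"}),  # SELECT * from my.employee
    Violation("2008-12-19T10:00:07", {"objectowner": "DB2ADMIN"}),  # SELECT * from x.table1
]

# Contrast case: the session query from the Rule Chaining section, where the passed
# $osusername differs between violations, so the PUDR alerts twice.
SESSION_PUDR = "SELECT username, osuser, terminal FROM v$session WHERE osuser = '$osusername'"
SESSION_VIOLATIONS = [
    Violation("2008-12-19T11:00:00", {"osusername": "alice"}),
    Violation("2008-12-19T11:05:00", {"osusername": "bob"}),
]

if __name__ == "__main__":
    for pudr, hits in ((DB2_PUDR, DB2_VIOLATIONS), (SESSION_PUDR, SESSION_VIOLATIONS)):
        src, tgt = chain_alerts(pudr, hits)
        print(f"{len(src)} source-rule alert(s), {len(tgt)} PUDR alert(s): {tgt}")
```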

PUDR Alert Behavior with Multiple SELECT-List Objects in the Violating SQL Statement

FortiDB MA can detect, and alert on, only the first item in a multiple-object SELECT list.

For example, assume you have created a user policy which gets violated by a user's executing:

SELECT * FROM vje.test, vje.test1

1. For more information, see http://publib.boulder.ibm.com/infocenter/db2luw/v8/index.jsp?topic=/com.ibm.db2.udb.doc/admin/r0007595.htm


FortiDB Version 3.2 Utilities User Guide


15-32000-81369-20081219
