
Rule Chaining
Chaining with Parameterized User-Defined Rules
FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219

After the database has been specified and you have clicked on [Add Item], you will be presented with the Create Rule Chaining Settings page.

Here, you need to:

• Name the Rule Chain.

• Select the policy you want to use as the Source Rule.

• Select the target rule (Chained Rule) you want to execute once the first rule has been violated.

• Specify whether you want the chain to run immediately upon source-rule violation or not. Run Immediately means that the target rule will run as soon as there is a source-rule violation. Run as Scheduled means that the target rule will run according to the module-, database-, or item-specific schedule that is in effect for the source rule.¹

• Decide whether you want to immediately enable the chain or not. Unless you check the Enable Chain? checkbox, the chain won't be in effect. This allows you to create the chain and then only use it when needed.

You can see the module and the name of the available guarded items for all policies. For example, 'PM|' or 'UBM|' preceding the rule name indicates the PM or UBM module, respectively.

After the Rule Chain is invoked, alerts will appear with those of other policies. 

Chaining with Parameterized User-Defined Rules

Parameters, specific to the RDBMS type of your target database, can be passed 
from the source to the target in order to permit the target to perform specific tasks, 
such as to kill the session of a suspicious user. 

The source rule can be a UBM User, Object, or Session Policy. The target rule can only be a User-Defined Rule (UDR) and specifically one that can accept parameters: a Parameterized User-Defined Rule (PUDR). The PUDR functionality can be accessed within the UBM module. (See the FortiDB MA User Behavior Monitor (UBM) User Guide.)

When there is a violation of the source rule, the target UDR gets executed, with 
the parameters passed from the source rule. An alert is generated both for the 
source violation and for the PUDR execution.
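The chaining semantics described above, modelled as an added example (constructed here, not FortiDB code): a chain fires only when enabled, runs either immediately or on the source rule's effective schedule (the footnote's item > database > module precedence), passes parameters only from a UBM User/Object/Session policy into a PUDR, and raises an alert for both the source violation and the PUDR execution. Rule and chain names are placeholders.

```python
from dataclasses import dataclass

# Constructed model of the page's chaining rules; not the product's own code.
UBM_POLICY_TYPES = {"User", "Object", "Session"}

@dataclass
class Rule:
    name: str
    module: str            # e.g. "PM", "MM" or "UBM"
    policy_type: str = ""  # for UBM policies: "User", "Object" or "Session"
    is_pudr: bool = False  # Parameterized User-Defined Rule (UBM only)

@dataclass
class Chain:
    name: str
    source: Rule
    chained: Rule
    run_immediately: bool  # False means "Run as Scheduled"
    enabled: bool = False  # "Enable Chain?" is unchecked until you tick it

def effective_schedule(module_sched, db_sched=None, item_sched=None):
    """Footnote precedence: item-specific beats database-specific beats module."""
    return item_sched or db_sched or module_sched

def can_pass_parameters(chain):
    """Parameters flow only from a UBM User/Object/Session policy into a PUDR."""
    return (chain.source.module == "UBM"
            and chain.source.policy_type in UBM_POLICY_TYPES
            and chain.chained.is_pudr)

def on_source_violation(chain, params, schedule):
    """Handle one source-rule violation.

    Returns (alerts, scheduled_job): alerts always contains the source
    violation; a second alert is added when the chained rule runs now,
    otherwise the run is handed back as a job for the given schedule.
    """
    alerts = [("violation", chain.source.name)]
    if not chain.enabled:
        return alerts, None              # chain exists but is not in effect
    passed = dict(params) if can_pass_parameters(chain) else {}
    if chain.run_immediately:
        alerts.append(("executed", chain.chained.name, passed))
        return alerts, None
    return alerts, {"rule": chain.chained.name, "params": passed,
                    "schedule": schedule}
```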

1. A module schedule will be overridden by a database-specific schedule, if one is set. A database-specific schedule will be overridden by an item-specific schedule, if one is set.

Note: For UBM policies, which are indicated in green, you can pass parameters from the Source Rule to the Chained Rule, if the latter is a Parameterized User-Defined Rule (PUDR) and if the Chain meets certain other conditions. For more information on how to create a PUDR, see the FortiDB MA User Behavior Monitor (UBM) User Guide. For more information on using PUDRs in a chain, see Chaining with Parameterized User-Defined Rules.
