Best Practices Guide. Database Activity Monitoring Best Practices



Similar documents
McAfee Certified Product Specialist McAfee epolicy Orchestrator

McAfee Endpoint Protection for SMB. You grow your business. We keep it secure.

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Power, Patch, and Endpoint Managers Expand McAfee epo Platform Capabilities While Cutting Endpoint Costs

McAfee Web Reporter Turning volumes of data into actionable intelligence

What s New in AppliDis Fusion 4 Service Pack 1

NTP Software File Reporter Analysis Server

Data Collection Agent for NAS EMC Isilon Edition

How To Buy Nitro Security

Data Collection Agent for Active Directory

McAfee Security Architectures for the Public Sector

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

McAfee Certified Assessment Specialist Network

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection

McAfee Public Cloud Server Security Suite

Parallels Mac Management v4.0

Security Analysis. Spoofing Oracle Session Information

GOOD PRACTICE GUIDE 13 (GPG13)

<Insert Picture Here> Oracle Database Security Overview

DEPLOYMENT ROADMAP March 2015

Enterprise Vault 11 Feature Briefing

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

SapphireIMS Business Service Monitoring Feature Specification

An Oracle White Paper March Integrating Microsoft SharePoint Server With Oracle Virtual Directory

White Paper. McAfee Real-Time Database Monitoring, Auditing, and Intrusion Prevention

Version 9. Active Directory Integration in Progeny 9

TelePresence Migrating TelePresence Management Suite (TMS) to a New Server

Verax Service Desk Installation Guide for UNIX and Windows

Password Management. Password Management Guide HMS 9700

McAfee Enterprise Mobility Management Versus Microsoft Exchange ActiveSync

McAfee Endpoint Encryption Manager

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

Oracle Database Security Myths

Oracle Enterprise Manager

DocAve for Office 365 Sustainable Adoption

FileMaker Security Guide The Key to Securing Your Apps

McAfee Server Security

White Paper. PCI Guidance: Microsoft Windows Logging

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

Setup Guide Revision B. McAfee SaaS Archiving for Microsoft Exchange Server 2010

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Centrify Identity Service and Mac - Online Training

NovaBACKUP xsp Version 15.0 Upgrade Guide

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Installation Guide. Tech Excel January 2009

Netop Remote Control Security Server

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Auditing Data Access Without Bringing Your Database To Its Knees

How To Manage Em Sourceone In Windows Exchange

Intel Storage System SSR212CC Enclosure Management Software Installation Guide For Red Hat* Enterprise Linux

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Managing BlackBerry Enterprise Service 10 version 10.2

Configuration Guide. for the Lepide User Password Expiration Reminder

Encryption Made Simple

Application Monitoring for SAP

SapphireIMS 4.0 BSM Feature Specification

Installing Sage SalesLogix on Microsoft Windows 8, Windows Server 2012, and Internet Explorer 10 Version Developed by Sage SalesLogix User

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

OpenText Media Management Audit Module FAQ

Total Protection for Compliance: Unified IT Policy Auditing

IBM Tivoli Network Manager V3.9

TECHNICAL NOTES. Technical Notes P/N REV 01

Intel Security Certified Product Specialist McAfee Network Security Platform (NSP)

Centrify Cloud Connector Deployment Guide

Release Notes for Version

Application Performance Monitoring for WhatsUp Gold v16.1 Getting Started Guide

CommVault Simpana Archive 8.0 Integration Guide

AvePoint Record Rollback for Microsoft Dynamics CRM

McAfee Application Control / Change Control Administration Intel Security Education Services Administration Course

Symantec Enterprise Security Manager Oracle Database Modules Release Notes. Version: 5.4

FileMaker Security Guide

An Oracle Technical White Paper May How to Configure Kaspersky Anti-Virus Software for the Oracle ZFS Storage Appliance

Symantec ESM Agent For IBM iseries AS/400

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Oracle Audit Vault Administrator s Guide Oracle Audit Vault Auditor s Guide Oracle Enterprise Manager Cloud Control Administrator s Guide

An Oracle White Paper September Oracle WebLogic Server 12c on Microsoft Windows Azure

HP Device Manager 4.7

IBM WebSphere Application Server Communications Enabled Applications

An Oracle White Paper March Managing Metadata with Oracle Data Integrator

NTP Software VFM Administration Web Site for Azure

Infor SyteLine Integration Guide for Infor Factory Track

High Availability And Disaster Recovery

Spotlight Management Pack for SCOM

IBM Tivoli Provisioning Manager V 7.1

MySQL Security: Best Practices

McAfee Security Information Event Management (SIEM) Administration Course 101

How to Audit the Top Ten E-Business Suite Security Risks

Banner overview. Authentication to Banner & 3 rd Party Apps. Authorization to Banner & 3 rd Party Apps

PowerBroker for Windows

LANDESK Service Desk. Supported Platforms and Feature Compatibility

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

An Oracle White Paper February Oracle Data Integrator 12c Architecture Overview

TIBCO ActiveMatrix BusinessWorks Plug-in for Microsoft SharePoint Release Notes

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Transcription:

Best Practices Guide

Table of Contents Recommended Object Groups 3 Generic groups 3 Application-specific groups 4 Recommended Rules 6 Generic rules 6 Application-specific rules 7 Summary 7 2

This document contains recommendations from McAfee for creating custom rules and rule objects. It should serve both as a starting point for the implementation of McAfee Database Activity Monitoring and as an example of the ease of rule creation and management. Recommended Object Groups Object groups are groups of elements that can be used as replacement variables inside rules with the $groupname notation. It allows you to decouple the rules from the actual parameters that the rules apply to so that changing those parameters will affect all rules using the group without the need to actually change the rules themselves. Generic groups The generic groups are groups relevant to all applications and databases. Those groups will be later used in generic rules as well as in application related rules. admin_ips object type = IP Create a group that will contain either a list of IPs for administrator machines or an administrative subnet (if it exists). Example: 192.168.1.1, 192.168.1.2, 192.168.0.0/255.255.0.0 suspect_programs object type = application This pre-populated group contains a list of programs that allow you to directly manipulate database content without the restrictions of an application. You can edit this group to add various applications used in your organization that should be restricted. Example sqlplus, toad, DbVisualizer, SQL Developer, SQL Server Management Studio, osql, Microsoft Office, sqlcmd, plsqldeveloper, sqlplusw, sqlnavigator, dbartisan, tora, rapidsql suspect_modules object type = module This group is essentially the same as the above suspect_programs group but contains a list of suspect modules such as SQL*Plus. Modules are harder to fake than applications. Example SQL*Plus, T.O.A.D work_day object type = weekday This pre-populated group contains the list of working days for your organization. Example: MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY work_hours object type = hour This group should contain a list of regular working hours. Example 07, 08, 09, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 3

admin_db_usernames object type = user This group should contain the list of database administrator usernames. The group can be populated by running McAfee Vulnerability Manager scans and collecting the list of all administrative accounts. Example sys, system, dbsnmp, sysman, sa admin_os_usernames object type = osuser This group should contain the list of administrator usernames. The group can be populated by integrating with Microsoft Active Directory or LDAP and pointing to the security group the DBAs are part of. Example oracle, joe, john, jane Application-specific groups The following groups are groups that should be specified per application. The <app> notation in the group name should be replaced with a TLA representing the actual application such as CRM, ERP, or others. <app>_allowed_programs object type = application This group should contain a list of application names that the given application consists of. Please review application mapping to see the actual application names connecting to the database. Example apps.exe, console <app>_allowed_module object type = module This group should contain a list of modules that the application uses. If the application passes the module to the database, you can use this group. Alternatively, you can take advantage of the McAfee Database Activity Monitoring Identifier application plug-in to propagate application modules into the database. Please review application mapping to see the actual module names connecting to the database. Example admin, customer, account <app>_allowed_ips object type = IP This group should contain the list of IPs that are allowed to access the application databases. You can also use subnets. Example 192.168.0.0/255.255.0.0 <app>_db_users object type = user This list should contain the database users that own or access the application data. Usually, an application will use a single central database user to own all application tables. Please review application mapping to see the actual users connecting to the database. Example apps 4

<app>_os_users object type = osuser This group should contain the list of OS users that the application server is running with (in the case of a three-tier application) or a list of allowed OS users in client server architecture. Please review application mapping to see the actual users connecting to the database. Example local_system, oracle_ias <app>_db_admins object type = user This group should contain application-specific administrative accounts in the database. Example apps_admin <app>_os_admins object type = osuser This group should contain application-specific OS users that have administrative privileges in the database. The group can be populated by integrating with Active Directory or LDAP and pointing to the security group the application DBAs are part of. Example oracle, joe, john, jane <app>_sensitive_objects object type = object This group should contain the list of sensitive objects that should be given extra protection. Such objects are usually either tables containing sensitive data (PII, CC) or stored program units used for encryption/ decryption of sensitive data. The group can be populated by running vulnerability manager scans and performing data discovery. Example customers, cc_table, encryption_pkg <app>_end_user_administrators object type = clientid This group should contain a list of end-user application administrative accounts. It can be used either if the application is setting the client_identifier database field or by taking advantage of the McAfee Database Activity Monitoring Identifier application plug-in to propagate application end users into the database. Example joe, john, jane <app>_admin_module object type = module This group should contain a list of administrative modules in the application. If the application passes the module to the database, you can use this group. Alternatively, you can take advantage of the Database Activity Monitoring Identifier application plug-in to propagate application modules into the database. Example admin, account 5

Recommended Rules The following paragraph will specify custom rules that an organization is advised to create to protect its databases. It is recommended that several database groups be created and that the rules be applied to the relevant groups. Examples for such groups are test, staging, and production so that rules will first be applied to the test databases then to staging and then to production. Also, if there are several databases for specific applications, it is recommended that groups be created for them as well. Please note that the following rules should be viewed as recommendations and will probably require refinement for each organization. It is also recommended that rules be created with an initially lower alert level than what s specified below for the first three months (as you are learning about all the applications that connect to the database) and then tighten app the configuration with higher level alerts after the initial refinement. For each rule, we specify rule name in the title, the actual rule text in quotes and the recommended level of alert. Generic rules The following rules should be applied across all the databases (starting from the test group and gradually moving to production). They contain recommended generic protections to restrict access to administrative accounts and to alert on unusual activities in the database. Restrict admin access Rule = user = $admin_db_usernames and (ip not in $admin_ips or osuser not in $admin_os_ usernames) Alert on suspect programs Rule = application contains $suspect_programs or module contains $suspect_modules Alert = Medium Alert on suspect activity Rule = weekday not in $work_days or hour not in $work_hours Alert = Low DDL/DCL activity Rule = cmdtype contains $ddl_cmdtypes and cmdtype <> alter session or cmdtype contains $dcl_ cmdtypes Alert = Low Suspicious activities The rule will catch access to dictionary views to help catch someone doing reconnaissance. Syntax here is Oracle-specific, but similar rules can be applied to other databases. Rule = object in ( user_users, user_tables, user_tab_cols, user_sys_privs, user_role_privs, user_ tab_privs, all_users, all_tables, all_tab_cols, all_sys_privs, all_role_privs, all_tab_privs, dba_users, dba_tables, dba_tab_cols, dba_sys_privs, dba_role_privs, dba_tab_privs ) Alert = Low 6

Application-specific rules The following rules should be applied per application. As with the previous section, it is recommended to apply them to the test databases first and move gradually to the production. Restrict access to <app> Rule = user in $app_db_users and (application not in $<app>_allowed_programs or module not in $<app>_allowed_modules or ip not in $<app>_allowed_ips or osuser not in $<app>_os_users) Alert = Medium Protect <app> sensitive objects Rule = object in $<app>_sensitive_objects and (user not in $<app>_db_users or application not in $<app>_allowed_programs or module not in $<app>_allowed_modules or ip not in $<app>_allowed_ ips or osuser not in $<app>_os_users) Restrict <app> administrators Rule = user in $app_db_admins and osuser not in $app_os_admins Restrict <app> admin modules Rule = module in $<app>_admin_modules and clientid not in $<app>_end_user_administrators Restrict <app> sensitive table access Rule = object in $<app>_sensitive_objects and statement not contains where Summary Need more information? For technical support and detailed product documentation, please visit the McAfee Support Service Portal. In addition, you can find valuable knowledge posted by members of McAfee s user community here. 7

Disclaimer: These recommendations for rule objects and rules will require some refinement for each implementation of McAfee Database Activity Monitoring. 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2012 McAfee, Inc. 51500gde_dam_0912_fnl_ETMG

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information