Product Guide

McAfee Database Activity Monitoring 5.0.0
For use with ePolicy Orchestrator 4.6.3-5.0.1 Software

COPYRIGHT
Copyright © 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Database Activity Monitoring 5.0.0 Product Guide

Contents

1 Introduction                                                   5
    Key features                                                 5
    How McAfee DAM works                                         6
        Policy configuration                                     6
        Application Mapping                                      6
    Deployment                                                   6
    Supported databases                                          7

2 Installation                                                   9
    Deployment                                                   9
    Implementation workflow                                      9
    Install the extension                                       10
    Deploy the sensor                                           11
        Deploy the sensor from McAfee ePO 4.6                   11
        Deploy the sensor from McAfee ePO 5.0                   11
        Default sensor install paths                            12
        Operating system dependencies                           13
    Confirm sensor deployment                                   13
    Features added to McAfee ePO                                14
    Uninstall the extension                                     14

3 Policy configuration                                          17
    Policy categories                                           17
    Assign a policy                                             18
    DAM Sensor Configuration policy                             19
        Configure DAM Sensor Configuration policy               19
    DBMS Monitoring Configuration policy                        19
        Configure DBMS Monitoring Configuration policy          19
    vPatch policy                                               20
        Configure vPatch policy                                 20
        Update the vPatch policy                                20
    Custom Rules policy                                         21
        Configure Custom Rules policy                           22
    vPatch rules                                                22
        Edit vPatch rule properties                             23
        Add vPatch rule actions                                 23
        Enable or disable vPatch rules                          24
        Create an exception to a vPatch rule                    24
        Set the security level for a vPatch policy              25
        Remove vPatch rule actions                              25
        Create an allow rule                                    26
        Remove allow rule                                       26
    Custom rules                                                27
        Create a custom rule                                    27
        Remove a custom rule                                    28
        Change rule order                                       28
        Copy a custom rule to another policy                    29
    Rule objects                                                29
        Define rule objects                                     29
        Edit rule object properties                             30
        Remove rule objects                                     30
        Configure dynamic DVM objects                           30
    Rule syntax                                                 31
        Identifiers                                             31
        Operators                                               33
        Rule examples                                           33
    DAM server configuration                                    35
        Edit DAM server settings                                35
        DAM server settings                                     35

4 Database monitoring configuration                             37
    Database monitoring                                         37
    View DBMS details                                           37
    View DBMSs attached to sensor                               37
    Manage DBMS clusters                                        38
        Cluster DBMSs                                           38
        Change DBMS cluster type                                39
        Break DBMS cluster                                      39
    Disable monitoring                                          39
    Edit alternative connection                                 40
    Merge DBMSs                                                 40
    Recalculate DBMS policies                                   40
    Reset application mapping                                   41
    Clone DBMS                                                  41
    Add a DBMS                                                  41

5 Events, reporting, and troubleshooting                        43
    View the DAM events list                                    43
    View Application Mapping events                             43
    Create an allow rule based on Application Mapping           44
    View event details                                          44
    Load archived events                                        44
    View quarantine events list                                 45
    Remove a database user from quarantine                      45
    Queries and reports                                         45
        Custom queries and reports                              45
    Download the Sensor Analytic package                        46

Index                                                           47

1 Introduction

McAfee® Database Activity Monitoring (McAfee DAM) provides monitoring and management of database activity for multiple databases, with an optional vPatch service. It also includes prevention, database cluster support, third-party integration, and advanced reporting functionality.

Contents
    Key features
    How McAfee DAM works
    Deployment
    Supported databases

Key features

McAfee DAM provides full visibility into database user activity and can issue alerts or stop suspicious activities based on predefined vPatch rules and custom rules.

It also includes prevention, cluster support, third-party integration, and advanced reporting functionality.

• Database protection — Prevention of intrusion, data theft, and other attacks on your databases. McAfee DAM uses memory-based sensors to detect threats with a single, nonintrusive solution.

• Threat identification and intervention — High-risk violations can be configured to automatically close suspicious sessions and quarantine malicious users, allowing time for the security team to investigate the intrusion.

• Custom security policies — McAfee DAM enables you to create custom rule-based policies for users, queries, and database objects.

• vPatch updates — Virtual patching updates are provided regularly for newly discovered vulnerabilities, protecting sensitive data until a patch is released by the database vendor and can be applied. The updates can be implemented without database downtime.

• Audit log — Access to sensitive data, including complete transaction details, can be logged for audit purposes.

How McAfee DAM works

When the McAfee DAM extension is installed and the sensor is deployed on a database server that runs McAfee Agent, the sensor begins discovering and monitoring the databases on that server.

By default, the databases that McAfee DAM discovers are placed in the Lost & Found group in the System Tree. You can configure the rule settings in McAfee ePO to place the databases in a different location.

Use of the terms DBMS (database management system) and database varies according to platform vendor. In general, DBMS refers to the overall database system, including the data and the infrastructure around it, whereas database can refer to the data tables. In this document, the terms are used interchangeably.

Policy configuration

The monitoring policy for a DBMS is made up of the rules that are enabled and applied on that DBMS.

McAfee DAM provides enhanced DBMS security based on predefined vPatch rules and custom rules. vPatch rules are included in the product installation and help prevent attacks against known vulnerabilities. In addition, you can define custom rules that set the level of monitoring and alerting, and further protect your DBMSs against potential threats.

Incoming statements are compared to the rules and policies enabled for the DBMS. Action is taken based on the first rule that is matched; later rules that would also match are not evaluated. If a statement does not match any of the existing rules, the statement is allowed. Because the fallthrough is allow, rule order matters: an allow rule placed ahead of a protective rule stops that protective rule from ever firing for the traffic the allow rule covers.

Application Mapping

When the McAfee DAM sensor is deployed, it begins to collect sample information about access to the DBMS. Application Mapping provides baseline information about the activities that take place on the DBMSs during the sampling period, including which applications are run on the DBMS and which users are running them.

The Application Mapping Events page also includes a count for each cluster of applications, users, IP addresses, and each DBMS. This information can be used to create exceptions or allow rules (for example, if a certain combination of IP address, application, and user is audited elsewhere or is of no security or audit interest). In addition, the information can be used to create monitoring rules.
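The first-match evaluation described under Policy configuration, and the allow rules that Application Mapping lets you derive from a user, application and IP address combination, can be illustrated with a small rule engine. This is an added example and not McAfee code; it does not use the McAfee DAM rule syntax (covered in the Rule syntax section of chapter 3). The statement fields (user, application, source_ip, sql), the rule and action names, and the two protective rules are assumptions chosen to show the mechanics. It demonstrates the default-allow fallthrough, what happens when a baseline allow rule is placed ahead of a protective rule, and a check that reports rules which can never fire against a set of sample statements.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A statement as the sensor hands it to the rule engine. The field names
# (user, application, source_ip, sql) are assumptions made for this example.
Statement = Dict[str, str]


@dataclass
class Rule:
    name: str
    action: str                        # assumed action names: allow, alert, terminate
    match: Callable[[Statement], bool]
    enabled: bool = True


def evaluate(rules: List[Rule], stmt: Statement) -> Tuple[str, Optional[str]]:
    """First-match evaluation: the first enabled rule whose predicate holds
    decides the action. A statement that matches nothing falls through to
    allow, which is the default the guide describes."""
    for rule in rules:
        if rule.enabled and rule.match(stmt):
            return rule.action, rule.name
    return "allow", None


def matching_rules(rules: List[Rule], stmt: Statement) -> List[str]:
    """Every enabled rule that matches, in list order. Only the first one
    fires; the rest are shadowed for this statement."""
    return [r.name for r in rules if r.enabled and r.match(stmt)]


def shadowed_rules(rules: List[Rule], samples: List[Statement]) -> Dict[str, str]:
    """Rules that match at least one sample but never win, mapped to the
    rule that beat them. Run this over a sample of real traffic before
    pushing a policy that mixes allow rules with protective rules."""
    beaten: Dict[str, str] = {}
    winners = set()
    for stmt in samples:
        names = matching_rules(rules, stmt)
        if names:
            winners.add(names[0])
            for later in names[1:]:
                beaten.setdefault(later, names[0])
    return {name: by for name, by in beaten.items() if name not in winners}


def baseline_allow(name: str, user: str, application: str, source_ip: str) -> Rule:
    """Allow rule keyed on the user, application and IP triple that
    Application Mapping reports for a cluster of baseline activity."""
    triple = (user, application, source_ip)
    return Rule(name, "allow",
                lambda s: (s["user"], s["application"], s["source_ip"]) == triple)


# Protective rules standing in for vPatch-style content. Hypothetical, not
# McAfee's rule text: one terminates sessions that call the SQL Server
# xp_cmdshell procedure, one alerts on reads of a sensitive table.
BLOCK_SHELL = Rule("block-xp-cmdshell", "terminate",
                   lambda s: re.search(r"\bxp_cmdshell\b", s["sql"], re.I) is not None)
ALERT_CARDS = Rule("alert-card-numbers", "alert",
                   lambda s: re.search(r"\bcard_numbers\b", s["sql"], re.I) is not None)

# Allow rule built from a constructed Application Mapping baseline.
BILLING_ALLOW = baseline_allow("allow-billing-baseline",
                               "billing_svc", "billing.exe", "10.0.5.20")

# Constructed sample statements.
BILLING_READ = {"user": "billing_svc", "application": "billing.exe",
                "source_ip": "10.0.5.20", "sql": "SELECT total FROM invoices WHERE id = 42"}
BILLING_SHELL = {"user": "billing_svc", "application": "billing.exe",
                 "source_ip": "10.0.5.20", "sql": "EXEC master..xp_cmdshell 'whoami'"}
ANALYST_CARDS = {"user": "jdoe", "application": "ssms.exe",
                 "source_ip": "10.0.9.7", "sql": "SELECT * FROM card_numbers"}
UNKNOWN = {"user": "jdoe", "application": "ssms.exe",
           "source_ip": "10.0.9.7", "sql": "SELECT 1"}
SAMPLES = [BILLING_READ, BILLING_SHELL, ANALYST_CARDS, UNKNOWN]

# Protective rules first, baseline allow last: the allow rule only absorbs
# baseline traffic that no protective rule claims.
SAFE_ORDER = [BLOCK_SHELL, ALERT_CARDS, BILLING_ALLOW]
# Baseline allow first: it wins for everything from the billing triple,
# including the shell call, so the terminate rule can never fire.
RISKY_ORDER = [BILLING_ALLOW, BLOCK_SHELL, ALERT_CARDS]

if __name__ == "__main__":
    for label, order in (("safe order", SAFE_ORDER), ("risky order", RISKY_ORDER)):
        print(label, evaluate(order, BILLING_SHELL), "shadowed:", shadowed_rules(order, SAMPLES))
    print("no rule matched:", evaluate(SAFE_ORDER, UNKNOWN))
```

The shadow check is the part worth keeping: feed it the statements collected during the Application Mapping sampling period and it names every protective rule that an earlier, broader allow rule would silence. The safe pattern is to keep allow rules narrow (the full user, application and IP triple rather than any one of them) and to place them after the rules that terminate or alert.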

Deployment

Before the software can monitor and manage database activity, you must install the product extension on the McAfee ePO server and deploy the sensors to a database server where McAfee® Agent is installed.

Required components

• McAfee ePolicy Orchestrator 4.6.3 or later with these extensions installed:

  • McAfee Database Activity Monitoring extension

  • McAfee® Vulnerability Manager for Databases extension

  • McAfee® Rogue Database Detection extension 4.7 or later

  • McAfee® Advanced Management Core extension

• McAfee® Agent 4.6.3 or later

Supported databases

McAfee DAM can be used to monitor and manage activity on several different types of databases.

The supported databases include:

• IBM DB2 LUW 9.5 or later

• IBM DB2 for z/OS

• IBM DB2 iSeries (AS/400)

• Microsoft SQL Server 2000 or later on any supported Windows platform

• MySQL 5.1 or later on Linux

• Oracle 8.1.7 or later on Sun Solaris, IBM AIX, Linux, HP-UX, or Microsoft Windows

• Sybase ASE 12.5 or later on all supported platforms

• Teradata 12, 13, 13.10, or 14 on Linux

vPatch supports:

• IBM DB2 LUW 9.5 or later

• Microsoft SQL Server 2000 or later on any supported Windows platform

• MySQL 5.1 or later on Linux

• Oracle 8.1.7 or later on Sun Solaris, IBM AIX, Linux, HP-UX, or Microsoft Windows

• Sybase ASE 12.5 or later on all supported platforms

The lists of supported databases are updated regularly. To view the current lists, see:

• McAfee DAM supported databases

• vPatch supported databases

2 Installation

For McAfee DAM to be used with McAfee ePO software, you must first download and install the product extension and deploy the sensor to systems that run McAfee Agent.

Contents
    Deployment
    Implementation workflow
    Install the extension
    Deploy the sensor
    Confirm sensor deployment
    Features added to McAfee ePO
    Uninstall the extension

Deployment

Before the software can monitor and manage database activity, you must install the product extension on the McAfee ePO server and deploy the sensors to a database server where McAfee® Agent is installed.

Required components

• McAfee ePolicy Orchestrator 4.6.3 or later with these extensions installed:

  • McAfee Database Activity Monitoring extension

  • McAfee® Vulnerability Manager for Databases extension

  • McAfee® Rogue Database Detection extension 4.7 or later

  • McAfee® Advanced Management Core extension

• McAfee® Agent 4.6.3 or later

Implementation workflow

These tasks must be performed to enable McAfee DAM to monitor and manage database activity.

1 Verify that the extensions for McAfee Vulnerability Manager for Databases, McAfee Rogue Database Detection, and McAfee Advanced Management Core are installed in the McAfee ePO console.

2 Install the McAfee DAM extension using the McAfee ePO console.

3 Deploy the sensor on DBMSs using a product deployment task (in McAfee ePO 5.0.0) or a client task (in McAfee ePO 4.6.3).

4 Confirm the success of the sensor deployment in the Products tab of the respective system information pages.

See also
    Install the extension on page 10
    Deploy the sensor from McAfee ePO 4.6 on page 11
    Deploy the sensor from McAfee ePO 5.0 on page 11
    Confirm sensor deployment on page 13

Install the extension

The McAfee Database Activity Monitoring extension is installed using the ePolicy Orchestrator console.

Before you begin
• Back up the McAfee ePO back-end database.

• Verify that the extensions for McAfee Vulnerability Manager for Databases, McAfee Rogue Database Detection, and McAfee Advanced Management Core are installed.

• If the ePolicy Orchestrator console is not connected to the Internet, you need to download the product extensions from the McAfee download site, then install them from the ePolicy Orchestrator Extensions page.

• If you previously installed and uninstalled the product extension, you need to remove some tables manually. Contact McAfee technical support for details.

Task
For option definitions, click ? in the interface.

1 From the McAfee ePO console, click Menu | Software Manager.

2 In the Product Categories pane, select Software | Database Activity Monitoring.

All related components are listed, including the product extensions.

3 Select the DBSecDAMPolicy extension, then click Download or Check In.

4 When prompted, select ZIP as the package type.

5 Repeat for the Database Activity Monitoring extension and the Database Activity Monitoring help extension.

6 In the Software Manager, check in the McAfee DAM sensor managed product for the relevant operating systems.

When the installation is complete, Database Activity Monitoring and Help Content appear in the Components list.

By default, the extension is installed using a 30-day evaluation license, and EVAL appears on the shortcut icons and at the top of the vPatch Rules and DAM Server Settings pages. The evaluation version has several limitations. For example, it does not include vPatch security updates, so an evaluation deployment keeps only the vPatch rules it shipped with and receives no protection for vulnerabilities disclosed after that point. If you already have a license, we recommend that you install it now.

Deploy the sensor

You can create a client task to deploy the sensor to a DBMS that has McAfee Agent installed. Once the sensor is deployed, it starts automatically and appears in the System Tree.

Tasks
• Deploy the sensor from McAfee ePO 4.6 on page 11
  You can create a client task to deploy the sensor from the McAfee ePO 4.6 console.

• Deploy the sensor from McAfee ePO 5.0 on page 11
  You can deploy the sensor to DBMSs from the Product Deployment page of the McAfee ePO 5.0 console.

Deploy the sensor from McAfee ePO 4.6

You can create a client task to deploy the sensor from the McAfee ePO 4.6 console.

Before you begin
Verify that the Database Activity Monitoring package appears in the McAfee ePO Master Repository.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Client Task Catalog | Client Task Types | McAfee Agent | Product Deployment.

2 Click Actions | New Task.

3 In the Task Name field, enter the name of the new task.

4 From the Target Platforms drop-down list, select a platform.

5 From the Products and components drop-down list, select the DBMS McAfee Sensor package for the selected platform (for example, DBMS McAfee Sensor for Windows).

6 From the Action drop-down list, select Install.

7 Schedule the task deployment and configure more options as needed for any McAfee ePO client task. For more information, see the ePolicy Orchestrator documentation.

8 Click Save.

The deployment task is created and the sensor is deployed according to the task configuration.

The task is run as scheduled in the task properties. You can also run the task manually from the System Tree: select Actions | Agent | Run Client Task Now, then select the task to run. The Run Client Task Now option is supported for Windows systems only. Do not use this option for deployments to UNIX or Linux systems; let the scheduled task run instead. For more information on running client tasks, see the ePolicy Orchestrator documentation.

See also
    Default sensor install paths on page 12
    Operating system dependencies on page 13

Deploy the sensor from McAfee ePO 5.0

You can deploy the sensor to DBMSs from the Product Deployment page of the McAfee ePO 5.0 console.

Before you begin
Verify that the Database Activity Monitoring package appears in the McAfee ePO Master Repository.

Task
For option definitions, click ? in the interface.

1 Click Menu | Software | Product Deployment.

2 Click New Deployment.

3 Enter a task name and description, then define the type (Fixed or Continuous).

4 From the Products and components drop-down list, select the DBMS McAfee Sensor package for the target platform (for example, DBMS McAfee Sensor for Windows).

5 Schedule the task deployment and configure more options as needed for any McAfee ePO client task. For more information, see the ePolicy Orchestrator documentation.

6 Click Save.

The deployment task is created and the sensor is deployed according to the task configuration.

The task is run as scheduled in the task properties. You can also run the task manually from the System Tree: select Actions | Agent | Run Client Task Now, then select the task to run. The Run Client Task Now option is supported for Windows systems only. Do not use this option for deployments to UNIX or Linux systems; let the scheduled task run instead. For more information on running client tasks, see the ePolicy Orchestrator documentation.

See also
    Default sensor install paths on page 12
    Operating system dependencies on page 13

Default sensor install paths

The default sensor install paths and file names vary according to platform type.

Table 2-1 Default directories

Platform   Installation directory                             Logs directory
AIX        /opt/mfeagdbs.sensor                               /var/adm/mfe-agent-dbs-sensor
HPUX       /opt/mfeagdbs.sensor                               /var/adm/mfe-agent-dbs-sensor
Linux      /usr/local/mfe-agent-dbs.sensor                    /var/log/mfe-agent-dbs-sensor
Solaris    /opt/MFEAgentDBSsensor                             /var/adm/mfe-agent-dbs-sensor
Windows    C:\Program Files\McAfee\Database Security Sensor   C:\Program Files\McAfee\Database Security Sensor\logs

Table 2-2 File names

Platform   Configuration file                                                         Binary name                   Startup script name
AIX        /etc/mfe-agent-dbs-sensor                                                  mfeagtdbsensor                /etc/rc.d/init.d/mfe-agent-dbs-sensor
HPUX       /etc/rc.config.d/mfe-agent-dbs-sensor                                      mfeagtdbsensor                /sbin/init.d/mfe-agent-dbs-sensor
Linux      /etc/sysconfig/mfe-agent-dbs-sensor                                        mfeagtdbsensor                /sbin/init.d/mfe-agent-dbs-sensor
Solaris    /etc/default/mfe-agent-dbs-sensor                                          mfeagtdbsensor                /sbin/init.d/mfe-agent-dbs-sensor
Windows    C:\Program Files\McAfee\Database Security Sensor\McAfeeAgentDBSConfig.exe  McAfee-Agent-DBS-Sensor.exe   Service name: "McAfee Database Security Sensor"

Operating system dependencies

Successful installation of the sensor requires that specific packages be installed on the target operating system.

Platform: AIX
IBM XL C/C++ Enterprise Edition for AIX, V9.0 Runtime Environment and Utilities:
• xlC.aix50
• xlC.msg.Ja_JP
• xlC.msg.en_US
• xlC.msg.ja_JP
• xlC.rte
• xlsmp.aix52.rte
• xlsmp.msg.EN_US.rte
• xlsmp.msg.JA_JP.rte
• xlsmp.msg.Ja_JP.rte
• xlsmp.msg.ZH_CN.rte
• xlsmp.msg.Zh_CN.rte
• xlsmp.msg.en_US.rte
• xlsmp.msg.ja_JP.rte
• xlsmp.msg.zh_CN.rte
• xlsmp.rte
For details, see the IBM website.

Platform: HPUX PA-RISC 11.11 or later
• NFS.NFS-64SLIB
• OS-Core.CORE-64SLIB
• OS-Core.CORE-SHLIBS
• Streams.STREAMS-64SLIB

Platform: HPUX ia64 11.23 or later
• NFS.NFS-64SLIB
• OS-Core.CORE2-64SLIB
• OS-Core.CORE2-SHLIBS
• Streams.STREAMS-64SLIB

Platform: Linux
• libstdc++33 (this library is almost always pre-installed)

Platform: Solaris
• N/A

Platform: Windows
• N/A

Confirm sensor deployment

You can confirm the sensor deployment in the Products tab of the system details page.

Before you begin
Create and deploy the product deployment task.

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Click the system where the sensor is deployed.

3 In the system details page, select the Products tab.

The sensor deployment is indicated under Product.
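The Products tab reports what the console believes was deployed. A complementary check on the database host itself, against the default paths in Tables 2-1 and 2-2, catches the case where the task ran but the sensor files never landed, and is worth scripting for UNIX and Linux hosts where Run Client Task Now cannot be used and you are waiting on the scheduled task. This is an added example and not part of the guide or the product. Its assumptions: the mfeagtdbsensor binary sits directly under the installation directory (the guide gives only the file name), the split between hard requirements and warnings, and the mapping from uname to platform key. The existence test is injectable so the same logic can be run against a staged tree.

```python
import os
import sys
from typing import Callable, Dict

# Paths transcribed from Tables 2-1 and 2-2. Placing the binary directly
# under the installation directory is an assumption: the guide gives the
# file name but not its directory.
SENSOR_LAYOUT: Dict[str, Dict[str, str]] = {
    "aix": {
        "install_dir": "/opt/mfeagdbs.sensor",
        "binary": "/opt/mfeagdbs.sensor/mfeagtdbsensor",
        "config_file": "/etc/mfe-agent-dbs-sensor",
        "startup_script": "/etc/rc.d/init.d/mfe-agent-dbs-sensor",
        "logs_dir": "/var/adm/mfe-agent-dbs-sensor",
    },
    "hpux": {
        "install_dir": "/opt/mfeagdbs.sensor",
        "binary": "/opt/mfeagdbs.sensor/mfeagtdbsensor",
        "config_file": "/etc/rc.config.d/mfe-agent-dbs-sensor",
        "startup_script": "/sbin/init.d/mfe-agent-dbs-sensor",
        "logs_dir": "/var/adm/mfe-agent-dbs-sensor",
    },
    "linux": {
        "install_dir": "/usr/local/mfe-agent-dbs.sensor",
        "binary": "/usr/local/mfe-agent-dbs.sensor/mfeagtdbsensor",
        "config_file": "/etc/sysconfig/mfe-agent-dbs-sensor",
        "startup_script": "/sbin/init.d/mfe-agent-dbs-sensor",
        "logs_dir": "/var/log/mfe-agent-dbs-sensor",
    },
    "solaris": {
        "install_dir": "/opt/MFEAgentDBSsensor",
        "binary": "/opt/MFEAgentDBSsensor/mfeagtdbsensor",
        "config_file": "/etc/default/mfe-agent-dbs-sensor",
        "startup_script": "/sbin/init.d/mfe-agent-dbs-sensor",
        "logs_dir": "/var/adm/mfe-agent-dbs-sensor",
    },
    "windows": {
        "install_dir": r"C:\Program Files\McAfee\Database Security Sensor",
        "binary": r"C:\Program Files\McAfee\Database Security Sensor\McAfee-Agent-DBS-Sensor.exe",
        "config_file": r"C:\Program Files\McAfee\Database Security Sensor\McAfeeAgentDBSConfig.exe",
        "logs_dir": r"C:\Program Files\McAfee\Database Security Sensor\logs",
    },
}

# Without these the sensor cannot start. A missing logs directory or startup
# script is reported but does not fail the check (assumed split; a sensor that
# has not run yet may not have created its logs directory).
REQUIRED = ("install_dir", "binary", "config_file")


def detect_platform() -> str:
    """Map the running OS to a SENSOR_LAYOUT key (assumed sysname mapping)."""
    if sys.platform.startswith("win"):
        return "windows"
    sysname = os.uname().sysname.lower()
    return {"aix": "aix", "hp-ux": "hpux", "linux": "linux", "sunos": "solaris"}.get(sysname, sysname)


def check_sensor_install(platform: str,
                         exists: Callable[[str], bool] = os.path.exists) -> dict:
    """Report which artefacts from the tables are present on this host.
    `exists` is injectable so the logic can be run against a staged tree."""
    key = platform.lower()
    if key not in SENSOR_LAYOUT:
        raise ValueError("unknown platform: %s" % platform)
    layout = SENSOR_LAYOUT[key]
    present = [item for item, path in layout.items() if exists(path)]
    missing = [item for item in layout if item not in present]
    return {
        "platform": key,
        "present": present,
        "missing": missing,
        "ok": all(item in present for item in REQUIRED),
    }


def format_report(result: dict) -> str:
    """One line per artefact, marked OK or MISSING, followed by a verdict."""
    layout = SENSOR_LAYOUT[result["platform"]]
    lines = ["%-8s %-15s %s" % ("OK" if item in result["present"] else "MISSING", item, path)
             for item, path in layout.items()]
    lines.append("sensor deployment %s" % ("looks complete" if result["ok"] else "INCOMPLETE"))
    return "\n".join(lines)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else detect_platform()
    outcome = check_sensor_install(target)
    print(format_report(outcome))
    sys.exit(0 if outcome["ok"] else 1)
```

Run it on the database host after the deployment task's scheduled time, or pass a platform name to check a layout other than the host's own. A non-zero exit code makes it easy to fold into whatever job verifies the rest of the build.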

Features added to McAfee ePO

The extension adds or uses these features in the McAfee ePO environment.

System Tree
    Adds the Database Monitoring submenu to the Actions menu in the Systems tab.

Policy submenu
    Adds two options to the Policy submenu:
    • vPatch Rules — View, add, and edit vPatch rules.
    • Rule Objects — View, add, and edit rule objects.
    Adds two predefined client task types to the Client Task Catalog:
    • DAM Sensor Analytic Package — Extracts diagnostic information for troubleshooting purposes.
    • DAM Sensor Restart — Restarts the monitoring sensor (according to instructions from the support team).

Configuration submenu
    Adds one new option to the Configuration | Server Settings submenu:
    • DAM Server Settings — Manage the McAfee DAM server archive, log, and general settings.

Reporting submenu
    Adds three new options to the Reporting submenu:
    • DAM Events view — View the list of McAfee DAM events, and event properties.
    • Application Mapping — View information about activities taking place on a DBMS, including applications and their users.
    • Dashboards | Database Activity Monitoring — View charts and graphs related to McAfee DAM events.
    Adds the Database Activity Monitoring group of result types in Query Builder.

Permission sets
    Adds two predefined user roles:
    • Database Monitoring Manager — By default, the Database Monitoring Manager can create, edit, or delete Scheduler tasks and queries, and can view and edit all McAfee DAM policies, global vPatch rules and rule objects, events, and permission sets.
    • Database Monitoring Reviewer — By default, the Database Monitoring Reviewer can view the System Tree, Database Activity Monitoring settings, and DAM Events view.
    Because the Manager role can change vPatch rules, rule objects, and permission sets, reserve it for the administrators who maintain the policies and give analysts who only review events the Reviewer role.

Uninstall the extension

You can uninstall the McAfee Database Activity Monitoring extension using the McAfee ePO console. Uninstalling an extension permanently deletes its data.

Task
For option definitions, click ? in the interface.

1 Click Menu | Software | Extensions.

2 From the Extensions list, select Database Activity Monitoring and the corresponding Help Content extension, then click Remove.

3 When prompted to confirm, click OK.

Selecting Force removal is not recommended.

This task does not uninstall the sensor. Remove the sensor using a standard client task. For details, see the ePolicy Orchestrator documentation.

3 Policy configuration

McAfee DAM policy configuration enables you to implement the policy settings that are most appropriate for your organization.

Contents
    Policy categories
    Assign a policy
    DAM Sensor Configuration policy
    DBMS Monitoring Configuration policy
    vPatch policy
    Custom Rules policy
    vPatch rules
    Custom rules
    Rule objects
    Rule syntax
    DAM server configuration

Policy categories

McAfee DAM policies are grouped into several categories, with a default policy for each category. Each default policy is read-only. However, we provide a policy template, My Default, that you can use to edit and implement the policy settings for your organization.

DBMS Sensor Configuration

This policy determines the log configuration settings for the DAM sensor, and enables the definition of advanced parameters.

DBMS Monitoring Configuration

This policy category contains two default policies related to the McAfee DAM monitor configuration:

• McAfee Default Monitor Configuration — This policy is made up of the general monitoring settings, application mapping settings, and advanced logging parameters, as well as specific configuration settings according to database type.

• McAfee Disable Monitor Configuration — This policy disables monitoring for a database.

vPatch rules

The default Virtual Patching for Database (vPatch) rule policy is made up of the full list of predefined vPatch rules in read-only format. The rules are applied in the order that they appear in the list. You can duplicate the default policy to create a custom rule set. Custom vPatch rule policies automatically inherit all of the rules contained in the default policy; however, you can edit the rule properties in the customized policies.

The default policy is updated regularly by McAfee DAM to include up-to-date monitoring and protection against known and zero-day vulnerabilities.

Custom rules

This policy is made up of the custom rules defined based on your organization's ongoing monitoring of potential risks and activities.

You can create your own rules in the My Default custom rules policy, or duplicate the Empty Rules Template and create a custom rule policy.

Rule objects

This read-only policy is made up of the list of rule objects that can be used in dynamic rules. You can duplicate the default policy and create multiple rule object policies.

You can add rule objects to the read-only policy. All rule objects are included in all rule object policies; however, you can edit the rule object values in duplicated policies.

Assign a policy
You can assign a McAfee DAM policy to a managed system or DBMS.

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree | Systems, then select the group under the System Tree.

2 Select the system, then click Actions | Agent | Modify Policies on a Single System to open the Policy Assignment page for that system.

3 From the Product drop-down list, select Database Activity Monitoring. The relevant policy categories are listed with the system's assigned policy.

4 Locate the required policy, then click Edit Assignments.

5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.

6 From the Assigned policy drop-down list, select the policy.

The available policies depend on your role and permissions.

From this location, you can edit the selected policy or create a new policy. For more information, see the ePolicy Orchestrator documentation.

7 Select whether to lock policy inheritance.

Locking policy inheritance prevents any systems that inherit this policy from having another one assigned in its place.

8 Click Save.

The policy is assigned to the selected managed system.


DAM Sensor Configuration policy
The DAM Sensor Configuration policy determines the log configuration settings for the McAfee DAM sensor, and enables the definition of advanced parameters.

The default policy is read-only. A policy template, My Default, enables you to edit and implement the policy settings based on your organization's needs.

Configure DAM Sensor Configuration policy
Although a default DAM Sensor Configuration policy is provided, you can use the My Default policy template to implement different policy settings on specific systems.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select DAM Sensor Configuration.

2 Click My Default.

3 Edit the policy settings as needed, then click Save.

DBMS Monitoring Configuration policy
The DBMS Monitoring Configuration policy determines various monitoring options, including application mapping and failed logon monitoring.

The default policy is read-only. A policy template, My Default, enables you to edit and implement the policy settings based on your organization's needs. In addition, the read-only Disable Monitor Configuration policy is used to disable specific database instances from the System Tree.

You cannot assign the Disable Monitor Configuration policy and a default policy to the same database instance at the same time.

Configure DBMS Monitoring Configuration policy
Although a default DBMS Monitoring Configuration policy is provided, you can use the My Default policy template to implement different policy settings on specific systems.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select DBMS Monitoring Configuration.

2 Click the My Default link.

The default policy properties are organized into a general tab and one tab for each type of database platform.


3 Edit the settings as needed, then click Save.

The policy settings are applied only to database instances where the policy is assigned.

vPatch policy
The default vPatch policy comprises a predefined set of vPatch rules. The default policy is read-only.

You can duplicate the policy and edit the actions defined for specific rules. You can also duplicate the default vPatch policy and use it as the basis for creating a custom vPatch rule set. Custom vPatch rule policies automatically inherit all of the rules contained in the default policy; however, you can edit the rule properties in the customized policies.

The global vPatch policy is updated by McAfee DAM regularly (every several weeks) to provide monitoring and protection from new vulnerabilities.

Different vPatch policies can be assigned to different DBMSs in the system.

You can disable a vPatch rule, but you can't remove a rule from the vPatch Rules list.

Configure vPatch policy
You can use a duplicate copy of the vPatch policy as the basis for creating a custom vPatch rule set. Although the conditions (rule syntax) of these predefined rules cannot be edited, you can edit the actions and tags defined for specific rules. You can also create exceptions within the rules.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click your duplicate copy of vPatch Rules to open its vPatch Rules page.

3 To view or edit the properties of an existing rule, click the rule name.

Update the vPatch policy
McAfee DAM sends out notifications whenever new vPatch rules are available. We recommend that you update the vPatch rule set to provide protection from new vulnerabilities. The currently installed version of the vPatch policy appears in the Note column on the vPatch Policy page.

Tasks
• Update the vPatch rule set on page 20
  When connected to the Internet, McAfee DAM automatically downloads the vPatch package into the Master Repository. The package must then be applied to your McAfee ePO installation.
• Download and check in the vPatch rule set on page 21
  When McAfee ePO is not connected to the Internet, you must manually download and check in the updated vPatch rules package.

Update the vPatch rule set
When connected to the Internet, McAfee DAM automatically downloads the vPatch package into the Master Repository. The package must then be applied to your McAfee ePO installation.


Task
For option definitions, click ? in the interface.

1 Click Menu | Software | Master Repository.

2 Click Pull Now, then click Next.

3 Select the DAM vPatch package, then click Next.

4 Click Start Pull to apply the package.

The new vPatch rules are included in the default vPatch policy.

Download and check in the vPatch rule set
When McAfee ePO is not connected to the Internet, you must manually download and check in the updated vPatch rules package.

Before you begin
You must have Internet access to download the package.

Task
For option definitions, click ? in the interface.

1 Click the link in the notification you received to download the updated vPatch rules package, then save the package.

2 Click Menu | Software | Master Repository, then click Check In Package.

3 Select the package type, specify the path to where you saved the vPatch rules package, then click Next.

4 Click Save to check in the package.

The new vPatch rules are included in the default vPatch policy.

Custom Rules policy
You can create custom policies according to your audit and security needs. Different policies can be applied to different DBMSs in your organization.

DAM custom rule policies support multi-slot functionality so that more than one policy can be assigned to a system. You can enforce different policies for different purposes on the same system. For example, different policies might be configured for auditing, database security, and monitoring purposes.

In a multi-slot scenario, an allow rule affects only the policy where it is created.

Rule order

The order of the rules in the Custom Rules list is important. The first rule that is matched is the rule that is applied to the statement. If a statement does not match any of the existing rules, the statement is allowed.

There are two approaches to defining policy:


• Whitelist approach, which resembles the approach of firewalls, where you determine all the allowed actions first and then alert on all other actions (assuming that all other actions are suspect).

• Blacklist approach, which resembles the approach of IDS/IPS systems, where everything is allowed except actions that are considered suspect.

McAfee DAM users typically create a policy that integrates elements of both approaches, for example, using a Blacklist approach for all known attacks, while using a Whitelist approach for the use of development SQL tools.

Incoming statements are checked against the vPatch Rules list before they are checked against the Custom Rules list.
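The ordering behaviour described above (first matched rule wins, the vPatch Rules list is checked before the Custom Rules list, an allow rule is placed ahead of the rule it excepts, and a statement that matches nothing is allowed), shown as an added Python example that is not McAfee's code. The Rule class, the dict-shaped statement, the action names and every sample rule and statement are constructed for illustration; that the Custom Rules list is still evaluated after a vPatch allow rule matches is an assumption, not something this guide states.

```python
# Added example (not McAfee's code): a model of the rule-ordering semantics this
# guide describes. The Rule class, the dict-shaped statement, the action names and
# every sample rule and statement below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Statement = Dict[str, str]  # identifier name -> value, e.g. {"user": "dev_alice"}

@dataclass
class Rule:
    name: str
    condition: Callable[[Statement], bool]  # stands in for the comparator statements
    action: str                             # "allow", "alert" or "terminate" (constructed)
    enabled: bool = True

def first_match(rules: List[Rule], stmt: Statement) -> Optional[Rule]:
    """The first enabled rule whose condition matches is applied; later rules are skipped."""
    for rule in rules:
        if rule.enabled and rule.condition(stmt):
            return rule
    return None

def evaluate(vpatch_rules: List[Rule], custom_rules: List[Rule], stmt: Statement) -> str:
    """Return '<action>:<rule name>' for the rule that decides the statement.

    The vPatch list is checked before the Custom Rules list, and a matched vPatch
    allow rule stops evaluation of the remaining vPatch rules. Assumption: after a
    vPatch allow, the Custom Rules list is still evaluated. No match => allowed."""
    hit = first_match(vpatch_rules, stmt)
    if hit is not None and hit.action != "allow":
        return f"{hit.action}:{hit.name}"
    hit = first_match(custom_rules, stmt)
    if hit is not None:
        return f"{hit.action}:{hit.name}"
    return "allow:default"

# Constructed vPatch list: an allow rule placed ahead of the rule it excepts.
VPATCH_RULES = [
    Rule("allow_inventory_app_errors",
         lambda s: s["application"] == "inventory_app" and s["error_code"] != "0",
         "allow"),
    Rule("vp_repeated_db_errors", lambda s: s["error_code"] != "0", "alert"),
]

# Constructed Custom Rules list mixing the two approaches from the guide.
CUSTOM_RULES = [
    # Whitelist approach for a development SQL tool: the permitted use comes first ...
    Rule("dev_tool_permitted",
         lambda s: s["application"] == "dev_sql_tool" and s["user"] == "dev_alice",
         "allow"),
    # ... and every other use of that tool raises an alert.
    Rule("dev_tool_unexpected", lambda s: s["application"] == "dev_sql_tool", "alert"),
    # Blacklist approach for one known-bad action: dropping an HR table.
    Rule("drop_hr_table",
         lambda s: s["cmdtype"] == "drop" and s["object"].startswith("hr."),
         "terminate"),
]

# Constructed statements, keyed by a label used in the checks.
SAMPLE_STATEMENTS: Dict[str, Statement] = {
    "alice_dev_tool": {"user": "dev_alice", "application": "dev_sql_tool",
                       "cmdtype": "select", "object": "hr.salaries", "error_code": "0"},
    "bob_dev_tool": {"user": "bob", "application": "dev_sql_tool",
                     "cmdtype": "select", "object": "hr.salaries", "error_code": "0"},
    "inventory_err": {"user": "svc_inv", "application": "inventory_app",
                      "cmdtype": "select", "object": "inv.stock", "error_code": "942"},
    "reporting_err": {"user": "svc_rep", "application": "reporting_app",
                      "cmdtype": "select", "object": "inv.stock", "error_code": "942"},
    "drop_hr": {"user": "dba", "application": "admin_console",
                "cmdtype": "drop", "object": "hr.salaries", "error_code": "0"},
}

def decide(label: str, custom_rules: List[Rule] = CUSTOM_RULES) -> str:
    return evaluate(VPATCH_RULES, custom_rules, SAMPLE_STATEMENTS[label])

def decide_with_alert_first(label: str) -> str:
    """Same custom rules with the alert rule moved ahead of the allow rule: the
    permitted user is now alerted on too, which is why rule order matters."""
    reordered = [CUSTOM_RULES[1], CUSTOM_RULES[0]] + CUSTOM_RULES[2:]
    return decide(label, reordered)

if __name__ == "__main__":
    for label in SAMPLE_STATEMENTS:
        print(f"{label:15} -> {decide(label)}")
    print("alice, alert rule first ->", decide_with_alert_first("alice_dev_tool"))
```

The two custom rules for the development tool only give the intended whitelist result in that order; decide_with_alert_first shows the same rules with the order reversed, where the permitted user is alerted on as well. The error-code rules show the same point on the vPatch list: the allow rule for the application whose errors are expected has to come first.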

Rule templates

Custom rule policies use these templates:

• My Default — This template is empty when the product is first installed. You can create your own rules in this policy.

• Empty Rules Template — Duplicate this template and use it to create a custom rules policy.

• Integrity Monitoring — This template is made up of the rules that capture changes to the database, including the addition and removal of tables, and changes in table structure and data.

• Rule Examples — This template is made up of examples of custom rules that can be used as is or as models for creating new rules.

Configure Custom Rules policy
You can view and edit the rules that make up the Custom Rules policy.

By default, the Custom Rules policy does not contain any rules.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

By default, the custom rules policy does not contain any predefined rules.

2 Select the policy that you want to edit.

3 (Optional) Click Create New Rule to define a rule and add it to the Custom Rules policy.

4 To view or edit the properties of an existing custom rule, click the rule name.

vPatch rules
vPatch rules help prevent attacks against known vulnerabilities and database misconfigurations. A set of predefined vPatch rules is included as part of the McAfee DAM installation.

McAfee DAM updates this set of rules regularly to provide monitoring and protection from new vulnerabilities.

vPatch rules are applied in the order in which they appear on the vPatch Rules page.


Edit vPatch rule properties
You can edit the properties of a vPatch rule including its actions, tags, and description.

Changes to the properties in the default vPatch policy are applied to all vPatch policies unless Override global policy settings is configured in the rule in the duplicate policy.

Changes to the rule properties in a duplicate policy apply only to that policy.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select the rule that you want to edit, then click Actions | Edit Properties.

4 Edit the rule properties as needed.

5 Click OK.

Add vPatch rule actions
You can configure additional actions to be applied when vPatch rules are matched as part of the monitoring process. Duplicate vPatch policies automatically inherit the rules and rule actions contained in the default vPatch policy.

Changes to the rule actions in the default vPatch policy are applied to all vPatch policies unless Override global policy settings is configured in the rule in the duplicate policy.

Changes to the rule actions in a duplicate policy apply only to that policy.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the default vPatch rule policy or a duplicate policy to display the list of vPatch rules.

3 Select each of the rules where you want to add an action, then click Actions | Apply Actions.

4 If you are editing a copy of the default policy, select the Override global policy settings checkbox.

5 Select the actions that you want to apply to the selected rules:

• Log Level — Sets the level of criticality of the event.

• Threat event log — Sends an event to the threat event log if the rule is matched. If you select Terminate, the Quarantine option is displayed. To quarantine a user, select Quarantine and enter the number of minutes during which the user is prevented from reconnecting.

You can't send events to both the threat event log and the archive.

• To archive — Sends an alert only to the archive if the rule is matched.


• Syslog — Sends an alert to the syslog if the rule is matched.

• Windows event log — Sends an alert to the Windows event log if the rule is matched.

• Log file — Sends an alert to a log file if the rule is matched.

• Mask sensitive data with the following regular expression — Prevents the display of sensitive data in alerts. If selected, enter a regular expression in the Regular Expressions text box using standard regular expression syntax.

You can also configure an email notification for the rule using McAfee ePO by selecting Menu | Automation | Automatic Responses. Select ePO Notification Events, with Threats as the event type. In the filter settings for the Threat Name, define the comparison criteria as Contains with RULE NAME as the value. For more information, see the ePolicy Orchestrator documentation.

6 Click OK.

Enable or disable vPatch rules
You can enable or disable selected vPatch rules as needed.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select the rules that you want to enable or disable, then click Actions | Enable/Disable Rules.

4 In the Enable/Disable rules dialog box, select Enable or Disable as required, then click OK.

Create an exception to a vPatch rule
You can define an exception to a vPatch rule to allow specific conditions. Exceptions are defined in response to false positive results to prevent a vPatch rule from identifying a specific behavior as an attack.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Select the policy where you want to add the exception.

3 Select the rule where you want to add an exception, then click Actions | Edit Properties.

4 In the rule properties page, under Exceptions, click Add Exception.

5 In the text box that appears, enter the comparator statements that define the exception.

6 Click OK.


See also
Rule syntax on page 31
Rule examples on page 33

Set the security level for a vPatch policy
You can set the security level for the vPatch policy that is applied to your databases based on a predefined security level or by setting a customized set of parameters. This feature enables you to control the tradeoff between security level and performance. The defined settings are applied to the entire vPatch policy.

You can't set the security level for the global vPatch policy.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Select a copy of the vPatch Rules policy.

The security level for the vPatch policy appears as a link in the policy header.

3 Click the security level link to open the Security Level page.

4 Select a preconfigured security level (Top, High, Medium, or Low) or select Custom to define settings based on a combination of these parameters:

• Apply to DBMS Versions —
  • Vulnerable Versions Only: Enables vPatch rules based on relevant DBMS versions.
  • All Versions: Enables vPatch rules on all DBMS versions.

• Level — Enables vPatch rules according to the selected severity level (High Only, Medium and High, or All).

• Confidence — Enables vPatch rules according to the selected confidence level (High Only, Medium and High, or All).

5 Click OK.
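As an added Python example (not McAfee's code), the following shows how the Custom parameters from step 4 narrow a vPatch rule set, which is what the security-versus-performance tradeoff above comes down to: fewer enabled rules means less work per statement and less coverage. The per-rule severity, confidence and affected-version attributes, the sample rules and the DBMS version strings are constructed, and treating the three parameters as independent filters that a rule must all pass is an assumption; the presets (Top, High, Medium, Low) are not modelled because their settings are not stated in this guide.

```python
# Added example (not McAfee's code): how the Custom security-level parameters in
# step 4 narrow the set of enabled vPatch rules. The per-rule severity, confidence
# and affected-version attributes, the sample rules and the DBMS version strings
# are constructed; treating the three parameters as independent filters that a
# rule must all pass is an assumption. The presets (Top, High, Medium, Low) are
# not modelled because their settings are not stated in this guide.
from dataclasses import dataclass
from typing import List

RANK = {"low": 0, "medium": 1, "high": 2}
# Option names from the guide, mapped to the minimum rank a rule must have.
THRESHOLD = {"high only": 2, "medium and high": 1, "all": 0}
APPLY_TO_OPTIONS = ("vulnerable versions only", "all versions")

@dataclass
class VPatchRule:
    name: str
    level: str                      # rule severity: low / medium / high
    confidence: str                 # detection confidence: low / medium / high
    vulnerable_versions: List[str]  # DBMS versions the rule is relevant to (constructed)

def enabled_rules(rules: List[VPatchRule], dbms_version: str,
                  apply_to: str = "vulnerable versions only",
                  level: str = "all", confidence: str = "all") -> List[str]:
    """Names of the rules that remain enabled for one DBMS under these parameters."""
    apply_to, level, confidence = apply_to.lower(), level.lower(), confidence.lower()
    if apply_to not in APPLY_TO_OPTIONS:
        raise ValueError(f"unknown 'Apply to DBMS Versions' option: {apply_to!r}")
    min_level, min_conf = THRESHOLD[level], THRESHOLD[confidence]
    kept = []
    for rule in rules:
        if apply_to == "vulnerable versions only" and dbms_version not in rule.vulnerable_versions:
            continue  # this DBMS version is not affected, so the rule is not applied
        if RANK[rule.level] < min_level or RANK[rule.confidence] < min_conf:
            continue  # below the chosen severity or confidence floor
        kept.append(rule.name)
    return kept

# Constructed sample rule set (names and attributes are illustrative only).
SAMPLE_RULES = [
    VPatchRule("vp_a", "high", "high", ["11.1", "11.2"]),
    VPatchRule("vp_b", "medium", "low", ["10.2"]),
    VPatchRule("vp_c", "low", "high", ["11.2"]),
    VPatchRule("vp_d", "high", "medium", ["11.2"]),
]

if __name__ == "__main__":
    # Fewer enabled rules means less inspection work per statement but less coverage.
    for params in [("vulnerable versions only", "all", "all"),
                   ("vulnerable versions only", "high only", "high only"),
                   ("all versions", "all", "high only")]:
        print(params, "->", enabled_rules(SAMPLE_RULES, "11.2", *params))
```

Run the block as a script to see how each parameter combination shrinks the sample rule set for one DBMS version; for a new deployment, recording the enabled-rule count per combination is a simple way to reason about the performance side of the tradeoff before changing the level on a production policy.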

Remove vPatch rule actions
You can remove specific actions from a vPatch rule.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select the rules where you want to remove an action, then click Actions | Remove Actions.

4 Deselect the actions that you want to remove from the selected rules, then click OK.


The rule actions are updated. The removed actions are no longer applied when the selected vPatch rule is matched as part of the monitoring process.

Create an allow rule
An allow rule enables you to define exceptions to specific conditions of an existing rule.

vPatch allow rules are always evaluated before built-in vPatch rules. If the allow rule is matched, rule evaluation stops for all vPatch rules.

You can also create an allow rule from the Application Mapping page.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select each of the rules where you want to create an allow rule, then click Actions | Create allow rule.

4 In the Name field, enter a name for the rule.

5 Under Rule text, enter the comparator statements that make up the conditions of the rule.

6 Under Monitoring source, set the sources of information used to determine compliance with this rule:

• Auto (All) — The sources of information are detected and sampled automatically.

• All — All available sources of information are used.

• Memory — Information is collected by memory sampling.

• Network — Information is collected from network traffic.

7 (Optional) Add tags or comments to the rule.

8 Select Enable Rule to enable the rule on all vPatch policies.

9 Click OK to add the rule.

The rule is added.

See also
Rule syntax on page 31
Rule examples on page 33

Remove allow rule
You can remove multiple allow rules from the vPatch Rules list.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.


3 Select the rules you want to remove, then click Actions | Remove allow rule.

4 When prompted for confirmation, click OK.

Custom rules
Based on ongoing monitoring of potential risks, custom rules can be defined to provide protection against activity that your IT policy considers suspicious. Custom rules also help protect specific DBMSs according to their functionality.

You can create and enable custom rules that determine how to handle statements received by the DBMS. Rules can allow statements that match (whitelist), or they can be used to generate alerts regarding statements that do not match the policy (blacklist). A rule can also be used to automatically close potentially dangerous sessions.

Each rule consists of one or more comparator statements. Comparator statements are made up of Identifiers, Operators, and Literals. The relationship between multiple comparator statements is based on Boolean logic, using AND, OR, or NOT.

You can define exceptions to a rule that does not allow certain conditions by creating an Allow rule for the exception and placing it before the rule in the Rules list. You can also create an exception within the rule itself.

Create a custom rule
You can create custom rules based on the needs of your organization. For example, you can monitor access to sensitive tables in an HR DBMS, or you can protect against the use of SQL query tools that are not allowed on your production databases.

Before you begin
Before attempting to create custom rules, we recommend that you familiarize yourself with Application Mapping, which can save time when you create custom rules.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

2 Click the default vPatch rule policy or a duplicate policy to display the list of vPatch rules.

3 On the Custom Rules policy page, click Create New Rule.

4 In the Name field, enter a name for the rule.

5 Under Rule text, enter the comparator statements that make up the conditions of the rule.

6 Under Monitoring source, set the sources of information used to determine compliance with this rule:

• Auto (All) — The sources of information are detected and sampled automatically.

• All — All available sources of information are used.

• Memory — Information is collected by memory sampling.

• Network — Information is collected from network traffic.


7 (Optional) Under Exceptions, click Add Exception to display the rule exceptions section. In the text box that appears, enter the comparator statements that define the exception.

8 Under Actions, set the action to be taken when the rule conditions are met.

9 (Optional) Under Tags, add tags as needed.

10 (Optional) Under Comments, enter information for future reference.

11 Select Enable Rule to enable the rule.

12 Click Save.

See also
Rule syntax on page 31
Rule examples on page 33

Remove a custom rule
You can remove a rule from the Custom Rules list.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

c Select a Custom Rules policy to display its list of rules.

2 In the Custom Rules policy page, select the rule that you want to remove, then click Actions | Remove rule.

3 When prompted for confirmation, click OK.

Change rule order
The order of the rules in the Custom Rules policy is important. The first rule that is matched is the rule that is applied to the statement. If a statement does not match any of the existing rules, the statement is allowed.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:

a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

c Select a Custom Rules policy to display its list of rules.

2 In the Custom Rules policy page, select the rule that you want to reposition in the policy, then click Actions | Place New Location.

3 Set the location of the rule in the list, then click OK.


Copy a custom rule to another policy
You can copy a rule from one custom rule policy to another. This saves you time if you need to include it in more than one custom rule policy.

Task
For option definitions, click ? in the interface.

1 In the Custom Rules policy page, select the rule that you want to copy to another policy, then click Actions | Copy Rules to Another Policy.

2 Select the policy where you want to add the rule, then click OK.

Rule objects
Rule objects are components that can be used in defining dynamic rules.

These components are helpful when working with Allow rules. For example, you can use a rule object in the definition of a rule intended to allow a specific range of IP addresses.

McAfee DAM comes with several predefined rule objects. These predefined objects are used in the predefined rules and are listed on the Policy | Rule Objects page.

You can add rule objects to the global rule object policy. Rule objects can also be populated by different methods such as LDAP queries and DVM checks.

All rule objects are included in all rule object policies. You can edit the rule object values in duplicated policies.

Rule objects are managed on the Policy | Rule Objects page.

Define rule objects
You add rule objects to the global Rule Objects policy. The rule objects can then be used as components in rules.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Rule Objects, then click Actions | New Object.

2 Configure these parameters:

• Name — The name of the rule object (must be in English without spaces).

• Type — The type of identifier for the rule object.

• Value — The object value (according to the selected type), which can be manually input or automatically uploaded (see Dynamic Value).

• Comment — A brief comment or description.

• Dynamic Value — Automatically uploads the object values based on the selected option.

• Static — Uploads a list of values from an existing CSV file. Enter the file location in the File upload field or click Browse to locate and select the file, then click Upload CSV File.

• LDAP — Enables the use of LDAP Security groups for this rule object. Select the server, enter the fully qualified name of the LDAP Group, then click Add.


Click Show values to view the uploaded values in the Value text box.

• The use of dynamic LDAP objects is available only if an LDAP server is configured on the Menu | Configuration | Registered Servers page.

• The DVM option uploads the object values based on an object that was created from a DVM result. It is not enabled here.


The rule object is automatically added to the list of available values according to Identifier type and can be used in rule definitions.

Edit rule object properties
You can view and edit the properties of a rule object.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Rule Objects.

2 Select the rule object, then click Actions | Edit Properties.

3 On the Rule Object page, edit the parameters, then click Save.

Remove rule objects
You can remove a rule object provided that it is not in use in an existing rule.

Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Rule Objects.

2 Select at least one rule object, then click Actions | Remove Rule Objects.

3 When prompted for confirmation, click Yes.

Configure dynamic DVM objects
You can configure a dynamic rule object based on the findings of a McAfee Vulnerability Manager for Databases vulnerability scan.

If you are adding the object to the global Rule Objects policy, you can create a new rule object or override a selected rule object.

Task
For option definitions, click ? in the interface.

1 Click Menu | Reporting | DVM Events, then click the name of the event.

2 Click Actions | Set Rule Object.

This option is available only if data appears in the data set table.

3 Select the policy where you want to add the rule object.


4 Select one of these options:

• New Object — Creates a new object in the global Rule Objects policy. This option is enabled if Global Rule Object Policy is selected.

• Override Object — Overrides the settings of an existing rule object.

5 Under Pattern, set the type of values to fetch and how they appear in the rule object by selecting at least one option (Type, Username or Lock).

The syntax for the value appears in the text box.

6 Click OK.

Rule syntax
Each rule consists of one or more comparator statements, which are made up of Identifiers, Operators and Literals.

The relationship between multiple comparator statements is based on Boolean logic, using AND, OR, or NOT. Comparator statements can be grouped using parentheses. If parentheses are not used, the order of precedence is:

1 NOT

2 AND

3 OR

Identifiers

Three basic types of identifiers are used in rule comparator statements.

Identifier type Description

String-based Types that are matched against strings.

Number-based Types that can be translated into a number representation. Numbers can be in a specific range. Number-based types can be enforced to equal only a fixed set of constants.

Enumerated Types that represent a fixed set of constants that cannot be translated into a number representation.

McAfee DAM supports these identifiers.

All rules are case-insensitive. An identifier can be specified in lowercase, uppercase, or a combination of both. For example: user, User, USER, and uSEr are all legal for the user identifier. Constant values are case-insensitive, so SUNDAY and SunDAy are equivalent.

Identifier Type Description

action string The application action.

application string The application used to connect to the DBMS.

client_appl_name string The Sybase client application name. (Sybase only)

client_host_name string The Sybase client host name. (Sybase only)

client_name string The Sybase client name. (Sybase only)

clientid string The application set clientid accessing the DBMS. (Oracle only)

cmdtype string An action the statement is trying to perform, for example, select.


Identifier Type Description

context_info string Microsoft SQL context information. (Microsoft SQL only)

date number The date the statement is executed. The date must be in the form MM/DD/YY (US date format), for example 1/25/07.

error_code number The error code returned by the DBMS (for example, when the user is trying to access a table that does not exist).

exec_user string If a user logs on to an application and then changes to another user, the exec_user is the new user.

host string The domain name of the connecting application.

hour number The hour when the statement is executed. The hour must be in the form HH[:MM] where HH is in the range of 0–23 and MM in the range of 0–59. Note the minutes setting is optional.

inflow string The inflow PL/SQL object that originated the current executing statement. Same format as object.

inflowsql string The SQL statement part that originated the current executing command.

instance string The instance where the execution takes place. In Oracle, this value is the SID of the database instance. In Sybase, this value is the instance name. In MS SQL, it is the full instance name including the host (for example: MYHOST\SQLSERVER).

ip number The IP address where the statement is executed. IP addresses must be in the form of: XXX.XXX.XXX.XXX (single IP address) or XXX.XXX.XXX.XXX/YYY.YYY.YYY.YYY (IP with subnet). Each IP address is validated by McAfee DAM to prevent errors.

module string The application set module.

month number The month when the statement is executed: JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER. Alternatively, the short form of the month name is also supported, for example: JAN.

nethost string The host name of the network (this might differ from the host name reported for an application). Applicable only when network monitoring is enabled.

netip number The IP address of the network (this might differ from the IP address reported for an application). Applicable only when network monitoring is enabled.

object string The DBMS object being accessed. Supports syntax of the form [owner.]objectname. DBMS objects include tables, triggers, and stored procedures. In Oracle, the format is owner.objectname; in MS SQL and Sybase it is database.owner.objectname.

osuser string The operating system user.

schema string The default schema of the session.

session_state string • session_state=NEW_SESSION for monitoring session logons

• session_state=END_SESSION for logoffs

• session_state=NEW_LOGIN and session_state=END_LOGIN for monitoring change of user during transaction execution (specifically for Microsoft SQL Server)

• session_state=CHANGE_SCHEMA for monitoring changes in schema during the session (Oracle only)

• session_state=EXECUTE for all other statements

statement string The raw statement sent to the server.


Identifier Type Description

terminal string The machine where the user is logged on.

user string The DBMS user that is accessing the DBMS. See also exec_user.

version_mssql number The Microsoft SQL version. For example, version_mssql = 9.0.4053 for the relevant version of MS SQL 2005 (rarely used).

version_oracle number The full 5-digit Oracle version. For example, 10.1.0.3.0 (rarely used).

version_sybase number The particular Sybase version. For example, version_sybase = 12.5 or later (rarely used).

weekday value The day of the week when the statement is executed: SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY. Alternatively, the short form is also supported, for example, TUE.

Operators

McAfee DAM supports these operators.

Operator Description

= Equals (all types)

< Less than (all types)

> Greater than (number types only)

<= Less than or equal to (number types only)

>= Greater than or equal to (number types only)

<> Not equal to (all types)

(not)?like Compare to a string supporting the % character as a symbol for any string (string types only)

(not)?between Check if an identifier is between two values (number types only)

(not)?in Check if an identifier is in a list of values (all types)

(not)?matches Perform a regular expression match (string types only)

(not)?contains Perform a simple and fast string match (string types only)

length When inserted before an identifier, indicates a condition on the field's length. For example:

• "length statement > 1024" catches statements longer than 1024 bytes.

• "length user < 10" catches SQL statements where a DB user name length is shorter than 10 characters.

Rule examples

These examples illustrate the rule syntax.

More examples are provided in the Custom Rules | Rule Examples template.

Example 1

OSUSER = 'mycompany\john' AND APPLICATION CONTAINS 'sqlplus' AND HOST = 'johnlaptop.localdomain' AND IP = 192.168.1.7

Action: Allow

This rule allows John to use SQL*Plus from his station (defined by host name and IP address), thereby bypassing many rules that come later, such as preventing SQL*Plus from being used.


Example 2

APPLICATION CONTAINS 'sqlplus' OR APPLICATION CONTAINS 'toad'

Action: Log-high, terminate

This rule blocks any access by the applications Toad or SQL*Plus. It logs an alert with high severity.

Example 3

STATEMENT CONTAINS 'emps'

Action: log-medium

This example assumes that the emps.* columns include sensitive data that require protection, and that emps.salary and emps.cc are particularly sensitive.

This rule provides an alert every time a SQL statement includes the string emps. This rule alerts on any attempt to access columns containing the name emps (as well as any SQL statement component that includes the string emps). Even when the user is not actually accessing the objects (for example, the DBMS prohibits access based on authorization rules), this rule generates alerts (in contrast to using object, see example 4).

Example 4

OBJECT = 'emps.salary' OR OBJECT = 'emps.cc'

Action: Log-high

This example assumes that the tables emps.salary and emps.cc are particularly sensitive.

This rule provides a high-level alert each time the specified objects are accessed. An alert appears whether the object is accessed via a view, a stored procedure, a trigger, or another database. In this case, if the DBMS successfully restricts the user from accessing the objects, an alert is not generated because the object is not accessed.

Example 5

Statement contains 'drop session' Alert low

Statement contains 'alter DBMS' Alert low

Statement contains 'drop table' Alert low

Statement contains 'grant' Alert low

Statement contains 'grant dba' Alert medium

Statement contains 'grant sysdba' Alert medium

Statement contains 'noaudit' and osuser <> 'mycompany\johnd' Alert high

Action: Alert-high

In this example, the user receives alerts when various DDL commands are executed, and when someone other than the database administrator attempts to stop auditing.
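As an added example (not code from this guide or from the McAfee product), the following Python evaluator applies the rule syntax described above to constructed events: it tokenizes a rule, parses it with the documented NOT > AND > OR precedence and parentheses, and implements the identifier types and operators from the tables, including ip literals with a subnet mask, HH[:MM] hours, the short forms of weekday and month, and the length prefix. The list form `in (v1, v2)` and the form `between LOW and HIGH` are assumptions, since the guide does not give their exact syntax; the sample event and the last three rules are constructed, while the first two rules are Examples 1 and 4 above.

```python
import ipaddress, operator, re

NUMBER_IDS = {"date", "error_code", "hour", "ip", "netip", "version_mssql", "version_oracle", "version_sybase"}
OPS = {"=": operator.eq, "<>": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
STRING_OPS = {"contains": lambda l, r: r in l, "matches": lambda l, r: re.search(r, l) is not None}
TOKEN_RE = re.compile(r"('(?:[^']|'')*')|([0-9][0-9./:]*)|([A-Za-z_]\w*)|(<=|>=|<>|[=<>(),])")
LITERAL = ("STR", "NUM", "WORD")  # a bare word in value position is a constant such as SUNDAY

def tokenize(rule):  # (kind, value) tokens; words are lowercased because rules are case-insensitive
    return [("STR", s[1:-1].replace("''", "'")) if s else ("NUM", n) if n else
            ("WORD", w.lower()) if w else ("OP", o) for s, n, w, o in TOKEN_RE.findall(rule)]
def to_number(ident, text):  # textual form of a number-based identifier -> comparable value
    if ident in ("ip", "netip"):  # X.X.X.X, or X.X.X.X/Y.Y.Y.Y for an address with a subnet mask
        return ipaddress.ip_network(text, strict=False)
    if ident == "hour":           # HH[:MM] -> minutes since midnight
        hh, _, mm = text.partition(":")
        return int(hh) * 60 + int(mm or 0)
    return tuple(int(p) for p in re.split(r"[./]", text))  # error codes, versions; MM/DD/YY for = and <> only
def compare(op, left, right):  # =, <>, <, >, <=, >=; an ip literal with a subnet covers every address in it
    if isinstance(left, ipaddress.IPv4Network) and op in ("=", "<>"):
        return (left.network_address in right) == (op == "=")
    return OPS[op](left, right)
def evaluate(op, ident, use_length, field, vals):  # one comparator statement against one event field
    if use_length:                       # 'length ident' compares the length of the field
        left, rights = len(str(field)), [int(v) for v in vals]
    elif ident in NUMBER_IDS:
        left, rights = to_number(ident, str(field)), [to_number(ident, v) for v in vals]
    else:                                # strings match case-insensitively; SUNDAY and SUN are equivalent
        cut = 3 if ident in ("weekday", "month") else None
        left, rights = str(field).lower()[:cut], [v.lower()[:cut] for v in vals]
    if op in OPS:
        return compare(op, left, rights[0])
    if op == "in":
        return any(compare("=", left, r) for r in rights)
    if op == "between":
        return compare(">=", left, rights[0]) and compare("<=", left, rights[1])
    return STRING_OPS[op](left, rights[0])

class Parser:  # recursive descent with the documented precedence: OR binds loosest, then AND, then NOT
    def __init__(self, rule):
        self.toks, self.i = tokenize(rule), 0
    def take(self, kind, value=None, required=False):  # consume the next token if it matches
        tok = self.toks[self.i] if self.i < len(self.toks) else ("END", None)
        if tok[0] in kind and value in (None, tok[1]):  # kind: one token kind or a tuple of kinds
            self.i += 1
            return tok[1]
        if required:
            raise ValueError(f"expected {value or kind} at token {self.i}")
    def or_expr(self):
        node = self.and_expr()
        while self.take("WORD", "or"):
            node = (lambda l, r: lambda ev: l(ev) or r(ev))(node, self.and_expr())
        return node
    def and_expr(self):
        node = self.not_expr()
        while self.take("WORD", "and"):
            node = (lambda l, r: lambda ev: l(ev) and r(ev))(node, self.not_expr())
        return node
    def not_expr(self):
        if self.take("WORD", "not"):
            inner = self.not_expr()
            return lambda ev: not inner(ev)
        if self.take("OP", "("):         # parentheses override the default precedence
            inner = self.or_expr()
            self.take("OP", ")", required=True)
            return inner
        return self.comparison()
    def comparison(self):
        use_length = self.take("WORD", "length") is not None
        ident = self.take("WORD", required=True)
        negate = self.take("WORD", "not") is not None   # (not)?like, (not)?in, ...
        op = self.take("OP") or self.take("WORD", required=True)
        if op not in OPS and op not in STRING_OPS and op not in ("in", "between"):
            raise ValueError(f"unknown operator {op!r}")
        vals = [] if op == "in" else [self.take(LITERAL, required=True)]
        if op == "in":                   # in (v1, v2, ...): list syntax assumed, not stated in the guide
            self.take("OP", "(", required=True)
            while not self.take("OP", ")"):
                vals.append(self.take(LITERAL, required=True))
                self.take("OP", ",")
        elif op == "between":            # between LOW and HIGH: syntax assumed, not stated in the guide
            self.take("WORD", "and", required=True)
            vals.append(self.take(LITERAL, required=True))
        return lambda ev: ev.get(ident) is not None and evaluate(op, ident, use_length, ev[ident], vals) != negate
def compile_rule(rule):  # rule text -> predicate over an event dict keyed by lowercase identifier
    parser = Parser(rule)
    predicate = parser.or_expr()
    parser.take("END", required=True)    # the whole rule must have been consumed
    return predicate
SAMPLE_EVENT = {  # constructed sample event (not captured from a real DBMS), keyed by rule identifier
    "osuser": r"mycompany\john", "user": "SCOTT", "application": "sqlplus.exe", "ip": "192.168.1.7",
    "host": "johnlaptop.localdomain", "hour": "14:05", "weekday": "TUESDAY", "cmdtype": "select",
    "object": "emps.salary", "statement": "SELECT salary FROM emps WHERE empno = 7369"}
RULES = {  # Examples 1 and 4 from the guide, plus constructed rules that exercise the other operators
    "example1_allow_john": "OSUSER = 'mycompany\\john' AND APPLICATION CONTAINS 'sqlplus' "
                           "AND HOST = 'johnlaptop.localdomain' AND IP = 192.168.1.7",
    "example4_emps_objects": "OBJECT = 'emps.salary' OR OBJECT = 'emps.cc'",
    "lan_off_hours": "ip = 192.168.1.0/255.255.255.0 AND NOT hour BETWEEN 8:00 AND 18:00",
    "weekend_writes": "weekday IN (SAT, SUN) AND cmdtype NOT IN ('select')",
    "long_or_regex": "length statement > 1024 OR statement MATCHES 'from\\s+emps'"}
```

Calling `compile_rule(RULES[name])(SAMPLE_EVENT)` for each rule shows which conditions the constructed event satisfies; swapping in a different hour or weekday exercises the off-hours and weekend rules.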


DAM server configuration

The DAM server configuration includes the archiving and logging settings, external interface settings, licensed components, and advanced settings.

Edit DAM server settings

You can modify the DAM server settings on the Server Settings page, for example, to change the external interface settings.

Task

For option definitions, click ? in the interface.

1 Click Menu | Configuration | Server Settings, then select Database Activity Monitoring.

2 Edit the settings as needed, then click Save.

DAM server settings

Table 3-1 Archive settings

Option Definition

Enable Archive Select this option to enable saving of events in an archive.

Directory Path The full path to the location of the archive.

Rolling Interval The time period covered by each archive file (hourly or daily).

Table 3-2 Syslog settings

Option Definition

Enable Syslog Select this option to enable syslog to monitor events.

Host The IP address of the host where the syslog resides.

Port The port to be used for syslog communications.

Transport The transport type for connecting with the syslog server.

Maximum Packet Length The maximum length of a packet in the syslog.

Facilities The syslog facilities.

Format The file type to be used for the syslog (CSV, Sentinel, or Custom).

Table 3-3 Windows Event Log settings

Option Definition

Enable Windows Event Log Select this option to enable the Windows Event Log to monitor events.

Host The IP address of the host where the Windows Event Log resides (read-only).

Format The file type to be used for the Windows Event Log (CSV, Sentinel, or Custom).

Table 3-4 Log to File settings

Option Definition

Enable Log to File Select this option to enable saving of events in a file.

Directory Path The full path to the location of the log file.

Rolling Interval The time period covered by each log (hourly or daily).

Delete Files Older than The number of days after which the log file is deleted.

Format The file type of the log file (CSV, CEF, Sentinel, or Custom).


Table 3-5 Licensing and Advanced settings

Option Definition

Upload License Click Browse to locate and select a license key, then click Upload.

License Component Name The name of the licensed component.

License Type The type of license.

Expiration Date The date the license is set to expire.

Advanced Properties Consult with McAfee support before modifying these properties.

Key The name of the key.

Value The value assigned to the key.


4 Database monitoring configuration

McAfee DAM enables you to configure the monitoring settings for individual DBMSs and DBMS clusters.

Contents

Database monitoring
View DBMS details
View DBMSs attached to sensor
Manage DBMS clusters
Disable monitoring
Edit alternative connection
Merge DBMSs
Recalculate DBMS policies
Reset application mapping
Clone DBMS
Add a DBMS

Database monitoring

McAfee Database Activity Monitoring works within McAfee ePO to monitor and manage database activity for multiple databases.

Once a McAfee DAM sensor is installed, all detected databases are added to the System Tree. You can also manually add or import databases.

View DBMS details

You can view the detailed properties of a DBMS, including monitoring settings, application mapping settings, and policy timestamps.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Click the name of the DBMS where the sensor is deployed to display the DBMS properties page, then click the DBMS Details tab.

View DBMSs attached to sensor

You can view a list of the DBMSs attached to a specific sensor. The DBMSs attached to a sensor are affected when changes are made to the DAM Sensor Configuration policy.


Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the system where the sensor is deployed, then click the DBMS Details tab.

The DBMSs attached to the sensor are listed. You can click a DBMS name to view its detailed properties.

Manage DBMS clusters

DBMSs can be grouped into clusters, enabling you to handle two DBMSs as a single managed system. All DBMSs in a cluster are managed and reported by the same DBMS entry.

DBMS clustering also enables the implementation of Active-Passive or Active-Active failover.

Tasks

• Cluster DBMSs on page 38
You can select multiple DBMSs and group them into a single cluster. This is useful when several nodes of the same DBMS cluster are detected, and you want to manage them as a single DBMS.

• Change DBMS cluster type on page 39
You can change the type of failover that is implemented on the database instances in a cluster.

• Break DBMS cluster on page 39
You can ungroup the databases in a DBMS cluster so that they are no longer treated as a single DBMS.

Cluster DBMSs

You can select multiple DBMSs and group them into a single cluster. This is useful when several nodes of the same DBMS cluster are detected, and you want to manage them as a single DBMS.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select at least one database of the type you want to include in the cluster, then click Actions | Database Monitoring | Cluster DBMSs.

3 On the Cluster DBMSs page, select the databases to include in the cluster, then click Actions | Create Cluster.

4 On the Create cluster page, set these cluster properties:

• Cluster Type — The type of failover clustering to implement:

• Active-Passive — One active database instance runs at a time, with the second instance remaining idle. If failover occurs, the idle instance takes over for the database that is down.

• Active-Active — Two separate database instances run at the same time in the cluster. If failover occurs, the remaining instance handles the requests of both database instances.


• Remove Merged DBMSs from System Tree — The databases that are contained in the cluster are merged into a single entry in the System Tree and the individual nodes are removed.

5 Click OK.

A cluster containing the selected databases is created.

Change DBMS cluster type

You can change the type of failover that is implemented on the database instances in a cluster.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the database cluster, then click Actions | Database Monitoring | Change Cluster Type.

3 Select the required cluster type (Active-Passive or Active-Active), then click OK.

Break DBMS cluster

You can ungroup the databases in a DBMS cluster so that they are no longer treated as a single DBMS.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the database cluster, then click Actions | Database Monitoring | Break DBMS Cluster.

3 When prompted for confirmation, click Yes.

Disable monitoring

You can disable the default Monitoring Configuration policy for selected databases. For example, the databases discovered by the sensor might include databases outside the required auditing scope.

Disabling the Monitoring Configuration policy does not affect the enforcement of other types of policies (DBMS sensor configuration, vPatch rules, and custom rules).

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases where you want to disable monitoring, then click Actions | Database Monitoring | Disable Monitoring.

3 When prompted for confirmation, click OK.


Edit alternative connection

You can edit the alternative connection for one or more databases. The alternative connection is required for Sybase, MySQL, and Teradata databases. For other database types it is used when OS authentication fails or if the user doesn't want to use OS authentication.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases, then click Actions | Database Monitoring | Edit Alternative Connection.

3 Set these connection parameters:

a Select Enable Alternative DBMS Connection.

b Set the authentication method by selecting Use Credential Set or Username, then enter the relevant details.

4 Click OK.

Merge DBMSs

If a database is detected more than once (for example, due to upgrade or changes in the unique identifier or home directory), you must merge the DBMSs in the System Tree into a single entry.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select at least one database of the type you want to include in the merge, then click Actions | Database Monitoring | Merge DBMSs.

3 In the Merge DBMSs page, select the databases to include in the merge, then click Actions | Merge DBMSs.

4 Click OK.

The selected databases are merged.

Recalculate DBMS policies

You can manually trigger recalculation of the policies that are applied to selected DBMSs, for example, to ensure that policy changes are applied immediately.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases where you want to update the effective policy, then click Actions | Database Monitoring | Recalculate DBMS Policies.

When the recalculation is complete, OK appears in the message area.


Reset application mapping

Application mapping is performed per DBMS and provides information about the activities taking place on the DBMS, including which applications and users connect to the DBMS.

Application mapping reports on up to 50,000 events, and then stops monitoring the activity. You can reset application mapping on the DBMS to resume the application mapping activities.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases where you want to reset application mapping, then click Actions | Database Monitoring | Reset Application Mapping.

When the application mapping is reset, OK appears in the message area.

See also Application Mapping on page 6

Clone DBMS

Cloning an existing database enables you to manually create a cluster node when a passive DBMS that is part of a cluster is not identified by the system. If the DBMS becomes active, it is then managed as part of the cluster.

Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the database that you want to clone, then click Actions | Database Monitoring | Clone Database.

3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, or MYSQL).

4 In the SID field, enter the server ID.

5 In the DBMS Home field, enter the name of the DBMS home directory.

6 From the Architecture drop-down list, select 32 bit or 64 bit.

7 From the OS Type drop-down list, select the type of operating system.

8 Click Next to display the Select system page.

9 Select the systems you want to add the database to, then click Save.

Add a DBMS

McAfee DAM can be used to monitor multiple DBMSs. If the sensor does not automatically detect a database (for example, the passive node in a clustered database), you can manually add the DBMS to the configuration.


Task

For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select Actions | Database Monitoring | Add DBMS (DAM).

3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, or MYSQL).

The available DBMS parameters are refreshed according to the selected DBMS type.

4 In the SID field, enter the server ID.

5 In the DBMS Home field, enter the name of the DBMS home directory.

6 From the Architecture drop-down list, select 32 bit or 64 bit, as applicable.

7 From the OS Type drop-down list, select the type of operating system.

8 Click Next to display the Select system page.

9 Select the systems where you want to add the database, then click Save.

The DBMS is added in the System Tree.


5 Events, reporting, and troubleshooting

Enforcement of McAfee DAM policies generates events that can be viewed in McAfee ePO. You can also create customized queries and reports with the McAfee ePO Query Builder, and download the relevant McAfee DAM product logs for troubleshooting.

Contents

View the DAM events list
View Application Mapping events
Create an allow rule based on Application Mapping
View event details
Load archived events
View quarantine events list
Remove a database user from quarantine
Queries and reports
Download the Sensor Analytic package

View the DAM events list

McAfee DAM generates events based on compliance with its policies. These events are listed on the DAM Events page or in the McAfee ePO Threat Event Log.

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | DAM Events.

The DAM Events View page lists the event ID and severity, as well as information on the policy that detected the event.

2 (Optional) Click the column header to sort events by that column. (Sorting might cause pages to load more slowly.)

3 (Optional) To view the details of a specific event, click the event row.

View Application Mapping events

Application Mapping provides baseline information about the activities that take place on the databases. This information can be used to create exceptions or allow rules, and to create monitoring rules.


Task

For option definitions, click ? in the interface.

• Click Menu | Reporting | Application Mapping.

The Application Mapping Events page lists the event ID and severity, as well as information on the policy that detected the event.

Create an allow rule based on Application Mapping

An allow rule defines exceptions to specific conditions of an existing rule.

Place the allow rule before the rule in the Rules list so that its criteria are matched before the rule is applied.

The allow rule affects only the policy where it is defined.

Task

For option definitions, click ? in the interface.

1 On the Application Mapping Events page, click the name of the event.

2 On the Application Mapping Event Details page, click Actions | Create allow rule.

3 In the Name field, enter a name for the rule.

4 (Optional) Add tags or comments to the rule.

5 Select Enable Rule.

6 Click OK.

View event details

You can view the details of a specific DAM or Application Mapping event.

Task

For option definitions, click ? in the interface.

• On the DAM Events page or Application Mapping Events page, click the name of the event.

The event details page lists information about the event in read-only format.

Load archived events

You can load events from an archived file and view the events in the DAM Events View | Archived Events tab.

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | DAM Events, then click the Archive Management tab.

2 Select the archive, then click Actions | Load/Reload Archived Events.


View quarantine events list

McAfee DAM places databases in quarantine based on the events generated by the monitoring policies.

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | DAM Events, then click the Quarantine tab.

The Quarantine tab lists the databases under quarantine, the criteria for the quarantine action, the name of the rule that triggered the quarantine, and various quarantine-related parameters.

2 (Optional) Click the column header to sort the events by that column.

3 (Optional) To remove a database from quarantine, select the database, then click Actions | Unquarantine.

Remove a database user from quarantine

Removing a database user from quarantine enables renewed access to the database.

Task

For option definitions, click ? in the interface.

1 Click Menu | Reporting | DAM Events, then click the Quarantine tab.

2 (Optional) Select the database, then click Actions | Unquarantine.

Queries and reports

The extension includes query and report generation through the McAfee ePO software.

You can create queries from properties stored in the McAfee ePO database or use predefined queries. For more information, see the ePolicy Orchestrator documentation.

The extension adds these reporting features to the McAfee ePO environment:

• Several predefined queries that can be run with or without editing.

• A group of Query Result Types, DAM, is included in the Query Builder. This group contains a set of query targets related to database activity monitoring, which allows you to create custom queries.

Organize and maintain custom queries to suit your needs, then use them to run reports. You can export reports into various file formats.

Custom queries and reports

You can create customized queries and reports with Query Builder. The result types selected in Query Builder identify what type of data the query retrieves.

The extension adds a new group of Query Result Types, Database Activity Monitoring, in Query Builder. The group contains a set of query targets related to database activity monitoring.

Query result type Shows this information...

Archived Events Events archived.

Archive Management Archive files.


Query result type Shows this information...

DBMS Connection State The state of the DBMS connection in real-time.

DBMS Monitoring History Historical data about DBMS status and policy updates.

Events The events generated by enforcement of McAfee DAM policies

Events Per Rule Events generated by enforcement of McAfee DAM policies, according to the rule that triggered the event.

Quarantined DBMS User Users quarantined as a result of enforcement of McAfee DAM policies.

Sensor Connection State The state of the McAfee DAM sensor connection in real-time.

Sensor Connection State – History Historical data about the state of the McAfee DAM sensor connection.

For each result type, the extension adds various properties in Query Builder for use in custom queries.

For more information about creating and using queries and reports, see the ePolicy Orchestrator documentation.

Download the Sensor Analytic package

The Sensor Analytic package contains an aggregation of all McAfee DAM product logs that are used for troubleshooting only.

You can create a client task that generates the package as a .zip file, and then download the file and send it to McAfee support.

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Client Task Catalog | DAM Sensor Analytic package, then click New Task.

2 Select DAM Sensor Analytic package as the task type.

3 Run the task to create the package.

4 From the System Tree, select the system where the sensor is deployed to view the system information page, then click the DBMS Details tab.

5 Click the Download Analytic Package link, then save the file.

The Sensor Analytic package is ready to be sent to McAfee.


Index

A
allow rules
  creating 26
  creating from application mapping 44
  removing 26
alternative connection 40
application mapping 6
  creating allow rules 44
  resetting 41
  viewing events 43
archive management 44
archived events
  loading 44
assignment, policies 18

B
blacklist 21

C
cloning a database 41
clusters, See database clusters
connection
  alternative 40
custom queries 45
custom rules
  changing order 28
  copying to another policy 29
  creating 27
  overview 27
  policy 22
  removing 28
  rule order 21

D
DAM server settings 35
  details 35
database clusters
  breaking 39
  changing type 39
  defining 38
databases
  adding 41
  advanced properties 41
  cloning 41
  clusters 38, 39
  disabling monitor configuration policy 39
  edit alternative connection 40
  merging 40
  recalculating policies 40
  removing users from quarantine 45
  resetting application mapping 41
  viewing by sensor 37
  viewing details 37
DBMS sensor configuration policy
  about 19
  configuring 19
DBMSs
  See also databases
  supported 7
deployment of Database Activity Monitoring 6, 9
downloads, Database Activity Monitoring extension 10
dynamic rule objects 30
dynamic values 29

E
evaluation license, limitations 10
events
  application mapping 43
  DAM, view list 43
  loading from archive 44
  quarantine 45
  viewing details 44
exceptions
  adding to a custom rule 27
  adding to a vPatch rule 24
extension, McAfee Database Activity Monitoring 10
  installing 10
  uninstalling 14

F
failed logon monitoring 19
failover 38
features
  added to McAfee ePO environment 14

McAfee Database Activity Monitoring 5.0.0 Product Guide 47

Page 48: Database Activity Monitoring 5.0.0 Product Guide Introduction McAfee® Database Activity Monitoring (McAfee DAM) provides monitoring and management of database activity for multiple

features (continued)Database Activity Monitoring 5

Iidentifiers 31

installation, McAfee Database Activity Monitoringdeploying the package 10

downloading the package 10

product extension 10

workflow 9

Mmonitor configuration policy 19

disabling 39

overview 19

Ooperators 33

overviewfeatures added to McAfee ePO environment 14

Ppackages

deploying 10

downloadinginstalling 10

installing 10

permission setsDatabase Activity Monitoring 14

policiesabout 6assigning 18

categories 17

custom rules 22

DBMS sensor configuration 19

monitor configuration 19

monitor configuration, disabling 39

recalculating 40

timestamps 37

vPatch rules 20

Qquarantine

removing database users 45

viewing events 45

queriescustom 45

Database Activity Monitoring 45

Query Builder, Database Activity Monitoring additions 45

query result types 45

Rreports 45

rule actionsediting 23

removing 25

rule objects 29

creating 29

dynamic, configuring 30

editing properties 30

removing 30

rule syntax 31

examples 33

identifiers 31

operators 33

ruleschanging order 28

order 21

syntax examples 33

Ssecurity level, vPatch policy 25

Sensor Analytic package 46

sensorschecking in 10

confirming deployment 13

default install paths 12

deploying 11

deploying, ePO 4.6 11

deploying, ePO 5.0 11

viewing attached DBMSs 37

server settingsDAM, editing 35

System Treeactions added by Database Activity Monitoring 14

adding DBMSs 41

application mapping 41

breaking DBMS clusters 39

changing DBMS cluster type 39

creating DBMS clusters 38

merging DBMSs 40

recalculating DBMS policies 40

Ttroubleshooting 46

VvPatch policies

allow rules 26

checking in rule set 21

overview 20

security level 25

updating rule set 20

Index

48 McAfee Database Activity Monitoring 5.0.0 Product Guide

Page 49: Database Activity Monitoring 5.0.0 Product Guide Introduction McAfee® Database Activity Monitoring (McAfee DAM) provides monitoring and management of database activity for multiple

vPatch rulesadding exceptions 24

applying actions 23

checking in rule set 21

configuring policy 20

disabling 24

editing properties 23

enabling 24

vPatch rules (continued)removing actions 25

updating rule set 20

Wwhitelist 21

Index

McAfee Database Activity Monitoring 5.0.0 Product Guide 49
