3.0 Quest InTrust for Databases User Guide

Quest InTrust for Databasesusdownloads.quest.com.edgesuite.net/Repository/support...Chapter 1 9 Introduction to InTrust for Databases Console Console Users There are two types users



Quest InTrust for Databases 3.0

User Guide


2 InTrust for Databases User Guide

© 2008 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, please contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656

www.quest.com
email: [email protected]

Refer to our web site for regional and international office information.

Disclaimer: The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Trademarks Quest, Quest Software, the Quest Software logo, Foglight, and vFoglight are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Third-Party Contributions This product includes Microsoft software.

InTrust for Databases 3.0 User Guide
November 2008


Table of Contents

Introduction to InTrust for Databases .......... 7
    Introduction to InTrust for Databases User Console .......... 8
        Console Users .......... 9
    Features .......... 10
    Get Started .......... 11
        Suggestions for an OPERATOR .......... 12
        Suggestions for a USER .......... 13
    Connect to an IDB Server .......... 14

Build Profiles and Policies .......... 15
    Introduction to Profiles and Policies .......... 16
        About Profiles .......... 16
        About Policies .......... 16
    Use Profile and Policy Templates for a Quick Start .......... 17
        Create Policies Quickly .......... 18
    Build Custom Profiles .......... 19
        Create Instance Profiles .......... 19
        Create Table Profiles .......... 21
        Create User Profiles .......... 23
        Create Error Profiles .......... 25
        Create Time Profiles .......... 25
        Create Session Profiles .......... 25
        Apply Changes to Profiles .......... 26
    Create Custom Policies .......... 26
        Create Threat Policies .......... 27
        Create Exploit Policies .......... 28
        Define Actions to Take when an Incident Occurs .......... 30
        Apply Changes to Policies .......... 32
    Analyze Policy Details .......... 33
        Get a Policy Overview .......... 33
        View All Policies .......... 34
        Analyze the Incident Calendar .......... 36
        View Details for a Specific Policy .......... 39
    Improve Profiles and Policies .......... 41

Manage Tickets .......... 43
    Introduction to Tickets .......... 44
    Workflow Roles .......... 44
    Analyze Ticket Details .......... 47
        Get a Ticket Overview .......... 47
        View All Tickets .......... 49
        View Details for a Specific Ticket .......... 49
    Process Tickets .......... 50

Perform Forensic Investigations .......... 51
    Introduction to Forensics .......... 52
    View Sessions and Executions .......... 53
    Create Forensic Tickets .......... 54
    View Events .......... 55

Monitor Application Sessions .......... 57
    About Application Sessions .......... 58
        Multi-tiered Applications .......... 58
        Applications with Connection Pooling .......... 59
        Custom Applications .......... 59
    Configure InTrust for Databases to Recognize Individual Sessions .......... 59
        Examples .......... 61

Generate Reports .......... 65
    Introduction to Reports .......... 66
    Generate Reports from the User Console .......... 66
    Generate Reports from the Command Line .......... 67
    Generate Reports from Report Builder .......... 68
    Create Subscriptions .......... 69
    Analyze Trends .......... 70

Use the Federated Console .......... 71
    Launch the Federated Console .......... 72
    Manage Multiple Servers .......... 73
    Monitor Policies .......... 74
    Monitor Tickets .......... 74
    Review Profiles .......... 75

Appendix: Contact Quest .......... 77
    Contact Quest Support .......... 77
    Contact Quest Software .......... 78
    About Quest .......... 78

Index .......... 79


Chapter 1: Introduction to InTrust for Databases

Contents

• Introduction to InTrust for Databases User Console
• Features
• Get Started


Introduction to InTrust for Databases User Console

InTrust for Databases is a fully featured and independent database auditing solution that ensures that all your corporate database assets remain secure through real-time, detailed notification of critical events such as intrusion detection, data theft and data fraud. It tracks compliance policy violations and helps to resolve them in real-time with flexible reporting capabilities that make the decision process for data protection fast and reliable.

InTrust for Databases implements separation of duties throughout the product. There is a separate console for administrative tasks and a console for day-to-day user tasks. From the Administrator Console, you can implement configuration changes, review system health, and manage your InTrust for Databases IDB server, IDB agents, and users. Only ADMIN users can connect to the InTrust for Databases Administrator Console. As an OPERATOR or USER, you can access the InTrust for Databases User Console, the Federated Console, and the Report Builder and perform the tasks described in this guide.

With the need to keep extended records for audit trail analysis, InTrust for Databases retains compliance records for long-term use. Most importantly, the DBA or security administrator can easily manage InTrust for Databases. The application is fully scalable for future security needs that come with the projected growth of business data.

InTrust for Databases uses patent-pending technology to gather audit data without the need to sniff the network, create triggers, use transaction logs, or rely on native audit. This innovative approach allows InTrust for Databases to audit precisely what happens inside the database regardless of how the activity was created. InTrust for Databases can audit any session including encrypted connections, Oracle Bequeath connections, named pipe connections, and shared memory connections.

Once the InTrust for Databases agent captures the audit data, it is encrypted using FIPS-grade encryption and sent to the InTrust for Databases audit server. At the server, the audit data is analyzed against policies (which are your audit rules) and then it is permanently stored in a self-contained, tamper-proof archive. There is no need to manage another database in order to store audit data. The audit server sends alerts through email, XML, and investigation tickets.
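The paragraph above says the audit server keeps records in a self-contained, tamper-proof archive, but the guide does not describe how that archive is built. The following is an added illustration, not InTrust for Databases code, of one standard way to make an append-only audit store tamper-evident: a SHA-256 hash chain in which every record commits to the digest of the record before it, so that a later edit of any stored record breaks verification at that record. The `AuditArchive` class, its method names, and the sample audit events are all constructed for this example.

```python
"""Tamper-evident, append-only audit archive (illustrative example).

Assumption for the example: a SHA-256 hash chain over canonical JSON.
The real product's archive format is not described in the guide.
"""
import hashlib
import json


class AuditArchive:
    """Append-only store where each record commits to the previous digest."""

    GENESIS = "0" * 64  # digest that the first record chains from

    def __init__(self):
        self.records = []  # dicts: {"seq", "event", "prev", "digest"}

    @staticmethod
    def _digest(seq, event, prev):
        # Canonical JSON (sorted keys, no whitespace) so the same event
        # always produces the same digest regardless of dict ordering.
        payload = json.dumps({"seq": seq, "event": event, "prev": prev},
                             sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, event):
        """Store a copy of the event, chained to the current head digest."""
        prev = self.head()
        seq = len(self.records)
        rec = {"seq": seq, "event": dict(event), "prev": prev,
               "digest": self._digest(seq, event, prev)}
        self.records.append(rec)
        return rec["digest"]

    def head(self):
        """Digest of the newest record; this is what must be kept off-box."""
        return self.records[-1]["digest"] if self.records else self.GENESIS

    def verify(self):
        """Recompute every link in order. Returns (ok, first_bad_seq)."""
        prev = self.GENESIS
        for rec in self.records:
            if rec["prev"] != prev:
                return False, rec["seq"]
            if self._digest(rec["seq"], rec["event"], rec["prev"]) != rec["digest"]:
                return False, rec["seq"]
            prev = rec["digest"]
        return True, None


# Constructed sample audit events (not real captured data).
SAMPLE_EVENTS = [
    {"db_user": "app_svc", "os_user": "svc", "stmt": "SELECT * FROM orders"},
    {"db_user": "jdoe", "os_user": "jdoe", "stmt": "UPDATE salaries SET amt = 0"},
    {"db_user": "scott", "os_user": "scott", "stmt": "DROP TABLE audit_log"},
]


def build_archive(events=SAMPLE_EVENTS):
    archive = AuditArchive()
    for ev in events:
        archive.append(ev)
    return archive


def tamper_demo():
    """Edit one stored statement in place; verification fails at that seq.
    Returns (ok_before, ok_after, first_bad_seq)."""
    archive = build_archive()
    ok_before, _ = archive.verify()
    archive.records[2]["event"]["stmt"] = "SELECT 1"  # rewrite the DROP
    ok_after, bad_seq = archive.verify()
    return ok_before, ok_after, bad_seq


def recompute_demo():
    """Even if the edited record's own digest is recomputed, the following
    record still points at the old digest, so the break shows at seq 2."""
    archive = build_archive()
    rec = archive.records[1]
    rec["event"]["stmt"] = "SELECT 1"
    rec["digest"] = AuditArchive._digest(rec["seq"], rec["event"], rec["prev"])
    return archive.verify()


if __name__ == "__main__":
    print(tamper_demo())     # (True, False, 2)
    print(recompute_demo())  # (False, 2)
```

The chain only proves integrity back to the head digest a verifier trusts: if the newest record is rewritten and its digest recomputed, nothing later contradicts it, so the head value returned by `head()` has to be recorded somewhere the archive's own write path cannot change (a separate log, a signed receipt, or an operator's notes) and compared against at verification time.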

To get started, some setup and configuration needs to be done to identify your company’s database assets, configure policies, and define actions to take when an incident occurs.


Chapter 1 9 Introduction to InTrust for Databases Console

Console Users

There are two types of users who can run the InTrust for Databases User Console:

• OPERATOR - Create and edit profiles, actions, policies, and policy tickets.

• USER - View existing policies, profiles, and reports, but do not have privileges to create or edit profiles, actions, policies, and policy tickets.

Note Users with OPERATOR and USER roles can also run the Federated Console and the Report Builder, which are included with InTrust for Databases. The Federated Console can connect to multiple IDB servers and view and compare database audit data from the entire set of servers from a single console.

In addition, these users can have workflow roles to control the tasks they can perform to conduct forensic investigations and to manage tickets.

This chapter assumes that the basic installation, configuration, and administration tasks are complete as described in the instructions in the InTrust for Databases Installation Guide and that your InTrust for Databases Administrator has configured your account so that you have permission to log on to an IDB server with an OPERATOR or USER role and has granted you workflow permissions to perform specific ticket tasks.


Features

InTrust for Databases is a database audit management system that is designed to provide maximum visibility into database activities and confidence that data assets are secure.

Examples described in the following chapters demonstrate many of the features of InTrust for Databases:

• Unique Architecture - InTrust for Databases patent-pending technology captures everything that happens in a database.

• Compliance Through Workflow - A workflow supports a best-practice approach of continuous improvement as well as support of the tasks needed to pass a database audit.

• Catalog of Database Assets - Profiles document your instances, tables, users, and group them by value or risk.

• Controls on Database Assets - Policies enforce real world controls to protect your database assets.

• Ticket System - A ticket system provides essential audit artifacts of the incidents that have occurred.

• Forensic Facility - A ticket investigation system that shows every session and every SQL statement that a session issued.

• Report Generation - Reports are snapshots in time which an auditor can compare with more recent snapshots and quickly see exactly what changed. You can generate reports from the InTrust for Databases User Console, from the command line, or from the Report Builder.

• Archive Management - A one-click audit archive management system allows an administrator to create new archives and allows off load of old archives.


Get Started

Before you start to use the InTrust for Databases User Console, make sure your Administrator does the following:

• Installs the IDB framework on the system you plan to use as an IDB server and on each system that contains databases you want to monitor.

• Installs an IDB agent on each system that contains databases you plan to monitor.

• Configures instances of the databases you want to monitor.

• Sets you up as a user with either a USER or OPERATOR role.

• Gives you a workflow role of Investigator, Approver, or both.

At any time, from the InTrust for Databases User Console you can do the following:

• Launch InTrust for Databases Administrator Console - Select this link to open InTrust for Databases Administrator. This is a separate application from InTrust for Databases Console. It enables an administrator with a Quest Agent Manager login that has the ADMIN role to manage IDB servers, instances, users, ticket system, licenses, and data collection agents.

• Launch Federated Console - Select this link to connect to a set of IDB servers and view and compare database audit data from the entire set of servers from a single console.

• Launch Report Builder - Select this link to manage reports. The Report Builder provides samples to help you design custom reports and a wizard to help you create new reports. It has Report Designer integrated, which you can use to rearrange the elements of the report and add charts, tables, images, text, and other custom features to your reports.

• Get Started - Select this link to open the help system to the Get Started topic and follow the suggestions.

After you connect to an IDB server, you can:

• Configure policies - Select this option to launch a wizard that provides pre-defined profiles and policies to help you get started auditing quickly.

• Create new profiles and policies - Select the Profiles tab to add your own new profiles and then create policies using these profiles.

• Investigate Forensics - Select this option to review database actions or investigate policy violations.


Suggestions for an OPERATOR

If you are an OPERATOR, it is suggested that you follow these steps to get started:

1 Connect to an IDB server where you have an OPERATOR role. See “Connect to an IDB Server” on page 14.

2 Optional: Use the Configure Policies Wizard to quickly create profiles and policies based on templates. See “Use Profile and Policy Templates for a Quick Start” on page 17.

3 Organize assets into Profiles. Profiles enable you to catalog your instance, user, and table/column and errors into groups with shared ownership, business value, and exposure to risk and then apply policies to all the members of the group. See “Build Custom Profiles” on page 19.

In addition to asset-type profiles, you can create time profiles to schedule policies to apply at specific time intervals such as working hours, non-working hours, during backups, or any other special time periods when you want to track or not track access.

You can also create session profiles that allow you to have a higher level of control of database activity. You can select sessions to monitor based on DB user, OS user, program, or machine.

4 Create or edit policies. Policies identify incidents based on a business rule and generate appropriate responses and tickets. See “Create Custom Policies” on page 26.

5 Examine tickets. See “Workflow Roles” on page 44 and “Process Tickets” on page 50.

• If you have a workflow role of Investigator, you can accept, return, add notes, set resolution, and propose a ticket for closure.

• If you have a workflow role of Approver, you can approve or reject ticket closures.

• If you have both roles, you can perform all the workflow operations.

6 Perform forensic investigations and create, edit, and generate forensic tickets. See “Create Forensic Tickets” on page 54.

7 Generate reports and save or print for documentation purposes. See “Generate Reports from the User Console” on page 66 or “Generate Reports from the Command Line” on page 67 or you can generate custom reports from the Report Builder.

8 View and analyze trends.
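As an added example (not part of the guide, and not InTrust for Databases code), the following Python model enforces the division between the Investigator and Approver workflow roles from step 5 above as a small role-checked state machine: Investigators accept, return, add notes, set a resolution and propose closure; Approvers approve or reject a proposed closure; a user holding both roles can do everything. The state names, the transition table and the user names are assumptions made for the illustration; the guide lists only the permitted actions per role.

```python
"""Role-checked ticket workflow (illustrative example, not product code).

Assumptions: the ticket states and the transition table below; the guide
only names which actions each workflow role may perform.
"""
from enum import Enum


class State(Enum):
    NEW = "new"
    ACCEPTED = "accepted"
    RESOLVED = "resolved"
    PROPOSED = "proposed for closure"
    CLOSED = "closed"


# action -> (required workflow role, states it may be applied from, resulting state)
TRANSITIONS = {
    "accept":          ("Investigator", {State.NEW}, State.ACCEPTED),
    "return":          ("Investigator", {State.ACCEPTED}, State.NEW),
    "set_resolution":  ("Investigator", {State.ACCEPTED}, State.RESOLVED),
    "propose_closure": ("Investigator", {State.RESOLVED}, State.PROPOSED),
    "approve_closure": ("Approver", {State.PROPOSED}, State.CLOSED),
    "reject_closure":  ("Approver", {State.PROPOSED}, State.ACCEPTED),
}


class WorkflowUser:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


class Ticket:
    def __init__(self, ticket_id, summary):
        self.ticket_id = ticket_id
        self.summary = summary
        self.state = State.NEW
        self.notes = []        # (user, text) pairs; append-only audit trail
        self.resolution = None

    def add_note(self, user, text):
        # Adding a note is an Investigator task that does not change state.
        if "Investigator" not in user.roles:
            raise PermissionError(f"{user.name} is not an Investigator")
        self.notes.append((user.name, text))

    def apply(self, user, action, **kwargs):
        """Apply a workflow action after checking role, then current state."""
        role, from_states, to_state = TRANSITIONS[action]
        if role not in user.roles:
            raise PermissionError(f"{user.name} lacks the {role} role for {action}")
        if self.state not in from_states:
            raise ValueError(f"cannot {action} a ticket in state '{self.state.value}'")
        if action == "set_resolution":
            self.resolution = kwargs["resolution"]
        self.notes.append((user.name, f"{action} -> {to_state.value}"))
        self.state = to_state
        return self.state


def run_lifecycle():
    """Drive a ticket from NEW to CLOSED with one Investigator and one Approver.
    Returns (final_state, denial_message) where denial_message records the
    Investigator-only user being refused when trying to approve closure."""
    inv = WorkflowUser("alice", ["Investigator"])   # constructed
    apr = WorkflowUser("bob", ["Approver"])         # constructed
    t = Ticket("T-0001", "failed logins against HR instance")  # constructed
    t.apply(inv, "accept")
    t.add_note(inv, "traced to a misconfigured batch job")
    t.apply(inv, "set_resolution", resolution="false positive")
    t.apply(inv, "propose_closure")
    denied = None
    try:
        t.apply(inv, "approve_closure")  # Investigator-only user: refused
    except PermissionError as exc:
        denied = str(exc)
    t.apply(apr, "approve_closure")
    return t.state, denied


if __name__ == "__main__":
    print(run_lifecycle())
```

Checking the role before the state matters for the audit trail: a role refusal is a permission event worth recording separately from an out-of-order action by an otherwise authorised user, and putting the role check first keeps the two distinguishable in the exception raised.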


Suggestions for a USER

If you are a USER, it is suggested that you follow these steps to get started:

1 Connect to an IDB server where you have a USER role. See “Connect to an IDB Server” on page 14.

2 View profiles and the profile details for a specific profile.

3 View policies, policy details for a specific policy, and configure the display of data on the Policy Overview tab.

Note A USER cannot create or edit profiles or policies. You must have an OPERATOR role to perform those tasks.

4 Examine tickets.

• If you have a workflow role of Investigator, you can accept, return, add notes, set resolution, and propose a ticket for closure.

5 Perform forensic investigations. See “View Sessions and Executions” on page 53 and “Create Forensic Tickets” on page 54.

6 Generate reports and save or print for documentation purposes. Certain reports require an OPERATOR role to generate. See “Generate Reports from the User Console” on page 66 or “Generate Reports from the Command Line” on page 67 or you can generate custom reports from the Report Builder.

7 View and analyze trends.


Connect to an IDB Server

The InTrust for Databases Console Welcome window opens the Connection Manager dialog, where you can select the IDB server that contains the audit data you want to manage. The IDB server stores collected data, policies, profiles, and ticket information.

A single IDB server can handle audit data for about 15 CPUs.

Select an IDB server and do one of the following:

• Click Connect. You must be an OPERATOR or USER to whom your administrator has given privileges to access to the selected IDB server. ADMIN users cannot connect to an IDB server and run InTrust for Databases User Console.

• Click Add to configure a new connection. If the Connection Manager dialog is blank, click Add to configure a connection to an IDB server where you have OPERATOR or USER privileges.

• Click Edit to edit an existing connection.

• Click Remove to remove a connection.


Chapter 2: Build Profiles and Policies

Contents

• Introduction to Profiles and Policies
• Use Profile and Policy Templates for a Quick Start
• Build Custom Profiles
• Create Custom Policies
• Define Actions to Take when an Incident Occurs
• Analyze Policy Details
• Improve Profiles and Policies


Introduction to Profiles and Policies

Now that you have successfully launched the InTrust for Databases User Console and connected to the IDB server that contains the audit data you want to manage, you are ready to perform the critical tasks to successfully audit your company’s databases. Key to this endeavor is to create and manage profiles, policies, tickets, forensic investigations, and reports. The cycle of operation is to build profiles, build policies on top of profiles, recognize and handle incidents, send alerts, investigate tickets, respond to incidents, adjust policies and profiles, and restart. InTrust also helps you document actions taken and issue reports to keep as an audit trail.

About Profiles

Profiles allow you to group your assets for the purpose of managing them using different policies. Profiles address concerns about company assets. Because a company typically has large numbers of assets of different types, the job of writing and maintaining policies regarding these assets is difficult and becomes especially tedious when assets change. You can apply a policy to a profile and if assets in the profile change, you do not need to change the policy. Profiles make it easier to build policies consistent with business needs and to ensure that policy violations, notifications, tickets, and reports are prioritized properly.

The profile options in InTrust for Databases enable you to catalog your instance, user, table, and authorized connections assets into profiles of shared ownership, business value, exposure to risk, and other meaningful characteristics. Auditors view this grouping of assets as a very significant step because it indicates that the company followed due diligence in recognizing the value or lack of value of its assets.

You can have any number of profiles and even share assets across profiles. This is useful if you need to apply different controls from more than one regulatory imperative, for example SOX and PCI.

About Policies

Policies enforce real-world controls and identify incidents based on a business rule and generate appropriate responses. They also document the controls you applied to assets and apply the controls to selected profiles. For example, you can create a policy to audit access to sensitive tables. Later, you can add or remove tables from the underlying profile and the policy automatically stops monitoring the tables you removed and starts monitoring the tables you added.


Policy options enable you to see at a glance the most urgent violations of your threat and exploit policies for all monitored databases. You can rapidly open tickets, drill down on the relevant incidents, and switch to forensics for detailed investigations.

InTrust for Databases Console groups policies into various categories:

• Threat policies - identify attempted database intrusions by monitoring sessions initiated under specified groups of users. You can use threat policies to audit logins, failed login attempts, and unauthorized logins.

• Exploit policies - identify inappropriate use of data by monitoring SQL activity in the database. You can use exploit policies to audit table access, DDL commands, and error events.

• Error policies - identify inappropriate use of data by monitoring generated errors. An error policy is a type of Exploit policy.

There are two approaches you can take to build profiles and policies:

• Quick Start - Use the Policy Configuration wizard to configure profiles and policies based on a set of samples. Later, you can edit or remove these policies or use them as a basis to create your own.

• Build Custom Profiles and Configure Policies - Create new profiles and use the Create New Policy wizard to create policies to apply to the profiles.

Use Profile and Policy Templates for a Quick Start

Use the Configure Policies wizard to quickly create profiles and policies based on templates. This wizard guides you through the steps to create basic profiles and policies with as few entries as possible. The policies you configure with this wizard are based on built-in templates or on policies from other InTrust for Databases consoles.

These policies help you get started monitoring and protecting your databases quickly. The default response action is to issue a high-priority ticket when any one of these policies is violated. As you find that the policies need refinements, you can use other InTrust for Databases features to add or edit profiles and create new policies with the Create Policy Wizard.

Note You need an OPERATOR role to perform this task.

Tip Click a profile to view a description of that profile and the type of items it should contain.


Create Policies Quickly

While in the Configure Policies wizard, after you finish defining all your profiles, the next step is to decide which template policies to use on your system. The default is to load all of them to your system.

To create policies using the Configure Policies wizard

1 On the Select Policies page, select Configure profiles first to categorize the items of value that you want to control with the policies.

2 Expand the Basic and Detailed policies nodes and select or clear the checkboxes to indicate the policies you want to create.

3 On the Policy Mode page, select Change policy working mode, and then select one of the following options:

• Realtime mode - Select this option to run the policies all the time. Also select Load Configuration to apply the policies as soon as you complete this wizard. If you do not select this option now, you can commit and activate the policies later from Tools | Load Configuration.

• Scheduled - Select this option to run the policies once every hour, day or week.

Hour - process data collected the previous hour at the beginning of each new hour.

Day - process data collected the previous day at the beginning of each new day.

Week - process the data collected from Monday to Sunday midnight of the previous week early on Monday morning, so that people do not receive tickets in the middle of the weekend.

4 On the Define Instances, Define DB Users, Define Tables, and Define Errors pages, define profiles.

• Expand the profile and select an instance, and then select or clear the checkmarks next to the items you want to include in the profile.

5 On the Summary page, review the summary of the profiles and policies you plan to create. Click Back to return to previous pages and change your selections or click Create.

6 On the Completion page, view a list of the profiles and policies the wizard created on your system. These policies all have a response action to create a high-priority ticket.


7 You must apply the new policies to have them take effect. If you did not select Load Configuration from the wizard, select Tools | Load Configuration to apply the changes and activate the policies.

Later, you can edit these policies or use one of these policies as a basis for a new policy.

Build Custom Profiles

Profiles enable you to group your company’s assets into categories. Auditors view this grouping of assets as a very significant step because it indicates that the company followed due diligence in recognizing the value or lack of value of its assets.

The following examples provide step-by-step instructions on how to create profiles and add assets to those profiles. From the Profiles tab, you can do the following:

• Create instance profiles

• Create table profiles

• Create user profiles

• Create error profiles

• Create time profiles

• Create session profiles

Create Instance Profiles

Instance profiles catalog your database assets into groups with shared ownership, business value, and exposure to risk. Instances are typically subject to differing business, technology, risk, and value expectations.

For the following reasons, you may want to group instances into profiles and apply different policies to the profiles:

• Risk exposure - This is the most common basis for profiling instances. Although it may seem appealing to create separate profiles that target individual regulations (SOX, HIPAA, PCI, etc.), it is usually more efficient to create profiles for instances that are subject to policy expectations, regardless of whether the driver is one regulation or several. List these instance risk factors in your profile plan.

• Environment - Because a production environment is very different from a development environment, you may want to profile instances used in each environment separately. Typically, it is not required to audit development databases unless access to sensitive data is an issue in this environment.

• Business unit - It is best practice to use separate audit servers, at least virtually, if your company manages business units in a highly segregated manner for confidentiality, cost management, or legal purposes. In the case where business units share audit solutions, list these business unit factors in a profile plan.

a Create a matrix of instance profiling factors - typically ownership vs. risk.

b Name the cells where there are significant combinations of profiling factors.

Overview of Procedure to Create Instance Profiles

Once you have a plan for how you want to organize your instances, proceed as follows:

1 From the InTrust for Databases tab, create profiles for each instance control group. In the following example, the groups are accounts payable and customer relations management in a production environment.

2 Add instances of your databases to the profiles.

3 Register instances.

4 Generate profile history reports and attach them to your profile plan.

Example of How to Create Instance Profiles

This example demonstrates how to create an instance profile called ap-prod (accounts payable production) and an instance profile called crm-prod (customer relations management production).

To create instance profiles

1 Select the Profiles tab.

2 On the navigation tree, select Instance Profiles.

3 From the navigation tree, select Add New Profile.

4 Enter the name of the instance profile (ap-prod) and optionally, a description (Profile for accounts payable production).

5 Optional: Select Display unprofiled instances only to view only those instances that are not yet included in a profile.

6 Select the instances to include in the profile from the Available column and use the arrows to move them into the Selected column.

7 Click OK.


8 Select Add New Profile again.

9 Enter the name of the next instance profile (crm-prod) and optionally, a description (Profile for customer relations management production).

10 Optional: Select Display unprofiled instances only to view only those instances that are not yet included in a profile.

11 Select the instances to include in the profile from the Available column and use the arrows to move them into the Selected column.

12 Click OK.

Repeat Steps 8-12 for each new instance profile you want to create.

Create Table Profiles

Tables are the ultimate source of concern because they are the company assets most vulnerable to exploitation by theft, fraud, and corruption. You can classify tables by risk, business value, ownership, or other criteria. Until these table assets are classified into profiles, the quality of controls placed on them is unknown.

Overview of Procedure to Create Table Profiles

Use table profiles to group tables that contain sensitive data into related groups and to identify which tables belong to each system.

1 Create two profiles: an ap-tables profile and a crm-tables profile. Each of these profiles contains tables that hold sensitive, privileged customer information such as Social Security and credit card numbers, or financial data that goes into the organization’s financial statement.

2 In the ap-tables profile, add all the tables that belong to the accounts payable system.

3 In the crm-tables profile, add all the tables that belong to the customer relations management system.

4 These sensitive tables (ap-tables and crm-tables) usually have a common set of business rules whose scope goes beyond the accounts payable or customer relations management system. To support the business rules for these sensitive tables, regardless of the system to which they belong, build a third profile simply called sensitive-tables.

5 In the sensitive-tables profile, choose a mix of tables from the accounts payable and customer relations management databases. This demonstrates that you can include the same table in more than one profile. Because these tables are considered more sensitive, apply more stringent audit rules to this profile and notify different people when an incident occurs.

Example of How to Create Table Profiles

To create table profiles

1 On the navigation tree of the Profiles tab, select Table/Column Profiles.

2 Select Add New Table Profile.

3 Enter the name of the table profile (ap-tables) and optionally, a description.

4 Select the instance to which the profile applies.

5 Optional: Select Display unprofiled tables only to view only those tables that are not yet included in a profile.

6 Select all the tables that belong to the accounts payable system from the Available column and use the arrows to move them into the Selected column.

7 Click OK.

8 Select Add New Table Profile again.

9 Enter the name of the next table profile (crm-tables) and optionally, a description.

10 Select the instance to which the profile applies.

11 Optional: Select Display unprofiled tables only to view only those tables that are not yet included in a profile.

12 Select all the tables that belong to the customer relations management system from the Available column and use the arrows to move them into the Selected column.

13 Click OK.

14 Select Add New Table Profile again.

15 Enter the name of the next table profile (sensitive-tables) and optionally, a description.

16 Select the instance to which the profile applies.

17 Optional: Select Display unprofiled tables only to view only those tables that are not yet included in a profile.

18 Select a mix of tables from the accounts payable and customer relations management databases from the Available column. This demonstrates that you can include the same table in more than one profile. Use the arrows to move them into the Selected column.

19 Click OK.

Repeat Steps 14-19 for each new table profile you want to create.

Similarly, you can create profiles for sensitive columns in a table. Click Manage Columns to define table columns to add to the list of available columns that you can include in a column profile. Column profiles allow users to access the non-sensitive columns in a table without causing InTrust for Databases to raise alerts. This reduces false alarms and may also allow you to identify queries that are accidentally returning sensitive data through SELECT * as opposed to querying just the columns they need. To create column profiles, select Add New Column Profile.
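The column-profile behaviour described above (reads of non-sensitive columns pass, SELECT * against a sensitive table raises an alert) is easier to see with a small model. The following Python is an added example and is not code from Quest or from this guide: the regex-based statement parser, the contents of the sensitive-tables and column profiles, and the sample statements are all constructed for the example, and it handles only simple single-table SELECTs.

```python
"""Column-profile check for SELECT statements (added example; see the lead-in).

A table profile marks whole tables as sensitive; a column profile lists the
columns of such a table that may be read without raising an alert.
"""
import re
from typing import Dict, Optional, Set

# Constructed profiles: a hypothetical sensitive-tables profile and, per table,
# the non-sensitive columns a column profile allows to be read without an alert.
SENSITIVE_TABLES: Set[str] = {"customers", "payments"}
NON_SENSITIVE_COLUMNS: Dict[str, Set[str]] = {
    "customers": {"customer_id", "name", "city"},        # ssn, credit_card are not listed: sensitive
    "payments": {"payment_id", "invoice_no", "amount"},  # card_number is not listed: sensitive
}

# Matches "SELECT <column list> FROM <table>"; the column list is everything up to the first FROM.
SELECT_RE = re.compile(r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>[\w.]+)",
                       re.IGNORECASE | re.DOTALL)


def column_name(expr: str) -> str:
    """Reduce a select-list item such as 'c.name AS n' to the bare column name 'name'."""
    first = expr.strip().split()[0]          # drop aliases ("AS n", "n")
    return first.split(".")[-1].lower()      # drop a table or alias prefix ("c.")


def classify(sql: str) -> Optional[str]:
    """Return None when the read is allowed, or the reason an alert should be raised."""
    m = SELECT_RE.match(sql)
    if m is None:
        return None                          # writes are covered by exploit policies on the table profile
    table = m.group("table").split(".")[-1].lower()   # strip a schema prefix such as "crm."
    if table not in SENSITIVE_TABLES:
        return None
    items = [c.strip() for c in m.group("cols").split(",")]
    if any(c == "*" or c.endswith(".*") for c in items):
        return f"SELECT * on sensitive table {table}"   # the accidental over-read the guide mentions
    if any("(" in c for c in items):
        return f"expression in select list on sensitive table {table}"   # conservative: unknown columns read
    read = {column_name(c) for c in items}
    sensitive = sorted(read - NON_SENSITIVE_COLUMNS.get(table, set()))
    if sensitive:
        return f"sensitive column(s) {', '.join(sensitive)} read from {table}"
    return None


# Constructed sample statements, as an application session might issue them.
SAMPLE_STATEMENTS = [
    "SELECT * FROM customers",
    "SELECT customer_id, name, city FROM crm.customers",
    "SELECT c.name, c.ssn FROM customers c WHERE c.customer_id = 42",
    "SELECT * FROM orders",
    "select amount, invoice_no from payments",
]

if __name__ == "__main__":
    for stmt in SAMPLE_STATEMENTS:
        print(f"{classify(stmt) or 'allowed':<50} <- {stmt}")
```

Only the second, fourth and fifth statements pass: the first is the SELECT * over-read, and the third names a column (ssn) that the column profile does not list. Expressions such as count(*) are treated conservatively as an alert because the parser cannot tell which columns they touch.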

Create User Profiles

Users are typically separated by their database roles, such as DBAs, users created specifically to run certain applications, and perhaps users created for analysts. An organization’s business rules are typically built around the user role regardless of the application the account was created for. You need to create user profiles that make sense for your organization. For the following reasons, you may want to group users into profiles and apply different policies to each user profile:

• Privileged and restricted accounts - A key risk to which business data is exposed is accidental or intentional theft, fraud, or corruption by privileged users in the course of managing the underlying database. It is imperative that privileged accounts be subject to more scrutiny. Restricted accounts typically do not pose the same threat. In your profile plan (a spreadsheet is suggested), list the categories of privileged and restricted user types according to their level of threat.

• User, application, and system accounts - System and application accounts are those used by services and application processes to perform well-defined activities. User accounts typically do not exhibit such regular behavior, and can be used as access points from a wider range of machines, OS user accounts, and programs. In your profile plan, list the categories of system, application, and user accounts by the type of source of access typically expected.

• Active and inactive accounts - Inactive accounts should, by definition, not be used to access the database, but there is always the possibility that someone might use one of these accounts temporarily to gain access to the database. In your profile plan, list all inactive accounts from which connections should not be expected.

Overview of Procedure to Create Users

• In your profile plan, create a matrix of user profiling factors - typically privilege level, connection source, and active status.

• Name the cells where there are significant combinations of profiling factors.

• Create profiles for each user control group.

• Add users to each profile.

• Generate profile history reports.

Example of How to Create User Profiles

This example creates a dba-users profile and an application-users profile.

In the DBA profile, add any account that has DBA privileges (sysdbas, or system administrators). In the application profile, add the accounts that have been assigned for use only by the application.

To create a user profile

1 On the navigation tree of the Profiles tab, select User Profiles.

2 From the navigation tree, select Add New Profile.

3 Enter the name of the user profile (dba-users) and optionally, a description.

4 Select the instance to which the profile applies.

5 Optional: Select Display unprofiled users only to view only those users that are not yet included in a profile.

6 Select the users to include in the profile from the Available column and use the arrows to move them into the Selected column.

7 Click OK.

8 Select Add New Profile again.

9 Enter the name of the next user profile (application-users) and optionally, a description.

10 Select the instance to which the profile applies.

11 Optional: Select Display unprofiled users only to view only those users that are not yet included in a profile.


12 Select the users to include in the profile from the Available column and use the arrows to move them into the Selected column.

13 Click OK.

Repeat Steps 8-13 for each new user profile you want to create.

Create Error Profiles

Before you actually create an error profile, you must compile a list of errors. Click Manage Errors to define errors to add to the list of available errors that you can include in an error profile. Then select Add New Profile to create an error profile.

Create Time Profiles

Use this profile to schedule policies to apply at specific time intervals such as working hours, non-working hours, during backups, or any other special time periods when you want to track or not track access.

To create a time profile

1 On the navigation tree of the Profiles tab, select Time Profiles.

2 From the navigation tree, select Add New Profile.

3 Enter the name of the time profile and optionally, a description.

4 Select the instance to which the profile applies.

5 Select Enable time profile to enable the options that let you set the time range during which the profile applies.

6 Enter or select a start and end time for when a policy using this profile applies.

7 Select the days to apply the profile.

Create Session Profiles

Use session profiles to create more granular profiles and policies that provide a higher level of control of database activity. You can select sessions based on DB user, OS user, program, and machine.

To create a session profile

1 On the navigation tree of the Profiles tab, select Session Profiles.


2 From the navigation tree, select Add New Session.

3 Select the instance with the sessions of interest to you.

4 Select the session parameters (DB User, OS User, Machine, Program) to add these sessions to the common session list.

5 From the navigation tree, select Add New Profile.

6 Enter the name of the session profile and optionally, a description.

7 Select the instance to which the profile applies.

8 Optional: Select Show unprofiled sessions only to view only those sessions that are not yet included in a profile.

9 Select all the sessions on the instance that are of interest from the Available sessions section and use the arrows to move them into the Selected sessions section.

10 Click OK.

Repeat Steps 5-10 for each new session profile you want to create.

Apply Changes to Profiles

When finished, be sure to apply the new profiles to have them take effect.

• From the Tools menu, select Load Configuration.

These profiles are the basic components used to define the audit rules. The next task is to create policies to define the audit rules and to specify how to respond when an incident occurs.

Create Custom Policies

Once you categorize your database assets into profiles, you can begin to create policies. Policies enforce real-world controls and document the controls you apply to your assets. You can apply policies to one or more profiles, which eliminates the need to manage each object in a profile individually. For example, if you create a policy to audit access to sensitive tables and you later add or remove tables from the underlying profile, the policy automatically stops monitoring the tables you removed and starts monitoring the tables you added.


Use this method to create policies where you can specify the response actions you want to invoke when a policy detects an incident. The Create Policy wizard breaks policies into two main categories: threats and exploits.

• Threat policies audit logins, failed login attempts, and unauthorized logins.

• Exploit policies audit table access, DDL commands, and error events.

Create Threat Policies

A common business rule is to keep track of and alert on excessive attempts to log in using a DBA account. This might indicate an illicit attempt to gain access to the database.

Example of How to Create Threat Policies

This example demonstrates how to create a threat policy.

1 On the Policies tab, click Create Policy to open the Create New Policy wizard.

2 On the Policy Information page, assign a name and reference number that helps you map this Policy back to your business unit’s catalog of controls. Optional: Enter a rank to indicate the importance of the policy to your company (1 indicates highest) and enter a description.

3 On the Select Policy Type page, select Threat policy, and then select one of the options (All Sessions or Failed Logons).

4 On the Set Expected Activity page, quantify the amount of activity you expect the policy to generate or click Next to accept the defaults.

5 On the Select Instances page, clear the Monitor everything option and move the ap-prod and crm-prod instances to the Selected column.

6 On the Select Users page, clear the Monitor everything option and move the DBA user profile to the Selected column. This means that the policy monitors all the users in the DBA profile.

7 On the Select Sessions page, clear the Monitor everything option and move one or more sessions to the Selected column.

8 On the Associate Actions page, add, edit, or delete actions to associate with the policy.

• Click Add Action and add a new action called first alert and base the action on a threshold. For additional information about actions, see “Define Actions to Take when an Incident Occurs” on page 30.


• Select Event Threshold and set Threshold to 5 per Hour. This means that whenever a DBA fails to enter a password correctly after 5 tries within an hour, the policy produces an incident.

• Assign a priority. Failed logins occur all the time, so set the priority to Low.

• Select an activity period. Here you can select a time profile such as Work-Hours to activate the policy only during working hours as defined in the time profile.

• Select one or more responses:

Email - Select this option to send an email notification to the user or user group you select from the list.

Ticket - Select this option to generate a ticket.

XML file - Select this option to write incident information to an XML file. Batch jobs can parse the XML file, and enterprise monitoring systems can process it.

Foglight - Select this option to send a message to the Foglight server.

Select Ticket to create an audit artifact of this incident. Because a ticket does not proactively notify anyone in the real world, also select Email to create an email and notify all the people identified in the email group called team1.

Repeat this step to add additional actions to take when an incident occurs.

9 Click Create to complete the wizard. You can also select to enable the policy in real-time mode or schedule it to run once an hour, day, or week.

The new policy displays in the Policy Overview tab. You can build custom views to include the Policies that interest you the most. Individual users can each have sets of custom views. As incidents occur, you can see the graphs and information on the tab change.

Create Exploit Policies

Exploit policies identify inappropriate use of data by monitoring SQL activity in the database. Error policies are a type of exploit policy; they identify inappropriate use of data by monitoring generated errors. A violation of an exploit policy might indicate that data has been compromised.

Example of How to Create Exploit Policies

This example demonstrates how to create an exploit policy.


1 On the Policies tab, click Create Policy to open the Create New Policy wizard.

2 On the Policy Information page, assign a name and reference number that helps you map this Policy back to your business unit’s catalog of controls. Optional: Enter a rank to indicate the importance of the policy to your company (1 indicates highest) and enter a description.

3 On the Select Policy Type page, select Exploit policy, and then select one of the options (Execution of SQL statements or Occurrence of errors).

4 On the Set Expected Activity page, quantify the amount of activity you expect the policy to generate or click Next to accept the defaults.

5 On the Select Instances page, clear the Monitor everything option and move the instances of interest to the Selected column.

6 On the Select Users page, clear the Monitor everything option and move the user profiles of interest to the Selected column. This means that the policy monitors all the users in these profiles.

7 On the Select Sessions page, clear the Monitor everything option and move one or more sessions to the Selected column.

8 On the Select Operations page, define the type of operations to audit. InTrust for Databases can audit read-only activity as well as insert, delete, and update write activity. InTrust for Databases is truly unique in the sense that it knows exactly which tables were accessed and the type of access, regardless of whether the access came through synonyms, views, stored procedures, or encrypted connections.

• Select to audit Write activity.

• Select the sensitive tables profile (sensitive-tables).

9 On the Associate Actions page, add, edit, or delete actions to associate with the policy.

• Click Add Action and add a new action called exploit.action1 and base the action on an event threshold. For additional information about actions, see “Define Actions to Take when an Incident Occurs” on page 30.

• Assign a priority. A compromise to data is significant, so set the priority to High.

• As with the threat policy, select Ticket, Email, and an email group. See “Define Actions to Take when an Incident Occurs” on page 30.

Repeat this step to add additional actions to take when an incident occurs.


10 Click Create to complete the wizard. You can also select to enable the policy in real-time mode or schedule it to run once an hour, day, or week.

• The new policy displays in the Policy Overview tab. You can build custom views to include the Policies that interest you the most. Individual users can each have sets of custom views. As incidents occur, you can see the graphs and information on the Policy Overview tab. See “Get a Policy Overview” on page 33.

Define Actions to Take when an Incident Occurs

Actions are an extremely important part of policy creation. Without defined actions, when an incident occurs, nothing happens: InTrust for Databases does not notify anyone, nor does it issue a ticket to track the incident. If you used the Configure Policies Wizard to quickly create profiles and policies based on templates, these policies default to issuing a high-priority ticket when an incident occurs. For both custom and template policies, you can add or edit the response actions you want InTrust for Databases to take when an incident occurs. Once you define and name an action, you can use it in many policies.

The Add Action or Edit Action dialog helps you define conditions that generate an incident and specify the response.

Note You need an OPERATOR role to perform this task.

To access the Add Action or Edit Action dialog

1 Do one of the following:

• Go to the Create Action pane of the Create Policy wizard and click Add Action or select an action and click Edit.

• Select the Policies tab and do one of the following:

  • Double-click a specific policy.

  • Select the <policy_name> tab for a specific policy.

  • On the All Policies tab, select a policy and click View Policy.

• In the Selected Action section of the <policy_name> tab, click Add Action or select an action and click Edit.


To add or edit an action

1 Enter or change information in the following fields:

Action name - Enter or change the name to use to refer to this action.

Single event - Select this option to generate an incident for any event found by the policy.

Threshold limit - Select this option to generate an incident only after a threshold is reached.

• For threat policies, the threshold is the number of events that occurred.

• For exploit policies, the threshold can apply to either the number of events or the number of rows.

When you select rows, the threshold accumulates the number of rows in each event. A threshold of 7 rows could be exceeded by 3 SQL statements each updating 3 rows, for a total of 9 rows.

For both types of policies, the threshold can be per Hour, Day, or Week.

Maximum number of events to store per incident - Set a storage limit so that the log file does not become exceedingly large.

Apply threshold to the whole instance rather than to each session - Select this option to apply the threshold to the instance. Deselect this option to apply the threshold to each session.

Check threshold at the end of the time period rather than on each event - Select this option to count incidents at the end of the time period. Deselect this option to count incidents as they occur.


2 Click OK.

The new or modified action displays in the list on the Create Action pane of the Create Policy wizard and in the Selected Action section of the <policy_name> tab.

Apply Changes to PoliciesWhen finished, be sure to apply the new policies to have them take effect.

• From the Tools menu, select Load Configuration.

These policies define the audit rules. The next task is to analyze what is happening on your system and see how many incidents the policies generate and when the incidents occur.

Incident priority Select High, Medium, or Low to assign a priority to the incident.

Response Select one or more of the following options to perform when an incident occurs:

Email Select this option to send an email notification to the user or user group you select from the list.

Ticket Select this option to generate a ticket.

External XML Select this option to specify an external XML file. Takes info about the incident and writes it to an XML file on the disk. The XML file can be parsed by batch jobs or consumed by Enterprise monitoring systems such as FogLight or Microsoft Operations Manager (MOM).
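As an added example (not InTrust for Databases code), the following Python models how the Single event, Threshold limit, instance-versus-session and end-of-period settings decide when an incident is raised, and runs the 7-rows case from the table through each setting. The event shape, the alignment of periods to clock hours, calendar days and Monday-based weeks, and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One audited event matched by a policy (constructed shape, not the product's record)."""
    time: datetime
    session: str       # database session that produced the event
    rows: int = 1      # rows affected by the statement; used only when counting rows


@dataclass(frozen=True)
class Action:
    """Threshold-related settings of a policy action, named after the fields in the table above."""
    name: str
    single_event: bool = False          # Single event: an incident for every event
    threshold: int = 1                  # Threshold limit: events (or rows) per period
    count_rows: bool = False            # exploit policies may count rows instead of events
    period: str = "hour"                # "hour", "day" or "week"
    per_instance: bool = False          # apply the threshold to the whole instance, not each session
    check_at_period_end: bool = False   # check at the end of the period rather than on each event


def period_start(t: datetime, period: str) -> datetime:
    """Align a timestamp to the start of its clock hour, calendar day or week (Monday)."""
    if period == "hour":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "day":
        return day
    if period == "week":
        return day - timedelta(days=day.weekday())
    raise ValueError(f"unknown period {period!r}")


Incident = Tuple[str, str, int]   # (scope, period start as ISO text, accumulated count)


def evaluate(action: Action, events: List[Event]) -> List[Incident]:
    """Apply one action's settings to a batch of events and return the incidents raised."""
    ordered = sorted(events, key=lambda e: e.time)
    if action.single_event:
        return [(e.session, period_start(e.time, action.period).isoformat(), 1) for e in ordered]
    totals: Dict[Tuple[str, datetime], int] = {}
    fired: Set[Tuple[str, datetime]] = set()
    incidents: List[Incident] = []
    for ev in ordered:
        scope = "instance" if action.per_instance else ev.session
        key = (scope, period_start(ev.time, action.period))
        totals[key] = totals.get(key, 0) + (ev.rows if action.count_rows else 1)
        # checked on each event: raise the incident as soon as the threshold is reached,
        # at most once per scope and period
        if not action.check_at_period_end and key not in fired and totals[key] >= action.threshold:
            fired.add(key)
            incidents.append((scope, key[1].isoformat(), totals[key]))
    if action.check_at_period_end:
        # checked at the end of the time period: judge the completed totals instead
        for (scope, start), total in sorted(totals.items(), key=lambda kv: (kv[0][1], kv[0][0])):
            if total >= action.threshold:
                incidents.append((scope, start.isoformat(), total))
    return incidents


# Constructed sample events (not real audit data): two sessions on one instance, every
# statement updating 3 rows, all but the last one inside the 10:00 hour.
_T = datetime(2008, 6, 2, 10, 0)
SAMPLE_EVENTS = [
    Event(_T + timedelta(minutes=0), "sess-1", rows=3),
    Event(_T + timedelta(minutes=5), "sess-1", rows=3),
    Event(_T + timedelta(minutes=10), "sess-2", rows=3),
    Event(_T + timedelta(minutes=15), "sess-2", rows=3),
    Event(_T + timedelta(minutes=20), "sess-1", rows=3),
    Event(_T + timedelta(hours=2, minutes=30), "sess-2", rows=3),
]


def demo() -> Dict[str, object]:
    """Run the same events through the settings the table describes."""
    rows7 = Action("7 rows per hour", threshold=7, count_rows=True)
    rows7_instance = Action("7 rows per hour", threshold=7, count_rows=True, per_instance=True)
    rows7_period_end = Action("7 rows per hour", threshold=7, count_rows=True,
                              per_instance=True, check_at_period_end=True)
    return {
        # per session: sess-1 reaches 9 rows on its third statement; sess-2 stops at 6
        "per_session_rows": evaluate(rows7, SAMPLE_EVENTS),
        # whole instance, checked on each event: 3 + 3 + 3 reaches 9 on the third statement
        "instance_rows_on_event": evaluate(rows7_instance, SAMPLE_EVENTS),
        # whole instance, checked at period end: the completed hour holds 15 rows
        "instance_rows_period_end": evaluate(rows7_period_end, SAMPLE_EVENTS),
        # threat-style event count: three events in one hour from one session
        "per_session_events": evaluate(Action("3 events per hour", threshold=3), SAMPLE_EVENTS),
        # Single event: every event becomes its own incident
        "single_event": len(evaluate(Action("any event", single_event=True), SAMPLE_EVENTS)),
    }
```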


Analyze Policy Details

To help you quickly evaluate what is happening on your system, InTrust for Databases displays graphs showing an overview of the policies on all monitored instances. You can examine statistics and details about policies, tickets, and incidents for each monitored instance. You can specify responses at the per-event level, as well as at the hourly, daily, and weekly aggregate levels.

InTrust for Databases Console organizes and displays policies in an Overview, All Policies, and Incident Calendar view.

Get a Policy Overview

The Overview tab displays a set of graphs showing a summary of the number of open tickets at each ticket priority level and displays the total number of incidents that occurred per hour, day, and week for each policy in the view. The Last Month section of the graph shows the total number of tickets for each day of the previous month and gives you a quick view of whether the number of policy violations is increasing, decreasing, or staying the same.

To get more information

1 Under Tickets Open, click a bar to open the All Tickets tab with the filter set to the priority level (High, Medium or Low) of the selected ticket bar.

When the number of open high-priority tickets exceeds the expected number, the display indicates there is a problem. The bar behind the policy name and the Tickets Open | High Priority bar turns red.


2 Under Incident Summary, click a bar to view the All Tickets tab with the filter set to the time period (Hour, Day, or Week) of the selected incident bar.

When the number of incidents in an hour exceeds the expected number, the display indicates there is a problem. The bar behind the policy name and the Incident Summary | Hour bar turns red.

Note When the number of tickets exceeds the expected number for medium or low priority levels, or the number of incidents per day or week exceeds the expected number, only the corresponding bar turns red.

To customize the view

• At the bottom of the Overview tab, select Configure View to open the Configure Policy Overview dialog. Use this dialog to create and name, edit, or remove custom views from the Policies Overview tab.

View All Policies

The All Policies tab displays statistics for Policies, Tickets, and Incidents using a standard list representation.

To view statistics for All Policies

1 Select the Policies tab.

2 Select the All Policies sub-tab to view the following statistics:

Policies (Policy Statistics)

Rank Displays a number representing the importance of the policy to your company (1 indicates highest).

Name Displays the name of the policy.

Type Displays the type of policy.

• Threat policies identify attempted database intrusions by monitoring sessions initiated under specified groups of users.

• Exploit policies identify inappropriate use of data by monitoring SQL activity in the database.

• Error policies identify inappropriate use of data by monitoring generated errors.

Id Displays a unique identification name and number generated by InTrust for Databases.

Open Tickets (Ticket Statistics)

This section of the tab displays ticket statistics.

High Displays the number of open high priority tickets generated in response to violations of the policy.

Medium Displays the number of open medium priority tickets generated in response to violations of the policy.

Low Displays the number of open low priority tickets generated in response to violations of the policy.

Total Displays the total number of open high, medium, and low priority tickets.

Incidents (Incident Statistics)

This section of the tab displays incident statistics.

Hour Displays the number of incidents that occurred in an hour.

Day Displays the number of incidents that occurred in a day.

Week Displays the number of incidents that occurred in a week.

Note Under the Incidents column, click an Hour, Day, or Week to open the Incident Calendar tab.

3 Click a column heading to display the rows of information in descending or ascending order based on the selected column.

Analyze the Incident Calendar

The Incident Calendar tab displays a one-year or one-week calendar that shows when incidents occurred and enables you to see whether there is a pattern. The first time you access the Incident Calendar, the tab is blank except for the filter criteria. This provides an opportunity for you to set the filters to limit the amount of data displayed.

Year Calendar

The year calendar displays each month and highlights in red the days when incidents occurred.


Week Calendar

The week calendar displays an hourly breakdown of when incidents occurred for each day of the week.

To view details about an incident

1 Set the filters.

2 Click Apply to view the yearly or weekly filtered data.

3 On the Year calendar:

• Move the cursor over a highlighted day to see the number and type of incidents that occurred on that day.

• Double-click a highlighted day to view the Week calendar and view an hourly breakdown of when the incidents occurred.

4 On the Week calendar:

• Move the cursor over a specific incident to see the number, type, and priority of the incident.

• Double-click an hour with incident activity to drill down to Forensics, where you can view incident properties and investigate incidents.


View Details for a Specific Policy

The Policies | <policy_name> tab displays policy details for a selected policy in separate sections on the tab.

To view or change policy details

1 Select the Policies tab.

2 Do one of the following:

• Double-click a specific policy.

• Select the <policy_name> tab for a specific policy.

• On the All Policies tab, select a policy and click View Policy.

InTrust for Databases Console creates a <policy_name> tab if one does not already exist. The <policy_name> tab contains the following sections:

• Policy Information

• Policy Expectations

• Profile Details

• Session Flags

• Operations

• Action List

3 Click Edit in any of the above sections and change the parameters.

4 If you edit any of the sections, click Apply Changes to commit the changes to the policy.

5 Click Policy History to view details about a previous version of the policy.

6 Click Close to close the tab.

Note If you click Close before you Apply Changes, the changes do not take effect and are not committed to the policy.


Improve Profiles and Policies

Over time you can make adjustments to your Policies and Profiles. As you adjust your Policies and Profiles, InTrust for Databases logs the changes you make.

Now that you have built profiles and policies, the next step is to let the policies take effect and let them generate tickets when incidents occur. See Chapter 3, “Manage Tickets”.


Chapter 3: Manage Tickets

Contents

Introduction to Tickets
Workflow Roles
Analyze Ticket Details
Process Tickets


Introduction to Tickets

Tickets are documents used to track progress on the actions taken in response to incidents. InTrust for Databases generates most of the tickets in response to database incidents. However, when performing a Forensic investigation, operators may want to create and generate additional tickets.

The ticket workflow provides separation of duties and supports a best-practice approach of continuous improvement as well as support of the tasks needed to pass a database audit. To support separation of duties, an administrator assigns workflow roles to console users with a USER or OPERATOR role.

Workflow Roles

Workflow roles allow InTrust for Databases Console users to manage specific ticket tasks. InTrust for Databases generates tickets when incidents occur. Operators can also generate tickets from Forensic investigations. All InTrust for Databases Console users can view all the existing tickets. Select the Tickets tab, and then select the All Tickets sub-tab. The All Tickets tab allows users with a workflow role of Investigator or Approver to select a specific ticket and perform processing tasks as shown in the Workflow Information chart. An administrator sets up the workflow roles through the InTrust for Databases Administrator.

• Investigator - If you have a workflow role of Investigator, you can Accept, Return, Add Notes, Set Resolution, and Propose a ticket for closure.

• Approver - If you have a workflow role of Approver, you can Approve or Reject proposals to close tickets.


The Workflow flowchart shows the various handling processes a ticket goes through from creation to closure.

Step 1 - Process a New ticket

A user or operator with a workflow role of Investigator can do the following:

• View Ticket details - Double-click a ticket with a New status or right-click a ticket and select View Ticket Details. This opens a Ticket Detail tab called Ticket Number n.

• Accept a ticket for investigation - Click Accept. When an investigator accepts a ticket, the investigator takes ownership of it. The status of the ticket changes to Assigned.

As shown later in the workflow, an Investigator can also Accept a ticket with a status of Reassigned, Assigned, or Rejected.


Step 2 - Investigate a ticket

The Owner of an Assigned ticket can do the following:

• Set Resolution - Select a ticket resolution from the list (None, Remediate, Mitigate, Exception, Non-Issue).

• Add Note - Clarify what was done to resolve the issue or add a comment.

• Change Priority - Select a Priority from the list (High, Medium, Low) to indicate the impact on the security of the database.

• Return - Return the ticket, which changes its status to Reassign and its Resolution to None. This enables another user with an Investigator role to accept the ticket and take over the assignment.

An Investigator can accept a ticket with the following status:

• Reassigned - A previous owner returned this ticket. Another Investigator may now accept it.

• Assigned - An Investigator owns this ticket, but another Investigator may accept it and take over ownership.

• Rejected - This ticket went through the investigation process and an Approver rejected the proposal to close it. Any Investigator may accept a ticket with a status of Rejected.

Step 3 - Propose to close a ticket

After investigating a ticket, the owner proposes to close the ticket. This changes the ticket's status to Proposed (Proposed for closure).

Step 4 - Evaluate proposed for closure tickets

Only an Approver can approve or reject a proposal to close a ticket. When the Approver rejects a ticket, its status changes to Rejected. Any Investigator, including the original owner, can then accept the ticket and investigate it.

Step 5 - Close the ticket

When an Approver approves a ticket for closure, its status changes to Closed. No further processing takes place. This closes the ticket handling process.
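As an added example, not part of the guide or the product, the following Python enforces the five workflow steps as a state machine with the Investigator and Approver roles and keeps an audit trail of every transition. The owner-only rule for Step 2 actions, the rule that an Approver cannot decide on a ticket they own, setting the resolution together with the proposal, the status name Reassigned for a returned ticket, and the sample users are assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

INVESTIGATOR, APPROVER = "Investigator", "Approver"
RESOLUTIONS = ("None", "Remediate", "Mitigate", "Exception", "Non-Issue")
ACCEPTABLE = ("New", "Reassigned", "Assigned", "Rejected")   # statuses an Investigator may accept

class WorkflowError(Exception): pass   # the role or the ticket status forbids the action

@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]

@dataclass
class Ticket:
    number: int
    status: str = "New"
    owner: Optional[str] = None
    resolution: str = "None"
    history: List[str] = field(default_factory=list)   # audit trail of every transition

    def log(self, user: User, what: str) -> None:
        self.history.append(f"{user.name}: {what} -> {self.status}")

def require(condition: bool, message: str) -> None:
    if not condition:
        raise WorkflowError(message)

def require_owner(ticket: Ticket, user: User) -> None:
    # Step 2 actions are reserved for the owner of an Assigned ticket (assumption)
    require(ticket.status == "Assigned" and ticket.owner == user.name,
            f"{user.name} does not own Assigned ticket {ticket.number}")

def accept(ticket: Ticket, user: User) -> None:
    """Step 1: an Investigator takes ownership (also of Reassigned, Assigned or Rejected tickets)."""
    require(INVESTIGATOR in user.roles, f"{user.name} is not an Investigator")
    require(ticket.status in ACCEPTABLE, f"cannot accept a {ticket.status} ticket")
    ticket.owner, ticket.status = user.name, "Assigned"
    ticket.log(user, "Accept")

def add_note(ticket: Ticket, user: User, text: str) -> None:
    require_owner(ticket, user)
    ticket.log(user, f"Add Note: {text}")

def return_ticket(ticket: Ticket, user: User) -> None:
    # Step 2: hand the ticket back so another Investigator can accept it
    require_owner(ticket, user)
    ticket.status, ticket.resolution, ticket.owner = "Reassigned", "None", None
    ticket.log(user, "Return")

def propose(ticket: Ticket, user: User, resolution: str) -> None:
    """Steps 2 and 3: the owner records a resolution and proposes closure; nothing more alone."""
    require_owner(ticket, user)
    require(resolution in RESOLUTIONS, f"unknown resolution {resolution}")
    ticket.resolution, ticket.status = resolution, "Proposed"
    ticket.log(user, f"Propose (resolution={resolution})")

def decide(ticket: Ticket, user: User, new_status: str, what: str) -> None:
    """Steps 4 and 5: only an Approver decides, and (assumption) never on a ticket they own."""
    require(APPROVER in user.roles, f"{user.name} is not an Approver")
    require(ticket.status == "Proposed", f"ticket {ticket.number} is not Proposed")
    require(ticket.owner != user.name, "an Approver may not decide on their own ticket")
    ticket.status = new_status
    ticket.log(user, what)

def approve(ticket: Ticket, user: User) -> None: decide(ticket, user, "Closed", "Approve")
def reject(ticket: Ticket, user: User) -> None: decide(ticket, user, "Rejected", "Reject")

def run_demo() -> Ticket:
    """Walk one constructed ticket through the workflow, including a rejection."""
    alice, bob = User("alice", frozenset({INVESTIGATOR})), User("bob", frozenset({APPROVER}))
    ticket = Ticket(number=1)
    accept(ticket, alice)
    add_note(ticket, alice, "Access was a DBA mistake; no remediation needed")
    propose(ticket, alice, "Non-Issue")
    reject(ticket, bob)       # the Approver wants more evidence
    accept(ticket, alice)     # the original owner may accept a Rejected ticket again
    propose(ticket, alice, "Non-Issue")
    approve(ticket, bob)      # Closed: no further processing
    return ticket

def denied_actions() -> List[str]:
    """Attempts that the separation of duties blocks; returns the labels of those refused."""
    alice, bob = User("alice", frozenset({INVESTIGATOR})), User("bob", frozenset({APPROVER}))
    ticket = Ticket(number=2)
    accept(ticket, alice)
    propose(ticket, alice, "Remediate")
    attempts = (
        ("approve", lambda: approve(ticket, alice)),   # an Investigator may only propose
        ("accept", lambda: accept(ticket, alice)),     # Proposed is not an acceptable status
        ("note", lambda: add_note(ticket, bob, "x")),  # the Approver does not own the ticket
    )
    denied = []
    for label, attempt in attempts:
        try:
            attempt()
        except WorkflowError:
            denied.append(label)
    return denied
```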


Analyze Ticket Details

Tickets are documents used to track progress on the actions taken in response to incidents. You can display tickets in an Overview or All Tickets list view, or you can examine an individual ticket.

Most tickets are generated by InTrust for Databases in response to database incidents. However, when performing a Forensic investigation, you may want to create and generate additional tickets.

Get a Ticket Overview

The Overview tab displays a set of graphs that provide a quick overview of the status of all the tickets related to the databases InTrust for Databases monitors.


The four sections of the Overview tab display the following information:

• Ticket Service Level Agreement (SLA) - displays pie charts that show the percent of high, medium, and low priority tickets that conform to the SLA, are over the time limit set to assign a ticket to satisfy the SLA, and are over the time limit set to close a ticket to satisfy the SLA. The SLA is an acceptable industry standard policy for setting time limits for resolving outstanding tickets.

• Ticket Workflow - displays bar charts that show the actual number of high, medium, and low priority tickets in each stage of the workflow (New, Investigate, Proposed for closure, Closed).

• Ticket Age - displays bar charts that show the number of high, medium, and low priority tickets by age (older than a week, a week, a day, or an hour old).

• Ticket Ownership - displays bar charts showing the number of high, medium, and low priority tickets by owner and the number of tickets that do not have an owner.

To view additional information

• In the Ticket SLA section, click a High, Medium, or Low Priority pie chart to view details about the tickets.

• Click Display SLA to view the current settings for the SLA. InTrust for Databases keeps statistics on your company's record for meeting the ticket response times set in the SLA for each level of tickets. From the Administrator Console, you can change values for SLA.

• In the Ticket Age section, click a field (Old (older than a week), Week, Day, Hour).

• In the Ticket Workflow section, click a state (New, Investigate, Proposed (for closure), Closed).

• Click Display Workflow to view a flowchart that describes the ticket workflow.

• In the Ticket Ownership section, click a priority (High, Medium, Low) in the row of an owner.

The All Tickets tab displays details for the tickets filtered by the selected parameter.


View All Tickets

The All Tickets tab displays statistics for Tickets using a standard list representation. You can view ticket information for all tickets, apply filters to customize the view, or click column headings to sort the data. You can also initiate a forensic investigation or view details about a selected ticket.

To initiate a forensic investigation

• Right-click a ticket and select Go to Forensics.

To view details about a ticket

• Do one of the following:

• Double-click a ticket.

• Right-click a ticket and select View Policy Details.

• Right-click a ticket and select View Ticket Details.

This creates a tab for the ticket and displays ticket details.

View Details for a Specific Ticket

The Ticket Detail view displays ticket properties and history on a <Ticket Number n> tab. If you have not previously viewed details for the selected ticket, InTrust for Databases creates a new tab for the selected ticket.

InTrust numbers tickets in consecutive order and allows you to Accept (take responsibility for a ticket). Once you Accept a ticket, its status becomes Assigned and you become the ticket owner. You can then add notes to the ticket, return the ticket (change its status to Reassign), resolve the ticket, and propose the ticket for closure. You can only modify your own tickets.


From the <Ticket Number n> tab, you can do the following:

• Set Resolution (None, Remediate, Mitigate, Exception, Non Issue)

• Change Priority (High, Medium, Low)

• Go to Forensics

• Perform a ticket action (Accept, Return, Set Resolution, Propose (for closure), Approve, Reject)

• Add ticket notes

Process Tickets

The ticketing system provides essential audit artifacts about the incidents that occur and the actions taken to investigate and resolve them. InTrust for Databases stores tickets permanently. Overall, this gives an auditor valuable insight into the care your company takes to secure its assets.

Let us open the ticket that the sensitive table access policy just produced. From the ticket you can click through to the forensic facility to see the offending SQL statements and even zoom out to see all the SQL statements in the offending session.

You can navigate back to the ticket to accept ownership and log any notes. In this case, we will document that this incident was a DBA mistake and that no remediation needs to be performed.

The ticketing system enforces a separation of duties. Each InTrust for Databases user has a defined role. If you are granted the Investigator Workflow role, you may only propose to close a ticket. Your supervisor or another person with an Approver role must review the ticket and either reject or approve it.

An InTrust for Databases administrator manages the audit archives. Read-only archives are fully accessible whenever they are on the server. So if you ever need to go back and look at an older archive, just have your InTrust for Databases administrator copy the archive back to the InTrust for Databases server.


Chapter 4: Perform Forensic Investigations

Contents

Introduction to Forensics
View Sessions and Executions
Create Forensic Tickets
View Events


Introduction to Forensics

Forensics are reviews of database actions or investigations of policy violations. The system allows you to raise a ticket during the initiation of a forensic investigation and keep this ticket active in order to attach and detach incidents, connections, configurations, and executions.

You can open the Forensics window from any ticket to see the associated executions and sessions. You can also open Forensics for any time frame. This is possible because InTrust for Databases constantly audits the database. So regardless of the Policies you create, every session and every execution is audited and stored. You can drill into any session and see ALL the SQL statements that session issued.

The left pane of the Forensics tab displays a hierarchical view of profiled and unprofiled instances and displays buttons for the types of tickets you can view and manage.

From the Forensics tab, you can:

• Create a Ticket

• Edit a Ticket

• Generate a Ticket

• Cancel a Ticket


View Sessions and Executions

InTrust for Databases keeps track of all sessions and program executions on its monitored hosts, and you can view this information from the Forensics tab.

To view sessions and executions for an instance

1 In the tree, expand a profile name and select an instance.

Tip In the filter area, to view all the data, set the range from the First available date to the Last available date. Display the calendar on the From field, click Clear, and then click anywhere on the grid below. Repeat for the To field.

2 Select the Sessions tab to filter and view sessions where activities occurred during a selected time period.

3 Select the Executions tab to filter and view program executions that occurred during a selected time period.

a Select an execution to view the following information:

Bind Variables Bind variables send the same SQL to Oracle each time the query is made. They eliminate the need to parse similar SQL statements over and over.

Note Information displays in this field only if the BIND environment variable is enabled. See Appendix C of the InTrust for Databases Installation Guide.

Accessed Tables Lists the names of the affected tables and the operations performed.

SQL Displays the SQL statement that initiated the operation. This section lists up to 1000 characters. Click View Full SQL to view the rest of the SQL.


Create Forensic Tickets

If you want to further investigate and keep track of actions taken, you can create a forensic ticket. Forensic tickets display on the Tickets | All Tickets tab.

To create a new forensics ticket

1 Select one or more sessions or executions.

2 Right-click an occurrence and select Create New Ticket.

3 At the top of the Forensics ticket tab, select a priority, and enter a description and notes.

At this point, the ticket is in draft form. You can select another button or tab and do other tasks, create more draft tickets, or edit tickets. When ready to proceed, select Draft Session Tickets or Draft Execution Tickets.

4 Select a draft ticket and do one of the following:

• Click Generate to generate the ticket and remove it from the Draft Session/Executions Tickets list. The ticket receives a number and displays under the Ticket tab in the list on the All Tickets sub-tab.

• From the Selected Sessions or Selected Executions grid, select one or more items and click Remove Sessions or Remove Executions to delete them from the draft ticket.

• Click Cancel to cancel the draft ticket.


View Events

An event is a policy violation. The response actions determine the number of events that must occur per day, week, or month before InTrust for Databases generates an incident. The Event View tab displays information about all of the recorded events.

To view events

1 On the Forensics | Event View | Session Events or Execution Events tab, set the filters. For Mode, select one of the following:

• All Incidents to view all the incidents that occurred during the session.

• Tickets Only to view only those incidents that resulted in a ticket.

2 On the Session Events tab, expand an incident to view information about each event.

3 On the Execution Events tab, expand a session, and select an execution to view event information.

• Select an event to view Bind Variables, Accessed Tables, and the first 1K of SQL.

• Click View Full SQL to view the full SQL in either paragraph or formatted form.


Chapter 5: Monitor Application Sessions

Contents

About Application Sessions
Configure InTrust for Databases to Recognize Individual Sessions


About Application Sessions

Sometimes multiple users share the same application and use the same user name to launch the application. This usually happens when an application runs on a server and various people access the server to make queries or requests that affect a database. InTrust for Databases records these database accesses under the user name associated with the server. To track database changes and to assure security for your databases, you want to distinguish between these users to track exactly who is accessing the database. InTrust for Databases can identify and associate session information to an individual user provided you make some configuration changes.

There are several occasions when an application that uses a single database user might send SQL to the database with the original user's information. This is very application dependent, and the application's design and implementation determine whether the new "application user" feature can benefit you.

Multi-tiered Applications

Multi-tiered applications are often designed so that there is a single database user, but every client gets a dedicated connection to the database (that is, there is no connection pooling). This can be either because it is a two-tier application or because the application server in a three-tier application opens a dedicated connection for each client connection.

Often, for multi-tiered applications, at the beginning of the connection there is some SQL with information about the original application client. This occurs in order to do one or more of the following:

• Authenticate the client - The user and password entered into the application need to be verified and permissions for that user need to be retrieved. The application server sometimes caches that information.

• Pass login information - The application may write information about the new login to:

• Audit tables to keep a log of all the logins.

• Statistic tables to keep track of how often a user logs in.

• Miscellaneous tables that could be referenced to see who is currently logged in.

There may be features in the application (like the ones above) that show information about the clients that logged in to it. But looking at the InTrust for Databases forensic data is the easiest way to identify whether the SQL exists and what it looks like.


Applications with Connection Pooling

Another type of application that uses the same logon for multiple users is one where the application has a single database user and uses connection pooling. This means that the application has a set number of connections (usually fixed) and all the activity from all the users gets mixed into those connections.

These single-database applications with connection pooling usually contain connection information about the original application client. This occurs in order to do one or more of the following:

• Set the client_info, module, context, or other similar fields - The application sends this information whenever the user on the connection changes, so that database monitoring applications (like IDB, PA, Spotlight) know what each session is currently doing and on whose behalf. This information is visible in views like V$SESSION.

• Update an audit log - Sometimes applications keep an audit log showing who did what (this might be in a file on the application server).

• Update a usage statistics table - Sometimes these applications update a usage statistics table for each user (again, this might be in a file on the application server).

• Mark changes to tables - Sometimes these applications mark changes to tables as done by someone. In this case, the database writer connections might be able to be linked to the originating user.

Custom Applications

Custom applications built by your organization may have SQL in the data stream (for all the above mentioned reasons). If not, the application might need to be modified to add SQL to the beginning of the session in order to audit the originating user.

Configure InTrust for Databases to Recognize Individual Sessions

If an application session contains information about the originating user, you can configure InTrust for Databases to recognize the individual session.

As with session filters, InTrust for Databases reads application session configuration information from a file that resides in the DASMON/<version>/config folder on the agent host.


The name of this configuration file is:

appinfo_patterns.conf.interceptor.<IDB_INSTANCE_NAME>

The file is a standard Quest Agent Manager file that contains a set of name-value pairs, one line for each application:

name value
name value
...

The format of an entry in the configuration file is:

<name> "pattern=<SQL text>;begin=<char>;end=<char>"

or

<name> "pattern=<SQL text>"

Note Semicolons separate the parameters in the value section of the name-value pair.

The two parts of the name-value pair are:

name - Informational only; it can be anything, for example, the application name.

value - Determines whether a SQL statement is the beginning of an application session. It is a specially encoded string with up to three parts:

pattern=<fragment of SQL text>;begin=<character that marks start of application session info>;end=<character that marks end of application session info>

The keywords pattern=, begin=, and end= in the value string are case sensitive. The pattern= keyword is mandatory: it gives the substring that the SQL text must contain for the statement to qualify as the beginning of an application session. Because SQL is not case sensitive, the <fragment of SQL text> is matched without regard to case.

The begin= and end= keywords give the characters that surround the application session information so that it can be located and extracted. Both are optional. If they are absent, InTrust for Databases takes the application session information to be the text that follows the pattern, up to the next space, tab, new-line character, or end of string.


Examples

These examples describe the ways application session information may be embedded in the SQL of an application and how InTrust for Databases uses the name-value pairs in the configuration file to identify that information. Your application developer should know how your company's application session information is embedded, or you can use tools such as InTrust for Databases Forensics to examine an application's SQL and identify the information you need to put into the configuration file.

Example 1: Application session information surrounded by markers

Oracle's DBMS_APPLICATION_INFO package has a procedure named SET_CLIENT_INFO. A call to it from SQL*Plus looks like this:

SQL> conn scott/tiger@orcl
Connected.
SQL> begin
  2  dbms_application_info.set_client_info('Scott Tiger');
  3  end;
  4  /

PL/SQL procedure successfully completed.

In this example, the call to DBMS_APPLICATION_INFO.SET_CLIENT_INFO carries the application session information 'Scott Tiger', the name of the person using the application.

The configuration file entry needed to recognize this SQL as the start of an application session and to extract the string that identifies the actual user is as follows.

To identify application session information surrounded by markers

1 Enter the following line in the configuration file:

OraAppInfo "pattern=DBMS_APPLICATION_INFO.SET_CLIENT_INFO;begin=(;end=)"

The parameters in this entry are:

pattern= DBMS_APPLICATION_INFO.SET_CLIENT_INFO (this SQL text is not case sensitive)

begin= (

end= )

2 Name the file appinfo_patterns.conf.interceptor.<IDB_INSTANCE_NAME> and store it in the DASMON/<version>/config folder on the agent host.

When the application runs and InTrust for Databases finds a match to the pattern, it extracts the string bounded by the markers and uses it as the DB User name (in this example, 'Scott Tiger'). Keep in mind that any session able to execute this call can pass any value: the name recorded this way is attribution supplied by the application, not an identity verified by the database, so it is only as trustworthy as the application code that issues it and the protection of the pooled account's credentials.

Example 2: Application session information without markers

SQL Server has a SET CONTEXT_INFO statement that takes a binary hexadecimal value as its application session information:

c:\>osql -S .\mssql -E
1> set context_info 0xDE
2> go
1>

In this case, 0xDE is the application session information of interest.

The configuration file entry needed to recognize this SQL as the start of an application session and to extract the application session information that identifies the actual user is as follows.

To identify application session information without markers

1 There are no begin and end markers around the application session information, so omit the begin= and end= keywords and enter the following line in the configuration file:

MssqlAppInfo "pattern=SET CONTEXT_INFO"

The parameters in this entry are:

pattern= SET CONTEXT_INFO (this SQL text is not case sensitive)

begin= Omit this parameter.

end= Omit this parameter.

2 Name the file appinfo_patterns.conf.interceptor.<IDB_INSTANCE_NAME> and store it in the DASMON/<version>/config folder on the agent host.

When the application runs and InTrust for Databases finds a match to the pattern, it extracts the next word, because there are no markers, and uses it as the DB User name (in this example, the string is 0xDE).
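As an added example (not code from this guide or from the InTrust for Databases product), the following Python script re-implements the matching rules described in this section so that an appinfo_patterns.conf entry can be dry-run against captured SQL before the file is deployed to the agent host: a case-insensitive pattern= substring match, extraction between the begin= and end= marker characters when both are given, and otherwise the next word delimited by space, tab, new-line or end of string. The sample configuration and statements are constructed to mirror Examples 1 and 2 above. How an entry that gives only one of begin= or end= behaves is not stated in the guide; treating it like an entry with no markers is this script's assumption.

```python
"""Dry-run appinfo_patterns.conf entries against captured SQL (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEYWORDS = ("pattern", "begin", "end")  # case sensitive, as the guide states


@dataclass(frozen=True)
class AppInfoPattern:
    name: str
    pattern: str
    begin: Optional[str] = None
    end: Optional[str] = None


def parse_entry(line: str) -> AppInfoPattern:
    """Parse one '<name> "pattern=<SQL text>;begin=<c>;end=<c>"' line."""
    name, _, value = line.strip().partition(" ")
    value = value.strip()
    if not name or len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError(f"malformed entry: {line!r}")
    fields: Dict[str, str] = {}
    # Semicolons separate the parameters, so a marker character cannot be ';'.
    for part in value[1:-1].split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep or key not in KEYWORDS:
            raise ValueError(f"{name}: unknown or malformed parameter {part!r}")
        fields[key] = val
    if not fields.get("pattern"):
        raise ValueError(f"{name}: pattern= is mandatory")
    return AppInfoPattern(name, fields["pattern"], fields.get("begin"), fields.get("end"))


def load_conf(text: str) -> List[AppInfoPattern]:
    """Parse a whole file: one entry per non-blank line."""
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def extract_session_info(pat: AppInfoPattern, sql: str) -> Optional[str]:
    """Return the application session information carried by `sql`, or None
    if `sql` does not qualify as the beginning of an application session."""
    idx = sql.lower().find(pat.pattern.lower())  # SQL text is not case sensitive
    if idx < 0:
        return None
    rest = sql[idx + len(pat.pattern):]
    if pat.begin is not None and pat.end is not None:
        b = rest.find(pat.begin)
        if b < 0:
            return None
        e = rest.find(pat.end, b + len(pat.begin))
        if e < 0:
            return None  # unterminated marker: not treated as a session start
        return rest[b + len(pat.begin):e]
    # No markers (assumption: also when only one of begin=/end= is given):
    # take the next word, delimited by space, tab, new-line or end of string.
    m = re.match(r"[ \t\r\n]*([^ \t\r\n]+)", rest)
    return m.group(1) if m else None


def attribute(patterns: List[AppInfoPattern], sql: str) -> Optional[Tuple[str, str]]:
    """First (entry name, session info) pair whose pattern matches `sql`."""
    for pat in patterns:
        info = extract_session_info(pat, sql)
        if info is not None:
            return (pat.name, info)
    return None


# Constructed sample config and captured statements, mirroring Examples 1 and 2.
SAMPLE_CONF = '''
OraAppInfo "pattern=DBMS_APPLICATION_INFO.SET_CLIENT_INFO;begin=(;end=)"
MssqlAppInfo "pattern=SET CONTEXT_INFO"
'''
SAMPLE_SQL = [
    "begin\n  dbms_application_info.set_client_info('Scott Tiger');\nend;",
    "set context_info 0xDE",
    "SELECT ename FROM emp WHERE deptno = 10",  # ordinary statement: no session info
]

if __name__ == "__main__":
    pats = load_conf(SAMPLE_CONF)
    for stmt in SAMPLE_SQL:
        print(repr(stmt[:40]), "->", attribute(pats, stmt))
```

The script returns the raw text between the markers, so the Oracle sample yields 'Scott Tiger' with its single quotes; whether the product strips them is not stated in the guide. Whatever the extraction rule, the value it yields is whatever the client chose to send on the pooled connection, so treat it as application-supplied attribution rather than as an authenticated user.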


6 Generate Reports

Contents

Introduction to Reports
Generate Reports from the User Console
Generate Reports from the Command Line
Generate Reports from Report Builder


Introduction to Reports

The report feature enables you to take a snapshot in time, which an auditor can compare with a more recent snapshot to see exactly what changed. Regulatory compliance requires that a company keep a catalog of its assets and controls and document material changes to those assets and controls.

Changes to profiles and policies are covered by a few additional Profile and Policy reports that are not tied to database activity. These help satisfy the need to document material changes to your assets and controls.

If your auditor is interested in more details about tickets or incidents related to a specific policy, you can also produce simple reports to document those details.

Most of the windows in the user console can print reports. This allows you to tailor the information in a particular window and produce a listing in Excel or PDF. There are three ways to produce reports: from the InTrust for Databases User Console, from the command line, or from Report Builder.

Generate Reports from the User Console

The following interactive reports are available from the Reports tab:

• Profiles Catalog - This report lists the names of all the profiles for a selected type. It is a catalog of your company's assets.

• Altered/Deleted Profiles - This report lists information for each profile that was created, altered, or deleted from a selected start time until the present and documents material changes to those assets.


• All Policies - This report provides ticket and incident counts for all active policies. The report catalogs your company's database controls. This report shows auditors that your company has controls in effect.

• Altered/Deleted Policies - This report lists information for each policy that was created, altered, or deleted from a selected start time until the present and documents material changes to those controls.

• Unprofiled Assets - This report lists the names of all the unprofiled assets for a selected profile type. These are assets, such as instances, tables, columns, users, or errors that have not yet been classified by risk, business value, ownership, or other criteria. Until these assets are classified into profiles, the quality of controls placed on them is unknown. The report helps you discover the new or existing assets that are not classified into profiles.

• Instances - This report displays information about each registered instance monitored by InTrust for Databases. The report includes the instance name, instance host IP address, port, database name, database path, and database type. It also provides information about the IDB server, port, and active archive that stores collected data for the instance. This report is important to auditors because it shows which instances are being monitored and have controls in place.

• Privileged Sessions - This report displays information about sessions and executions for the given DB User Profile. The report includes the start and finish time of each session, instance name, DB user, OS user, machine name, and the program that ran during the session.

To create a report

1 In the Report list, select a report.

2 Set the filters, and then click Apply.

3 Click Print to display a preview of the report.

4 Select options from the Preview toolbar or menu to customize, print, export, or save the report in various formats.

Generate Reports from the Command Line

The command line report feature allows an InTrust for Databases OPERATOR or USER to obtain reports through Windows PowerShell from an IDB Windows client without starting the InTrust for Databases User Console. You can schedule these command line reports and run them in the background.


To get reports from the command line

1 Install Windows PowerShell.

2 Register the InTrust for Databases PowerShell snap-in.

3 At the PowerShell prompt (for example, PS C:\>), enter Get-IDBReport [-ReportName] or Get-IDBReportbyID [-ReportName], and then do one of the following:

• Enter parameter pairs in any order.
• Enter parameter values in the proper order.
• Press Enter and let the snap-in prompt for the parameters.

Note See Command Line Reports in the InTrust for Databases Console help system for installation instructions and details about the report commands.

The same reports that are available from the console are also available from the command line, along with several others. To see the complete list of reports available from the command line, use Get-Help:

• Enter Get-Help Get-IDBReport to view a list of all the available reports.

• Enter Get-Help Get-IDBReport -detailed to view the list of reports with parameter descriptions.

• Enter Get-Help Get-IDBReport -full to view the list of reports, parameter descriptions, and other technical information.

Generate Reports from Report Builder

InTrust for Databases Report Builder helps you create and manage reports. It connects to the servers that hold the audit data you want to report on, provides pre-defined reports that you can run as they are or use as the basis for custom reports, and includes a wizard for creating new reports. Its integrated Report Designer lets you rearrange report elements and add charts, tables, images, text, and other custom features to your reports.

Report Builder features can help you:

• Get started (create, copy, import, and design reports)
• Change report filters and properties
• Generate reports
• View, print, and save generated reports
• Configure the subscription email server (do this before you create new subscriptions)
• Create subscriptions and schedule and deliver reports to a list of recipients

Create Subscriptions

The Report Builder New Subscription wizard helps you create a subscription, which selects one or more reports to be scheduled and delivered to a set of recipients. The wizard sets the times at which the selected reports are generated and configures the emails so that the reports go to the proper people.


Analyze Trends

InTrust for Databases displays a set of graphs on the Trends tab that show the number of opened and closed tickets and incidents over time. These graphs help you see quickly what is happening on your system over time.

To view trends over time

1 On the Trends tab, select a time period or enter a custom time period.

2 Select a policy or select All policies.

3 Click Apply to view the trend lines for open tickets, closed tickets, and incidents.

The Closed Tickets trend line should be flat. If it is decreasing or at zero, the people responsible for investigating and closing tickets are not keeping up with their duties.

If the Open Tickets trend line is increasing, the number of audit violations detected may be producing more work than the staff assigned to it can handle.

If the number of incidents is increasing, your policies may not be appropriate for the way your company does business, or your DBAs may not be respecting your company's policies.

To address these trends, you may need to edit your policies, adjust expectations, or discuss staffing with management.

7 Use the Federated Console

Contents

Launch the Federated Console
Monitor Policies
Monitor Tickets
Review Profiles

Launch the Federated Console

InTrust for Databases Federated Console is a tool for sites where multiple IDB servers manage audit data. In this application, Federated means that the console connects to a set of IDB servers and lets you view and compare database audit data for the entire set of servers from a single console.

InTrust for Databases Federated Console allows InTrust for Databases USERs or OPERATORS to connect to multiple IDB servers, and examine policies, tickets, and profiles.

To launch InTrust for Databases Federated Console from Windows

1 Select Start | Programs | Quest Software | InTrust for DB <version> | InTrust for DB Federated Console.

Note If the Federated Console is not available from the InTrust for Databases menu, go to the InTrust for Databases installation folder (the default location is c:\Program Files\Quest Software\Intrust for DB <version> Federated Console) and run the msi to install the Federated Console.

2 Select a tab:

• Servers
• Policies
• Tickets
• Profiles

3 Use the File menu to Import Servers (for instructions, see Manage Servers), change the Page Setup, Print the display, or Exit the Federated Console.


Manage Multiple Servers

The Federated Console Servers tab displays information about each server: display name, host name, connection port, IDB server version, the number of open tickets at each priority level, and the number of incidents that occurred in the last hour, day, and week.

The Federated Console allows you to view and compare data from several IDB servers from a single console.

To view data from multiple IDB servers

1 Do one of the following:

• Click Add or select a server and click Edit or Delete to open the Connection Manager dialog where you can connect to all the IDB servers whose data you want to examine from the Federated Console.

• Click Import or select File | Import Servers to open the default console connection file or to browse to a folder and file of your choice. The default file location is: c:\Documents and Settings\<user name>\Local Settings\Application Data\Quest Software\InTrust for Databases <version>\connectionConsolidateUser.xml

Click Open to import the servers and view them on the Servers tab.

2 View or hide information about monitored instances.

• Click the Plus + or Minus - next to the Display Name column to expand or collapse monitored instance information for a selected server.

• Select Expand All or Collapse All to expand or collapse monitored instance information for all the servers in the list.

3 Activate or deactivate a server.

• Select a server and click Deactivate or Activate to stop or resume the querying and displaying of information.


Monitor Policies

The Federated Console Policies tab displays statistics for policies, tickets, and incidents across multiple servers. It lets you see the most urgent violations of your threat, error, and exploit policies for all monitored databases.

To view policy statistics

1 Select the Policies tab. The statistics displayed are the same as those on the All Policies tab in the user console, but are for policies related to databases monitored by a set of IDB servers, not just one server.

2 Set filters to view data for all or specific IDB servers, policies, and policy types.

Note The filters apply as you set them.

3 Optionally, select these options to limit the amount of data displayed on the tab:

• Policies with open tickets only - to display information for policies that have open tickets

• Policies with incidents for last week only - to display information about incidents that occurred during the last seven days only.

4 Select Expand All or Collapse All to expand or collapse policy information for all the servers in the list.

Monitor Tickets

The Federated Console Tickets tab displays ticket statistics for multiple servers. It lets you see which audit tickets require the most urgent attention.

To display ticket information

1 Select the Tickets tab. The statistics displayed and the filters are the same as those on the All Tickets tab in the user console, but are for tickets related to the databases monitored by a set of IDB servers, not just one server.

2 Set filters to view ticket data for a specific time period, by priority, status, and owner, for all or specific IDB servers, and by policy type.

Note The filters apply as you set them.


Review Profiles

The Federated Console Profiles tab displays your company's database instance, user, table, error, time, and session assets for databases on multiple servers. Profiles group these assets by shared ownership, business value, and exposure to risk.

To display profile information

1 Select the Profiles tab. The statistics displayed are for profiles related to databases monitored by a set of IDB servers, not just one server.

2 Set filters to view profiles for all or specific IDB servers, profiles, or profile types.

Note The filters apply as you set them.

The tab displays a list of profiles each with its corresponding profile type (All, Instance, Database User, Table/Column, Error, Time, Session) and server.

The Consistency icon indicates that the profile is consistent. If this icon is red, it indicates that an item in the profile is corrupt or was removed from the server, but not from the profile. To make the profile consistent again, manually remove the item from the profile.

3 Select a profile and click Show Details to view profile details and information about the assets in the profile.

Appendix A: Contact Quest

Contact Quest Support

Quest Support is available to customers who have purchased a commercial or trial version of Quest software and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our web self-service. Visit SupportLink at: http://support.quest.com.

With SupportLink, you can do the following:

• Quickly find thousands of solutions (Knowledgebase articles/documents).

• Download patches and upgrades.

• Seek help from a Support engineer.

• Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/Global Support Guide.pdf.

Note This document is only available in English.


Contact Quest Software

Refer to our web site for regional and international office information.

About Quest

Quest Software, Inc., a leading enterprise systems management vendor, delivers products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure, and virtual environments. Through deep expertise in IT operations and a continued focus on what works best, Quest helps more than 90,000 customers worldwide meet higher expectations for enterprise IT. Quest Software helps organizations deliver, manage, and control complex database environments through its products for Oracle, SQL Server, IBM DB2, Sybase, and MySQL. Quest Software can be found in offices around the globe and at www.quest.com.

Email [email protected]

Mail Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA

Web site www.quest.com

Index

A
application sessions
  about 58
  configuration file 60
  configure for individual sessions 59
  examples 61
  for Oracle 61
  identify with markers 61
  identify without markers 62

C
calendar of incidents 36
command-line reports 67
Connection Manager 14
connection pooling 59
console
  introduction 8
  operators 9
  users 9
custom applications 59
custom policies 26

E
error
  policies 17
  profiles 25
events
  view 55
executions
  remove 54
  view 53
exploit policies 17, 28

F
features 10
Federated console
  launch 72
  multiple servers 73
  policies 74
  profiles 75
  tickets 74
forensics
  introduction 52
  remove sessions or executions 54
  tickets 54
  view sessions and executions 53

I
IDB server
  connect example 14
incidents
  calendar 36
instances
  profiles 19

M
multiple servers 73
multi-tiered applications 58

P
policies
  about 16
  analyze details 33
  apply changes 32
  create custom 26
  create quickly 18
  error 17
  exploit 17, 28
  improve 41
  overview 33
  templates 17
  threat 17, 27
  view all 34
  view specific 39
profiles 25
  about 16
  apply changes 26
  create custom 19
  error 25
  improve 41
  instance 19
  session 25
  table 21
  templates 17
  time 25
  user 23

Q
quick start 17

R
reports
  analyze trends 70
  create subscriptions 69
  generate from command line 67
  generate from console 66
  generate from Report Builder 68
  generate from window 66
  introduction 66
  print 66
  schedule and email 69

S
sessions
  profiles 25
  remove 54
  view 53
subscriptions to reports 69
support (technical)
  contact 77

T
tables
  profiles 21
technical support
  contact 77
templates 17
threat policies 17, 27
tickets 44
  analyze details 47
  forensic 52
  introduction 44
  overview 47
  process 50
  view all 49
  view specific 49
time 25
  profiles 25
trends
  analyze 70

U
users
  profiles 23

W
workflow roles 44