66 cards in this set (Front / Back)
Explain the ALLOW action on a non-selective policy
Check the Continue to Next Rule box to indicate that when this rule is satisfied and its action is
triggered, testing of the same request, exception, or result set should continue with the next rule.
This means that multiple rules may be satisfied and multiple actions taken for a single
request or exception. If not marked (the default), no additional rules are tested once this rule
is satisfied; a rule that is not satisfied never stops evaluation. If marked, rule testing continues
with the next rule whether or not this rule is satisfied.
The collector logs the connection. Session information (logins/logouts) is always logged.
Except for the Allow action, a policy violation is logged each time a rule is triggered (unless that
action suppresses logging).
Allow: When matched, do not log a policy violation. If the Allow action is selected, no other actions
can be added to the rule. Constructs are still logged.
Explain the points of IGNORE S-TAP SESSION
--Ignore S-TAP Session causes the collector to send a signal to the S-TAP
instructing it to stop sending all traffic, except for the logout notification, for specific sessions.
--The current request and the remainder of the S-TAP session will be ignored.
--This action is used in combination with rule criteria in the policy builder that identify specific
systems, users or applications producing a high volume of network traffic. It is
useful in cases where you know the database responses from the S-TAP session will be of no
interest.
It is important to note that Ignore Session rules are still very important to include in the policy
even if using....??
a Selective Audit Trail.
Ignore Session rules decrease the load on a collector
considerably because ...??
by filtering the information at the S-TAP level, the collector never receives
it and does not have to consume resources analyzing traffic that will not ultimately be logged.
A Selective Audit Trail policy with no Ignore Session rules would mean that all traffic would be sent
from the database server to the collector, causing
the collector to analyze every command and
result set generated by the database server
Explain the S-TAP TERMINATE action
The S-TAP TERMINATE action will terminate a database connection (a session) and prevent
additional requests on that session. This action is available in S-TAP, regardless of whether SGATE is used or not.
Explain the S-GATE actions
S-GATE provides database protection via S-TAP for both network and local connections.
When S-GATE is available, all database connections (sessions) are evaluated and tagged to be
monitored in one of the following S-GATE modes:
-Attached (S-GATE is "on")
-Detached (S-GATE is "off")
Explain S-TAP in Attached mode (S-GATE is "on")
S-TAP is in firewalling mode for that session: it holds each database
request and waits for a verdict on it before releasing the response. In this mode,
latency is expected. However, it assures that rogue requests will be blocked.
Explain S-TAP in Detached mode (S-GATE is "off")
S-TAP is in normal monitoring mode for that session: it passes
requests to the database server without any delay. In this mode latency is not expected.
S-GATE configuration in the S-TAP defines...???
the default S-GATE mode for all sessions, as well as
other defaults related to S-GATE verdicts when the collector is not responding. Other than the
default S-GATE configuration, S-GATE is controlled through the real-time policy mechanism using
the following S-GATE Policy Rule Actions
• S-GATE ATTACH
• S-GATE DETACH
• S-GATE TERMINATE
• S-GATE/ S-TAP
Note on lower Linux kernels for ATAP and S-GATE
For ATAP and S-GATE, there are limitations on lower Linux kernels. Basically, for S-TAP 10.1.2
and higher, S-GATE is supported everywhere except Linux with ATAP on kernels lower than
2.6.36.
MySQL consideration for S-GATE
The mysql command-line client's auto-completion feature reads table and column names during
the login sequence, and those metadata queries can match an S-GATE TERMINATE rule on the
protected objects or fields and kill the session before the user has run anything. To avoid this,
connect to MySQL with the "-A" flag (--no-auto-rehash), which disables the auto-complete feature
and will not trigger the "terminate" rule. Another option is to fine-tune the rule so that it does not
terminate on ANY access to these objects/fields and instead uses a narrower criterion that is not
triggered by the login sequence.
Explain the S-GATE ATTACH policy action
Intended for use when certain criteria are met that raise the need to closely watch (and if
needed block) the traffic on that session.
Explain the S-GATE DETACH policy action
Intended for use on sessions that are considered "safe" or sessions that cannot tolerate
any latency.
Explain the S-GATE TERMINATE policy action
Has effect only when the session is attached. It drops the reply of the
firewalled request, which will terminate the session on some databases. The S-GATE
TERMINATE policy rule will cause a previously watched session to terminate.
S-GATE/ S-TAP termination does not work on a client IP group whose members have....???
wildcard characters.
Explain the Alerting actions
Alert actions send notifications to one or more recipients.
For each alert action, multiple notifications can be sent, and the notifications can be a
combination of one or more of the following notification types:
• Email messages
• SNMP traps
• Syslog messages
• Custom notifications (implemented as Java classes)
Adding an Extrusion Rule will only be available if....
the administrator user has set the Inspection
Engine configuration to Inspect Returned Data
“Alert only” and “Alert per match” notify.....
for each time the rule is satisfied
DML (Data Manipulation Language) commands include SQL statements like...
UPDATE, INSERT
Explain Policy Rule Basics
Within a policy, rules are evaluated in the order in which they appear, as each element of
traffic is analyzed.
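The ordered evaluation described on this card, together with the Continue to Next Rule checkbox and the Allow, Log only and Ignore Session actions described on other cards in this set, as an added Python model. This is not Guardium code: the Request and Rule shapes, the rule names and the sample traffic are constructed for illustration.

```python
"""Toy model of ordered policy rule evaluation.

Added example, not Guardium code: the Request/Rule shapes, the action names,
the rule names and the sample traffic are all assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Request:
    session_id: str
    db_user: str
    client_ip: str
    command: str            # e.g. "SELECT", "UPDATE"


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str             # ALLOW | LOG_ONLY | ALERT_PER_MATCH | IGNORE_SESSION
    continue_to_next: bool = False   # the "Continue to next rule" checkbox (default off)


@dataclass
class CollectorState:
    violations: List[str] = field(default_factory=list)   # rules that logged a violation
    alerts: List[str] = field(default_factory=list)       # rules that sent an alert
    ignored_sessions: Set[str] = field(default_factory=set)


def evaluate(rules: List[Rule], req: Request, state: CollectorState) -> List[str]:
    """Test the request against the rules in order; return the rules that fired."""
    fired: List[str] = []
    if req.session_id in state.ignored_sessions:
        return fired            # Ignore Session: the rest of the session is never tested
    for rule in rules:
        if not rule.matches(req):
            continue            # an unsatisfied rule never stops evaluation
        fired.append(rule.name)
        if rule.action == "IGNORE_SESSION":
            state.ignored_sessions.add(req.session_id)
            return fired        # no violation logged, no further rules tested
        if rule.action == "LOG_ONLY":
            state.violations.append(rule.name)
        elif rule.action == "ALERT_PER_MATCH":
            state.violations.append(rule.name)
            state.alerts.append(rule.name)
        # ALLOW: matched, but no policy violation is logged
        if not rule.continue_to_next:
            return fired        # default: stop at the first satisfied rule
    return fired


# Constructed policy: order matters, only the third rule continues to the next one.
POLICY = [
    Rule("allow-app-server", lambda r: r.client_ip == "10.0.0.5", "ALLOW"),
    Rule("ignore-test-region", lambda r: r.db_user == "testuser", "IGNORE_SESSION"),
    Rule("log-all-updates", lambda r: r.command == "UPDATE", "LOG_ONLY", continue_to_next=True),
    Rule("alert-dba-updates", lambda r: r.command == "UPDATE" and r.db_user == "dba", "ALERT_PER_MATCH"),
]

# Constructed sample traffic (three sessions).
TRAFFIC = [
    Request("s1", "dba", "10.0.0.5", "UPDATE"),        # trusted application server
    Request("s2", "dba", "192.0.2.9", "UPDATE"),       # DBA from a workstation
    Request("s3", "testuser", "192.0.2.7", "SELECT"),  # first request of a test session
    Request("s3", "testuser", "192.0.2.7", "UPDATE"),  # same session after Ignore Session
]


def run_demo() -> Dict[str, object]:
    """Run the constructed traffic through the policy and return what the collector saw."""
    state = CollectorState()
    fired_per_request = [evaluate(POLICY, r, state) for r in TRAFFIC]
    return {"fired": fired_per_request, "violations": state.violations, "alerts": state.alerts}


if __name__ == "__main__":
    result = run_demo()
    for req, fired in zip(TRAFFIC, result["fired"]):
        print(req.session_id, req.db_user, req.command, "->", fired or "no rule matched")
    print("violations:", result["violations"], "alerts:", result["alerts"])
```

The first request matches the Allow rule and stops there with nothing logged; the second matches Log only (which continues) and then the alert rule; the third session is ignored from its first request on, so its later UPDATE is never tested.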
Explain the "access rule"
o An access rule applies to client requests - for example, it might test for UPDATE
commands issued from a specific group of IP addresses.
Explain the "exception rule"
o An exception rule evaluates exceptions returned by the server (responses) - for
example, it might test for five login failures within one minute.
Explain the "extrusion rule"
o An extrusion rule evaluates data returned by the server (in response to requests)
- for example, it might test the returned data for numeric patterns that could be
social security or credit card numbers.
Alert Per Match
sends notifications each time the rule is satisfied
Object details are stored in .....
the “Objects” field
Filtering fields can be fully qualified, or partially qualified, by using....
the percent sign (%) wildcard character
2 notes to keep in mind about wildcards
--You can insert the wildcard character (%) anywhere within the value string
--The wildcard character (%) represents a string of zero or more
characters.
Meaning of "%" in a filter field
Matches all strings
Meaning of "%a" in a filter field
Matches all strings that end with the letter a, for example: a, ba, cba.
Meaning of "a%" in a filter field
Matches all strings that start with the letter a, for example: a, ab, abc
Meaning of "a%a" in a filter field
Matches all strings that begin and end with the letter a, for example: aa, aba, aca
(a single "a" does not match, because the pattern needs an "a" at each end).
Explain what Ignore S-TAP Session does, what it is combined with, and why it is useful
--The current request and the remainder of the S-TAP session will be ignored.
--This action is used in combination with rule criteria in the policy builder that identify specific
machines, users or applications producing a high volume of network traffic.
--This action is useful in cases where you know the database responses from the S-TAP session
will be of no interest.
The Group is used in...
a Policy to
determine a rule action for example.
If a Group has no members...
an empty group will always return TRUE when the rule is evaluated.
Query rewrite rules are always classified as....
access rules
Explain adding a rule with the QUERY REWRITE: ATTACH rule action, and what to keep in mind beforehand
Be sure to check the Continue to next rule checkbox.
This rule identifies the specific session parameters that
must be matched in order to trigger a query rewrite session, for example a specific
database user name or client IP address.
Explain adding a rule with the QUERY REWRITE: APPLY DEFINITION rule action, what to keep in mind beforehand, and an example
Be sure to check the
Continue to next rule checkbox. This rule identifies the specific objects or commands that
must be matched in order to apply the rewrite definitions and modify the source query.
For example, setting the Object field to EMPLOYEE restricts a rewrite definition for
SELECT * FROM to EMPLOYEE objects.
Explain adding a rule with the QUERY REWRITE: DETACH rule action, and what to keep in mind beforehand
This closes the query
rewrite session and prevents further monitoring of session traffic.
Define what Ignore Session is, what it does, and when it is useful
--The current request and the remainder of the session will be ignored.
--This action does
not log a policy violation, but it stops the logging of constructs and will not test for policy
violations of any type for the remainder of the session.
--This action might be useful if, for
example, the database includes a test region, and there is no need to apply policy rules
against that region of the database.
Creating a negative rule when filtering SQL via a policy rule
Negative Rule: Mark the Not box to create a negative rule; for example, not the specified
App User, or not any member of the selected group, or neither the specified App User nor
any member of the selected group.
What does the configuration firewall_default_state=0 specify?
It specifies that the firewall should
operate in open mode, which means that while it is waiting for a verdict
from the appliance, S-TAP does not hold up the database connections or
traffic. Therefore, in open mode, users should not experience any latency
when they connect to the database or run SQL statements.
Which rule can Guardium users still use when firewall_default_state=0?
S-GATE ATTACH
rules in the policy, to override this
default and monitor specific sessions in closed mode.
GuardAPI commands can be used to....
create, list, and update multiple groups
Group members can include wildcard (%) characters for when...
the group is used in a
query condition or policy rule.
How do you ignore traffic from development database servers?
Database servers are associated with "Server IP"s, so these "Server IP"s are the key to a
policy rule that filters traffic coming from a specific set of "Server IP"s (e.g. where
only development database servers reside).
A "Client IP" may access both a production and a development database, so
"Client IP" cannot be used to filter traffic from a specific set of development
database servers.
Explain the IN GROUP conditional operator
If the value matches any member of the selected group, the condition is
true.
Explain the IN ALIASES GROUP conditional operator
This operator works on a group of the same type as IN
GROUP, but assumes the members of that group are aliases.
Note that the IN
GROUP / IN ALIASES GROUP operators expect the group to contain actual values or
aliases respectively. Query Builder will look for records with database values matching
the alias values in the group.
Points to keep in mind when exporting Outlier Detection results
-You must ensure that quick search is enabled
-Search is enabled by default on new
installations of 64-bit systems, or you can use the command grdapi enable_quick_search.
-You can also review outliers in the Analytic Outliers List report
What does a runtime parameter provide?
provides a value to be used in a query condition. There is a default
set of runtime parameters for all queries, and any number of runtime parameters can be
defined in the query that is used by the report.
An external feed can be mapped to receive data from Guardium reports..... Steps to follow
• Identify the external database that will receive data from the feed, and gather the
connection information required for that database (IP address, port number,
username, password, etc.).
N1: External feeds currently support relational databases and
may not function with other database types
• External feeds allow you to send Guardium report information directly to an external
database. Anything that can be defined in a report can be sent via an external feed.
These feeds depend on mapping DOMAIN_ID and ATTRIBUTE_ID from Guardium's
reporting mechanism to table fields on the external database.
N2: Use the
grdapi_create_ef_mapping function to help create these tables and establish the
mapping
What is a report Domain
A domain provides a view of the data that Guardium stores.
Each domain contains one or
more entities. An entity is a set of related attributes, and an attribute is basically a field
value.
What does Log only do?
Log the policy violation only
The Policy Violations domain holds ...
the entities and attributes that allow for specific
reports to be created by the administrator to further investigate the Violations
Function of the LIKE GROUP operator in reports
If the value is like any member of the selected group, the condition is
true. This condition enables wildcard (%) characters in the group member names.
Function of the IN DYNAMIC GROUP operator in reports
If the value matches any member of a group that is named as a
run-time parameter, the condition is true.
Function of the LIKE operator in reports
Simply like the specified value
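The four "%" wildcard cases listed earlier in this set, the difference between IN GROUP (exact) and LIKE GROUP (wildcard-aware), the rule that an empty group always evaluates to TRUE, and the Not box on a negative rule, as one added Python example. This is not Guardium code: the helper names, the constructed groups, and the assumption that comparison is exact and case-sensitive are mine.

```python
"""How '%' wildcards and the group operators combine in a rule condition.

Added example, not Guardium code. Exact, case-sensitive comparison and the
Not box modelled as plain negation are assumptions made for illustration.
"""
import re
from typing import Iterable, List


def like_match(pattern: str, value: str) -> bool:
    """'%' may appear anywhere in the pattern and stands for zero or more characters."""
    regex = "".join(".*" if ch == "%" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def in_group(value: str, members: Iterable[str]) -> bool:
    """IN GROUP: literal match against any member; an empty group is always TRUE."""
    members = list(members)
    return True if not members else value in members


def like_group(value: str, members: Iterable[str]) -> bool:
    """LIKE GROUP: wildcard-aware match against any member; an empty group is TRUE."""
    members = list(members)
    return True if not members else any(like_match(m, value) for m in members)


def condition(value: str, operator: str, members: Iterable[str], negate: bool = False) -> bool:
    """Evaluate one rule condition; negate models the 'Not' box of a negative rule."""
    ops = {"IN GROUP": in_group, "LIKE GROUP": like_group}
    result = ops[operator](value, members)
    return (not result) if negate else result


# Constructed groups: a client-IP group with one wildcard member, and a DB-user group.
DEV_CLIENTS: List[str] = ["10.20.%", "192.0.2.17"]
PRIVILEGED_USERS: List[str] = ["dba", "sysadmin"]


def wildcard_table() -> List[tuple]:
    """The documented cases: (pattern, value, matches?)."""
    return [(p, v, like_match(p, v)) for p, v in [
        ("%", ""), ("%a", "cba"), ("%a", "ab"),
        ("a%", "abc"), ("a%a", "aba"), ("a%a", "a"),
    ]]


if __name__ == "__main__":
    for pattern, value, ok in wildcard_table():
        print(f"{pattern!r:8} {value!r:8} -> {ok}")
    # A wildcard member only helps under LIKE GROUP; IN GROUP compares it literally.
    print("10.20.3.4 LIKE GROUP dev:", condition("10.20.3.4", "LIKE GROUP", DEV_CLIENTS))
    print("10.20.3.4 IN GROUP dev:  ", condition("10.20.3.4", "IN GROUP", DEV_CLIENTS))
    print("alice IN GROUP (empty):  ", condition("alice", "IN GROUP", []))
    print("alice NOT IN GROUP priv: ", condition("alice", "IN GROUP", PRIVILEGED_USERS, negate=True))
```

The practical point is the second and third prints: a group member such as 10.20.% is inert under IN GROUP and only filters under LIKE GROUP, and an empty group makes the condition true for every value, so a rule built on a not-yet-populated group fires for everything.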
Why do some DB User Name appear to have ‘?’ in the output
There can be various reasons for this. The most likely cause is that Guardium missed
some of the login packets while monitoring the database due to high traffic on the
collector.
Explain where you can sign off an Audit Process Result on behalf of the assigned receiver
Navigate to Comply > Tools and Views > Audit Process To-Do List
As an administrator, you can perform any actions on any to-do list entry. Any actions you
perform are logged, indicating that the action was performed on behalf of the user by the
administrator
Stopping an audit process can be performed only if
the audit tasks have not been run or
are running.
Notes to keep in mind when stopping an audit process
--Stopping an audit process will not execute any more tasks that have not
started
--Stopping an audit process does not deliver partial results.
--The audit process
stops and a stopped error message is the result
--However, if tasks are complete,
stopping an audit process will not stop the sending of results.
How do you stop an audit process?
Stop an audit process by invoking GuardAPI (place the cursor on any line and
double-click for a drill-down) from Comply > Tools and Views > Audit Process Log report.

Alternatively, it can be stopped by clicking "Actions" in the top right corner, choosing
stop_audit_process, then picking the specific audit.
Use a test exception to...
exclude specific members of a group from a security assessment
N1: Run the security assessment against the exception group to see if a specific member of a
group is affecting your assessment results
N2: This is useful if you do not want to or are not
authorized to change group settings.
The basic steps for creating a security assessment are....
1. Create the assessment
2. Add datasources to the assessment
3. Add tests to the assessment
Guardium Vulnerability Assessment requires access to the databases it evaluates. To
do this, Guardium provides a......
set of SQL scripts (one script for each database type) that
create the users and roles in the database to be used by Guardium.
The template scripts are available on the Guardium system once it is built and can be
found and downloaded via fileserver at the following path: /log/debuglogs/gdmmonitor_scripts/. More information is available in the README.txt file.