Data Center Security

  • 1.  Need guidance with creating database detection policy for Linux and AIX

    Posted Mar 21, 2016 03:24 PM

    Good Day All

    So far I have received great help in the past and now I turn to this medium again seeking guidance on executing a critical request.

    I have Symantec DCS 6.1MP1 installed in my environment. I know that the baseline detection policy for Windows covers both Oracle and MSSQL databases. I need to have a detection policy for SQL and Oracle DB for UNIX as well.

    I am pretty new to this and am seeking guidance on how to configure it. I'm really not sure what to choose in the custom section to create this policy.

    Regards,

    Francene



  • 2.  RE: Need guidance with creating database detection policy for Linux and AIX

    Posted Mar 28, 2016 01:32 PM

    Hi

    There's no DCS 6.1 MP1; it could be 6.0 MP1 or 6.5 MP1. Anyway, the policies on those platforms are quite similar.

    As you mentioned, Windows_Baseline_Detection has an Advanced Policy Setting for Database Services Monitor (it includes Oracle RDBMS); this detection policy tries to read specific strings from specific Oracle logs.

    For example, you will find something like:

    Select String:

    Source: *Oracle* USERID:[6] ?SYSDBA? * RETURNCODE:[4] ?1017? *

    With *nix Oracle you have two Detection Policy options:

    1. Create a Custom Rule under Unix_Baseline_Detection, or
    2. (Recommended) Create all DB detection rules under Unix_Template_Policy.
      1. You can use more than one Detection Policy on an Asset/Group, so you can use the Baseline and Template policies simultaneously.

    Here is the interesting thing:

    1. What do you need to audit and or monitor?
      1. C2 Logs
      2. Text Logs
    2. What kind of events do you need to audit or monitor?
      1. Oracle User activity
      2. Specific return codes
      3. Other

    So, according to the Detection Policy Reference Guide, you will need to think about using Text Log, C2 or Syslog rules: https://support.symantec.com/en_US/article.DOC7979.html

    Text Log: See Detection Policy Reference Guide Pages 37 to 39

    Looks for matches in user-specified text logs. You can specify the path to a log file, and a text pattern that determines how data from the log file is parsed and recorded.
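    As an added illustration (not from the original thread or from Symantec) of how a Text Log select string like the one quoted above picks lines out of an Oracle text log: the wildcard semantics (`*` any run of characters, `?` exactly one character, `[n]` and everything else literal) are assumed, and the audit lines below are constructed samples, not real Oracle output, whose field layout varies by Oracle version and audit destination.

```python
import re

# Select string quoted in the thread: a SYSDBA connect attempt that came back
# with return code 1017 (Oracle's "invalid username/password").
SELECT_STRING = "*Oracle* USERID:[6] ?SYSDBA? * RETURNCODE:[4] ?1017? *"

# Constructed sample log: one successful SYSDBA connect, one failed SYSDBA
# connect, one failed ordinary-user connect, and an unrelated sshd line.
SAMPLE_LOG = """\
Tue Mar 22 09:14:02 2016 Oracle audit: ACTION:[7] 'CONNECT' USERID:[6] 'SYSDBA' CLIENT USER:[6] 'oracle' TERMINAL:[5] 'pts/1' RETURNCODE:[1] '0' DBID:[10] '1234567890'
Tue Mar 22 09:15:40 2016 Oracle audit: ACTION:[7] 'CONNECT' USERID:[6] 'SYSDBA' CLIENT USER:[3] 'bob' TERMINAL:[5] 'pts/2' RETURNCODE:[4] '1017' DBID:[10] '1234567890'
Tue Mar 22 09:16:05 2016 Oracle audit: ACTION:[7] 'CONNECT' USERID:[5] 'SCOTT' CLIENT USER:[3] 'bob' TERMINAL:[5] 'pts/2' RETURNCODE:[4] '1017' DBID:[10] '1234567890'
Tue Mar 22 09:17:11 2016 sshd[2201]: Accepted publickey for oracle from 10.0.0.5 port 51022 ssh2
"""


def select_string_to_regex(pattern):
    """Translate a DCS-style select string into an anchored regex.

    Assumed semantics: '*' matches any run of characters, '?' matches exactly
    one character, and every other character (including the [n] length
    markers and the quotes they stand in for) is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def match_select_string(log_text, pattern=SELECT_STRING):
    """Return the log lines the select string would raise an event for."""
    rx = select_string_to_regex(pattern)
    return [line for line in log_text.splitlines() if rx.fullmatch(line)]


def client_users(log_text, pattern=SELECT_STRING):
    """Pull the OS user out of each matched line, to answer 'who tried?'."""
    user_rx = re.compile(r"CLIENT USER:\[\d+\] '([^']*)'")
    users = []
    for line in match_select_string(log_text, pattern):
        m = user_rx.search(line)
        users.append(m.group(1) if m else "<unknown>")
    return users


if __name__ == "__main__":
    for line in match_select_string(SAMPLE_LOG):
        print("EVENT:", line)
    print("client users behind failed SYSDBA connects:", client_users(SAMPLE_LOG))
```

Only the second sample line satisfies every literal segment of the select string; the successful connect (return code 0) and the non-SYSDBA failure are filtered out before any event is raised.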



  • 3.  RE: Need guidance with creating database detection policy for Linux and AIX

    Posted Mar 29, 2016 09:06 AM

    Thanks for the response Orionx.

    Please note I'm not really a database person; however, because I am familiar with Symantec DCS, I have been asked to create this policy.

    Now, that being said, the main goal is to monitor user activity: who accessed the database, who attempted to access the database, who made changes to the schema or data. At this time, though, I have not been provided with the specific database that they want to monitor changes to. That information will come later on.

    For now the focus is on Oracle user activity. Based on my reading, the C2 audit logs seem to have that information, but I really would be looking for guidance as to which log would best capture the user activity information.