66 cards in this set
- Front
- Back
Explain the ALLOW action in a non-selective policy
|
Check the Continue to Next Rule box to indicate that when this rule is satisfied and its action is
triggered, testing of the same request, exception, or results should continue with the next rule. This means that multiple rules may be satisfied and multiple actions taken based on a single request or exception. If not marked (the default), no additional rules will be tested when this rule is satisfied. If marked, rule testing will continue with the next rule, regardless of whether or not this rule is satisfied. The collector logs the connection. Session information (logins/logouts) is always logged. Except for the Allow action, a policy violation is logged each time a rule is triggered (unless that action suppresses logging). Allow: When matched, do not log a policy violation. If the "Allow" action is selected, no other actions can be added to the rule. Constructs are logged. |
Explain the main points of IGNORE S-TAP SESSION
|
--Ignore S-TAP Session causes the collector to send a signal to the S-TAP
instructing it to stop sending all traffic, except for the logout notification, for specific sessions. --The current request and the remainder of the S-TAP session will be ignored. --This action is done in combination with specifying in the policy builder menu screen of certain systems, users or applications that are producing a high volume of network traffic. This action is useful in cases where you know the database response from the S-TAP session will be of no interest. |
It is important to note that Ignore Session rules are still very important to include in the policy
even if using....?? |
a Selective Audit Trail.
|
Ignore Session rules decrease the load on a collector
considerably because ...?? |
by filtering the information at the S-TAP level, the collector never receives
it and does not have to consume resources analyzing traffic that will not ultimately be logged. |
A Selective Audit Trail policy with no Ignore Session rules would mean that all traffic would be sent
from the database server to the collector, causing |
the collector to analyze every command and
result set generated by the database server |
Explain the S-TAP TERMINATE action
|
The S-TAP TERMINATE action will terminate a database connection (a session) and prevent
additional requests on that session. This action is available in S-TAP, regardless of whether SGATE is used or not. |
Explain the S-GATE actions
|
S-GATE provides database protection via S-TAP for both network and local connections.
When S-GATE is available, all database connections (sessions) are evaluated and tagged to be monitored in one of the following S-GATE modes:
-Attached (S-GATE is "on")
-Detached (S-GATE is "off") |
Explain S-TAP in Attached mode (S-GATE is "on")
|
S-TAP is in firewalling mode for that session: it holds the database
requests and waits for a verdict on each request before releasing its responses. In this mode, latency is expected. However, it assures that rogue requests will be blocked. |
Explain S-TAP in Detached mode (S-GATE is "off")
|
S-TAP is in normal monitoring mode for that session: it passes
requests to the database server without any delay. In this mode latency is not expected. |
S-GATE configuration in the S-TAP defines...???
|
the default S-GATE mode for all sessions, as well as
other defaults related to S-GATE verdicts when the collector is not responding. Other than the default S-GATE configuration, S-GATE is controlled through the real-time policy mechanism using the following S-GATE Policy Rule Actions:
• S-GATE ATTACH
• S-GATE DETACH
• S-GATE TERMINATE
• S-GATE/ S-TAP |
Note on lower Linux kernels for ATAP and S-GATE
|
For ATAP and S-GATE, there are limitations for lower Linux kernels. Basically, for S-TAP 10.1.2
and higher, S-GATE is supported everywhere except Linux with ATAP and kernels less than 2.6.36. |
MySQL consideration for S-GATE
|
To avoid this, connect to MySQL
with the "-A" flag, which will disable the "auto-complete" feature and will not trigger the "terminate" rule. Another option is to fine-tune the rule so that it does not terminate on ANY access to these objects/fields, and instead find a narrower criterion that will not trigger the rule on the login sequence. |
Explain the S-GATE ATTACH policy action
|
Intended for use when certain criteria are met that raise the need to closely watch (and if
needed block) the traffic on that session |
Explain the S-GATE DETACH policy action
|
Intended for use on sessions that are considered as "safe" or sessions that cannot tolerate
any latency. |
Explain the S-GATE TERMINATE policy action
|
Has effect only when the session is attached. It drops the reply of the
firewalled request, which will terminate the session on some databases. The S-GATE TERMINATE policy rule will cause a previously watched session to terminate. |
S-GATE/ S-TAP termination does not work on a client IP group whose members have....???
|
wildcard characters.
|
Explain the alerting actions
|
Alert actions send notifications to one or more recipients.
For each alert action, multiple notifications can be sent, and the notifications can be a combination of one or more of the following notification types:
• Email messages
• SNMP traps
• Syslog messages
• Custom notifications (implemented as Java™ classes.) |
Adding an Extrusion Rule will only be available if....
|
The administrator user has set the Inspection
Engine configuration to Inspect Returned Data |
“Alert only” and “Alert per match” notify.....
|
for each time the rule is satisfied
|
DML (Data Manipulation Commands) include SQL statements like...
|
'UPDATE', 'INSERT'
|
Explain policy rule basics
|
Within a policy, rules are evaluated in the order in which they appear, as each element of
traffic is analyzed. |
Explain the "access rule"
|
An access rule applies to client requests - for example, it might test for UPDATE
commands issued from a specific group of IP addresses. |
Explain the "exception rule"
|
An exception rule evaluates exceptions returned by the server (responses) - for
example, it might test for five login failures within one minute. |
Explain the "extrusion rule"
|
An extrusion rule evaluates data returned by the server (in response to requests)
- for example, it might test the returned data for numeric patterns that could be social security or credit card numbers. |
sends notifications each time the rule is satisfied
|
Alert Per Match
|
Object details are stored in .....
|
the “Objects” field
|
Filtering fields can be fully qualified, or partially qualified, by using....
|
the percent sign
wildcard character |
2 notes to keep in mind about wildcards
|
--You can insert the wildcard character (%) anywhere within the value string
--The presence of the wildcard character (%) represents a string of zero or more characters. |
Meaning of "%" in field filtering
|
Matches all strings
|
Meaning of "%a" in field filtering
|
Matches all strings that end with the letter a, for example: a, ba, cba.
|
Meaning of "a%" in field filtering
|
Matches all strings that start with the letter a, for example: a, ab, abc
|
Meaning of "a%a" in field filtering
|
Matches all strings that begin and end with the letter a, for example a, aba, aca.
|
Explain what Ignore S-TAP Session does, what it is combined with, and why it is useful
|
--The current request and the remainder of the S-TAP session will be ignored.
--This action is done in combination with specifying in the policy builder menu screen of certain machines, users or applications that are producing a high volume of network traffic --This action is useful in cases where you know the database response from the S-TAP session will be of no interest. |
The Group is used in...
|
a Policy to
determine a rule action for example. |
If a Group has no members...
|
an empty group will always return TRUE when the rule is evaluated.
|
Query rewrite rules are always classified as....
|
access rules
|
Explain adding a rule with the QUERY REWRITE: ATTACH rule action and what to keep in mind first
|
Be sure to check the Continue to next rule checkbox.
This rule identifies the specific session parameters that must be matched in order to trigger a query rewrite session, for example a specific database user name or client IP address. |
Explain adding a rule with the QUERY REWRITE: APPLY DEFINITION rule action, what to keep in mind first, and an example
|
Be sure to check the
Continue to next rule checkbox. This rule identifies the specific objects or commands that must be matched in order to apply the rewrite definitions and modify the source query. For example, setting the Object field to EMPLOYEE restricts a SELECT * from rewrite definition to EMPLOYEE objects. |
Explain adding a rule with the QUERY REWRITE: DETACH rule action and what to keep in mind first
|
This closes the query
rewrite session and prevents further monitoring of session traffic. |
Define what Ignore Session is, what it does, and when it is useful
|
--The current request and the remainder of the session will be ignored.
--This action does not log a policy violation, but it stops the logging of constructs and will not test for policy violations of any type for the remainder of the session. --This action might be useful if, for example, the database includes a test region, and there is no need to apply policy rules against that region of the database. |
notify for each time the rule is satisfied.
|
“Alert only” and “Alert per match”
|
Filtering with a negative rule when filtering SQL via a policy rule
|
Negative Rule: Mark the Not box to create a negative rule; for example, not the specified
App User, or not any member of the selected group, or neither the specified App User nor any member of the selected group |
What does the configuration firewall_default_state=0 specify?
|
specifies that the firewall should
operate in open mode, which means that while it is waiting for a verdict from the appliance, S-TAP does not hold up the database connections or traffic. Therefore, in open mode, users should not experience any latency when they are connecting to the database or running SQL statements. |
Which rule can Guardium users still use when firewall_default_state=0?
|
S-GATE Attach
rules in the policy to override this default and monitor specific sessions in closed mode. |
GuardAPI commands can be used to....
|
create, list, and update multiple groups
|
Group members can include wildcard (%) characters for when...
|
the group is used in a
query condition or policy rule. |
How to ignore traffic from development database servers?
|
Database servers are associated with “Server IP”s, so these “Server IP”s are key to a
policy rule that would filter traffic coming from a specific set of “Server IP”s (e.g. where only development database servers reside). A “Client IP” may access both a production and/or a development database, so “Client IP” could not be used to filter traffic from a set of specific development database servers. |
Explain the IN GROUP conditional operator
|
If the value matches any member of the selected group, the condition is
true |
Explain the IN ALIASES GROUP conditional operator
|
This operator works on a group of the same type as IN
GROUP, but assumes the members of that group are aliases. Note that the IN GROUP/IN ALIASES GROUP operators expect the group to contain actual values or aliases respectively. Query Builder will look for records with database values matching the alias values in the group. |
Points to keep in mind when exporting Outlier Detection results
|
-You must ensure that quick search is enabled
-Search is enabled by default on new installations of 64-bit systems, or you can use the command grdapi enable_quick_search.
-You can also review outliers in the Analytic Outliers List report |
What does a runtime parameter provide?
|
provides a value to be used in a query condition. There is a default
set of runtime parameters for all queries, and any number of runtime parameters can be defined in the query that is used by the report. |
An external feed can be mapped to receive data from Guardium reports..... Steps to follow
|
• Identify the external database that will receive data from the feed, and gather the
connection information required for that database (IP address, port number, username, password, etc.).
N1: External feeds currently support relational databases and may not function with other database types.
• External feeds allow you to send Guardium report information directly to an external database. Anything that can be defined in a report can be sent via an external feed. These feeds depend on mapping DOMAIN_ID and ATTRIBUTE_ID from Guardium's reporting mechanism to table fields on the external database.
N2: Use the grdapi_create_ef_mapping function to help create these tables and establish the mapping |
What is a report Domain
|
A domain provides a view of the data that Guardium stores.
Each domain contains one or more entities. An entity is a set of related attributes, and an attribute is basically a field value. |
What does Log only do?
|
Log the policy violation only
|
The Policy Violations domain holds ...
|
the entities and attributes that allow for specific
reports to be created by the administrator to further investigate the Violations |
Function of the LIKE GROUP operator in reports
|
If the value is like any member of the selected group, the condition is
true. This condition enables wildcard (%) characters in the group member names. |
Function of the IN DYNAMIC GROUP operator in reports
|
If the value matches any member of a group that will be named as a
run-time parameter, the condition is true. |
Function of the LIKE operator in reports
|
Simply like the specified value
|
Why do some DB User Name appear to have ‘?’ in the output
|
There can be various reasons for this. The most likely cause is that Guardium missed
some of the login packets while monitoring the database due to high traffic on the collector. |
Explain where to go to sign off an audit process result on behalf of the assigned receiver
|
Navigate to Comply > Tools and Views > Audit Process To-Do List
As an administrator, you can perform any actions on any to-do list entry. Any actions you perform are logged, indicating that the action was performed on behalf of the user by the administrator |
Stopping an audit process can be performed only if
|
the audit tasks have not been run or
are running. |
Notes to keep in mind when stopping an audit process
|
--Stopping an audit process will not execute any more tasks that have not started
--Stopping an audit process does not deliver partial results.
--The audit process stops and a stopped error message is the result
--However, if tasks are complete, stopping an audit process will not stop the sending of results. |
How to stop an audit process?
|
Stop an audit process by invoking GuardAPI (place the cursor on any line and
double-click for a drill-down) from the Comply > Tools and Views > Audit Process Log report. Alternatively, it can be stopped by clicking “Actions” in the top right corner, choosing stop_audit_process, then picking the specific audit. |
Use a test exception to...
|
exclude specific members of a group from a security assessment
N1: Run the security assessment against the exception group to see if a specific member of a group is affecting your assessment results N2: This is useful if you do not want to or are not authorized to change group settings. |
The basic steps for creating a security assessment are....
|
1. Create the assessment
2. Add datasources to the assessment
3. Add tests to the assessment |
Guardium Vulnerability Assessments requires access to the databases it evaluates. To
do this, Guardium provides a...... |
set of SQL scripts (one script for each database type) that
creates users and roles in the database to be used by Guardium. The template scripts are available on the Guardium system once it is built and can be found and downloaded via fileserver at the following path: /log/debuglogs/gdmmonitor_scripts/. More information is available in the README.txt file. |