TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Preface 5
  About this guide 5
    Audience 5
    Conventions 5
  Find product documentation 6
1 Introduction 7
  Key features 7
  How McAfee DAM works 8
    Policy configuration 8
    Application Mapping 8
    Data Manipulation Language (DML) auditing 8
  Deployment 9
  Supported databases 9
2 Installation 11
  Deployment 11
  Implementation workflow 11
  Install the extension 12
  Deploy the sensor 13
    Deploy the sensor from McAfee ePO 5.0 13
    Default sensor install paths 13
    Operating system dependencies 14
  Confirm sensor deployment 15
  Features added to McAfee ePO 15
  Uninstall the extension 16
3 Policy configuration 17
  Policy categories 17
  Assign a policy 18
  DAM Sensor Configuration policy 19
    Configure DAM Sensor Configuration policy 19
  DBMS Monitoring Configuration policy 19
    Configure DBMS Monitoring Configuration policy 19
  vPatch policy 20
    Configure vPatch policy 20
    Update the vPatch policy 20
  Custom Rules policy 21
    Configure Custom Rules policy 22
  vPatch rules 22
    Edit vPatch rule properties 23
    Add vPatch rule actions 23
    Enable or disable vPatch rules 24
    Create an exception to a vPatch rule 24
    Set the security level for a vPatch policy 25
Index 53
This guide provides the information you need to work with your McAfee product.
Contents
About this guide
Find product documentation
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Conventions
This guide uses these typographical conventions and icons.
Find product documentation
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
McAfee Database Activity Monitoring (McAfee DAM) provides monitoring and management of
database activity for multiple databases and vPatch service (optional). It also includes prevention,
database cluster support, third-party integration, and advanced reporting functionality.
Contents
Key features
How McAfee DAM works
Deployment
Supported databases
Key features
McAfee DAM provides full visibility into database user activity and can issue alerts or stop suspicious
activities based on predefined vPatch rules and custom rules.
It also includes prevention, cluster support, third-party integration, and advanced reporting
functionality.
Database protection — Prevention of intrusion, data theft, and other attacks on your databases.
McAfee DAM uses memory-based sensors to detect threats with a single, nonintrusive solution.
Custom security policies — McAfee DAM enables you to create custom rule-based policies for users/
queries and database objects.
vPatch updates — Virtual patching updates are provided regularly for newly discovered
vulnerabilities, protecting sensitive data until a patch is released by the database vendor and can be
applied. The updates can be implemented without database downtime.
Audit log — Access to sensitive data, including complete transaction details, can be logged for audit
purposes.
Use of the terms DBMS (database management system) and database varies according to platform
vendor. In general, DBMS refers to the overall database system, including the data and the
infrastructure around it, whereas database can refer to the data tables. In this document, the terms are used
interchangeably.
Policy configuration
The monitoring policy for a DBMS is made up of the various rules that are enabled and applied on that
DBMS.
McAfee DAM provides enhanced DBMS security based on predefined vPatch rules and custom rules.
vPatch rules are included in the product installation and help prevent attacks against known
vulnerabilities. In addition, you can define custom rules to define the level of monitoring and alerts,
and further protect your DBMSs against potential threats.
Incoming statements are compared to the rules and policies enabled for the DBMS. Action is taken
based on the first rule that is matched. If a statement does not match any of the existing rules, the
statement is allowed.
Application Mapping
When the McAfee DAM sensor is deployed, it begins to collect sample information about access to the
DBMS. Application Mapping provides baseline information about the activities that take place on the
DBMSs during the sampling period, including which applications are run on the DBMS and which users
are running them.
The Application Mapping Events page also includes a count for each cluster of applications, users, IP
addresses, and each DBMS. This information can be used to create exceptions or allow rules (for
example, if a certain combination of IP address, application and user are audited elsewhere or are of
no security/audit interest). In addition, the information can be used to create monitoring rules.
Deployment
Before the software can monitor and manage database activity, you must install the product extension
on the McAfee ePO server and deploy the sensors to a database server where McAfee Agent is
installed.
Required components
• McAfee ePolicy Orchestrator 5.1 or later with these extensions installed:
• McAfee Database Activity Monitoring extension
Supported databases
McAfee DAM can be used to monitor and manage activity on several different types of databases.
The supported databases include:
• IBM DB2 for Linux and Unix platforms
• Informix
• MariaDB on Linux
• MySQL on Linux
• Oracle on Sun Solaris, IBM AIX, Linux, HP-UX, Microsoft Windows (including Oracle RAC and Oracle
Exadata)
• PostgreSQL
• SAP HANA
• Teradata on Linux
The lists of supported databases and their versions are updated regularly. To view the current lists, see
McAfee Data Center Security Suite for Databases System Requirements.
For McAfee DAM to be used with McAfee ePO software, you must first download and install the product
extension and deploy the sensor to McAfee Agent.
Contents
Deployment
Implementation workflow
Install the extension
Deploy the sensor
Confirm sensor deployment
Features added to McAfee ePO
Uninstall the extension
Deployment
Before the software can monitor and manage database activity, you must install the product extension
on the McAfee ePO server and deploy the sensors to a database server where McAfee Agent is
installed.
Required components
• McAfee ePolicy Orchestrator 5.1 or later with these extensions installed:
• McAfee Database Activity Monitoring extension
Implementation workflow
These tasks must be performed to enable McAfee DAM to monitor and manage database activity.
1 Verify that the extensions for McAfee Vulnerability Manager for Databases, McAfee Rogue Database
Detection, and McAfee Advanced Management Core are installed in the McAfee ePO console.
2 Install the McAfee DAM extension using the McAfee ePO console.
3 Deploy the sensor on DBMSs using a product deployment task in McAfee ePO.
4 Confirm the success of the sensor deployment in the Products tab of the respective system
information pages.
See also
Install the extension on page 12
• Verify that the extensions for McAfee Vulnerability Manager for Databases, McAfee
Rogue Database Detection and McAfee Advanced Management Core are installed.
• If the ePolicy Orchestrator console is not connected to the Internet, you need to
download the product extensions from the McAfee ePO download site, then install them
from the ePolicy Orchestrator Extensions page.
Task
For details about product features, usage, and best practices, click ? or Help.
5 Repeat for the Database Activity Monitoring extension and Database Activity Monitoring help extension.
6 In the Software Manager, check in the McAfee DAM sensor managed product for the relevant operating
systems.
When the installation is complete, Database Activity Monitoring and Help Content appear in the Components
list.
By default, the extension is installed using a 30-day evaluation license, and EVAL appears on the
shortcut icons and at the top of the vPatch Rules and DAM Server Settings pages. The evaluation version has
several limitations. For example, it does not include vPatch security updates. If you already have a
license, we recommend that you install it now.
Tasks
• Deploy the sensor from McAfee ePO 5.0 on page 13
You can deploy the sensor to DBMSs from the Product Deployment page of the McAfee ePO 5.0
console.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Enter a task name and description, then define the type (Fixed or Continuous).
4 From the Products and components drop-down list, select DBMS McAfee Sensor for Windows.
5 Schedule the task deployment and configure more options as needed for any McAfee ePO client
task. For more information, see the ePolicy Orchestrator documentation.
6 Click Save.
The deployment task is created and the sensor is deployed according to the task configuration.
The task is run as scheduled in the task properties. You can also manually deploy the task from the
Systems Tree. Select Actions | Agent | Run Client Task Now, then select the task to run. The Run Client Task Now
option is supported for Windows systems only. Do not use this option for scheduling deployments on
UNIX or Linux systems. For more information on running client tasks, see the ePolicy Orchestrator
documentation.
See also
Default sensor install paths on page 13
Operating system dependencies on page 14
Platform Dependencies
AIX — IBM XL C/C++ Enterprise Edition for AIX, V9.0 Runtime Environment and Utilities:
• xlC.aix50
• xlC.msg.Ja_JP
• xlC.msg.en_US
• xlC.msg.ja_JP
• xlC.rte
• xlsmp.aix52.rte
• xlsmp.msg.EN_US.rte
• xlsmp.msg.JA_JP.rte
• xlsmp.msg.Ja_JP.rte
• xlsmp.msg.ZH_CN.rte
• xlsmp.msg.Zh_CN.rte
• xlsmp.msg.en_US.rte
• xlsmp.msg.ja_JP.rte
• xlsmp.msg.zh_CN.rte
• xlsmp.rte
HPUX ia64 11.23 or later —
• NFS.NFS-64SLIB
• OS-Core.CORE2-64SLIB
• OS-Core.CORE2-SHLIBS
• Streams.STREAMS-64SLIB
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
Feature Details
System Tree — Adds the Database Monitoring submenu to the Actions menu in the Systems tab.
Policy submenu — Adds two options to the Policy submenu:
• vPatch Rules — View, add, and edit vPatch rules.
• Rule Objects — View, add, and edit rule objects.
Adds two predefined client task types to the Client Task Catalog:
• DAM Sensor Analytic Package — Extracts diagnostic information for troubleshooting
purposes.
• DAM Sensor Restart — Restarts the monitoring sensor. For more information, see
KB79692.
Configuration submenu — Adds one new option to the Configuration | Server Settings submenu:
• DAM Server Settings — Manage the McAfee DAM server archive, log, and general
settings.
Reporting submenu — Adds three new options to the Reporting submenu:
• Database Security Events — View the McAfee DAM event logs, event properties,
DML audit results, and more.
• Application Mapping — View information about activities taking place on a DBMS,
including applications and their users.
• Dashboards | Database Activity Monitoring — View charts and graphs related to McAfee
DAM events.
Adds the Database Activity Monitoring group of result types in Query Builder.
Automatic responses — Adds the capability to append values to rule objects based on automatic response.
Task
For details about product features, usage, and best practices, click ? or Help.
2 From the Extensions list, select Database Activity Monitoring and the corresponding Help Content extension,
then click Remove.
This task does not uninstall the sensor. Remove the sensor using a standard client task. For details,
see ePolicy Orchestrator documentation.
McAfee DAM policy configuration enables you to implement the policy settings that are most
appropriate for your organization.
Contents
Policy categories
Assign a policy
DAM Sensor Configuration policy
DBMS Monitoring Configuration policy
vPatch policy
Custom Rules policy
vPatch rules
Custom rules
Rule objects
Rule syntax
DAM server configuration
Policy categories
McAfee DAM policies are grouped into several categories, with a default policy for each category.
Each default policy is read-only. However, we provide a policy template, My Default, that you can use to
edit and implement the policy settings for your organization.
• McAfee Disable Monitor Configuration — This policy disables monitoring for a database.
vPatch rules
The default Virtual Patching for Database (vPatch) rule policy is made up of the full list of predefined
vPatch rules in read-only format. The rules are applied in the order that they appear in the list. You
can duplicate the default policy to create a custom rule set. Custom vPatch rule policies automatically
inherit all of the rules contained in the default policy; however, you can edit the rule properties in the
customized policies.
The default policy is updated regularly by McAfee DAM to include up-to-date monitoring and protection
against known and zero-day vulnerabilities.
Custom rules
This policy is made up of the custom rules defined based on your organization's ongoing monitoring of
potential risks and activities.
You can create your own rules in the My Default custom rules policy, or duplicate the Empty Rules Template
and create a custom rule policy.
Rule objects
This read-only policy is made up of the list of rule objects that can be used in dynamic rules. You can
duplicate the default policy and create multiple rule object policies.
You can add rule objects to the read-only policy. All rule objects are included in all rule object policies;
however, you can edit the rule object values in duplicated policies.
Assign a policy
You can assign a McAfee DAM policy to a managed system or DBMS.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree | Systems, then select the group under the System Tree.
2 Select the system, then click Actions | Agent | Modify Policies on a Single System to open the Policy Assignment
page for that system.
3 From the Product drop-down list, select Database Activity Monitoring. The relevant policy categories are
listed with the system’s assigned policy.
5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
8 Click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click My Default.
You cannot assign the Disable Monitor Configuration policy and a default policy to the same database instance
at the same time.
Task
For details about product features, usage, and best practices, click ? or Help.
The default policy properties are organized into a general tab and one tab for each type of
database platform.
The policy settings are applied only to database instances where the policy is assigned.
vPatch policy
The default vPatch policy comprises a predefined set of vPatch rules. The default policy is read-only.
You can duplicate the policy and edit the actions defined for specific rules. You can also duplicate the
default vPatch policy and use it as the basis for creating a custom vPatch rule set. Custom vPatch rule
policies automatically inherit all of the rules contained in the default policy; however, you can edit the
rule properties in the customized policies.
The global vPatch policy is updated by McAfee DAM regularly (every several weeks) to provide
monitoring and protection from new vulnerabilities.
You can disable a vPatch rule, but you can't remove a rule from the vPatch Rules list.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click your duplicate copy of vPatch Rules to open its vPatch Rules page.
3 To view or edit the properties of an existing rule, click the rule name.
Tasks
• Update the vPatch rule set on page 20
When connected to the Internet, McAfee DAM automatically downloads the vPatch package
into the Master Repository. The package must then be applied to your McAfee ePO installation.
• Download and check in the vPatch rule set on page 21
When McAfee ePO is not connected to the Internet, you must manually download and
check in the updated vPatch rules package.
Task
For details about product features, usage, and best practices, click ? or Help.
The new vPatch rules are included in the default vPatch policy.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click the link in the notification you received to download the updated vPatch rules package, then
save the package.
3 Select the package type, specify the path to where you saved the vPatch rules package, then click
Next.
The new vPatch rules are included in the default vPatch policy.
In a multi-slot scenario, an allow rule affects only the policy where it is created.
Rule order
The order of the rules in the Custom Rules list is important. The first rule that is matched is the rule that
is applied to the statement. If a statement does not match any of the existing rules, the statement is
allowed.
• Whitelist approach, which resembles the approach of firewalls, where you determine all the allowed
actions first and then alert on all other actions (assuming that all other actions are suspect).
• Blacklist approach, which resembles the approach of IDS/IPS systems, where everything is allowed
except actions that are considered suspect.
McAfee DAM users typically create a policy that integrates elements of both approaches, for example,
using a Blacklist approach for all known attacks, while using a Whitelist approach for the use of
development SQL tools.
Incoming statements are checked against the vPatch Rules list before they are checked against the
Custom Rules list.
Rule templates
Custom rule policies use these templates:
• My Default — This template is empty when the product is first installed. You can create your own
rules in this policy.
• Empty Rules Template — Duplicate this template and use it to create a custom rules policy.
• Integrity Monitoring — This template is made up of the rules that capture changes to the database,
including the addition and removal of tables, and changes in table structure and data.
• Rule Examples — This template is made up of examples of custom rules that can be used as is or as
models for creating new rules.
Task
For details about product features, usage, and best practices, click ? or Help.
By default, the custom rules policy does not contain any predefined rules.
3 (Optional) Click Create New Rule to define a rule and add it to the Custom Rules policy.
4 To view or edit the properties of an existing custom rule, click the rule name.
vPatch rules
vPatch rules help prevent attacks against known vulnerabilities and database misconfigurations. A set
of predefined vPatch rules is included as part of the McAfee DAM installation.
McAfee DAM updates this set of rules regularly to provide monitoring and protection from new
vulnerabilities.
vPatch rules are applied in the order in which they appear on the vPatch Rules page.
Changes to the rule properties in a duplicate policy apply only to that policy.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click the vPatch rule policy to display the list of vPatch rules.
3 Select the rule that you want to edit, then click Actions | Edit Properties.
5 Click OK.
Changes to the rule actions in a duplicate policy apply only to that policy.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click the default vPatch rule policy or a duplicate policy to display the list of vPatch rules.
3 Select each of the rules where you want to add an action, then click Actions | Apply Actions.
4 If you are editing a copy of the default policy, select the Override global policy settings checkbox.
5 Select the actions that you want to apply to the selected rules:
• Log Level — Sets the level of criticality of the event.
• Threat event log — Sends an event to the threat event log if the rule is matched. If you select
Terminate, the Quarantine option is displayed. To quarantine a user, select Quarantine and enter the
number of minutes during which the user is prevented from reconnecting.
You can't send events to both the threat event log and the archive.
• Windows event log — Sends an alert to the Windows event log if the rule is matched.
• Mask sensitive data with the following regular expression — Prevents the display of sensitive data in alerts.
If selected, enter a regular expression in the Regular Expressions text box using standard
regular expression syntax.
You can also configure an email notification for the rule using McAfee ePO by selecting Menu |
Automation | Automatic Responses. Select ePO Notification Events, with Threats as the event type. In the filter
settings for the Threat Name, define the comparison criteria as Contains with RULE NAME as the value.
For more information, see the ePolicy Orchestrator documentation.
6 Click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click the vPatch rule policy to display the list of vPatch rules.
3 Select the rules that you want to enable or disable, then click Actions | Enable/Disable Rules.
4 In the Enable/Disable rules dialog box, select Enable or Disable as required, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
3 Select the rule where you want to add an exception, then click Actions | Edit Properties.
5 In the text box that appears, enter the comparator statements that define the exception.
6 Click OK.
See also
Rule syntax on page 31
Rule examples on page 34
You can't set the security level for the global vPatch policy.
Task
For details about product features, usage, and best practices, click ? or Help.
The security level for the vPatch policy appears as a link in the policy header.
3 Click the security level link to open the Security Level page.
4 Select a preconfigured security level (Top, High, Medium, or Low) or select Custom to define settings
based on a combination of these parameters:
• Apply to DBMS Versions —
• Vulnerable Versions Only: Enables vPatch rules based on relevant DBMS versions.
• Level — Enables vPatch rules according to the selected severity level (High Only, Medium and High, or
All).
• Confidence — Enables vPatch rules according to the selected confidence level (High Only, Medium and
High, or All).
5 Click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click the vPatch rule policy to display the list of vPatch rules.
3 Select the rules where you want to remove an action, then click Actions | Remove Actions.
4 Deselect the actions that you want to remove from the selected rules, then click OK.
The rule actions are updated. The removed actions are no longer applied when the selected vPatch
rule is matched as part of the monitoring process.
You can also create an allow rule from the Application Mapping page.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click the vPatch rule policy to display the list of vPatch rules.
3 Select each of the rules where you want to create an allow rule, then click Actions | Create allow rule.
5 Under Rule text, enter the comparator statements that make up the conditions of the rule.
6 Under Monitoring source, set the sources of information used to determine compliance with this rule:
• Auto (All) — The sources of information are detected and sampled automatically.
See also
Rule syntax on page 31
Rule examples on page 34
Task
For option definitions, click ? in the interface.
2 Click the vPatch rule policy to display the list of vPatch rules.
3 Select the rules you want to remove, then click Actions | Remove allow rule.
Custom rules
Based on ongoing monitoring of potential risks, custom rules can be defined to provide protection
against activity that your IT policy considers suspicious. Custom rules also help protect specific DBMSs
according to their functionality.
You can create and enable custom rules that determine how to handle statements received by the
DBMS. Rules can allow statements that match (whitelist), or they can be used to generate alerts
regarding statements that do not match the policy (blacklist). A rule can also be used to automatically
close potentially dangerous sessions.
Each rule consists of one or more comparator statements. Comparator statements are made up of
Identifiers, Operators, and Literals. The relationship between multiple comparator statements is based
on Boolean logic, using AND, OR, or NOT.
You can define exceptions to a rule that does not allow certain conditions by creating an Allow rule for
the exception and placing it before the rule in the Rules list. You can also create an exception within
the rule itself.
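The evaluation order described under Rule order and in this section (vPatch rules checked before custom rules, first match wins, unmatched statements allowed, in-rule exceptions, an allow rule placed ahead of a blacklist rule) as an added, runnable illustration. This is example code written for this guide, not McAfee DAM's own code or rule language: the rule representation, the statement fields (user, ip, application, sql), the rule-object-like ADMIN_HOSTS set and the sample statements are assumptions; the product's real comparator syntax is covered under Rule syntax.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# A statement as the sensor might see it. The field names are assumptions.
Statement = Dict[str, Any]


@dataclass(frozen=True)
class Comparator:
    """One comparator statement: an Identifier, an Operator and a Literal."""
    identifier: str
    operator: str        # "=", "!=", "in" (literal is a set) or "matches" (regex)
    literal: Any

    def test(self, stmt: Statement) -> bool:
        value = stmt.get(self.identifier)
        if self.operator == "=":
            return value == self.literal
        if self.operator == "!=":
            return value != self.literal
        if self.operator == "in":
            return value in self.literal
        if self.operator == "matches":
            return value is not None and re.search(self.literal, str(value), re.I) is not None
        raise ValueError(f"unknown operator {self.operator!r}")


def evaluate(cond: Any, stmt: Statement) -> bool:
    """A condition is a Comparator or ("and", ...), ("or", ...) or ("not", c)."""
    if isinstance(cond, Comparator):
        return cond.test(stmt)
    op, *args = cond
    if op == "and":
        return all(evaluate(a, stmt) for a in args)
    if op == "or":
        return any(evaluate(a, stmt) for a in args)
    if op == "not":
        return not evaluate(args[0], stmt)
    raise ValueError(f"unknown boolean operator {op!r}")


@dataclass
class Rule:
    name: str
    condition: Any
    action: str                                          # "allow", "alert" or "terminate"
    exceptions: List[Any] = field(default_factory=list)  # exceptions defined inside the rule
    enabled: bool = True

    def matches(self, stmt: Statement) -> bool:
        if not self.enabled or not evaluate(self.condition, stmt):
            return False
        # A matching exception stops the rule from firing for this statement.
        return not any(evaluate(exc, stmt) for exc in self.exceptions)


def decide(vpatch: List[Rule], custom: List[Rule], stmt: Statement) -> Tuple[str, Optional[str]]:
    """vPatch rules are checked before custom rules; the first matching rule
    decides the action. A statement that matches no rule is allowed."""
    for rule in list(vpatch) + list(custom):
        if rule.matches(stmt):
            return rule.action, rule.name
    return "allow", None


def mask(alert_text: str, pattern: str) -> str:
    """The 'mask sensitive data' action: hide values matching the pattern in an alert."""
    return re.sub(pattern, "****", alert_text)


# Constructed sample policy. ADMIN_HOSTS plays the role of a rule object.
ADMIN_HOSTS = {"10.0.5.10", "10.0.5.11"}
DBA_FROM_ADMIN_HOST = ("and", Comparator("user", "=", "dba"),
                       Comparator("ip", "in", ADMIN_HOSTS))

VPATCH_RULES = [
    # Stands in for a predefined rule; the exception is the kind an administrator adds to it.
    Rule("DDL from an unapproved client",
         ("and", Comparator("sql", "matches", r"^\s*(drop|alter)\s+table\b"),
                 ("not", Comparator("application", "in", {"deploy-tool"}))),
         "alert", exceptions=[DBA_FROM_ADMIN_HOST]),
]
CUSTOM_RULES = [
    # Whitelist element, placed first so that it wins over the blacklist rule below.
    Rule("allow DBA from admin hosts", DBA_FROM_ADMIN_HOST, "allow"),
    # Blacklist element with an in-rule exception for the reporting service.
    Rule("reads of the salary table", Comparator("sql", "matches", r"\bfrom\s+hr\.salary\b"),
         "alert", exceptions=[Comparator("application", "=", "payroll-report")]),
]

# Constructed statements in the form the evaluator expects.
SAMPLE = [
    {"user": "dba", "ip": "10.0.5.10", "application": "sqlplus", "sql": "DROP TABLE hr.tmp"},
    {"user": "dba", "ip": "10.0.9.9", "application": "sqlplus", "sql": "DROP TABLE hr.tmp"},
    {"user": "alice", "ip": "10.0.9.3", "application": "excel", "sql": "select * from hr.salary"},
    {"user": "svc_pay", "ip": "10.0.7.1", "application": "payroll-report", "sql": "select ssn from hr.salary"},
    {"user": "dba", "ip": "10.0.5.11", "application": "sqlplus", "sql": "select * from hr.salary"},
    {"user": "bob", "ip": "10.0.9.4", "application": "dbeaver", "sql": "select 1"},
]

if __name__ == "__main__":
    for stmt in SAMPLE:
        action, rule = decide(VPATCH_RULES, CUSTOM_RULES, stmt)
        print(f"{action:5} {rule or '(no rule matched)':32} {stmt['user']}@{stmt['ip']}: {stmt['sql']}")
    print(mask("ssn = '123-45-6789'", r"\d{3}-\d{2}-\d{4}"))
```

Reversing CUSTOM_RULES changes the outcome for the fifth sample statement from allow to alert, which is the rule-order effect the guide warns about.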
Task
For details about product features, usage, and best practices, click ? or Help.
2 Click the default vPatch rule policy or a duplicate policy to display the list of vPatch rules.
5 Under Rule text, enter the comparator statements that make up the conditions of the rule.
6 Under Monitoring source, set the sources of information used to determine compliance with this rule:
• Auto (All) — The sources of information are detected and sampled automatically.
7 (Optional) Under Exceptions, click Add Exception to display the rule exceptions section. In the text box
that appears, enter the comparator statements that define the exception.
8 Under Actions, set the action to be taken when the rule conditions are met.
12 Click Save.
See also
Rule syntax on page 31
Rule examples on page 34
Task
1 Click Menu | Policy | Policy Catalog, then:
a From the Product drop-down list, select Database Activity Monitoring.
2 On the Custom Rules policy page, select the rule that you want to remove, then click Actions | Remove
rule.
Task
For details about product features, usage, and best practices, click ? or Help.
2 On the Custom Rules policy page, select the rule that you want to reposition in the policy, then click
Actions | Place New Location.
3 Set the location of the rule in the list, then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 In the Custom Rules policy page, select the rule that you want to copy to another policy, then click
Actions | Copy Rules to Another Policy.
2 Select the policy where you want to add the rule, then click OK.
Rule objects
Rule objects are components that can be used in defining dynamic rules.
These components are helpful when working with Allow rules. For example, you can use a rule object
in the definition of a rule intended to allow a specific range of IP addresses.
McAfee DAM comes with several predefined rule objects. These predefined objects are used in the
predefined rules and are listed on the Policy | Rule Objects page.
You can add rule objects to the global rule object policy. Rule objects can also be populated by
different methods such as LDAP queries and DVM checks.
All rule objects are included in all rule object policies. You can edit the rule object values in duplicated
policies.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Policy | Rule Objects, then click Actions | New Object.
• Value — The object value (according to the selected type), which can be manually input or
automatically uploaded (see Dynamic Value ).
• Dynamic Value — Automatically uploads the object values based on the selected option.
• Static — Uploads a list of values from an existing CSV file. Enter the file location in the File
upload field or click Browse to locate and select the file, then click Upload CSV File.
• DVM — Uploads dynamic object values based on an object that is created from a DVM result.
You can add or edit the regular expressions in the pattern of values. The expressions are
applied to every value in the pattern. (This option is enabled for the editing of dynamic
objects only.)
• ePO Query — Enables the use of McAfee ePO queries for creating the rule object. Browse to
and select the query to use. The first column in the query is used to populate the rule object
values.
• LDAP — Enables the use of LDAP Security groups for this rule object. Select the server, enter
the fully qualified name of the LDAP Group, then click Add.
Click Show values to view the uploaded values in the Value text box.
• The DVM option uploads the object values based on an object that was created
from a DVM result. It is not enabled here.
• Dynamic LDAP objects are available only if an LDAP server is configured on the
Menu | Configuration | Registered Servers page.
The rule object is automatically added to the list of available values according to Identifier type and
can be used in rule definitions.
Task
For details about product features, usage, and best practices, click ? or Help.
3 On the Rule Object page, edit the parameters, then click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
2 Select at least one rule object, then click Actions | Remove Rule Objects.
You can also assign values to dynamic DVM objects in McAfee ePO from the Response Builder wizard. On
the Actions page of the wizard, select Append Rule Object and configure the policy, object and value settings.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Reporting | Database Security Events, then click the DVM Events tab.
2 Click the name of the event, then click Actions | Set Rule Object.
This option is available only if data appears in the data set table.
3 Select the policy where you want to add the rule object.
5 Under Pattern, set the type of values to fetch and how they appear in the rule object by selecting at
least one option (Type, Username or Lock).
6 Click OK.
Rule syntax
Each rule consists of one or more comparator statements, which are made up of Identifiers, Operators
and Literals.
The relationship between multiple comparator statements is based on Boolean logic, using AND, OR,
or NOT. Comparator statements can be grouped using parentheses. If parentheses are not used, the
order of precedence is:
1 NOT
2 AND
3 OR
Identifiers
Three basic types of identifiers are used in rule comparator statements.
All rules are case-insensitive. An identifier can be specified in lowercase, uppercase, or a combination of
both. For example: user, User, USER, and uSEr are all legal for the user identifier. Constant values are
case-insensitive, so SUNDAY and SunDAy are equivalent.
instance (string): The instance where the execution takes place. In Oracle, this value is the SID of the database instance. In Sybase, it is the instance name. In MS SQL, it is the full instance name including the host (for example, MYHOST\SQLSERVER).
ip (number): The IP address where the statement is executed. IP addresses must be in the form XXX.XXX.XXX.XXX (a single IP address) or XXX.XXX.XXX.XXX/YYY.YYY.YYY.YYY (an IP address with a subnet mask). Each IP address is validated by McAfee DAM to prevent errors.
module (string): The application set module.
month (number): The month when the statement is executed: JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER. The short form of the month name (for example, JAN) is also supported.
nethost (string): The host name of the network (this might differ from the host name reported for an application). Applicable only when network monitoring is enabled.
netip (number): The IP address of the network (this might differ from the IP address reported for an application). Applicable only when network monitoring is enabled.
object (string): The DBMS object being accessed. Supports syntax of the form [owner.]objectname. DBMS objects include tables, triggers, and stored procedures. In Oracle, the format is owner.objectname; in MS SQL and Sybase, it is database.owner.objectname.
osuser (string): The operating system user.
schema (string): The default schema of the session.
session_state (string): The state of the session, one of the following:
• session_state=NEW_SESSION for monitoring session logons
• session_state=END_SESSION for logoffs
• session_state=NEW_LOGIN and session_state=END_LOGIN for monitoring a change of user during transaction execution (specifically for Microsoft SQL Server)
• session_state=CHANGE_SCHEMA for monitoring changes of schema during the session (Oracle only)
• session_state=EXECUTE for all other statements
Operators
McAfee DAM supports these operators.
Operator Description
= Equals (all types)
< Less than (all types)
> Greater than (number types only)
<= Less than or equal to (number types only)
>= Greater than or equal to (number types only)
<> Not equal to (all types)
(not)?like Compares to a string pattern in which the % character stands for any string (string types only)
(not)?between Checks whether an identifier is between two values (number types only)
(not)?in Checks whether an identifier is in a list of values (all types)
(not)?matches Performs a regular expression match (string types only)
(not)?contains Performs a simple and fast string match (string types only)
length When inserted before an identifier, indicates a condition on the field's length. For example:
• "length statement > 1024" catches statements longer than 1024 bytes.
• "length user < 10" catches SQL statements where the DB user name is shorter than 10 characters.
Rule examples
These examples illustrate the rule syntax.
More examples are provided in the Custom Rules | Rule Examples template.
Example 1
OSUSER = 'mycompany\john' AND APPLICATION CONTAINS 'sqlplus' AND HOST =
'johnlaptop.localdomain' AND IP = 192.168.1.7
Action: Allow
This rule allows John to use SQL*Plus from his station (defined by host name and IP address), thereby
bypassing many rules that come later, such as preventing SQL*Plus from being used.
Example 2
APPLICATION CONTAINS 'sqlplus' OR APPLICATION CONTAINS 'toad'
This rule blocks any access by the applications Toad or SQL*Plus. It logs an alert with high severity.
Example 3
STATEMENT CONTAINS 'emps'
Action: log-medium
This example assumes that the emps.* columns include sensitive data that require protection, and
that emps.salary and emps.cc are particularly sensitive.
This rule provides an alert every time a SQL statement includes the string emps. This rule alerts on
any attempt to access columns containing the name emps (as well as any SQL statement component
that includes the string emps). Even when the user is not actually accessing the objects (for example,
the DBMS prohibits access based on authorization rules), this rule generates alerts (in contrast to
using object, see example 4).
Example 4
OBJECT = 'emps.salary' OR OBJECT = 'emps.cc'
Action: Log-high
This example assumes that the tables emps.salary and emps.cc are particularly sensitive.
This rule provides a high-level alert each time the specified objects are accessed. An alert appears
whether the object is accessed via a view, a stored procedure, a trigger, or another database. In this
case, if the DBMS successfully restricts the user from accessing the objects, an alert is not generated
because the object is not accessed.
Example 5
Statement contains 'drop session' Alert low
Action: Alert-high
In this example, the user receives alerts when various DDL commands are executed, for example when
someone other than the database administrator attempts to stop auditing.
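The following is an added example, not McAfee's code: a small Python evaluator for the rule syntax described in the Rule syntax and Rule examples sections above. It tokenizes a rule, parses it with the stated precedence (NOT, then AND, then OR, with parentheses for grouping), and supports the length prefix, the (not)? operator forms, the % wildcard of like, regular-expression matches, and ip literals in both the single-address and address/mask forms; in and between are left out. The record keys and values used to drive it are constructed, and case-insensitive matching of string literals is an assumption.

```python
import ipaddress
import operator
import re

# Added example (not McAfee code): an evaluator for the DAM rule syntax described above.
TOKEN_RE = re.compile(r"'[^']*'|<=|>=|<>|[=<>()]|[\w.\\/]+")
NUMERIC = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
STRING_OPS = {                           # value arrives lower-cased; operands are lower-cased here (assumption)
    "=": lambda v, o: v == o.lower(), "<>": lambda v, o: v != o.lower(), "contains": lambda v, o: o.lower() in v,
    "like": lambda v, o: re.fullmatch(".*".join(map(re.escape, o.lower().split("%"))), v) is not None,
    "matches": lambda v, o: re.search(o, v, re.I) is not None}

def tokenize(rule):                      # quoted literals keep their quotes so the parser can tell them apart
    tokens = TOKEN_RE.findall(rule)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", rule):
        raise ValueError("rule contains text outside the grammar")
    return tokens

def parse(rule):                         # recursive descent; precedence from the page: NOT, then AND, then OR
    toks, pos = tokenize(rule), [0]

    def peek(word):                      # next token is this keyword/symbol (quoted literals never match)
        return pos[0] < len(toks) and not toks[pos[0]].startswith("'") and toks[pos[0]].lower() == word
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def chain(word, operand):            # left-associative AND or OR chain
        node = operand()
        while peek(word):
            take()
            node = (word, node, operand())
        return node
    def unary():                         # NOT prefix, parenthesised group, or one comparator statement
        if peek("not"):
            take()
            return ("not", unary())
        if peek("("):
            take()
            node = chain("or", lambda: chain("and", unary))
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        has_length = bool(peek("length") and take())      # "length user < 10"
        ident = take().lower()
        negate = bool(peek("not") and take())             # "not like", "not contains", ...
        op, operand = take().lower(), take()
        return ("cmp", ident, has_length, negate, op, operand[1:-1] if operand.startswith("'") else operand)

    tree = chain("or", lambda: chain("and", unary))
    if pos[0] != len(toks):
        raise ValueError("unexpected trailing tokens")
    return tree

def compare(value, op, operand):
    if op in NUMERIC:
        return NUMERIC[op](float(value), float(operand))
    try:                                 # ip / netip literals: a.b.c.d or a.b.c.d/m.m.m.m
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(operand, strict=False)
        return hit if op == "=" else not hit
    except ValueError:                   # not an address comparison: fall back to the string operators
        return STRING_OPS[op](str(value).lower(), str(operand))

def evaluate(node, record):              # record keys are identifier names (osuser, application, ip, ...)
    if node[0] in ("and", "or"):
        left, right = (evaluate(n, record) for n in node[1:])
        return (left and right) if node[0] == "and" else (left or right)
    if node[0] == "not":
        return not evaluate(node[1], record)
    _, ident, has_length, negate, op, operand = node
    value = record.get(ident, "")
    return compare(len(str(value)) if has_length else value, op, operand) != negate

def rule_matches(rule, record):          # True when the rule fires for one monitored statement record
    return evaluate(parse(rule), record)
```

A record is a plain dict keyed by identifier name, so the Example 1 rule above matches a constructed record such as {"osuser": "mycompany\\john", "application": "sqlplus.exe", "host": "johnlaptop.localdomain", "ip": "192.168.1.7"} and stops matching once the ip changes.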
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Configuration | Server Settings, then select Database Activity Monitoring.
McAfee DAM enables you to configure the monitoring settings for individual DBMSs and DBMS clusters.
Contents
Database monitoring
View DBMS details
View DBMSs attached to sensor
Manage DBMS clusters
Disable monitoring
Edit alternative connection
Merge DBMSs
Recalculate DBMS policies
Reset application mapping
Clone DBMS
Add a DBMS
Define a DML audit
Database monitoring
McAfee Database Activity Monitoring works within McAfee ePO to monitor and manage database
activity for multiple databases.
Once a McAfee DAM sensor is installed, all detected databases are added to the System Tree. You can
also manually add or import databases.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Click the name of the DBMS where the sensor is deployed to display the DBMS properties page,
then click the DBMS Details tab.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the system where the sensor is deployed, then click the DBMS Details tab.
The DBMSs attached to the sensor are listed. You can click a DBMS name to view its detailed
properties.
Tasks
• Cluster DBMSs on page 40
You can select multiple DBMSs and group them into a single cluster. This is useful when
several nodes of the same DBMS cluster are detected, and you want to manage them as a
single DBMS.
• Change DBMS cluster type on page 41
You can change the type of failover that is implemented on the database instances in a
cluster.
• Break DBMS cluster on page 41
You can ungroup the databases in a DBMS cluster so that they are no longer treated as a
single DBMS.
Cluster DBMSs
You can select multiple DBMSs and group them into a single cluster. This is useful when several nodes
of the same DBMS cluster are detected, and you want to manage them as a single DBMS.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select at least one database of the type you want to include in the cluster, then click Actions |
Database Monitoring | Cluster DBMSs.
3 On the Cluster DBMSs page, select the databases to include in the cluster, then click Actions | Create
Cluster.
• Active-Active — Two separate database instances run at the same time in the cluster. If failover
occurs, the remaining instance handles the requests of both database instances.
• Remove Merged DBMSs from System Tree — The databases that are contained in the cluster are merged
into a single entry in the System Tree and the individual nodes are removed.
5 Click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the database cluster, then click Actions | Database Monitoring | Change Cluster Type.
3 Select the required cluster type (Active Passive or Active-Active), then click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the database cluster, then click Actions | Database Monitoring | Break DBMS Cluster.
Disable monitoring
You can disable the default Monitoring Configuration policy for selected databases. For example, the
databases discovered by the sensor might include databases outside the required auditing scope.
Disabling the Monitoring Configuration policy does not affect the enforcement of other types of policies
(DBMS sensor configuration, vPatch rules, and custom rules).
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the databases where you want to disable monitoring, then click Actions | Database Monitoring |
Disable Monitoring.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the databases, then click Actions | Database Monitoring | Edit Alternative Connection.
b Set the authentication method by selecting Use Credential Set or Username, then enter the relevant
details.
• MSSQL — <host>\<sid>
• MYSQL — 127.0.0.1:<port>
• DB2 — 127.0.0.1:50000
5 Click OK.
Merge DBMSs
If a database is detected more than once (for example, due to upgrade or changes in the unique
identifier or home directory), you must merge the DBMSs in the System Tree into a single entry.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select at least one database of the type you want to include in the cluster, then click Actions |
Database Monitoring | Merge DBMSs.
3 On the Merge DBMSs page, select the databases to include in the cluster, then click Actions | Merge
DBMSs.
4 Click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the databases where you want to update the effective policy, then click Actions | Database
Monitoring | Recalculate DBMS Policies.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the databases where you want to update the effective policy, then click Actions | Database
Monitoring | Reset Application Mapping.
See also
Application Mapping on page 8
Clone DBMS
Cloning an existing database enables you to manually create a cluster node when a passive DBMS that
is part of cluster is not identified by the system. If the DBMS becomes active, it is then managed as
part of the cluster.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the database that you want to clone, then click Actions | Database Monitoring | Clone Database.
3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, or MYSQL).
5 In the DBMS Home field, enter the name of the DBMS home directory.
7 From the OS Type drop-down list, select the type of operating system.
9 Select the systems you want to add the database to, then click Save.
Add a DBMS
McAfee DAM can be used to monitor multiple DBMSs. If the sensor does not automatically detect a
database (for example, the passive node in a clustered database), you can manually add the DBMS to
the configuration.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, MYSQL).
The available DBMS parameters are refreshed according to the selected DBMS type.
5 In the DBMS Home field, enter the name of the DBMS home directory.
7 From the OS Type drop-down list, select the type of operating system.
9 Select the systems where you want to add the database, then click Save.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Systems | System Tree, then select the Systems tab.
2 Select the databases where you want to implement the DML audit, then click Actions | Database
Monitoring (DAM) | Add DML Audit.
3 On the System Tree DML Triggers Configuration page, enter the credentials used to connect to the
database's operating system, then click Next.
b In the Table field, browse to and select the table to audit, then click Next.
5 In the Command Type section, select at least one type of command to audit (Insert, Update, Delete).
6 (Optional) In the Trigger Action section, configure a time interval for delaying execution of a database
transaction.
7 (Optional) In the DMS Scan Assignment field, select Assign DBMS to default DML scan to display the audit
results on the DML Audit tab of the Database Security Events page. If this option is not selected, the audit
results are stored in a database table, but are not visible in the user interface.
8 Click Save.
See also
Data Manipulation Language (DML) auditing on page 8
Enforcement of McAfee DAM policies generates events that can be viewed in McAfee ePO. You can also
create customized queries and reports with the McAfee ePO Query Builder, and download the relevant
McAfee DAM product logs for troubleshooting.
Contents
View the DAM events list
View Application Mapping events
Create an allow rule based on Application Mapping
View event details
Load archived events
View quarantine events list
Remove a database user from quarantine
View DML audit trail
Remove DML audit
Queries and reports
Download the Sensor Analytic package
Task
For details about product features, usage, and best practices, click ? or Help.
The DAM Events Log tab lists the event ID and severity, as well as information on the policy that
detected the event.
2 (Optional) Click the column header to sort events by that column. (Sorting might cause pages to
load more slowly.)
3 (Optional) To view the details of a specific event, click the event row.
Task
For details about product features, usage, and best practices, click ? or Help.
The Application Mapping Events page lists the event ID and severity, as well as information on the policy
that detected the event.
See also
Application Mapping on page 8
Task
For details about product features, usage, and best practices, click ? or Help.
1 On the Application Mapping Events page, click the name of the event.
2 On the Application Mapping Event Details page, click Actions | Create allow rule.
6 Click OK.
Task
For details about product features, usage, and best practices, click ? or Help.
• On the DAM Events page or Application Mapping Events page, click the name of the event.
The event details page lists information about the event in read-only format.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Reporting | Database Security Events, then click the Archive Management tab.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Reporting | Database Security Events, then click the Monitored Sessions tab.
The Monitored Sessions tab lists the sessions subject to specific actions, including quarantine, the
criteria for the quarantine action, the name of the rule that triggered the quarantine, and
various quarantine-related parameters.
2 (Optional) Click the column header to sort the events by that column.
3 (Optional) To remove a database from quarantine, select the database, then click Actions |
Unquarantine.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Reporting | Database Security Events, then click the Monitored Sessions tab.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Reporting | Database Security Events, then select the DML Audit tab.
The DML Audit tab lists the changes made to audited tables and columns, and the command that
executed the change.
2 (Optional) Click the column header to sort events by that column. (Sorting might cause pages to
load more slowly.)
See also
Data Manipulation Language (DML) auditing on page 8
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Reporting | Database Security Events, then select the DML Audit Management tab.
2 Select the DML audit that you want to remove, then click Actions | Remove DML Audit.
Organize and maintain custom queries to suit your needs, then use them to run reports. You can
export reports into various file formats.
For each result type, the extension adds various properties in Query Builder for use in custom queries.
For more information about creating and using queries and reports, see the ePolicy Orchestrator
documentation.
Task
For details about product features, usage, and best practices, click ? or Help.
1 Click Menu | Policy | Client Task Catalog | DAM Sensor Analytic package, then click New Task.
4 From the System Tree, select the system where the sensor is deployed to view the system information
page, then click the DBMS Details tab.
5 Click the Download Analytic Package link, then save the file.