
Product Guide

McAfee Database Activity Monitoring 5.2.0


For use with ePolicy Orchestrator 5.1.0-5.3.0 Software
COPYRIGHT
© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.

2 McAfee Database Activity Monitoring 5.2.0 Product Guide


Contents

Preface                                                 5
  About this guide                                      5
    Audience                                            5
    Conventions                                         5
  Find product documentation                            6

1 Introduction                                          7
  Key features                                          7
  How McAfee DAM works                                  8
    Policy configuration                                8
    Application Mapping                                 8
    Data Manipulation Language (DML) auditing           8
  Deployment                                            9
  Supported databases                                   9

2 Installation                                         11
  Deployment                                           11
  Implementation workflow                              11
  Install the extension                                12
  Deploy the sensor                                    13
    Deploy the sensor from McAfee ePO 5.0              13
    Default sensor install paths                       13
    Operating system dependencies                      14
  Confirm sensor deployment                            15
  Features added to McAfee ePO                         15
  Uninstall the extension                              16

3 Policy configuration                                 17
  Policy categories                                    17
  Assign a policy                                      18
  DAM Sensor Configuration policy                      19
    Configure DAM Sensor Configuration policy          19
  DBMS Monitoring Configuration policy                 19
    Configure DBMS Monitoring Configuration policy     19
  vPatch policy                                        20
    Configure vPatch policy                            20
    Update the vPatch policy                           20
  Custom Rules policy                                  21
    Configure Custom Rules policy                      22
  vPatch rules                                         22
    Edit vPatch rule properties                        23
    Add vPatch rule actions                            23
    Enable or disable vPatch rules                     24
    Create an exception to a vPatch rule               24
    Set the security level for a vPatch policy         25
    Remove vPatch rule actions                         25
    Create an allow rule                               26
    Remove allow rule                                  26
  Custom rules                                         27
    Create a custom rule                               27
    Remove a custom rule                               28
    Change rule order                                  28
    Copy a custom rule to another policy               29
  Rule objects                                         29
    Define rule objects                                29
    Edit rule object properties                        30
    Remove rule objects                                30
    Configure dynamic DVM objects                      31
  Rule syntax                                          31
    Identifiers                                        32
    Operators                                          34
    Rule examples                                      34
  DAM server configuration                             35
    Edit DAM server settings                           35
    DAM server settings                                36

4 Database monitoring configuration                    39
  Database monitoring                                  39
  View DBMS details                                    39
  View DBMSs attached to sensor                        40
  Manage DBMS clusters                                 40
    Cluster DBMSs                                      40
    Change DBMS cluster type                           41
    Break DBMS cluster                                 41
  Disable monitoring                                   41
  Edit alternative connection                          42
  Merge DBMSs                                          42
  Recalculate DBMS policies                            43
  Reset application mapping                            43
  Clone DBMS                                           44
  Add a DBMS                                           44
  Define a DML audit                                   45

5 Events, reporting, and troubleshooting               47
  View the DAM events list                             47
  View Application Mapping events                      47
  Create an allow rule based on Application Mapping    48
  View event details                                   48
  Load archived events                                 48
  View quarantine events list                          49
  Remove a database user from quarantine               49
  View DML audit trail                                 49
  Remove DML audit                                     50
  Queries and reports                                  50
    Custom queries and reports                         50
  Download the Sensor Analytic package                 51

Index                                                  53



Preface

This guide provides the information you need to work with your McAfee product.

Contents
About this guide
Find product documentation

About this guide


This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

Conventions
This guide uses these typographical conventions and icons.

Italic          Title of a book, chapter, or topic; a new term; emphasis
Bold            Text that is emphasized
Monospace       Commands and other text that the user types; a code sample; a displayed message
Narrow Bold     Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue  A link to a topic or to an external website
Note:           Extra information to emphasize a point, remind the reader of something, or
                provide an alternative method
Tip:            Best practice information
Caution:        Important advice to protect your computer system, software installation,
                network, business, or data
Warning:        Critical advice to prevent bodily harm when using a hardware product


Find product documentation


On the ServicePortal, you can find information about a released product, including product
documentation, technical articles, and more.

Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.



1 Introduction

McAfee Database Activity Monitoring (McAfee DAM) provides monitoring and management of
database activity for multiple databases and vPatch service (optional). It also includes prevention,
database cluster support, third-party integration, and advanced reporting functionality.

Contents
Key features
How McAfee DAM works
Deployment
Supported databases

Key features
McAfee DAM provides full visibility into database user activity and can issue alerts or stop suspicious
activities based on predefined vPatch rules and custom rules.
It also includes prevention, cluster support, third-party integration, and advanced reporting
functionality.

Database protection — Prevention of intrusion, data theft, and other attacks on your databases.
McAfee DAM uses memory-based sensors to detect threats with a single, nonintrusive solution.

Threat identification and intervention — High-risk violations can be configured to automatically
close suspicious sessions and quarantine malicious users, allowing time for the security team to
investigate the intrusion.

Custom security policies — McAfee DAM enables you to create custom rule-based policies for users/
queries and database objects.

vPatch updates — Virtual patching updates are provided regularly for newly discovered
vulnerabilities, protecting sensitive data until a patch is released by the database vendor and can be
applied. The updates can be implemented without database downtime.

Audit log — Access to sensitive data, including complete transaction details, can be logged for audit
purposes.


How McAfee DAM works


When the extension for McAfee DAM and the sensor is deployed on a database server with McAfee
Agent, it begins the process of discovering and monitoring your databases.
By default, the databases that McAfee DAM discovers are placed in the Lost & Found group in the System
Tree. You can configure the rule settings in McAfee ePO to place the databases in a different location.

Use of the terms DBMS (database management system) and database varies according to platform
vendor. In general, DBMS refers to the overall database system, including the data and the
infrastructure around it, while database can refer to the data tables themselves. In this document, the
terms are used interchangeably.

Policy configuration
The monitoring policy for a DBMS is made up of the various rules that are enabled and applied on that
DBMS.
McAfee DAM provides enhanced DBMS security based on predefined vPatch rules and custom rules.
vPatch rules are included in the product installation and help prevent attacks against known
vulnerabilities. In addition, you can define custom rules to define the level of monitoring and alerts,
and further protect your DBMSs against potential threats.

Incoming statements are compared to the rules and policies enabled for the DBMS. Action is taken
based on the first rule that is matched. If a statement does not match any of the existing rules, the
statement is allowed.

Application Mapping
When the McAfee DAM sensor is deployed, it begins to collect sample information about access to the
DBMS. Application Mapping provides baseline information about the activities that take place on the
DBMSs during the sampling period, including which applications are run on the DBMS and which users
are running them.
The Application Mapping Events page also includes a count for each cluster of applications, users, IP
addresses, and each DBMS. This information can be used to create exceptions or allow rules (for
example, if a certain combination of IP address, application and user are audited elsewhere or are of
no security/audit interest). In addition, the information can be used to create monitoring rules.
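The first-match evaluation described under Policy configuration and the Application Mapping baseline described above, as an added example that is not McAfee code or part of this guide: it models an ordered rule list where the first enabled match decides and an unmatched statement is allowed, and derives an allow rule from the most common (application, user, IP address, DBMS) cluster seen during sampling. The rule fields, the action names, and every sample statement are assumptions.

```python
# Added example, not McAfee code: first-match policy evaluation as the guide
# describes it, plus an Application Mapping style baseline used to derive an
# allow rule. Rule fields, action names and all sample data are assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Statement:
    """One statement as the sensor observes it (constructed sample data)."""
    user: str
    application: str
    ip: str
    dbms: str
    sql: str

    def cluster(self):
        # The (application, user, IP, DBMS) tuple that Application Mapping counts.
        return (self.application, self.user, self.ip, self.dbms)


@dataclass
class Rule:
    name: str
    match: Callable[[Statement], bool]
    action: str = "alert"   # assumed names: allow, alert, close_session, quarantine
    enabled: bool = True


class Policy:
    """Ordered rule set for one DBMS: the first enabled rule that matches
    decides, and a statement that matches no rule is allowed."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.quarantined = set()   # users a quarantine action has locked out
        self.events = []           # (rule name, statement) for every non-allow hit

    def evaluate(self, st):
        if st.user in self.quarantined:
            # Sessions of a quarantined user are closed before any rule runs.
            return "close_session", "quarantine"
        for rule in self.rules:
            if not rule.enabled or not rule.match(st):
                continue
            if rule.action != "allow":
                self.events.append((rule.name, st))
            if rule.action == "quarantine":
                self.quarantined.add(st.user)
            return rule.action, rule.name
        return "allow", None


def build_baseline(samples):
    """Application Mapping: count each cluster seen during the sampling period."""
    return Counter(s.cluster() for s in samples)


def allow_rule_for(cluster, name):
    """Turn a baseline cluster into an allow rule; placing it first makes it
    an exception to every rule after it."""
    return Rule(name, lambda s, c=cluster: s.cluster() == c, action="allow")


def run_demo():
    # Constructed sampling-period traffic: the HR portal's service account.
    samples = [Statement("hr_app", "HR_Portal", "10.0.1.20", "HRDB",
                         "select name, salary from payroll where id = 7")] * 3
    top_cluster = build_baseline(samples).most_common(1)[0][0]

    rules = [
        allow_rule_for(top_cluster, "allow HR_Portal baseline"),
        # Assumed custom rules: audit reads of a sensitive table and stop DDL
        # from any account other than the DBA's.
        Rule("payroll read", lambda s: "payroll" in s.sql.lower(), "alert"),
        Rule("ddl by non-dba",
             lambda s: s.sql.lower().startswith("drop ") and s.user != "dba",
             "quarantine"),
        Rule("disabled rule", lambda s: True, "close_session", enabled=False),
    ]
    policy = Policy(rules)
    adhoc = ("j.doe", "sqlcmd", "10.0.9.4", "HRDB")
    contractor = ("contractor", "sqlcmd", "10.0.9.5", "HRDB")

    results = {
        # Same query as the baseline: the allow rule is first, so no alert.
        "baseline": policy.evaluate(samples[0]),
        # The same table read from an ad-hoc client reaches the payroll rule.
        "adhoc": policy.evaluate(Statement(*adhoc, "select * from payroll")),
        # DDL from a non-DBA account is quarantined ...
        "ddl": policy.evaluate(Statement(*contractor, "drop table audit_log")),
        # ... and that user's next statement is closed without consulting rules.
        "after": policy.evaluate(Statement(*contractor, "select 1")),
        # Nothing matches (the disabled rule is skipped): default allow.
        "unmatched": policy.evaluate(Statement(*adhoc, "select getdate()")),
    }
    return results, policy
```

Reordering the list (for example, moving the allow rule below the payroll rule) changes the outcome for the baseline statement, which is why the guide's later "Change rule order" task matters.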

Data Manipulation Language (DML) auditing


McAfee DAM enables activation of the complete DML audit, which tracks any changes to the selected
scope (table and columns), including old and new values.
This functionality is available from the Database Security Events page. You can create new DML audit
settings from the System Tree, manage existing DML audits from the DML Audit Management tab, and view
the audit results in the DML Audit tab.


Deployment
Before the software can monitor and manage database activity, you must install the product extension
on the McAfee ePO server and deploy the sensors to a database server where McAfee Agent is
installed.

Required components
• McAfee ePolicy Orchestrator 5.1 or later with these extensions installed:
  • McAfee Database Activity Monitoring extension
  • McAfee Vulnerability Manager for Databases extension
  • McAfee Rogue Database Detection (RDD) extension 4.7 or later
  • McAfee Advanced Management Core extension
• McAfee Agent 4.8 or later

Supported databases
McAfee DAM can be used to monitor and manage activity on several different types of databases.
The supported databases include:
• IBM DB2 for Linux and Unix platforms

• IBM DB2 for Z/OS with CorreLog IBM

• IBM DB2 iSeries (AS/400) with Raz-Lee

• IBM DB2 LUW

• Informix

• MariaDB on Linux

• Microsoft SQL Server 2000 or later on any supported Windows platform

• MySQL on Linux

• Oracle on Sun Solaris, IBM AIX, Linux, HP-UX, Microsoft Windows (including Oracle RAC and Oracle
Exadata)

• PostgreSQL

• SAP HANA

• Sybase ASE on all supported platforms

• Teradata on Linux

The lists of supported databases and their versions are updated regularly. To view the current lists, see
McAfee Data Center Security Suite for Databases System Requirements.



2 Installation

For McAfee DAM to be used with McAfee ePO software, you must first download and install the product
extension and deploy the sensor to McAfee Agent.

Contents
Deployment
Implementation workflow
Install the extension
Deploy the sensor
Confirm sensor deployment
Features added to McAfee ePO
Uninstall the extension

Deployment
Before the software can monitor and manage database activity, you must install the product extension
on the McAfee ePO server and deploy the sensors to a database server where McAfee Agent is
installed.

Required components
• McAfee ePolicy Orchestrator 5.1 or later with these extensions installed:
  • McAfee Database Activity Monitoring extension
  • McAfee Vulnerability Manager for Databases extension
  • McAfee Rogue Database Detection (RDD) extension 4.7 or later
  • McAfee Advanced Management Core extension
• McAfee Agent 4.8 or later

Implementation workflow
These tasks must be performed to enable McAfee DAM to monitor and manage database activity.
1 Verify that the extensions for McAfee Vulnerability Manager for Databases, McAfee Rogue Database
Detection, and McAfee Advanced Management Core are installed in the McAfee ePO console.

2 Install the McAfee DAM extension using the McAfee ePO console.


3 Deploy the sensor on DBMSs using a product deployment task in McAfee ePO.

4 Confirm the success of the sensor deployment in the Products tab of the respective system
information pages.

See also
Install the extension on page 12
Deploy the sensor from McAfee ePO 5.0 on page 13
Confirm sensor deployment on page 15

Install the extension


The McAfee Database Activity Monitoring extension is installed using the ePolicy Orchestrator console.

Before you begin


• Back up the McAfee ePO back-end database.

• Verify that the extensions for McAfee Vulnerability Manager for Databases, McAfee
Rogue Database Detection and McAfee Advanced Management Core are installed.

• If the ePolicy Orchestrator console is not connected to the Internet, you need to
download the product extensions from the McAfee ePO download site, then install them
from the ePolicy Orchestrator Extensions page.

Task
For details about product features, usage, and best practices, click ? or Help.

1 From the McAfee ePO console, click Menu | Software Manager.

2 In the Product Categories pane, select Software | Database Activity Monitoring.

All related components are listed, including the product extensions.

3 Select DBSecDAMPolicy extension, then click Download or Check In.

4 When prompted, select ZIP as the package type.

5 Repeat for the Database Activity Monitoring extension and Database Activity Monitoring help extension.

6 In the Software Manager, check in the McAfee DAM sensor managed product for the relevant operating
systems.

When the installation is complete, Database Activity Monitoring and Help Content appear in the Components
list.

By default, the extension is installed using a 30-day evaluation license, and EVAL appears on the
shortcut icons and at the top of the vPatch Rules and DAM Server Settings pages. The evaluation version has
several limitations. For example, it does not include vPatch security updates. If you already have a
license, we recommend that you install it now.


Deploy the sensor


You can create a client task to deploy the sensor to a DBMS that has McAfee Agent installed. Once the
sensor is deployed, it starts automatically and appears in the System Tree.

Tasks
• Deploy the sensor from McAfee ePO 5.0 on page 13
You can deploy the sensor to DBMSs from the Product Deployment page of the McAfee ePO 5.0
console.

Deploy the sensor from McAfee ePO 5.0


You can deploy the sensor to DBMSs from the Product Deployment page of the McAfee ePO 5.0 console.

Before you begin


Verify that the Database Activity Monitoring package appears in the McAfee ePO Master
Repository.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Software | Product Deployment.

2 Click New Deployment.

3 Enter a task name and description, then define the type (Fixed or Continuous).

4 From the Products and components drop‑down list, select DBMS McAfee Sensor for Windows.

5 Schedule the task deployment and configure more options as needed for any McAfee ePO client
task. For more information, see the ePolicy Orchestrator documentation.

6 Click Save.

The deployment task is created and the sensor is deployed according to the task configuration.

The task is run as scheduled in the task properties. You can also manually deploy the task from the
System Tree. Select Actions | Agent | Run Client Task Now, then select the task to run. The Run Client Task Now
option is supported for Windows systems only. Do not use this option for scheduling deployments on
UNIX or Linux systems. For more information on running client tasks, see the ePolicy Orchestrator
documentation.

See also
Default sensor install paths on page 13
Operating system dependencies on page 14

Default sensor install paths


The default sensor install paths and file names vary according to platform type.
Table 2-1 Default directories

Platform   Installation directory                              Logs directory
AIX        /opt/mfeagdbs.sensor                                /var/adm/mfe-agent-dbs-sensor
HPUX       /opt/mfeagdbs.sensor                                /var/adm/mfe-agent-dbs-sensor
Linux      /usr/local/mfe-agent-dbs.sensor                     /var/log/mfe-agent-dbs-sensor
Solaris    /opt/MFEAgentDBSsensor                              /var/adm/mfe-agent-dbs-sensor
Windows    C:\Program Files\McAfee\Database Security Sensor    C:\Program Files\McAfee\Database Security Sensor\logs

Table 2-2 File names

Platform   Configuration file                                                          Binary name                   Startup script name
AIX        /etc/mfe-agent-dbs-sensor                                                   mfeagtdbsensor                /etc/rc.d/init.d/mfe-agent-dbs-sensor
HPUX       /etc/rc.config.d/mfe-agent-dbs-sensor                                       mfeagtdbsensor                /sbin/init.d/mfe-agent-dbs-sensor
Linux      /etc/sysconfig/mfe-agent-dbs-sensor                                         mfeagtdbsensor                /sbin/init.d/mfe-agent-dbs-sensor
Solaris    /etc/default/mfe-agent-dbs-sensor                                           mfeagtdbsensor                /sbin/init.d/mfe-agent-dbs-sensor
Windows    C:\Program Files\McAfee\Database Security Sensor\McAfeeAgentDBSConfig.exe   McAfee-Agent-DBS-Sensor.exe   Service name: "McAfee Database Security Sensor"

Operating system dependencies


Successful installation of the sensor requires that specific packages be installed on the target
operating system.

Platform: AIX
IBM XL C/C++ Enterprise Edition for AIX, V9.0 Runtime Environment and Utilities:
• xlC.aix50
• xlC.msg.Ja_JP
• xlC.msg.en_US
• xlC.msg.ja_JP
• xlC.rte
• xlsmp.aix52.rte
• xlsmp.msg.EN_US.rte
• xlsmp.msg.JA_JP.rte
• xlsmp.msg.Ja_JP.rte
• xlsmp.msg.ZH_CN.rte
• xlsmp.msg.Zh_CN.rte
• xlsmp.msg.en_US.rte
• xlsmp.msg.ja_JP.rte
• xlsmp.msg.zh_CN.rte
• xlsmp.rte
For details, see the IBM website.

Platform: HPUX pa risc 11.11 or later
• NFS.NFS-64SLIB
• OS-Core.CORE-64SLIB
• OS-Core.CORE-SHLIBS
• Streams.STREAMS-64SLIB

Platform: HPUX ia64 11.23 or later
• NFS.NFS-64SLIB
• OS-Core.CORE2-64SLIB
• OS-Core.CORE2-SHLIBS
• Streams.STREAMS-64SLIB

Platform: Linux
• libstdc++33 (this library is almost always pre-installed)

Platform: Solaris
N/A

Platform: Windows
N/A

Confirm sensor deployment


You can confirm the sensor deployment on the Products tab of the system details page.

Before you begin


Create and deploy the product deployment task.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Click the system where the sensor is deployed.

3 On the system details page, select the Products tab.

The sensor deployment is indicated under Product.

Features added to McAfee ePO


The extension adds or uses these features in the McAfee ePO environment.

System Tree
  Adds the Database Monitoring submenu to the Actions menu in the Systems tab.

Policy submenu
  Adds two options to the Policy submenu:
  • vPatch Rules — View, add, and edit vPatch rules.
  • Rule Objects — View, add, and edit rule objects.
  Adds two predefined client task types to the Client Task Catalog:
  • DAM Sensor Analytic Package — Extracts diagnostic information for troubleshooting purposes.
  • DAM Sensor Restart — Restarts the monitoring sensor. For more information, see KB79692.

Configuration submenu
  Adds one new option to the Configuration | Server Settings submenu:
  • DAM Server Settings — Manage the McAfee DAM server archive, log, and general settings.

Reporting submenu
  Adds three new options to the Reporting submenu:
  • Database Security Events — View the McAfee DAM event logs, event properties, DML audit
    results, and more.
  • Application Mapping — View information about activities taking place on a DBMS, including
    applications and their users.
  • Dashboards | Database Activity Monitoring — View charts and graphs related to McAfee DAM events.
  Adds the Database Activity Monitoring group of result types in Query Builder.

Permission sets
  Adds these predefined user roles:
  • Database Security Administrator — By default, the Database Security Administrator can create,
    edit, or delete Scheduler tasks and queries. This user can view and edit all DVM and DAM
    properties, including permission and policy configurations, dashboards, and the credential
    catalog. This user can also view, delete, and purge events.
  • Database Security Operator — By default, the Database Security Operator can view the System
    Tree and all DVM and DAM properties, the audit log, and the credential catalog, and can edit
    the dashboards. This user can also view the events in the Threat Event Log.
  • Database Security Reviewer — By default, the Database Security Reviewer can view the System
    Tree, DVM and DAM results, and weak passwords.

Automatic responses
  Adds the capability to append values to rule objects based on automatic response.

Uninstall the extension


You can uninstall the McAfee Database Activity Monitoring extension using the McAfee ePO console.
Uninstalling an extension permanently deletes its data.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Software | Extensions.

2 From the Extensions list, select Database Activity Monitoring and the corresponding Help Content extension,
then click Remove.

3 When prompted to confirm, click OK.

Selecting Force removal is not recommended.

This task does not uninstall the sensor. Remove the sensor using a standard client task. For details,
see ePolicy Orchestrator documentation.



3 Policy configuration

McAfee DAM policy configuration enables you to implement the policy settings that are most
appropriate for your organization.

Contents
Policy categories
Assign a policy
DAM Sensor Configuration policy
DBMS Monitoring Configuration policy
vPatch policy
Custom Rules policy
vPatch rules
Custom rules
Rule objects
Rule syntax
DAM server configuration

Policy categories
McAfee DAM policies are grouped into several categories, with a default policy for each category.
Each default policy is read-only. However, we provide a policy template, My Default, that you can use to
edit and implement the policy settings for your organization.

DBMS Sensor Configuration


This policy determines the log configuration settings for the DAM sensor, and enables the definition of
advanced parameters.

DBMS Monitoring Configuration


This policy category contains two default policies related to the McAfee DAM monitor configuration:
• McAfee Default Monitor Configuration — This policy is made up of the general monitoring settings,
application mapping settings, and advanced logging parameters, as well as specific configuration
settings according to database type.

• McAfee Disable Monitor Configuration — This policy disables monitoring for a database.

vPatch rules
The default Virtual Patching for Database (vPatch) rule policy is made up of the full list of predefined
vPatch rules in read-only format. The rules are applied in the order that they appear in the list. You
can duplicate the default policy to create a custom rule set. Custom vPatch rule policies automatically
inherit all of the rules contained in the default policy, however you can edit the rule properties in the
customized policies.


The default policy is updated regularly by McAfee DAM to include up-to-date monitoring and protection
against known and zero-day vulnerabilities.

Custom rules
This policy is made up of the custom rules defined based on your organization's ongoing monitoring of
potential risks and activities.

You can create your own rules in the My Default custom rules policy, or duplicate the Empty Rules Template
and create a custom rule policy.

Rule objects
This read-only policy is made up of the list of rule objects that can be used in dynamic rules. You can
duplicate the default policy and create multiple rule object policies.

You can add rule objects to the read-only policy. All rule objects are included in all rule object policies,
however you can edit the rule object values in duplicated policies.

Assign a policy
You can assign a McAfee DAM policy to a managed system or DBMS.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree | Systems, then select the group under the System Tree.

2 Select the system, then click Actions | Agent | Modify Policies on a Single System to open the Policy Assignment
page for that system.

3 From the Product drop-down list, select Database Activity Monitoring. The relevant policy categories are
listed with the system’s assigned policy.

4 Locate the required policy, then click Edit Assignments.

5 If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.

6 From the Assigned policy drop-down list, select the policy.


The available policies depend on your role and permissions.
From this location, you can edit the selected policy or create a new policy. For more information,
see the ePolicy Orchestrator documentation.

7 Select whether to lock policy inheritance.


Locking policy inheritance prevents any systems that inherit this policy from having another one
assigned in its place.

8 Click Save.

The policy is assigned to the selected managed system.



3
Policy configuration
DAM Sensor Configuration policy

DAM Sensor Configuration policy


The DAM Sensor Configuration policy determines the log configuration settings for the McAfee DAM sensor,
and enables the definition of advanced parameters.
The default policy is read-only. A policy template, My Default, enables you to edit and implement the
policy settings based on your organization's needs.

Configure DAM Sensor Configuration policy


Although a default DAM Sensor Configuration policy is provided, you can use the My Default policy template to
implement different policy settings on specific systems.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select DAM Sensor Configuration.

2 Click My Default.

3 Edit the policy settings as needed, then click Save.

DBMS Monitoring Configuration policy


The DBMS Monitoring Configuration policy determines various monitoring options, including application
mapping and failed logon monitoring.
The default policy is read-only. A policy template, My Default, enables you to edit and implement the
policy settings based on your organization's needs. In addition, the read-only Disable Monitor Configuration
policy is used to disable specific database instances from the System Tree.

You cannot assign the Disable Monitor Configuration policy and a default policy to the same database instance
at the same time.

Configure DBMS Monitoring Configuration policy


Although a default DBMS Monitoring Configuration policy is provided, you can use the My Default policy
template to implement different policy settings on specific systems.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select DBMS Monitoring Configuration.

2 Click the My Default link.

The default policy properties are organized into a general tab and one tab for each type of
database platform.


3 Edit the settings as needed, then click Save.

The policy settings are applied only to database instances where the policy is assigned.

vPatch policy
The default vPatch policy comprises a predefined set of vPatch rules. The default policy is read-only.
You can duplicate the policy and edit the actions defined for specific rules. You can also duplicate the
default vPatch policy and use it as the basis for creating a custom vPatch rule set. Custom vPatch rule
policies automatically inherit all of the rules contained in the default policy; however, you can edit the
rule properties in the customized policies.

The global vPatch policy is updated by McAfee DAM regularly (every few weeks) to provide
monitoring and protection from new vulnerabilities.

Different vPatch policies can be assigned to different DBMSs in the system.

You can disable a vPatch rule, but you can't remove a rule from the vPatch Rules list.

Configure vPatch policy


You can use a duplicate copy of the vPatch policy as the basis for creating a custom vPatch rule set.
Although the conditions (rule syntax) of these predefined rules cannot be edited, you can edit the
actions and tags defined for specific rules. You can also create exceptions within the rules.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click your duplicate copy of vPatch Rules to open its vPatch Rules page.

3 To view or edit the properties of an existing rule, click the rule name.

Update the vPatch policy


McAfee DAM sends out notifications whenever new vPatch rules are available. We recommend that you
update the vPatch rule set to provide protection from new vulnerabilities.
The currently installed version of the vPatch policy appears in the Note column on the vPatch Policy page.

Tasks
• Update the vPatch rule set on page 20
When connected to the Internet, McAfee DAM automatically downloads the vPatch package
into the Master Repository. The package must then be applied to your McAfee ePO installation.
• Download and check in the vPatch rule set on page 21
When McAfee ePO is not connected to the Internet, you must manually download and
check in the updated vPatch rules package.

Update the vPatch rule set


When connected to the Internet, McAfee DAM automatically downloads the vPatch package into the
Master Repository. The package must then be applied to your McAfee ePO installation.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Software | Master Repository.

2 Click Pull Now, then click Next.

3 Select the DAM vPatch package, then click Next.

4 Click Start Pull to apply the package.

The new vPatch rules are included in the default vPatch policy.

Download and check in the vPatch rule set


When McAfee ePO is not connected to the Internet, you must manually download and check in the
updated vPatch rules package.

Before you begin


You must have Internet access to download the package.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click the link in the notification you received to download the updated vPatch rules package, then
save the package.

2 Click Menu | Software | Master Repository, then click Check In Package.

3 Select the package type, specify the path to where you saved the vPatch rules package, then click
Next.

4 Click Save to check in the package.

The new vPatch rules are included in the default vPatch policy.

Custom Rules policy


You can create custom policies according to your audit and security needs. Different policies can be
applied to different DBMSs in your organization.
DAM custom rule policies support multi-slot functionality so that more than one policy can be assigned
to a system. You can enforce different policies for different purposes on the same system. For
example, different policies might be configured for auditing, database security, and monitoring
purposes.

In a multi-slot scenario, an allow rule affects only the policy where it is created.

Rule order
The order of the rules in the Custom Rules list is important. The first rule that is matched is the rule that
is applied to the statement. If a statement does not match any of the existing rules, the statement is
allowed.

There are two approaches to defining policy:


• Whitelist approach, which resembles the approach of firewalls, where you determine all the allowed
actions first and then alert on all other actions (assuming that all other actions are suspect).

• Blacklist approach, which resembles the approach of IDS/IPS systems, where everything is allowed
except actions that are considered suspect.

McAfee DAM users typically create a policy that integrates elements of both approaches, for example,
using a Blacklist approach for all known attacks, while using a Whitelist approach for the use of
development SQL tools.

Incoming statements are checked against the vPatch Rules list before they are checked against the
Custom Rules list.

Rule templates
Custom rule policies use these templates:
• My Default — This template is empty when the product is first installed. You can create your own
rules in this policy.

• Empty Rules Template — Duplicate this template and use it to create a custom rules policy.

• Integrity Monitoring — This template is made up of the rules that capture changes to the database,
including the addition and removal of tables, and changes in table structure and data.

• Rule Examples — This template is made up of examples of custom rules that can be used as is or as
models for creating new rules.

Configure Custom Rules policy


You can view and edit the rules that make up the Custom Rules policy.
By default, the Custom Rules policy does not contain any rules.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

By default, the custom rules policy does not contain any predefined rules.

2 Select the policy that you want to edit.

3 (Optional) Click Create New Rule to define a rule and add it to the Custom Rules policy.

4 To view or edit the properties of an existing custom rule, click the rule name.

vPatch rules
vPatch rules help prevent attacks against known vulnerabilities and database misconfigurations. A set
of predefined vPatch rules is included as part of the McAfee DAM installation.
McAfee DAM updates this set of rules regularly to provide monitoring and protection from new
vulnerabilities.

vPatch rules are applied in the order in which they appear on the vPatch rules page.


Edit vPatch rule properties


You can edit the properties of a vPatch rule including its actions, tags, and description.
Changes to the properties in the default vPatch policy are applied to all vPatch policies unless Override
global policy settings is configured in the rule in the duplicate policy.

Changes to the rule properties in a duplicate policy apply only to that policy.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select the rule that you want to edit, then click Actions | Edit Properties.

4 Edit the rule properties as needed.

5 Click OK.

Add vPatch rule actions


You can configure additional actions to be applied when vPatch rules are matched as part of the
monitoring process. Duplicate vPatch policies automatically inherit the rules and rule actions contained
in the default vPatch policy.
Changes to the rule actions in the default vPatch policy are applied to all vPatch policies unless Override
global policy settings is configured in the rule in the duplicate policy.

Changes to the rule actions in a duplicate policy apply only to that policy.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the default vPatch rule policy or a duplicate policy to display the list of vPatch rules.

3 Select each of the rules where you want to add an action, then click Actions | Apply Actions.

4 If you are editing a copy of the default policy, select the Override global policy settings checkbox.

5 Select the actions that you want to apply to the selected rules:
• Log Level — Sets the level of criticality of the event.

• Threat event log — Sends an event to the threat event log if the rule is matched. If you select
Terminate, the Quarantine option is displayed. To quarantine a user, select Quarantine and enter the
number of minutes during which the user is prevented from reconnecting.

You can't send events to both the threat event log and the archive.

• To archive — Sends an alert only to the archive if the rule is matched.


• Syslog — Sends an alert to the syslog if the rule is matched.

• Windows event log — Sends an alert to the Windows event log if the rule is matched.

• Log file — Sends an alert to a log file if the rule is matched.

• Mask sensitive data with the following regular expression — Prevents the display of sensitive data in alerts.
If selected, enter a regular expression in the Regular Expressions text box using standard
regular expression syntax.

You can also configure an email notification for the rule using McAfee ePO by selecting Menu |
Automation | Automatic Responses. Select ePO Notification Events, with Threats as the event type. In the filter
settings for the Threat Name, define the comparison criteria as Contains with RULE NAME as the value.
For more information, see the ePolicy Orchestrator documentation.

6 Click OK.

Enable or disable vPatch rules


You can enable or disable selected vPatch rules as needed.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select the rules that you want to enable or disable, then click Actions | Enable/Disable Rules.

4 In the Enable/Disable rules dialog box, select Enable or Disable as required, then click OK.

Create an exception to a vPatch rule


You can define an exception to a vPatch rule to allow specific conditions. Exceptions are defined in
response to false positive results, to prevent a vPatch rule from identifying a specific behavior as an
attack.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Select the policy where you want to add the exception.

3 Select the rule where you want to add an exception, then click Actions | Edit Properties.

4 On the rule properties page, under Exceptions, click Add Exception.

5 In the text box that appears, enter the comparator statements that define the exception.

6 Click OK.


See also
Rule syntax on page 31
Rule examples on page 34

Set the security level for a vPatch policy


You can set the security level for the vPatch policy that is applied to your databases based on a
predefined security level or by setting a customized set of parameters.
This feature enables you to control the tradeoff between security level and performance. The defined
settings are applied to the entire vPatch policy.

You can't set the security level for the global vPatch policy.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Select a copy of the vPatch Rules policy.

The security level for the vPatch policy appears as a link in the policy header.

3 Click the security level link to open the Security Level page.

4 Select a preconfigured security level (Top, High, Medium, or Low) or select Custom to define settings
based on a combination of these parameters:
• Apply to DBMS Versions —
• Vulnerable Versions Only: Enables vPatch rules based on relevant DBMS versions.

• All Versions: Enables vPatch rules on all DBMS versions.

• Level — Enables vPatch rules according to the selected severity level (High Only, Medium and High, or
All).

• Confidence — Enables vPatch rules according to the selected confidence level (High Only, Medium and
High, or All).

5 Click OK.

Remove vPatch rule actions


You can remove specific actions from a vPatch rule.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.


3 Select the rules where you want to remove an action, then click Actions | Remove Actions.

4 Deselect the actions that you want to remove from the selected rules, then click OK.

The rule actions are updated. The removed actions are no longer applied when the selected vPatch
rule is matched as part of the monitoring process.

Create an allow rule


An allow rule enables you to define exceptions to specific conditions of an existing rule.
vPatch allow rules are always evaluated before built-in vPatch rules. If the allow rule is matched, rule
evaluation stops for all vPatch rules.

You can also create an allow rule from the Application Mapping page.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select each of the rules where you want to create an allow rule, then click Actions | Create allow rule.

4 In the Name field, enter a name for the rule.

5 Under Rule text, enter the comparator statements that make up the conditions of the rule.

6 Under Monitoring source, set the sources of information used to determine compliance with this rule:
• Auto (All) — The sources of information are detected and sampled automatically.

• All — All available sources of information are used.

• Memory — Information is collected by memory sampling.

• Network — Information is collected from network traffic.

7 (Optional) Add tags or comments to the rule.

8 Select Enable Rule to enable the rule on all vPatch policies.

9 Click OK to add the rule.

The rule is added.

See also
Rule syntax on page 31
Rule examples on page 34

Remove allow rule


You can remove multiple allow rules from the vPatch Rules list.


Task
For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select vPatch Rules.

2 Click the vPatch rule policy to display the list of vPatch rules.

3 Select the rules you want to remove, then click Actions | Remove allow rule.

4 When prompted for confirmation, click OK.

Custom rules
Based on ongoing monitoring of potential risks, custom rules can be defined to provide protection
against activity that your IT policy considers suspicious. Custom rules also help protect specific DBMSs
according to their functionality.
You can create and enable custom rules that determine how to handle statements received by the
DBMS. Rules can allow statements that match (whitelist), or they can be used to generate alerts
regarding statements that do not match the policy (blacklist). A rule can also be used to automatically
close potentially dangerous sessions.

Each rule consists of one or more comparator statements. Comparator statements are made up of
Identifiers, Operators, and Literals. The relationship between multiple comparator statements is based
on Boolean logic, using AND, OR, or NOT.

You can define exceptions to a rule that does not allow certain conditions by creating an Allow rule for
the exception and placing it before the rule in the Rules list. You can also create an exception within
the rule itself.

Create a custom rule


You can create custom rules based on the needs of your organization. For example, you can monitor
access to sensitive tables in an HR DBMS, or you can protect against the use of SQL query tools that
are not allowed on your production databases.

Before you begin


Before attempting to create custom rules, we recommend that you familiarize yourself with
Application Mapping, which can save time when you create custom rules.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

2 Click the default vPatch rule policy or a duplicate policy to display the list of vPatch rules.

3 On the Custom Rules policy page, click Create New Rule.


4 In the Name field, enter a name for the rule.

5 Under Rule text, enter the comparator statements that make up the conditions of the rule.

6 Under Monitoring source, set the sources of information used to determine compliance with this rule:
• Auto (All) — The sources of information are detected and sampled automatically.

• All — All available sources of information are used.

• Memory — Information is collected by memory sampling.

• Network — Information is collected from network traffic.

7 (Optional) Under Exceptions, click Add Exception to display the rule exceptions section. In the text box
that appears, enter the comparator statements that define the exception.

8 Under Actions, set the action to be taken when the rule conditions are met.

9 (Optional) Under Tags, add tags as needed.

10 (Optional) Under Comments, enter information for future reference.

11 Select Enable Rule to enable the rule.

12 Click Save.

See also
Rule syntax on page 31
Rule examples on page 34

Remove a custom rule


You can remove a rule from the Custom Rules list.
For details about product features, usage, and best practices, click ? or Help.

Task
1 Click Menu | Policy | Policy Catalog, then:
a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

c Select a Custom Rules policy to display its list of rules.

2 On the Custom Rules policy page, select the rule that you want to remove, then click Actions | Remove
rule.

3 When prompted for confirmation, click OK.

Change rule order


The order of the rules in the Custom Rules policy is important. The first rule that is matched is the rule
that is applied to the statement. If a statement does not match any of the existing rules, the
statement is allowed.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Policy Catalog, then:


a From the Product drop-down list, select Database Activity Monitoring.

b From the Category drop-down list, select Custom Rules.

c Select a Custom Rules policy to display its list of rules.

2 On the Custom Rules policy page, select the rule that you want to reposition in the policy, then click
Actions | Place New Location.

3 Set the location of the rule in the list, then click OK.

Copy a custom rule to another policy


You can copy a rule from one custom rule policy to another. This saves you time if you need to include
the rule in more than one custom rule policy.

Task
For details about product features, usage, and best practices, click ? or Help.

1 In the Custom Rules policy page, select the rule that you want to copy to another policy, then click
Actions | Copy Rules to Another Policy.

2 Select the policy where you want to add the rule, then click OK.

Rule objects
Rule objects are components that can be used in defining dynamic rules.
These components are helpful when working with Allow rules. For example, you can use a rule object
in the definition of a rule intended to allow a specific range of IP addresses.

McAfee DAM comes with several predefined rule objects. These predefined objects are used in the
predefined rules and are listed on the Policy | Rule Objects page.

You can add rule objects to the global rule object policy. Rule objects can also be populated by
different methods such as LDAP queries and DVM checks.

All rule objects are included in all rule object policies. You can edit the rule object values in duplicated
policies.

Rule objects are managed on the Policy | Rule Objects page.

Define rule objects


You add rule objects to the global Rule Objects policy. The rule objects can then be used as components
in rules.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Rule Objects, then click Actions | New Object.


2 Configure these parameters:


• Name — The name of the rule object (must be in English without spaces).

• Type — The type of identifier for the rule object.

• Value — The object value (according to the selected type), which can be manually input or
automatically uploaded (see Dynamic Value ).

• Comment — A brief comment or description.

• Dynamic Value — Automatically uploads the object values based on the selected option.
• Static — Uploads a list of values from an existing CSV file. Enter the file location in the File
upload field or click Browse to locate and select the file, then click Upload CSV File.

• DVM — Uploads dynamic object values based on an object that is created from a DVM result.
You can add or edit the regular expressions in the pattern of values. The expressions are
applied to every value in the pattern. (This option is enabled for the editing of dynamic
objects only.)

• ePO Query — Enables the use of McAfee ePO queries for creating the rule object. Browse to
and select the query to use. The first column in the query is used to populate the rule object
values.

• LDAP — Enables the use of LDAP Security groups for this rule object. Select the server, enter
the fully qualified name of the LDAP Group, then click Add.

Click Show values to view the uploaded values in the Value text box.

• The DVM option uploads the object values based on an object that was created
from a DVM result. It is not enabled here.

• The use of dynamic LDAP objects is available only if an LDAP server is configured on
the Menu | Configuration | Registered Servers page.

• Rule objects can also be populated by the automatic response mechanism.

The rule object is automatically added to the list of available values according to Identifier type and
can be used in rule definitions.

Edit rule object properties


You can view and edit the properties of a rule object.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Rule Objects.

2 Select the rule object, then click Actions | Edit Properties.

3 On the Rule Object page, edit the parameters, then click Save.

Remove rule objects


You can remove a rule object provided that it is not in use in an existing rule.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Rule Objects.

2 Select at least one rule object, then click Actions | Remove Rule Objects.

3 When prompted for confirmation, click Yes.

Configure dynamic DVM objects


You can configure a dynamic rule object based on the findings of a Vulnerability Manager for
Databases vulnerability scan.
If you are adding the object to the global Rule Objects policy, you can create a new rule object or
override a selected rule object.

You can also assign values to dynamic DVM objects in McAfee ePO from the Response Builder wizard. On
the Actions page of the wizard, select Append Rule Object and configure the policy, object and value settings.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Reporting | Database Security Events, then click the DVM Events tab.

2 Click the name of the event, then click Actions | Set Rule Object.
This option is available only if data appears in the data set table.

3 Select the policy where you want to add the rule object.

4 Select one of these options:


• New Object — Creates a new object in the global Rule Objects policy. This option is enabled if Global
Rule Object Policy is selected.

• Override Object — Overrides the settings of an existing rule object.

5 Under Pattern, set the type of values to fetch and how they appear in the rule object by selecting at
least one option (Type, Username or Lock).

The syntax for the value appears in the text box.

6 Click OK.

Rule syntax
Each rule consists of one or more comparator statements, which are made up of Identifiers, Operators
and Literals.
The relationship between multiple comparator statements is based on Boolean logic, using AND, OR,
or NOT. Comparator statements can be grouped using parentheses. If parentheses are not used, the
order of precedence is:


1 NOT

2 AND

3 OR
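The following Python is an added illustration, not McAfee code, of how the Rule order and Rule syntax sections fit together: comparator statements are parsed with the stated precedence (NOT, then AND, then OR, with parentheses overriding), identifiers and constants compare case-insensitively, and an ordered rule list is applied so that the first match wins and an unmatched statement is allowed. It models only the `=` comparator and the string and ip identifiers (an assumption about the syntax shown on this page); the rule names, actions, and statement values are constructed samples.

```python
"""Illustrative evaluator for DAM-style rule text (added example, not product code).

A rule is one or more comparator statements (identifier = literal) joined with
AND / OR / NOT, optionally grouped with parentheses.  Without parentheses the
precedence is NOT, then AND, then OR.  Identifiers and constant values compare
case-insensitively.  Only the '=' comparator is modelled here (assumption); the
ip identifier accepts a single address or address/netmask, as the identifier
table describes.
"""
import ipaddress
import re


def tokenize(text):
    """Split rule text into parentheses, '=' and bare words (identifiers or literals)."""
    return re.findall(r"\(|\)|=|[^\s()=]+", text)


class RuleParser:
    """Recursive-descent parser producing a small tuple-based AST."""

    def __init__(self, text):
        self.toks = tokenize(text)
        self.pos = 0

    def _peek(self):
        return self.toks[self.pos].upper() if self.pos < len(self.toks) else None

    def _take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        node = self._or_expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token: " + self.toks[self.pos])
        return node

    def _or_expr(self):            # OR: lowest precedence
        node = self._and_expr()
        while self._peek() == "OR":
            self._take()
            node = ("or", node, self._and_expr())
        return node

    def _and_expr(self):           # AND binds tighter than OR
        node = self._not_expr()
        while self._peek() == "AND":
            self._take()
            node = ("and", node, self._not_expr())
        return node

    def _not_expr(self):           # NOT: highest precedence; also handles parentheses
        if self._peek() == "NOT":
            self._take()
            return ("not", self._not_expr())
        if self._peek() == "(":
            self._take()
            node = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        ident = self._take().lower()        # identifiers are case-insensitive
        if self._take() != "=":
            raise ValueError("expected '=' after identifier " + ident)
        return ("eq", ident, self._take())


def evaluate(node, ctx):
    """Evaluate an AST against ctx, a dict of identifier -> value for one statement."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], ctx) or evaluate(node[2], ctx)
    if kind == "and":
        return evaluate(node[1], ctx) and evaluate(node[2], ctx)
    if kind == "not":
        return not evaluate(node[1], ctx)
    _, ident, literal = node
    actual = ctx.get(ident)
    if actual is None:               # identifier not available for this statement
        return False
    if ident in ("ip", "netip"):     # a.b.c.d or a.b.c.d/mask form from the identifier table
        return ipaddress.ip_address(actual) in ipaddress.ip_network(literal, strict=False)
    return str(actual).lower() == literal.lower()   # constants are case-insensitive


def rule_matches(rule_text, ctx):
    return evaluate(RuleParser(rule_text).parse(), ctx)


def first_match(rules, ctx):
    """Apply an ordered rule list: the first matching rule wins; no match means allow."""
    for name, action, text in rules:
        if rule_matches(text, ctx):
            return name, action
    return None, "allow"


# Constructed sample policy: a whitelist entry placed first, followed by blacklist rules.
SAMPLE_RULES = [
    ("hr-app-from-app-subnet", "allow", "application = HRApp AND ip = 10.1.20.0/255.255.255.0"),
    ("dev-tools-on-prod", "alert", "application = SQLDeveloper OR application = Toad"),
    ("salary-table-access", "alert", "object = HR.SALARIES AND NOT user = HR_BATCH"),
]

if __name__ == "__main__":
    stmt = {"application": "hrapp", "ip": "10.1.20.7", "object": "hr.salaries", "user": "jsmith"}
    print(first_match(SAMPLE_RULES, stmt))   # ('hr-app-from-app-subnet', 'allow')
```

Because the allow rule sits first, a salary-table read from the HR application subnet is allowed even though the later blacklist rule would match it; moving the allow rule below that rule changes the outcome, which is why the Rule order section matters.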

Identifiers
Three basic types of identifiers are used in rule comparator statements.

| Identifier type | Description |
| --- | --- |
| String-based | Types that are matched against strings. |
| Number-based | Types that can be translated into a number representation. Numbers can be in a specific range. Number-based types can be enforced to equal only a fixed set of constants. |
| Enumerated | Types that represent a fixed set of constants that cannot be translated into a number representation. |

McAfee DAM supports these identifiers.

All rules are case-insensitive. An identifier can be specified in lowercase, uppercase, or a combination of
both. For example: user, User, USER, and uSEr are all legal for the user identifier. Constant values are
case-insensitive, so SUNDAY and SunDAy are equivalent.

Identifier Type Description

action string The application action.
application string The application used to connect to the DBMS.
client_appl_name string The Sybase client application name. (Sybase only)
client_host_name string The Sybase client host name. (Sybase only)
client_name string The Sybase client name. (Sybase only)
clientid string The application set clientid accessing the DBMS. (Oracle only)
cmdtype string The action the statement is trying to perform, for example, select.
context_info string Microsoft SQL context information. (Microsoft SQL only)
date number The date the statement is executed. The date must be in the form MM/DD/YY (US date format), for example, 1/25/07.
db_container string The database container. This provides specific database context information when using the Pluggable Database functionality. (Oracle 12c only)
error_code number The error code returned by the DBMS (for example, when the user is trying to access a table that does not exist).
exec_user string If a user logs on to an application and then changes to another user, exec_user is the new user.
host string The domain name of the connecting application.
hour number The hour when the statement is executed. The hour must be in the form HH[:MM], where HH is in the range 0–23 and MM in the range 0–59. The minutes setting is optional.
inflow string The inflow PL/SQL object that originated the currently executing statement. Same format as object.
inflowsql string The SQL statement part that originated the currently executing command.
instance string The instance where the execution takes place. In Oracle, this value is the SID of the database instance. In Sybase, this value is the instance name. In MS SQL, it is the full instance name including the host (for example, MYHOST\SQLSERVER).
ip number The IP address where the statement is executed. IP addresses must be in the form XXX.XXX.XXX.XXX (single IP address) or XXX.XXX.XXX.XXX/YYY.YYY.YYY.YYY (IP with subnet). Each IP address is validated by McAfee DAM to prevent errors.
module string The application set module.
month number The month when the statement is executed: JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER. Alternatively, the short form of the month name is also supported, for example, JAN.
nethost string The host name of the network (this might differ from the host name reported for an application). Applicable only when network monitoring is enabled.
netip number The IP address of the network (this might differ from the IP address reported for an application). Applicable only when network monitoring is enabled.
object string The DBMS object being accessed. Supports syntax of the form [owner.]objectname. DBMS objects include tables, triggers, and stored procedures. In Oracle, the format is owner.objectname; in MS SQL and Sybase it is database.owner.objectname.
osuser string The operating system user.
schema string The default schema of the session.
session_state string The state of the session that produced the event:
• session_state=NEW_SESSION for monitoring session logons
• session_state=END_SESSION for logoffs
• session_state=NEW_LOGIN and session_state=END_LOGIN for monitoring a change of user during transaction execution (specifically for Microsoft SQL Server)
• session_state=CHANGE_SCHEMA for monitoring changes in schema during the session (Oracle only)
• session_state=EXECUTE for all other statements
statement string The raw statement sent to the server.
terminal string The machine where the user is logged on.
user string The DBMS user that is accessing the DBMS. See also exec_user.
version_mssql number The Microsoft SQL version. For example, version_mssql = 9.0.4053 for the relevant version of MS SQL 2005 (rarely used).
version_oracle number The full 5-digit Oracle version. For example, 10.1.0.3.0 (rarely used).
version_sybase number The specific Sybase version. For example, version_sybase = 12.5 or later (rarely used).
weekday value The day of the week when the statement is executed: SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY. Alternatively, the short form is also supported, for example, TUE.

Operators
McAfee DAM supports these operators.

Operator Description
= Equals (all types)
< Less than (all types)
> Greater than (number types only)
<= Less than or equal to (number types only)
>= Greater than or equal to (number types only)
<> Not equal to (all types)
(not)?like Compare to a string pattern in which the % character matches any string (string types only)
(not)?between Check whether an identifier is between two values (number types only)
(not)?in Check whether an identifier is in a list of values (all types)
(not)?matches Perform a regular expression match (string types only)
(not)?contains Perform a simple and fast string match (string types only)
length When inserted before an identifier, indicates a condition on the field's length. For example:
• "length statement > 1024" catches statements longer than 1024 bytes.
• "length user < 10" catches SQL statements where the DB user name is shorter than 10 characters.

Rule examples
These examples illustrate the rule syntax.

More examples are provided in the Custom Rules | Rule Examples template.

Example 1
OSUSER = 'mycompany\john' AND APPLICATION CONTAINS 'sqlplus' AND HOST = 'johnlaptop.localdomain' AND IP = 192.168.1.7

Action: Allow

This rule allows John to use SQL*Plus from his station (defined by host name and IP address), thereby
bypassing many rules that come later, such as preventing SQL*Plus from being used.

Example 2
APPLICATION CONTAINS 'sqlplus' OR APPLICATION CONTAINS 'toad'

Action: Log-high, terminate

This rule blocks any access by the applications Toad or SQL*Plus. It logs an alert with high severity.

Example 3
STATEMENT CONTAINS 'emps'

Action: log-medium

This example assumes that the emps.* columns include sensitive data that require protection, and
that emps.salary and emps.cc are particularly sensitive.

This rule provides an alert every time a SQL statement includes the string emps. This rule alerts on
any attempt to access columns containing the name emps (as well as any SQL statement component
that includes the string emps). Even when the user is not actually accessing the objects (for example,
the DBMS prohibits access based on authorization rules), this rule generates alerts (in contrast to
using object, see example 4).

Example 4
OBJECT = 'emps.salary' OR OBJECT = 'emps.cc'

Action: Log-high

This example assumes that the tables emps.salary and emps.cc are particularly sensitive.

This rule provides a high-level alert each time the specified objects are accessed. An alert appears
whether the object is accessed via a view, a stored procedure, a trigger, or another database. In this
case, if the DBMS successfully restricts the user from accessing the objects, an alert is not generated
because the object is not accessed.

Example 5
Statement contains 'drop session' Alert low
Statement contains 'alter DBMS' Alert low
Statement contains 'drop table' Alert low
Statement contains 'grant' Alert low
Statement contains 'grant dba' Alert medium
Statement contains 'grant sysdba' Alert medium
Statement contains 'noaudit' and osuser <> 'mycompany\johnd' Alert high

Action: Alert-high

In this example, the user receives alerts when various DDL commands are executed, and a high-severity alert when someone other than the database administrator attempts to stop auditing.
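The rule language above (identifiers, operators and examples 1 to 4) as an added Python example, not code from the McAfee product or this guide: a small evaluator that parses rules and applies them in policy order to constructed events, showing why the Allow rule must precede the rule it exempts and why a STATEMENT CONTAINS rule fires on a refused access while an OBJECT rule does not. Case-insensitive string matching, a list of accessed objects per event and the Allow short-circuit are assumptions of this example.

```python
import re

# Added example, not McAfee code: a small evaluator for the rule syntax documented above,
# run over constructed session events. Assumptions: string operators are case-insensitive,
# an event may list several objects and an OBJECT condition holds if any of them matches,
# and a matching Allow rule stops evaluation of later rules. No parentheses, IN, BETWEEN, length.

TOKEN_RE = re.compile(r"'((?:[^']|'')*)'|(<>|<=|>=|[=<>])|([A-Za-z_]\w*)|([0-9][0-9./:]*)")
COMPARISONS = {"=", "<>", "<", ">", "<=", ">="}
STRING_OPS = {"like", "contains", "matches"}


def tokenize(expr):
    # (kind, text) tokens; identifiers and keywords are lowercased, as the syntax is case-insensitive
    tokens = []
    for quoted, op, word, num in TOKEN_RE.findall(expr):
        kind = "word" if word else "op" if op else "num" if num else "str"
        tokens.append((kind, word.lower() if word else op or num or quoted.replace("''", "'")))
    return tokens


def parse(expr):
    # Nested tuples ("and"/"or", left, right) or ("cond", ident, op, value); AND binds tighter than OR.
    toks = tokenize(expr)

    def cond():
        kind, ident = toks.pop(0)
        if kind != "word":
            raise ValueError(f"identifier expected, got {ident!r}")
        okind, op = toks.pop(0)
        if op not in (COMPARISONS if okind == "op" else STRING_OPS):
            raise ValueError(f"unknown operator {op!r}")
        _, value = toks.pop(0)
        return ("cond", ident, op, value)

    def junction(sub, keyword):  # left-to-right chain of `sub` joined by AND or OR
        node = sub()
        while toks and toks[0] == ("word", keyword):
            toks.pop(0)
            node = (keyword, node, sub())
        return node

    return junction(lambda: junction(cond, "and"), "or")


def compare(left, op, value):
    # Numeric when both sides are numbers, otherwise case-insensitive text.
    left, value = str(left).lower(), str(value).lower()
    if op == "contains":
        return value in left
    if op == "matches":
        return re.search(value, left) is not None
    if op == "like":  # % is a wildcard for any string
        return re.fullmatch(".*".join(map(re.escape, value.split("%"))), left) is not None
    try:
        left, value = float(left), float(value)
    except ValueError:  # IP addresses, version strings and names stay text
        pass
    return {"=": left == value, "<>": left != value, "<": left < value,
            ">": left > value, "<=": left <= value, ">=": left >= value}[op]


def evaluate(node, event):
    # event: dict keyed by lowercase identifier; "object" may hold a list of accessed objects
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    _, ident, op, value = node
    raw = event.get(ident, "")
    return any(compare(v, op, value) for v in (raw if isinstance(raw, list) else [raw]))


def apply_policy(rules, event):
    # Rules are checked in order; every match is recorded, and Allow stops the walk.
    fired = []
    for name, rule_text, action in rules:
        if evaluate(parse(rule_text), event):
            fired.append((name, action))
            if action == "Allow":
                break
    return fired


def event(application, statement, objects, **extra):
    return {"application": application, "statement": statement, "object": objects, **extra}


POLICY = [  # rules from examples 1 to 4 above, in policy order
    ("john-sqlplus-allow", "OSUSER = 'mycompany\\john' AND APPLICATION CONTAINS 'sqlplus' "
     "AND HOST = 'johnlaptop.localdomain' AND IP = 192.168.1.7", "Allow"),
    ("adhoc-tools", "APPLICATION CONTAINS 'sqlplus' OR APPLICATION CONTAINS 'toad'", "Log-high, terminate"),
    ("emps-in-statement", "STATEMENT CONTAINS 'emps'", "Log-medium"),
    ("emps-objects", "OBJECT = 'emps.salary' OR OBJECT = 'emps.cc'", "Log-high"),
]

# Constructed events, not captured from a real deployment.
JOHN = event("sqlplus.exe", "select salary from emps", ["emps.salary"], osuser="MYCOMPANY\\john",
             host="johnlaptop.localdomain", ip="192.168.1.7")
JANE = event("Toad.exe", "select * from emps", ["emps"], osuser="MYCOMPANY\\jane",
             host="jane-pc.localdomain", ip="192.168.1.20")
DENIED = event("hr-portal", "select salary from emps", [], error_code=942)  # access refused, no object touched
VIA_VIEW = event("hr-portal", "select * from v_payroll", ["emps.salary"])  # reached emps.salary via a view

for label, ev in [("john", JOHN), ("jane", JANE), ("denied", DENIED), ("via_view", VIA_VIEW)]:
    print(label, "->", apply_policy(POLICY, ev) or "no rule matched")
```

Moving the Allow rule below the adhoc-tools rule in POLICY makes John's session terminate, which is the ordering point example 1 makes.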

DAM server configuration


The DAM server configuration includes the archiving and logging settings, external interface settings,
licensed components, and advanced settings.

Edit DAM server settings


You can modify the DAM server settings on the Server Settings page, for example, to change the external
interface settings.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Configuration | Server Settings, then select Database Activity Monitoring.

2 Edit the settings as needed, then click Save.

DAM server settings


Table 3-1 Archive settings
Option Definition
Enable Archive Select this option to enable saving of events in an archive.
Directory Path The full path to the location of the archive.
Rolling Interval The time period covered by each archive file (hourly or daily).

Table 3-2 Syslog settings


Option Definition
Enable Syslog Select this option to enable syslog to monitor events.
Host The IP address of the host where the syslog resides.
Port The port to be used for syslog communications.
Transport The transport type for connecting with the syslog server.
Maximum Packet Length The maximum length of a packet in the syslog.
Facilities The syslog facilities.
Format The file type to be used for the syslog (CSV, Sentinel, or Custom).

Table 3-3 Windows Event Log settings


Option Definition
Enable Windows Event Log Select this option to enable the Windows Event Log to monitor events.
Host The IP address of the host where the Windows Event Log resides (read-only).
Format The file type to be used for the Windows Event Log (CSV, Sentinel, or Custom).

Table 3-4 Log to File settings


Option Definition
Enable Log to File Select this option to enable saving of events in a file.
Directory Path The full path to the location of the log file.
Rolling Interval The time period covered by each log (hourly or daily).
Delete Files Older than The number of days after which the log file is deleted.
Format The file type of the log file (CSV, CEF, Sentinel, or Custom).

Table 3-5 Licensing and Advanced settings


Option Definition
Upload License Click Browse to locate and select a license key, then click Upload.
License Component Name The name of the licensed component.
License Type The type of license.
Expiration Date The date the license is set to expire.

Advanced Properties Advanced parameters can be used for specific system-wide settings when needed. For more information, see KB81209.
Key The name of the parameter.
Value The value assigned to the parameter.

4 Database monitoring configuration

McAfee DAM enables you to configure the monitoring settings for individual DBMSs and DBMS clusters.

Contents
Database monitoring
View DBMS details
View DBMSs attached to sensor
Manage DBMS clusters
Disable monitoring
Edit alternative connection
Merge DBMSs
Recalculate DBMS policies
Reset application mapping
Clone DBMS
Add a DBMS
Define a DML audit

Database monitoring
McAfee Database Activity Monitoring works within McAfee ePO to monitor and manage database
activity for multiple databases.
Once a McAfee DAM sensor is installed, all detected databases are added to the System Tree. You can
also manually add or import databases.

View DBMS details


You can view the detailed properties of a DBMS, including monitoring settings, application mapping
settings, and policy timestamps.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Click the name of the DBMS where the sensor is deployed to display the DBMS properties page,
then click the DBMS Details tab.

View DBMSs attached to sensor


You can view a list of the DBMSs attached to a specific sensor. The DBMSs attached to a sensor are
affected when changes are made to the DAM Sensor Configuration policy.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the system where the sensor is deployed, then click the DBMS Details tab.

The DBMSs attached to the sensor are listed. You can click a DBMS name to view its detailed
properties.

Manage DBMS clusters


DBMSs can be grouped into clusters, enabling you to handle two DBMSs as a single managed system.
All DBMSs in a cluster are managed and reported by the same DBMS entry.
DBMS clustering also enables the implementation of Active-Passive or Active-Active failover.

Tasks
• Cluster DBMSs on page 40
You can select multiple DBMSs and group them into a single cluster. This is useful when
several nodes of the same DBMS cluster are detected, and you want to manage them as a
single DBMS.
• Change DBMS cluster type on page 41
You can change the type of failover that is implemented on the database instances in a
cluster.
• Break DBMS cluster on page 41
You can ungroup the databases in a DBMS cluster so that they are no longer treated as a
single DBMS.

Cluster DBMSs
You can select multiple DBMSs and group them into a single cluster. This is useful when several nodes
of the same DBMS cluster are detected, and you want to manage them as a single DBMS.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select at least one database of the type you want to include in the cluster, then click Actions |
Database Monitoring | Cluster DBMSs.

3 On the Cluster DBMSs page, select the databases to include in the cluster, then click Actions | Create
Cluster.

4 On the Create cluster page, set these cluster properties:


• Cluster Type — The type of failover clustering to implement:
• Active-Passive — One active database instance runs at a time, with the second instance
remaining idle. If failover occurs, the idle instance takes over for the database that is down.

• Active-Active — Two separate database instances run at the same time in the cluster. If failover
occurs, the remaining instance handles the requests of both database instances.

• Remove Merged DBMSs from System Tree — The databases that are contained in the cluster are merged
into a single entry in the System Tree and the individual nodes are removed.

5 Click OK.

A cluster containing the selected databases is created.

Change DBMS cluster type


You can change the type of failover that is implemented on the database instances in a cluster.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the database cluster, then click Actions | Database Monitoring | Change Cluster Type.

3 Select the required cluster type (Active-Passive or Active-Active), then click OK.

Break DBMS cluster


You can ungroup the databases in a DBMS cluster so that they are no longer treated as a single DBMS.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the database cluster, then click Actions | Database Monitoring | Break DBMS Cluster.

3 When prompted for confirmation, click Yes.

Disable monitoring
You can disable the default Monitoring Configuration policy for selected databases. For example, the
databases discovered by the sensor might include databases outside the required auditing scope.

Disabling the Monitoring Configuration policy does not affect the enforcement of other types of policies
(DBMS sensor configuration, vPatch rules, and custom rules).

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases where you want to disable monitoring, then click Actions | Database Monitoring |
Disable Monitoring.

3 When prompted for confirmation, click OK.

Edit alternative connection


You can edit the alternative connection for one or more databases. The alternative connection is
required for Sybase, MySQL, and Teradata databases. For other database types it is used when OS
authentication fails or if the user doesn't want to use OS authentication.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases, then click Actions | Database Monitoring | Edit Alternative Connection.

3 Set these connection parameters:


a Select Enable Alternative DBMS Connection.

b Set the authentication method by selecting Use Credential Set or Username, then enter the relevant
details.

4 In the Connection String field, enter the vendor-specific connection string:


• Oracle — //127.0.0.1:1521/ <sid>

• MSSQL — <host>\<sid>

• MYSQL — 127.0.0.1:<port>

• DB2 — 127.0.0.1:50000

• Teradata — <host name>

• Sybase — <host name> <port>

5 Click OK.

Merge DBMSs
If a database is detected more than once (for example, due to upgrade or changes in the unique
identifier or home directory), you must merge the DBMSs in the System Tree into a single entry.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select at least one database of the type you want to merge, then click Actions |
Database Monitoring | Merge DBMSs.

3 On the Merge DBMSs page, select the databases to merge, then click Actions | Merge
DBMSs.

4 Click OK.

The selected databases are merged.

Recalculate DBMS policies


You can manually trigger recalculation of the policies that are applied to selected DBMSs, for example,
to ensure that policy changes are applied immediately.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases where you want to update the effective policy, then click Actions | Database
Monitoring | Recalculate DBMS Policies.

When the recalculation is complete, OK appears in the message area.

Reset application mapping


Application mapping is performed per DBMS and provides information about the activities taking place
on the DBMS, including which applications and users connect to the DBMS.
Application mapping reports on up to 50,000 events, and then stops monitoring the activity. You can
reset application mapping on the DBMS to resume the application mapping activities.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases where you want to reset application mapping, then click Actions | Database
Monitoring | Reset Application Mapping.

When the application mapping is reset, OK appears in the message area.

See also
Application Mapping on page 8

Clone DBMS
Cloning an existing database enables you to manually create a cluster node when a passive DBMS that
is part of a cluster is not identified by the system. If the DBMS becomes active, it is then managed as
part of the cluster.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the database that you want to clone, then click Actions | Database Monitoring | Clone Database.

3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, or MYSQL).

4 In the SID field, enter the server ID.

5 In the DBMS Home field, enter the name of the DBMS home directory.

6 From the Architecture drop-down list, select 32 bit or 64 bit.

7 From the OS Type drop-down list, select the type of operating system.

8 Click Next to display the Select system page.

9 Select the systems you want to add the database to, then click Save.

Add a DBMS
McAfee DAM can be used to monitor multiple DBMSs. If the sensor does not automatically detect a
database (for example, the passive node in a clustered database), you can manually add the DBMS to
the configuration.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select Actions | Database Monitoring | Add DBMS (DAM).

3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, MYSQL).

The available DBMS parameters are refreshed according to the selected DBMS type.

4 In the SID field, enter the server ID.

5 In the DBMS Home field, enter the name of the DBMS home directory.

6 From the Architecture drop-down list, select 32 bit or 64 bit, as applicable.

7 From the OS Type drop-down list, select the type of operating system.

8 Click Next to display the Select system page.

9 Select the systems where you want to add the database, then click Save.

The DBMS is added in the System Tree.

Define a DML audit


A DML audit tracks any changes to the selected scope (table and columns) of a database.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Systems | System Tree, then select the Systems tab.

2 Select the databases where you want to implement the DML audit, then click Actions | Database
Monitoring (DAM) | Add DML Audit.

3 On the System Tree DML Triggers Configuration page, enter the credentials used to connect to the
database's operating system, then click Next.

4 Configure the tables and columns for auditing:


a In the Schema field, browse to and select the schema to audit, then click Next.

b In the Table field, browse to and select the table to audit, then click Next.

c In the Columns list, select the columns.

5 In the Command Type section, select at least one type of command to audit (Insert, Update, Delete).

6 (Optional) In the Trigger Action section, configure a time interval for delaying execution of a database
transaction.

7 (Optional) In the DMS Scan Assignment field, select Assign DBMS to default DML scan to display the audit
results on the DML Audit tab of the Database Security Events page. If this option is not selected, the audit
results are stored in a database table, but are not visible in the user interface.

8 Click Save.

See also
Data Manipulation Language (DML) auditing on page 8

5 Events, reporting, and troubleshooting

Enforcement of McAfee DAM policies generates events that can be viewed in McAfee ePO. You can also
create customized queries and reports with the McAfee ePO Query Builder, and download the relevant
McAfee DAM product logs for troubleshooting.

Contents
View the DAM events list
View Application Mapping events
Create an allow rule based on Application Mapping
View event details
Load archived events
View quarantine events list
Remove a database user from quarantine
View DML audit trail
Remove DML audit
Queries and reports
Download the Sensor Analytic package

View the DAM events list


McAfee DAM generates events based on compliance with its policies. These events are listed on the
Database Security Events page or in the McAfee ePO Threat Event Log.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Reporting | Database Security Events.

The DAM Events Log tab lists the event ID and severity, as well as information on the policy that
detected the event.

2 (Optional) Click the column header to sort events by that column. (Sorting might cause pages to
load more slowly.)

3 (Optional) To view the details of a specific event, click the event row.

View Application Mapping events


Application Mapping provides baseline information about the activities that take place on the
databases. This information can be used to create exceptions or allow rules, and to create monitoring
rules.

Task
For details about product features, usage, and best practices, click ? or Help.

• Click Menu | Reporting | Application Mapping.

The Application Mapping Events page lists the event ID and severity, as well as information on the policy
that detected the event.

See also
Application Mapping on page 8

Create an allow rule based on Application Mapping


An allow rule defines exceptions to specific conditions of an existing rule.
Place the allow rule before the rule in the Rules list so that its criteria are matched before the rule is
applied.

The allow rule affects only the policy where it is defined.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the Application Mapping Events page, click the name of the event.

2 On the Application Mapping Event Details page, click Actions | Create allow rule.

3 In the Name field, enter a name for the rule.

4 (Optional) Add tags or comments to the rule.

5 Select Enable Rule.

6 Click OK.

View event details


You can view the details of a specific DAM or Application Mapping event.

Task
For details about product features, usage, and best practices, click ? or Help.

• On the DAM Events page or Application Mapping Events page, click the name of the event.

The event details page lists information about the event in read-only format.

Load archived events


You can load events from an archived file and view the events in the Database Security Events | Archived
Events tab.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Reporting | Database Security Events, then click the Archive Management tab.

2 Select the archive, then click Actions | Load/Reload Archived Events.

View quarantine events list


McAfee DAM places databases in quarantine based on the events generated by the monitoring policies.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Reporting | Database Security Events, then click the Monitored Sessions tab.

The Monitored Sessions tab lists the sessions subject to specific actions, including quarantine, the
criteria for the quarantine action, the name of the rule that triggered the quarantine, and
various quarantine-related parameters.

2 (Optional) Click the column header to sort the events by that column.

3 (Optional) To remove a database from quarantine, select the database, then click Actions |
Unquarantine.

Remove a database user from quarantine


Removing a database user from quarantine enables renewed access to the database.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Reporting | Database Security Events, then click the Monitored Sessions tab.

2 (Optional) Select the database, then click Actions | Unquarantine.

View DML audit trail


The DML audit results indicate any changes made to specific database tables and columns, including
the values before and after the change.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Reporting | Database Security Events, then select the DML Audit tab.

The DML Audit tab lists the changes made to audited tables and columns, and the command that
executed the change.

2 (Optional) Click the column header to sort events by that column. (Sorting might cause pages to
load more slowly.)

See also
Data Manipulation Language (DML) auditing on page 8

Remove DML audit


You can remove the existing DML audits in the Database Security Events | DML Audit Management tab.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Reporting | Database Security Events, then select the DML Audit Management tab.

2 Select the DML audit that you want to remove, then click Actions | Remove DML Audit.

Queries and reports


The extension includes query and report generation through the McAfee ePO software.
You can create queries from properties stored in the McAfee ePO database. For more information, see
the ePolicy Orchestrator documentation.

Organize and maintain custom queries to suit your needs, then use them to run reports. You can
export reports into various file formats.

Custom queries and reports


You can create customized queries and reports with Query Builder. The result types selected in Query
Builder identify what type of data the query retrieves.
The extension adds a new group of Query Result Types, Database Activity Monitoring, in Query Builder. The group
contains a set of query targets related to database activity monitoring.

Query result type Shows this information...

DAM: Archived Events Events archived.
DAM: Archive Management Archive files.
DAM: DML Audit Events Events generated by the DML audit.
DAM: DML Audit Events - Verbose Events generated by the DML audit, including result set data.
DAM: DML Audit Management Detailed DML audit settings.
DAM: Events The events generated by enforcement of McAfee DAM policies.
DAM: Quarantine and Adaptive Monitoring Detailed information on quarantine and adaptive monitoring.
Database Security DBMSs Monitored DBMSs.
Database Security Detected DBMSs Content implementation details for virtual patching and vulnerability assessment.
Database Security Repository Details of Database Security content implementation of virtual patching and vulnerability assessment.

For each result type, the extension adds various properties in Query Builder for use in custom queries.

For more information about creating and using queries and reports, see the ePolicy Orchestrator
documentation.

Download the Sensor Analytic package


The Sensor Analytic package contains an aggregation of all McAfee DAM product logs that are used for
troubleshooting only.
You can create a client task that generates the package as a .zip file, and then download the file and
send it to McAfee support.

Task
For details about product features, usage, and best practices, click ? or Help.

1 Click Menu | Policy | Client Task Catalog | DAM Sensor Analytic package, then click New Task.

2 Select DAM Sensor Analytic package as the task type.

3 Run the task to create the package.

4 From the System Tree, select the system where the sensor is deployed to view the system information
page, then click the DBMS Details tab.

5 Click the Download Analytic Package link, then save the file.

The Sensor Analytic package is ready to be sent to McAfee.

Index

A database clusters
breaking 41
about this guide 5
changing type 41
allow rules
defining 40
creating 26
database monitoring 39
creating from application mapping 48
databases
removing 26
adding 44
alternative connection 42
advanced properties 44
application mapping 8
cloning 44
creating allow rules 48
clusters 40, 41
resetting 43
disabling monitor configuration policy 41
viewing events 47
DML auditing 8
archive management 48
edit alternative connection 42
archived events
merging 42
loading 48
recalculating policies 43
assignment, policies 18
removing users from quarantine 49
auditing database changes 8
resetting application mapping 43
B viewing by sensor 40
viewing details 39
blacklist 21
viewing DML audit 49
DBMS sensor configuration policy
C
about 19
cloning a database 44 configuring 19
clusters, See database clusters DBMSs
configuration See also databases
dynamic rule objects 31
policy 17 supported 9
connection deployment of Database Activity Monitoring 9, 11
alternative 42 DML audit
conventions and icons used in this guide 5 about 8
custom queries 50 adding 45
custom rules removing 50
changing order 28 viewing 49
copying to another policy 29 documentation
creating 27 audience for this guide 5
overview 27 product-specific, finding 6
policy 22 typographical conventions and icons 5
removing 28 downloads, Database Activity Monitoring extension 12
rule order 21 dynamic rule objects 31
dynamic values 29

D
E
DAM server settings 35
evaluation license, limitations 12
details 36

McAfee Database Activity Monitoring 5.2.0 Product Guide 53


Index

events
  application mapping 47
  DAM, view list 47
  loading from archive 48
  quarantine 49
  viewing details 48
exceptions
  adding to a custom rule 27
  adding to a vPatch rule 24
extension, McAfee Database Activity Monitoring 12
  installing 12
  uninstalling 16

F
failed logon monitoring 19
failover 40
features
  added to McAfee ePO environment 15
  Database Activity Monitoring 7

I
identifiers 32
installation, McAfee Database Activity Monitoring
  deploying the package 12
  downloading the package 12
  product extension 12
  workflow 11

M
McAfee ServicePortal, accessing 6
monitor configuration policy 19
  disabling 41
  overview 19
monitored sessions 49

O
operators 34
overview
  deployment 9, 11
  features added to McAfee ePO environment 15
  how DAM works 8
  key features 7
  supported databases 9

P
packages
  deploying 12
  downloading
  installing 12
permission sets
  Database Activity Monitoring 15
policies
  about 8
  assigning 18
  categories 17
  custom rules 22
  DBMS sensor configuration 19
  monitor configuration 19
  monitor configuration, disabling 41
  recalculating 43
  timestamps 39
  vPatch rules 20

Q
quarantine
  removing database users 49
  viewing events 49
queries
  custom 50
  Database Activity Monitoring 50
Query Builder, Database Activity Monitoring additions 50
query result types 50

R
reports 50
Response Builder wizard 31
roles 15
rule actions
  editing 23
  removing 25
rule objects 29
  appending 31
  creating 29
  dynamic, configuring 31
  editing properties 30
  removing 30
rule syntax 31
  examples 34
  identifiers 32
  operators 34
rules
  changing order 28
  order 21
  syntax examples 34

S
security level, vPatch policy 25
Sensor Analytic package 51
sensors
  checking in 12
  confirming deployment 15
  default install paths 13
  deploying 13
  deploying, ePO 5.0 13
  viewing attached DBMSs 40
server settings
  DAM, editing 35
ServicePortal, finding product documentation 6
sessions, monitored 49
System Tree
  actions added by Database Activity Monitoring 15
  adding DBMSs 44
  application mapping 43
  breaking DBMS clusters 41
  changing DBMS cluster type 41
  creating DBMS clusters 40
  merging DBMSs 42
  recalculating DBMS policies 43

T
technical support, finding product information 6
troubleshooting 51

U
user roles 15

V
vPatch policies
  allow rules 26
  checking in rule set 21
  overview 20
  security level 25
  updating rule set 20
vPatch rules
  adding exceptions 24
  applying actions 23
  checking in rule set 21
  configuring policy 20
  disabling 24
  editing properties 23
  enabling 24
  removing actions 25
  updating rule set 20

W
whitelist 21