DDM Enablement Statement Rules Part4
Enablement – September 2011
Statement processing rule definition
Securing individual SQL requests
• Select the new rule set, right-click it and choose ‘Edit Security Rule Set’ from the list.
>> An empty Rule editor will open:
• Rules are applied top-to-bottom
• Rule attribute: ‘Stop’ or ‘Continue when rule is matched’, allows a white/black list approach
• Folders allow ‘AND’ / ‘OR’ conditions
• Enable or disable rules
• ‘Log when rule is applied’ will create an audit file in the DDM log directory
• Export/Import of rule sets is also available
Rule definition
Defining a rule
• Matchers identify an incoming SQL request: text matchers, PL/SQL, Java, From clause, time of day, Symbol matcher
• Stop or continue rule processing
Regular expression introduction
• In a regular expression the . (dot) means any character
• The * means the character to its left, 0 or more times
• The + means the character to its left, 1 or more times
• .* means any character, any number of times
• \s means a single whitespace character
• \s* means 0 or more whitespace characters
• \w means a single word character (letter, digit or underscore)
• \w+ means a word without spaces or special characters
• (.*) means all the text of the statement is captured as group number one (tag placeholder), which can be retrieved in the text rewrite using \(1)
• In the following “search and replace” example, the pattern
  ACCOUNT\s*=\s*(\w+)
  is replaced with
  ACCOUNT = \(1)*3
  Original: select * from customer where account=10
  DDM Rewrite: select * from customer where account=10*3
• The sign | means “or”, so ((DDM)|(PDM)) would match both DDM and PDM
• Note that the SQL statement DOES NOT include the semicolon ;
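As an added illustration (not the product's own code), the Python below models how the pieces on these slides fit together: a rule set applied top-to-bottom, a text matcher that is a regular expression, `\(1)` in the rewrite template referring to capture group 1, ‘Stop’/‘Continue’ deciding whether later rules run, and ‘Log when rule is applied’ recording the original and replaced statement. Case-insensitive matching and literal substitution of the template (which yields `ACCOUNT = 10*3` rather than the slide's `account=10*3`) are assumptions, and the rule set is constructed for the example.

```python
import re
from dataclasses import dataclass


# Hypothetical model of a DDM statement-processing rule (not the product's own code).
@dataclass
class Rule:
    name: str
    pattern: str          # text matcher: a regular expression
    replacement: str      # rewrite template; \(1) refers to capture group 1
    stop: bool = True     # 'Stop' (True) or 'Continue when rule is matched' (False)
    enabled: bool = True
    log: bool = False     # 'Log when rule is applied'


def ddm_template_to_python(template: str) -> str:
    # Convert the slide's \(N) group placeholders into Python's \g<N>.
    return re.sub(r"\\\((\d+)\)", r"\\g<\1>", template)


def process(sql: str, rules: list) -> tuple:
    """Apply a rule set top-to-bottom; return (rewritten SQL, audit lines)."""
    audit = []
    for rule in rules:
        if not rule.enabled:
            continue                      # disabled rules are skipped
        regex = re.compile(rule.pattern, re.IGNORECASE)  # assumed case-insensitive
        if not regex.search(sql):
            continue
        rewritten = regex.sub(ddm_template_to_python(rule.replacement), sql)
        if rule.log:                      # what rule.log would record
            audit.append(f"rule={rule.name} original={sql!r} replaced={rewritten!r}")
        sql = rewritten
        if rule.stop:
            break                         # 'Stop' ends rule processing
    return sql, audit


# Constructed sample rule set: the slide's ACCOUNT rewrite, a disabled rule,
# and a catch-all (.*) rule that only audits the statement it passes through.
SAMPLE_RULES = [
    Rule("triple-account", r"ACCOUNT\s*=\s*(\w+)", r"ACCOUNT = \(1)*3", stop=False, log=True),
    Rule("disabled-block", r"(.*)", r"/* blocked */", enabled=False),
    Rule("audit-all", r"(.*)", r"\(1)", stop=True, log=True),
]

if __name__ == "__main__":
    out, audit = process("select * from customer where account=10", SAMPLE_RULES)
    print(out)
    print("\n".join(audit))
```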
Database access auditing with the rule.log file
• The rule.log file is populated when the ‘Log when rule is applied’ attribute is set
• Logging includes the original and replaced SQL request, time stamp, database name, statement processing rule set name and client information.
• It is stored in the activesecurity\log directory
• Logs are managed cyclically (10 files, each 20 MB in size)
• The Log loader utility uploads the logs into a central database repository
FAQ
• What is the performance overhead?
A> The propagation delay is about 150 microseconds per SQL statement (0.15 milliseconds), similar to a network propagation delay. Resource consumption is also negligible, about 2-3% CPU load (it can be installed on a dedicated server), and DDM security switching is applied only to specific programs, clients and IPs.
• What happens if DDM crashes?
A> First, it has never been reported; secondly, you can have two DDM servers with failover/load balancing between them, or fail over directly to the database.
• What about Stored Procedure masking (PL/SQL)?
A> We use wrappers that call the PL/SQL from another procedure that masks the result set returned.
• How can we identify SAP responsibilities and PeopleSoft roles?
A> For SAP we have a Java matcher that uses the session’s work process to run ABAP code that retrieves the SAP end-user name. For PeopleSoft we have a PL/SQL function that looks at v$session clientinfo for the same
Summary
This session showed you how to:
• Define statement processing rules
• Use regular expressions in rule matchers
• Import and export rules
• Test rules and see logs