AVDF 12.1.1.0 installation and configuration document 3

4) Select the protected target ORCL and click Apply in the lower corner:

5) Select some SQL statements and click Set Policy in the upper right corner:

6) Set the policy controls (Action: Warn, Logging Level: Always, Threat Severity: Medium) and click Save.

7) You can enter a filter condition in the search box, for example SQL statements containing DUAL, and click to start the search:

Only SQL containing DUAL is shown:

Select these SQL statements and set the policy controls:

8) Set the default rule: click Default Rule.

Edit the default policy, then click Apply Changes:

9) Add a new rule: all unseen DDL, DCL, and DML statements involving BONUS, EMP, and EMPLOYEES raise an alert and are logged every time, with the threat severity set to Major.

10) Configure the login failure alert, the invalid statement policy, and other settings under Policy Controls/Settings:

With 2 consecutive login failures within 30 s, an alert is raised on the third; an alert is also raised for invalid SQL statements:

Note: For the login failure alert and invalid SQL alert settings to take effect, database response must be activated first. (Log in to the Audit Vault Server with the administrator account avadmin, select Enforcement Points/ORCLEP on the Protected Targets tab, and enable database response.)

11) Click Publish in the upper right corner; the newly created policy can then be used for DBFW monitoring:

12) Apply the newly created policy for DBFW monitoring: on the Protected Targets tab, select the target orcl, select Firewall Policy, and click Change:

Select the newly created policy and click Save:

Test DBFW monitoring with the newly applied policy.
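The login failure threshold from step 10 (2 consecutive failures within 30 s, alert on the third), replayed over constructed login events. This is an added example, not part of the original post and not Oracle code; the per-client-IP counting, the reset on a successful login, and the event format are assumptions.

```python
from collections import defaultdict, deque

THRESHOLD = 2   # consecutive failures tolerated (value from step 10)
WINDOW_S = 30   # time window in seconds (value from step 10)

# Constructed sample events: (seconds, client IP, outcome)
SAMPLE_EVENTS = [
    (0,   "10.0.0.5", "FAIL"),
    (10,  "10.0.0.5", "FAIL"),
    (20,  "10.0.0.5", "FAIL"),   # third failure inside 30 s -> alert
    (25,  "10.0.0.9", "FAIL"),
    (40,  "10.0.0.9", "OK"),     # a successful login breaks the run
    (45,  "10.0.0.9", "FAIL"),
    (50,  "10.0.0.9", "FAIL"),   # only 2 consecutive failures -> no alert
    (100, "10.0.0.7", "FAIL"),
    (120, "10.0.0.7", "FAIL"),
    (140, "10.0.0.7", "FAIL"),   # first failure aged out -> no alert
]


def login_failure_alerts(events, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return (time, client) for every failure that exceeds the threshold."""
    recent = defaultdict(deque)  # client -> times of its consecutive failures
    alerts = []
    for ts, client, outcome in sorted(events):
        run = recent[client]
        if outcome != "FAIL":
            run.clear()          # assumption: success resets the counter
            continue
        while run and ts - run[0] > window_s:
            run.popleft()        # forget failures older than the window
        if len(run) >= threshold:
            alerts.append((ts, client))
        run.append(ts)
    return alerts


if __name__ == "__main__":
    for ts, client in login_failure_alerts(SAMPLE_EVENTS):
        print(f"t={ts}s ALERT: repeated login failure from {client}")
```

Running the same replay against real connection logs before publishing a policy shows how often a chosen threshold and window would have fired.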

  1. AVDF report test

This section looks at the main types of built-in AVDF reports: audit reports, compliance reports, and specialized reports. (Log in to the AVServer at https://AVServer_IP with the auditor account avauditor.)

    1. Audit report

On the Reports tab, select Built-in Reports/Audit Reports to see the various audit reports:

      1. Activity report

There are 11 kinds of activity reports, including the common data access, data change, login failure, user login/logout, authorization change, and protected target startup and shutdown reports. The three rows of buttons on the right are for browsing generated reports, viewing report data, and scheduling reports.

Taking the data change report as an example, users can enter conditions in the search box to filter for the content they are interested in:

      1. Alert report

1) On the Reports tab, select Built-in Reports/Audit Reports/Alert Reports:

2) Click the button in the second row of All Alerts to view the report data:

      1. Authorization report

1) First make sure the user authorization data has already been retrieved: on the Protected Targets tab, select Targets/orcl and click User Authorization (if the last checked time shows --, click on the right to retrieve the user authorization data).

2) On the Reports tab, select Built-in Reports/Audit Reports/Authorization Reports:

3) Click the button in the second row of the User Accounts authorization report to view the report data:

      1. Stored procedure audit report

1) First make sure stored procedure auditing has already been activated: on the Protected Targets tab, select Targets/orcl and click Stored Procedure Auditing.

2) On the Reports tab, select Built-in Reports/Audit Reports/Stored Procedure Audit Reports:

3) Click the button in the second row of the Stored Procedure Activity Overview report to view the report data:

    1. Compliance report

Compliance reports include the PCI, GLBA, HIPAA, SOX, and DPA reports.

Take the PCI report as an example:

1) Add the protected target to the PCI group: in Protected Targets/Management/Groups, select PCI:

2) Select the protected target, click Add Member, and then click Save:

This allows the protected target to generate PCI compliance reports.

3) On the Reports tab, select Compliance Reports/PCI Reports, and click to view the Data Modification data:

Data Modification (PCI) report:

    1. Specialized report

The specialized reports mainly relate to DBFW: policy reports and F5 reports. Policy reports cover client IP behavior tracking, OS user behavior tracking, alerts, blocking, and invalid SQL.

1) Client IP behavior tracking

2) Alert report


Origin blog.csdn.net/2301_76957510/article/details/129829935