Configure trust rules

更新时间:
复制 MD 格式

To audit specific database operations without triggering alerts, create custom trust rules.

Add a trust rule

Important

Requests on effective assets that match a trust rule do not generate alerts. Configure trust rules with caution.

  1. Log on to Database Audit. For more information, see Log on to Database Audit.

  2. In the left-side navigation pane, choose Rule Configuration > Trust Rule.

  3. Click Add.

  4. In the Add Rule panel, configure the rule parameters and click Save.

    Category

    Parameter

    Supported operators

    Description

    Basic Information

    Name

    N/A

    The name of the rule. The name must be 1 to 64 characters long and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Important

    The names of all user-defined rules for the same database must be unique.

    Description

    N/A

    The description of the rule.

    Client

    Client source

    Equals, Not equal to

    The IP address of the client. You can specify an IP address or an IP address group. You can enter multiple values separated by commas. Example: 192.168.XX.XX,192.168.XX.XX.

    Client tool

    Equals, Not equal to

    The name of the tool that the client uses. Supported match types: String and regular expression. You can enter multiple strings separated by commas. Example: db2bp.exe,javaw.exe,plsqldev.exe.

    Client port

    N/A

    The port number of the client. You can enter multiple values or ranges separated by commas. Example: 10-15,20,25,30-40.

    Client MAC address

    Equals, Not equal to

    The MAC address of the client. You can enter multiple values separated by commas. Example: fe:58:c0:39:**:**,fe:58:c0:55:**:**.

    Operating system username

    Equals, Not equal to

    The username for the client's operating system. Supported match types: String and regular expression. You can enter multiple strings separated by commas. Example: user01,user02.

    Hostname

    Equals, Not equal to

    The hostname of the client. Supported match types: String and regular expression. You can enter multiple strings separated by commas. Example: HostUser01,HostUser02.

    Application IP

    Equals, Not equal to

    The IP address of the client application. You can specify an IP address or an IP address group. You can enter multiple values separated by commas. Example: 192.168.XX.XX,192.168.XX.XX.

    Application username

    Equals, Not equal to

    The client's application username. Options: Custom and Select from Group. You can enter multiple values separated by commas. Example: TestUser01,TestUser02.

    Server

    Server IP

    Equals, Not equal to

    The IP address of the server. You can enter multiple values separated by commas. Example: 192.168.XX.XX,192.168.XX.XX.

    Server port

    N/A

    The port number of the server. You can enter multiple values or ranges separated by commas. Example: 10-15,20,25,30-40.

    Database account

    Equals, Not equal to

    The database logon username. Options: String, regular expression, and Select from Group. You can enter multiple strings separated by commas. Example: system,sys.

    Server MAC address

    Equals, Not equal to

    The MAC address of the server. You can enter multiple values separated by commas. Example: fe:58:c0:39:**:**,fe:58:c0:55:**:**.

    Database name (SID)

    N/A

    The name of the database on the server. Supported match types: String and regular expression. When using a string, enter the SID for Oracle databases or the database name for other databases. You can enter multiple strings separated by commas.

    Behavior

    Object group

    N/A

    The object group to which the SQL statement belongs. Supported values: Includes any object and Includes all objects.

    Operation type

    N/A

    The type of operation performed on the database. Valid values:

    • DDL: Truncate, Create, Alter, Drop, Comment, and Rename.

    • DML: Select, Insert, Update, Delete, Call, Explain, Lock, and Merge.

    • DCL: Grant and Revoke.

    • Others: UNKNOWN, Savepoint, Commit, Rollback, etc.

    SQL template ID

    N/A

    The ID of the SQL template. You can enter multiple values separated by commas.

    SQL keyword

    N/A

    Configure the following parameters:

    1. Add conditions.

      In the condition box, enter the content to match. Regular expressions are supported. Click Add condition to add multiple conditions.

      After you add a condition, you can perform Regex validation to verify whether the specified content matches the regular expression. Perform the following steps:

      1. Click Regex validation to the right of the condition.

      2. In the Regex validation dialog box, confirm the Regular expression and enter the Content to validate.

      3. Click Validate.

    2. Write a conditional expression.

      Use AND (&), OR (|), NOT (~), and parentheses to describe the logical relationships between conditions. Conditions are represented by sequence numbers. For example, "1" represents Condition 1.

      Example: 1&2 indicates that the rule is matched only if both Condition 1 and Condition 2 are met.

    SQL length

    Greater than or equal to

    The length of the SQL statement. The value range is 1 to 65,536 bytes.

    Number of associated tables

    Greater than or equal to

    The number of tables that are associated with the SQL operation. If an SQL operation involves this number of tables or more, Database Audit does not generate an alert. The maximum value is 255.

    WHERE clause

    N/A

    Specifies whether the SQL statement contains a WHERE clause. Valid values: Do not judge, Contains WHERE clause, and Does not contain WHERE clause.

    Result

    Execution duration

    Greater than or equal to, Less than or equal to, Range

    The execution duration of the SQL statement. Supported units: seconds, milliseconds, and microseconds. The value must be between 0 and 1,800 seconds.

    Affected rows

    Greater than or equal to, Less than or equal to, Range

    The number of affected rows. The value must be in the range of 0 to 999,999,999. If the number of rows affected by an SQL operation falls within this range, Database Audit does not generate an alert.

    Result set

    N/A

    Configure the following parameters:

    1. Add conditions.

      In the condition box, enter the content to match. Regular expressions are supported. Click Add condition to add multiple conditions.

      After you add a condition, you can perform Regex validation to verify whether the specified content matches the regular expression. Perform the following steps:

      1. Click Regex validation to the right of the condition.

      2. In the Regex validation dialog box, confirm the Regular expression and enter the Content to validate.

      3. Click Validate.

    2. Write a conditional expression.

      Use AND (&), OR (|), NOT (~), and parentheses to describe the logical relationships between conditions. Conditions are represented by sequence numbers. For example, "1" represents Condition 1.

      Example: 1&2 indicates that the rule is matched only if both Condition 1 and Condition 2 are met.

    Execution status

    N/A

    The execution status of the operation, such as success or failure.

    Execution result description

    Matches, Does not match

    The keywords contained in the execution result. You can use a regular expression for matching.

    Other

    Effective period

    N/A

    The time period when the rule is active. Options: Custom and Select from Group.

  5. Set the effective assets for the rule.

    1. Click the number in the Asset count column for the rule.

    2. In the Set assets to which the rule is applied dialog box, select the assets to which you want to apply the rule and click OK.

      After you set the effective assets, the rule immediately applies to all the specified assets.

Related operations

  • Edit a trust rule

    To modify a trust rule, click Edit in the Actions column for that rule.

  • Enable a trust rule

    A rule is enabled automatically when you apply it to one or more assets.

  • Disable a trust rule

    A rule is disabled when it is not applied to any assets (its asset count is 0).

  • Delete a trust rule

    To delete an unneeded rule, click Delete in the Actions column for that rule.

References

  • Database Audit provides filter rules, trust rules, and security rules. For more information about these rules, including their descriptions and matching process, see rule overview.