Hedgehog. User's Guide. January Release 3.5


Copyright All Rights Reserved. Hedgehog is a trademark of Sentrigo, Ltd. This material is proprietary of Sentrigo Ltd. Any unauthorized reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This material is meant solely for the use of Sentrigo Networks employees and authorized customers.

Table of Contents

Introducing Hedgehog
    Available Versions; Deployment
Hedgehog Server Administration
    Hedgehog Server Process Management; Tuning the Hedgehog Server Performance
Hedgehog Sensor Administration
    Hedgehog Sensor Process Management; Hedgehog Sensor Configuration
Overview of the Hedgehog Web Console
    Accessing the Hedgehog Web Console; Hedgehog Web Console Components; System-Wide Functionality; Sorting List Data; Changing Your Password; Viewing Your License Information; Logging Out
Alerts
    Viewing the Alerts List; Filtering the Alerts List; Defining the Filter Criteria; Saving a Filter; Applying a Filter; Viewing the Properties of a Filter; Deleting a Filter; Viewing Alert Details; Handling Alerts; Resolving an Alert; Resolving Multiple Alerts; Creating a Rule Based on an Alert; Creating Trust for a Session; Creating an Exception to a Rule Based on an Alert; Terminating a Session; Printing Alert Reports; Archiving Alerts
Hedgehog Dashboard
    Recalculating Chart Data; Filtering the Dashboard Alerts; Setting the Number of Most Active Rules
Sensors
    Viewing the Sensors List; Filtering the Sensors List; Viewing Monitored DBMSs by Sensor; Viewing Sensor Details; Approving a Sensor; Approving the DBMS(s); Changing the Sensor Action for a DBMS; Stopping a Sensor; Deleting a Sensor; Troubleshooting the Sensor Installation; Troubleshooting Procedures; Running the Diagnostic Tool
DBMSs
    Viewing the DBMSs List; Filtering the DBMSs List; Viewing DBMS Properties and Triggers; Enabling/Disabling Triggers; Configuring the Failed Logins Trigger; Configuring the Character Set; Enabling Application Mapping; Viewing Sensors by DBMS; Managing DBMS Groups; Viewing DBMS Groups; Creating a DBMS Group; Viewing/Editing a DBMS Group; Deleting a DBMS Group; Applying DBMS Actions
Rules
    Viewing Rules; Filtering the Rules List; Viewing the Rule Properties; Enabling/Disabling Rules; Managing vpatch Rules; Viewing the Properties of a vpatch Rule; Configuring the Action for a vpatch Rule; Configuring the Action for a DBMS; Installing/Removing vpatch Rules; Updating the Security Level of the vpatch Rules; Managing Custom Rules; Creating a Custom Rule; Cloning a Rule; Changing the Order of Custom Rules; Editing a Custom Rule; Removing a Custom Rule; Importing and Exporting Rule Settings; Rule Syntax; Rule Examples; Identifiers; Operators; Managing Rule Objects; Creating a Rule Object; Viewing/Editing Rule Object Properties; Deleting a Rule Object; Application Mapping; Creating an Alert Rule Using the Application Mapping; DBMS Access Info; Working with Tags; Assigning Tags to Rules; Assigning Rules to DBMSs based on Tags; Viewing Tags per DBMSs/DBMS Groups; Importing/Exporting Rules; Exporting Rules; Importing Rules; Viewing Rule Revisions; Filtering the Rule Revisions List; Viewing Rule Revision Details; Comparing Revision Details; Configuring Rule Modification and Application Mapping Notifications
Compliance
    Configuring a Compliance Rule; Saving Partial Compliance Rule Settings; Editing Compliance Rules
Roles
    Predefined Roles; Viewing the Roles List; Filtering the Roles List; Viewing Role Details; Creating a New Role; Editing the Permissions of an Existing Role; Removing a Role
Users
    Viewing the Users List; Filtering the Users List; Viewing User Details; Adding a User; Editing User Properties; Changing a User's Permissions; Changing a User's Password; Removing a User; Exporting Users; Importing Users; Password Policy
System
    Configuring the Outgoing Account; Configuring LDAP; Configuring SNMP; Configuring the Syslog; Configuring the Windows Event Log; Configuring Log to File; Configuring VPN-1 Blocking; Configuring Twitter; Configuring the XML API; Managing Resolve Types; Creating a Resolve Type; Editing a Resolve Type Name; Deleting a Resolve Type; Alert Archiving; Automatic Archiving; Manual Alert Archiving; Unarchiving/Re-archiving an Archive File; Removing an Alert Archive; Quarantining Users; Configuring the Quarantine Parameters; Removing a User from Quarantine; Viewing Clusters; Viewing the History List; Filtering the Actions History List; Setting the Time Period for Saving Actions History; Viewing Actions History Details; IDentifier; Configuring and Downloading Server Logs; Viewing System Messages; Filtering the Messages List; Viewing System Message Details; Marking System Messages as Read/Unread; Deleting a System Message; Configuring System Messages; Viewing Backend DBMS Details
Updates
    Configuring Update Settings; Manually Checking for/installing Security Updates; Manually Checking for/installing Server Software Updates; Manually Checking for/installing Sensor Software Updates; Installing Offline Updates; Viewing the Update History
Reports
    Generating System Reports; Working with Dynamic Reports; Creating a Dynamic Report; Viewing/Editing the Properties of a Dynamic Report; Scheduling a Dynamic Report; Running a Dynamic Report; Deleting a Dynamic Report; Configuring the Report Settings
XML API
    Sensor Service; Alert Service
Working with External Databases
    Migrating the Internal Database to an External Database; Migrating to an MSSQL Database; Migrating to an Oracle Database; Changing the Configured Password for the External Database; Creating Your Own Database (Advanced Configuration)
Working with the Hedgehog Server in Cluster Mode
    Configuring your Hedgehog Server to Work in Cluster Mode; Viewing the Current Cluster Configuration
Troubleshooting

1 Introducing Hedgehog

Hedgehog is an easy-to-deploy software solution that monitors the Database Management System (DBMS) and protects it from both internal and external threats. Hedgehog provides full visibility into DBMS user activity and can issue alerts or terminate suspicious activities based on predefined vpatch rules and custom rules.

Modular in design and based on open standards, Hedgehog easily integrates with centralized enterprise security management systems and user access rights directories.

In line with the layered defense strategy employed by leading enterprises, Hedgehog complements other security measures, such as encryption, network security and vulnerability assessment tools, by providing a hardened security layer surrounding the DBMS itself.

Hedgehog's key advantages include:
- Monitoring of all DBMS activities, including the activities of authorized and privileged users
- Prevention of intrusion, data theft, and other attacks on the DBMS
- Real SQL Injection Protection (Inflow)
- Rule-based policies for users, queries and DBMS objects
- Quarantine rogue users
- Quick and easy deployment and configuration

1.1 Available Versions

Hedgehog is available in three versions:
- Standard: The Standard version provides monitoring and management of database activity for a single database, and basic reporting functionality.
- Enterprise: The Enterprise version provides all functions included in the Standard version as well as monitoring and management of database activity for multiple databases and vpatch service (optional). It also includes prevention, cluster support, third-party integration, compliance modules and advanced reporting functionality.
- vpatch: The vpatch version is an annual service that includes the vpatch functionality, vpatch updates and silver support. vpatch does not include the capability of customizing rules and the compliance modules.

1.2 Deployment

The Hedgehog solution can be used in support of simple, single DBMS installations as well as complex, multi-server, multi-DBMS installations without hindering performance.

The Hedgehog solution comprises three components:
- Hedgehog Sensor: A small-footprint process that runs on the DBMS host server in a safe, dedicated OS user-space using patent-pending technology. The sensor enables the monitoring of all local and network access to the DBMS(s) in real-time.
- Hedgehog Server: A J2EE server that communicates with all installed sensors. The Hedgehog server does not require a dedicated machine.
- Hedgehog Web Console: A rich Web-based GUI dashboard that enables the administrator to review alerts, and define rules and policies.

The Hedgehog Sensor monitors access to the DBMS and sends transaction data to the Hedgehog Server. Based on the policies defined via the Hedgehog Web Console, the Server logs the transaction, issues an alert, and/or prevents access to the DBMS.

Note: For a description of the installation process, refer to the Hedgehog Installation Guide.

2 Hedgehog Server Administration

This section includes the following topics:
- 2.1 Hedgehog Server Process Management
- 2.2 Tuning the Hedgehog Server Performance

2.1 Hedgehog Server Process Management

To manage the Hedgehog Server process:
- On Linux/Solaris, run: /etc/init.d/sentrigo-server start/stop/restart/status
- On AIX, run: /etc/rc.d/init.d/sentrigo-server start/stop/restart/status
- On HPUX, run: /sbin/init.d/sentrigo-server start/stop/restart/status
- On Windows, run: services.msc and look for the service "Hedgehog"

The following options are available:
- Start: Starts the Hedgehog Server process.
- Stop: Stops the Hedgehog Server process.
- Restart: Restarts the Hedgehog Server process.
- Status: Checks the status of the Hedgehog Server process (running or stopped).

2.2 Tuning the Hedgehog Server Performance

If you are experiencing performance issues with your Hedgehog Server running on a Windows platform, it is recommended that you set your JVM to run in Server mode.

To set JVM to run in Server mode:
1. Install the Sun Java JDK.
2. Run hedgehogw.exe located at the Hedgehog Server installation bin directory (the default location is: C:\Program Files\Sentrigo\Hedgehog\bin). The Hedgehog Properties window is displayed.
3. On the Java tab, configure the executable to use the jvm.dll located in the server directory in the JRE of the JDK. For example: C:\Program Files\Java\jdk1.6.0\jre\bin\server\jvm.dll
4. Click the Apply button and restart the Hedgehog Server.
5. If you still experience performance problems, contact Sentrigo's support.

3 Hedgehog Sensor Administration

This section includes the following topics:
- 3.1 Hedgehog Sensor Process Management
- 3.2 Hedgehog Sensor Configuration

3.1 Hedgehog Sensor Process Management

To manage the Hedgehog Sensor process:
- On Linux/Solaris, run: /etc/init.d/sentrigo-sensor start/stop/restart/status
- On AIX, run: /etc/rc.d/init.d/sentrigo-sensor start/stop/restart/status
- On HPUX, run: /sbin/init.d/sentrigo-sensor start/stop/restart/status
- On Windows, run: services.msc and look for the service "HedgehogSensor"

The following options are available:
- Start: Starts the Hedgehog Sensor process.
- Stop: Stops the Hedgehog Sensor process.
- Restart: Restarts the Hedgehog Sensor process.
- Status: Checks the status of the Hedgehog Sensor process (running or stopped).

3.2 Hedgehog Sensor Configuration

You can control the Hedgehog Sensor configuration by running the following tool:
- On Linux, run: /etc/sysconfig/sentrisensor
- On Solaris, run: /etc/default/sentrigo-sensor
- On AIX, run: /etc/sentrigo-sensor
- On HPUX, run: /etc/rc.config.d/sentrigo-sensor
- On Windows, run sentrisensor.exe

Follow the on-screen instructions to modify:
- Hedgehog Server host and IP address
- Hedgehog Sensor log file location, log level, and maximum size and number of log files.
- Hedgehog Sensor update directory. This is the directory used for the Sensor software updates. As each software update occupies about 50MB, if you are low on disk space at the default location, you may want to edit this setting to point to a different location.

4 Overview of the Hedgehog Web Console

The Hedgehog Web Console enables you to manage various aspects of the Hedgehog functionality, including viewing alerts, approving sensors, defining rules, policies, roles and users, and configuring security updates.

This section includes the following topics:
- 4.1 Accessing the Hedgehog Web Console
- 4.2 Hedgehog Web Console Components
- 4.3 System-Wide Functionality

4.1 Accessing the Hedgehog Web Console

The Hedgehog Web Console can be accessed using either of the following Web browsers:
- Mozilla Firefox 1.5 or above
- Microsoft Internet Explorer 6.0 or above

A minimum of 128MB RAM is recommended.

To access the Hedgehog Console:
1. In your Web browser, enter the URL of the Hedgehog Server based on the information configured in the installation in the format: number>. Note: The default port number is
   The Welcome page is displayed.
2. Enter the administrator username and password as configured in the installation, and click Login. The Hedgehog Web Console is displayed.

4.2 Hedgehog Web Console Components

The Hedgehog Web Console comprises the following pages:
- Alerts: Lists the alerts generated by the Hedgehog Server. For details, refer to 5 Alerts.
- Dashboard: Displays a range of statistical data regarding the status of alerts, DBMS monitoring, security updates, and rules. For details, refer to 6 Hedgehog Dashboard.
- Sensors: Lists the installed Hedgehog Sensor(s) and their approval status. For details, refer to 7 Sensors.
- DBMSs: Lists the DBMSs on which Hedgehog sensors have been installed, and enables you to view the properties of each DBMS. For details, refer to 8 DBMSs.
- Rules: Lists existing predefined (vpatch) and custom rules, and enables you to create rules as well as to manage the rules that are enabled and applied on each DBMS. For details, refer to 9 Rules.
- Compliance: Enables the configuration of Compliance rules based on established international standards and regulations. For details, refer to 10 Compliance.
- Permissions: Lists the defined roles and authorized users in the system, and enables you to add new roles/users and manage the permissions that apply to each role/user. For details, refer to 11 Roles and 12 Users.
- System: Lists the history of actions performed by users in the GUI and enables various system-wide configurations. For details, refer to 13 System.
- Updates: Enables the configuration and execution of automatic and manual security and software updates. For details, refer to 14 Updates.
- Reports: Available only for Enterprise or vpatch users, provides detailed reporting for alerts and system history. For details, refer to 15 Reports.

You can easily navigate between the pages by selecting the corresponding tab at the top of any page.
You can log out of the Hedgehog Web Console from any page by clicking Logout at the top of any page.
You can access the Hedgehog help by clicking Help near the top of any page.
You can access the Hedgehog support site on the Internet by clicking Support at the top of any page.

4.3 System-Wide Functionality

This section addresses specific system-wide functionalities and includes the following topics:
- Sorting List Data
- Changing Your Password
- Viewing Your License Information
- Logging Out

Sorting List Data

To facilitate the viewing of data in the Hedgehog Web Console, you can set the criteria by which each of the various lists is sorted. You can sort a list according to multiple criteria by setting the hierarchy of sort criteria (primary, secondary, and so on) in the Sort By page.

Note: You can sort a list by a single criterion at any time by clicking the head of the column according to which you want to sort the data. Click again to reverse the order (ascending/descending).

To sort a list:
1. Click Sort Options above the table to be sorted. The Sort By page is displayed. The current sorting criteria are listed in the Sort By pane, in the order in which they take precedence. The sort order is indicated by an (a) for ascending or (d) for descending. The following example shows the Sort By page for the Alerts list. The primary sort criterion is the Level of the alert in descending order (i.e., high severity first); the secondary sort criterion is the Timestamp, also in descending order (i.e., most recent first). The available columns are listed in the Table Columns pane.
2. To sort by a specific data column, select the column name in the Table Columns pane and click to apply the sort criteria in ascending order or click to apply the sort criteria in descending order. (To reverse the directional setting of a sort criterion, select the column name in the Sort By pane and click and then or as required).
3. To change the position of the sort criteria, select the column name in the Sort By pane and click or to move the column name up or down accordingly.

4. To remove a column name from the sort criteria, select the column name in the Sort By pane and click.
5. Click OK to apply the sort criteria to the list.

Changing Your Password

For security purposes, it is recommended that you change your password from time to time or according to your corporate policy.

To change your password:
1. Click Change Password at the top of any page. The Change Password page is displayed.
2. Enter your current password in the Old Password field.
3. Enter your new password in the New Password field and then enter it again in the Confirm Password field.
   Note: The password must comprise at least four characters. (It is highly recommended to use longer passwords and refrain from using passwords that can be easily guessed by others.)
4. Click OK. Your password is changed.

Note: Hedgehog Enterprise and vpatch allow you to use an external LDAP server (such as Active Directory) to manage the system users. You do not have to manage your passwords within Hedgehog if you are using an external LDAP server. For details, refer to 13.2 Configuring LDAP.

Viewing Your License Information

You can view the current status of your Hedgehog license, as well as third-party license details and the Hedgehog End User License Agreement (EULA).

To view the license information:
Click License at the bottom of any page. The Hedgehog License Information page is displayed.

Notes:
- If your Hedgehog Enterprise License expires, the system license will automatically be downgraded to Hedgehog Standard version and the advanced options will no longer be available.
- To import your license data from a file, click Upgrade License From a File.

Logging Out

When you are not actively using the Hedgehog Web Console, it is recommended that you log out of the system.

To log out:
Click Logout at the top of any page. You are logged out of the system; you must log in again if you need to use the Hedgehog Web Console.

5 Alerts

Based on both vpatch rules and custom rules, Hedgehog issues alerts on suspicious activities, enabling potential problems to be addressed in a timely manner.

Alerts can be handled in a variety of ways in keeping with company policy and constraints. You can resolve an alert or you can immediately terminate a potentially dangerous DBMS session in response to an alert. In addition, you can create a new rule based on the scenario that triggered the alert (particularly useful in preventing future false positives) or establish trust for a specific current session.

This section includes the following topics:
- 5.1 Viewing the Alerts List
- 5.2 Filtering the Alerts List
- 5.3 Viewing Alert Details
- 5.4 Handling Alerts
- 5.5 Printing Alert Reports
- 5.6 Archiving Alerts

5.1 Viewing the Alerts List

The Alerts page lists the alerts generated by the Hedgehog Server, including the following parameters:
- Level: The level of the alert, as indicated by the following icons: A blue icon indicates a low level alert. An orange icon indicates a medium level alert. A red icon indicates a high level alert.
- DBMS: The name of the DBMS for which the alert was generated.
- Time: The date and time when the alert was generated.
- Resolution: The state of the alert (Unresolved, Resolved, False Alarm, Session Terminated, and so on).
- Statement: The requested operation (original SQL statement) that triggered the alert.
- Rules: The name(s) of the rule(s) that generated the alert.

- Action(s): The actions that can be performed on this rule, as indicated by the following icons: Create new rule; Resolve alert; Trust Session; Terminate Session; Excessive Behavior.

Excessive behavior: If a single alert is generated for multiple instances of the same rule violation, the icon is displayed. The alert details displayed are for the last transaction to violate the rule.

From the Alerts page, you can:
- Filter the Alerts list according to various alert properties, as described in 5.2 Filtering the Alerts List.
- Set the criteria by which the list is sorted, as described in Sorting List Data.
- View the details of a specific alert, as described in 5.3 Viewing Alert Details.
- Perform various actions on one or more alerts, including resolving an alert, creating a rule based on an alert, creating trust for a session, or terminating a session, as described in 5.4 Handling Alerts.

5.2 Filtering the Alerts List

To facilitate the viewing of alerts data, you can filter the Alerts list according to various alert properties. In addition, you can save filter criteria as customized filters, eliminating the need to redefine the filter criteria each time you view the Alerts list. By default, the most recently applied filter is applied to the Alerts list each time you access the Alerts page.

This section includes the following topics:
- Defining the Filter Criteria
- Saving a Filter
- Applying a Filter
- Viewing the Properties of a Filter
- Deleting a Filter

Defining the Filter Criteria

You can set the filter criteria that determine the Alerts that are displayed in the Alerts list.

To define the filter criteria:
1. Expand the Edit Filters area above the Alerts list.
2. Set one or more filter criteria by entering/selecting the relevant values (for example, DBMS, Resolution, or Level). Note that free-text field filters also match the entered string as a substring of the field's value. For example, if you enter "General SQL" in the Rule Name field, all alerts triggered by all the General SQL Injection rules are shown.
3. In the Statement, Client ID, OS User, Module, User, Host Name, and Application fields, you can use one or more of the following symbols to define the matching criteria:
   =    exact match
   !    not similar to
   !=   is not the same as/equal to
   \    ignore escape characters

   For example, if you enter =scott in the User field only those alerts for the user "scott" are displayed (and not scott1 or jscott). If you enter \=scott, all alerts containing the string =scott are displayed (scott, scott1 and jscott).
   Note: The ! and = symbols cannot be used in the Statement field.
4. From the Display alerts per page dropdown list, select the number of alerts to display on each page.
5. (Optional) To sort the results according to specific criteria, click Sort Options and set the sort criteria.
6. Click Apply. The list of alerts is filtered to display only those alerts that match the filter criteria.

Note: To clear all filter selections, click Clear. Click Apply again to retrieve the unfiltered list.

Saving a Filter

You can save filter criteria as customized filters, eliminating the need to redefine the filter criteria each time you view the Alerts list. You can create and save multiple filters and easily alternate between the saved filters as the need arises.

To save a filter:
1. Define the filter criteria as defined in Defining the Filter Criteria.
2. Click Save. The Save Filter Details page is displayed.

3. Enter the name of the filter in the Name field.
4. Enter a brief description of the filter in the Description field.
5. Click Save as required. The view name is added to the Filters list.

Applying a Filter

You can apply a saved filter to the Alerts list.

To apply a filter:
1. Select the view from the Filters dropdown list. The filter criteria in the Set Filter values area are refreshed to reflect the values of the customized view.
2. Click Apply to apply the selected filter to the Alerts list.

Note: By default, the most recently applied filter is applied to the Alerts list each time you access the Alerts page.

Viewing the Properties of a Filter

You can view the criteria that define a saved filter.

To view the filter criteria:
Select the view from the Filters dropdown list and click Edit. The filter details are displayed for the selected filter.

Deleting a Filter

You can delete a saved filter.

To delete a filter:
1. Select the view from the Filters dropdown list.
2. Click Delete Filter. A confirmation message is displayed.
3. Click OK. The Filter is deleted and is no longer available from the Filters dropdown list.

5.3 Viewing Alert Details

To view the details of a specific alert, click the sign next to the alert. Additional alert details are displayed below the Alert's row:
- User: The DBMS user.
- OS User: The operating system user.
- Rules: The rule(s) that generated the alert. Clicking the rule name displays the Rule details page for the rule.
- Duplicate alerts amount: An alert is counted as duplicate if it was submitted from the same session within 1.5 seconds of the previous one or if it is one of the last 3 alerts submitted. This field indicates the number of aggregated duplicate alerts.
- Statement: The SQL statement that triggered the alert.
- DBMS: The name of the DBMS for which the alert was generated.
- Application: The application that created the SQL statement that triggered the alert.
- IP: The IP address of the user (if available).
- Hostname: The user hostname (if available).
- ID: Alert ID (automatically generated by the system).

Note: The specific details displayed vary according to the type of database that is monitored.

To view further, more advanced details for the selected alert, click Detailed View. The Alert Details page is displayed.

The following alert details are displayed in the Alert Details page in read-only format:
- Sensor: The name of the sensor that generated the alert.
- Session ID: The session ID provided by the DBMS.
- Serial#: Relevant for Oracle only. The serial number generated by Oracle for this instance of the Session. This ID, when taken together with the Session ID, provides a unique session identifier.
- User: The DBMS user.
- OS User: The operating system user.
- Action: The application action.
- CMD Type: The SQL command type.
- Log on time: Relevant for MSSQL only. The time when the user logged on to the application. This field, when taken together with the Session ID, provides a unique session identifier.

- DBMS: The name of the DBMS for which the alert was generated.
- Application: The application that created the SQL statement that triggered the alert.
- IP: The IP address of the user (if available).
- Hostname: The user hostname (if available).
- Terminal: The user terminal (if available).
- Module: The module that generated the alert.
- Client ID: The Client ID of the application user that triggered the alert (if available).
- Context Info: In MSSQL only. It usually contains the user information. (It is used instead of the Application, Module and Client ID fields that are used in Oracle).
- Statement: The SQL statement that triggered the alert.
- Rules: The rule(s) that generated the alert. Clicking the rule name displays the Rule details page for the rule.
- Accessed Objects: The objects within the DBMS that were accessed as a result of the operation.
- Inflow SQL: The SQL statement components that originated the action (e.g., declare).
- Inflow Objects: The original PL/SQL program units within the DBMS that originated the SQL command.
- Resolution: The type of alert resolution.
- Resolved by: The user that resolved the alert.
- Resolve date: The date and time when the alert was resolved.
- Reason: The reason for the alert's resolution (if available).
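The duplicate-alert rule and the session identifiers described in 5.3 matter when alerts are post-processed outside the console: keying on the Session ID alone merges alerts from different sessions. The following Python is an added example, not part of the original guide or of Hedgehog itself. It models only the 1.5-second clause of the duplicate rule (the "last 3 alerts" clause is not modelled), and the Alert record, its field names, the DBMS names and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# The guide counts an alert as a duplicate when it comes from the same
# session within 1.5 seconds of the previous one.
DUPLICATE_WINDOW = timedelta(seconds=1.5)


@dataclass
class Alert:
    """Hypothetical record for one exported alert (field names are assumptions)."""
    dbms_type: str                         # "oracle" or "mssql"
    dbms: str                              # DBMS name
    session_id: int                        # Session ID provided by the DBMS
    time: datetime                         # when the alert was generated
    serial: Optional[int] = None           # Serial# (Oracle only)
    logon_time: Optional[datetime] = None  # Log on time (MSSQL only)


@dataclass
class Group:
    first: Alert         # the alert that opened the group
    duplicates: int = 0  # number of aggregated duplicate alerts


def session_key(a: Alert) -> Tuple:
    """Session identity as the guide describes it: Session ID plus Serial#
    on Oracle, Session ID plus Log on time on MSSQL. Adding the DBMS name
    is an assumption made here for exports that cover several DBMSs."""
    if a.dbms_type == "oracle" and a.serial is not None:
        return (a.dbms, a.session_id, a.serial)
    if a.dbms_type == "mssql" and a.logon_time is not None:
        return (a.dbms, a.session_id, a.logon_time)
    raise ValueError("alert lacks the field that makes its session unique")


def naive_key(a: Alert) -> Tuple:
    """Session ID only: ambiguous, because DBMSs reuse session IDs."""
    return (a.dbms, a.session_id)


def aggregate(alerts: List[Alert],
              key: Callable[[Alert], Tuple] = session_key) -> List[Group]:
    """Fold each alert into the group of the previous alert from the same
    session when it arrives within DUPLICATE_WINDOW of that alert."""
    groups: List[Group] = []
    previous: Dict[Tuple, Tuple[int, datetime]] = {}  # key -> (group, time)
    for a in sorted(alerts, key=lambda x: x.time):
        k = key(a)
        seen = previous.get(k)
        if seen is not None and a.time - seen[1] <= DUPLICATE_WINDOW:
            index = seen[0]
            groups[index].duplicates += 1
        else:
            groups.append(Group(first=a))
            index = len(groups) - 1
        previous[k] = (index, a.time)
    return groups


# Constructed sample data: Oracle session 131/4012 ends and its Session ID
# is reused by session 131/4013; MSSQL session 55 is likewise reused after
# a new logon.
T0 = datetime(2010, 1, 4, 10, 0, 0)


def _at(ms: int) -> datetime:
    return T0 + timedelta(milliseconds=ms)


SAMPLE_ALERTS = [
    Alert("oracle", "HR_DB", 131, _at(0), serial=4012),
    Alert("oracle", "HR_DB", 131, _at(400), serial=4012),
    Alert("oracle", "HR_DB", 131, _at(900), serial=4013),
    Alert("oracle", "HR_DB", 131, _at(1600), serial=4013),
    Alert("oracle", "HR_DB", 131, _at(5000), serial=4013),
    Alert("mssql", "CRM_DB", 55, _at(200), logon_time=T0 - timedelta(hours=1)),
    Alert("mssql", "CRM_DB", 55, _at(500), logon_time=_at(300)),
]

if __name__ == "__main__":
    for label, key in (("full key", session_key), ("session ID only", naive_key)):
        groups = aggregate(SAMPLE_ALERTS, key)
        print(label, [(g.first.dbms, g.first.session_id, g.duplicates) for g in groups])
```

With the full key the seven sample alerts stay attributed to four sessions; with the Session ID alone, the alerts of the two reused sessions disappear into the duplicate counts of their predecessors.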

5.4 Handling Alerts

Alerts are triggered based on the rules defined and applied to SQL statements sent to the DBMS. As part of the monitoring process, you can view the alert information and take appropriate action as described in the following sections:
- Resolving an Alert
- Resolving Multiple Alerts
- Creating a Rule Based on an Alert
- Creating Trust for a Session
- Creating an Exception to a Rule Based on an Alert
- Terminating a Session

Resolving an Alert

When an alert is first triggered, the alert is displayed in the Alerts list with a default status of Unresolved. You can review the details of the alert and, depending on its specific properties, change its resolution state to either Resolved or False Alarm. You can also change the state of a resolved alert back to unresolved.

Note: For easier monitoring, you can filter the Alerts list to show only Unresolved alerts. For details, refer to 5.2 Filtering the Alerts List.

To resolve an alert:
1. In the Alerts list, select the alert that is to be resolved. Click the sign next to the alert. Additional alert details are displayed below the Alert's row. Review the alert details and click Resolve to resolve the alert. The Resolve Alert page is displayed.

2. Select the applicable resolution option from the dropdown list.
   Note: Hedgehog is provided with preconfigured resolve types. Hedgehog Enterprise and vpatch users can define additional resolve types to meet their specific needs. For details, refer to Managing Resolve Types.
3. Enter a brief summary of the reason for resolving the alert.
4. Click Resolve. In the Alerts list, the alert details are updated to reflect the new resolution status.

Resolving Multiple Alerts

You can change the resolution state of multiple alerts.

Note: For easier monitoring, you can filter the Alerts list to show only Unresolved alerts. For details, refer to 5.2 Filtering the Alerts List.

To resolve multiple alerts:
1. In the Alerts list, select the alerts to be resolved in one of the following ways:
   - Select the checkboxes for the specific alerts in the Alerts list.
   - Click the All link above the table header to select all alerts in the Alerts list.
   - Click the Page link above the table header to select all alerts in the page of the Alerts list that is currently displayed.

2. Click Resolve to resolve the selected alerts. The Resolve Multiple Alerts page is displayed.
3. Select the applicable resolution option from the dropdown list.
   Note: Hedgehog is provided with preconfigured resolve types. Hedgehog Enterprise and vpatch users can define additional resolve types to meet their specific needs. For details, refer to Managing Resolve Types.
4. Enter a brief summary of the reason for resolving the alerts.
5. Click Resolve. In the Alerts list, the selected alerts are updated to reflect the new resolution status.

Creating a Rule Based on an Alert

You can create a rule based on an alert in the Alerts list. This is particularly helpful when you need to create an exception, for example, to prevent the repeated occurrence of false positives. The resulting rule is based on the criteria that triggered the alert, eliminating the need to define a custom rule from scratch. The rule can then be edited and positioned in the Custom Rules list as required.

To create a rule based on an alert:
1. In the Alerts list, click the sign next to the alert that is to serve as the basis of a rule. The alert details are displayed below the Alert's row.
2. Review the alert details and click Create Rule. The Create Rule page of the Custom Rules tab is displayed, with an automatically generated condition based on the details of the originating alert. Note that this is by default an Allow rule.
3. Edit the rule details to refine its properties and select the DBMSs the rule should be installed on. (For a detailed description of the rule components and how they are defined, refer to Creating a Custom Rule.)
4. Click Save. The new rule is created and added at the top of the Custom Rules list.

5 Move the rule to the appropriate location in the Custom Rules list by clicking the directional arrows. (For details, refer to Changing the Order of Custom Rules.) Click Save to save the new order.

Note: Exceptions are typically placed immediately above the rule that triggered the alert.

The Alerts list is updated to show Rule Created as the resolution status of the alert.

Creating Trust for a Session

If you want to ignore the alerts for a specific session, you can create trust based on an alert for that session, for example, if you detect a long session that is repeatedly generating false alarms.

The trust is created for the current session only. As previously mentioned, a session is identified by the system according to the DBMS session ID and an internal Hedgehog ID. This prevents wrongly identifying more than one session as a single session (because DBMSs sometimes reuse session IDs). If the behavior that triggered the alerts is repeated in a new session, alerts will be triggered and displayed accordingly.

Note: Trust should only be created after you have examined the alert details and determined that the session does not pose a security threat.

To create trust for a session:

1 In the Alerts list, click the sign next to the alert that is to serve as the basis for creating trust. Additional alert details are displayed below the alert's row.
2 Review the alert details and click the Trust Session icon. The Trust Session for Alert page is displayed.

3 Enter a brief summary of the reason for trusting the session.
4 Click Trust. The Alerts list is updated to show Trusted as the resolution status of the alert, and the behavior that triggered the alert is ignored for the duration of the current session.

Creating an Exception to a Rule Based on an Alert

You can create an exception to a vpatch or custom rule based on an alert, for example, to prevent the repeated occurrence of false positives.

To create an exception:

1 In the Alerts list, click the sign next to the alert that is to serve as the basis of the exception. The alert details are displayed below the alert's row.
2 Review the alert details and click the Add Exception icon. The properties page under the respective rules tab is displayed, with an automatically generated condition based on the details of the originating alert in the Exception field.
3 Edit the rule details to refine its properties (for example, to allow a specific IP address). (For a detailed description of the rule components, refer to 9.1 Viewing Rules.)
4 Click Save to save your changes.

If the alert was triggered by a number of rules, a dialog box is displayed instructing you to select the rule for which you want to create an exception.

Terminating a Session

You can terminate a session for a user on the DBMS based on an alert in the Alerts list.

To terminate a session:

1 In the Alerts list, click the icon next to the alert that is to be resolved. The alert details are displayed below the alert's row.
2 Review the alert details and click the Terminate Session icon. The Terminate Session for Alert page is displayed.
3 Enter a brief summary of the reason for terminating the session.
4 Click Terminate Session. The Alerts list is updated to show Session Terminated as the resolution status of the alert, and the session that triggered the alert is terminated immediately.

5.5 Printing Alert Reports

Hedgehog Standard, vpatch, and Enterprise versions are all provided with a simple mechanism for creating reports from alerts in PDF format. For more advanced alert reports, available in the Enterprise or vpatch editions only, refer to the Reports section.

You can generate a report that contains detailed information on each of the alerts currently displayed in the Alerts list. The alerts contained in the report are subject to the filter that is applied to the Alerts list. For example, to generate a report that contains only those alerts that have a resolution state of False Alarm, filter the list accordingly before attempting to print the report.

Note: A PDF reader must be installed on the console's host computer in order to generate and view the report.

To print an alert report:

In the Alerts page, after applying the appropriate filter criteria, click Generate Report. The alerts report is displayed as a PDF file, which contains separate detailed entries for each of the alerts displayed in the Alerts list.

5.6 Archiving Alerts

Hedgehog is provided with a mechanism for archiving alerts. Archived alerts are stored in the system archive. Archived alerts do not appear in the Alerts list.

To archive alerts:

In the Alerts page, after applying the appropriate filter criteria, click Archive Alerts. The alerts are sent to the Hedgehog archive.

6 Hedgehog Dashboard

The Hedgehog Dashboard displays a wide range of statistical data regarding the status of alerts, DBMS monitoring, security updates, and rules.

Note: The Dashboard functionality is available for Hedgehog Enterprise and vpatch users only.

You can set the time resolution of the data to be displayed in the Dashboard by selecting the relevant time period at the top of the page, for example, Last 10 min, Last hour, Last week, and so on.

The Hedgehog Dashboard displays the following types of statistical data for the selected timeframe:

- Unresolved Alerts: Indicates the distribution of unresolved alerts in all monitored DBMSs according to severity (High, Medium, Low).
- Alerts per DBMSs: Indicates the distribution of alerts per sensor according to severity (High, Medium, Low) in the top 5 DBMSs with most alerts.
- Sensors Status: Indicates the distribution of sensors according to status: Down, Pending, or Up. (Pending sensors are sensors that have not been approved by the administrator.)
- DBMS Status: Indicates the distribution of DBMSs according to their monitoring status: Monitored, Partly Monitored, or Unmonitored. (Partly monitored DBMSs are clustered DBMSs where only some members are currently monitored.)

Note: Unless sensors are installed on all cluster members, the display will not be accurate.

- Alerts Summary: Indicates the distribution of alerts (all types) according to severity (High, Medium, Low) across the selected time period.
- Quarantine List: Lists the elements currently in quarantine, including the start time, the DBMS, and the rule that triggered the quarantine.
- Installed Security Updates: Lists the installed security updates, including version number, date installed, and the person responsible for their installation.
- Available Security Updates: Lists the available security updates, including version number, when published, and a brief description (if available).

- Most Active vpatch: Lists the most active vpatch rules in the system, including the rule name, the DBMS on which the rule is installed, and the number of alerts (based on the time selected at the top of the screen).
- Most Active Custom Rules: Lists the most active custom rules in the system, including the rule name, the DBMS on which the rule is installed, and the number of alerts (based on the time selected at the top of the screen).

From the Dashboard page, you can:

- Refresh the chart data, as described in 6.1 Recalculating Chart Data.
- Select the DBMSs for which alert statistics are displayed, as described in 6.2 Filtering the Dashboard Alerts.
- Configure the number of most active rules for which statistics are displayed, as described in 6.3 Setting the Number of Most Active Rules.

6.1 Recalculating Chart Data

You can refresh the chart data to reflect the most recently available statistics at any time by clicking Recalculate chart data at the top of the Dashboard page.

6.2 Filtering the Dashboard Alerts

To facilitate the analysis of alerts data, you can filter the Dashboard to display data for up to five specific DBMS(s).

To filter the Dashboard:

1 In the Alerts per DBMSs header, click Choose DBMSs.
2 Select the DBMSs for which you want to view alerts statistics. You can select up to five DBMSs.

Note: To revert to the default settings, click Use Default.

3 Click Select to apply your selections and return to the Dashboard.

6.3 Setting the Number of Most Active Rules

You can set the number of rules included in the Most Active vpatch Rules and Most Active Custom Rules lists.

To set the number of most active rules:

1 In the Most Active vpatch Rules header or Most Active Custom Rules header, click Edit. The Number of rules selection dialog is displayed for the selected type of rule.
2 From the Number of vpatch/custom rules dropdown list, select the number of rules to be included in the respective most active rules list.
3 Click Save.

7 Sensors

Hedgehog Sensors are responsible for monitoring access to the DBMS(s) and sending transaction data to the Hedgehog Server. After installation, a sensor needs to be approved before it can begin active monitoring of a DBMS.

This section includes the following topics:

- 7.1 Viewing the Sensors List
- 7.2 Approving a Sensor
- 7.3 Approving the DBMS(s)
- 7.4 Changing the Sensor Action for a DBMS
- 7.5 Stopping a Sensor
- 7.6 Deleting a Sensor
- 7.7 Troubleshooting the Sensor Installation

7.1 Viewing the Sensors List

The Sensors page lists the installed Hedgehog Sensor(s), including the following parameters:

- Name: The name of the sensor as configured in the installation process.
- Status: The current status of the sensor (CONNECTED, DISCONNECTED, or DELETED).
- Host Name: The name of the DBMS host server on which the sensor is installed.
- IP: The IP address of the sensor.
- OS: The operating system of the sensor.
- Approved By: If the sensor has been approved, the name of the user that approved the sensor appears. If the sensor has not been approved, the button appears. For details on approving a sensor, refer to 7.2 Approving a Sensor.
- Properties: An icon, which when clicked, enables you to view and edit the properties of the sensor.
- Actions: An icon, which when clicked, performs the corresponding action:
  - Stops the sensor. For details, refer to 7.5 Stopping a Sensor.
  - Deletes the sensor. For details, refer to 7.6 Deleting a Sensor.

From the Sensors page, you can:

- Filter the Sensors list according to various alert properties, as described in Filtering the Sensors List.
- Set the criteria by which the list is sorted, as described in Sorting List Data.
- View the details of a specific sensor, as described in Viewing Monitored DBMSs by Sensor.
- Access the installation guide by clicking the Hedgehog Installation Guide link below the sensors list.
- Access the sensor troubleshooting guide by clicking the Troubleshooting link below the sensors list. For details, see 7.7 Troubleshooting the Sensor Installation.

Filtering the Sensors List

Hedgehog Enterprise and vpatch versions enable multiple sensors to work with a single Hedgehog server. To facilitate the viewing of sensor data when working with multiple sensors, you can filter the Sensors list according to various sensor properties.

To filter the Sensors list:

1 Expand the Edit Filters area above the Sensors list.
2 Set one or more filter criteria by entering/selecting the relevant values (for example, DBMS SID, Approved By, or Host Name).
3 Click Apply. The list of sensors is filtered to display only those sensors that match the filter criteria.

Note: To clear all filter selections, click Clear.

Viewing Monitored DBMSs by Sensor

You can view a list of the DBMSs assigned to a sensor in the Sensors page.

To view the DBMSs monitored by the sensor:

Select the sensor in the Sensors list. The DBMSs monitored by the selected sensor are listed below the Sensors list, including the following details:

- Name: The name of the DBMS.
- Type: The type of DBMS.
- Version: The version of the DBMS.
- Status: The status of the DBMS (Fully Monitored, Not Monitored, or Partly Monitored).
- Action: The action that can be applied to the DBMS (Start or Stop Monitoring). For details, refer to 7.4 Changing the Sensor Action for a DBMS.

Viewing Sensor Details

You can view the detailed properties of a sensor in the Sensor Properties page.

To view the sensor details:

In the Sensors list, click the Properties icon in the row for the sensor. The Details tab of the Sensor Properties page is displayed.

The following sensor details are displayed in the Details tab of the Sensor Properties page:

- Name: The name of the sensor (editable).
- Hostname: The name of the DBMS host server on which the sensor is installed.
- IP: The IP address of the sensor.
- MAC Address(es): The MAC address of the host server NICs.
- No. of CPU cores: The number of CPU cores detected on the host server.
- Version: The sensor version.
- Operating System: The operating system of the DBMS host server.
- Log Level: The detail level of logs to be created (by default the log level is set to INFO).
- Log File Size: The maximum size of the log file (in MB).
- Number of Log Files: The maximum number of log files to be created.

To view the statistics for the DBMS(s) monitored by the selected sensor, select the Statistics Per DBMS tab in the Sensor Properties page.

The following statistics are displayed in the Statistics Per DBMS tab:

- Name: The name of the DBMS.
- Hostname: The name of the DBMS host server on which the sensor is installed.
- Version: The version of the DBMS.
- No. CPU: The number of CPUs used by the sensor to monitor this DBMS.
- Status: The status of the DBMS (full, none, or partial).
- Statements monitored last 5 minutes: The number of statements for this DBMS detected and monitored by the sensor in the last 5 minutes.
- Statements monitored last 24 h.: The number of statements for this DBMS detected and monitored by the sensor in the last 24 hours.

7.2 Approving a Sensor

In order for the sensor to begin active monitoring of the DBMS, it needs to be manually approved. In the Sensors page, if the sensor has been approved, the name of the user that approved the sensor appears in the Approved By field. If the sensor has not been approved, the button appears.

To approve a sensor:

1 In the Sensors page, click the icon to approve the sensor.

If a new sensor reports that it is monitoring a DBMS that is already recognized by the Hedgehog system, the Approve DBMS page is displayed prompting you to select the DBMSs to be monitored. For details, refer to 7.3 Approving the DBMS(s).

If the sensor ID already exists in the system, the Approve Sensor page is displayed.

2 From the Available actions dropdown list, select how you want to handle this sensor:
- New: Indicates this is a new sensor. If you select New, you will need to change the sensor ID to a unique one.
- Merge: Indicates this is the same sensor, for example, following reinstallation, and both instances should be treated as a single sensor.
- Delete: Indicates that this sensor was added in error and should be removed from the configuration.
3 Click OK.

7.3 Approving the DBMS(s)

If a new sensor reports that it is monitoring a DBMS that is already recognized by the Hedgehog system, the Approve DBMS page is displayed when you attempt to approve the sensor.

To approve the DBMS(s):

1 In the Approve DBMS page, select the DBMSs to be modified by the sensor.

Note: You can filter the list of DBMSs by selecting one of the following options from the dropdown list above the list:
- All DBMSs
- New DBMSs
- Existing DBMSs

2 If more than one DBMS has the same name, select one of the following from the adjacent dropdown list:
- New: Indicates this is a new DBMS that needs to be monitored separately from the existing DBMS.
- Merge: Indicates this DBMS is the same DBMS and the entries should be merged.
- Cluster: Indicates that the DBMS is included in a cluster (and thus your policy for the DBMS will be installed on all cluster members). If you select Cluster, the display expands to show details for the DBMS.

Note: Cluster support is available with Hedgehog Enterprise and vpatch only.

3 For each DBMS, you can choose whether you want triggers to be installed. With Oracle DBMSs it is highly recommended to use triggers (chosen by default). Triggers used by Sentrigo are highly efficient and have minimal impact on the DBMS performance. Use triggers with MS SQL servers when you intend to use Hedgehog's prevention capabilities (allowing you to stop DDL actions before they take place). You can always change your choice later by selecting DBMS properties in the DBMSs tab, or by selecting Manage DBMSs in the Sensors tab.
4 Click Save to complete the approval process. The name of the logged-on user is displayed in the Approved By column.

7.4 Changing the Sensor Action for a DBMS

You can determine the way in which the sensor handles a specific DBMS by setting the Action for that DBMS to Start Monitoring or Stop Monitoring, as required.

To set the sensor to monitor a DBMS:

1 In the Sensors page, select the sensor. The DBMSs monitored by the selected sensor are listed below the Sensors list.
2 In the row for the DBMS, click Start Monitoring. The Approve DBMS page is displayed prompting you to select the DBMSs to be monitored. For details, refer to 7.3 Approving the DBMS(s).

To set the sensor to stop monitoring a DBMS:

1 In the Sensors page, select the sensor. The DBMSs monitored by the selected sensor are listed below the Sensors list.
2 In the row for the DBMS, click Stop Monitoring. The sensor no longer monitors the DBMS.

7.5 Stopping a Sensor

You can remove a sensor that is no longer to be used for monitoring purposes. As a result, monitoring of the corresponding DBMS(s) stops. A stopped sensor is not deleted from the Sensors list.

To stop a sensor:

1 In the Sensors list, click in the row for the sensor that is to be stopped. A confirmation message is displayed.
2 Click OK. The sensor is stopped and no longer monitors the DBMS.

7.6 Deleting a Sensor

You can delete a sensor that is no longer to be used for monitoring purposes. A deleted sensor is not deleted from the Web console, or from the DBMS itself, but its status is set to "DELETED". If you want to uninstall the sensor from the DBMS, you will have to access the DBMS host and uninstall the sensor (e.g., using rpm -e on Linux machines, uninstall in MS Windows, and so on).

To delete a sensor:

1 In the Sensors list, click in the row for the sensor that is to be deleted. A confirmation message is displayed.
2 Click OK. The sensor no longer monitors the DBMS.

Note: The resolution state of alerts previously generated by the removed sensor is automatically updated to Sensor Deleted in the Alerts list.

7.7 Troubleshooting the Sensor Installation

This section describes the preliminary actions to be taken in order to resolve sensor installation and configuration problems.

Troubleshooting Procedures

If you encounter problems while installing the sensor, for example, if you have installed a sensor and No sensors detected is displayed when you log in to the Hedgehog console, follow the steps outlined in the sections below.

Check if the Hedgehog Sensor process is up and running:

- On Linux/Solaris, run: /etc/init.d/sentrigo-sensor status
- On AIX, run: /etc/rc.d/init.d/sentrigo-sensor status
- On HPUX, run: /sbin/init.d/sentrigo-sensor status
- On Windows, run: services.msc and look for the service "HedgehogSensor"

If the Sensor service is down and does not come up after you run it, check that the Hedgehog Server has a valid license. Note that if the sensor was connected to the server before applying the license, it will be down and you need to manually restart it.

If you are still unable to run the Hedgehog Sensor, contact Sentrigo support after running the diagnostic tool (see Running the Diagnostic Tool).

If the Hedgehog Sensor is not on the Hedgehog Server Sensors list:

1 Verify that the server IP and port are set correctly in the Hedgehog Sensor's configuration file (located in Linux: /etc/sysconfig/sentrisensor; Solaris: /etc/default/sentrigo-sensor; AIX: /etc/sentrigo-sensor; HPUX: /etc/rc.config.d/sentrigo-sensor; and on Windows, run sentrisensor.exe). If they are not set correctly, update the configuration file and restart the Hedgehog Sensor service.
2 Verify that the sensor is able to reach the server port, using ping <server ip> and telnet <server ip> <port number>. If it is not reachable, verify that there is no firewall blocking the communication (check that the Hedgehog Sensor communication port is open for TCP). If it is blocked, enable TCP communications on that port and restart the Hedgehog Sensor service.

If you are still unable to reach the Hedgehog Server machine from the Hedgehog Sensor machine, contact your system administrator for support.

If the Hedgehog Server IP address and port are reachable from the Hedgehog Sensor machine and you still do not see the Sensor on the Sensors list on the Hedgehog Server, run the diagnostic tool (see Running the Diagnostic Tool) and then contact Sentrigo support for assistance.

If no DBMSs are displayed for your Hedgehog Sensor:

On Windows platforms, run the diagnostic tool (see Running the Diagnostic Tool) and then contact Sentrigo support for assistance.

On non-Windows platforms, verify that:

- You have group read and execute permissions on $ORACLE_HOME, $ORACLE_HOME/dbs and group read permissions on $ORACLE_HOME/dbs/sp*.ora and $ORACLE_HOME/dbs/init*.ora
- Your ORACLE_HOME group is either dba or oinstall. If not, add the relevant Oracle group to the 'sentrigo' OS user
- Your oratab file (under /etc/oratab or /var/opt/oracle/oratab) points to the correct ORACLE SID and ORACLE_HOME (entries in the file are of the form: $ORACLE_SID:$ORACLE_HOME:<N|Y>:). If the entries are incorrect, fix them and restart the Hedgehog Sensor service. Otherwise, contact Sentrigo support after running the diagnostic tool (see below).

If your oratab file is in a different location, you can configure Hedgehog by editing the startup script accordingly (on Linux/Solaris: /etc/init.d/sentrigo-sensor, on AIX: /etc/rc.d/init.d/sentrigo-sensor, on HPUX: /sbin/init.d/sentrigo-sensor) by adding "-r <oratab full path>/oratab" to the start function. After editing the startup script, run the Hedgehog Sensor.

If your DBMS appears on the Sensors list, but is listed as disconnected:

1 Verify that Oracle is version or above, or MS SQL Server 2005 (or 2000 beginning from Hedgehog 2.3.0).
2 If the Hedgehog Sensor is still unable to monitor your DBMSs, run the diagnostic tool (see Running the Diagnostic Tool) and then contact Sentrigo support for assistance.
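The oratab and permission checks listed above for non-Windows platforms can be run as one preflight script on the DBMS host. This is an added example, not part of Hedgehog or of the original guide; the function names and the constructed sample tree are assumptions, and it inspects the owning group and mode bits only, not the 'sentrigo' user's group membership.

```python
import glob
import grp
import os
import stat
import tempfile

ALLOWED_GROUPS = ("dba", "oinstall")   # groups named in the guide


def parse_oratab(text):
    """Split oratab text into (entries, errors).

    Accepts the form given in the guide: SID:ORACLE_HOME:<N|Y>:
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            errors.append(f"line {lineno}: expected SID:ORACLE_HOME:<N|Y>:")
        elif fields[2].upper() not in ("N", "Y"):
            errors.append(f"line {lineno}: third field is {fields[2]!r}, not N or Y")
        else:
            entries.append((fields[0], fields[1]))
    return entries, errors


def owning_group(path):
    """Name of the group that owns path (numeric string if it has no name)."""
    gid = os.stat(path).st_gid
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def group_bits(path, need_exec):
    """List the group permission bits the guide requires but path lacks."""
    mode = os.stat(path).st_mode
    missing = []
    if not mode & stat.S_IRGRP:
        missing.append(f"{path}: no group read")
    if need_exec and not mode & stat.S_IXGRP:
        missing.append(f"{path}: no group execute")
    return missing


def check_home(home, allowed_groups=ALLOWED_GROUPS):
    """Return a list of findings for one ORACLE_HOME (empty list = passes)."""
    if not os.path.isdir(home):
        return [f"{home}: ORACLE_HOME does not exist"]
    findings = []
    group = owning_group(home)
    if group not in allowed_groups:
        findings.append(f"{home}: group is {group}, expected one of {allowed_groups}")
    findings += group_bits(home, need_exec=True)
    dbs = os.path.join(home, "dbs")
    if not os.path.isdir(dbs):
        return findings + [f"{dbs}: missing"]
    findings += group_bits(dbs, need_exec=True)
    for pattern in ("sp*.ora", "init*.ora"):      # parameter files: read only
        for path in sorted(glob.glob(os.path.join(dbs, pattern))):
            findings += group_bits(path, need_exec=False)
    return findings


def preflight(oratab_text, allowed_groups=ALLOWED_GROUPS):
    """Check every oratab entry; returns (findings per SID, oratab errors)."""
    entries, errors = parse_oratab(oratab_text)
    return {sid: check_home(home, allowed_groups) for sid, home in entries}, errors


def build_sample():
    """Constructed sample: one ORACLE_HOME with deliberately wrong modes."""
    home = tempfile.mkdtemp(prefix="orahome_")
    dbs = os.path.join(home, "dbs")
    os.mkdir(dbs)
    for name, mode in (("spfileORCL.ora", 0o640), ("initORCL.ora", 0o600)):
        path = os.path.join(dbs, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(dbs, 0o700)       # group can neither read nor traverse dbs
    os.chmod(home, 0o750)
    oratab = (f"# constructed oratab\nORCL:{home}:Y:\n"
              f"BROKEN:/no/such/home\nTEST:{home}:X:\n")
    return home, oratab


if __name__ == "__main__":
    home, oratab = build_sample()
    # The sample tree is owned by the current user's group, so allow it here.
    results, errors = preflight(oratab, allowed_groups=(owning_group(home),))
    for sid, findings in results.items():
        print(sid, "OK" if not findings else findings)
    for err in errors:
        print("oratab:", err)
```

On a real host, call preflight() with the contents of /etc/oratab or /var/opt/oracle/oratab and the default group list.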

Running the Diagnostic Tool

Running the diagnostic tool creates an output file for you to provide to Sentrigo support when requesting assistance.

Users of Hedgehog Sensor version and up can change the sensor log level and remotely create an analytic package as follows:

1 In the Sensors tab, click the Properties icon in the row for the sensor. The following dialog appears:
2 From the Log Level dropdown, select DEBUG.
3 Run the Hedgehog Sensor for 5 minutes (no sensor restart is required).
4 Click Generate.

Note: It is recommended to restore the log level to INFO after troubleshooting is complete.

If you are running an earlier Hedgehog version or having trouble connecting to the sensor, perform the following steps:

5 Change the log level from INFO to DEBUG in the sentrisensor configuration file as follows:
- On Linux, edit: /etc/sysconfig/sentrisensor
- On Solaris, edit: /etc/default/sentrigo-sensor
- On AIX, edit: /etc/sentrigo-sensor
- On HPUX, edit: /etc/rc.config.d/sentrigo-sensor
- On Windows, run sentrisensor.exe

6 Run the Hedgehog Sensor for 10 minutes.
7 Run the diagnostic tool:
- On Linux, run: /sbin/service sentrigo-sensor create_analytic_package
- On Solaris, run: /etc/init.d/sentrigo-sensor create_analytic_package
- On AIX, run: /etc/rc.d/init.d/sentrigo-sensor create_analytic_package
- On HPUX, run: /sbin/init.d/sentrigo-sensor create_analytic_package
- On Windows, run: Analytics.exe

The analytic package output file name is displayed when the process is complete. Send the file via to Sentrigo's support team.

8 DBMSs

Hedgehog provides protection for the DBMS(s) on which Hedgehog Sensors have been installed. The monitoring policy for a DBMS comprises the various rules that are enabled and applied on that DBMS.

After installing a Hedgehog Sensor on a DBMS host server, if more than a single DBMS is installed on the host, the DBMS needs to be approved in the Hedgehog configuration before a monitoring policy can be applied to the DBMS.

The DBMS page lists the DBMSs on which Hedgehog sensors have been installed, and enables you to view the properties of each DBMS.

This section includes the following topics:

- 8.1 Viewing the DBMSs List
- 8.2 Filtering the DBMSs List
- 8.3 Viewing DBMS Properties and Triggers
- 8.4 Viewing Sensors by DBMS
- 8.5 Managing DBMS Groups

Note: For a description of the configuration of the rules that make up the monitoring policy, refer to 9 Rules.

8.1 Viewing the DBMSs List

The DBMSs page lists the DBMSs being monitored by the Hedgehog sensors, including the following parameters:

- DBMS: The name of the DBMS.
- Host Name: The name of the host on which the DBMS is installed.
- Type: The DBMS type.
- Version: The DBMS version.
- Description: A brief description of the DBMS.
- Status: Provides information about the current monitoring status:
  - Fully Monitored: The DBMS is fully monitored, i.e., all sensors monitoring the DBMS are up and running (more than one sensor monitors a single DBMS if the DBMS is clustered).
  - Not Monitored: There is currently no connection with any of the sensors monitoring the DBMS.
  - PARTIAL: Not all sensors that should be monitoring the DBMS are monitoring it.

- Properties: An icon, which when clicked, opens the main DBMS screen enabling customization of policy rules, editing of the DBMS details, and more.
- Action: An icon, which when clicked, deletes the sensor (and undeletes the sensor when deleted sensors are viewed using the filter).

From the DBMSs page, you can:

- Filter the DBMS list according to various properties, as described in 8.2 Filtering the DBMSs List.
- View the properties of a specific DBMS, as described in 8.3 Viewing DBMS Properties and Triggers.
- View the sensors that monitor a specific DBMS, as described in 8.4 Viewing Sensors by DBMS.

8.2 Filtering the DBMSs List

Hedgehog Enterprise and vpatch versions enable multiple DBMSs to be monitored using the same server. To facilitate the viewing of data when working with multiple DBMSs, you can filter the DBMSs list according to various DBMS properties.

Note: You can also set the criteria by which the list is sorted, as described in Sorting List Data.

To filter the DBMSs list:

1 Expand the Set filter values area above the DBMSs list.
2 Set one or more filter criteria by entering/selecting the relevant values (for example, ID, name, or monitoring status).
3 Click Apply. The list of DBMSs is filtered to display only those DBMSs that match the filter criteria.

Note: To clear all filter selections, click Clear and then Apply.

8.3 Viewing DBMS Properties and Triggers

You can view the detailed properties of a DBMS, including its name, description, and DBMS Group assignment, and if applicable. The DBMS properties also include the Hedgehog trigger settings for the DBMS.

Two triggers are added by Hedgehog to the host DBMS: a Data Definition Language (DDL) trigger and a failed login trigger.

The DDL trigger is used to prevent DDL actions before they happen (requires relevant custom rules, e.g., cmdtype = drop and user <> $privileged_users).

The failed logins trigger is used by the vpatch rules to alert in the event of too many failed logins in a single DBMS (which may be a result of a denial of service attempt or dictionary attack).

To view the DBMS details:

In the DBMS list, click the Properties icon in the row for the DBMS. The Properties page is displayed for the selected DBMS.

The Properties page lists the following parameters:

- Name: The name of the DBMS. This parameter can be edited.
- Instance Name: The name of the DBMS instance.
- Description: A brief description of the DBMS.
- vpatch Coverage:
  - Database version
  - Available vpatch relevant protections
  - Available relevant Oracle Critical Patch Updates
- Enable Application Mapping: When selected, enables the mapping of application data for the DBMS.
- Limit Application Mapping Alerts per Second: The maximum number of application mapping alerts that are sampled per second.
- Notify When Database Events Count Exceeds: The number of database events, which when exceeded, triggers notification.
- Purge DBMS Application Mapping Data: When selected, purges all DBMS application mapping data for the DBMS.
- Failed Login:
  - Failed Login Count: The number of failed attempts to log in to a single DBMS within the defined Failed Login Measure Period that triggers an alert (if triggers are enabled).
  - Failed Login Measure Period: The time period within which, if the Failed Login Count is exceeded, an alert is generated by the vpatch rules.
- Enable Triggers: When selected, the DDL and Failed login triggers are enabled on the DBMS.
- DDL Delay Time: The time period for which the trigger delays the execution of the DDL command in order to allow the rule action to run first (so it will be able to terminate the session before the statement is executed if so required by the rule).
- Enable alternative DBMS connection (advanced users only): When selected, alternative connections can be made using the following parameters:
  - User Name: The user name to be used to connect to the DBMS.
  - Password: The password to be used to connect to the DBMS.
  - Connection String: The user name to be used to connect to the DBMS. This parameter is applicable for Oracle DBMSs only.
  - Hedgehog Cache Size: The size of the cache that can be used by the DBMS. This parameter is applicable for SQL DBMSs only.
- DBMS Groups: The DBMS groups to which this DBMS belongs.
- Charset: The DBMS character set.

  - Detected: The detected character set.
  - Selected: The selected character set.

Enabling/Disabling Triggers

To enable triggers:

In the DBMS Properties page, select the Enable Triggers checkbox to enable the triggers.

To disable triggers:

In the DBMS Properties page, clear the Enable Triggers checkbox to disable the triggers.

Configuring the Failed Logins Trigger

You can determine the number of failed logins within a set time period that is considered abnormal for the DBMS.

Note: Only vpatch rules make use of the failed login feature.

To configure the Failed Logins Trigger:

1 In the DBMS Properties page, select the Enable Triggers checkbox to enable the triggers.
2 In the Failed Login Count field, set the number of failed attempts to log in to a single DBMS within the defined Failed Login Measure Period that triggers an alert.
3 In the Failed Login Measure Period field, set the time period (in seconds) within which, if the Failed Login Count is exceeded, an alert is generated by the vpatch rules.
4 Click Save.

Configuring the Character Set

When using Hedgehog sensor 2.5 and above, Hedgehog supports international character sets. Normally, Hedgehog automatically detects the correct character set. In some cases (such as if the DBMS is configured with one character set but another character set is being used), however, manual configuration of the character set is required.

To select the correct character set, select the DBMS Properties page and then select the required character set from the Charset dropdown list.
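How the Failed Login Count and Failed Login Measure Period settings described above interact is easiest to see by replaying login events through a counter. The following is an added illustration, not Hedgehog's trigger code: the log format and sample lines are constructed, and it assumes a sliding window per DBMS that alerts when the count is exceeded and then restarts.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (format is hypothetical, for illustration only).
SAMPLE_LOG = """\
2011-01-10 09:00:00 dbms=ORCL user=app result=FAILED
2011-01-10 09:00:20 dbms=ORCL user=app result=OK
2011-01-10 09:00:40 dbms=ORCL user=app result=FAILED
2011-01-10 09:02:00 dbms=ORCL user=app result=FAILED
2011-01-10 09:05:00 dbms=HR user=sys result=FAILED
2011-01-10 09:05:01 dbms=HR user=system result=FAILED
2011-01-10 09:05:02 dbms=ORCL user=dbsnmp result=FAILED
2011-01-10 09:05:03 dbms=HR user=scott result=FAILED
2011-01-10 09:05:04 dbms=HR user=hr result=FAILED
"""


class FailedLoginWindow:
    """Sliding-window failed-login counter for a single DBMS.

    count  corresponds to "Failed Login Count"
    period corresponds to "Failed Login Measure Period" (seconds)
    Assumption: alert when MORE than `count` failures fall inside the last
    `period` seconds, then start counting again from zero.
    """

    def __init__(self, count, period):
        self.count = count
        self.period = timedelta(seconds=period)
        self.failures = deque()

    def record(self, when):
        """Register one failed login; return True if it raises an alert."""
        self.failures.append(when)
        # Drop failures that have aged out of the measure period.
        while when - self.failures[0] >= self.period:
            self.failures.popleft()
        if len(self.failures) > self.count:
            self.failures.clear()
            return True
        return False


def alerts_from_log(text, count, period):
    """Replay log text; return [(timestamp, dbms), ...] for each alert."""
    windows, alerts = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if fields.get("result") != "FAILED" or "dbms" not in fields:
            continue                      # successful logins are not counted
        when = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        # Failures are counted per DBMS, never pooled across DBMSs.
        window = windows.setdefault(fields["dbms"],
                                    FailedLoginWindow(count, period))
        if window.record(when):
            alerts.append((str(when), fields["dbms"]))
    return alerts


if __name__ == "__main__":
    # Tight setting: only the burst against HR is reported.
    print(alerts_from_log(SAMPLE_LOG, count=3, period=60))
    # Lower count and longer period: the slow failures on ORCL also alert.
    print(alerts_from_log(SAMPLE_LOG, count=2, period=180))
```

A short measure period catches bursts but misses slow guessing spread over minutes; lengthening the period or lowering the count catches it at the cost of more alerts from ordinary mistyped passwords.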

Enabling Application Mapping

You can configure the mapping of application data per DBMS.

Note: Application monitoring can be configured only for DBMSs that are monitored by sensors, version 3.1 and above.

To configure application mapping:
1 In the DBMS Properties page, select the Application Mapping checkbox.
2 In the Limit Application Mapping Alerts per Second field, set the maximum number of application mapping alerts that are sampled per second.
3 In the Notify When Database Events Count Exceeds field, set the number of database events, which when exceeded, triggers notification.
4 Click Save.

Note: To purge all application mapping data for the DBMS, click Purge in the DBMS Properties page.
(Optional) To purge all saved mapping data for all DBMSs, click Purge in the Rule Settings page of the Rules module.

8.4 Viewing Sensors by DBMS

You can view a list of the sensors used to monitor a DBMS in the DBMSs page.

To view the sensors that monitor a DBMS:
Select the DBMS in the DBMSs list. The sensors that monitor the selected DBMS are listed below the DBMSs list, including the following details:
Name: The name of the sensor.
Status: The status of the sensor.

8.5 Managing DBMS Groups

To facilitate the application of rules to multiple DBMSs, you can create DBMS Groups. Rules that are applied to a DBMS Group are applied to all of the group members. DBMS Groups are configured in the DBMS Groups tab of the DBMS page.

This section includes the following topics:
Viewing DBMS Groups
Creating a DBMS Group
Viewing/Editing a DBMS Group
Deleting a DBMS Group

Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

Viewing DBMS Groups

The DBMS Groups tab lists the existing DBMS Groups, including the following parameters:
Name: The name of the DBMS Group.
Description: A brief description of the DBMS Group.
Properties: An icon, which when clicked, enables you to view the DBMS Group details.
Remove: An icon, which when clicked, deletes the DBMS Group (available only for user-defined DBMS groups).

From the DBMS Groups tab, you can:
Add a DBMS Group, as described in Creating a DBMS Group.
Edit the properties of an existing DBMS Group, as described in Viewing/Editing a DBMS Group.
Delete a DBMS Group, as described in Deleting a DBMS Group.

Creating a DBMS Group

A DBMS Group is a subset of DBMSs to which various rules can be applied. You can define multiple DBMS Groups in keeping with the needs of your enterprise. A DBMS Group can comprise any number of DBMSs. A specific DBMS can be a member of more than one DBMS Group. Rules that are installed on a DBMS Group are applied to all of the group members.

To create a DBMS Group:
1 In the DBMS Groups tab, click New DB Group. The DBMS Properties page is displayed.
2 Enter the name of the DBMS Group in the Name field.
3 Enter a brief informative description of the group in the Description field.
4 Select the DBMSs to be included in the group from the All DBMSs list and click the adjacent button or double-click the DBMS to move it to the Selected DBMSs list.
   Note: To remove DBMS from the Selected DBMSs list, double-click the DBMS or select it and click.
5 Click Save.

Viewing/Editing a DBMS Group

You can view and edit the properties of a DBMS Group.

To view/edit a DBMS Group:
1 In the DBMS Groups tab, click the Properties icon in the row for the rule object. The DBMS Group Properties page is displayed.
2 Edit the DBMS Group properties, as required, and click Save.

Deleting a DBMS Group

You can delete a DBMS Group that is no longer needed, however it is recommended that you exercise caution in doing so. Deleting a DBMS Group does not delete the DBMSs that were included in the group, however if you delete a DBMS Group that is used in a rule, the rule is automatically disabled for all of the members of that DBMS Group. As a result, if the rule was applied only to that DBMS Group, the rule needs to be assigned to specific DBMSs or other DBMS Groups in the rule definition in order for it to have any impact.

To delete a DBMS Group:
1 In the DBMS Groups tab, click in the row for the DBMS Group to be deleted. A confirmation message is displayed.
2 Click OK to confirm. The DBMS Group is removed from the DBMS Groups list.

Note: If the system detects specific problems related to the proposed deletion, an additional message is displayed describing the potential consequences and prompting you to again confirm that you want to delete the DBMS Group.

8.6 Applying DBMS Actions

You can apply a single action to multiple DBMSs by selecting the DBMSs in the DBMSs tab and then clicking. The available actions include:
Failed logins configuration
Trigger action configuration
Alternate connection configuration
Charset configuration

9 Rules

DBMSs are manipulated by SQL statements and queries on an ongoing basis. The monitoring policy for a DBMS comprises the various rules that are enabled and applied on that DBMS. Rules define what types of statements are allowed to run on the DBMS, what types are forbidden, and which types should be monitored. Incoming statements are compared to the rules enabled for the DBMS and action (allow, alert, or terminate) is taken based on the first rule that is matched. If a statement does not match any of the existing rules, the statement is allowed.

Hedgehog provides enhanced DBMS security based on both predefined vpatch rules and custom rules. vpatch rules are included in the installation and help prevent attacks against known vulnerabilities. In addition, you can define custom rules to define the level of monitoring and alerts, and further protect your DBMS(s) against potential threats. For example, custom rules can be used to limit access to specific tables in the DBMS, or to limit access to the DBMS by specific users or at specific times of day.

Rules are defined and/or enabled per DBMS. Rules for each DBMS are managed in the various tabs of the DBMS Properties page. vpatch rules are listed in the vpatch Rules tab of the DBMS properties page. Custom rules are listed in the Custom Rules tab of the DBMS properties page.

Incoming statements are checked against the vpatch list before they are checked against the Custom Rules list because the vpatch rules deal mostly with known attacks and therefore should not be overruled by custom rules. Nonetheless, you can disable all of the vpatch rules or specific rules if the need arises, for example, in case of false positives.

This section includes the following topics:
9.1 Viewing Rules
9.2 Enabling/Disabling Rules
9.3 Managing vpatch Rules
9.4 Managing Custom Rules
9.6 Rule Syntax
9.7 Managing Rule Objects
9.8 Application Mapping
9.9 Working with Tags
9.10 Viewing Tags per DBMSs/DBMS Groups
9.11 Importing/Exporting Rules
9.12 Viewing Rule Revisions
9.13 Configuring Rule Modification and Application Mapping Notifications

Note: Hedgehog also enables you to apply compliance rules. For details on managing compliance rules, refer to 10 Compliance.

9.1 Viewing Rules

Rules, both custom and vpatch, are viewed and managed in the Rules page. The Rules page comprises the following tabs:
vpatch Rules: Lists the predefined vpatch rules and indicates whether or not they are enabled for the DBMS(s). For details, refer to 9.3 Managing vpatch Rules.
Custom Rules: Lists the custom rules defined for the DBMS(s). For details, refer to 9.4 Managing Custom Rules.
Application Mapping: Lists the application rules defined for the DBMSs. For details, refer to 9.8 Application Mapping.
Tags-DBMSs: Lists the existing tags, and shows the extent to which the rules that include each specific tag are applied to the DBMSs. For details, refer to 9.9 Working with Tags.
Rule Revisions: Enables you to view the state of rules at any specific point in time and the revisions made to rules over time. For details, refer to 9.12 Viewing Rule Revisions.
Rule Objects: Enables you to define rule objects, which can then be used as components in other rules. For details, refer to 9.7 Managing Rule Objects.
Settings: Enables you to configure notifications regarding rule changes and application mapping. For details, refer to 9.13 Configuring Rule Modification and Application Mapping Notifications.

Note: Compliance rules are managed in the Compliance page. For details, refer to 10 Compliance.

To view the Rules list for all DBMSs:
In the Rules page, select the Custom Rules tab, or
To view the vpatch Rules list, select the vpatch Rules tab.
The Rules list is displayed in the selected tab.

The Rules list includes the following parameters for each rule:
Enabled/Disabled: An icon indicating the status of the rule, enabled or disabled.
No.: The ID number of the rule.
Name: The name of the rule.
Rule: The comparator statements that serve as the criteria for matching the rule. For details, refer to 9.6 Rule Syntax.
Installed on: The DBMS(s) on which the rule is currently installed.
Rule Actions: The actions to take if the rule criteria are met.
Actions:
   Properties icon, which when clicked, enables you to view all rule details.
   Clone icon, which when clicked, enables you to duplicate a rule.
   Remove icon, which when clicked, deletes the rule.
Level: The level of the rule:
   A red icon indicates a forbidden violation.
   An orange icon indicates a medium level violation.
   A blue icon indicates a low level violation.

From the Rules page, you can:
Filter the Rules list according to various alert properties, as described in Filtering the Rules List.
View the details of a specific rule, as described in Viewing the Rule Properties.
Enable or disable an existing rule, as described in 9.2 Enabling/Disabling Rules.
Install vpatch Rules on DBMSs, as described in 9.3 Managing vpatch Rules.
Create a new rule, as described in Creating a Custom Rule.
Change the order of rules in the Rules list, as described in Changing the Order of Custom Rules.
Configure Rule objects, as described in 9.7 Managing Rule Objects.
Assign tags to existing custom rules, as described in 9.9 Working with Tags.
View the distribution of rules per DBMS, as described in 9.10 Viewing Tags per DBMSs/DBMS Groups.
Import and export rules, as described in 9.11 Importing/Exporting Rules.
View the history of revisions to a specific rule, as described in 9.12 Viewing Rule Revisions.

Filtering the Rules List

You can filter the Rules list to display only those rules that match specific criteria, for example, DBMS name or group, tags or compliance type.

To filter the Rules list:
1 Expand the Edit Filters area above the Rules list.
2 Set one or more filter criteria by entering/selecting the relevant values (for example, DBMS name, Rule Name, Tags, or Compliance).
3 From the Display rules per page dropdown list, select the number of rules to display on each page.
4 Click Apply. The list of rules is filtered to display only those rules that match the filter criteria.

Note: To clear all filter selections, click Clear.

Viewing the Rule Properties

You can view the details of a specific rule in the Rule Properties page.

To view a rule's properties:
In the Rules list, click the Properties icon in the row for the rule. The Rule Properties page is displayed.

9.2 Enabling/Disabling Rules

You can enable/disable vpatch rules and Custom rules at any time. The current status of a rule in the Rules list is indicated by the icon in the leftmost column:
: The rule is enabled.
: The rule is disabled.

It is a good idea to disable a rule if you have started to define a rule, but have not completed it; if you would like to confirm the rule first with another administrator; or if you need to temporarily allow an action that is normally forbidden. Disabled rules are not processed by the sensor until they are enabled.

To enable a rule:
In the Rules list, click in the row for the rule that is to be enabled. The rule is enabled and the icon is displayed.

To disable a rule:
In the Rules list, click in the row for the rule that is to be disabled. The rule is disabled and the icon is displayed.

To enable/disable multiple rules:
1 Filter the Rules list to display all rules or only the rules that you want to enable or disable.
2 Click Enable/Disable Rules. The Enable/Disable Rules dialog is displayed.
3 Select one of the following options:
   To enable the rules displayed in the filtered Rules list, select Enable all displayed rules.
   To disable the rules displayed in the filtered Rules list, select Disable all displayed rules.
4 Click OK. The displayed rules are enabled or disabled accordingly.

9.3 Managing vpatch Rules

vpatch rules are listed in the vpatch tab. vpatch rules cannot be deleted, however they can be installed or removed from the policy applied to specific DBMSs and DBMS Groups.

Note: A red exclamation point is displayed in the left margin to indicate if a vpatch rule has not been installed on any DBMSs or DBMS groups.

This section includes the following topics:
Viewing the Properties of a vpatch Rule
Configuring the Action for a vpatch Rule
Configuring the Action for a DBMS
Installing/Removing vpatch Rules
Updating the Security Level of the vpatch Rules

Viewing the Properties of a vpatch Rule

You can view the details of a vpatch rule, including the DBMSs and DBMS Groups on which the rule is installed.

To view a vpatch rule's properties:
In the vpatch Rules list, click the Properties icon in the row for the rule. The Rule Properties page is displayed.

The following properties of the vpatch rule are displayed:
System ID: The ID number of the rule.
Name: The name of the rule.
Description: A short description of the rule.
Exception: The conditions that comprise the rule statement.
Action: The specific action to be taken when the conditions of the vpatch rule are met.
DBMSs & Groups:
   DBMSs: The DBMS(s) on which the rule is installed.
   Action: The specific action to be taken per DBMS when the conditions of a specific vpatch rule are met.
Tags: The tag(s) assigned to this rule.
Enable Rule: If selected, the rule is enabled.

From the Properties page, you can:
Define default rule properties, as described in Configuring the Action for a vpatch Rule.
Apply the rule to additional DBMSs and DBMS Groups, as described in Installing/Removing vpatch Rules.

Configuring the Action for a vpatch Rule

In addition to enabling or disabling a vpatch rule, you can define the alert level and the action to be taken when the conditions of a specific vpatch rule are met.

Note: You cannot change additional properties of a vpatch rule.

To set an action for a vpatch rule:
1 In the vpatch Rules tab, click the Properties icon in the row for which you want to set the default action. The Rule Properties page is displayed.
2 In the Action area, set the action as follows:
   To configure notification in addition to the alert in the log, select , and select the priority to be assigned to the message from the dropdown list (Low, Medium, or High).
   Note: The settings must be configured in the System screen in order to route alerts correctly.
   To send an alert as an SNMP trap if the rule is matched, select SNMP Trap.
   Note: If SNMP is not enabled in the System SNMP properties, this option is disabled.
   To send a message using Twitter if the rule is matched, select Twitter.

   Note: If Twitter is not enabled in the System properties, this option is disabled.
   To terminate a session if the rule is matched, select Terminate.
   Note: This option should be used sparingly because terminating sessions can disrupt legitimate business transactions. Depending on various environmental variables (such as command type and table size), session termination may not stop the current SQL command. Stronger termination capability is provided for DCL and DDL commands that use a before trigger (see DDL triggers).
   If you select Terminate, the Quarantine option is displayed. To quarantine a user, select the Quarantine checkbox and enter the number of minutes during which the user is to be prevented from reconnecting.
   To run an action script if the rule is matched, select Script and then set the script that is to be run on the host DBMS. You can use all parameters that Hedgehog monitors within the script, by using $ as a prefix. For example, if you want to use the user parameter in a script, you should enter $user. Script example: revoke dba from $user.
   Note: This option is intended for advanced users only.
3 To enable this rule, select Enable Rule.
4 Click Save. The action is saved.

Configuring the Action for a DBMS

You can set the specific action to be taken per DBMS when the conditions of a specific vpatch rule are met.

Note: Alerts are enabled per rule; you can define only how the alert is handled for the selected DBMS.

To set an action for a vpatch rule:
1 In the vpatch Rules tab, click the Properties icon in the row for which you want to set the default action. The Rule Properties page is displayed.
2 In the DBMSs and Groups area, click Change Actions in the row for the DBMS for which you want to define a specific action. The vpatch Rule Action Per DBMS page is displayed.

3 To send an alert, select Send Alert and select the relevant alert options:
   To generate an alert in the Alert screen, select Alert Hedgehog Console and then select the alert priority from the dropdown list (Low, Medium or High).
   To send an alert to the Hedgehog console, select Hedgehog console, and select the priority to be assigned to the alert from the dropdown list (Low, Medium, or High).
   To send an alert as an SNMP trap if the rule is matched, select SNMP Trap.
   Note: If SNMP is not enabled in the System SNMP properties, this option is disabled.
   To send an alert to the Syslog if the rule is matched, select Syslog.
   To send an alert to the Winlog if the rule is matched, select Winlog.
   To send the alert to the log file, select Log to file.
   To send the alert to an address, select Send alert to .
   Note: The settings must be configured in the System screen in order to route alerts correctly.
   To terminate a session if the rule is matched, select Terminate users session.
   Note: This option should be used sparingly because terminating sessions can disrupt legitimate business transactions.

   If you select Terminate, the Quarantine option is displayed. To quarantine a user, select the Quarantine checkbox and enter the number of minutes during which the user is to be prevented from reconnecting.
   To run an action script if the rule is matched, select Script and then set the script that is to be run on the host DBMS. You can use all parameters that Hedgehog monitors within the script, by using $ as a prefix. For example, if you want to use the user parameter in a script, you should enter $user. Script example: revoke dba from $user.
   Note: This option is intended for advanced users only.
4 (Optional) Configure limitations on the frequency of alerts as follows:
   From the Limit alerts per second dropdown list, select the maximum number of alerts to be generated per second.
   From the Limit alerts per session dropdown list, select the maximum number of alerts to be generated per session or select Unlimited.
   Note: The session is uniquely identified by the Session ID and the Serial fields in Oracle, and by the Serial ID and the Logon time in MSSQL.
5 (Optional) To prevent the display of sensitive data in alerts, select Mask Sensitive Data and enter a regular expression in the Regular Expressions text box using standard regular expression syntax.
   Note: For more information on standard regular syntax, see:
   To check the validity of the regular expression, click Test. In the Test Regular Expression dialog box, enter a value to be masked and click Test.
6 Click Save. The action is saved.
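Before a Mask Sensitive Data expression is saved, it is worth checking it against representative statements for both leaks and over-masking, which is what the Test dialog in step 5 does one value at a time. The following is an added example, not Hedgehog code: it assumes every regular-expression match is replaced with asterisks, and the patterns, statements and card numbers are constructed test values.

```python
import re


def check_pattern(pattern):
    """Return (True, "") if the expression compiles, else (False, reason)."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return False, str(exc)
    return True, ""


def mask(pattern, text, fill="*"):
    """Replace every match with fill characters of the same length (assumed behaviour)."""
    return re.sub(pattern, lambda m: fill * len(m.group(0)), text)


def evaluate(pattern, cases):
    """Check a pattern against (statement, must_hide, must_keep) cases.

    Returns a list of (case_index, problem, fragment) tuples:
    "leaked" means a sensitive value is still visible after masking,
    "over-masked" means context needed for triage was destroyed.
    """
    problems = []
    for index, (statement, must_hide, must_keep) in enumerate(cases):
        masked = mask(pattern, statement)
        for secret in must_hide:
            if secret in masked:
                problems.append((index, "leaked", secret))
        for context in must_keep:
            if context not in masked:
                problems.append((index, "over-masked", context))
    return problems


# Constructed statements as they might appear in an alert.
CASES = [
    ("UPDATE payments SET card_no = '4111 1111 1111 1111' WHERE order_id = 90210",
     ["4111 1111 1111 1111"], ["order_id = 90210"]),
    ("SELECT * FROM payments WHERE card_no = '5500-0000-0000-0004'",
     ["5500-0000-0000-0004"], ["payments"]),
    ("INSERT INTO cards VALUES (17, '340000000000009')",
     ["340000000000009"], ["VALUES (17"]),
]

# Candidate expressions an administrator might try.
CARD16 = r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"   # misses 15-digit numbers
BROAD = r"\d+"                                        # hides every number
CARD_ANY = r"\b\d(?:[ -]?\d){12,18}\b"                # 13 to 19 digits

if __name__ == "__main__":
    print(check_pattern(r"(\d{4}"))
    for name, pattern in [("CARD16", CARD16), ("BROAD", BROAD), ("CARD_ANY", CARD_ANY)]:
        print(name, evaluate(pattern, CASES))
```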

Installing/Removing vpatch Rules

By default, vpatch rules are automatically installed on all DBMSs during the installation process. Nonetheless, you can manually remove vpatch rules from and/or install vpatch rules on some or all DBMSs.

Installing vpatch Rules on DBMSs and DBMS Groups

You can install all or a filtered group of vpatch rules on specific DBMSs or DBMS groups.

To install all/multiple vpatch rules on DBMSs/DBMS groups:
1 In the vpatch Rules tab, filter the vpatch Rules list to display all rules or only the rules that you want to install on the DBMS(s).
2 Click Install Rules on DBMSs. The Install on DBMSs and DBMS Groups page is displayed.
3 Select the DBMSs or DBMS Groups to which you want to attach the rules from the DBMSs and DBMS Groups list or select All DBMSs to install the vpatch rules on all DBMSs.
   Note: To remove a DBMS selection, clear the corresponding checkbox.
4 Click Save. All of the rules currently displayed in the vpatch Rules list are attached to the DBMS(s). (Rules that are not displayed per filter criteria are not attached.)

To install a single vpatch rule on DBMSs/DBMS Groups:
1 In the vpatch Rules tab, click the Properties icon in the row for the rule that you want to install. The Rule Properties page is displayed.
2 Click Install On next to the DBMSs and Groups. The Install on DBMSs and DBMS Groups page is displayed.
3 Select the DBMSs or DBMS Groups to which you want to attach the rule from the DBMSs and DBMS Groups list or select All DBMSs to install the vpatch rules on all DBMSs.
   Note: To remove a DBMS selection, clear the corresponding checkbox and click Save.
4 Click Save. The rules are attached to the DBMS.

Removing vpatch Rules from DBMSs and DBMS Groups

You can remove all or a filtered group of vpatch rules from specific DBMSs or DBMS groups.

To remove all/multiple vpatch rules from DBMSs/DBMS groups:
1 In the vpatch Rules tab, filter the vpatch Rules list to display all rules or only the rules that you want to remove from the DBMS(s).
2 Click Remove Rules from DBMSs. The Remove Rules from DBMSs and DBMS Groups page is displayed.

3 Select the DBMSs or DBMS Groups from which you want to remove the rules or select All DBMSs to remove the vpatch rules from all DBMSs.
4 Click Remove. All of the rules currently displayed in the vpatch Rules list are removed from the DBMS(s). (Rules that are not displayed per filter criteria are not attached.)

Updating the Security Level of the vpatch Rules

You can select the security levels you want to apply to virtual patches. This determines which vpatch rules are in effect in your databases. For example, you can decide whether to receive alerts from low confidence rules or alerts about attacks relevant to Oracle 8i only, even when Oracle 10g is the target. This feature enables you to control the tradeoff between security level and performance.

You can view the current security level at the top right corner of the vpatch rules page.

To edit the security level:
1 In the vpatch Rules tab, click the security level. The Security Level dialog is displayed.
2 Select the Security Level you want to apply and click Save.
   Note: When you select a security level, its description is displayed in the dialog.

9.4 Managing Custom Rules

Based on your organization's ongoing monitoring of potential risks, custom rules can be defined to provide protection against activity that is considered suspicious according to your IT policy and to help you protect specific DBMSs according to their functionality. For example, you may want to monitor access to sensitive tables in an HR DBMS, such as tables that contain employee compensation information, or you may want to protect against the usage of SQL query tools that are not allowed in your organization.

This section includes the following topics:
Creating a Custom Rule
Changing the Order of Custom Rules
Editing a Custom Rule
Removing a Custom Rule

Creating a Custom Rule

You can create and enable custom rules that determine how statements received by the DBMS are handled. Rules can be used to allow statements that match, or they can be used to generate alerts regarding suspicious statements. A rule can also be used to automatically terminate potentially dangerous sessions.

Each rule consists of one or more comparator statements. The relationship between multiple comparator statements is based on Boolean logic, using AND, OR, or NOT.

You can define exceptions to a rule that does not allow certain conditions by creating an Allow rule for the exception case and placing it before the rule in the Rules list. You can also create an exception within the rule itself.

New rules can be defined using the Rule Creation wizard or in the New Rule page as described in the following sections:
Creating a Rule with the Rule Creation Wizard
Creating a Rule in the New Rule Page

Creating a Rule with the Rule Creation Wizard

The Rule Creation wizard breaks the rule definition process down into individual steps, making it easy for you to create custom rules to meet the specific needs of your enterprise. If you are new to the rule creation process, it is recommended that you take advantage of the wizard's guided process when creating your first rule(s).

To create a rule using the wizard:
1 In the Custom Rules tab, click Create New Rule with Wizard. The Rule Creation wizard is displayed.

2 In the Name field, enter a name for the rule. It is recommended that the name selected clearly reflect the nature of the rule (for example, Sensitive HR tables or PCI-DSS password protection). Click Next. The Rule Trigger page of the wizard is displayed.
3 In the If fields, define the first rule comparator statement as follows:
   In the first field, type the first letter of the Identifier name and select the required Identifier from the dropdown list.
   In the second field, select the required operator from the dropdown list.
   In the third field, enter the literal component to be matched. If the literal component is a string, the text must be enclosed in single quotation marks.
   Click Add. The comparator statement appears in the textbox.
   Notes:
   For a detailed description of rule comparator statements and their syntax, refer to 9.6 Rule Syntax.
   Alternatively, you can enter the comparator statement directly into the text box below the If fields, entering a space to access the respective dropdown lists.
   To turn off the auto-completion feature, select Disable auto completer.
4 If the rule is to include more than one comparator statement, enter the relevant Boolean operator (AND, OR, or NOT) in the fourth field and then define the next comparator statement. Repeat for additional comparator statements as required.
   Note: You can define rule objects, which can then be used as components in other rules. For example, a rule object could be used in the definition of a rule intended to allow a specific range of IP addresses. For details, refer to 9.7 Managing Rule Objects.
   Note: If there is a problem with the rule syntax, the validation is not successful and a message is displayed accordingly. For example, if you failed to enclose a text string in single quotation marks, a message is displayed regarding an unexpected token.
5 Click Next. The Rule Action page of the wizard is displayed.

6 In the Then area, select the action(s) to be taken when a statement matches the rule.
7 To send an alert if the rule is matched, select Send Alert to and select the relevant alert options:
   To generate an alert in the Alert screen, select Alert Hedgehog Console and then select the alert priority from the dropdown list (Low, Medium or High).
   To send an alert as an SNMP trap if the rule is matched, select SNMP Trap.
   Note: If SNMP is not enabled in the System SNMP properties, this option is disabled.
   To send a message using Twitter if the rule is matched, select Twitter.
   Note: If Twitter is not enabled in the System properties, this option is disabled.

   To configure notification in addition to the alert in the log, select , and select the importance to be assigned to the message from the dropdown list (Low, Medium or High).
   Note: The server settings must be configured in the System screen in order to route e-mail alerts correctly.
   To send an alert only to the archive (without displaying it in the Hedgehog console or any other location), select Archive. This option is suitable for auditing information that does not need to be monitored on a day-to-day basis.
   To send an alert to the Syslog if the rule is matched, select Syslog.
   To send an alert to the Winlog if the rule is matched, select Winlog.
   To send the alert to the log file, select Log to file.
8 To terminate a session if the rule is matched, select Terminate.
   Note: This option should be used sparingly because terminating sessions can disrupt legitimate business transactions. We recommend using the terminate option only if the following conditions are met:
   You are certain that the rule will not create false positives (it is recommended to use the rule first in alert only mode to make sure that legitimate traffic is not affected).
   The risk involved with the rule condition is very high.
   The application is such that terminating a session causes only minimal disruption to other transactions.
   If you select Terminate, the Quarantine option is displayed. To quarantine a user, select the Quarantine checkbox and enter the number of minutes during which the user is to be prevented from reconnecting.
   Note: Quarantine is done based on the quarantine settings in the System tab. You can quarantine based on the IP address, the DBMS user, the terminal, and more (or any combination of the above). Be sure to edit the quarantine settings before you enable quarantine on any of your rules. (The quarantine settings are configurable under System->Quarantine->Settings).
9 To enable the VPN-1/FireWall-1 to block the connection, select Create VPN-1 SAM rule and configure the following parameters:
   Select the type of VPN blocking action to be taken from the Action dropdown list.
   Enter the name of the gateway in the Gateway field and enter the number of minutes for which the connection is to be blocked in the adjacent field.
10 To allow the statement to be processed if the rule is matched, select Allow. (This enables you to create an exception to a rule that appears later in the policy.)
11 To stop the matching process if a rule is matched, select Stop Verifying Additional Rules. This is the default setting when the Rule Action is set to Allow. If this option is not selected the matching process will continue to search for a match.
12 (Optional) Expand the Advanced section to configure the advanced parameters:

   Script: Specify a script that is to be run when a statement matches the rule (SQL*Plus script in Oracle and T-SQL run by OSQL in Microsoft SQL Server).
   Limit alerts per second: Set the maximum number of alerts that can be generated per second or Unlimited (the default value).
   Limit alerts per session: Set the maximum number of alerts that can be generated per session or Unlimited (the default value).
   To prevent the display of sensitive data in alerts, select Mask Sensitive Data and enter a regular expression in the Regular Expressions text box using standard regular expression syntax.
   Note: For more information on standard regular syntax, see:
   To check the validity of the regular expression, click Test. In the Test Regular Expression dialog box, enter a value to be masked and click Test.
   To apply an action only in response to repetitive or excessive behavior, select Apply action when rule triggers. Then, in the adjacent fields, specify the minimum number of alerts within the number of seconds, minutes or hours, required to trigger the actions. When this option is configured, a single alert is generated for multiple instances of the same rule violation. In the Alerts list, the icon is displayed to indicate alerts triggered due to excessive behavior and the alert details are displayed for the last transaction to violate the rule.
13 To select the DBMSs to which the rule is to be applied, click Install On. The Install on DBMSs and DBMS Groups page is displayed.

14 Select one or more relevant DBMSs and/or DBMS Groups, and click Save to return to the rule definition page. The selected DBMSs and DBMS Groups are listed in the DBMSs and DBMS Groups fields respectively.
15 To assign a tag to the rule, enter the tag name in the Tags field or enter a space in the field to select the tag from the dropdown list.
16 By default, all users can edit the properties of a custom rule. To limit the ability to edit the properties of this rule to specific users or users assigned to a specific role, enter the user names or role names in the Role Restriction field.
17 Click Next. The Rule Comment page of the wizard is displayed.
18 In the Comments field, enter a free text description/comment. It is recommended that you indicate the reason for creating the rule.

19 Click Next. The Enable Rule page of the wizard is displayed.
20 To enable the rule, select Enable Rule.
   Note: You can enable/disable the rule at any time by selecting/clearing the Enable Rule checkbox.
21 Click Finish to save the rule. The rule is validated and saved.
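The Mask Sensitive Data and Apply action when rule triggers options in step 12 can be rehearsed offline before a rule is enabled. The following is an added example, not Hedgehog code: it assumes that masking replaces each regular expression match with asterisks and that counting restarts after an alert is raised, and the patterns, statements and timestamps are constructed sample data.

```python
import re
from collections import deque

# Constructed masking patterns: CARD tolerates separators, NAIVE only matches 16 bare digits.
CARD = r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"
NAIVE = r"\d{16}"


def mask_sensitive(text, pattern):
    """Replace every match with asterisks (assumed masking behaviour)."""
    return re.sub(pattern, lambda m: "*" * len(m.group()), text)


def unmasked_samples(pattern, samples):
    """Offline counterpart of the Test button: samples that still show 4+ digits in a row."""
    return [s for s in samples if re.search(r"\d{4}", mask_sensitive(s, pattern))]


class ThresholdRule:
    """Raise a single alert once min_alerts violations fall inside window_seconds."""

    def __init__(self, min_alerts, window_seconds, mask_pattern=None):
        self.min_alerts = min_alerts
        self.window = window_seconds
        self.mask_pattern = mask_pattern
        self.hits = deque()  # (timestamp, statement) of violations still inside the window

    def violation(self, timestamp, statement):
        """Record one rule match; return an alert dict when the threshold is reached."""
        self.hits.append((timestamp, statement))
        while timestamp - self.hits[0][0] > self.window:
            self.hits.popleft()  # too old to count towards the threshold
        if len(self.hits) < self.min_alerts:
            return None
        count, last = len(self.hits), self.hits[-1][1]
        self.hits.clear()  # assumption: counting restarts after the alert
        if self.mask_pattern:
            last = mask_sensitive(last, self.mask_pattern)
        # The alert carries the details of the last violating statement only.
        return {"time": timestamp, "violations": count, "statement": last}


def replay(events, rule):
    """Feed (timestamp, statement) pairs to the rule and collect the alerts raised."""
    alerts = []
    for timestamp, statement in events:
        alert = rule.violation(timestamp, statement)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed violations: (seconds since start, statement). 4111... is a test card number.
BARE = "SELECT * FROM cards WHERE pan = '4111111111111111'"
HYPHEN = "SELECT * FROM cards WHERE pan = '4111-1111-1111-1111'"
SPACED = "SELECT * FROM cards WHERE pan = '4111 1111 1111 1111'"
EVENTS = [(0, BARE), (20, HYPHEN), (45, SPACED), (200, BARE),
          (400, HYPHEN), (430, BARE), (455, SPACED)]

if __name__ == "__main__":
    for alert in replay(EVENTS, ThresholdRule(3, 60, CARD)):
        print(alert)
    print("not masked by NAIVE:", unmasked_samples(NAIVE, [s for _, s in EVENTS]))
```

Running the candidate pattern over every format the sensitive value can take, as `unmasked_samples` does, shows whether a pattern that passes a single value in the Test dialog still lets other formats through.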

Creating a Rule in the New Rule Page

You can create custom rules in the New Rule page, defining all of the rule properties in a single window.

Note: If you are new to the rule creation process, it is recommended that you take advantage of the wizard's guided process when creating your first rule(s).

To create a rule:
1 In the Custom Rules tab, click Create New Rule. The New Rule page is displayed.

2 In the Name field, enter a name for the rule. It is recommended that the name selected clearly reflect the nature of the rule (for example, "Sensitive HR tables" or "PCI-DSS password protection").
3 In the If area, define the first rule comparator statement, as described in step 3 of Creating a Rule with the Rule Creation Wizard, and click Add.
   Tip: To enlarge the If area, for better viewing of long statements, click Increase rule edit box.
   Note: For a detailed description of rule comparator statements and their syntax, refer to 9.6 Rule Syntax.
4 If the rule is to include more than one comparator statement, enter the relevant Boolean operator (AND, OR, or NOT) and then define the next comparator statement. Repeat for additional comparator statements as required.
   Note: You can define rule objects, which can then be used as components in other rules. For example, a rule object could be used in the definition of a rule intended to allow a specific range of IP addresses. For details, refer to 9.7 Managing Rule Objects.
   Note: If there is a problem with the rule syntax, the validation is not successful and a message is displayed accordingly. For example, if you failed to enclose a text string in single quotation marks, a message is displayed regarding an unexpected token.
5 To create an exception to this rule, click Add Exception. An exception edit box is opened below the rule edit box. In the Exception edit box, enter a comparator statement that defines the conditions which when matched are treated as an exception to this rule.
   Note: For a detailed description of rule comparator statements and their syntax, refer to 9.6 Rule Syntax.
   Repeat to define additional exceptions as required. To delete an exception, click the adjacent Remove link.
6 In the Then area, select the action(s) to be taken when a statement matches the rule, as described in step 6 of Creating a Rule with the Rule Creation Wizard.
7 To select the DBMSs to which the rule is to be applied, click Install On. The Select DBMSs and DBMS Groups page is displayed.
8 Select one or more relevant DBMSs and/or DBMS Groups, and click Save to return to the rule definition page. The selected DBMSs and DBMS Groups are listed in the DBMSs and DBMS Groups fields respectively.
9 To assign a tag to the rule, enter the tag name in the Tags field or enter a space in the field to select the tag from the dropdown list.
10 In the Comment field, enter a free text description/comment. It is recommended that you indicate the reason for creating the rule.
11 To enable the rule, select Enable Rule.
   Note: You can enable/disable the rule at any time by selecting/clearing the Enable Rule checkbox.
12 Click Finish to save the rule. The rule is validated and saved.

Cloning a Rule

You can create a new rule by cloning an existing rule. This eliminates the need to define all of the rule properties from scratch when creating rules that share many common properties.

To clone a rule:
1 In the Custom Rules list, click in the row for the rule that is to be cloned. The New Rule page is displayed, with the properties of the original rule configured by default.
2 Change the rule name and modify specific rule properties as required. (For a detailed description of the rule parameters, refer to Creating a Rule in the New Rule Page.)
3 Click Finish to save the rule. The rule is validated and saved.

Changing the Order of Custom Rules

The order of the rules in the Custom Rules list is important. The first rule that is matched is the rule that is applied to the statement. If a statement does not match any of the existing rules, the statement is allowed.

The Hedgehog system enables you to create a policy according to your preferences and security requirements in various ways. Fundamentally, there are two approaches to defining policy:
   - White List approach, which resembles the approach of firewalls, whereby you determine all the allowed actions first and then alert on all other actions (assuming that all other actions are suspect).
   - Black List approach, which resembles the approach of IDS/IPS systems, whereby everything is allowed except actions that are considered suspect.

Hedgehog users normally create a policy that integrates elements of both approaches, for example, using a Black List approach for all known attacks, while using a White List approach for the use of development SQL tools.

Note: Incoming statements are checked against the vpatch Rules list before they are checked against the Custom Rules list.

To change the position of a rule:
Select the rule in the Rules list and then drag the position indicator on the slider to a new location. For example, to move the rule to the top of the list, drag the indicator to the top of the slider.

Editing a Custom Rule

You can edit the properties of a rule in the Custom Rules tab of the DBMS Properties window.

To edit a rule:
1 In the Custom Rules list, click the name of the rule that you want to edit. The rule properties are expanded to display the options that comprise the rule definition.
2 Edit the rule comparator statement(s), actions, and other parameters, as required. For details, refer to Creating a Custom Rule.
3 Click Save to update the rule.

Removing a Custom Rule

You can remove a rule from the Custom Rule list.

Note: You cannot remove a rule from the vpatch Rules list.
Tip: Only remove a rule if you are sure that you will not need it in the future. If you may need it again, you can temporarily disable it.

To remove a rule:
1 In the Custom Rules list, click in the row for the rule that is to be removed. A confirmation message is displayed.
2 Click OK. The rule is removed from the list.

9.5 Importing and Exporting Rule Settings

You can import and export vpatch and custom rule settings, including exceptions. When you import or export a custom rule, the entire rule is copied (not just the settings).

To export a rule:
1 In the vpatch or Custom Rules tab, click Export Rule. A File Download dialog box is displayed.
2 Click Save and select the location where you want to save the file.
3 Click Save. The file is saved in the specified location.

To import a rule:
1 In the vpatch or Custom Rules tab, click Import Rule. The Import Rule dialog box is displayed.
2 Browse and select the file you want to import and click Import. The file is imported. If identical rule objects exist in the system, the Duplicate Rule Object dialog box is displayed:

3 Select the checkboxes for the rules that you want to overwrite, and click Continue. The selected rules are overwritten.

9.6 Rule Syntax

Each rule consists of one or more comparator statements, which comprise Identifiers, Operators and Literals. The relationship between multiple comparator statements is based on Boolean logic, using AND, OR, or NOT. Comparator statements can be grouped using parentheses. If parentheses are not used, the order of precedence is:
1. NOT
2. AND
3. OR

This section includes the following topics:
   - Rule Examples

   - Identifiers
   - Operators

Rule Examples

The following examples are provided to illustrate the rule syntax.

Example 1

   OSUSER = 'john' AND APPLICATION CONTAINS 'sqlplus' AND HOST = 'johnlaptop.localdomain' AND IP =
   Action: Allow

The above rule allows john to use SQL*Plus from his station (defined by host name and IP address), thereby bypassing many of the rules that come later (such as preventing SQL*Plus from being used).

Example 2

   APPLICATION CONTAINS 'sqlplus' OR APPLICATION CONTAINS 'toad'
   Action: Log-high, -high, terminate

This rule terminates any access by the applications Toad or SQL*Plus. It also sends an alert and an email to the Hedgehog administrator.

Example 3

   STATEMENT CONTAINS 'emps'
   Action: log-medium

This example assumes that the columns emps.* include sensitive data that require protection and that emps.salary and emps.cc are particularly sensitive. This rule provides an alert every time an SQL statement includes the string 'emps', alerting on any access attempt to columns containing the name emps (as well as any other SQL statement component that includes the string 'emps'). Note that even when the user is not actually accessing the objects (e.g. the DBMS prohibits access based on authorization rules), this rule generates alerts (in contrast to using the object option, see example 4 below).

Example 4

   OBJECT = 'emps.salary' OR OBJECT = 'emps.cc'
   Action: log-high, -high

This example assumes that the tables emps.salary and emps.cc are particularly sensitive. This rule provides a high level alert and an email each time the specified objects are accessed. Note that, in this case, if the DBMS successfully restricts the user from accessing the objects, an alert will not be generated (because the object is not accessed).

Example 5

   Statement contains drop session                    Alert low
   Statement contains alter DBMS                      Alert low
   Statement contains drop table                      Alert Low
   Statement contains grant                           Alert low
   Statement contains grant dba                       Alert medium
   Statement contains grant sysdba                    Alert medium
   Statement contains noaudit and osuser not johnd    Alert high high

In this example, the user receives alerts when various DDL commands are executed, and a high importance email is sent to the administrator when someone other than the DBA attempts to stop auditing.

Identifiers

There are three basic types of identifiers:
   - String-based: Types that are matched against strings.
   - Number-based: Types that can be translated into a number representation. Numbers may be in a specific range. Number-based types may be enforced to equal only a fixed set of constants.
   - Enumerated: Types that represent a fixed set of constants that cannot be translated into a number representation.

Hedgehog supports the following identifiers (the type is indicated in parentheses):
   - action: (string) The application action.
   - application: (string) The application used to connect to the DBMS.
   - client_appl_name: (string) Sybase client application name (Sybase only)
   - client_host_name: (string) The Sybase client host name (Sybase only)
   - client_name: (string) The Sybase client name (Sybase only)
   - clientid: (string) The application set clientid accessing the DBMS. (Oracle only)
   - cmdtype: (string) An action the statement is trying to perform, for example, select.
   - context_info: (string) Microsoft SQL context information (Microsoft SQL only)
   - date: (number) The date on which the statement is executed. The date must be in the form MM/DD/YY (US date format), for example 1/25/07.
   - day: (number) The day of the month on which the statement is executed. An integer in the range of
   - enduser_action: (string) The type of web request (e.g. enduser_action = 'GET') (with IDentifier only)

   - enduser_ip: (number) The end user's IP address (with IDentifier only)
   - enduser_module: (string) The end user's application module (with IDentifier only)
   - enduser_name: (string) The end user's name (with IDentifier only)
   - host: (string) The domain name of the connecting application.
   - hour: (number) The hour in which the statement is executed. The hour must be in the form HH[:MM] where HH is in the range of 0-23 and MM in the range of Note the minutes setting is optional.
   - inflow: (string) The inflow PL/SQL object that originated the current executing statement. Same format as object.
   - inflowsql: (string) The SQL statement part that originated the current executing command.
   - instance: (string) The instance on which the execution takes place. In Oracle this value is the sid of the database instance. In Sybase this value is the instance name. In MS SQL it is the full instance name including the host (for example: MYHOST\SQLSERVER).
   - ip: (number) The IP address the statement is executed from. IP addresses must be in the form of: XXX.XXX.XXX.XXX (single IP address) or XXX.XXX.XXX.XXX/YYY.YYY.YYY.YYY (IP with subnet). Each IP address is validated by the Hedgehog system to prevent errors.
   - module: (string) The application set module.
   - month: (number) The month in which the statement is executed: JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER. Alternatively, the short form of the month name is also supported, for example: JAN.
   - object: (string) The DBMS object being accessed. Supports a syntax of the form [owner.]objectname. DBMS objects can be tables, triggers, stored procedures, and so on. In Oracle the format is owner.objectname; in MS SQL and Sybase it is database.owner.objectname
   - osuser: (string) The operating system user.
   - schema: (string) The schema of the DBMS
   - session_state: Three options: session_state=new_session for monitoring session logins, session_state=end_session for log outs, and session_state=execute for all other statements
   - statement: (string) The raw statement sent to the server.
   - terminal: (string) The machine on which the user is logged in.
   - user: (string) The DBMS user that is accessing the DBMS.
   - version_mssql: (number) (rarely used) The Microsoft SQL version (e.g. version_mssql = for the relevant version of MS SQL 2005)
   - version_oracle: (number) (rarely used) The full 5-digit oracle version. For example:

   - version_sybase: (number) (rarely used) The Sybase particular version (e.g. version_sybase = )
   - weekday: (value) The day of the week on which the statement is executed: SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY. Alternatively, the short form is also supported, for example: TUE.

Note: All rules are case insensitive. An identifier can be specified in lower case, upper case or a combination of both. For example: user, User, USER, user are all legal for the user identifier. Additionally, constant values are case insensitive so SUNDAY and SunDAy are equivalent.

Operators

Hedgehog supports the following operators:
   =                Equals (all types)
   <                Less than (number types only)
   >                Greater than (number types only)
   <=               Less than or equal to (number types only)
   >=               Greater than or equal to (number types only)
   <>               Not equal to (all types)
   (not)? like      Compare to a string supporting the '%' character as a symbol to any string (string types only)
   (not)? between   Check if an identifier is between two values (number types only)
   (not)? in        Check if an identifier is in a list of values (all types)
   (not)? matches   Perform a regular expression match (string types only)
   (not)? contains  Perform a simple and fast string match (string types only)

In addition, you can use the 'length' operator before any identifier to indicate a condition on the field's length. For example:
   - "length statement > 1024" will catch statements longer than 1024 bytes.
   - "length user < 10" will catch SQL statements where a DB username length is shorter than 10 characters.

9.7 Managing Rule Objects

You can define rule objects, which can then be used as components in other rules. This can be particularly helpful when working with Allow rules. For example, a rule object could be used in the definition of a rule intended to allow a specific range of IP addresses.

Note: This functionality is available for Hedgehog Enterprise or vpatch users only.
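The precedence and operators from 9.6 Rule Syntax, together with the first-match behaviour described under Changing the Order of Custom Rules, can be checked offline with a small evaluator. The following is an added example, not Hedgehog's parser: it covers only =, <>, the numeric comparisons, like, contains and length, and it assumes that IP literals are written unquoted and that session fields arrive as a dictionary keyed by identifier name. The policy, the IP range and the session values are constructed.

```python
import ipaddress
import operator
import re

TOKEN = re.compile(r"\s*(<=|>=|<>|[=<>()]|'[^']*'|[\w./%-]+)")
NUMERIC = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
           ">": operator.gt, "<=": operator.le, ">=": operator.ge}
STRING_OPS = {"=", "<>", "like", "contains"}

def tokenize(text):
    tokens = TOKEN.findall(text)
    if "".join("".join(tokens).split()) != "".join(text.split()):
        raise SyntaxError("unexpected token")  # e.g. an unterminated quote
    return tokens

def make_test(ident, op, value, use_len):
    if op not in (NUMERIC if use_len else NUMERIC.keys() | STRING_OPS):
        raise SyntaxError(f"unexpected token {op!r}")
    def test(session):
        field = str(session.get(ident, ""))
        if use_len:  # e.g. "length statement > 1024" (characters here, not bytes)
            return NUMERIC[op](len(field), int(value))
        if ident == "ip" and op in ("=", "<>"):  # single address or address/netmask
            inside = ipaddress.ip_address(field) in ipaddress.ip_network(value, strict=False)
            return inside == (op == "=")
        f, v = field.lower(), value.lower()  # rules are case insensitive
        if op == "contains":
            return v in f
        if op == "like":  # '%' stands for any string
            return re.fullmatch(".*".join(map(re.escape, v.split("%"))), f, re.S) is not None
        if op in ("=", "<>"):
            return (f == v) == (op == "=")
        return NUMERIC[op](float(field), float(value))
    return test

def compile_rule(text):
    toks = tokenize(text)[::-1]  # reversed, so pop() yields the next token

    def peek():
        return toks[-1].lower() if toks else None

    def take():
        if not toks:
            raise SyntaxError("unexpected end of rule")
        return toks.pop()

    def binary(level):  # level 0 = OR (binds loosest), level 1 = AND
        word, combine = (("or", any), ("and", all))[level]
        operand = not_expr if level else (lambda: binary(1))
        terms = [operand()]
        while peek() == word:
            take()
            terms.append(operand())
        return lambda s: combine(t(s) for t in terms)

    def not_expr():  # NOT binds tightest
        if peek() == "not":
            take()
            inner = not_expr()
            return lambda s: not inner(s)
        if peek() != "(":
            return comparison()
        take()
        inner = binary(0)
        if take() != ")":
            raise SyntaxError("expected ')'")
        return inner

    def comparison():
        if use_len := peek() == "length":
            take()
        ident = take().lower()
        if negate := peek() == "not":  # "(not)? like", "(not)? contains"
            take()
        op, lit = take().lower(), take()
        if not (lit.startswith("'") or lit[0].isdigit()):  # unquoted text string
            raise SyntaxError(f"unexpected token {lit!r}")
        test = make_test(ident, op, lit.strip("'"), use_len)
        return (lambda s: not test(s)) if negate else test

    rule = binary(0)
    if toks:
        raise SyntaxError(f"unexpected token {toks[-1]!r}")
    return rule

def first_match(policy, session):
    """Apply the first rule that matches; a statement matching no rule is allowed."""
    for name, rule, action in policy:
        if compile_rule(rule)(session):
            return name, action
    return None, "allow"

# Constructed policy in list order; the IP range and session values are made up.
POLICY = [
    ("john-sqlplus", "OSUSER = 'john' AND APPLICATION CONTAINS 'sqlplus' AND "
     "HOST = 'johnlaptop.localdomain' AND IP = 10.1.2.0/255.255.255.0", "allow"),
    ("no-dev-tools", "APPLICATION CONTAINS 'sqlplus' OR APPLICATION CONTAINS 'toad'", "terminate"),
]
JOHN = {"osuser": "john", "application": "SQLPLUS.EXE", "host": "johnlaptop.localdomain", "ip": "10.1.2.7"}
```

Evaluating `first_match` on the same session with the list reversed returns the terminate rule instead of the Allow rule, which is the effect of rule order that the guide describes.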

Rule objects are managed in the Rule Objects tab of the Rules page. Hedgehog is provided with several predefined rule objects. These predefined objects are used in the predefined rules and are listed in the Rule Objects tab.

From the Rule Objects tab, you can:
   - Add a new rule object, as described in Creating a Rule Object.
   - View the properties of an existing rule object, as described in Viewing/Editing Rule Object Properties.
   - Delete a rule object, as described in Deleting a Rule Object.

Creating a Rule Object

You can define a rule object and then use that object in multiple rules.

To add a rule object:
1 In the Rule Objects tab, click New Object. The Object Properties page is displayed.
2 From the Type list, select the type of identifier for the rule object.
3 In the Name field, enter a name for the rule object.
4 In the Value field, set the object value (according to the selected type).
5 In the Comment field, enter a brief comment or description.
6 If you want to define this object as a dynamic object and enable the use of LDAP Security groups for this rule object in creating rules, select Dynamic Object.
   Note: The use of dynamic objects is enabled only if LDAP is enabled.
7 If you want to upload a list of values from an existing file, enter the file location in the File upload field, or click browse to locate and select the file. Then click Upload to upload the list.
8 Click Save. The rule object is automatically added to the list of available values according to Identifier type and can be used in rule definitions.

Viewing/Editing Rule Object Properties

You can view and edit the properties of an existing rule object.

To view/edit a rule object's properties:
1 In the Rule Objects tab, click the Properties icon in the row for the rule object. The Rule Object Properties page is displayed.
2 Edit the rule object properties, as required, and click Save.

Deleting a Rule Object

You can delete a rule object that is no longer needed; however, it is recommended that you do so only if you are absolutely sure that it is not included in the definition of existing enabled rules.

Important: If you remove a rule object that is included in an existing rule definition, the rule is automatically disabled and is removed the Rule Errors list. Use caution when deleting rule objects.

To delete a rule object:
1 In the Rule Objects tab, click in the row for the rule object to be deleted. A confirmation message is displayed.
2 Click OK to confirm. The rule object is removed from the Rule Objects list. Any existing rules that incorporate the rule object are automatically invalidated.

9.8 Application Mapping

Application mapping is performed per DBMS and provides additional information regarding the activities taking place on the DBMS, including which applications are being run on the DBMS and by which users. To minimize the impact on the DBMS, the system collects a sampling of information in the background and a message is sent to the user when sufficient data has been collected to be useful for analysis purposes.

Note: Application mapping can be configured only for DBMSs that are monitored by sensors, version 3.1 and above.

Creating an Alert Rule

You can create a rule that defines the conditions for alerts regarding application mapping on the DBMS. You can create an alert rule from scratch (as described herein) or based on the display settings for a specific DBMS.

To create an Alert rule:
1 In the Application Mapping tab of the Rules page, select Audit Wizard. The Audit Wizard page is displayed.
2 From the Select DBMS dropdown list, select the DBMS to which the rule will apply. Basic statistics are displayed indicating the scope of application mapping information collected for the DBMS.
3 In the Audit by area, select Full Audit to perform application mapping for all elements on the DBMS or select one of the available elements from the dropdown list (for example, Application, Host, IP, Module, Schema, or Terminal).

   The page is refreshed according to the selected element type. For example, if Application is selected the page is refreshed to enable you to select one or more applications:
4 Select the checkboxes for the elements to which the rule is to apply. For example, if you opt to audit by application, you can select one or more applications.
5 In the Rule statement area, enter the rule comparator statement(s). For a detailed description of rule comparator statements and their syntax, refer to 9.6 Rule Syntax.
6 (Optional) To create an exception to the rule, click Edit Filters in the Rule Exceptions area. The Rule Exceptions area is expanded to display the available exception categories in a tree-like hierarchy.
7 Select the exception category from the Exceptions tree, and then select the checkbox(es) for the elements to be ignored. The resulting exception is displayed in the Exception(s) selected text box.
8 Repeat for additional exception categories as required.
9 Click Create Rule to save the rule. The rule is validated and added to the Custom Rules list.

Using the Application Mapping DBMS Access Info

After Hedgehog collects sampled information about the access to the DBMS, the Access Info page shows detailed information about the most commonly used clusters of applications, users, IPs, and so on that have accessed the DBMS during the sampling period, including a count for each such cluster.

This information can be used to create exception rules (for example, when a certain combination of IP address, application and user are audited elsewhere or are of no security/audit interest). Alternatively, the information gathered can be used to create monitoring rules (for example, alert or audit each time the combination of user x, application y and IP z is detected).

You can define exceptions to your custom rules by creating an Allow rule for the exception case and placing it before the relevant rules in the Custom Rules list. You can also create an alert rule for a specific combination.

To create a mapping exception rule:
1 In the Application Mapping tab of the Rules page, select DBMS Access Info. The DBMS Access Info page is displayed.

2 From the Select DBMS dropdown list, select the DBMS to which the rule will apply.
3 (Optional) To filter the list of display settings for the DBMS, enter the relevant criteria in the Filter area and click Apply. The Display Settings table is filtered according to your selections.
4 Create the mapping rule as follows:
   - To create an Allow rule, click the blue New icon in the row for the entry that is to be allowed. The Allow rule is created and added to the Custom Rules list.
   - To create an Alert rule, click the orange New icon in the row for the entry for which you want to create an alert rule. The Audit wizard page is displayed. Configure the alert details, as described in Creating an Alert Rule.
5 Repeat for additional entries in the table, as required.

9.9 Working with Tags

You can use special tags to facilitate the systematic application of rules for specific purposes to specific DBMSs. Tags are applied to specific rules. The tags can then be used to apply multiple rules to a DBMS. The use of tags is intended for advanced users of the Enterprise version and is purely optional. Tags are created in the rule definition process. Existing tag assignments can be edited in the rule definition at any time.

Note: This functionality is available for Hedgehog Enterprise users only.

This section includes the following topics:
   - Assigning Tags to Rules
   - Assigning Rules to DBMSs based on Tags

Assigning Tags to Rules

You can assign tags to existing custom rules by creating or selecting the tags in the rule definition.

To assign tags to an existing rule:
1 In the Custom Rules list, click the name of the rule that you want to edit. The rule properties are expanded to display the options that comprise the rule definition.
2 To assign a tag to the rule, enter the tag name in the Tags field or enter a space in the field to select the tag from the dropdown list.
3 Click Save to update the rule.

Assigning Rules to DBMSs based on Tags

You can check the extent to which the rules that include a specific tag are applied to the DBMSs. You can also systematically apply (or remove) rules that have a given tag from a DBMS.

To view the assignment of rules to DBMSs per tag:
1 In the Rules page, select the Tags-DBMSs tab and click View Tags.

   Note: You must have at least one custom rule that includes a tag in order to activate this screen.
2 Select a tag from the Tags drop-down list. The extent to which the rules that include the selected tag are applied to the DBMS/DBMS Groups is indicated in the Tag per DBMSs table, including the following details:
   - DBMS: The name of the DBMS/DBMS Group.
   - Rules Applied: The number of rules that include this tag that are applied to the selected DBMS/DBMS Group relative to the number of rules that include this tag. For example, 25/50 indicates that out of a possible total of 50 rules, 25 of the rules have been applied to the selected DBMS/DBMS Group.
   - Actions: The following actions can be performed from the Tags per DBMSs table on a row-by-row basis:
      - Remove All: Removes all of the rules that include the selected tag from the DBMS/DBMS Group.
      - Apply All: Applies all of the rules that include the selected tag to the DBMS/DBMS Group.

9.10 Viewing Tags per DBMSs/DBMS Groups

The Tags-DBMSs tab shows the distribution of tags according to DBMSs and DBMS groups.

To view the distribution of tags:
1 In the Rules page, select the Tags-DBMSs tab and click View DBMSs.
2 Select the DBMS/DBMS Group from the DBMS Groups and DBMSs drop-down list. The Tag per DBMS Groups and DBMSs table indicates the extent to which the available tags have been applied to the selected DBMS/DBMS Group as follows:
   - Tab: The name of the tag.
   - Rules Applied: The number of rules that include this tag that are applied to the selected DBMS/DBMS Group relative to the number of rules that include this tag. For example, 25/50 indicates that out of a possible total of 50 rules, 25 of the rules have been applied to the selected DBMS/DBMS Group.
   - Actions: The following actions can be performed from the Tags per DBMSs table on a row-by-row basis:
      - Remove All: Removes all of the rules that include the tag from the selected DBMS/DBMS Group.
      - Apply All: Applies all of the rules that include the tag to the selected DBMS/DBMS Group.

9.11 Importing/Exporting Rules

You can import and export rules in XML file format, eliminating the need to define the same rule again for additional DBMSs.

Note: This functionality is available for Hedgehog Enterprise users only.

This section includes the following topics:
   - Exporting Rules
   - Importing Rules

Exporting Rules

You can export a rule that has been defined for one DBMS in order to apply it to another DBMS.

Note: Compliance rules cannot be exported. All rule objects, including those created for the compliance rules, will be exported.

To export a rule:
1 In the Custom Rules tab of the DBMS Properties page, click Export Rules. A dialog is displayed, prompting you to indicate whether you want to open or save the file.
2 Select Save to Disk and click Save. The displayed rules are exported to an XML file. (The location in which the file is saved depends on your default settings.)

Importing Rules

You can import a previously defined rule and apply it to another DBMS.

To import a rule:
1 In the Custom Rules tab of the DBMS Properties page, click Import Rules. The Import Rules dialog is displayed.
2 Browse and select the saved rule file (.XML) and click Import. The rules contained in the file are added to the Rules list.
3 If the imported rule objects already exist in the server, you have the choice of overwriting the existing objects with the imported objects or leaving the currently installed rule objects untouched.
4 After importing the rules, you will need to:
   - Install the imported rules on the relevant DBMS(s).
   - Enable the rules.

Viewing Rule Revisions

Rule revisions and history are important for several reasons, including the need to roll back after mistakes are made in the policy, and to comply with various standards and best practices. You can view the state of rules at any specific point in time and the revisions made to rules over time. Each rule revision entry reflects the existing rules at a given point in time, providing a virtual snapshot of the state of rules in the system.

The Rule Revisions tab lists the following parameters:
   - Revision type: The type of rule(s) or rule object(s) revised.
   - Revision date: The date and time of the revision.
   - Revision creator: The name of the user who performed the revision.
   - Modified rules: The name of the rule(s) modified.

   - Properties: An icon, which when clicked, enables you to view details of the revision to the rule/rule object(s).

From the Rule Revisions tab, you can:
   - Filter the Rule Revisions list, as described in Filtering the Rule Revisions List.
   - View the details of a selected revision, as described in Viewing Rule Revision Details.
   - Compare the details of two revisions, as described in Comparing Revision Details.

Filtering the Rule Revisions List

To facilitate the viewing of rule revision data, you can filter the Rule Revisions list according to various properties.

To filter the Rule Revisions list:
1 Expand the Edit Filters area above the Rule Revisions list.

2 Set one or more filter criteria by entering/selecting the relevant values (for example, type or DBMS name).
3 Click Apply. The list of revisions is filtered to display only those revisions that match the filter criteria.

Viewing Rule Revision Details

You can view the details of a rule revision entry in the Rule Revisions list. The rule revision data details the changes made from one implementation of revisions to the next, indicating whether or not any changes were made to the rules since the previous snapshot was recorded. In addition, you can view the details of a previous revision and roll back to that previous revision if necessary.

To view rule revision details:
In the Rule Revisions list, click the Properties icon in the row for the revision. The Custom Rules Revision page is displayed for the selected rule revision, listing the rules included in the rule set.

The following parameters are listed in the Custom Rules Revision details page:
   - Rule Name: The name of the rule.
   - Rule: The rule properties.
   - Modification: If the rule has been changed since the previous Rule Revisions entry, MODIFIED appears in this column.
   - Show Changed: An icon, which when clicked, enables you to view detailed information regarding the changes made to the rule.

To view the rule modification details:
1 In the Custom Rules Revision page, click the Show Changes icon in the row for the rule. Details regarding the rule modification(s) are displayed in the Rule details page in read-only format.
2 To roll back the rule details to this rule revision, click the Roll back to revision link.

Comparing Revision Details

You can select two revisions in the Rule Revisions list and compare the details of different rule revisions.

To compare revisions:
1 In the Rule Revisions list, select the checkboxes for two revisions and click Compare.
   Note: You can only compare revisions of the same type (Hedgehog will prevent you from comparing, for example, a vpatch revision with a Custom rule revision).

2 To view the details of a specific revision, click the Properties icon in the row for the revision.
3 To roll back the rule details to the older rule revision, click the Roll back to revision link.
Note: You cannot roll back rule objects.

9.13 Configuring Rule Modification and Application Mapping Notifications

You can configure Hedgehog to notify you whenever a rule is modified. If application mapping is enabled, you can also configure the system to automatically purge application mapping alerts when a configured number of alerts is exceeded.

To configure rule modification notifications:
1 In the Rules page, select the Settings tab.

2 Select the Send notification when rule changed checkbox, and enter the address to which the notification is to be sent in the Send to field.
Note: The server settings must be configured in the System screen in order to route alerts correctly.
3 In the Subject field, enter the text that is to appear in the subject line of the notification .
4 In the Quiet Period field, enter the number of minutes during which no further notifications will be sent.
5 In the When Application Mapping alerts exceed fields:
- Set the number of alerts which, when reached, will trigger an automatic purge action.
- Set the number of older alerts to be purged. The alerts will be purged on a first-in-first-out basis, meaning that the oldest alerts are removed and the most recent alerts retained.
- (Optional) To purge all saved mapping alerts for all DBMSs, click Purge All.
Note: To purge all application mapping data for a specific DBMS only, click Purge in the DBMS Properties page for that DBMS.
6 Click Save.

10 Compliance

Hedgehog enables you to create security rules based on established international standards, including PCI_DSS, Sarbanes-Oxley (SOX), SAS-70 and HIPAA. In most cases, it is important to enable vpatch rules on all in-scope databases (if they are not already enabled). A Compliance rule can be applied to all DBMSs or to specific DBMSs and DBMS groups. The Compliance page lists the regulations for which Compliance rules can be configured.

This section includes the following topics:
10.1 Configuring a Compliance Rule
10.2 Saving Partial Compliance Rule Settings
10.3 Editing Compliance Rules

10.1 Configuring a Compliance Rule

Compliance rules are based on a variety of established standards and regulations. Compliance rules are configured using the Hedgehog Compliance Wizard. The specific definitions required in defining a Compliance rule vary based on the type of regulation; therefore, the parameters to be set in the configuration and the number of pages in the Compliance Wizard vary accordingly.

For the purpose of illustration only, the procedure below includes selected pages from within the PCI_DSS Compliance Wizard. Only those pages that include parameters common to all types of regulations are described herein. The parameters in additional pages should be configured based on the Wizard's on-screen instructions.

Notes:
- Clicking Reset in any page resets the default values for that step only.
- If a red message appears after clicking Next, there is a problem with the values set for the indicated parameter. Fix the settings and click Next again.

To configure a compliance rule:
1 In the Compliance page, select the type of regulation for which you want to verify compliance and click Select. The Compliance page is redisplayed, indicating that the respective Compliance Wizard has not been completed and advising you of the information required to configure a compliance rule for the selected type of regulation.

2 Click Configuration Wizard to begin the process of configuring the Compliance rule. The first page of the Hedgehog Compliance Wizard is displayed.
3 Select the DBMSs and/or DBMS Groups to which you want to apply the Compliance rule.
4 Click Next. The Application User Names page of the Compliance Wizard is displayed.

5 Enter the usernames that are used by approved applications to access the DBMS(s) in either of the following ways:
- Enter the usernames in the field provided.
- Import the contents of a CSV file containing the usernames by browsing to select the file and clicking Upload.
Note: From this point onward, you can opt to exit the Wizard and continue the configuration at a later point in time from the point at which you stopped. To do so, click Proceed Later. For details, refer to 10.2 Saving Partial Compliance Rule Settings.
6 Click Next. The next Compliance Wizard page(s) is displayed.
7 Configure the necessary parameters according to the on-screen instructions on each page. Depending on the regulation type, the Cardholder Tables page of the Wizard is displayed a number of pages later.

8 Enter the database tables that contain cardholder data in any of the selected DBMSs in either of the following ways:
- Enter the database tables in the field provided.
- Import the contents of a CSV file containing the database tables by browsing to select the file and clicking Upload.
9 Click Next. The next Compliance Wizard page(s) is displayed.
10 Configure the necessary parameters according to the on-screen instructions on each page. Depending on the regulation type, the DDL Commands page of the Wizard is displayed a number of pages later. The DDL Commands are listed in the DDL page. You do not need to make any changes.

11 Click Next without making any changes. The next Compliance Wizard page(s) is displayed.
12 Configure the necessary parameters according to the on-screen instructions on each page. Depending on the regulation type, the Complete page of the Wizard is displayed a number of pages later.
13 To enable the configured rule, read the instructions carefully and select Enable [Regulation Type] Compliance Rules.
Note: If the above option is not selected, the rule is created but it is not enabled. Make sure that vpatch rules are enabled on all in-scope databases.
14 Click Finish to close the Wizard. A page is added under Compliance for the new regulation, showing the set of rules created based on predefined rule templates for that regulation type, including level and defined action. In addition, you can now filter alerts and other data according to the compliance type by selecting the regulation type from the Compliance dropdown list in the Filter area (where applicable).

10.2 Saving Partial Compliance Rule Settings

Once you have completed the initial pages of the Compliance Wizard, you can opt to exit the Wizard and continue the configuration at a later point in time from the point at which you stopped.

To save the settings before completing the Wizard:
1 In the Compliance Wizard, click Proceed Later. You are prompted to confirm that you want to close the Wizard.
2 Click OK. A popup message indicates that the data has been saved and you can complete the configuration later.

To return to the Wizard:
Select the regulation type and click Configuration Wizard. The Compliance Wizard is displayed. Note that although the Wizard contains the values you previously configured, it is still displayed from its first page. Review your settings and continue from where you left off.

10.3 Editing Compliance Rules

You can edit the settings of a compliance rule.

To edit a compliance rule:
1 In the Compliance page, select the type of Compliance rule regulation to be edited, and click Select. The corresponding Compliance page is displayed.
2 Click Edit Configuration. The Compliance Rules Configuration dialog is displayed.

3 Select the type of action that you would like to take:
- To reconfigure the rule properties, select Reconfigure rules. The Compliance Wizard is displayed, containing the values you previously configured. Review and modify the settings as required based on the on-screen instructions.
- To disable the rules, select Disable rules. A confirmation message is displayed. Click OK.
- To re-enable the rules, select Enable rules.
- To remove the configuration, select Remove configuration completely. Exercise caution in selecting this option - this action cannot be reversed. This action totally deletes the existing configuration. The Compliance Wizard is automatically displayed, prompting you to completely redefine the regulation.

11 Roles

Hedgehog enables you to assign different levels of permissions to different administrators by assigning each admin user to a specific role. Each role comprises a specific set of permissions, which are granted to those users assigned to the role. Hedgehog is provided with predefined roles. You can assign users to predefined roles or you can create and assign new roles.

This section includes the following topics:
11.1 Predefined Roles
11.2 Viewing the Roles List
11.3 Creating a New Role
11.4 Editing the Permissions of an Existing Role
11.5 Removing a Role

11.1 Predefined Roles

Hedgehog is provided with the following predefined roles:
- Read Only: Enables the user to view all screens and settings, but the user cannot make any changes to rules, resolve alerts, and so on.
- Hedgehog Operator: Enables the user to perform operations in the system, but the user cannot change the security policy and related objects.
- Policy Creator: Enables the user to create and edit rules, and configure other system components; however, the policy creator is not authorized to view alerts.
- Read Only Alerts: Provides the user with read-only access to the Dashboard and the Alerts list.

You can edit the permissions assigned to each of these roles to suit the needs of your organization, as described in 11.4 Editing the Permissions of an Existing Role.

11.2 Viewing the Roles List

The Roles tab of the Permission page lists the roles defined for users in the system, including the following parameters:
- ID: The ID number of the role.
- Name: The name of the role.
- Description: A brief description of the role.

- LDAP: If selected, enables you to use your existing system of user groups in your active directory.
- Properties: An icon, which when clicked, enables you to view and edit the properties of the role.
- Remove: An icon, which when clicked, removes the role from the Roles list.

From the Roles tab of the Permissions page, you can:
- Filter the Roles list according to various role properties, as described in Filtering the Roles List.
- View the details of a specific role, as described in Viewing Role Details.
- Create a new role, as described in 11.3 Creating a New Role.

Filtering the Roles List

To facilitate the viewing of data when working with multiple roles, you can filter the Roles list according to various role properties.

To filter the Roles list:
1 Expand the Edit Filters area above the Roles list.
2 Set one or more filter criteria by entering/selecting the relevant values (for example, ID or Name).

3 Click Apply. The list of roles is filtered to display only those roles that match the filter criteria.
Note: To clear all filter selections, click Clear.

Viewing Role Details

You can view the detailed properties of a role in the Role Details page.

To view the role details:
In the Roles list, click the Properties icon in the row for the role. The Role Details page is displayed.

The following role details are displayed in the Role Properties page:
- Name: The name of the role.
- Description: A brief description of the role.
- Selected permissions: A list of the permissions assigned to the role.
- Selected roles: A list of the permission sets assigned to the role.
- View Alert permissions by DBMSs: A list of the DBMSs and DBMS groups for which, if selected, the role is authorized to view alerts.
- View Alert permissions by Rules: A list of the rules for which, if selected, the role is authorized to view alerts.

11.3 Creating a New Role

In keeping with organization-specific needs, you can create multiple roles, each of which comprises a unique set of permissions. A role can also be based on the permissions set of another role, eliminating the need to define each permission in the set separately. This enables you to conveniently create a specialized group of users with the combined permissions of one or more groups and/or specific permissions.

To create a role:
1 In the Roles tab of the Permission page, click Create New Role. The Create New Role page is displayed.
2 In the Name field, enter a name for the role.
3 In the Description field, enter a brief description of the new role.
4 (Optional) To use an existing system of defined users, select the LDAP checkbox. The LDAP server must be configured first in the System screen, see 13.2 Configuring LDAP. A dropdown menu is displayed, listing all LDAP roles detected in the system. Select an LDAP role that matches an existing security group in the active directory and configure the permissions this LDAP role should have in the Hedgehog system.

Notes:
- Please allow 60 seconds between the first configuration of the LDAP server and the definition of the LDAP roles.
- To use more than one LDAP role, create separate roles for each LDAP security group.
5 Select the required permission for the new role from the All Permissions list and click the adjacent button or double-click the permissions to move them to the Selected permissions list.
Note: To remove permissions from the Selected permissions list, double-click the permissions or select the permissions and click.
6 To include the permission set of an existing role in the new role, select the role in the All roles list and click the adjacent button or double-click the role name to move it to the Selected roles list.
Note: To remove a role from the Selected roles list, double-click the role or select the role and click.
7 In the View Alert permissions by DBMSs area, select the DBMS groups and DBMSs for which the role is authorized to view alerts.
8 In the View Alert permissions by Rules area, select the rules for which the role is authorized to view alerts.
9 Click Save to save the new role.

11.4 Editing the Permissions of an Existing Role

You can change the permission set that is defined for an existing role. The new settings are automatically applied to users assigned the edited role.

To edit a role:
1 In the Roles tab, click the Properties icon in the row for the role to be edited. The properties of the selected role are displayed in the Role Properties page.
2 Edit the role permissions as required by moving specific permissions or roles to and from the Selected permissions list and Selected roles list, respectively.
3 Click Save to apply the changes.

11.5 Removing a Role

You can remove a role that is no longer needed. Users assigned the removed role automatically lose the corresponding permissions set. If the user is assigned additional roles or specific permissions, those permissions are not affected.

To remove a role:
1 In the Roles tab, click in the row for the role that is to be removed. A confirmation message is displayed.
2 Click OK. The role is removed from the list.
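The role model described in this chapter (roles built from individual permissions plus the permission sets of other roles, and users holding both roles and specific permissions) can be reviewed offline with a small script. The following is an added example, not Hedgehog code: the permission names, the custom role "DB Security Lead" and the users are constructed for illustration, and the conflict check reflects the guide's statement that the Policy Creator role is not authorized to view alerts.

```python
"""Constructed model of role/permission resolution; not part of Hedgehog."""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)     # "Selected permissions"
    included_roles: set = field(default_factory=set)  # "Selected roles", by name


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    permissions: set = field(default_factory=set)     # specific permissions


class RoleStore:
    def __init__(self):
        self.roles = {}

    def add_role(self, role):
        self.roles[role.name] = role

    def remove_role(self, name):
        self.roles.pop(name, None)

    def role_permissions(self, name, seen=None):
        """Permissions of a role, following included roles (cycle-safe)."""
        seen = set() if seen is None else seen
        if name in seen or name not in self.roles:
            return set()  # already visited, or the role was removed
        seen.add(name)
        role = self.roles[name]
        perms = set(role.permissions)
        for included in role.included_roles:
            perms |= self.role_permissions(included, seen)
        return perms

    def effective_permissions(self, user):
        """Union of the user's specific permissions and all role permissions."""
        perms = set(user.permissions)
        for role_name in user.roles:
            perms |= self.role_permissions(role_name)
        return perms


def separation_violations(store, users, conflicting):
    """Usernames whose effective permissions contain every conflicting permission."""
    wanted = set(conflicting)
    return sorted(u.username for u in users
                  if wanted <= store.effective_permissions(u))


def build_sample():
    """Constructed sample data; permission names are hypothetical."""
    store = RoleStore()
    store.add_role(Role("Read Only Alerts", {"view_dashboard", "view_alerts"}))
    store.add_role(Role("Policy Creator", {"create_rules", "edit_rules"}))
    store.add_role(Role("Hedgehog Operator", {"resolve_alerts", "terminate_session"}))
    # A custom role that combines two predefined roles' permission sets.
    store.add_role(Role("DB Security Lead", {"export_users"},
                        {"Policy Creator", "Read Only Alerts"}))
    users = [
        User("alice", roles={"Policy Creator"}),
        User("bob", roles={"DB Security Lead"}),
        User("carol", roles={"Hedgehog Operator"}, permissions={"view_alerts"}),
    ]
    return store, users


if __name__ == "__main__":
    store, users = build_sample()
    # Who can both edit the policy and see the alerts it produces?
    print(separation_violations(store, users, {"edit_rules", "view_alerts"}))
    store.remove_role("Hedgehog Operator")
    # carol keeps only her specific permission after the role is removed.
    print(store.effective_permissions(users[2]))
```
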

12 Users

Access to the Hedgehog Web Console is restricted to authorized users (administrators). Each user is assigned roles and/or specific permissions, which define the ways in which the user can use the system.
Note: For details on creating and defining roles, refer to 11 Roles.

This section includes the following topics:
12.1 Viewing the Users List
12.2 Adding a User
12.3 Editing User Properties
12.4 Removing a User
12.5 Exporting Users
12.6 Importing Users

12.1 Viewing the Users List

The Users tab of the Permissions page lists authorized users in the system, including the following parameters:
- Username: The name of the user.
- First Name: The first name of the user.
- Last Name: The last name (surname) of the user.
- Status: The status of the user (active or inactive).
- Properties: An icon, which when clicked, enables you to view and edit the properties of the user, including the roles and permissions assigned to it.
- Remove: An icon, which when clicked, deletes the user. (The system administrator cannot be deleted or deactivated; however, you can change the administrator user name.)

From the Users tab of the Permissions page, you can:
- Filter the Users list according to various user properties, as described in Filtering the Users List.
- View the details of a specific user, as described in Viewing User Details.
- Add a new user, as described in 12.2 Adding a User.
- View and modify a user's details, as described in 12.3 Editing User Properties.
- Export users, as described in 12.5 Exporting Users.
- Import users, as described in 12.6 Importing Users.

Filtering the Users List

To facilitate the viewing of user data, you can filter the Users list according to various user properties.

To filter the Users list:
1 Expand the Edit Filters area above the Users list.
2 Set one or more filter criteria by entering/selecting the relevant values (for example, Username or Last Name).

3 Click Search. The list of users is filtered to display only those users that match the filter criteria.
Note: To clear all filter selections, click Clear.

Viewing User Details

You can view the detailed properties of a user in the User Details page.

To view the user details:
In the Users tab, click the Properties icon in the row for the user. The User Details page is displayed.

The following details are displayed in the User Details page:
- Username: The name of the user.
- First Name: The first name of the user.
- Last Name: The last name (surname) of the user.
- Status: The status of the user.
- Selected permissions: The individual permissions assigned to the user.
- Selected roles: The permission sets assigned to the user.
- View Alert permissions: A list of the DBMSs and DBMS groups for which, if selected, the user is authorized to view alerts.

12.2 Adding a User

You can add authorized users to the system and define the ways in which they are allowed to use the system. You can assign more than one role to a user. In addition, you can assign specific permissions to a user.

To add a user:
1 In the Users tab of the Permissions page, click Create New User. The Create New User page is displayed.

2 In the User Name field, enter a user name for the user.
3 In the First Name field, enter the user's first name.
4 In the Last Name field, enter the user's surname (family name).
5 From the Status dropdown list, select the status to be assigned to the user (Active or Inactive).

6 Enter the user's password in the Password field and then enter it again in the Confirm Password field.
Note: The password must comprise at least four characters.
7 To apply the system's password policy to this user's password, select Enforce password policy.
Note: The password policy is configured on the Password Policy tab of the Permissions page. For details, see 12.7 Password Policy.
8 To force the user to change the password the first time they log in, select Change password on next login.
9 To assign the permission set of an existing role to the new user, select the required role from the All Roles list and click the adjacent button or double-click the role to move it to the Selected Roles list. The permission sets of the selected roles are assigned to the user.
Note: To remove a role from the Selected Roles list, double-click the role or select the role and click.
10 If one or more specific permissions are to be assigned to the user, select the required permission from the All Permissions list and click the adjacent button or double-click the permissions to move them to the Selected permission list.
Note: To remove permissions from the Selected permissions list, double-click the permissions or select the permissions and click.
11 In the Alert permissions area, select the DBMS groups and DBMSs for which the user is authorized to view alerts.
12 Click Save to save the user.

12.3 Editing User Properties

You can update the properties of an existing user, for example, in order to assign additional permissions or change their passwords.

This section includes the following topics:
Changing a User's Permissions
Changing a User's Password

Changing a User's Permissions

You can change the permissions assigned to an existing user by changing the roles and/or specific permissions assigned to the user.

To change a user's permissions:
1 In the Users tab of the Permissions page, click the Properties icon in the row for the user to be edited. The User Details page is displayed.
2 Edit the user's permissions as required by moving specific permissions or roles to and from the Selected permissions list and Selected roles list, respectively.
3 Click Save to apply the changes.

Changing a User's Password

You can change the password of an existing user, for example, if the user has forgotten the password.

To change a user's password:
1 In the Users tab of the Permissions page, click the Properties icon in the row for the user to be edited. The User Details page is displayed.
2 Click the Change Password link. The Change Password page is displayed.
Note: This page is displayed only if you are authorized to change another user's password.
3 Enter a new password in the New Password field and then enter it again in the Confirm Password field.
Note: The password must comprise at least four characters.
4 Click OK. The password is changed.

12.4 Removing a User

You can remove a user from the Users list, thereby revoking all of the user's permissions. A user that has been removed can no longer access the application or any of its functionality.

To remove a user:
1 In the Users tab, click in the row for the user that is to be removed. A confirmation message is displayed.
2 Click OK. The user is removed from the list and is no longer authorized to access the application.

12.5 Exporting Users

You can export the list of the Hedgehog users/administrators into an XML file, for example, in order to import them into another Hedgehog server or as a backup prior to a system upgrade.
Note: This option is intended for advanced Hedgehog users only. It is available only to authorized users.

To export users:
1 In the Users tab of the Permissions page, click Export Users. A dialog is displayed, prompting you to indicate whether you want to open or save the file.
2 Click OK. The displayed users are exported to an XML file. (The location in which the file is saved depends on your default settings.)

12.6 Importing Users

You can import a previously defined list of users.

To import a user:
1 In the Users tab of the Permissions page, click Import Users. The Import Users dialog is displayed.
2 Browse and select the previously saved file (.XML) and click Import. The users contained in the file are added to the Users list.

12.7 Password Policy

You can configure the password requirements that apply to the user passwords. The default password policy requires that a user password include at least one upper case letter, at least one lower case letter, and at least one digit or special character.
Note: The default password policy is defined in the Sentrigo properties file.

To configure the password requirements:
1 In the Permissions page, select the Password Policy tab.
2 To enforce the use of special characters in user passwords, select Yes from the Enforce special characters dropdown list.
3 From the Password minimum length dropdown list, select the minimum number of characters to be included in a password.
4 To force users to change their passwords at regular time intervals, from the Enforce password change every dropdown list, set how often users must change their passwords. From the New password minimum lifetime dropdown list, select the minimum time after which users are prompted to change their passwords.
5 To prevent users from resetting their passwords to previously used passwords, select the time period during which users cannot reuse a past password from the Prevent password repetition dropdown list.
6 To prevent brute force attacks, select Yes from the Prevent brute force attack dropdown list to temporarily block login attempts from an IP address following repeated failed attempts to log in from the same IP address.

7 To lock out a user after multiple failed login attempts, select the number of failed logins after which the user is locked out of the system from the Lockout after failed logins dropdown list. Then, from the adjacent dropdown list, set the duration of the lockout period (for example, 1 day).
8 Click Save.
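To see how the settings in 12.7 interact (default complexity rule, Enforce special characters, Prevent password repetition, Lockout after failed logins), the following added example models them in a few functions. It is not Hedgehog's implementation: the class and field names, the PBKDF2 password storage and the sample thresholds are assumptions, and the per-IP brute force block is not modelled.

```python
"""Constructed model of the section 12.7 password policy; not Hedgehog code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 4                               # guide: at least four characters
    enforce_special: bool = False                     # "Enforce special characters"
    no_reuse_within: timedelta = timedelta(days=365)  # "Prevent password repetition"
    lockout_after: int = 5                            # "Lockout after failed logins"
    lockout_for: timedelta = timedelta(days=1)        # adjacent lockout period


def complexity_violations(password, policy):
    """Return the policy requirements that the candidate password fails."""
    problems = []
    has_special = any(not c.isalnum() for c in password)
    if len(password) < policy.min_length:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not (any(c.isdigit() for c in password) or has_special):
        problems.append("no digit or special character")
    if policy.enforce_special and not has_special:
        problems.append("no special character")
    return problems


def _digest(password, salt):
    # Salted, slow hash so the history never holds clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, policy):
        self.policy = policy
        self.history = []        # (set_at, salt, digest), newest last
        self.failed = 0
        self.locked_until = None

    def set_password(self, password, now):
        """Apply complexity and reuse rules; return [] when the change is accepted."""
        problems = complexity_violations(password, self.policy)
        cutoff = now - self.policy.no_reuse_within
        for set_at, salt, digest in self.history:
            if set_at >= cutoff and hmac.compare_digest(digest, _digest(password, salt)):
                problems.append("password reused")
                break
        if not problems:
            salt = os.urandom(16)
            self.history.append((now, salt, _digest(password, salt)))
        return problems

    def login(self, password, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"          # even the right password is refused
            self.locked_until, self.failed = None, 0
        if self.history:
            _, salt, digest = self.history[-1]
            if hmac.compare_digest(digest, _digest(password, salt)):
                self.failed = 0
                return "ok"
        self.failed += 1
        if self.failed >= self.policy.lockout_after:
            self.locked_until = now + self.policy.lockout_for
        return "denied"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)    # constructed timestamps and passwords
    acct = Account(PasswordPolicy(min_length=8, enforce_special=True))
    print(acct.set_password("Winter#2024", t0))
    print(acct.set_password("winter2024", t0 + timedelta(days=1)))
    print([acct.login("guess", t0 + timedelta(days=2)) for _ in range(5)])
    print(acct.login("Winter#2024", t0 + timedelta(days=2, hours=1)))
```
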

13 System

The System page provides several system functions, including Mail Configuration, LDAP configuration, SNMP configuration, Custom Rules Groups, Resolve types, and a history of actions taken by users in the GUI.

This section includes the following topics:
13.1 Configuring the Outgoing Account*
13.2 Configuring LDAP*
13.3 Configuring SNMP*
13.4 Configuring the Syslog*
13.5 Configuring the Windows Event Log*
13.6 Configuring Log to File*
13.7 Configuring VPN-1 Blocking
13.8 Configuring Twitter
13.9 Configuring the XML API*
Managing Resolve Types
Alert Archiving*
Quarantining Users*
Viewing Clusters*
Viewing the History List
IDentifier*
Configuring and Downloading Server Logs
Viewing System Messages
Viewing Backend DBMS Details

* These topics are intended for Hedgehog Enterprise or vpatch users only.

13.1 Configuring the Outgoing Account

The outgoing settings defined in the tab determine the mailbox that is used by Hedgehog to send notifications, alerts, and traps.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

To configure the outgoing account:
1 In the System page, select the Interfaces tab and then select . The tab is displayed.
2 Configure the parameters as follows:
- From: The name of the sender to appear in outgoing messages.
- From address: The address to be used for outgoing messages.
- Mail Server: The IP address or name of the host server.
- Port: The port used for communications.
- Max s for period: The maximum number of outgoing messages allowed for the time interval set in the Period of time field.
- Period of time: The time interval in milliseconds used to measure the rate of outgoing messages, as set in the Max s for period field.
- Subject: Text that automatically appears in the Subject field of outgoing messages.

- To: The destination of outgoing messages (single user or semicolon delimited list).
- Template: The template used for generating outgoing messages.
3 Click Save.

13.2 Configuring LDAP

Configuring LDAP in Hedgehog enables you to make use of existing security groups in the active directory, eliminating the need to set up all of your users and roles from scratch.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

To configure LDAP:
1 In the System page, select the Interfaces tab and then select LDAP. The LDAP tab is displayed.
2 Select Use LDAP to enable Hedgehog to use LDAP.
3 Configure the LDAP parameters as follows:
- Base: The Base distinguished name of the LDAP directory.
- Domain: The domain of the active directory.
- Root Path (Optional): The fully qualified name of the entry to be used as the root path instead of the LDAP directory root.

- URL: The URL of the active directory.
- Username: The name of the user authorized to access the LDAP directory.
- Password: The password of the user authorized to access the LDAP directory.
4 Click Save.

After configuring the LDAP settings, the known groups are listed in the page as shown in the following example:

Once you have finished configuring the LDAP settings, you can configure Hedgehog roles based on your LDAP Roles. For more information, see 11.3 Creating a New Role.

13.3 Configuring SNMP

You can configure Hedgehog to use SNMP for internal communication and in order to send traps to third-party applications.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

To configure SNMP:
1 In the System page, select the Interfaces tab and then select SNMP. The SNMP tab is displayed.
2 To enable Hedgehog to use SNMP for internal communications, select Use SNMP and configure the SNMP parameters as follows:
- Port: The port to be used for SNMP communications.
- Community: The SNMP communication string.
3 To view the MIB file in an external browser (as a TXT file), click Open MIB file. The MIB file is displayed in an external file in read-only format. (Close the file to continue with the configuration process.)
4 To use SNMP to send traps to a third-party application, select Use SNMP Trap and configure the SNMP trap parameters as follows:
- Port: The port to be used for SNMP communications.
- Host: The IP address of the host on which the third-party application resides.
- Community: The SNMP communication string.
5 Click Save.

13.4 Configuring the Syslog

You can configure Hedgehog to use the syslogs to monitor alerts.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

To configure the syslog:
1 In the System page, select the Interfaces tab and then select Syslog. The Syslog tab is displayed.
2 Select Use Syslog.
3 Configure the following parameters:
- Host: The IP address of the host on which the syslog resides.
- Port: The port to be used for syslog communications.
- Facilities: The syslog facilities.
- Format: The file type to be used for the syslog (CSV, Sentinel or Custom).
4 Click Save. The Syslog is configured and enabled.

13.5 Configuring the Windows Event Log

You can configure Hedgehog to use the Windows Event Log to monitor alerts.
Note: Windows Event Log is supported on Windows XP and up, and on Windows Server 2003 and up.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

To configure the Windows Event log:
1 In the System page, select the Interfaces tab and then select Windows Log. The Windows Log tab is displayed.
2 Select Use Windows Event Log.
3 Configure the following parameters:
- Host: The IP address of the host on which the Windows Event Log resides.
- Format: The file type to be used for the Windows Event Log (CSV, CEF, Sentinel or Custom).
4 Click Save. The Windows Event Log is configured and enabled.

13.6 Configuring Log to File

You can configure Hedgehog to save log entries in a file.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

To configure logging to file:
1 In the System page, select the Interfaces tab and then select Log to File. The Log to File tab is displayed.
2 Select Log to File.
3 Configure the following parameters:
- Directory Path: The full path to the location of the log file.
- Rolling Period: The time period covered by each log (hourly or daily).
- Delete Older Than: The number of days after which the log file should be deleted.
- Format: The file type of the log file (CSV, CEF, Sentinel or Custom).
4 Click Save. The log to file function is configured and enabled.

13.7 Configuring VPN-1 Blocking

OPSEC Suspicious Activity Monitoring (SAM) enables VPN-1/FireWall-1 to block a connection when suspicious activity is identified on the network or specific host, or as the result of the matching of a rule in the system. To implement OPSEC SAM, you need to define the SAM server and the SSLCA mode.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.

To configure OPSEC SAM:
1 In the System page, select the Interfaces tab and then select OPSEC SAM. The OPSEC SAM tab is displayed.
2 To define the SAM server properties:
- Select the SAM Server Properties checkbox.
- Enter the SAM server's IP address and port number in the designated fields.
- Select the log to be used for storing SAM alerts from the Log dropdown list.
3 To transmit without encryption, select Clear mode (no encryption).

4 To define SSLCA mode:
    Enter the path to the OPSEC certificate in the Certificate Path field.
    Note: You can use the Check Point pull_cert utility to retrieve the OPSEC certificate. Enter the following command in the command line tool:
        opsec_pull_cert.exe -h <nameof host where file is located> -n <checkpoint object name> -p <password for object>
    This creates the opsec.p12 certificate file.
    Enter the path to the Client SIC in the Client Sic field.
    Enter the path to the Server SIC in the Server Sic field.
5 Click Save.

13.8 Configuring Twitter
You can use Twitter as an alternative or addition to sending alerts by email. Using Twitter's integration with SMSs and dynamic configuration of followers, you can efficiently get specific alerts to their destination.
To configure Twitter:
1 In the System page, select the Interfaces tab and then select Twitter. The Twitter tab is displayed.
2 To enable Twitter, select the Use Twitter checkbox.

3 Enter the Twitter username and password in the designated fields.
4 Click Save.
Note: Using Twitter requires server access to the Internet. You should only use Twitter if you are familiar with Twitter security settings and after making certain that you do not expose any sensitive information by using Twitter in conjunction with Hedgehog.

13.9 Configuring the XML API
The XML agent enables you to import and export XML files.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.
To configure the XML agent:
1 In the System page, select the Interfaces tab and then select XML API. The XML API tab is displayed.
2 Select XML API enabled.
3 Click Save. The XML agent is enabled.
Note: To view the DTD or XSD files, click the respective link. The file is opened in an external window.
You can now use the XML API, as described in 16 XML API.

Managing Resolve Types
Assigning a meaningful resolve type when you resolve an alert makes it easier to monitor the system for recurring problems. Hedgehog has six preconfigured system resolve types: Unresolved, Resolved, False Alarm, Sensor Deleted, Session Terminated and Created rule. System resolve types can neither be edited nor deleted. You can create additional resolve types and assign them when you resolve alerts in the Alerts page.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.
From the Resolve Types tab, you can:
    Add a new resolve type, as described in Creating a Resolve Type.
    Edit a resolve type, as described in Editing a Resolve Type Name.
    Delete a resolve type, as described in Deleting a Resolve Type.

Creating a Resolve Type
Based on your own experience, you can create custom resolve types to facilitate the monitoring of alerts generated in response to specific conditions or events.
To add a resolve type:
1 In the Resolve Types tab, click New Type. The Resolve Type Properties page is displayed.
2 In the Name field, enter a name for the resolve type.
3 Click Save. The resolve type is added to the Resolve Types list. User is displayed in the Type column to indicate that it is a custom, user-defined resolve type.

Editing a Resolve Type Name
You can edit the name of a custom resolve type at any time.
1 In the Resolve Types tab, click the Properties icon in the row for the resolve type. The Resolve Type Properties page is displayed.
2 Edit the resolve type name, as required, and click Save.

Deleting a Resolve Type
You can delete a user-defined resolve type that is no longer needed.
Note: You cannot delete a system resolve type.
To delete a resolve type:
In the Resolve Types tab, click in the row for the resolve type to be deleted. The resolve type is removed from the Resolve Types list.
Note: Alerts previously resolved using this resolve type are not affected; however, the deleted resolve type is no longer available for selection.

Alert Archiving
To facilitate the viewing of alerts and reduce the overall size of the alerts list, Hedgehog enables you to archive alerts, either automatically or manually. You can also un-archive existing archives to view the alerts that they contain, or you can remove alert archives that are no longer required. Existing archives are listed in the Archives tab of the System page.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.
From the Archives tab, you can:
    Configure automatic alert archiving, as described in Automatic Archiving.
    Perform on-demand archiving, as described in Manual Alert Archiving.
    Restore the alerts contained in an archive, as described in Unarchiving/Re-archiving an Archive File.
    Delete an alert archive file, as described in Removing an Alert Archive.

Automatic Archiving
You can configure Hedgehog to automatically archive alerts in a specific location and at preset intervals.
To configure automatic alert archiving:
1 In the System page, select the Archives tab and then select Settings.
2 In the Archive Folder Path field, set the location in which the archived files are to be stored.
Note: By default, auto archive by number of alerts is enabled. Alerts are archived by default whenever the number of alerts exceeds 10,000 (by default the 30,000 oldest alerts are archived).
3 To disable automatic archiving (not recommended), clear the Auto Archive Enabled checkbox.
4 Schedule the archiving process as follows:
    To schedule archiving at hourly time intervals, select by hours and set the time interval in the adjacent field. For example, every 2 hours.
    To schedule daily archiving, select by day and then select the day of the week on which archiving is to take place.
    To schedule monthly archiving, select by month and set the frequency (per number of months) in the adjacent field.

5 Set the age of alerts to be archived in the Archive Alerts older than fields, by setting both the number and time unit (days, weeks, months).
6 Click Save.

Manual Alert Archiving
You can manually initiate the archiving process at any time.
To configure manual alert archiving:
1 In the System page, select the Archives tab and then select Settings.
2 Set the age of alerts to be archived in the Archive Alerts older than fields, by setting both the number and time unit (days, weeks, months).
3 Click Archive Now. All alerts older than the set age are archived.

Unarchiving/Re-archiving an Archive File
You can access the alerts that are contained in an alerts archive by unarchiving the archive file. You can then re-archive the alerts as required.
To unarchive alerts:
1 In the System page, select the Archives tab and then select Archive History.
2 In the Archives list, click Unarchive in the row for the action. The Alerts page is displayed, and the Archives dropdown list is available for selection in the Filter area.
3 To view the alerts for a specific archive, select the archive file from the Archives dropdown list and click Apply to apply the selected filter to the Alerts list.
To re-archive alerts:
1 In the System page, select the Archives tab and then select Archive History.
2 In the Archives list, click Re-archive in the row for the action. The Archives dropdown list is no longer available for selection in the Alerts page.
Note: To maintain alert integrity, re-archiving simply removes the unarchived alerts from the alerts screen. The archive remains untouched (any actions performed on the unarchived alerts will not be kept).

Removing an Alert Archive
To conserve space, archives that are no longer relevant can be removed from the server.
Note: The removal of an archive may not be permitted by regulations to which you must adhere. Check your organization's security policy before attempting to remove an archive.

To remove an archive:
1 In the System page, select the Archives tab and then select Archive History.
2 In the Archives list, click in the row for the archive that is to be deleted. A confirmation message is displayed.
3 Click OK. The archive is deleted.

Quarantining Users
If the action in a rule is set to Terminate and the Quarantine option is selected, a user can be placed in quarantine for a predefined number of minutes. While in quarantine, the user is unable to reconnect to the DBMSs for which the rule was triggered.
Note: This functionality is available for Hedgehog Enterprise or vpatch users only.
The Quarantine tab lists the following parameters for users currently in quarantine:
    Quarantine parameters: The parameter(s) according to which the user was quarantined (for example, IP address, OS user, or application).
    Start time: The time when the quarantine of the user began.
    DBMS: The DBMS that the user was attempting to access.
    Rule: The rule that triggered the quarantine action.
    Unquarantine: A link, which when clicked, enables you to remove the user from quarantine.

Configuring the Quarantine Parameters
You can determine the parameters according to which users are placed in quarantine. It is advisable to first review your current alerts before deciding on the best way to identify a user in your network. The best option is when one parameter is always unique in your network (for example, terminal is unique in some networks, however it is not used in others).
To set the quarantine parameters:
1 In the System page, select the Quarantine tab and then select Settings.
2 Select or clear the checkboxes for the parameters according to which a user can be quarantined. The system treats the selected parameters by adding the operator "and" between them. For example, if you choose user and IP, when triggered by a rule the system will check the user name and the IP address (e.g., scott and ) and deny access to any subsequent SQL statement that comes from and the user scott. It will, however, allow statements coming from where the user is jerry.
3 Click Save.
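The effect of the "and" combination on different parameter selections can be modelled as follows. This is an added example, not Hedgehog code: the Session field names, the helper functions and the sample sessions (including the 192.0.2.x addresses) are constructed for illustration.

```python
from dataclasses import dataclass


# Field names are assumptions made for this example; the guide only names
# the kinds of parameter (user, IP address, OS user, application, terminal).
@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    os_user: str
    application: str


def make_quarantine_entry(selected, offending):
    """Record the offending session's value for each selected parameter."""
    if not selected:
        # With nothing selected there are no conditions to fail, so every
        # session would match. Refuse that configuration outright.
        raise ValueError("select at least one quarantine parameter")
    return {name: getattr(offending, name) for name in selected}


def is_quarantined(entry, session):
    """A session is denied only if it matches every recorded value (AND)."""
    return all(getattr(session, name) == value for name, value in entry.items())


def denied(selected, offending, sessions):
    """Return the sessions that the resulting quarantine entry would deny."""
    entry = make_quarantine_entry(selected, offending)
    return [s for s in sessions if is_quarantined(entry, s)]


# Constructed sample: two database users behind one application server
# address (192.0.2.0/24 is a documentation range), plus scott on a laptop.
SCOTT_APP = Session("scott", "192.0.2.10", "appsvc", "billing")
JERRY_APP = Session("jerry", "192.0.2.10", "appsvc", "billing")
SCOTT_LAPTOP = Session("scott", "192.0.2.77", "scott", "sqlplus")
SESSIONS = [SCOTT_APP, JERRY_APP, SCOTT_LAPTOP]


def compare_selections():
    """Show who is denied for several selections when SCOTT_APP trips a rule."""
    offending = SCOTT_APP
    return {
        selection: [(s.user, s.ip) for s in denied(selection, offending, SESSIONS)]
        for selection in (("user", "ip"), ("ip",), ("user",), ("os_user",))
    }


if __name__ == "__main__":
    for selection, hits in compare_selections().items():
        print(" AND ".join(selection), "->", hits)
```

Selecting only a parameter that many sessions share (here the application server's IP address or OS user) quarantines the other users behind it, while user and IP together leave the same user free to reconnect from a different address.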

Removing a User from Quarantine
To remove a user from quarantine:
1 In the System page, select the Quarantine tab and then select Quarantine list.
2 In the Quarantine list, click Unquarantine in the row for the user that is to be removed from quarantine. The Unquarantine dialog is displayed.
3 Enter the reason for removing the user from quarantine and click Unquarantine. The user is removed from both the quarantine and the Quarantine list, and is again able to access the DBMS.

Viewing Clusters
The Clusters tab is used when the Hedgehog server is clustered. It displays view-only information regarding the servers, including the sensors installed on each server. It is intended for use by Hedgehog Enterprise or vpatch users only. For Hedgehog cluster configuration instructions, contact Sentrigo support.

Viewing the History List
The History tab lists the following parameters:
    Action: The type of action taken (for example, Modify User Rule, Resolve Alert, Approve Sensor, or Change Role).
    Modified by: The name of the user who performed the action.
    Modify date: The date and time of the action.
    Parameters: An icon, which when clicked, enables you to view the details of the action.

From the History tab, you can:
    Filter the Actions History list, as described in Filtering the Actions History List.
    Set the time period after which actions history entries are deleted, as described in Setting the Time Period for Saving Actions History.
    View the details of a selected revision, as described in Viewing Actions History Details.

Filtering the Actions History List
To facilitate the viewing of actions data, you can filter the Actions History list according to various properties.
To filter the Actions History list:
1 Expand the Edit Filters area above the Actions History list.
2 Set one or more filter criteria by entering/selecting the relevant values (for example, name or action).

3 Click Apply. The list of actions is filtered to display only those actions that match the filter criteria.

Setting the Time Period for Saving Actions History
You can set the amount of time after which actions are automatically deleted from the Actions History list.
To configure automatic deletion of action entries:
1 In the History tab, select the Delete actions older than checkbox and, in the adjacent field, enter the number of days after which to delete actions.
2 Click Save.

Viewing Actions History Details
You can view the details of an action in the Actions History list.
To view history details:
In the Actions History list, click the Properties icon in the row for the action. The properties page is displayed for the selected rule.

IDentifier
The IDentifier tab provides you with information on the current IDentifier status as well as links to the IDentifier installation guides.
The IDentifier tab lists the following parameters:
    IDentifier User Guides: Direct links to the respective user guides.
    Available Licenses: The total number of Hedgehog licenses available.
    Licenses in Use: The number of Hedgehog licenses currently in use.
    Expiration Date: The Hedgehog license expiration date.

Configuring and Downloading Server Logs
The Troubleshooting tab enables you to configure the server logs and download the server log files to send to Sentrigo support when required. It also enables you to configure the automatic resolution of IP addresses.
To configure the Server logs:
1 When instructed to do so by Sentrigo's support, in the System page, select the Troubleshooting tab. The Troubleshooting tab is displayed.

2 From the Log Level dropdown list, select the type of logs to be created (by default the log level is set to INFO).
3 In the Log file size field, set the maximum size of the log file (in MB).
4 Click Save.
To download a log file:
1 In the Troubleshooting tab of the System page, click the Download Logs link. A dialog is displayed, prompting you to indicate whether you want to open or save the file.
2 Select Save to Disk and click OK. The server logs are exported to an XML file. (The location in which the file is saved depends on your default settings.)

To configure automatic resolution of IP addresses:
1 In the Troubleshooting tab of the System page, select Resolve IP from Host for Alert.
Note: By default, this feature is enabled (selected). Disabling of this feature is only necessary in cases of severe network load.
2 Click Save.

Viewing System Messages
The Messages tab of the System page lists the system messages generated by the system in response to various conditions and events in the system, for example, when a sensor stops communicating with the server or when a license is about to expire.
If there are high severity messages, an icon appears at the top of each page indicating the number of unread high severity messages. Click the icon to view the messages. Unread messages appear in bold type; read messages appear in regular type.
The Messages tab lists the following parameters:
    Severity: The level of severity (Low, Medium, or High).
    Subject: The subject of the message.
    Body: The text content of the message.
    Creation Date: The date and time when the message was created.
    Properties: An icon, which when clicked, enables you to view and edit the message properties.
    Delete: An icon, which when clicked, removes the message from the System Messages list.

From the Messages tab, you can:
    Filter the Messages list according to various properties, as described in Filtering the Messages List.
    View the details of a specific message, as described in Viewing System Message Details.
    Mark all system messages as read/unread, as described in Marking System Messages as Read/Unread.
    Delete a system message, as described in Deleting a System Message.
    Configure alerts for system messages and/or when sensors are disconnected, as described in Configuring System Messages.

Filtering the Messages List
To facilitate the viewing of system messages, you can filter the Messages list according to various properties.
To filter the Messages list:
1 Expand the Set filter values area above the Messages list.
2 Set one or more filter criteria by entering/selecting the relevant values (for example, Severity or Date).
3 Click Apply. The list of messages is filtered to display only those messages that match the filter criteria.
Note: To clear all filter selections, click Clear.

Viewing System Message Details
You can view the detailed properties of a message in the Message Details page.
To view the message details:
In the Messages list, click the Properties icon in the row for the message. The Message Details page is displayed.

To view the message details of the next message in the list, click Next Message.
To view the message details of the previous message in the list, click Previous Message.
To stop receiving this type of message, click the Click here to stop receiving link.

Marking System Messages as Read/Unread
You can mark all of the messages as read or unread in the Messages list.
To mark all messages as read:
In the Messages list, click Mark all as Read. All of the messages are marked as read.
To mark all messages as unread:
In the Messages list, click Mark all as Unread. All of the messages are marked as unread.

Deleting a System Message
If, after viewing a system message, the message is no longer relevant, you can delete it from the Messages list.
To delete a system message:
1 In the Messages list, click in the row for the message that is to be deleted. A confirmation message is displayed.
2 Click OK. The message is removed from the list.

Configuring System Messages
You can configure whether or not alerts are generated for all system messages and/or when sensors are disconnected. You can also specify an email address destination for system messages.
To configure system messages:
1 In the Messages tab of the System page, click Message and then click Configuration. The System Messages page is displayed.

2 To configure the system to send messages to an email address based on the severity of the system message, enter the address in the Send to field and then select the severity level (Low, Normal, or High) from the dropdown list.
3 To receive alerts indicating whenever a sensor is disconnected, select Alert when sensor is disconnected. If you select this option, set the number of seconds to wait before considering the sensor to be disconnected and generating the alert. (The default value is 60 seconds.)
4 To receive an alert when the number of vpatch alerts in a specific time period exceeds a specific level, select Alert when server received over. If you select this option, set the number of alerts and the time period accordingly.
Click Save. The configuration is saved.

Viewing Backend DBMS Details
You can view basic information on the backend database in the Backend DBMS tab of the System page. The read-only DBMS details vary according to database type (HSQLDB, Oracle or MS SQL).
To view backend DBMS details:
In the System page, click Backend DBMS details. The Backend DBMS tab is displayed.
The following details are displayed for all backend DBMS:
    Type: The type of database (HSQLDB, Oracle or MS SQL).
    Size Details: The file name/table space, current size, maximum size, and amount of free space.
Note: If the system is unable to detect the maximum size, it is recommended that you verify that enough space is available on the DBMS.
The following additional details are displayed for an Oracle or MS SQL database:
    Username: The name of the database user.
    IP/Host: The IP address or name of the host on which the DBMS is located.
    Port: The port used to communicate with the DBMS.

14 Updates
The Updates page comprises the following tabs:
    Security Updates: Enables you to manually check for and install security updates, and displays the history of previously installed updates.
    Software Updates: Enables you to manually check for and install server and sensor software updates, and displays the history of previously installed updates.
    Security Update Settings: Enables you to configure the policy for performing security updates.
This section includes the following topics:
    14.1 Configuring Update Settings
    14.2 Manually Checking for/installing Security Updates
    14.3 Manually Checking for/installing Server Software Updates
    14.4 Manually Checking for/installing Sensor Software Updates
    14.5 Installing Offline Updates
    14.6 Viewing the Update History

14.1 Configuring Update Settings
vpatch rules are provided by Hedgehog to help monitor and prevent attacks against known vulnerabilities. You can determine whether or not these rules are automatically updated, and when the automatic security updates are to take place.
To configure the security update settings:
1 In the Update page, select the Update Settings tab.
2 To automatically check for all updates, select Check for available updates automatically.
3 Select the required auto-installation option as follows:
    To disable the automatic installation feature, select No auto-installation.
    To perform the update in real-time, select Real-time (auto-install when new updates are available).
    To install updates on a specific day and time, select Schedule installation, and then select the day of the week and indicate the time when the update is to begin.
4 Click Save.

14.2 Manually Checking for/installing Security Updates
You can manually check for updates and/or install security updates.
To check for/install updates:
1 In the Update page, select the Security Updates tab.
Note: The currently installed version is indicated in the Security Updates tab.
2 Click Check for new updates. A list of available updates is displayed. To install an update, select the update and click Install.
Note: If no updates are available, a message is displayed accordingly.
The Security Update dialog is displayed, indicating the version to be installed and listing the changes that are included in the new version.

3 Click Install. The Security Update dialog is displayed while the Security Update is installed.
Note: If you attempt to install a version that is older than the currently installed version, the Security Update dialog is displayed prompting you to confirm that you really want to do so. Click OK to continue or click Cancel to abort the installation.

To install an update from a local file (offline installation):
1 In the Security Updates tab of the Update page, click Browse to locate and select the installation file.
2 Click Upload. The Security Update dialog is displayed, indicating the version to be installed and listing the changes that are included in the new version.
3 Click Install. The Security Update dialog is displayed while the Security Update is installed.

14.3 Manually Checking for/installing Server Software Updates
You can manually check for updates and/or install server software updates.
To check for updates:
1 In the Update page, select the Software Updates tab.
2 Click Check for new Hedgehog releases. A list of available updates is displayed. To install an update, select the update and click Install. If no updates are available, a message is displayed accordingly.
3 To install an update from a local file (offline installation):
    Click Browse to locate and select the installation file.
    Click Upload. The Security Update dialog is displayed, indicating the version to be installed and listing the changes that are included in the new version.
    Click Install. The Security Update dialog is displayed while the Security Update is installed.

14.4 Manually Checking for/installing Sensor Software Updates
You can manually check for updates and/or install sensor software updates.
To check for updates:
1 In the Update page, select the Software Updates tab.
2 Click Check for new sensor updates. A list of available updates is displayed for each platform. To install an update, select the update and click Manual Install. If no updates are available, a message is displayed accordingly.

14.5 Installing Offline Updates
You can install security updates and software updates from a file that you have downloaded or have received from Hedgehog support personnel.
To install updates from a saved file:
1 In the Update page, select the Security Updates/Server Updates/Software Updates tab (as applicable).
2 Click the Upload an update file link.

3 Browse to and select the update file (with the file extension .sup) that you want to upload.
4 Click OK to upload the file.

14.6 Viewing the Update History
You can view a history of the previously installed security updates, server updates, or sensor updates, including both automatic and manual updates.
To view the update history:
In the Update page, select the Security Updates/Server Updates/Software Updates tab. A history of the security updates is listed in the Updates History area, indicating the version, when installed and by whom, and installation mode (automatic or manual).

15 Reports
If you are using the Hedgehog Enterprise or vpatch version, you can generate a wide range of reports. By default, Hedgehog reports are displayed in HTML format in an external browser window. Alternatively, you can generate reports in PDF format. You can generate System Reports or Dynamic Reports.
This section includes the following topics:
    15.1 Generating System Reports
    15.2 Working with Dynamic Reports

15.1 Generating System Reports
The following reports are currently available in the System Reports tab of the Reports page:
    Alerts Per DBMS
    Most Critical Alerts
    Alerts per Rules
    Alerts per Tags
    All Rules
    Custom Rules
    vpatch Rules
    Inactive Rules
    Rules per DBMS
    Sensor Drill Down
    DBMS Drill Down
    Top Critical Alerts per single DBMS
    Top Critical Alerts per multiple DBMS
    History Actions
    Alerts per Compliance

To generate a system report:
1 In the System Reports tab of the Reports page, click the icon in the Run column in the row for the required category of report.
2 You are prompted to set various report parameters, as shown in the following example:
3 Set the report criteria.

4 (Optional) Enter a brief description or comment in the Comments field. The comment is displayed at the top of the report.
5 (Optional) To generate the report as a PDF, select PDF view.
Note: By default, the report is generated in HTML format in an external browser window.
6 Click OK. The report is generated and displayed.

15.2 Working with Dynamic Reports
You can create dynamic reports to meet the needs of your organization. The Dynamic Reports tab of the Reports page lists the configured Dynamic Reports, including the following parameters:
    Report Name: The name of the report (as configured in the creation process).
    Description: A brief description of the report (as configured in the creation process).
    Scheduling: A clock icon is displayed if scheduling is enabled for the report.
    Properties: An icon, which when clicked, enables you to view and edit the properties of the Dynamic Report.
    Run: An icon, which when clicked, enables you to run the Dynamic Report.
    Remove: An icon, which when clicked, enables you to delete the Dynamic Report definition.
    Download: An icon, which when clicked, enables you to download a report.

From the Dynamic Reports List, you can:
    Define a new dynamic report, as described in Creating a Dynamic Report.
    View the definition of a dynamic report, as described in Viewing/Editing the Properties of a Dynamic Report.
    Configure the dynamic report to run at a specific time or at specific time intervals, as described in Scheduling a Dynamic Report.
    Run a dynamic report, as described in Running a Dynamic Report.
    Delete a dynamic report, as described in Deleting a Dynamic Report.

Creating a Dynamic Report
You can create multiple dynamic reports to meet the needs of your organization. For each report, you define one or more filters that determine which alerts are included in the dynamic report. If you produce the report as a PDF or Microsoft Excel file, you can configure the report to run automatically at scheduled intervals and be sent as an email attachment.
To create a dynamic report:
1 In the Dynamic Reports tab of the Reports page, click New Report. The Dynamic Report properties form is displayed, as shown in the following example:

2 In the Name field, enter a name for the dynamic report. It is recommended that the name selected reflect the nature of the report.
3 In the Description field, enter a brief description of the dynamic report.
4 In the Filter by area, set the filters to be applied to the report as follows:
    To define a filter, select the required criteria from the Filter by dropdown list(s) and click Add. The filter is added to the Selected Filter Fields table.
    To remove a filter from the Selected Filter Fields table, click Remove in the corresponding row.
5 To set the report format, select the format type from the Report Format dropdown list (HTML, PDF or Excel).

6 From the Group by dropdown list, select the criteria for grouping data in the report (Level, DBMS, sensor or rule).
7 Set the criteria for sorting data as follows:
    To sort by a specific parameter in ascending order, select the parameter in the Table Column list and click to move it to the Sort by list.
    To sort by a specific parameter in descending order, select the parameter in the Table Column list and click to move it to the Sort by list.
    To remove a parameter from the Sort by list, select the parameter and click to move it to the Table Column list.
    The data will be sorted by selected criteria in the order in which they appear in the Sort By list. Select a parameter and click or to reposition it in the Sort By list.
8 Set the fields to be displayed in the report as follows:
    To exclude a field from the report, select the parameter in the Selected Report Fields list and click to move it to the Available Report Fields list.
    To include a field in the report, select the parameter in the Available Report Fields and click to move it to the Selected Report Fields list.
9 To run the report based on a schedule (available only in Excel and PDF report formats), select Schedule Enabled and configure the following parameters:
    Select the interval at which you want the report to be run, by hours, by day, or by month, and set the relevant frequency.
    In the Start Time field, set the time of day to run the report.
10 Configure the report notification settings as follows:
    If you want to send a notification when the report is ready, enter the email address in the Send notification by to field.
    If you want the report to be sent as an attachment to an email message, enter the email address in the Send notification by to field and select Attach report.
11 Click Save to save the report without running it, or click Run to generate the report.

Viewing/Editing the Properties of a Dynamic Report
You can view/edit the properties of a dynamic report.
To view/edit the properties of a dynamic report:
1 In the Dynamic Reports list, click in the row for the report. The properties of the dynamic report are displayed in the Dynamic Reports tab.
2 Modify the report properties as required.
3 Click Save.

Scheduling a Dynamic Report
You can schedule a dynamic report to run at a specific time. Note that this feature is only available for Excel and PDF report formats.
To schedule a dynamic report:
1 In the Dynamic Reports list, click in the row for the report. The properties of the dynamic report are displayed in the Dynamic Reports tab.
2 Select Schedule Enabled and configure the following parameters:
    Select the interval at which you want the report to be run, by hours, by day, or by month, and set the relevant frequency.
    In the Start Time field, set the time of day to run the report.
    Set the email address to receive the report output file. Note that you need to configure the email server in the System tab first.
3 Click Save. The report definition is updated to include the new schedule settings.
The scheduled report output is saved on the Hedgehog Server machine to the path specified by the sentrigo.reports.xlsdirectory property in the properties file <Sentrigo Server root>\webapps\root\web-inf\config\reports\britconfig.properties. By default, this path is the <Sentrigo Server root>\webapps\root\export\ folder.

Running a Dynamic Report
You can manually run a dynamic report at any time.
To run a dynamic report:
In the Dynamic Reports list, click in the row for the report that you want to run.

Deleting a Dynamic Report
You can delete a dynamic report that is no longer required.
To delete a dynamic report:
1 In the Dynamic Reports list, click in the row for the report that is to be deleted. A confirmation message is displayed.
2 Click OK. The report is deleted from the Dynamic Reports list.

15.3 Configuring the Report Settings

You can opt to display the default logo on reports, or you can configure the system to display a custom logo in reports. It is recommended that the logo be saved as a GIF or JPG, and 700x200 in size.

To set the logo:
1 In the Reports page, click Settings. The Settings tab is displayed.
2 Select one of the following options:
  - Use Default Logo: The logo that appears in the user interface is displayed in reports.
  - Use Custom Logo: A different logo is displayed in reports. If you select this option, browse and select the graphic file containing the logo.
3 Click Save.

16 XML API

Once you have enabled the XML API, it allows you to request information from the Hedgehog Server using a standardized HTTP GET/POST request and receive the response in an XML format. The detailed structure of the XML reply can be found in the XSD file in the System->Interfaces->XML API tab.

Note: For more on enabling the XML API, see 13.9 Configuring the XML API.

In order to use the XML API, you must provide the login credentials of a user with the "Use XML API" permission granted.

The available services:
  - Sensor: Returns the Sensors list.
  - Alert: Returns the Alerts list.

Sensor Service

To use the Sensors service, enter the following URL: <server url>/xmlapi.svc with the service parameter set to "sensor", for example:

It also accepts the following optional parameters:
  - HH$Name: The Sensor name.
  - HH$Id: The Sensor ID (as it appears in the XML API result).
  - HH$Hostname: The Sensor's host name.
  - HH$Ip: The Sensor's IP.
  - HH$Database: The Database ID (as it appears in the XML API result).
  - HH$Approved: Comma Separated Values of the Approved statuses (APPROVED, DENIED or PENDING).
  - HH$Status: Comma Separated Values of the Communication Status (ALIVE, DISCONNECTED, DELETED or STOPPED).

16.2 Alert Service

To use the Alerts service, enter the following URL: <server url>/xmlapi.svc with the service parameter set to "alert", for example:

It also accepts the following optional parameters:
  - HH$ExecutionTimeFrom: Lower bound on the execution time, in one of the following formats:
    - Date in the format: dd MMM yyyy HH:mm:ss, for example: Aug%202008%2010:10:10
    - Millis since 1970, for example:
  - HH$ResolveReason: The resolve reason.
  - HH$Id: Alert ID.
  - HH$Agents: Comma Separated Values of the Sensor IDs (as they appear in the XML API result).
  - HH$tag: The tag name.
  - HH$DbGroupName: The DB Group name.
  - HH$ExecutionTimeTo: Upper bound on the execution time, same format as the HH$ExecutionTimeFrom parameter.
  - HH$Databases: Comma Separated Values of the Database IDs (as they appear in the XML API result).
  - HH$Operation: The SQL statement.
  - HH$OsUser: The OS User.
  - HH$Severities: Comma Separated Values of the Alert Severity values (LOW, MEDIUM, HIGH).
  - HH$SourceHost: Statement source host name.
  - HH$SourceIP: Statement source host IP.
  - HH$ResolveNames: Comma Separated Values of the Resolve Type names.
  - HH$RuleName: The Rule name.
  - HH$ExecUser: The executing database user.
  - HH$ExecProgram: The Application name.
  - HH$Clientid: The Client ID.
  - HH$Module: The Module name.
  - HH$ModifyDateFrom: The lower bound on the last modified time of the alert, in the same format as the HH$ExecutionTimeFrom parameter.
  - HH$ModifyDateTo: The upper bound on the last modified time of the alert, in the same format as the HH$ExecutionTimeFrom parameter.
  - HH$TimeBackPeriod: Time back in milliseconds.
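An added example, not part of the Hedgehog guide or Sentrigo's code: a builder for the request URLs of the two services that accepts only the parameter names and enumerated values listed above and percent-encodes the values (HH$Operation carries a whole SQL statement). It assumes the service selector is a query parameter literally named service, uses a constructed host name, and stops short of sending the request because the guide does not say how the login credentials are passed.

```python
from datetime import datetime
from urllib.parse import quote

# Parameter names and enumerated values copied from the guide's two lists.
SERVICES = {
    "sensor": {"HH$Name", "HH$Id", "HH$Hostname", "HH$Ip", "HH$Database",
               "HH$Approved", "HH$Status"},
    "alert": {"HH$ExecutionTimeFrom", "HH$ExecutionTimeTo", "HH$ResolveReason",
              "HH$Id", "HH$Agents", "HH$tag", "HH$DbGroupName", "HH$Databases",
              "HH$Operation", "HH$OsUser", "HH$Severities", "HH$SourceHost",
              "HH$SourceIP", "HH$ResolveNames", "HH$RuleName", "HH$ExecUser",
              "HH$ExecProgram", "HH$Clientid", "HH$Module",
              "HH$ModifyDateFrom", "HH$ModifyDateTo", "HH$TimeBackPeriod"},
}
ENUMS = {
    "HH$Approved": {"APPROVED", "DENIED", "PENDING"},
    "HH$Status": {"ALIVE", "DISCONNECTED", "DELETED", "STOPPED"},
    "HH$Severities": {"LOW", "MEDIUM", "HIGH"},
}
TIME_PARAMS = {"HH$ExecutionTimeFrom", "HH$ExecutionTimeTo",
               "HH$ModifyDateFrom", "HH$ModifyDateTo"}
# Fixed English month names so the output does not depend on the locale.
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def format_time(value):
    """Render a time bound in one of the two documented formats.

    datetime -> 'dd MMM yyyy HH:mm:ss'; non-negative int -> millis since 1970.
    """
    if isinstance(value, datetime):
        month = _MONTHS[value.month - 1]
        return f"{value.day:02d} {month} {value.year:04d} {value:%H:%M:%S}"
    if isinstance(value, int) and not isinstance(value, bool) and value >= 0:
        return str(value)
    raise ValueError(f"unsupported time value: {value!r}")


def _as_text(name, value):
    """Validate one parameter value and return it as unencoded text."""
    if name in TIME_PARAMS:
        return format_time(value)
    if name in ENUMS:
        items = [value] if isinstance(value, str) else list(value)
        bad = [v for v in items if v not in ENUMS[name]]
        if bad or not items:
            raise ValueError(f"{name}: values not in the documented set: {bad}")
        return ",".join(items)
    if isinstance(value, (list, tuple)):
        return ",".join(str(v) for v in value)  # Comma Separated Values
    return str(value)


def build_url(server_url, service, params=None):
    """Build <server url>/xmlapi.svc?service=...&HH$...=... for one request."""
    allowed = SERVICES.get(service)
    if allowed is None:
        raise ValueError(f"unknown service: {service!r}")
    parts = ["service=" + service]  # assumed literal parameter name
    for name, value in (params or {}).items():
        if name not in allowed:
            raise ValueError(f"{name!r} is not a {service} service parameter")
        # Keep '$' in names and ':' ',' in values readable, as in the guide's
        # date example; everything else outside the unreserved set is escaped.
        parts.append(quote(name, safe="$") + "=" +
                     quote(_as_text(name, value), safe=":,"))
    return server_url.rstrip("/") + "/xmlapi.svc?" + "&".join(parts)


if __name__ == "__main__":
    # Constructed host and values, for illustration only.
    print(build_url("https://hedgehog.example.invalid", "alert", {
        "HH$Severities": ["HIGH", "MEDIUM"],
        "HH$ExecutionTimeFrom": datetime(2010, 1, 5, 8, 30, 0),
        "HH$Operation": "select * from dba_users where username='A&B'",
    }))
```

Because the request carries the credentials of a user with the "Use XML API" permission, send it only over a connection you have confirmed is encrypted end to end.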

17 Working with External Databases

The Hedgehog Server comes bundled with an efficient in-memory backend database. The database is ideal for customers with moderate alert volumes. The database can easily be replaced by a commercial database, either Oracle or MSSQL, for two main reasons:
  - If you expect a large volume of alerts (more than 100k alerts between archive events), the use of an external database is necessary.
  - The use of an external database allows you to use your regular DBMS tools to perform backups, create your own reports, and so on.

Hedgehog supports the use of the following external databases:
  - Oracle versions 10g and 11g
  - MS SQL 2005 (Service Pack 2)

A simple CLI command is used to migrate the database. The Hedgehog Backend Migration Tool supports the following options:
  - Migrating the internal database to the external database. Note that if at any stage you want to revert to the internal database, the data stored on the external database will no longer be accessible to the Hedgehog Server.
  - Changing the password used to authenticate the server to the database.

This section describes how to use the Hedgehog Backend Migration Tool to move data from the Hedgehog internal database to an external database.

Migrating the Internal Database to an External Database

The Hedgehog Backend Migration Tool is used to migrate the internal database to the external database. The migration procedure varies slightly according to the type of database (Oracle or MSSQL), as described in the following sections:
  - Migrating to an MSSQL Database
  - Migrating to an Oracle Database

When migrating to an external database, any existing data is automatically moved from the internal database to the external database when it is created.

Note: The traffic between the Hedgehog server and the backend database is not encrypted. If the two are not installed on the same machine, you should consider encrypting the traffic between the machines (e.g. using IPsec).

Migrating to an MSSQL Database

Before migrating to an MSSQL Database using the Migration Tool, you must define the MSSQL database user. A username and password will be required to complete the process. The user must have sufficient permissions to create a database.

If you do not want to grant create database permissions to the database user to be used to access the Hedgehog Server database, you can alternatively perform the following steps:
1. Manually create the databases SNTRSRV and SNTRSRV_BACKUP using a user with create database permissions.
2. Run the migration script and provide it with a database user that is now only required to have the following permissions on the SNTRSRV and SNTRSRV_BACKUP databases:
  - db_datareader
  - db_datawriter
  - db_ddladmin

Notes:
  - The Hedgehog Server must be stopped before you attempt to set up the external database.
  - It is recommended to copy the file sentrigo-custom.properties located in the <installation directory>/conf folder and save it under another name (for example, sentrigo-custom.properties.1).

To migrate to the MSSQL database:
1 The process for starting up the migration depends upon the target platform the server is installed on.
  - Windows: Open a command prompt (cmd) and change directory to the bin directory under the root install directory (for example, C:\Program Files\Sentrigo\Hedgehog\bin). Run the bat file: migration_tool.bat. Note: You must be an administrator to run the Migration Tool.
  - Linux or Solaris: Run the following command as root: /etc/init.d/sentrigo-server db-migrate
2 When prompted to select the desired action, type migrate.
3 When prompted to select the database type, type mssql.
4 When prompted, type in the MSSQL username and password that you previously defined.
5 When prompted to enter the MSSQL Host address, type in the IP address of the Host server on which the database is located.
  Note: If the external database is on the local host, the external IP address or hostname of the server should be used. Do not use localhost or
6 When prompted to enter the MSSQL Listening Port, type in the number of the MSSQL port of the database host used for listening (for example, 1433). Verify that TCP/IP communication is enabled for that IP and port.

After the process is run, a message is displayed indicating the duration of the process and whether the process completed successfully. When the process completes successfully, the file sentrigo-custom.properties is modified to contain properties to enable Hedgehog to connect to the external database.

Note: If the process fails, examine and verify that the properties listed on the screen are correct. For further assistance, please contact Sentrigo support with the process output.

Figure 1: Example of Migration Process Output (MSSQL)

Migrating to an Oracle Database

Before using the Backend Migration Tool, it is important that you define two new Oracle database users. The resulting usernames and passwords are required in order to complete the process. Both users should have the permissions: resource and connect. Only the first user is actually used by the Hedgehog Server; the second user is used for backup during upgrade scenarios.

Note: The Hedgehog Server must be stopped before you attempt to set up the external database.

To generate the Oracle database:
1 The process for starting up the migration depends upon the target platform the server is installed on.
  - Windows: Open a command prompt (cmd) and change directory to the bin directory under the root install directory (for example, C:\Program Files\Sentrigo\Hedgehog\bin). Run the bat file: migration_tool.bat. Note: You must be an administrator to run the Migration Tool.
  - Linux or Solaris: Run the following command as root: /etc/init.d/sentrigo-server db-migrate
2 When prompted to select the desired action, type migrate.
3 When prompted to select the database type, type oracle.
4 When prompted, type in the username and password for the first Oracle user.
5 When prompted, type in the username and password for the second Oracle user.
6 When prompted to enter the Oracle Host address, type in the IP address or hostname of the server on which the database is located.
7 When prompted to enter the Oracle Listening Port, type in the number of the Oracle listening port (for example, 1521).
8 When prompted for the Oracle SID, type in the database instance SID.

After the process is completed, a message is displayed indicating the duration of the process and whether the process completed successfully. When the process completes successfully, the file sentrigo-custom.properties is modified to contain properties enabling the Hedgehog Server to connect to the external database. The file sentrigo-custom.properties is located in the <installation directory>/conf folder.

Note: If the process fails, verify that the properties listed on the screen are correct. For further assistance, please contact Sentrigo support with the process output.

Figure 2: Example of Migration Process Output (Oracle)


More information

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version 1.1.120318 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo EDR...3 1.1 Purchase

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1 Using the VMware vcenter Orchestrator Client vrealize Orchestrator 5.5.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

Getting Started With the Cisco PAM Desktop Software

Getting Started With the Cisco PAM Desktop Software CHAPTER 3 Getting Started With the Cisco PAM Desktop Software This chapter describes how to install the Cisco PAM desktop client software, log on to Cisco PAM, and begin configuring access control features

More information

KYOCERA Net Viewer User Guide Supplement

KYOCERA Net Viewer User Guide Supplement KYOCERA Net Viewer User Guide Supplement Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be

More information

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course McAfee VirusScan and McAfee epolicy Orchestrator Administration Course Education Services administration course training The McAfee VirusScan Enterprise and McAfee epolicy Orchestrator (McAfee epo ) Administration

More information

Workspace Administrator Help File

Workspace Administrator Help File Workspace Administrator Help File Table of Contents HotDocs Workspace Help File... 1 Getting Started with Workspace... 3 What is HotDocs Workspace?... 3 Getting Started with Workspace... 3 To access Workspace...

More information

FuegoBPM TM Enterprise Process Orchestration Engine Configuration Instructions for a JVM Engine

FuegoBPM TM Enterprise Process Orchestration Engine Configuration Instructions for a JVM Engine FuegoBPM TM Enterprise Process Orchestration Engine Configuration Instructions for a JVM Engine FUEGOBPM System Administration Training PART NO. FEPOECv5.5 Date January 1, 2005 Copyright Fuego, Inc. 2004.

More information

CDP Data Center Console User Guide CDP Data Center Console User Guide Version

CDP Data Center Console User Guide CDP Data Center Console User Guide Version CDP Data Center Console User Guide CDP Data Center Console User Guide Version 3.18.2 1 README FIRST Welcome to the R1Soft CDP Data Center Console User Guide The purpose of this manual is to provide you

More information

equestionnaire User Guide

equestionnaire User Guide Prodika Product Lifecycle Management equestionnaire User Guide Release 5.1 Part Number: TPPR-0045-5.1A Make sure you check for updates to this manual at the Oracle Documentation Web site Copyrights and

More information

Hitachi Storage Command Portal Installation and Configuration Guide

Hitachi Storage Command Portal Installation and Configuration Guide Hitachi Storage Command Portal Installation and Configuration Guide FASTFIND LINKS Document Organization Product Version Getting Help Table of Contents # MK-98HSCP002-04 Copyright 2010 Hitachi Data Systems

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

Oracle Communications Billing and Revenue Management

Oracle Communications Billing and Revenue Management Oracle Communications Billing and Revenue Management Pipeline Configuration Center Installation and System Administration Guide Release 7.4 E25364-02 October 2012 Oracle Communications Billing and Revenue

More information

Scout Enterprise Dashboard

Scout Enterprise Dashboard Scout Enterprise Dashboard Administrator s Guide Date 2017-07-25 0. Legal Information 2 1. Introduction 3 2. Installation 4 2.1. System requirements 4 2.2. Installing Scout Enterprise Dashboard 6 2.3.

More information

Tanium Core Platform User Guide

Tanium Core Platform User Guide Tanium Core Platform User Guide Version 7.0.314.XXXX November 08, 2018 The information in this document is subject to change without notice. Further, the information provided in this document is provided

More information

CounterACT VMware vsphere Plugin

CounterACT VMware vsphere Plugin Configuration Guide Version 2.0.1 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin... 5 What to Do... 5 Requirements... 5 CounterACT

More information

Mcafee epo. Number: MA0-100 Passing Score: 800 Time Limit: 120 min File Version: 1.0

Mcafee epo.  Number: MA0-100 Passing Score: 800 Time Limit: 120 min File Version: 1.0 Mcafee epo Number: MA0-100 Passing Score: 800 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ McAfee MA0-100 McAfee Certified Product Specialist-ePO Practice Test Version: 4.0 Exam A QUESTION

More information

Advanced ARC Reporting

Advanced ARC Reporting COPYRIGHT & TRADEMARKS Copyright 1998, 2009, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks

More information

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01 CloudLink SecureVM Version 4.0 Administration Guide P/N 302-002-056 REV 01 Copyright 2015 EMC Corporation. All rights reserved. Published June 2015 EMC believes the information in this publication is accurate

More information

User Guide. Version R92. English

User Guide. Version R92. English AuthAnvil User Guide Version R92 English October 9, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Early Data Analyzer Web User Guide

Early Data Analyzer Web User Guide Early Data Analyzer Web User Guide Early Data Analyzer, Version 1.4 About Early Data Analyzer Web Getting Started Installing Early Data Analyzer Web Opening a Case About the Case Dashboard Filtering Tagging

More information

This section of the release notes is reserved for notable changes and new features since the prior version.

This section of the release notes is reserved for notable changes and new features since the prior version. Release Notes Browsium Proton 4.1 Product Version: 4.1.0 Release Notes Updated: 15 October 2016 About this Release This document lists new features and known issues as of the release date. If you discover

More information

Smart Call Home Web Application

Smart Call Home Web Application CHAPTER 3 This chapter discusses the following areas: Overview of the Launch Smart Call Home Smart Call Home Overview Page Registration Management Processes Report Generation Overview of the Smart Call

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.2 Table of Contents About ServiceNow Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

Perceptive Nolij Web. Administrator Guide. Version: 6.8.x

Perceptive Nolij Web. Administrator Guide. Version: 6.8.x Perceptive Nolij Web Administrator Guide Version: 6.8.x Written by: Product Knowledge, R&D Date: June 2018 Copyright 2014-2018 Hyland Software, Inc. and its affiliates.. Table of Contents Introduction...

More information

Creating Domain Templates Using the Domain Template Builder 11g Release 1 (10.3.6)

Creating Domain Templates Using the Domain Template Builder 11g Release 1 (10.3.6) [1]Oracle Fusion Middleware Creating Domain Templates Using the Domain Template Builder 11g Release 1 (10.3.6) E14139-06 April 2015 This document describes how to use the Domain Template Builder to create

More information

AT&T Global Network Client for Mac User s Guide Version 1.7.3

AT&T Global Network Client for Mac User s Guide Version 1.7.3 Version 1.7.0 AT&T Global Network Client for Mac User s Guide Version 1.7.3 experience may vary. This document is not an offer, commitment, representation or warranty by AT&T and is subject to change..

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

RSA Authentication Manager 7.1 Help Desk Administrator s Guide RSA Authentication Manager 7.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,

More information