McAfee Database Security 4.7.x Product Guide 1-12-2024

This document provides an overview and instructions for using McAfee Database Security 4.7.x. It describes the product's key features and how it works. It also provides detailed instructions on how to use the web console to view alerts, filter data, manage rules and licenses, view vulnerability scan results, and access the dashboard. The document is a user guide for McAfee Database Security 4.7.x.


McAfee Database Security 4.7.x Product Guide
Contents

Product overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Key features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

How it works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

McAfee Database Security web console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Access the web console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

System-wide functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Sort data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Manage filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Filter data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Save a filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Apply a filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

View or edit the filter properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Delete a filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Change your password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

View license information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Upgrade a license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Working on alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

View alert details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Resolve an alert. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Resolve multiple alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Create a rule based on an alert. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Create a rule exception based on an alert. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Generate alert reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Archive alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Create a resolve type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Edit a resolve type name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Delete a resolve type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Vulnerability assessment scan results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

View the VA scan results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Handling VA results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Resolve a VA result. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Resolve multiple VA results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Archive VA results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Generate VA result reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

McAfee Database Security dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

View the dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Refresh the chart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Filter dashboard alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Set the number of most active rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Rules for securing DBMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Rules and monitoring policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Enable a rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Disable a rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Managing vPatch rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

View the properties of a vPatch rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Configure the action for a vPatch rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Configure the action for a DBMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Update the security level of the vPatch rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Managing custom rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Create a custom rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Create a rule with rule creation wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Create a custom rule in new rule page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Clone a rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Change the order of custom rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Edit a custom rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Remove a custom rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Install or remove rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Install all or multiple rules on DBMSs and DBMS groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Install a rule on DBMSs and DBMS groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Remove rules from DBMSs and DBMS groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Apply actions on all rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Import and export rule settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Import rule settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Export rule settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Rule syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Identifiers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Operators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Rule examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Managing rule objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Create a rule object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

View or edit rule object properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Delete a rule object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

DVM-based rule objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Add a specific DVM rule object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Add a global DVM rule object (distributed). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Add a global DVM rule object (Master repository). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Script configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configure a signed script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

View or edit a signed script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Delete a signed script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Download a signed script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Application mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Create an audit rule to monitor DBMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Create a mapping exception rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Working with tags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Assign tags to rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Assign rules to DBMSs based on tags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

View tags per DBMS and DBMSs group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Rule revisions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

View rule revision details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Compare revision details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configure notification for rule modification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Vulnerability assessment scan for database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Managing VA Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Create a VA scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Enable or disable vulnerability assessment scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Clone a vulnerability assessment scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Schedule a VA scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Run a VA scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Stop a VA scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Remove a VA scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Apply actions to VA scan list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Remove actions from VA scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Add DBMS for VA scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Remove VA scans from DBMSs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

View the summary of VA scan result. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Generate VA scan summary report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Vulnerability assessment tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Create and define a custom vulnerability assessment test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Remove a custom VA test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Import VA test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Export VA test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Regulations and compliance rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Configure compliance rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Save partial compliance rule settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Edit compliance rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

McAfee Database Security sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

View DBMSs monitored by the sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

View or edit sensor details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Add a DBMS to a sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Approve a sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Approve the DBMSs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Change the sensor action for a DBMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Sensor management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Stop a sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Restart a sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Delete a sensor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Setup the Data Access Layer (DAL) connection using TLS 1.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Troubleshooting the sensor installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Troubleshooting procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Run the diagnostic tool (Analytic package). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Sensor log files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Sensor log file size. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Sensor log format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Sensor startup logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Sensor cache statistics logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Searching sensor logs for errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Common log errors explained. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Data access layer errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Communication errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Monitoring and protecting DBMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Add a DBMS for vulnerability assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

DBMS properties and trigger settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

View and edit the DBMS properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Add a new DML trigger. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

View DML monitoring results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Enable or disable DML triggers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Enable or disable redo buffer monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Configure failed logon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Enable application mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Add actions to DBMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Configure the character set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Add DBMS from TNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

View sensors by DBMS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Monitor a clustered database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Working with network scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Create a network scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

View network scan results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Create a VA DBMS from scan results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Rerun a network scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Stop a network scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Delete a network scan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Managing DBMS groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Create a DBMS group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

View and edit a DBMS group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Delete a DBMS group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Roles and permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Predefined roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

View and edit roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Create a new role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Edit the permissions of an existing role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Remove a role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Add a user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

View and edit the user details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Change user permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Change user password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Remove a user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Export users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Import users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Configure password policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuring system interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configure the outgoing email account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configure LDAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configure multiple LDAP servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configure SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configure the Syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configure a proprietary alert format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configure the Windows event log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configure log file settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configure Insights. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Archiving alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Configure automatic alert archiving. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Manually archive alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Reload an archive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Reload partial archives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Rearchive alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Remove an alert archive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Viewing clusters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Quarantining users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112


Configure the quarantine parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Remove a user from quarantine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Viewing action history. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Set a time period for deleting actions history. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

View actions history details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Managing server logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Configure the server logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Download the server logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Configure automatic resolution of IP addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

System messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

View system message details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Mark system messages as read or unread. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Delete a system message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Configure system messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

View back-end DBMS details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Schedule a backup for DBMS details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Syslog fields directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Checking for security updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Configure security update settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Manually check for updates and install vPatch security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Manually check for updates and install VA security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Manually check for updates and install server software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Manually check for updates and install sensor software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Install offline updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

View the update history. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Generating reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Generating system reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Working with dynamic reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Create a detailed dynamic report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Create a summary dynamic report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126


View or edit the properties of a dynamic report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Schedule a dynamic report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Run a dynamic report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Delete a dynamic report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Set the logo for the reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

External databases and McAfee Database Security server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Migrating the internal database to an external database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Migrate to an MSSQL database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Migrate to an Oracle database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Change the configured password for the external database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Create your own database (advanced configuration). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Working with the McAfee Database Security server in cluster mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Configure your McAfee Database Security servers to work in cluster mode. . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Troubleshooting for cluster environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Backup and recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Back up the server configuration files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Back up the server back-end databases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Back up archive files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Recover the system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

XML API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Configure the XML API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Create a dedicated user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Use the XML API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

List of supported request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Sensor request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Alert request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

VA result request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

DBMS request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Scans request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Add VA database request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152


Update database request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Batch update database request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Delete VA database request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Add database to groups request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Remove database from groups request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Add VA scan request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Update VA scan request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Start VA scan request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Delete VA scan request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Rule objects request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Resolve alerts request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Resolve results request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Sensor restart request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Rules request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Database groups request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Application mapping request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Sensor management service request parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

McAfee Database Security Insights. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Key features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

How Insights works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Access the web console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Web console components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Insights system-wide functionality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Set the time frame. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Table options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Sort data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Select columns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Adjust column width. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Export table data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Work with filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189


Define a filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Filter syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Filter keywords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Save a filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Apply a filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Delete a filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Work with widgets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Add a widget. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Remove a widget. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Filter data based on widget list items. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Log out. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

View events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Update the event status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Assign an event to another user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Export events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Event properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Findings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

View findings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Update the finding status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Assign findings to another user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Export findings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Finding properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

View existing reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Create a report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Duplicate a report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Run an existing report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Delete a report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207


Analytics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Application mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Database risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

View database risk summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

View database risk details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Finding explorer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Access control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Add a user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Change a user password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Delete a user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Troubleshooting logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Edit the log settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Generate an analytic package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Index management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

View the indices list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Open an index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Close an index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Delete an index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

LDAP configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211


1| Product overview

Product overview
Overview
McAfee® Database Security is an easy-to-deploy and highly scalable software solution that monitors the Database Management
System (DBMS) and protects it from internal and external threats, and even from intra-database exploits.

The McAfee Database Security Suite for databases includes the following products:

• McAfee® Database Activity Monitoring (McAfee DAM) — Protects data from all threats by monitoring activity locally on
each database server and by alerting or terminating malicious behavior in real time, even when running in virtualized or
cloud computing environments.
• McAfee® Virtual Patching — Detects missing patches, applies vulnerability-specific countermeasures and fixes
misconfigurations (via McAfee Database Security virtual patching technology) found by vulnerability scans to improve
the security posture of databases immediately, without requiring any downtime.
• McAfee® Vulnerability Manager for Databases — Automatically discovers databases on the network, determines whether the
latest patches have been applied, and tests for vulnerabilities such as weak passwords, default accounts, and other
common weaknesses. In addition, it performs detailed data discovery scans for sensitive data, including PII and data
covered by PCI DSS, SOX, and HIPAA.

Note

Product features depend on the product version. When a function is unavailable in the version you are using, the user
interface informs you that a different license is required to enable the feature.

Key features
McAfee Database Security provides full visibility into DBMS user activity and can issue alerts or terminate suspicious activities
based on predefined vPatch rules and custom rules.

In line with the layered defense strategy employed by leading enterprises, McAfee Database Security complements other security
measures, such as encryption, network security, and other tools, by providing a hardened security layer surrounding the DBMS
itself.

The key advantages of McAfee Database Security include:

• Monitoring of all DBMS activities, including the activities of authorized and privileged users
• Prevention of intrusion, data theft, and other attacks on the DBMS
• Real SQL Injection Protection
• Rule-based policies for users, queries, and DBMS objects
• Quarantine rogue users
• Enterprise level vulnerability assessment for DBMSs
• Quick and easy deployment and configuration

14 McAfee Database Security 4.7.x Product Guide

How it works
The McAfee Database Security Suite for databases offers real-time protection for databases from all types of threats: external,
internal, and even intra-database exploits.

McAfee Database Security is ideal for servers operating in a physical or virtualized environment, on premises, or in the cloud.

1. The McAfee Database Security sensor enables the monitoring of local and network access to DBMSs in real time. The
sensor operates safely in operating system (OS) user-space, and can either run on the machine hosting the DBMS or on a
separate dedicated system, depending on the selected configuration.
2. The McAfee Database Security server is a J2EE server that communicates with all the installed sensors. It can run on a
dedicated physical machine or a dedicated virtual machine.
3. The web console is the interface in which the administrator can monitor and manage all Database Security products.

The McAfee Database Security sensor monitors access to the DBMS and sends transaction data to the McAfee Database Security
server. Based on the policies defined in the McAfee Database Security web console, the server logs the transaction, issues an
alert, or prevents access to the DBMS, as the matching rule specifies.

Note

Use of the terms DBMS (database management system) and database varies by platform vendor. In general, DBMS refers to the
overall database system, including the data and the infrastructure around it, whereas database can refer only to the data
tables. In this document, the terms are used interchangeably.

2| McAfee Database Security web console

McAfee Database Security web console

Access the web console
Access the web console to use McAfee Database Security functions such as alerts, sensors, rules, roles, and security
updates.

Before you begin

Make sure that your system meets these requirements:

• Mozilla Firefox 1.5 or later
• Microsoft Internet Explorer 7.0 or later
• Chrome 47 or later
• A minimum of 128-MB RAM

Task
1. In your web browser, enter the URL of the McAfee Database Security Server based on the information configured in the
installation in the format: https://<servername>:<port number>.

Note

The default port number is 8443.

2. Enter the administrator user name and password as configured in the installation, then click Login.

System-wide functionality
Sort data

Customize the view in the McAfee Database Security web console by setting one or more criteria for sorting data.

Note

You can sort a list by a single criterion at any time by clicking the head of the column according to which you want to sort the
data. Click again to reverse the order (ascending or descending).

For example, you can set the primary sort criteria as the level of the alert in descending order (high severity first); the secondary
sort criteria as the time stamp, in descending order (most recent first).

Task
1. Expand Edit Filters, then click Sort Options.
The Sort By page is displayed with available columns listed in the Table Columns pane.
2. To sort by a specific data column, do the following:
a. Select the column name in the Table Columns pane.


b. Click to apply the sort criteria in ascending order or click to apply the sort criteria in descending order.
The selected column name in the Table Columns pane is moved to Sort By pane.

The current sorting criteria are listed in the Sort By pane, in the order in which they take precedence. The sort order is
indicated by (a) for ascending or (d) for descending.

3. (Optional) To change the position of the sort criteria, select the column name in the Sort By pane, then click or to
move the column name up or down.
4. (Optional) To remove a column name from the sort criteria, select the column name in the Sort By pane, then click .
5. Click OK to apply the sort criteria.

Manage filters

Filter data

Filter lists to display data that matches specific criteria.

Although the process for defining a filter varies by page, the basic instructions are the same throughout the system.

The following procedure explains how to filter the alert list.

Task
1. On the Alerts page, expand Edit Filters.
2. Set one or more filter criteria by selecting the relevant values in the drop-down lists, such as Sensor, DBMS, Resolution,
Rule Type, Archives, Level, DBMS Groups, Time, or Compliance.

Note

Free-text field filters match the entered string as a substring of the field's value. For example, if you
enter General SQL in the Rule Name field, all alerts triggered by any General SQL injection rule are shown.

3. From the Display alerts per page drop-down list, select the number of alerts to be displayed on each page.
4. (Optional) To sort the results according to specific criteria, click Sort Options, then set the sort criteria.
5. In the other fields, such as Module, Client ID, OS User, User, Host Name, and Application, enter one or more of
these symbols to define the matching criteria.

For example, consider filtering alerts for four users, namely user1, user2, john_, and sys.

Symbol       Definition                    User filter   Expected results
No symbol    Similar                       user1         Alerts from user1 are displayed.
                                           user          Alerts from user1 and user2 are displayed.
                                           u_er1         Alerts from user1 are displayed.
                                           user_         Alerts from user1 and user2 are displayed.
=            Exact match                   =user1        Alerts from user1 are displayed.
                                           =user         No alerts are displayed.
                                           =u_er1        No alerts are displayed.
                                           =user_        No alerts are displayed.
!            Not similar to                !user1        Alerts for sys, john_, and user2 are displayed.
                                           !user         Alerts for sys and john_ are displayed.
                                           !u_er1        Alerts for sys, user2, and john_ are displayed.
                                           !user_        Alerts for sys and john_ are displayed.
!=           Not the same as or equal to   !=user1       Alerts for sys, john_, and user2 are displayed.
                                           !=user        Alerts for all four users are displayed.
                                           !=u_er1       Alerts for all four users are displayed.
                                           !=user_       Alerts for all four users are displayed.
\            Ignore escape characters      john\_        Alerts for john_ are displayed.
                                           john\_\_      No alerts are displayed.

There are two wildcards used in conjunction with the LIKE operator:

• % — The percent sign represents zero, one, or multiple characters.
• _ — The underscore represents a single character.
6. Click Apply.

Results

The alert list displays only those alerts that match the filter criteria.

Note

To deselect all filter selections, click Clear.
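To make the matching semantics in the table above concrete, here is an added Python model (not part of the guide and not the console's own filter code) that treats each symbol as a SQL LIKE comparison and runs it over the four constructed sample users; the behaviour it encodes is taken from the table.

```python
import re
from typing import List

# Constructed sample of user names, matching the four users in the guide's table.
SAMPLE_USERS: List[str] = ["user1", "user2", "john_", "sys"]


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SQL LIKE pattern into an anchored regular expression.

    '%' stands for zero or more characters, '_' for exactly one character,
    and a backslash makes the following character literal, so 'john\\_'
    matches only a real underscore (the table's "ignore escape characters" row).
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))   # escaped: literal character
            i += 2
            continue
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches(filter_text: str, value: str) -> bool:
    """Apply one free-text filter expression to one field value.

    No symbol : substring LIKE match      (LIKE '%text%')
    =         : exact, literal comparison (wildcards are not interpreted)
    !         : negated substring LIKE match
    !=        : negated exact comparison
    """
    if filter_text.startswith("!="):
        return value != filter_text[2:]
    if filter_text.startswith("="):
        return value == filter_text[1:]
    negate = filter_text.startswith("!")
    text = filter_text[1:] if negate else filter_text
    hit = like_to_regex("%" + text + "%").match(value) is not None
    return hit != negate


def apply_filter(filter_text: str, values: List[str] = SAMPLE_USERS) -> List[str]:
    """Return the values (in their original order) that pass the filter."""
    return [v for v in values if matches(filter_text, v)]


if __name__ == "__main__":
    for f in ["user_", "=user_", "!user_", "!=user_", "john\\_", "john\\_\\_"]:
        print(f"{f:12} -> {apply_filter(f)}")
```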

Save a filter

Create and save multiple filter criteria to reuse the filters when needed. This eliminates the need to redefine the filter criteria
each time you view a page.

Task
1. Expand Edit Filters, define the filter criteria, and then click Save Filter.
2. Enter the name of the filter in the Save filter details dialog box.


3. Click Save.

Results

The filter name is added to the Edit Filters drop-down list.

Apply a filter

Apply a saved filter when needed.

Task
1. Select the filter from the Edit Filters drop-down list.

The filter criteria area is refreshed to reflect the values of the customized view.

2. Click Apply.

Note

By default, the most recently used filter is applied each time you access a page.

View or edit the filter properties

View or edit the criteria that define a saved filter.

Task
1. Expand Edit Filters, then select the required filter from the Edit Filters drop-down list.
The details are displayed for the selected filter.
2. Edit the filter criteria, then click Save Filter.
3. In the Save filter details dialog box, provide the same filter name.
4. When prompted to save, click Save.

Delete a filter

Delete a saved filter.

Task
1. Select the filter from the Edit Filters drop-down list, then click Delete Filter.
2. Click OK in the confirmation dialog box.

Results

The filter is deleted and is no longer available in the Edit Filters drop-down list.

Change your password

For security purposes, it is recommended that you change your password from time to time or according to your company
policy.


Task
1. Choose one of the ways to change the password:

• Click the McAfee Database Security account name that is displayed on the top right corner of any page.
• On the Permissions page, click the Users tab.
The Users tab displays the User Properties.
2. Click Change Password.
The Change Password dialog box is displayed.
3. Type the current password in the Old Password field.
4. Type the new password in the New Password and Confirm Password fields.

Note

The password must contain at least four characters.

5. Click OK.

Note

McAfee Database Activity Monitoring and Vulnerability Manager for Databases versions enable you to use an external
LDAP server (such as Active Directory) to manage the system users. If you are using an external LDAP server, you do not
have to manage your passwords in McAfee Database Security.

View license information

View the status of your license, as well as the third-party licenses and the end-user license agreement (EULA).

Task
1. Click License at the bottom of any page.
The McAfee Database Security License information is displayed.
2. To view third-party license information, click View third-party licenses.
3. To view end-user license agreement, click EULA.

Upgrade a license

Import a license data file to upgrade your license.

Before you begin

You must download the license data file from the McAfee Product Downloads site using your grant number.

Task
1. Click License at the bottom of any page, then click Upgrade License From a File.
2. Click Browse, then select the license file.
3. Click Upload.



3| Working on alerts
Alerts can be handled in various ways in keeping with company policy and constraints. You can resolve an alert or you can
immediately close a potentially dangerous DBMS session in response to an alert. In addition, you can create a rule based on the
scenario that triggered the alert (particularly useful in preventing future false positives) or establish trust for a specific current
session.

View alert details


View alert details to investigate and take necessary action on an alert.

Task
1. On the Alerts page, in the alert list, click the expand icon beside the alert you want to view.
The alert details are displayed. The details displayed vary according to the type of database that is monitored.
2. To view more advanced details for the selected alert, click Detailed View.

The alert details are displayed in read-only format.

Resolve an alert
When an alert is first triggered, it is displayed in the alert list with the default status Unresolved. You can review the
details of the alert and, depending on its properties, change its resolution state to either Resolved or False Alarm.

Alerts are triggered based on the rules defined and applied to SQL statements sent to the DBMS. You can also change the state
of a resolved alert back to unresolved.

Task
1. On the Alerts page, click the expand icon beside the required alert.
2. Review the alert details, then select the alert.
3. To resolve an alert, choose one of these options:

• In Actions, click Resolve.


• In the Action(s) column, click the Resolve icon .

4. In the Resolve Alert dialog box, select the applicable resolution option.

Note

McAfee Database Security is provided with preconfigured resolve types. McAfee Database Activity Monitoring users can
define more resolve types to meet their specific needs.

5. Enter a brief summary of the reason for resolving the alert.


6. Click Resolve.


Results

The alert details are updated to reflect the new resolution status.

Resolve multiple alerts

Change the resolution state of multiple alerts in a single operation.

Note

For easier monitoring, you can filter the alerts list to show only Unresolved alerts.

Task
1. On the Alerts page, select the alerts to be resolved in one of these ways:

• Select the required alerts in the alerts list.


• Filter the unresolved alerts, then click All to select all alerts in the alerts list.
• Filter the unresolved alerts, then click Page to select alerts in the currently displayed page.
2. To resolve multiple alerts, choose one of these options:

• In Actions, click Resolve.


• In the Action(s) column, click the Resolve icon .

3. In the Resolve multiple alerts dialog box, select the applicable resolve option from the drop-down list, then enter a brief
summary of the reason for resolving the alerts.
4. Click Resolve.

Results

The selected alerts are updated to reflect the new resolution status.

Create a rule based on an alert


Create a rule from an alert and save the rule under Custom Rules. This is helpful when you need to create an exception, such as
preventing the repeated occurrence of a false positive.

Task
1. On the Alerts page, expand the alert that needs to serve as the basis of a rule.
2. Review the alert details, then click Create Rule icon in the Action(s) column.
The Create Rule From Alert dialog box is displayed, with default selected fields. You can edit these fields if required.
3. Click Create.
The Rules → Custom Rules tab is displayed, with an automatically generated condition based on the details of the
originating alert. By default, this is an Allow rule.
4. Edit the rule details to refine its properties, then select the DBMSs where the rule is installed.



5. Click Save.

The rule is created and added to the Custom Rules list.

6. To reorder the rule to the appropriate location in the Custom Rules list, select the rule and move the directional arrow .

Note

Exceptions are typically placed immediately above the rule that triggered the alert.

7. Click Save.

Results

The Rule created status appears in the Resolution column of the alerts list.

Create a rule exception based on an alert


Create an exception to a vPatch or custom rule based on an alert.

Task
1. On the Alerts page, expand the required alert in the alert list.

2. Review the alert details, then click the Add Exception icon in the Action column.
The Create Exception From Alert dialog box is displayed with default selected fields. You can edit these fields if required.

Note

If the alert was triggered by several rules, you are prompted to select the rule for which you want to create an exception.

3. Click Create.
The Rules → Custom Rules tab is displayed, with an automatically generated condition based on the details of the
originating alert.
4. Edit the rule details to refine its properties, such as allowing a specific IP address, and configure the actions taken when the
rule matches.
5. Click Save.

Generate alert reports


Generate a report that contains detailed information about each of the alerts displayed in the alerts list.

McAfee Database Security Integrity Monitor and McAfee Database Activity Monitoring are provided with a simple mechanism for
creating reports from alerts in PDF format.

You can apply a filter to the alerts list and then generate a report for the filtered list. For example, to generate a report that
contains only alerts with the resolution state False Alarm, filter the list accordingly before generating the report.


Task
1. On the Alerts page, apply the appropriate filter criteria.
2. In the alert list, select the alerts for which the report needs to be generated.
3. Click Generate Report.
4. In the Generate Report dialog box, choose the required fields that you want to include in the generated report.
5. From the Report format drop-down list, select PDF or Excel.

If you select Excel, the report is generated as an XML file packaged in a .zip archive.

6. Click Generate.
The report is generated and downloaded as a PDF or XML file that contains a detailed entry for each of the alerts. The
XML file can be opened in Microsoft Excel; the PDF file can be opened in a PDF reader.

Archive alerts
Archiving alerts at regular intervals keeps the alert list from growing excessively. Archived alerts are
compressed and then stored in an archive file.

McAfee Integrity Monitor and McAfee Database Activity Monitoring are provided with a mechanism for archiving alerts. Archived
alerts do not appear in the alerts list unless the archive file is reloaded.

Task
1. On the Alerts page, apply the appropriate filter criteria.
2. Select the alerts you want to archive.
3. Click Archive before the table header.
4. In the Archive Results dialog box, provide the reason for archiving, and click Archive.

Results

The alerts are sent to the archive configured in the System → Archives section.

Create a resolve type


Based on your own experience, you can create custom resolve types to monitor alerts generated in response to specific
conditions or events.

Assigning a meaningful resolve type when you resolve an alert makes it easier to monitor the system for recurring problems.

McAfee Database Security has seven preconfigured system resolve types: Created Rule, False Alarm, Released From
Quarantine, Resolved, Sensor Deleted, Test disabled, and Unresolved. System resolve types can't be edited or deleted.

Task
1. On the System page, click the Resolve Types tab.
2. Click New Type.
3. In the Properties of resolve type, enter a new name for the resolve type in the Name field.
4. Click Save.


Results

The resolve type is added to the Resolve Types list.

Edit a resolve type name


You can edit the name of a user-defined resolve type at any time.

Task
1. On the System page, click the Resolve Types tab.
2. For the respective resolve type, click the Properties icon .
The Properties of resolve type dialog box is displayed.
3. Edit the resolve type name, then click Save.

Results

The resolve type name is changed in the Resolve Types list.

Delete a resolve type


Delete a user-defined resolve type that is no longer needed.

Note

You cannot delete a system resolve type.

Task
1. On the System page, click the Resolve Types tab.
2. For the respective resolve type, click the Remove icon .
3. When prompted for confirmation, click OK.

Results

The resolve type is removed from the Resolve Types list.

Alerts previously resolved using this resolve type are not affected, but the deleted resolve type is no longer available for
selection.



4| Vulnerability assessment scan results


After running a VA scan, Vulnerability Manager for Databases provides detailed information about the scan findings in the VA
Results tab.

View the VA scan results


View the scan results to investigate and take necessary action on the scan result.

Task
1. On the VA Results page, in the VA result list, click the expand icon beside the required scan result.
The scan result details are displayed. The specific details displayed vary according to the type of database that is monitored.
2. Click Detailed View to view more details for the selected result.

The VA result details are displayed in read-only format.

Handling VA results
Resolve a VA result

After analyzing and fixing the VA result, you can change the resolution state to either Resolved or False Positive.

Task
1. On the VA Results page, click the expand icon beside the required VA result.
2. Review the result details, then select the VA result.
3. To resolve a VA result, choose one of these options:

• In Actions, click Resolve.


• In the Action(s) column, click the Resolve icon .

4. In the Resolve multiple results dialog box, select the applicable resolution option from the drop-down list.

Note

McAfee Database Security is provided with preconfigured resolve types. Vulnerability Manager users can define more
resolve types to meet their specific needs.

5. Enter a brief summary for resolving the VA result.


6. Click Resolve.

Results

The result details are updated to reflect the new resolution status.


Resolve multiple VA results

You can change the resolution state of multiple VA results after analyzing and fixing the VA results.

Note

For easier monitoring, you can filter the VA result list to show only Unresolved alerts.

Task
1. On the VA Results page, select the VA results to be resolved in one of these ways:

• Select the required alerts in the VA Results list.


• Filter the unresolved scan results, then click All before the table header to select all results in the VA Results list.
• Filter the unresolved scan results, then click Page before the table header to select the results on the currently
displayed page.

2. To resolve multiple VA results, choose one of these options:

• In Actions, click Resolve.


• In the Action(s) column, click the Resolve icon .

3. In the Resolve Multiple VA Results dialog box, select the applicable resolve option from the drop-down list, then enter a
brief summary of the reason for resolving the VA results.

Note

McAfee Database Security is provided with preconfigured resolve types. Vulnerability Manager users can define more
resolve types to meet their specific needs.

4. Click Resolve.

Results

The selected results are updated to reflect the new resolution status.

Archive VA results

Archiving the scan results at regular intervals ensures that the size of the scan results does not increase significantly. Archived
scan results are compressed and stored in the archive file.

Archived results do not appear in the VA Results list unless the archive file is reloaded.

Task
1. On the VA Results page, apply the appropriate filter criteria.
2. Select the scan results you want to archive.
3. Click Archive before the table header.
4. In the Archive Results dialog box, provide the reason for archiving, and click Archive.


Results

The selected results are sent to the archive configured in the System → Archives section.

Generate VA result reports

Generate a report that contains detailed information about each of the VA results displayed in the VA result list.

McAfee Database Security Integrity Monitor and McAfee Database Activity Monitoring are provided with a simple mechanism for
creating reports from alerts in PDF format.

You can apply filters to the VA result list and generate a report of the filtered list. For example, to generate a report that contains
only VA results that have resolution state of False Alarm, filter the list accordingly before printing the report.

Task
1. On the VA Results page, apply the appropriate filter criteria.
2. In the VA results list, select the VA results for which the report needs to be generated.
3. Click Generate Report.
4. In the Generate Report dialog box, choose the required fields that you want to include in the generated report.
5. From the Report format drop-down list, select PDF or Excel.

When you select Excel, the report is generated as an XML archive file.

6. Click Generate.
The report is generated and downloaded as a PDF or XML file that contains a detailed entry for each of the VA results.
The XML file can be opened in Microsoft Excel; the PDF file can be opened in a PDF reader.



5| McAfee Database Security dashboard


The McAfee Database Security dashboard displays a wide range of statistical data regarding the status of alerts, DBMS
monitoring, security updates, and rules.

View the dashboard


You can set the time period for which data is displayed in the Dashboard.

Task
1. Click the Dashboard page.
2. Click the required time period, such as Last 10 min, Last hour, Last day, Last 7 days, or Last 30 days, at the top right of the
page.
You can view the data available for the selected time period.

Refresh the chart


You can view the latest statistics by clicking Recalculate chart data at the top of the Dashboard page.

Task
1. Click the Dashboard page.
2. Click Recalculate chart data at the top left of the page.
Chart data is refreshed with the latest update.

Filter dashboard alerts


To analyze the alerts, you can filter the data for up to five specific DBMSs.

Task
1. On the Alerts per DBMSs header, click Choose DBMSs.
2. Select the DBMSs for which you want to view alert statistics. You can select up to five DBMSs.

To revert to the default settings, click Use Default.

3. Click Select to apply your selection and return to the Dashboard.

Set the number of most active rules


Set the number of rules to be included in the Most Active vPatch Rules and Most Active Custom Rules lists.

Task
1. On the Most Active vPatch Rules header or Most Active Custom Rules header, click Settings.
The Number of rules selection dialog box is displayed for the selected type of rule.
2. From the Select upto drop-down list, select the number of rules to be included in the respective most active rules list.
3. Click Save.



6| Rules for securing DBMS


Rules and monitoring policy
Rules define what types of statements are allowed to run on the DBMS, which types are forbidden, and which types should be
monitored. The monitoring policy for a DBMS comprises the various rules enabled and applied on that DBMS. McAfee Database
Security provides enhanced DBMS security based on both predefined vPatch rules and custom rules.

McAfee Database Security also enables McAfee Database Activity Monitoring users to apply compliance rules.

DBMSs are manipulated by SQL statements and queries on an ongoing basis. Incoming statements are compared to the rules
enabled for the DBMS and action is taken based on the first rule that is matched. If a statement does not match any of the
existing rules, the statement is allowed.

McAfee Database Security provides enhanced DBMS security based on vPatch rules and custom rules. vPatch rules are included
in the installation of the Database Activity Monitoring version and help prevent attacks against known vulnerabilities. In addition,
you can define custom rules to define the level of monitoring and alerts, and further protect your DBMSs against potential
threats. For example, custom rules can be used to limit access to specific tables in the DBMS, or to limit access to the DBMS by
specific users or at specific times of day.

Rules are defined and then enabled for one or more DBMSs. Rules for each DBMS are managed in the various tabs of the DBMS
properties page. vPatch rules are listed on the vPatch Rules tab of the DBMS properties page. Custom rules are listed on the
Custom Rules tab of the DBMS properties page. Incoming statements are checked against the vPatch Rules list before they are
checked against the Custom Rules list.

vPatch rules address known attacks and therefore should not be overruled by custom rules. Nonetheless, you can disable all
vPatch rules or specific rules if the need arises, for example, for false positives where exceptions are unable to resolve the issue.
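As an added illustration (not the product's rule engine), the following Python model shows the evaluation order described above: enabled rules are checked in list order, the vPatch list before the Custom list, the first match decides, and an unmatched statement is allowed. It also shows why an Allow exception only takes effect when placed above the custom rule it excepts. Rule names, patterns, users and addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One monitoring rule. Every condition (field -> regex) must match."""
    name: str
    action: str                 # "allow" (an Allow rule / exception) or "alert"
    conditions: Dict[str, str]
    enabled: bool = True

    def matches(self, event: Dict[str, str]) -> bool:
        return all(
            re.search(pattern, event.get(fld, ""), re.IGNORECASE) is not None
            for fld, pattern in self.conditions.items()
        )


def first_match(vpatch: List[Rule], custom: List[Rule],
                event: Dict[str, str]) -> Optional[Rule]:
    """Check enabled rules in order, the vPatch list before the Custom list,
    and return the first rule that matches (None if nothing matches)."""
    for rule in vpatch + custom:
        if rule.enabled and rule.matches(event):
            return rule
    return None


def decide(vpatch: List[Rule], custom: List[Rule], event: Dict[str, str]) -> str:
    """Outcome for one statement: the first matching rule's action, or
    "allow" when no rule matches (the guide's default)."""
    rule = first_match(vpatch, custom, event)
    return "allow" if rule is None else rule.action


# Constructed rules; names, patterns, users and addresses are placeholders.
VPATCH: List[Rule] = [
    Rule("vpatch-placeholder", "alert", {"statement": r"\bPLACEHOLDER_SIGNATURE\b"}),
]
DROP_TABLE = Rule("custom-alert-on-drop-table", "alert",
                  {"statement": r"^\s*drop\s+table\b"})
# Exception created from an alert: same statement shape, restricted to the
# user and client address seen in that alert, saved as an Allow rule.
EXCEPTION = Rule("exception-release-dba", "allow",
                 {"statement": r"^\s*drop\s+table\b",
                  "user": r"^release_dba$",
                  "ip": r"^10\.0\.5\.10$"})

# Constructed monitored events (the fields a sensor would report).
RELEASE_EVENT = {"user": "release_dba", "ip": "10.0.5.10",
                 "statement": "DROP TABLE tmp_import"}
OTHER_EVENT = {"user": "app_user", "ip": "10.0.8.44",
               "statement": "drop table customers"}


def exception_placement() -> Dict[str, str]:
    """Same event, same rules, different order in the Custom Rules list."""
    return {
        "exception_above": decide(VPATCH, [EXCEPTION, DROP_TABLE], RELEASE_EVENT),
        "exception_below": decide(VPATCH, [DROP_TABLE, EXCEPTION], RELEASE_EVENT),
    }


if __name__ == "__main__":
    # {'exception_above': 'allow', 'exception_below': 'alert'}
    print(exception_placement())
    print(decide(VPATCH, [EXCEPTION, DROP_TABLE], OTHER_EVENT))   # alert
```

The "exception_below" result is why the guide recommends placing an exception immediately above the rule that triggered the alert.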

Enable a rule

You can enable vPatch rules and Custom rules at any time. A rule must be enabled before it can be processed by the sensor.

Task
1. On the Rules page, click the vPatch Rules or Custom Rules tab.
2. In the rules list, click the disable icon in the required row.

Results

The rule is enabled and the enabled icon is displayed.

Tip

To enable multiple rules, filter the rules list to display all rules or only the rules that you want to enable. Click Enable all rules
in the Actions drop-down list.


Disable a rule

You can disable a rule if you have started to define but have not completed it. Disabled rules are not processed by the sensor
until they are enabled.

We recommend disabling the rules in the following scenarios:

• If you have started to define a rule, but have not completed it.
• If you would like to confirm the rule first with another administrator.
• If you need to temporarily allow an action that is normally forbidden.
Task
1. On the Rules page, click the vPatch Rules or Custom Rules tab.
2. In the rules list, click the enable icon in the required row.
The rule is disabled and the disabled icon is displayed.

Tip

To disable multiple rules, filter the rules list to display all rules or only the rules that you want to disable. Click Disable all
rules in the Actions drop-down list.

Managing vPatch rules


vPatch rules help prevent attacks against known vulnerabilities. vPatch rules can only be disabled, installed or removed from
DBMSs and DBMS groups. They cannot be deleted.

Note

A red exclamation point is displayed in the left margin to indicate that a vPatch rule is not installed on any DBMS or DBMS
group.

View the properties of a vPatch rule

You can view the details of a vPatch rule, including the DBMSs and DBMS groups where the rule is installed.

Task
1. On the Rules page, click the vPatch Rules tab.
2. In the rules list, click the Properties icon in the required row.

The properties of the selected vPatch rule are displayed.

Configure the action for a vPatch rule

Define the alert level and the action to be taken when the conditions of a specific vPatch rule are met.


Note

You cannot change additional properties of a vPatch rule.

Task
1. On the Rules page, click the vPatch Rules tab.
2. In the rules list, click the Properties icon in the required row.
3. In the Action area of the rule properties, set the action as follows:

• To configure email notification in addition to the alert in the log, select Send alert to email, then select the priority
to assign to the email message (Low, Medium, or High). You can also define the email addresses. By default, the
administrator's email address is selected. The email settings must be configured on the System page to route email
alerts correctly.
• To send an alert as an SNMP trap if the rule is matched, select SNMP Trap.

Note

If SNMP is not enabled on the System page in the SNMP tab, this option is disabled.

• To terminate a session if the rule is matched, select Terminate user session.

Note

This option should be used sparingly because terminating sessions can disrupt legitimate business transactions.
Depending on environmental variables (such as command type and table size), session termination might not
stop the current SQL command. Stronger termination capability is provided for DCL and DDL commands that
use a before trigger (see DDL triggers).

If you select Terminate user session, the Quarantine user for option is displayed. To quarantine a user, select
Quarantine, then enter the number of minutes the user is prevented from reconnecting. For the purposes of
quarantine, user represents the database user, OS user, host name, IP address and more, or a combination of
these parameters. The user definition for quarantine purposes is defined in the System → Quarantine → Settings.
• To run an action script if the rule is matched, expand the Advanced actions, then set the script to run on the host
DBMS. You can use all parameters that McAfee Database Security monitors within the script, by using $ as a prefix.
For example, if you want to use the user parameter in a script, enter $user.
For example, revoke dba from $user as part of a script revokes the DBA permissions of the database user who
executed the SQL command.

Note

This option is intended for advanced users only.

4. To enable this rule, select Enable Rule.


5. Click Save.


Configure the action for a DBMS

Configure an action to be taken per DBMS when the conditions of a specific vPatch rule are met.

Alerts are enabled per rule; you can define only how the alert is handled for the selected DBMS.

Note

Actions that are not enabled in the system properties are not available for selection.

Task
1. On the Rules page, click the vPatch Rules tab.
2. In the rules list, click the Properties icon in the required row.

The properties of the selected vPatch rule are displayed.

3. In the DBMSs and Groups area, click Change Actions in the row for the DBMS for which you want to define a specific
action.
The vPatch Rule Action Per DBMS page is displayed.
4. To send an alert, select Send Alert, then select the relevant actions:

• McAfee Database Security Console — Generates an alert on the alert screen, according to the selected alert
priority (LOW, MEDIUM, or HIGH).
• SNMP Trap — Sends an alert as an SNMP trap when the rule is matched.
• To Archive — Sends the alert only to the archive (without displaying it in the console or any other location). This
option is suitable for auditing information that does not require monitoring on a day-to-day basis.
• Syslog — Sends an alert to the Syslog when the rule is matched.
• Windows event log — Sends an alert to the Windows event log when the rule is matched.
• Log to file — Sends the alert to a log file.
• Send alert to email — Sends the alert to the specified email addresses.

5. To terminate a session if the rule is matched, select Terminate user session.

Note

This option should be used sparingly because terminating sessions can disrupt legitimate business transactions. Depending on factors such as the command type and table size, session termination might not stop the SQL command that is already executing. Stronger termination is available for DCL and DDL commands through a before trigger (see DDL triggers).

If you select Terminate user session, the Quarantine user for option is displayed. To quarantine a user, select Quarantine,
then enter the number of minutes the user is prevented from reconnecting. For the purposes of quarantine, user
represents the database user, OS user, host name, IP address and more, or a combination of these parameters. The
user definition for quarantine purposes is defined in the System → Quarantine → Settings area.


6. To run an action script if the rule is matched, set the script to run on the host DBMS. Any parameter that McAfee Database Security monitors can be used in the script by prefixing its name with $; for example, $user expands to the database user who executed the SQL command, so revoke dba from $user in a script revokes that user's DBA role. Because the substituted values originate from the monitored session (application name, OS user, statement text, and so on), treat them as untrusted input and quote or validate them before using them in a command.

Note

This option is intended for advanced users only.

7. (Optional) Configure limitations on the frequency of alerts as follows:

• From the Limit alerts per second drop-down list, select the maximum number of alerts to generate per second.
• From the Limit alerts per session drop-down list, select the maximum number of alerts to generate per session or
select Unlimited.

Note

The session is uniquely identified by the Session ID and Serial fields in Oracle, and by the Serial ID and Logon
time in MSSQL.

• Select Apply action when rule triggers and specify a count and a period; the rule's action is then executed only when the rule triggers the specified number of times within that period.
• Select Automatically resolve to mark the alert as resolved as soon as it is generated.
• To prevent the triggering of alerts by signed scripts, select the Ignore Signed Scripts checkbox.
8. (Optional) To prevent the display of sensitive data in alerts, select Mask Sensitive Data and enter a regular expression in
the Regular Expressions text box using standard regular expression syntax.

Note

For more information about regular expression syntax, see http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html.

9. Click Save.

Update the security level of the vPatch rules

Select the security level you want to apply to virtual patches. This determines which vPatch rules are in effect on your databases.

For example, you can decide whether to receive alerts from low-confidence rules, or alerts about attacks that are relevant only to Oracle 8i even when the target is Oracle 10g. This lets you control the trade-off between security and performance. By default, Security Level (HIGH) is selected; the HIGH level is designed as the optimal combination of high security and high performance.


You can view the current security level at the top right corner of the vPatch Rules page.

Task
1. On the Rules page, click the vPatch Rules tab, then click the Security Level (HIGH) indicator.
2. In Security Level, select the level you want to apply, then click Save.

Tip

When you select a security level, its description is displayed.

Managing custom rules


Create a custom rule

You can create and enable custom rules that determine how statements received by the DBMS are handled. A rule can allow statements that match it (whitelist approach), generate alerts for statements that violate the policy (blacklist approach), or automatically terminate potentially dangerous sessions.

Based on your organization's ongoing monitoring of potential risks, custom rules can be defined to provide protection against
activity that is considered suspicious per your IT policy and to help you protect specific DBMSs according to their functionality.

For example, you might want to monitor access to sensitive tables in an HR DBMS, such as tables with employee compensation
information, or you might want to protect against the usage of specific SQL query tools on production databases. Before trying to
create custom rules, familiarize yourself with the Application Mapping functionality, which can save considerable time in creating
custom rules.

Each rule consists of one or more comparator statements. The relationship between multiple comparator statements is based
on Boolean logic, using AND, OR, or NOT.

You can define exceptions to a rule by creating an Allow rule for the exception case and placing it before the rule in the Rules list.
You can also create an exception in the rule itself.

Create a rule with rule creation wizard

The rule creation wizard breaks down the rule definition process into individual steps, making it easy to create custom rules to
meet the specific needs of your enterprise.

If you are new to rule creation, use the wizard for your first rules.

Task
1. On the Rules page, select the Custom Rules tab.
2. In the Actions drop-down list, click Create New Rule with Wizard.
3. In the Name field, enter a name for the rule.

We recommend that the name selected clearly reflect the nature of the rule, for example, Sensitive HR tables or PCI-DSS
password protection.


4. Click Next to display the Rule Trigger.


5. In the Rule Trigger, do the following:
a. In the If fields, define the first rule comparator statement as follows:

• In the first field, type the first letter of the identifier name, then select the required identifier from the
drop-down list.
• In the second field, select the required operator from the drop-down list.
• In the third field, enter the literal component to be matched. If the literal component is a string, the text must
be enclosed in single quotation marks.

Note

Alternatively, you can enter the comparator statement directly into the text box under the If fields, entering a
space to access the respective drop-down lists.

b. Click Add.
If the rule includes more than one comparator statement, enter the relevant Boolean operator (AND, OR, or NOT)
in the fourth field, then define the next comparator statement. Repeat for additional comparator statements as
required.

Note

If there is a problem with the rule syntax, validation fails and a message is displayed. For example, if you fail to
enclose a text string in single quotation marks, a message is displayed regarding an unexpected token.

c. (Optional) To turn off the auto-completion feature, select Disable auto completer.

Note

You can define rule objects, which can then be used as components in other rules. For example, a rule object
might be used in the definition of a rule intended to allow a specific range of IP addresses.

d. To create an exception to this rule, click Add Exception. Then, in the Exception(s) text box, enter a comparator
statement that defines the conditions which when matched are treated as an exception to this rule. Repeat to define
additional exceptions as required.
6. Click Next to display the Rule Action.
7. In the Rule Action, select the required actions that the rule should trigger.


Caution

The Terminate option should be used sparingly because terminating sessions can disrupt legitimate business
transactions. Use the terminate option only in the following conditions:

• You are certain that the rule will not create false positives. We recommend running the rule in alert-only mode first to make sure that legitimate traffic is not affected.
• The risk involved with the rule condition is high.
• Terminating a session causes only minimal disruption to other transactions.

Note

Quarantine is done based on the quarantine settings in the System tab. Make sure that you edit the quarantine settings
before you enable quarantine on any of your rules.

8. To allow the statement to be processed if the rule is matched, select Allow. This enables you to create an exception to a rule
that appears later in the policy.
9. To stop the matching process if a rule is matched, select Stop Verifying Additional Rules. This is the default setting when
the Rule Action is set to Allow. If this option is not selected, the matching process continues.
10. (Optional) Expand the advanced actions to configure the script and other alert parameters.
11. To select the DBMSs where the rule is applied:
a. In the Install On, click DBMSs & Groups.
b. In Install on DBMSs and DBMS Groups, select one or more relevant DBMSs or DBMS groups, then click Save to return to the rule definition.

The selected DBMSs and DBMS groups are listed in the DBMSs & Groups fields respectively.

12. To assign a tag to the rule, enter the tag name in the Tags field or enter a space in the field to select the tag from the
drop-down list.
13. (Optional) By default, all users can edit the properties of a custom rule. To limit the ability to edit the properties of this
rule to specific users or users assigned a specific role, enter the user names or role names in the Grant edit permission to
role/s field.
14. Click Next.
15. In the Comments field, enter a free text description or comment, then click Next.
16. To enable the rule, select Enable Rule.

Note

You can enable or disable the rule at any time by selecting or deselecting the Enable Rule checkbox.

17. Click Finish to validate and save the rule.

Create a custom rule in new rule page

Create a custom rule defining all rule properties in a single window.


Note

If you are new to rule creation, use the wizard for your first rules.

Task
1. On the Rules page, select the Custom Rules tab, then click Create New Rule.
2. In the Name field, enter a name for the rule. It is recommended that the name selected clearly reflect the nature of the rule,
for example, Sensitive HR tables or PCI-DSS password protection.
3. In the If fields, define the first rule comparator statement as follows:
a. In the first field, type the first letter of the identifier name, then select the required identifier from the drop-down list.
b. In the second field, select the required operator from the drop-down list.
c. In the third field, enter the literal component to be matched. If the literal component is a string, the text must be
enclosed in single quotation marks.

Note

Alternatively, you can enter the comparator statement directly into the text box under the If fields, entering a
space to access the respective drop-down lists.

4. Click Add.
If the rule includes more than one comparator statement, enter the relevant Boolean operator (AND, OR, or NOT) in the
fourth field, then define the next comparator statement. Repeat for additional comparator statements as required.

Note

If there is a problem with the rule syntax, validation fails and a message is displayed. For example, if you fail to enclose a
text string in single quotation marks, a message is displayed regarding an unexpected token.

5. (Optional) To turn off the auto-completion feature, select Disable auto completer.

Note

You can define rule objects, which can then be used as components in other rules. For example, a rule object might be
used in the definition of a rule intended to allow a specific range of IP addresses.

6. To create an exception to this rule, click Add Exception. Then, in the Exception(s) text box, enter a comparator statement
that defines the conditions which when matched are treated as an exception to this rule. Repeat to define additional
exceptions as required.
7. In the Then area, select the required actions that the rule should trigger.


Caution

The Terminate option should be used sparingly because terminating sessions can disrupt legitimate business
transactions. Use the terminate option only in the following conditions:

• You are certain that the rule will not create false positives (we recommend running the rule in alert-only mode first to make sure that legitimate traffic is not affected).
• The risk involved with the rule condition is high.
• Terminating a session causes only minimal disruption to other transactions.

Note

Quarantine is done based on the quarantine settings in the System tab. Make sure that you edit the quarantine settings
before you enable quarantine on any of your rules.

8. To allow the statement to be processed if the rule is matched, select Allow. This enables you to create an exception to a rule
that appears later in the policy.
9. To stop the matching process if a rule is matched, select Stop Verifying Additional Rules. This is the default setting when
the rule is set to Allow. If this option is not selected, the matching process continues.
10. To select the DBMSs where the rule is applied:
a. In the Install On, click DBMSs & Groups.
b. In Install on DBMSs and DBMS Groups, select one or more relevant DBMSs or DBMS groups, then click Save to return to the rule definition.

The selected DBMSs and DBMS groups are listed in the DBMSs & Groups fields respectively.

11. To assign a tag to the rule, enter the tag name in the Tags field or enter a space in the field to select the tag from the
drop-down list.
12. (Optional) By default, all users can edit the properties of a custom rule. To limit the ability to edit the properties of this
rule to specific users or users assigned a specific role, enter the user names or role names in the Grant edit permission to
role/s field.
13. In the Comments field, enter a free text description or comment.
14. To enable the rule, select Enable Rule.

Note

You can enable or disable the rule at any time by selecting or deselecting the Enable Rule checkbox.

15. To prevent the triggering of alerts by signed scripts, select the Ignore Signed Scripts checkbox.
16. Click Save to save the rule.

Clone a rule

Create a rule by cloning an existing rule. This eliminates the need to define all rule properties from scratch while creating rules
that share many common properties.


Task
1. On the Rules page, select the Custom Rules tab.

2. In the Custom Rules list, click the Clone icon in the row for the rule you want to clone.
3. When prompted, click OK.
The cloned rule is added to the Custom Rules list in a disabled state.
4. Change the rule name and adjust specific rule properties as required.

Change the order of custom rules

The order of the rules in the Custom Rules list is important. The first rule that is matched is the rule that is applied to the
statement. If a statement does not match any of the existing rules, the statement is allowed.

The McAfee Database Security system enables you to create a policy according to your preferences and security requirements in
various ways.

Fundamentally, there are two approaches to define a policy:

• Whitelist approach — Resembles the approach of firewalls, whereby you determine the allowed actions first and then
alert on all other actions (assuming that all other actions are suspect).
• Blacklist approach — Resembles the approach of IDS/IPS systems, whereby everything is allowed except actions that are
considered suspect.

McAfee Database Security users normally create a policy that integrates elements of both approaches, for example, using a
Blacklist approach for all known attacks, while using a Whitelist approach for the use of development SQL tools.

Note

Incoming statements are checked against the vPatch Rules list before they are checked against the Custom Rules list.

Task
1. On the Rules page, select the Custom Rules tab.

2. Select the rule in the Custom Rules list and then drag the position indicator on the slider to a new location as required.
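The evaluation order described above, as an added example that is not part of the product guide or of the product itself: a small Python evaluator that walks a rules list top to bottom with the first-match, Allow/Stop Verifying Additional Rules and default-allow behaviour described in this section, applied to rules modelled on Examples 1, 2 and 4 of the Rule examples section below. The rule names, the when predicates (plain Python functions standing in for compiled rule conditions) and the two sample sessions are constructed for the example. The same rules are listed in two orders to show that an Allow exception placed below the rule it is meant to bypass no longer protects the session.

```python
"""Ordered evaluation of a Custom Rules list (added example, not the product's engine).
Plain predicates stand in for compiled rule conditions; the point is the ordering."""


def evaluate_policy(rules, ctx):
    """Walk the rules top to bottom. A matching Allow rule stops further checking by
    default (Stop Verifying Additional Rules); any other match is recorded and checking
    continues unless the rule sets stop=True. A statement matching no rule is allowed."""
    fired = []
    for rule in rules:
        if rule["when"](ctx):
            fired.append((rule["name"], rule["action"]))
            if rule.get("stop", rule["action"] == "allow"):
                break
    return fired or [("(no match)", "allow")]


# Constructed rules modelled on Examples 1, 2 and 4 of the Rule examples section;
# the names and the "when" predicates are ours.
ALLOW_JOHN = {"name": "allow-john-sqlplus", "action": "allow",
              "when": lambda c: c["osuser"].lower() == r"mycompany\john"
              and "sqlplus" in c["application"].lower()
              and c["host"] == "johnlaptop.localdomain" and c["ip"] == "192.168.1.7"}
BLOCK_TOOLS = {"name": "block-sql-tools", "action": "terminate",
               "when": lambda c: any(t in c["application"].lower() for t in ("sqlplus", "toad"))}
SENSITIVE = {"name": "sensitive-objects", "action": "alert-high",
             "when": lambda c: c.get("object", "").lower() in ("emps.salary", "emps.cc")}

WHITELIST_FIRST = [ALLOW_JOHN, BLOCK_TOOLS, SENSITIVE]  # exception placed before the rule it bypasses
BLACKLIST_FIRST = [BLOCK_TOOLS, ALLOW_JOHN, SENSITIVE]  # same rules; the exception now comes too late

# Constructed sample sessions (monitored identifier -> value).
JOHN = {"osuser": "MYCOMPANY\\john", "application": "sqlplus.exe",
        "host": "johnlaptop.localdomain", "ip": "192.168.1.7", "object": "hr.emps"}
EVE = {"osuser": "mycompany\\eve", "application": "Toad.exe",
       "host": "eve-pc", "ip": "10.0.0.5", "object": "emps.salary"}

if __name__ == "__main__":
    print(evaluate_policy(WHITELIST_FIRST, JOHN))  # only John's Allow rule fires
    print(evaluate_policy(BLACKLIST_FIRST, JOHN))  # John is terminated before his exception is reached
```

With the Allow rule first, John's SQL*Plus session matches it and checking stops. With the blocking rule first, the same session is terminated and the Allow rule is only reached afterwards, which is why the text recommends placing exceptions before the rules they except. Eve's Toad session is terminated and, because a terminate rule does not stop checking by default, also raises the sensitive-object alert.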

Edit a custom rule

Edit custom rule properties as you need.

Task
1. On the Rules page, select the Custom Rules tab.
2. In the Custom Rules list, click the Edit Rule icon in the required row.
3. In the rule properties, edit the rule comparator statements, actions, and other parameters, as required.
4. Click Save.


Remove a custom rule

Remove a rule that you no longer use from the Custom Rules list.

Note

You cannot remove a rule from the vPatch Rules list.

Tip

Only remove a rule if you are sure that you will not need it in the future. If you might need it again, you can temporarily
disable it.

Task
1. On the Rules page, select the Custom Rules tab.
2. In the Custom Rules list, click the Remove icon in the required row.
3. When prompted for confirmation, click OK.

Results

The rule is removed from the list.

Install or remove rules


Install all or multiple rules on DBMSs and DBMS groups

You can install all or a filtered group of vPatch or custom rules on specific DBMSs or DBMS groups.

By default, vPatch rules are automatically installed on all DBMSs during the installation process.

Task
1. On the Rules page, click the vPatch Rules or Custom Rules tab.
2. Filter the vPatch Rules or Custom Rules list to display all rules or only the rules that you want to install on the DBMSs.
3. In the Actions drop-down list, click Install Rules on DBMSs.
4. In Install on DBMSs and DBMS Groups, select the DBMSs or DBMS groups to which you want to attach the rule or select All
DBMSs to install the rules on all DBMSs.

Note

To remove a DBMS selection, deselect the corresponding checkbox.

5. Click Done.


Results

All rules currently displayed in the vPatch Rules or Custom Rules list are attached to the selected DBMSs.

Note

Rules excluded by the current filter are not attached to the selected DBMSs.

Install a rule on DBMSs and DBMS groups

You can manually install or remove vPatch rules or custom rules on all or specific DBMSs or DBMS groups. By default, vPatch
rules are automatically installed on all DBMSs during the installation process.

Task
1. On the Rules page, click the vPatch Rules or Custom Rules tab.
2. Click the Properties icon in the required row.
3. In the rules properties page, click DBMSs and Groups.
4. In Install on DBMSs and DBMS Groups, select the DBMSs or DBMS groups to which you want to attach the rule or select All
DBMSs to install the rules on all DBMSs.

Note

To remove a DBMS selection, deselect the corresponding checkbox.

5. Click Save.

Results

The rule is attached to the selected DBMS.

Remove rules from DBMSs and DBMS groups

You can remove all or a filtered group of vPatch rules or custom rules from specific DBMSs or DBMS groups.

By default, vPatch rules are automatically installed on all DBMSs during the installation process.

Task
1. On the Rules page, click the vPatch Rules or Custom Rules tab.
2. Filter the vPatch Rules or Custom Rules list to display all rules or only the rules that you want to remove from the DBMSs
or DBMS groups.
3. In the Remove DBMSs and DBMS Groups, select the DBMSs or DBMS groups from which you want to remove the rules.


Note

Select All DBMSs to remove the rules from all DBMSs.

4. Click Done.

Results

All rules currently displayed by the filter are removed from the selected DBMSs or DBMS groups.

Apply actions on all rules


Add rule actions to the complete vPatch Rules or Custom Rules list.

Task
1. On the Rules page, click the vPatch Rules or Custom Rules tab.
2. In the Actions drop-down list, select Apply actions.
3. In the Rule Actions dialog box, select required actions and click Apply.

Results

The selected rule actions are applied to all the rules in vPatch Rules or Custom Rules list.

Import and export rule settings


Import rule settings

Import vPatch and custom rule settings, including exceptions.

Task
1. On the Rules tab, click the vPatch Rules or Custom Rules tab.
2. In the Actions drop-down list, click Import Rule.
3. Select the file you want to import, then click Import.

Results

The rules are imported.

After importing the rules, you need to:

• Install the imported rules on the relevant DBMSs.


• Enable the rules.

Note

If identical rule objects exist in the system, the Duplicate Rule Object dialog box is displayed. Select the checkboxes for the
rules that you want to overwrite, then click Continue. The selected rules are overwritten.


Export rule settings

Export vPatch and custom rule settings, including exceptions.

Task
1. On the Rules tab, click the vPatch Rules or Custom Rules tab.
2. In the Actions drop-down list, click Export Rule.
3. In the File Download dialog box, click Save, then select the location where you want to save the file.
4. Click Save again.

Results

The file is saved in the specified location.

Note

The location where the file is saved depends on your browser's default download settings.

Rule syntax
Each rule consists of one or more comparator statements, which comprise Identifiers, Operators, and Literals.

The relationship between multiple comparator statements is based on Boolean logic, using AND, OR, or NOT. Comparator
statements can be grouped using parentheses.

If parentheses are not used, the order of precedence, from highest to lowest, is:

• NOT
• AND
• OR

Identifiers

In rule syntax, identifiers name the attributes of a monitored statement or session that a rule can test, such as the database user, the client IP address, the accessed object, or the statement text.

There are three basic types of identifiers.

Identifier Type    Description

String-based       Types that are matched against strings.

Number-based       Types that can be translated into a number representation. Numbers can be in a
                   specific range, and number-based types can be restricted to a fixed set of
                   constants.

Enumerated         Types that represent a fixed set of constants that cannot be translated into a
                   number representation.

McAfee Database Security supports the following identifiers.

Identifier         Type     Description

action             string   The application action.
application        string   The application used to connect to the DBMS.
client_appl_name   string   The Sybase client application name (Sybase only).
client_host_name   string   The Sybase client host name (Sybase only).
client_name        string   The Sybase client name (Sybase only).
clientid           string   The client identifier set by the application accessing the DBMS (Oracle only).
cmdtype            string   The action the statement is trying to perform.
context_info       string   Microsoft SQL Server context information (Microsoft SQL Server only).
date               number   The date the statement is executed, in the form MM/DD/YY (US date format), for
                            example 1/25/07.
day                number   The day of the month when the statement is executed: an integer in the range 1–31.
db_container       string   The database container. Provides database context information when the Pluggable
                            Database functionality is used (Oracle 12c only).
error code         number   The error code returned by the DBMS (for example, when the user tries to access a
                            table that does not exist).
exec_user          string   If a user logs in to an application and then switches to another user, exec_user
                            is the new user.
host               string   The domain name of the connecting application.
hour               number   The hour in which the statement is executed, in the form HH[:MM] where HH is in the
                            range 0–23 and MM in the range 0–59. The minutes are optional.
inflow             string   The inflow PL/SQL object that originated the currently executing statement. Same
                            format as object.
inflowsql          string   The SQL statement part that originated the currently executing command.
instance           string   The instance where the execution takes place. In Oracle, this is the SID of the
                            database instance; in Sybase, the instance name; in MS SQL, the full instance
                            name including the host (for example, MYHOST\SQLSERVER).
ip                 number   The IP address the statement is executed from, in the form XXX.XXX.XXX.XXX (single
                            IP address) or XXX.XXX.XXX.XXX/YYY.YYY.YYY.YYY (IP address with subnet mask). Each
                            IP address is validated by McAfee Database Security to prevent errors.
module             string   The module set by the application.
month              number   The month in which the statement is executed: JANUARY, FEBRUARY, MARCH, APRIL,
                            MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER. The short form
                            of the month name is also supported, for example JAN.
nethost            string   The host name observed on the network (this might differ from the host name
                            reported by the application). Applicable only when network monitoring is
                            enabled.
netip              number   The IP address observed on the network (this might differ from the IP address
                            reported by the application). Applicable only when network monitoring is
                            enabled.
object             string   The DBMS object being accessed, such as a table, trigger, or stored procedure.
                            Supports the form [owner.]objectname. In Oracle, the format is
                            owner.objectname; in MS SQL and Sybase it is database.owner.objectname.
osuser             string   The operating system user.
schema             string   The schema of the DBMS.
session_state      string   The session event the statement represents:
                            • session_state=NEW_SESSION for session logons
                            • session_state=END_SESSION for logoffs
                            • session_state=NEW_LOGIN and session_state=END_LOGIN for a change of user during
                              transaction execution (Microsoft SQL Server only)
                            • session_state=CHANGE_SCHEMA for a change of schema during the session
                            • session_state=EXECUTE for all other statements
statement          string   The raw statement sent to the server.
terminal           string   The computer where the user is logged on.
user               string   The DBMS user that is accessing the DBMS.
version_mssql      number   The Microsoft SQL Server version, for example version_mssql = 9.0.4053 for the
                            relevant build of MS SQL 2005 (rarely used).
version_oracle     number   The full five-digit Oracle version, for example 10.1.0.3.0 (rarely used).
version_sybase     number   The particular Sybase version, for example version_sybase = 12.5 or later
                            (rarely used).
weekday            value    The day of the week when the statement is executed: SUNDAY, MONDAY, TUESDAY,
                            WEDNESDAY, THURSDAY, FRIDAY, SATURDAY. The short form is also supported, for
                            example TUE.

Note

All rules are case insensitive. An identifier can be specified in lowercase letters, uppercase letters, or a combination of both.
For example, user, User, USER, uSEr are all legal for the user identifier. In addition, constant values are case insensitive so
SUNDAY and SunDAy are equivalent.

Operators

An operator acts on one or more data items, called operands or arguments, and returns a result. Operators are written as special characters or as keywords.


Operator          Description

=                 Equals (all types).
<                 Less than (number types only).
>                 Greater than (number types only).
<=                Less than or equal to (number types only).
>=                Greater than or equal to (number types only).
<>                Not equal to (all types).
(not)? like       Compare to a string pattern in which the % character stands for any string (string types
                  only).
(not)? between    Check whether an identifier is between two values (number types only).
(not)? in         Check whether an identifier is in a list of values (all types).
(not)? matches    Perform a regular expression match (string types only).
(not)? contains   Perform a simple and fast substring match (string types only).
length            When placed before an identifier, applies the condition to the field's length. For example:
                  • length statement > 1024 catches statements longer than 1024 bytes.
                  • length user < 10 catches SQL statements where the DB user name is shorter than 10
                    characters.


Rule examples

These examples illustrate the rule syntax.

Example 1
OSUSER = 'mycompany\john' AND APPLICATION CONTAINS 'sqlplus' AND HOST = 'johnlaptop.localdomain' AND IP = 192.168.1.7

Action: Allow

This rule allows john to use SQL*Plus from his station (identified by host name and IP address), thereby bypassing many of the rules that come later (such as one preventing SQL*Plus from being used). Because osuser, application, and host are values reported by the client, an Allow rule keyed on them is only as trustworthy as that client; keep such exceptions as narrow as possible and place them above the rules they bypass.

Example 2
APPLICATION CONTAINS 'sqlplus' OR APPLICATION CONTAINS 'toad'

Action: Log-high, e-mail-high, terminate

This rule terminates any access by the applications Toad or SQL*Plus. It also sends a high-severity alert and email message to the
McAfee Database Security administrator.

Example 3
STATEMENT CONTAINS 'emps'

Action: log-medium

This example assumes that the emps.* columns include sensitive data that require protection, and that emps.salary and emps.cc
are particularly sensitive.

This rule provides an alert every time an SQL statement includes the string emps, alerting on any access attempt to columns
containing the name emps (or any other SQL statement component that includes the string emps). Even when the user is not
actually accessing the objects (for example, the DBMS prohibits access based on authorization rules), this rule generates alerts
(in contrast to using object, see example 4 below).

Example 4
OBJECT = 'emps.salary' OR OBJECT = 'emps.cc'

Action: log-high, email-high

This example assumes that the objects emps.salary and emps.cc are particularly sensitive.

This rule provides a high-level alert and an email each time the specified objects are accessed. An alert appears whether the
object is accessed in a view, a stored procedure, a trigger, or another database. In this case, if the DBMS successfully restricts the
user from accessing the objects, an alert is not generated because the object is not accessed.


Example 5
Statement contains 'drop session'      Alert low
Statement contains 'alter DBMS'        Alert low
Statement contains 'drop table'        Alert low
Statement contains 'grant'             Alert low
Statement contains 'grant dba'         Alert medium
Statement contains 'grant sysdba'      Alert medium
Statement contains 'noaudit' and osuser <> 'mycompany\johnd'

Action: Alert-high, email-high

In this example, alerts are raised when various DDL and DCL commands are executed, and a high-importance email is sent to the administrator when someone other than the DBA attempts to stop auditing.
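The grammar above, as an added example that is neither McAfee code nor the product's rule engine: a small Python tokenizer and recursive-descent parser for the comparator syntax described under Rule syntax, implementing the operator table (=, <>, <, >, <=, >=, [not] like, [not] matches, [not] contains, [not] in, and the length prefix), the NOT > AND > OR precedence with parentheses, and the case-insensitivity of identifiers and constants; between is left out for brev­ity. compile_rule turns rule text such as Examples 1 to 5 into a predicate that runs against a dictionary of monitored identifier values (the values are supplied by the caller and constructed for testing), and rule text that fails to quote a string (user = john) is rejected with the same kind of unexpected-token error the console reports.

```python
"""Toy evaluator for the rule syntax above (added example, not the product's engine):
comparator statements, NOT > AND > OR precedence, parentheses, case-insensitive values."""
import operator
import re

_TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|(\d+(?:\.\d+)*)"   # 'string' | number, IP, version
                    r"|(<=|>=|<>|[=<>(),])|([A-Za-z_]\w*))")      # operator | identifier, keyword
_COMPARE = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
            ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def _norm(v):  # identifiers and constants are case-insensitive
    return v.lower() if isinstance(v, str) else v


def tokenize(text):
    """Return (kind, value) tokens: 'lit' (string/number/IP), 'op', or lowercased 'word'."""
    tokens, text, pos = [], text.strip(), 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected token near {text[pos:pos + 20]!r}")
        pos, (string, number, op, word) = m.end(), m.groups()
        if string is not None:
            tokens.append(("lit", string[1:-1].replace("''", "'")))
        elif number is not None:
            tokens.append(("lit", int(number) if number.isdigit() else number))
        else:
            tokens.append(("op", op) if op is not None else ("word", word.lower()))
    return tokens


def compile_rule(text):
    """Compile rule text into a predicate over a {identifier: monitored value} dict."""
    toks, pos = tokenize(text), [0]

    def peek(kind, value=None):
        return pos[0] < len(toks) and toks[pos[0]][0] == kind and value in (None, toks[pos[0]][1])

    def take(kind, value=None):
        if not peek(kind, value):
            raise ValueError(f"expected {value or kind} at token {pos[0]}")
        pos[0] += 1
        return toks[pos[0] - 1][1]

    def chain(word, sub, combine):  # left-associative run of one Boolean keyword
        node = sub()
        while peek("word", word):
            take("word")
            node = (lambda l, r: lambda c: combine(l(c), r(c)))(node, sub())
        return node

    parse_or = lambda: chain("or", parse_and, lambda a, b: a or b)    # lowest precedence
    parse_and = lambda: chain("and", parse_not, lambda a, b: a and b)

    def parse_not():  # highest precedence; parentheses override it
        if peek("word", "not"):
            take("word")
            return (lambda inner: lambda c: not inner(c))(parse_not())
        if peek("op", "("):
            take("op")
            inner, _ = parse_or(), take("op", ")")
            return inner
        return comparison()

    def comparison():  # [length] identifier [not] operator literal(s)
        use_len = peek("word", "length") and take("word")
        ident = take("word")
        field = lambda c: len(str(c.get(ident, ""))) if use_len else _norm(c.get(ident, ""))
        negate = peek("word", "not") and take("word")
        if peek("op") and toks[pos[0]][1] in _COMPARE:
            cmp, rhs = _COMPARE[take("op")], _norm(take("lit"))
            test = lambda c: cmp(field(c), rhs)
        else:
            kw = take("word")
            if kw == "in":  # in ('a', 'b', ...)
                take("op", "(")
                values = {_norm(take("lit"))}
                while peek("op", ",") and take("op"):
                    values.add(_norm(take("lit")))
                take("op", ")")
                test = lambda c: field(c) in values
            elif kw == "like":  # % stands for any run of characters
                pat = re.compile(".*".join(map(re.escape, _norm(take("lit")).split("%"))) + r"\Z", re.S)
                test = lambda c: pat.match(str(field(c))) is not None
            elif kw == "matches":  # regular expression
                pat = re.compile(take("lit"), re.I)
                test = lambda c: pat.search(str(field(c))) is not None
            elif kw == "contains":  # plain substring
                needle = _norm(take("lit"))
                test = lambda c: needle in str(field(c))
            else:
                raise ValueError(f"unknown operator {kw!r}")
        return (lambda c: not test(c)) if negate else test

    node = parse_or()
    if pos[0] != len(toks):
        raise ValueError("unexpected trailing tokens")
    return node
```

The Example 1 rule compiles to a predicate that is true for a session with osuser MYCOMPANY\john, application sqlplus.exe, host johnlaptop.localdomain and IP 192.168.1.7, and false as soon as any one of those differs; running a new rule against a handful of constructed sessions like this, before enabling it, is the same alert-only check the Terminate caution above asks for. Precedence is the usual trap: NOT user = 'a' AND user = 'b' OR user = 'c' parses as ((NOT user = 'a') AND user = 'b') OR user = 'c', so a rule meant to exclude all three needs parentheses.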

Managing rule objects


Define rule objects, which can then be used as components in other rules.

This can be particularly helpful when working with Allow rules. For example, a rule object might be used in the definition of a
rule intended to allow a specific range of IP addresses.

Rule objects are managed on the Rule Objects tab of the Rules page.

McAfee Database Security is provided with several predefined rule objects. These predefined objects are used in the predefined
rules and are listed on the Rule Objects tab.

Create a rule object

Define a rule object that holds either a static list of values or an LDAP (Active Directory) group, then use that object as a component in multiple rules.

Task
1. On the Rules page, select the Rule Objects tab, then click New Object.
2. From the Type list, select the type of identifier for the rule object.
3. In the Name field, enter a name for the rule object.
4. In the Value field, enter the object value (according to the selected type).
5. In the Comment field, enter a brief comment or description.
6. If you want to define a dynamic object and enable the use of LDAP security groups for this rule object in creating rules,
select Dynamic Object.


Note

The use of dynamic objects is possible only if LDAP is enabled.

7. If you want to upload a list of values from an existing file, browse the file and click Upload to upload the list.

Note

Only the .csv file format is supported for upload.

8. Click Save.

Results

The rule object is automatically added to the list of available values according to identifier type and can be used in rule
definitions.

View or edit rule object properties

View and edit the properties of an existing rule object.

Task
1. On the Rules page, select the Rule Objects tab.
2. Click the Properties icon in the required row.
3. In the Properties of rule object dialog box, edit the rule object properties, then click Save.

Delete a rule object

Delete a rule object, after making sure that it is not included in the definition of existing enabled rules.

Task
1. On the Rules page, select the Rule Objects tab.
2. Click the Remove icon in the required row.
3. When prompted for confirmation, click OK.

Results

The rule object is removed from the Rule Objects list. Any existing rules that incorporate the rule object are automatically
invalidated.

DVM-based rule objects

DVM rule objects are based on specific findings that include result sets. Once defined, the rule object is updated each time the
test is executed.

There are several types of DVM-based rule objects:

• Specific DVM rule object — A rule object that is specific to one test on one database instance.


• Global DVM rule object (distributed) — A rule object that contains values for all database instances where the test is
executed. The values for each database instance are populated by the result of the check on that instance when it was last
executed. With this type, you create a single rule object definition and a single custom rule that refers to it, and then
apply the rule to multiple databases.
• Global DVM rule object (Master Repository) — A rule object defined from a single result set that contains values for
different database instances. It retrieves the values for each database instance from a Master Repository (table) and
behaves like the Global DVM rule object (distributed) type. The values for a specific instance are populated from the
Master Repository query (DVM check) when it was last executed, based on the filtering expression and criteria.

Add a specific DVM rule object

You can add a rule object to a specific test on a specific database instance.

Task
1. In the VA Results, select the result to which you want to add the rule object.

2. Click the Create Rule Object from Result icon.


3. In the Create Rule Object from Result, select the Rule Object Type and the object value fields to include in the rule object.
4. (Optional) The Expression field can be used to augment the value format or structure when needed.
5. Click Create.
6. In the Properties of rule object, select the appropriate rule object type based on the values, then enter a name for the rule
object.

Note

To recalculate the object values, click the Recalculate link.

7. In the Empty List Behavior, you can define whether to ignore rules that rely on the rule object when there are no values or
set a static value.
8. Click Save.

Add a global DVM rule object (distributed)

Add a rule object that contains values for all database instances where a test is run.

Task
1. In the VA Results, select the result to which you want to add the rule object.

2. Click the Create Rule Object from Results icon.


3. In the Create Rule Object from Result, select the Rule Object Type and the object value fields to include in the rule object.
4. (Optional) The Expression field can be used to augment the value format and structure when needed.
5. Select the Global DVM Rule Object (Advanced) checkbox.
6. Select Based on DVM results per instance as the rule object type (distributed).


7. Click Create.
8. In the Properties of rule object, select the appropriate rule object type based on the values, then enter a name for the rule
object.

Note

To recalculate the object values, click the Recalculate link.

9. (Optional) To view the values for a specific instance, enter the instance name in the Show values field (auto-complete is
available for instance names), then click Show to view the list of values linked to that instance.
10. In the Empty List Behavior, define whether to ignore rules that rely on the rule object when there are no values, or
set a static value.
11. Click Save.

Add a global DVM rule object (Master repository)

Add a rule object from a single result set that contains values for different database instances.

Task
1. In the VA Results, select the result to which you want to add the rule object.

2. Click the Create Rule Object from Results icon.


3. In the Create Rule Object from Result, select the Rule Object Type, and the object value fields to include in the rule object.
4. (Optional) The Expression field can be used to augment the value format/structure if needed.
5. Select the Global DVM Rule Object (Advanced) checkbox.
6. Select Based on DVM results from global table as the rule object type (Master Repository).
7. In the Filtering Expression, enter the column name (wrapped in $ signs) to use as the filtering value. This value
determines which values are sent to each database instance.
8. In the Filtering Criteria, enter the criteria for evaluating the filtering expression.
9. Click Create.
10. In the Properties of rule object, select the appropriate rule object type based on the values, then enter a name for the rule
object.

Note

To recalculate the object values, click the Recalculate link.

11. (Optional) To view the values for a specific instance, enter the instance name in the Show values field (auto-complete is
available for instance names), then click Show to view the list of values linked to that instance.
12. In the Empty List Behavior, you can define whether to ignore rules that rely on the rule object when there are no values or
set a static value.
13. Click Save.
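The following added Python example (not the product's code) makes the three DVM-based rule object types and the Empty List Behavior setting from the tasks above concrete. The result rows, instance names, and the reading of the Filtering Expression as a $-wrapped column whose value is compared with the instance name are assumptions.

```python
"""Added illustration of how DVM-based rule object values are derived (not the
product's implementation). Result rows and instance names are constructed; the
Filtering Expression is assumed to name a column, wrapped in $ signs, whose value
is compared with the target instance name (the Filtering Criteria)."""
from typing import Dict, List, Optional, Union

ResultRow = Dict[str, str]   # one row of a DVM check result, column -> value
ResultSet = List[ResultRow]


def specific_rule_object(results: ResultSet, value_column: str) -> List[str]:
    """Specific DVM rule object: the distinct values of one column from one test
    run on one database instance (recomputed each time the test executes)."""
    return sorted({row[value_column] for row in results if row.get(value_column)})


def distributed_rule_object(per_instance: Dict[str, ResultSet],
                            value_column: str) -> Dict[str, List[str]]:
    """Global DVM rule object (distributed): each instance where the check ran
    gets its own value list, taken from the check's last result on that instance."""
    return {inst: specific_rule_object(rows, value_column)
            for inst, rows in per_instance.items()}


def master_repository_rule_object(master_rows: ResultSet, value_column: str,
                                  filtering_expression: str,
                                  instances: List[str]) -> Dict[str, List[str]]:
    """Global DVM rule object (Master Repository): one result set holds rows for
    many instances; the $-wrapped column named by the Filtering Expression decides
    which rows belong to which instance (assumed equality criterion)."""
    expr = filtering_expression.strip()
    if len(expr) < 3 or not (expr.startswith("$") and expr.endswith("$")):
        raise ValueError("Filtering Expression must be a column name wrapped in $ signs")
    column = expr[1:-1]
    return {inst: specific_rule_object([r for r in master_rows if r.get(column) == inst],
                                       value_column)
            for inst in instances}


def resolve_values(values: List[str],
                   empty_list_behavior: Union[str, List[str]]) -> Optional[List[str]]:
    """Empty List Behavior: when the check returned nothing for an instance, either
    ignore the rules that rely on the object (None) or substitute a static value list."""
    if values:
        return values
    if empty_list_behavior == "ignore":
        return None
    return list(empty_list_behavior)


# Constructed output of a check listing accounts that hold the DBA role, per instance.
PER_INSTANCE: Dict[str, ResultSet] = {
    "ORCL-PROD": [{"GRANTEE": "SYS"}, {"GRANTEE": "SYSTEM"}, {"GRANTEE": "APPADMIN"}],
    "ORCL-TEST": [{"GRANTEE": "SYS"}, {"GRANTEE": "DEV1"}, {"GRANTEE": "DEV1"}],
    "ORCL-DR":   [],   # the check ran but returned no rows
}

# The same constructed findings held in a Master Repository table with an INSTANCE column.
MASTER_ROWS: ResultSet = [
    {"INSTANCE": "ORCL-PROD", "GRANTEE": "SYS"},
    {"INSTANCE": "ORCL-PROD", "GRANTEE": "SYSTEM"},
    {"INSTANCE": "ORCL-PROD", "GRANTEE": "APPADMIN"},
    {"INSTANCE": "ORCL-TEST", "GRANTEE": "SYS"},
    {"INSTANCE": "ORCL-TEST", "GRANTEE": "DEV1"},
]

if __name__ == "__main__":
    distributed = distributed_rule_object(PER_INSTANCE, "GRANTEE")
    master = master_repository_rule_object(MASTER_ROWS, "GRANTEE", "$INSTANCE$",
                                           list(PER_INSTANCE))
    for inst in PER_INSTANCE:
        dependent = resolve_values(master[inst], "ignore")
        print(inst, distributed[inst], master[inst],
              "dependent rule:", "ignored" if dependent is None else dependent)
```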


Script configuration
Configure a signed script

A signed script enables you to run the script on one or more databases without triggering alerts. Create signed scripts for specific
time frames or specific databases.

This functionality is intended for advanced users only.

Note

If the signed script does trigger an alert, the script appears in the Print View of the alert details.

Task
1. On the Rules page, select the Signed Scripts tab, then select Create New Script.
2. In the Name field, enter the script name.
3. In the Comment field, enter a brief description.
4. From the Type drop-down list, select the type of script (MSSQL or Oracle).
5. Click Choose File to browse and upload the script file.
6. In the From Date and To Date fields, set the time period for the validity of the signed script.
7. Click DBMSs & Groups to select the DBMSs to run the script on.
8. Select one or more relevant DBMSs or DBMS groups, then click Select.
The selected DBMSs and DBMS groups are listed in the Script Configuration.
9. To enable the script, select the Enabled checkbox.
10. Click Save.

Results

The signed script appears in the Signed Scripts list.

View or edit a signed script

Edit the name, type, or date settings of a signed script configuration. You cannot modify the script itself in any way.

Task
1. On the Rules page, select the Signed Scripts tab.
2. In the Signed script list, click the Properties icon in the required row.
3. (Optional) In the Script Configuration, edit the name of the script.
4. (Optional) In the Script Configuration, change the type of script, MS SQL or Oracle according to the database.
5. (Optional) In the Script Configuration, set the time period for the validity of the signed script in the From Date and To Date
fields.
6. (Optional) To disable the script, deselect the Enabled checkbox.
7. Click Save.


Delete a signed script

Delete a signed script that is no longer required to run on databases.

Task
1. On the Rules page, select the Signed Scripts tab.
2. In the Signed Scripts list, click the Delete icon in the required row.
3. When prompted for confirmation, click OK.

Results

The signed script is removed from the Signed Script list.

Download a signed script

You can download any signed script to modify or archive it.

Task
1. On the Rules page, select the Signed Scripts tab.
2. In the Signed Scripts list, click the Download signed script icon in the required row.

Results

The signed script is downloaded and the location where the file is saved depends on your default settings.

Application mapping
Create an audit rule to monitor DBMS

When you identify an activity in the DBMS that should be monitored or audited, create a rule to monitor such actions in the
future.

Application mapping is performed on every DBMS and provides information about activities taking place on the DBMS, including
which applications are being run and by which users.

Note

The sensor needs to run for some time (normally a day or two) to collect enough information to use application mapping
effectively.

Task
1. On the Rules page, click the Application Mapping tab, then click Audit Wizard.
2. From the Select DBMS drop-down list, select the DBMS for which you want to create an audit rule.
Basic statistics are displayed indicating the application actions collected for the selected DBMS.
3. In the Audit by area, select Full Audit to monitor all elements on the DBMS or select one of the available options from the
drop-down list.


The page is refreshed according to the selected option type. The options available are Application, Host, IP, and Schema.

For example, if Application is selected, the page is refreshed to enable you to select one or more applications.

4. Select the checkboxes where the rule is to apply. For example, if you select audit by Application, you can select one or more
applications.
5. (Optional) To create an exception to the rule, click Edit Filters in the Rule Exceptions area.
The Rule Exceptions area expands to display the available exception categories in a tree-like hierarchy.
6. Select the exception category, then select the checkboxes for which the audit needs to be ignored. The resulting exception
is displayed in the Exceptions selected text box.

Note

Click Clear exception to deselect the checkbox. You can choose multiple exception categories as required.

7. Click Create Rule. The rule is validated and added to the Custom Rules list.
The rule configuration is displayed in the Custom Rules tab.
8. Click Save.

If you would like to refine the rule further, in the Rule statement field, enter the rule comparator statements.

Create a mapping exception rule

Use the sampled information that McAfee Database Security collects about access to the DBMS to create exception rules.

After McAfee Database Security collects sampled information about access to the DBMS, the DBMS Access Info tab shows
detailed information about the most commonly used clusters of applications, users, IP addresses, and more, which have
accessed the DBMS during the sampling period, including a count for each cluster.

The information gathered can be used to:

• Create exception rules. For example, if a rule is created with an exception for a certain combination of IP address,
application, and user, the rule does not generate an alert or event when that exception is matched.
• Create monitoring rules. For example, alert or audit each time the combination of user x, application y, and IP z is
detected.

You can define exceptions to your custom rules by creating an Allow rule and placing it before the relevant rules in the Custom
Rules list. This option is normally used when you identify an activity that happens often and does not require monitoring. You
can also create an Alert rule for a specific combination. This option is used when you identify activity that should be monitored.

Task
1. On the Rules page, select the Application Mapping tab, then select DBMS Access Info.
2. From the Select DBMS drop-down list, select the DBMS whose application mapping information you would like to review.
Click Apply.
The application mapping information for the selected DBMS is displayed in the Display Settings table.
3. (Optional) To filter the display settings for the DBMS, enter the relevant criteria in the filter area, then click Apply.


4. To create an Allow rule:

a. Click the Create Allow Rule icon in the required row.


The Allow rule is displayed in Custom Rules tab.
b. Click Save.
The Allow rule is created and added to the Custom Rules list.
5. To create an Alert rule:
a. Click the Create Alert Rule icon in the required row.
The Alert rule is displayed in Custom Rules tab.
b. Click Save.
The Alert rule is created and added to the Custom Rules list.
c. Configure the Alert rule in the Audit Wizard tab of Application Mapping.

Repeat for more entries in the table, as required.

Working with tags


You can use special tags to facilitate the systematic application of rules for specific purposes to specific DBMSs. Tags are applied
to specific rules. The tags can then be used to apply multiple rules to a DBMS.

The use of tags is intended for advanced users of the enterprise version and is purely optional.

Tags are created in the rule definition process. Existing tag assignments can be edited in the rule definition at any time.

Assign tags to rules

Use the tags applied to specific rules to allow bulk application of these rules to your DBMS. Assign these tags to existing custom
rules by creating or selecting the tags in the rule definition.

Task
1. On the Rules page, click the Custom Rules tab.
2. In the Custom Rules list, click the Edit Rule icon in the required row.
The rule properties are displayed.
3. To assign a tag to the rule, enter the tag name in the Tags field or enter a space in the field to select the tag from the
drop-down list.
4. Click Save.

Assign rules to DBMSs based on tags

Assign rules with specific tags to DBMSs after checking the extent to which the rules with these tags have already been applied.

Task

1. On the Rules page, select the Tags-DBMSs tab, then click the View Tags icon on the top right corner.


Note

This option is enabled only if you have at least one custom rule that includes a tag.

2. Select a tag from the Tags drop-down list.


The Tag per DBMSs list shows the rules that include the selected tag and the DBMSs to which you can apply it.
3. In the Actions column, click Apply All in the required row.
4. When prompted, click OK.
The rules that contain these tags are applied to the DBMS or DBMS groups.

Note

To remove the tagged rules from the DBMS, click Remove All.

View tags per DBMS and DBMSs group

View the distribution of tags according to DBMSs and DBMS groups.

Task
1. On the Rules page, select the Tags-DBMSs tab, then click View DBMSs.
2. From the DBMS Groups and DBMSs drop-down list, select the DBMS or DBMS group.
The Tag per DBMS Groups and DBMSs list indicates the extent to which the available tags have been applied to the
selected DBMS or DBMS group.

Rule revisions

Rule revisions and history are important for several reasons, for example, to roll back changes after mistakes are made in the
policy, or to comply with various standards and best practices. You can view the state of rules at any specific point in time and
the revisions made to rules over time.

View rule revision details

View the version and history of rules at any specific point in time. Each rule revision entry reflects the existing rules at a given
point in time, providing a virtual snapshot of the state of rules in the system. The rule revision details provide information on
the changes made from one revision to the next, indicating whether changes have been made to the rules since the previous
snapshot was recorded.

In addition, you can view the details of a previous revision and roll back to that previous revision if necessary.

Task
1. On the Rules page, select the Rule Revisions tab.
2. In the Rule Revisions list, select the required rule revision, then click the Properties icon in the required row.
The Custom Rules Revision or vPatch Rules Revision is displayed based on the selected rule revision, listing the
parameters for each rule.
3. To view the rule modification details in the rule revision, click the icon in the required row.


Details regarding the rule modifications are displayed in read-only format.


4. In the Rule Revisions list, select the required rule revision, then click the Properties icon in the required row.
The Custom Rules Revision or vPatch Rules Revision is displayed based on the selected rule revision, listing the
parameters for each rule.
5. To roll back the rule details to this rule revision, click the Roll back to revision link.

Note

You cannot roll back rule objects.

Compare revision details

Select two revisions in the Rule Revisions list and compare their details.

Task
1. On the Rules page, select the Rule Revisions tab.
2. In the Rule Revisions list, select the checkboxes for two revisions, then click Compare.

Note

You can only compare revisions of the same type. For example, you cannot compare a vPatch revision with a custom
rule revision.

The Custom Rules Revision or vPatch Rules Revision is displayed based on the selected rule revision.
3. (Optional) To generate a rule revision comparison report, click Generate report.
4. To roll back the rule details to the older rule revision, click the Roll back to revision link.
You cannot roll back rule objects.

Configure notification for rule modification

You can configure McAfee Database Security to notify you whenever a rule is modified.

If application mapping is enabled, you can also configure the system to automatically purge application mapping alerts when a
configured number of alerts is exceeded.

Task
1. On the Rules page, select the Settings tab.
2. Select the Send notification when rule changed checkbox, then enter the email address where the notification is to be sent
in the Send email to field.

Note

The email server settings must be configured on the System page to route email alerts correctly.


3. In the Subject field, enter the text that appears in the subject line of the notification email.
4. In the Quiet Period field, enter the number of minutes during which no further notifications are sent.
5. In the When Application Mapping alerts exceed fields:

• Set the number of alerts that triggers an automatic purge action.


• Set the number of alerts to purge. Alerts are purged on a first-in-first-out basis, meaning that the oldest alerts are
removed and the most recent alerts retained.

6. (Optional) To purge all saved mapping alerts for all DBMSs, click Purge All.

Note

To purge all application mapping data for a specific DBMS only, click Purge in the DBMS Configuration tab for that
DBMS.

7. Click Save.



7| Vulnerability assessment scan for database

Vulnerability assessment scan for database


Using McAfee Vulnerability Manager for Databases you can configure VA scans for the database to identify a wider range of risks,
such as weak passwords or missing patches.

You can configure multiple VA scans to run against one or more databases.

Managing VA Scans
Create a VA scan

A VA scan runs one or more groups of tests on the database. Schedule a newly created VA scan at set intervals or choose to run
an on-demand scan.

The available test groups are preconfigured, except for the custom test group that contains any customized tests defined in the
VA Tests page. You can disable specific tests in a test group for a specific scan.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, click Create New Scan.
2. In the Scan Name field, enter a name for the scan. Use a name that clearly reflects the nature of the scan, for example,
Monthly vulnerability scan of production databases.
3. In Scan by level, select the severity levels to be included in the scan.
4. (Optional) Select Rebuild password scan to recheck the database connections for the databases associated with the test
group.
5. To determine which tests are to be performed as part of the scan:
a. In the Test Groups area, click Select Test Groups.
b. In the Test Groups dialog box, select one or more test groups.
c. Click Done to return to the scan properties page.

Note

You can filter the test group by name.

6. (Optional) To view the list of all tests or disable specific tests in the selected test groups:
a. Click Select Planned Tests.
b. In the Edit/View planned tests dialog box, click the icon next to a test to disable it for this scan. The icon toggles to show the disabled state.

Note

You can filter the tests by Sysid or Name.

c. Click Done to return to the scan properties page.


7. In the Actions area, select the actions to be taken when a scan result is returned:

• McAfee Database Security Console — Generates a result on the VA Results page based on the selected result
priority.
• Syslog — Sends the result to the Syslog.
• Windows Event Log — Sends the result to the Windows event log.
• Log to file — Sends the result to the log file.
• Automatically resolve to — Resolves the result and assigns it as defined in the resolve type.
• Send result to email — Sends an email notification in addition to the alert in the log, with the specified importance,
low, medium, or high.

Note

These options are available only if they are enabled on the System page.

8. To select the DBMSs for scanning:


a. In the Run on area, click DBMSs & Groups.
The Install on DBMSs and DBMS Groups dialog box is displayed.
b. Select the DBMS groups and DBMS from the Install on DBMS Groups and Install on DBMSs tabs.
c. (Optional) To exclude any DBMS from scanning, select the required DBMS under Exclude DBMSs.
d. Click Select to return to the scan properties page.
The selected DBMSs and DBMS groups are listed on the scan properties page.
9. To enable a scan, select Enable scan.
10. To schedule the scan to run at regular intervals, select the Schedule enabled checkbox, then configure the required
scheduling intervals.
11. (Optional) In the Description field, enter a free-text description or comment.
12. Click Save.

Results

The new scan configuration is listed in the VA scan list.

Enable or disable vulnerability assessment scan

Enable or disable VA scans scheduled for the database at any time.

Tip

If the scan configuration is partially done, you can disable the scan to temporarily prevent the scan from running.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, click the Edit VA Scan icon in the required row.
2. In the VA scan properties page, select or deselect the Enable scan option as required.

Scheduling a scan is possible only when you enable the scan.


Note

To disable all VA scans in the VA scans list, click the Actions drop-down list and then select Disable VA Scans.

Clone a vulnerability assessment scan

Clone an existing VA scan. This eliminates the need to define all the scan properties from scratch while creating scans that share
many common properties.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, click the Clone Scan icon in the required row.
2. When prompted for confirmation, click OK.
The new scan is added to the VA scan list in a disabled state. To enable the new scan, click the enable/disable icon, which
toggles to show the enabled state.
3. To edit the scan name and modify specific scan properties, click the Edit VA Scan icon.
4. Edit the scan name and modify the scan properties as required.
5. Click Save.

Results

The scan is added to the VA scan configuration list.

Schedule a VA scan

Schedule a scan to run on the database at regular intervals according to your requirement.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, click the Edit VA Scan icon in the required row.
2. In the scan properties page, you must select Enable scan to schedule a scan.
3. To schedule the scan to run at regular intervals, select the Schedule enabled checkbox and configure one of these
scheduling intervals:

• To run a scan at intervals, select by hour every, then select the time interval between scans.
• To run the scan on the required days, select by day, then select the days of the week and the time to run the scan.
• To run the scan on a monthly basis, select by month every, select the number of months between scans and the
time to run the scan.
• To use advanced scheduling, select advanced cron, then enter an expression in cron syntax.
• To run the scan only once, select Run only once.
4. Click Save.

Results

The scan properties are updated to include the new scheduling information.

Run a VA scan

Manually initiate a vulnerability scan at any time.


Before you begin


You must select Enable scan in the VA scan configuration.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, click the Run icon in the required row.
2. In the confirmation dialog box, click OK.

Results

The vulnerability scan starts and the state of the scan is shown in the VA scan configuration list.

Note

You can also run or rerun the vulnerability scan from the VA Scan Result Summary tab.

Stop a VA scan

Stop a VA scan that is in progress.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, click the Stop icon in the required row.
2. In the confirmation dialog box, click OK.
The state of the scan is updated to Stopped.

Remove a VA scan

If a VA scan is no longer required, remove it from the VA scan list.

Tip

If you think you might need the scan in the future, you can disable it for now and re-enable it later.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, click the Remove icon in the required row.
2. In the confirmation dialog box, click OK.

Results

The scan is removed from the VA scan list.

Apply actions to VA scan list

View the VA scan results for the database and apply specific actions for a set of VA scans.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, apply appropriate filter criteria.
2. Click the Actions drop-down list, then select Apply actions.
3. In Scan Actions, select the required actions and click Apply.


Results

The selected actions are applied to the VA scans and can be viewed in the scan properties of each scan.

Remove actions from VA scans

Remove actions from the VA scans that are no longer required.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, apply appropriate filter criteria.
2. Click the Actions drop-down list, then select Remove actions.
3. In the Scan Actions, select the required actions and click Remove.

Results

The selected actions are removed for all the VA scans.

Add DBMS for VA scans

Add the DBMS groups and DBMSs to include in the VA scans.

Task
1. On the VA Scans page, in the VA Scan Configuration tab, apply appropriate filter criteria.
2. Click the Actions drop-down list, then select Install on DBMSs.
3. To add VA scans for DBMSs, click Install on DBMS.

Note

To exclude VA scans for particular DBMSs, click Exclude DBMSs and select the required DBMSs.

4. To add VA scans for DBMS group, click Install on DBMS Group.

Note

You can filter the DBMSs or DBMS groups by name.

5. Select the required DBMSs or DBMS groups and click Done.

Results

The selected DBMSs or DBMS groups are configured for VA scans and can be viewed in the scan properties of each VA scan.

Remove VA scans from DBMSs

Remove the DBMSs or DBMS groups from the VA scans that are no longer required.


Task
1. On the VA Scans page, in the VA Scan Configuration tab, apply appropriate filter criteria.
2. Click the Actions drop-down list, then select Remove from DBMSs.
3. To remove VA scans for DBMSs, click Remove DBMS.

Note

To exclude VA scans for particular DBMSs, click Exclude DBMSs and select the required DBMSs.

4. To remove VA scans for DBMS groups, click Remove DBMS Group.

Note

You can filter the DBMSs or DBMS groups by name.

5. Select the required DBMSs or DBMS groups and click Done.

Results

The selected DBMSs or DBMS groups are removed from VA scans.

View the summary of VA scan result


View the summary of the vulnerability assessment scans performed on the databases.

The VA Scan Result Summary indicates the number of results of each level of severity, for each test category, and for all
databases included in the scan.

Task
1. On the VA Scans page, click the VA Scan Results Summary tab.
2. In the VA summary list, click the Details icon in the required row.
The VA scan result summary details page displays the DBMS category and the total number of results (all tests) for each
severity for that database. Expand the DBMS scan result by clicking the plus sign to view the breakdown of results according
to test category.

Generate VA scan summary report


Generate a VA scan report that contains a graph of the overall number of databases at each risk level, and an individual graph
for each database showing the number of risks at each risk level for that database. The VA scan summary report can be
generated and exported in HTML or PDF format.

Task
1. On the VA Scans page, click the VA Scan Results Summary tab.
2. Click the Report icon in the required row.


3. In Select DBMSs For Report, select the DBMSs for which the scan report needs to be generated.
4. From the Report type drop-down list, select Scan summary.

Note

To generate a scan test report, select Scan Tests.

5. From the Report Format drop-down list, select PDF or HTML.


6. Click Create Report.

Results

The scan summary is generated in the selected format (.pdf or .html).



8| Vulnerability assessment tests

Vulnerability assessment tests


A VA scan includes one or more tests. A test comprises specific checks to perform against the database.

In addition to using the predefined (out-of-the-box) VA tests, you can create customized VA tests to suit the needs of your
organization. These custom tests can be added to the preconfigured test groups.

VA tests are normally created by advanced users only. We recommend creating VA tests only after running VA scans several
times and becoming deeply familiar with Vulnerability Manager capabilities.

Custom tests can be assigned to the custom or data discovery categories.

Create and define a custom vulnerability assessment test


In addition to using the predefined VA tests, create customized VA tests to suit your organizational needs. Add these custom tests
to the preconfigured test groups.

Task
1. On the VA Tests page, click Create New VA Test.
2. In the Test Name field, enter a name for the test.

Use a name that clearly reflects the nature of the test.

3. From the Result Type drop-down list, select the type of test results to return.
4. In the Test field, enter the test as an SQL statement.

The statement is executed on every DBMS in scope using the credentials the scan connects with, so keep custom tests to
read-only queries.

For example, this DBMS Result Set test returns the list of users granted the DBA role when run on an Oracle database:

select * from dba_role_privs where granted_role = 'DBA'

This Yes/No test returns Yes if dynamic SQL is found in Oracle stored code outside the SYS schema:

select 'yes' from dual where exists (select 1 from dba_source where upper(text) like '%EXECUTE IMMEDIATE%'
and owner <> 'SYS');

5. From the Level drop-down list, select the level of severity to assign to test results.
6. From the Test Category drop-down list, select Custom or Data Discovery.

Data Discovery is used when the test is designed to discover particular tables or columns in the database. Choosing this
category is essential if you want to later turn the results into rule objects.

7. In the Test Groups field, enter the test group name, or enter a space in the field to select test groups from the drop-down
list.
8. In System Test Groups, under the All System Groups list, select one or more test groups to include in the operating system
test, then move them to the Selected System Groups list.


Note

To remove a test group from the Selected System Groups list, select it, then move it back to the All System Groups
list.

9. (Optional) To exclude the test from running on one or more DBMSs, click Remove test from DBMS, then select the DBMSs
to exclude. Click Select.
10. (Optional) Select the Report test failures to VA scan error log.
11. (Optional) In the Description field, enter a free-text description of the test.
12. (Optional) In the Memo field, add an advisory memo or an action note.
13. Click Save.

Results

The test is added to the custom tests list.
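As an added example (not code from the guide or from the product), the following Python harness shows how a custom test's SQL and Result Type combine into a finding. It uses the two Oracle queries quoted in step 4 plus one constructed Data Discovery query, and runs them against an in-memory SQLite stand-in for the Oracle dictionary views (DUAL, DBA_ROLE_PRIVS, DBA_SOURCE, DBA_TAB_COLUMNS) populated with constructed rows, so it works offline; the table contents, test names and severities are assumptions, and the real scanner's evaluation logic is not on the page.

```python
"""Added example (not product code): how a custom VA test's SQL and Result
Type combine into a finding. The Oracle queries are the two quoted in the
guide plus one constructed Data Discovery query; they run here against an
in-memory SQLite stand-in for the Oracle dictionary views, populated with
constructed rows, so the example works offline."""
import sqlite3

# One dict per custom test, mirroring the fields in the Create New VA Test form.
CUSTOM_TESTS = [
    {
        "name": "Users granted the DBA role",
        "result_type": "DBMS Result Set",
        "level": "High",
        "category": "Custom",
        "sql": "select * from dba_role_privs where granted_role = 'DBA'",
    },
    {
        "name": "Dynamic SQL outside SYS",
        "result_type": "Yes/No",
        "level": "Medium",
        "category": "Custom",
        "sql": (
            "select 'yes' from dual where exists (select 1 from dba_source "
            "where upper(text) like '%EXECUTE IMMEDIATE%' and owner <> 'SYS')"
        ),
    },
    {
        # Constructed Data Discovery test: column names that suggest sensitive data.
        "name": "Columns that look like SSN or card data",
        "result_type": "DBMS Result Set",
        "level": "Medium",
        "category": "Data Discovery",
        "sql": (
            "select owner, table_name, column_name from dba_tab_columns "
            "where upper(column_name) like '%SSN%' or upper(column_name) like '%CARD%'"
        ),
    },
]


def stand_in_dictionary():
    """Build a SQLite stand-in for the Oracle views the tests query (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        create table dual(dummy text);
        insert into dual values ('X');
        create table dba_role_privs(grantee text, granted_role text, admin_option text);
        insert into dba_role_privs values
            ('SYS', 'DBA', 'YES'), ('SYSTEM', 'DBA', 'YES'),
            ('APP_ADMIN', 'DBA', 'NO'), ('REPORTER', 'SELECT_CATALOG_ROLE', 'NO');
        create table dba_source(owner text, name text, type text, line integer, text text);
        insert into dba_source values
            ('SYS', 'DBMS_SQL', 'PACKAGE BODY', 10, '  execute immediate v_stmt;'),
            ('APP', 'RUN_REPORT', 'PROCEDURE', 5, '  EXECUTE IMMEDIATE ''select * from '' || p_table;');
        create table dba_tab_columns(owner text, table_name text, column_name text);
        insert into dba_tab_columns values
            ('APP', 'CUSTOMERS', 'CUST_ID'), ('APP', 'CUSTOMERS', 'SSN'),
            ('APP', 'PAYMENTS', 'CARD_NUMBER'), ('APP', 'PAYMENTS', 'AMOUNT');
        """
    )
    return con


def run_test(con, test):
    """Execute one test and interpret the rows according to its Result Type."""
    rows = con.execute(test["sql"]).fetchall()
    finding = bool(rows)  # any returned row is a finding for both result types
    if test["result_type"] == "Yes/No":
        result = "Yes" if finding else "No"  # rows are only evidence; the answer is Yes/No
    else:
        result = rows  # a result-set test reports every row it returned
    return {
        "name": test["name"],
        "category": test["category"],
        "result": result,
        "level": test["level"] if finding else None,  # severity applies only to findings
    }


def run_scan(con, tests=CUSTOM_TESTS):
    return [run_test(con, t) for t in tests]


def discovery_objects(results):
    """Tables surfaced by Data Discovery tests, as OWNER.TABLE names that could become rule objects."""
    tables = set()
    for r in results:
        if r["category"] == "Data Discovery" and r["level"] is not None:
            for owner, table, _column in r["result"]:
                tables.add(f"{owner}.{table}")
    return sorted(tables)


if __name__ == "__main__":
    scan = run_scan(stand_in_dictionary())
    for r in scan:
        print(f"{r['name']}: level={r['level']} result={r['result']}")
    print("discovery objects:", discovery_objects(scan))
```

The SYS row in DBA_SOURCE also contains EXECUTE IMMEDIATE, which is why the owner filter in the Yes/No query matters: without it every Oracle database would answer Yes.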

Remove a custom VA test


Remove a custom VA test that is no longer required.

Note

You cannot delete the preconfigured VA test from the list.

Task
1. Click the VA Tests page.
2. (Optional) Filter the custom VA tests.
3. In the VA test list, click the Delete Test icon in the required row.
4. When prompted for confirmation, click OK.

Results

The custom VA test is removed from the list.

Import VA test
Import VA tests from an XML file into the VA Tests list.

Task
1. On the VA Tests page, click Actions drop-down list.
2. Click Import Tests.
3. In the Import Tests dialog box, browse to the required .xml file, then click Import.

Results

The VA tests are imported to the VA Tests list.


Export VA test
Export the VA tests in the VA Tests list to an XML file, which is saved in the default location.

Task
1. On the VA Tests page, click Actions drop-down list.
2. Click Export tests.

Results

The VA tests are exported to an XML file in the default location.

9| Regulations and compliance rule


McAfee Database Security enables you to create security rules based on established international standards, including General
Data Protection Regulation (GDPR), PCI-DSS, Sarbanes Oxley (SOX), SAS-70, Gramm-Leach-Bliley Act (GLBA), and HIPAA. In
addition, a Best Practices wizard helps in initiating an audit policy for regulatory compliance purposes.

Compliance rules assume that vPatch rules are enabled on all in-scope databases; enable them first if they are not already enabled.

A compliance rule can be applied to all DBMSs or to specific DBMSs and DBMS groups. The Compliance page lists the regulations
for which compliance rules can be configured.

Configure compliance rules


Configure compliance rules using the respective compliance wizard, which simplifies the creation of activity monitoring rules.
Compliance rules are based on various established standards and regulations.

The definitions required for a compliance rule vary with the type of regulation, so the parameters set in the configuration and
the number of pages in the compliance wizard vary accordingly. Follow the on-screen instructions to complete the compliance
wizard.

The following procedure explains how to create custom rules for GLBA compliance.

Task
1. On the Compliance page, click More to view additional regulations.
2. Select the type of regulation for which you want to verify compliance, then click Select.
The Compliance page is displayed, indicating that the selected compliance wizard has not been completed and provides
information required to configure a compliance rule for the selected type of regulation.
3. Click Configuration Wizard to begin the process of configuring the compliance rule.
4. Select the DBMSs and DBMS groups where you want to apply the compliance rule, and click Next.

Note

If a red message appears after clicking Next, there is a problem with the values entered. Fix the settings, then click Next
again.

5. In Application OS Users, enter or upload the OS user names that are used by application database users and click Next.
You can upload the details in the .csv file format.

Note

If you need to exit the wizard and continue the configuration later from the point where you stopped, click Proceed
Later.


6. In Application Database User Name, enter or upload all user names that are used by your approved applications to access
the databases, and click Next.
7. In Approved Application, enter or upload all applications that are allowed to access customer information records on the
database and click Next.
8. In Approved IP Addresses, enter the list of all IP addresses that are allowed to access customer information records on the
database, and click Next.
9. In Customer Information Records Tables, enter the database tables that contain customer information records (such as
cardholder data or other sensitive data) in any of the selected DBMSs, and click Next.
10. In DCL Commands, view the DCL commands and click Next.
You normally do not need to change the DCL command list. To modify it, enter or upload DCL commands.

Note

Clicking Reset resets the default values for that step only.

11. In the DDL Commands, view the DDL commands and click Next.

You need not change the DDL command list. If you want to modify the DDL commands, enter or upload the DDL
commands.

12. In DML Commands, view the DML commands and click Next.

You need not change the DML command list. If you want to modify the DML commands, enter or upload the DML
commands.

13. In Privileged OS Users, enter or upload all OS user names used by the privileged database users, and click Next.
14. In Privileged Database Users, enter or upload all privileged database users, which include the DBA user names and any
other database user name that has high permission in any of the selected databases.

Note

Do not include the user names that applications use; those are entered in the Application Database User Name step.

15. Click Next.


16. In Completed, read the instructions carefully, then select Enable GLBA Compliance Rules.

Note

If this option is not selected, the rule is created but it is not enabled. Make sure that vPatch rules are enabled on all
in-scope databases.

17. Click Finish.


A GLBA tab is added for the new regulation, showing the set of rules created based on predefined rule templates for that
regulation type, including level and defined action.

In addition, you can now filter alerts and other data according to the compliance type. When applicable, you can select the
required regulation type in the Compliance drop-down list.

Save partial compliance rule settings


Exit the Configuration Wizard at any point and continue the configuration later from where you stopped.

Task
1. Click Configuration Wizard.
2. In the compliance wizard, click Proceed Later.
A pop-up message indicates that the data has been saved, and you can complete the configuration later.
3. Click OK.

To return to the wizard, select the regulation type and click Configuration Wizard. Although the wizard contains the values
you previously configured, review your settings and continue from where you left off.

Edit compliance rules


Edit the settings of a compliance rule.

Task
1. On the Compliance page, click the type of compliance rule regulation to be edited.
2. Click Edit Configuration.
3. In the Compliance Rules Configuration dialog box, select the required action:

• Reconfigure rules
• Enable rules

Note

If the compliance rules are enabled, the Disable rules option is displayed.

• Remove configuration completely.


4. When prompted for confirmation, click OK.

Caution

Exercise caution in selecting Remove configuration completely; this action cannot be reversed. This action totally
deletes the existing configuration. The compliance wizard is automatically displayed, prompting you to completely
redefine the regulation.

10| McAfee Database Security sensor


McAfee Database Security sensors are responsible for monitoring access to the DBMSs and sending transaction data to the
McAfee Database Security server. After installation, a sensor must be approved before it can begin active monitoring of a DBMS.

View DBMSs monitored by the sensor


View the list of DBMSs assigned to a sensor on the Sensors page.

Task
1. Click the Sensors page.
2. Select the required sensor in the Sensors list.

The DBMSs monitored by the selected sensor are listed under DBMSs detected by.

View or edit sensor details


View sensor properties and the details of the monitored DBMS in the sensor properties page. You can edit certain properties.

Task
1. Click the Sensors page.
2. In the sensor list, click the Properties icon in the required row.
The sensor details are displayed on the Details tab of the sensor properties page.
3. To view the statistics for the DBMSs monitored by the selected sensor, click DBMS details tab.

Add a DBMS to a sensor


Manually add a DBMS that needs to be monitored, in the sensor properties page.

Task
1. Click the Sensors page.
2. In the Sensors list, click the Properties icon in the required row.
3. Click the DBMS details tab.
4. Click Add a DBMS manually.
5. In the Database Properties dialog box, configure these mandatory parameters:
a. Select New for a new DBMS. When adding a DB2 database with multiple partitions, add the first partition; if you have
already added a partition for that DBMS, select Cluster, then select the partition that was already added.
b. In the Type field, select the type of database.
c. In the SID field, enter the database instance identifier.
d. In the DBMS Home field, enter the name of the DBMS home directory.
e. In the Architecture field, enter database architecture, 32-bit or 64-bit.
6. Click Save.


Results

The DBMS is added and it can be viewed in the DBMS details list.

Approve a sensor
Approve a sensor before it can actively start monitoring a database.

On the Sensors page, if the sensor is approved, the name of the user who approved it appears in the Approved By field. If the
sensor is not approved, the Approve icon appears instead.

Task
1. Click the Sensors page.
2. In the sensor list, click the Approve icon in the required row to approve the sensor.

If a new sensor reports that it is monitoring a DBMS that is already recognized by McAfee Database Security, you are
prompted to select the DBMSs to monitor.

If the sensor ID exists in the system, the Approve Sensor page is displayed.

3. From the Available actions drop-down list, select how you want to handle this sensor:

• New — Indicates this is a new sensor. If you select New, you need to change the sensor ID to a unique one.
• Merge — Indicates this is the same sensor, for example, following reinstallation, and both instances should be
treated as a single sensor.
• Delete — Indicates this sensor was added in error and should be removed from the configuration.
4. Click OK.

Approve the DBMSs


If a new sensor reports that it is monitoring a DBMS that is already recognized by the McAfee Database Security system, approve
the DBMS when you approve the sensor.

Task
1. On the Approve DBMS page, select the DBMSs to be monitored by the sensor.

You can filter the list of DBMSs by selecting All DBMSs, New DBMSs, or Existing DBMSs from the drop-down list

2. If more than one DBMS has the same name, select one of these from the adjacent drop-down list:

• New — Indicates this is a new DBMS that needs to be monitored separately from the existing DBMS.
• Merge — Indicates this DBMS is the same DBMS and the entries should be merged.
• Cluster — Indicates that the DBMS is included in a cluster (and your policy for the DBMS will be installed on all
cluster members). If you select Cluster, the display expands to show details for the DBMS.

You can choose whether you want to install triggers on each DBMS. It is highly recommended to use triggers (selected by
default) with Oracle DBMSs. The triggers used by McAfee Database Security are highly efficient and have minimal impact on
DBMS performance. Use triggers with MS SQL servers when you intend to use McAfee Database Security's prevention
capabilities (allowing you to stop DDL actions before they take place). You can change your choice later by selecting
DBMS properties on the DBMSs tab, or by selecting Manage DBMSs on the Sensors page.

3. Click Save to complete the approval process.

Results

The name of the logged on user is displayed in the Approved By column.

Change the sensor action for a DBMS


Determine how the sensor handles a specific DBMS by setting the action to start or stop monitoring the database.

Task
1. Click the Sensors page.
2. Select the sensor in the Sensors list.
The DBMSs monitored by the selected sensor are listed in DBMSs detected by.
3. In the required DBMS row, set one of these monitoring actions:

• Click Start Monitoring to set the sensor to monitor a DBMS, then select the DBMSs to be monitored on the
Approve DBMS page.
• Click Manage DBMS, select the DBMSs to be monitored and click Save.
4. Click Stop Monitoring to set the sensor to stop monitoring a DBMS.

Sensor management
Stop a sensor

Stop a sensor that is no longer used for monitoring a database, or when you need to change the advanced properties of a sensor.
This results in the database not being monitored by that particular sensor.

A stopped sensor is not deleted from the Sensors list.

Task
1. Click the Sensors page.
2. In the sensor list, click the stop icon in the required row.
3. When prompted for confirmation, click OK.

Results

The sensor is stopped and no longer monitors the DBMS. Click Enable to resume its monitoring activities.


Restart a sensor

You can restart the sensor process as long as the sensor is connected. Use this function if you suspect that the sensor is
malfunctioning or if McAfee support asks you to do so. This action is not available when a sensor is stopped or disconnected.

Task
1. Click the Sensors page.

2. In the sensor list, click the Restart sensor icon in the required row.
3. When prompted for confirmation, click OK.

Results

The sensor is restarted and resumes its monitoring activities.

Delete a sensor

Delete a sensor that is no longer used for monitoring purposes.

Deleting a sensor does not remove it from the web console or uninstall it from the DBMS host; its status is set to DELETED.

To uninstall the sensor from the DBMS host, log on to the host and uninstall it there, for example with rpm -e on Linux
machines, or through the uninstall function on MS Windows.

Task
1. Click the Sensors page.
2. In the Sensors list, click the Delete icon in the required row.
3. When prompted for confirmation, click OK.

Results

The sensor no longer monitors the DBMS. The resolution state of alerts previously generated by the removed sensor is
automatically updated to Sensor Deleted in the alerts list.

Set up the Data Access Layer (DAL) connection using TLS 1.2

When the additional sensor connection (DAL) is configured as described here, McAfee Database Security can connect to MS SQL
servers that have only TLS 1.2 enabled.

Before you begin


• You must install MS SQL Native Client 2011 as part of the MS SQL database instance. You can install it during the MS SQL
database installation, or you can download and install it directly from the Microsoft website.
• Make sure to select the option SQL Client Connectivity SDK when you run the installer.

Task
1. Click the Sensors page.
2. In the sensors list, click the Properties icon for the required sensor.


3. Expand the Advanced option, and enter mssql.sqlncli.enable=1.


4. Click Save.

Troubleshooting the sensor installation


Troubleshooting procedures

If you encounter problems while installing the sensor, for example, if you have installed a sensor and No sensors detected is
displayed when you log in to the web console, follow the steps outlined.

Check if the McAfee Database Security sensor process is up and running:

• On Linux or Solaris, run: /etc/init.d/mfe-dbs-sensor status
• On AIX, run: /etc/rc.d/init.d/mfe-dbs-sensor status
• On HPUX, run: /sbin/init.d/mfe-dbs-sensor status
• On Windows, run services.msc and look for the service McAfee-DBS-Sensor

If the sensor service is down and does not come up after you run it, check that the McAfee Database Security server has a valid
license. If the sensor was connected to the server before applying the license, you need to manually restart the sensor.

If you are still unable to run the McAfee Database Security sensor, contact McAfee support after running the diagnostic tool.

If the McAfee Database Security sensor is not on the McAfee Database Security server sensors' list:

1. Verify that the server IP address and port are set correctly in the McAfee Database Security sensor's configuration
file (located in Linux: /etc/sysconfig/mfe-dbs-sensor; Solaris: /etc/default/mfe-dbs-sensor; AIX: /etc/mfe-dbs-sensor;
HPUX: /etc/rc.config.d/mfe-dbs-sensor; and on Windows, run McAfeeDBSConfig.exe). If they are not set correctly,
update the configuration file and restart the McAfee Database Security sensor service.
2. Verify that the sensor can reach the server port, using ping <server ip> and telnet <server ip> <port number>. Ping only
shows that the host answers ICMP; the telnet connection is what confirms that the TCP port is reachable.

• If it is not reachable, verify that there is no firewall blocking the communication (check that McAfee Database
Security sensor communication port is open for TCP). If it is blocked, enable TCP communications on that port and
restart the McAfee Database Security sensor service.
• If the McAfee Database Security server IP address and port are reachable from the McAfee Database Security
sensor computer and you still do not see the sensor on the sensors list on the McAfee Database Security server,
run the diagnostic tool, then contact McAfee support for assistance.
• If you are still unable to reach the McAfee Database Security server from the McAfee Database Security sensor
server, contact your system administrator for support.

If no DBMSs are displayed for your McAfee Database Security sensor:

• On Windows platforms, run the diagnostic tool and then contact McAfee support for assistance.
• On non-Windows platforms, verify that:
    • You have group read and execute permissions on $ORACLE_HOME and $ORACLE_HOME/dbs, and group read permissions on
      $ORACLE_HOME/dbs/sp*.ora and $ORACLE_HOME/dbs/init*.ora.
    • Your ORACLE_HOME group is either dba or oinstall. If not, add the relevant Oracle group to the mcafee OS user.
    • Your oratab file (under /etc/oratab or /var/opt/oracle/oratab) points to the correct ORACLE_SID and ORACLE_HOME
      (entries in the file have the format $ORACLE_SID:$ORACLE_HOME:<N|Y>:). If the entries are incorrect, fix them and
      restart the McAfee Database Security sensor service. Otherwise, contact McAfee support after running the diagnostic tool.
    • If your oratab file is in a different location, configure the sensor by editing the startup script (on Linux or Solaris:
      /etc/init.d/mfe-dbs-sensor; on AIX: /etc/rc.d/init.d/mfe-dbs-sensor; on HPUX: /sbin/init.d/mfe-dbs-sensor) and adding
      "-r <oratab full path>/oratab" to the start function. After editing the startup script, restart the McAfee Database
      Security sensor.

If the DBMS appears on the Sensors list but is listed as disconnected:

• Verify that Oracle is version 8.1.7 or later, or MS SQL Server 2000 or later, or Sybase ASE 12.5. If you are trying to
monitor another DBMS version, verify with McAfee support that the version is already supported.
• If the McAfee Database Security sensor is still unable to monitor your DBMSs, run the diagnostic tool, then contact
McAfee support.

Run the diagnostic tool (Analytic package)

Running the diagnostic tool creates an output file for you to provide to McAfee support when requesting assistance.

You can change the sensor log level and remotely create an Analytic package.

Task
1. On the Sensors page, click the Properties icon in the row for the sensor.
2. From the Log Level drop-down list, select DEBUG.
3. Let the McAfee Database Security sensor run for five minutes (no sensor restart is required).
4. Click Generate.
5. Restore the log level to INFO after troubleshooting is complete.

The analytic package output file name is displayed when the process is complete. Send the file by email to the McAfee
support team.

If you are running an earlier sensor version, or have trouble connecting to the sensor, perform these steps instead:

6. Change the log level from INFO to DEBUG in the sensor configuration file as follows:

• On Linux — /etc/sysconfig/mfe-dbs-sensor
• On Solaris — /etc/default/mfe-dbs-sensor
• On AIX — /etc/mfe-dbs-sensor
• On HPUX — /etc/rc.config.d/mfe-dbs-sensor
• On Windows — McAfeeDBSConfig.exe

7. Let the McAfee Database Security sensor run for 10 minutes.


8. Run the diagnostic tool:


• On Linux — /sbin/service mfe-dbs-sensor create_analytic_package


• On Solaris — /etc/init.d/mfe-dbs-sensor create_analytic_package
• On AIX — /etc/rc.d/init.d/mfe-dbs-sensor create_analytic_package
• On HPUX — /sbin/init.d/mfe-dbs-sensor create_analytic_package
• On Windows — Analytics.exe

Results

The Analytic package output file name is displayed when the process is complete. Send the file by e-mail to the McAfee support
team.

Sensor log files

Sensor log files use a base name (referred to later as <BASE_NAME>). The name on Linux and Unix is dbs.log and on Windows it
is logfile.log.

• Sensor main log — Name: <BASE_NAME>. This log file contains general logging regarding the sensor. This includes
communication flow, database detection, statistics and management of monitored DBMSs.
• Sensor DBMS instance log — Name: <BASE_NAME>_<DBMS Unique Name>. The sensor maintains a log file per
monitored DBMS instance. The log file contains information for the specific monitored DBMS instance. This includes
DBMS details, statistics and alerts.
• Standard output log — Name: <BASE_NAME>.std. This log file contains the standard output and standard error output
of the Sensor process. The file contains a log line every time the Sensor is started and may contain sparse periodic
information output. This file should not contain errors and should not grow in size. The file is not rolled over. If it grows
beyond 1 MB it is recommended to review the file and, if needed, report it to McAfee support.
• Cache Statistics log — Name: <BASE_NAME>.log_caches. This log file contains statistics about internal caches used by
the sensor. This file can help in the analysis of sensor resource utilization.

Sensor log file size

When a log file reaches its maximum size, the log file is backed up by adding the number 1 after its file name extension and a
new log file is created. The extension numbers of any existing backup files are incremented sequentially. For example, when
dbs.log reaches its maximum size, it is renamed to dbs.log.1; the file dbs.log.1 is renamed to dbs.log.2, and so on, up to the
maximum number of log files configured (the default setting is 13).

When the maximum number of files is reached, the oldest file is deleted.

Sensor log file size and maximum number of log files are configured on the Sensor properties page in the management console.

Sensor log format

The sensor main log and sensor DBMS instance logs use this format: <DATE> T[<THREAD ID>] F[<FILE NAME>] L[<LINE
NUMBER>] <SEVERITY> <MESSAGE>.

Sample log message:


Tue May 27 2014 19:22:11.056 T[6504] F[Profile.cpp] L[935] NOTICE Loading profile

The logs contain these fields:

• DATE — The time and date the log line was written. Time is formatted according to the local time zone of the machine
where the sensor runs.
• THREAD ID — Operating system thread ID. The sensor is a multi-threaded process. This field can be used to follow the
activity of a single thread.
• FILE NAME, LINE NUMBER — Source file name and line number where the log line was called in the code. This helps
McAfee Support and engineering identify the code the log entry was generated from.
• SEVERITY — Severity of the log entry. These are the available log severity levels, in order of severity:
    • ERROR — Represents an unexpected error or condition that the sensor has encountered. Log lines with the ERROR
      severity indicate a problem that requires review.
    • WARNING — Represents transient conditions that might later lead to an error. These log entries can provide insight
      into subsequent errors. They do not require review if not accompanied by ERROR entries.
    • NOTICE — The sensor's default log level; useful information about the proper operation of the sensor.
    • INFO — Medium level of detail about sensor operation. McAfee Support might request this log level for
      troubleshooting if DEBUG generates too many log entries and the logs are rolling over.
    • DEBUG — High level of detail about sensor operation. This log level is used by support and engineering teams for
      troubleshooting.
    • TRACE — Low-level tracing information that might be requested by development teams. This log level is intensive
      and should not be set unless explicitly requested by McAfee Support.

• MESSAGE — Log message can span multiple lines.

Note

The minimum severity level to write to the log file is configured on the Sensor properties page in the management
console. The default and recommended level is NOTICE, meaning that NOTICE, WARNING and ERROR log lines are
written to the log file. Changing to a log level below NOTICE can cause extensive logging and affect sensor resource
utilization.

Sensor startup logging

When the sensor starts, it writes a special header in the log file in the following format:

*************************** Security Sensor Started [ <DATE> ]***********

Monitoring the sensor logs for this header can indicate when the sensor experienced a restart. Multiple sensor restarts in a
short time period can indicate an issue that requires further investigation. On Unix/Linux systems, the sensor DBMS instance log
also contains the start header as the instance is monitored by a child process that can be started and stopped. A process that
experiences multiple restarts in a short time period can also indicate an issue that requires further investigation.


Sensor cache statistics logging

Starting from version 4.4.7, the sensor periodically (hourly) logs statistics about its cache usage into a special file. This file
can help in analyzing the resource utilization of the sensor. The file contains statistics for these sensor caches: rule cache,
stored procedure cache, prepared statement cache, sessions per NIC, and the network session buffers.

The format of each log entry beyond the standard header is:

<MONITORING_COMPONENT>: <SUB_COMPONENT> <STATS_INFO>

The log contains these fields:

• MONITORING_COMPONENT — Either NETWORK or MEMORY. Indicates the monitoring technology that the statistics info
entry is related to.
• SUB_COMPONENT — One of the following, depending on the stats info entry:
    • A DB instance name — Format: DB[<full_db_name>]
    • A network interface name — Format: NIC[<full_nic_name>]
    • GLOBAL — A global stats info entry not related to a specific network interface or DB instance

• STATS_INFO — The statistics information to be logged.


Sample log messages:

Sat Nov 8 2014 20:42:19.349 T[2484] F[CacheStatisticsFileManager.cpp] L[120] NOTICE NETWORK: GLOBAL: Network Session Buffer: Global cache used[8192] out of [268435456] bytes,rate[~0%] : Global cache in limits: OK

Sat Nov 8 2014 20:42:19.349 T[2484] F[CacheStatisticsFileManager.cpp] L[120] NOTICE NETWORK: DB[myhost_SQL2012RTM_6049d7b3295c468a7b638d4ff2738352ab4c794a]: Stored Procedure Cache[maxSize[81920KB],load[0%]] Rule Cache[disable]

Sat Nov 8 2014 20:42:19.365 T[2484] F[CacheStatisticsFileManager.cpp] L[120] NOTICE MEMORY : DB[myhost_SQL2012RTM_6049d7b3295c468a7b638d4ff2738352ab4c794a]: Stored Procedure Cache[maxSize[81920KB],load[22%],elements[2695],averElemSize[6881B],access[139],misCount[34],misRate[24%],hitCount[105], [access[0]] Rule Cache[maxSize[52428800],used[80%],nodes[165],totalAccessCount[7261],totalHitCount[3730],totalHitRate[51%],totalMissCount

Sat Nov 8 2014 20:42:19.381 T[2484] F[CacheStatisticsFileManager.cpp] L[120] NOTICE NETWORK: DB[myhost_SQL2012RTM_6049d7b3295c468a7b638d4ff2738352ab4c794a]: Prepared Statement Cache[maxSize[51200KB],load[0%],elements[32],averElemSize[1460B],access[0]]

Sat Nov 8 2014 20:42:19.343 T[2484] F[CacheStatisticsFileManager.cpp] L[120] NOTICE NETWORK: Nic[\Device\NPF_{EA4063F0-407E-46D7-A634-6A2A8502D1EC}(0.0.0.0)]: Number Of sessions[1]

Searching sensor logs for errors

You can use the "] ERROR " search string to identify errors in the sensor logs.


For example, to search for errors using the Linux/Unix grep utility:

grep '] ERROR ' dbs.log*

For example, to search for errors using the Windows find utility:

find "] ERROR " logfile.log*

Common log errors explained

Data access layer errors

Data access layer (DAL) errors are identified by a file name of the form: Dal*.cpp.

For example: DalOracle.cpp, DalTeradata.cpp, DalMSSQL.cpp. They usually occur when the sensor fails to connect to, or execute a
statement on, the database. If the failure is critical, the sensor sends a message box notification (Error 9 - DAL_ERROR) to the
server with details of the failure. These errors can also appear in the log in non-critical situations, such as when the database is
shutting down or restarting. In such cases, examine the log to see whether the situation is resolved once the database is
up and running again.

An error log indicating failure to delete the failed login trace during a database restart:

Sat Jun 14 2014 01:43:34.202 T[4016] F[DalMSSQL.cpp] L[1574] ERROR Failed to delete failed login trace [<INSTANCE NAME>]

Log line later on successful connection:

Sat Jun 14 2014 01:45:08.943 T[3760] F[DalMSSQL.cpp] L[1542] NOTICE Successfully switch off failed login trace [<INSTANCE NAME>]

Communication errors

Communication errors are identified by the file names: ServerConnection.cpp and ServerTransportTCPSSL.cpp.

They usually occur when the sensor has a problem communicating with the server. The problem might be transient (such as a
network disconnect), so examine the log to see whether communication resumed after the error.

An error log entry (followed by a warning message with more information) indicating a failure to communicate:

Mon Aug 26 2013 03:50:40.258 T[2072] F[ServerConnection.cpp] L[249] ERROR Failed to send message now

Mon Aug 26 2013 03:51:10.259 T[2072] F[ServerTransportTCPSSL.cpp] L[530] WARNING Unable to connect to server xx.xx.xx.xx(host.com):1996 (Resource temporarily unavailable) randStatus(1), errno is 10035, ssl err: error:00000000:lib(0):func(0):reason(0)

Log line later upon successful connection:


Mon Aug 26 2013 03:51:20.480 T[2072] F[ServerTransportTCPSSL.cpp] L[609] NOTICE Connected to server: xx.xx.xx.xx local IP: xx.xx.xx.xx(host.com)
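The triage the guide describes for both error classes (grep for the ERROR marker, classify by source file, then check whether a later NOTICE from the same subsystem shows recovery) can be scripted. The following is an added example written for this guide, not a McAfee tool or script; it assumes the entry prefix format shown in the examples above (`<timestamp> T[thread] F[file] L[line] <LEVEL> <message>`, with wrapped continuation lines) and uses a constructed sample log modelled on those examples.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Prefix of every sensor log entry (format taken from the examples in this chapter):
#   <Day Mon D YYYY HH:MM:SS.mmm> T[thread] F[source file] L[line] <LEVEL> <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"T\[(?P<thread>\d+)\] F\[(?P<file>[^\]]+)\] L\[(?P<line>\d+)\] "
    r"(?P<level>[A-Z]+)\s*(?P<msg>.*)$"
)


@dataclass
class LogEntry:
    ts: datetime
    thread: int
    source_file: str
    line: int
    level: str
    message: str


def subsystem(source_file: str) -> str:
    """Classify an entry by its source file, following the guide's two error classes."""
    if source_file.startswith("Dal") and source_file.endswith(".cpp"):
        return "DAL"   # data access layer: connecting to / executing on the DBMS
    if source_file in ("ServerConnection.cpp", "ServerTransportTCPSSL.cpp"):
        return "COMM"  # sensor-to-server communication
    return "OTHER"


def grep_errors(text: str) -> List[str]:
    """Equivalent of grep '] ERROR ' dbs.log: the raw lines carrying the ERROR marker."""
    return [line for line in text.splitlines() if "] ERROR " in line]


def parse_log(text: str) -> List[LogEntry]:
    """Parse entries; a line without the prefix is a wrapped continuation of the previous entry."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(LogEntry(
                ts=datetime.strptime(m["ts"], "%a %b %d %Y %H:%M:%S.%f"),
                thread=int(m["thread"]),
                source_file=m["file"],
                line=int(m["line"]),
                level=m["level"],
                message=m["msg"].strip(),
            ))
        elif raw.strip() and entries:
            entries[-1].message += " " + raw.strip()
    return entries


def triage(entries: List[LogEntry]) -> List[dict]:
    """For every ERROR, report whether a later NOTICE from the same subsystem followed it.

    That later NOTICE is the recovery signal the guide tells you to look for
    (reconnected to the server, trace switched off once the database is back up).
    """
    report = []
    for i, e in enumerate(entries):
        if e.level != "ERROR":
            continue
        sub = subsystem(e.source_file)
        recovered = any(
            later.level == "NOTICE" and subsystem(later.source_file) == sub and later.ts > e.ts
            for later in entries[i + 1:]
        )
        report.append({
            "ts": e.ts.isoformat(sep=" ", timespec="milliseconds"),
            "file": e.source_file, "subsystem": sub,
            "message": e.message, "recovered": recovered,
        })
    return report


# Constructed sample modelled on the entries quoted in this chapter; not a real sensor log.
SAMPLE_LOG = """\
Mon Aug 26 2013 03:50:40.258 T[2072] F[ServerConnection.cpp] L[249] ERROR Failed to send message now
Mon Aug 26 2013 03:51:10.259 T[2072] F[ServerTransportTCPSSL.cpp] L[530] WARNING Unable to connect to server xx.xx.xx.xx(host.com):1996 (Resource temporarily unavailable)
Mon Aug 26 2013 03:51:20.480 T[2072] F[ServerTransportTCPSSL.cpp] L[609] NOTICE Connected to server: xx.xx.xx.xx
Sat Jun 14 2014 01:43:34.202 T[4016] F[DalMSSQL.cpp] L[1574] ERROR Failed to delete failed login trace
[<INSTANCE NAME>]
Sat Jun 14 2014 01:45:08.943 T[3760] F[DalMSSQL.cpp] L[1542] NOTICE Successfully switch off failed login trace
[<INSTANCE NAME>]
Sat Jun 14 2014 02:10:15.001 T[3760] F[DalOracle.cpp] L[88] ERROR Failed to execute statement on [<INSTANCE NAME>]
"""

if __name__ == "__main__":
    for item in triage(parse_log(SAMPLE_LOG)):
        flag = "recovered" if item["recovered"] else "STILL OPEN"
        print(f'{item["ts"]} {item["subsystem"]:4} {item["file"]:28} {flag}: {item["message"]}')
```

Run it against a real dbs.log by reading the file into `parse_log`; the entries flagged STILL OPEN are the ones worth escalating, while errors followed by a NOTICE from the same subsystem are usually the transient restarts and disconnects the guide mentions.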


Monitoring and protecting DBMS


McAfee Database Security provides protection for the DBMSs where McAfee Database Security sensors have been installed, as
well as for DBMSs that are available for VA scans.

The monitoring policy for a DBMS comprises the rules that are enabled and applied on that DBMS. After a McAfee Database
Security sensor is installed on a DBMS host server, if more than one DBMS is installed on the host, the DBMS must be approved
in the McAfee Database Security configuration before a monitoring policy can be applied to it.

The DBMSs page lists the DBMSs where McAfee Database Security sensors have been installed and enables you to view the
properties of each DBMS.

Add a DBMS for vulnerability assessment


Configure multiple DBMSs for vulnerability assessment by adding the DBMS to the VA server and configuring the necessary
settings.

Task
1. On the DBMSs page, click the DBMS tab.
2. Click Add VA DBMS.
3. From the DBMS type drop-down list, select the database type, such as Oracle, MSSQL, MYSQL, SQL Azure, or Sybase.
Due to MySQL licensing restrictions, you need to download the MySQL JDBC driver from the MySQL website:

• Download the Platform Independent (Architecture Independent), ZIP Archive file from http://dev.mysql.com/downloads/connector/j/
• Extract the file and copy mysql-connector-java-<version no>.jar to <Server Installation Directory>\common\lib
• Restart the McAfee Database Security server
4. In the Host/IP field, enter the name of the host server or its IP address, then click test to verify the validity of the host name or
IP address.
5. Configure these host parameters:

• In the Port field, enter the number of the port for connecting to the database. Click test to check its validity.
• In the Sid, Database Name, or Instance Name field, enter the respective service name or database instance ID on
the server. Click test to check its validity.

Note

The field varies based on the type of database selected in the DBMS type.

6. On the DBMS Connection, enter the user name and password to be used to connect to the DBMS. Scripts that create a user
with the correct and minimal permissions for scanning are available in the screen.
7. (Optional) Click Advanced to configure more VA parameters (used for troubleshooting purposes only):

• Connection String — (Optional) The connection string used to connect to the DBMS.


• Connection Properties — (Optional) Properties typically used by Technical Support for troubleshooting the DBMS
connection.
• Enable alternative DBMS connection (advanced users only, for DAM only) — When selected, alternative
connections can be made using these parameters:

User Name — The user name to be used to connect to the DBMS.
Password — The password to be used to connect to the DBMS.
Connection String — The connection string used to connect to the DBMS. This parameter is applicable to
Oracle DBMSs only.

8. Click Test DBMS Connection to check the connectivity between the VA server and the database.
9. (Optional) To view users that were excluded from weak password tests, expand the Exclude Users from test section. The
listed users are exempt from weak password tests based on exceptions in the VA Results page. You can manually delete a
user from the list if needed.
10. (Optional) Click OS Connection and select Enable os check to configure the connection and test the operating system:

• OS User Name — The user name to be used to log on to the operating system.
• OS Password — The password to be used to log on to the operating system.
• Test OS Connection — Checks the connection to the operating system.
11. Click Save.

DBMS properties and trigger settings


View and edit the DBMS properties

View and edit the properties of a DBMS, such as its name, description, and DBMS group assignment.

The DBMS properties also include the trigger settings for the DBMS. A Data Definition Language (DDL) trigger can be added to
the monitored database to prevent DDL actions before they happen.

Stopping a DDL action requires relevant custom rules, for example, cmdtype = drop table and user <> $privileged_users.
The DDL trigger was designed to have minimal impact on the DBMS. However, with heavy DDL traffic, the delay that the DDL
trigger introduces can cause unwanted latency.

Task
1. On the DBMSs page, click the DBMS tab.
2. In the DBMS list, click the Edit Configuration icon in the required row.

Results

The DBMS Configuration tab displays the properties of the selected DBMS.

Add a new DML trigger

The DML trigger delays DML actions so that they can be prevented. The DML trigger is available for customers who want to audit
before and after values when data changes occur. Because the DML trigger introduces latency, use this feature sparingly.


Task
1. On the DBMSs page, click the DBMS tab.
2. In the DBMS list, click the Edit Configuration icon in the required row.
3. Click the DML Triggers Configuration tab, then click Add New Trigger.
4. Select Use VA Credentials or provide username and password for the new trigger.
5. In the Trigger Display Name, enter the name to be displayed.
6. In Select DB drop-down list, select the database to apply the trigger.
7. In the Select Table drop-down list, select the table to apply the trigger.
8. In the Select Columns, select the column to apply the trigger.
9. In the Select DML CMD Type To Audit, select the command types (Insert, Update, and Edit) to audit.
10. (Optional) In the Select Trigger Actions, select the Delay Transactions By and provide the required time period.
11. Click Create Triggers.

View DML monitoring results

For the added DML trigger, you can view the results of the DML actions on the VA Results page.

Note

The DML triggers are created in the properties of a VA DBMS. The DML trigger is available only for DBMSs where VA is
enabled.

Task
1. On the VA Scans page, create a VA scan that includes the test group DML Audit.
2. In the Run on area, select the database for which the DML trigger is created.
3. Click Save.
4. Run the VA scan as scheduled or manually.

Results

The DML results are viewed on the VA Results page.

Enable or disable DML triggers

You can enable or disable DML triggers.

Task
1. On the DBMS page, click the DBMS tab.
2. In the DBMS list, click the Edit Configuration icon in the required row.
3. In the DBMS Configuration tab, expand DDL/DCL Monitoring.
4. Select Enable Triggers.

To disable the trigger, deselect Enable Triggers.


Enable or disable redo buffer monitoring

Redo buffer monitoring enables McAfee Database Security to obtain DDL statements without installing triggers. It is available
for Oracle databases and works by monitoring the Oracle redo log.

Note

Enabling redo buffer monitoring disables triggers.

Task
1. On the DBMSs page, click the DBMS tab.
2. In the DBMS list, click the Edit Configuration icon in the required row.
3. In the DBMS Configuration tab, select or deselect the Monitor Redo Buffer option as required.

Configure failed logon

Determine the number of failed logons in a set time period that is considered abnormal for the DBMS.

Note

Only vPatch rules use the failed logon feature.

Task
1. On the DBMSs page, click the DBMS tab.
2. In the DBMS list, click the Edit Configuration icon in the required row.
3. In the DBMS Configuration tab, expand Failed Login Monitoring and select the Enable Failed Login Monitoring checkbox.
4. In the Failed Login Count field, set the number of failed attempts to log on to a single DBMS within the defined Failed Login
Measure Period that triggers an alert.
5. In the Failed Login Measure Period field, set the time period (in seconds) in which, if the Failed Login Count is exceeded, an
alert is triggered by the vPatch rules.
6. Click Save.
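The two settings above define a sliding-window counter: a number of failed logons (Failed Login Count) observed against one DBMS inside a time window (Failed Login Measure Period). The following is an added example, written for this guide rather than taken from the product, of how such a detector behaves on a constructed stream of failed-logon events. It assumes events arrive in time order and, as the threshold semantics, that reaching the configured count inside the window raises the alert; the DBMS names, user names and addresses in the sample are constructed.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class FailedLogin:
    ts: datetime
    dbms: str
    user: str
    source_ip: str


class FailedLoginMonitor:
    """One sliding window per DBMS, sized by the measure period, counting failed logons."""

    def __init__(self, failed_login_count: int, measure_period_seconds: int):
        self.threshold = failed_login_count               # "Failed Login Count"
        self.period = timedelta(seconds=measure_period_seconds)  # "Failed Login Measure Period"
        self._windows: Dict[str, Deque[FailedLogin]] = {}

    def observe(self, event: FailedLogin) -> Optional[dict]:
        """Feed one failed logon (events must arrive in time order). Returns an alert or None."""
        window = self._windows.setdefault(event.dbms, deque())
        window.append(event)
        # Expire failures that fell out of the measure period.
        while window and event.ts - window[0].ts > self.period:
            window.popleft()
        if len(window) < self.threshold:
            return None
        alert = {
            "dbms": event.dbms,
            "failures": len(window),
            "window_start": window[0].ts.isoformat(sep=" "),
            "window_end": event.ts.isoformat(sep=" "),
            "users": sorted({e.user for e in window}),
            "source_ips": sorted({e.source_ip for e in window}),
        }
        # Restart the count so one burst raises one alert rather than one per extra failure.
        window.clear()
        return alert


def detect(events: List[FailedLogin], failed_login_count: int,
           measure_period_seconds: int) -> List[dict]:
    """Run the monitor over a batch of events and return every alert it raised."""
    monitor = FailedLoginMonitor(failed_login_count, measure_period_seconds)
    alerts = []
    for event in sorted(events, key=lambda e: e.ts):
        alert = monitor.observe(event)
        if alert:
            alerts.append(alert)
    return alerts


_T0 = datetime(2014, 6, 14, 1, 40, 0)
# Constructed sample: a burst against prod-oracle from one address, a slow trickle against dev-mssql.
SAMPLE_EVENTS = [
    FailedLogin(_T0 + timedelta(seconds=s), "prod-oracle", u, "10.0.0.23")
    for s, u in [(0, "scott"), (10, "sys"), (20, "system"), (30, "dbsnmp"), (40, "scott"), (45, "scott")]
] + [
    FailedLogin(_T0 + timedelta(seconds=s), "dev-mssql", "sa", "10.0.0.77")
    for s in (0, 120, 240)
]

if __name__ == "__main__":
    # Failed Login Count = 5 within a Failed Login Measure Period of 60 seconds.
    for a in detect(SAMPLE_EVENTS, 5, 60):
        print(f'{a["dbms"]}: {a["failures"]} failures {a["window_start"]} .. {a["window_end"]} '
              f'users={a["users"]} from={a["source_ips"]}')
```

With a count of 5 and a period of 60 seconds, the burst against prod-oracle raises exactly one alert (several account names tried from one address) and the three attempts against dev-mssql, two minutes apart, raise none; lowering the count or lengthening the period changes which of them trip, which is the trade-off to keep in mind when choosing the two values for a busy DBMS.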

Enable application mapping

Configure the mapping of application access per DBMS. Application Mapping is enabled by default for every new monitored
DBMS.

Before you begin


Turn off this function after configuring the policy and determining that application mapping is no longer required.

Task
1. On the DBMSs page, click the DBMS tab.
2. In the DBMS list, click the Edit Configuration icon in the required row.
3. In the DBMS Configuration tab, expand Application Mapping, then select the Enable Application Mapping checkbox.


4. In the Limit Application Mapping Alerts per Second field, set the maximum number of application mapping alerts that are
sampled per second.
5. In the Notify When Database Events Count Exceeds field, set the number of database events which, when exceeded,
triggers a notification.
6. Click Save.

Note

To purge all application mapping data for the DBMS, click Purge in the DBMS Configuration tab. To purge all saved
mapping data for all DBMSs, click Purge on the Settings tab of the Rules page.

Add actions to DBMS

You can add an action to multiple DBMSs.

Task
1. On DBMSs page, click the DBMS tab.
2. Select the required DBMSs from the DBMS list.
3. From the Actions drop-down list, select Add actions.
4. In the DBMS Actions, select the required actions and edit their properties.
5. Click Apply.

Results

The applied actions are updated in the respective DBMS properties and can be viewed on the DBMS Configuration tab.

Configure the character set

Set the correct character set from the DBMS properties page. The correct character sets are pre-configured by default.

Sometimes (such as if the DBMS is configured with one character set but another character set is being used), manual
configuration of the character set is required.

Task
1. On the DBMSs page, click the DBMS tab.
2. Select the required DBMSs from the DBMS list.
3. From the Actions drop-down list, select Add actions.
4. In the DBMS Actions, select the Charset and change the required character set from the drop-down list.
5. Click Apply.

Add DBMS from TNS

Oracle databases can be added for vulnerability assessment by uploading their tnsnames.ora file.

Task
1. On the DBMSs page, click the DBMS tab.


2. From the Actions drop-down list, select Add DBMS from TNS.
3. In the Create DBMS from TNS file dialog box, choose the required .ORA file and click Upload.
4. Select the DBMS instance.
5. Provide the username and password to configure a VA DBMS and click Create VA DBMSs.

Results

The Oracle database is added to the DBMS list for vulnerability assessment.

View sensors by DBMS

View the list of sensors used to monitor a DBMS on the DBMSs page.

Task
1. On the DBMSs page, click the DBMS tab.
2. Select the required DBMS in the DBMS list.

Results

The sensors that monitor the selected DBMS are listed, including the name and status of the sensor.

Monitor a clustered database

You can monitor clustered databases by installing sensors on the cluster nodes.

Task
1. Finish the installation of the first sensor, then approve the sensor and the database.
2. Install the second sensor, then approve the sensor without approving the database.
3. On the Sensors page, select the second sensor, then click Start Monitoring on the database detected by the sensor.
A dialog box is displayed with the DBMS details.
4. Select Cluster from the drop-down list.
5. Select the database that is part of this cluster, then click Save.

Results

In the DBMS page, the clustered databases are displayed.

Working with network scans


Network scans search your network for databases that have not yet been added to the VA DBMSs. Discovered DBMSs can be
added to VA scans. To monitor the databases, install a sensor on the database server host.

DBMS network scans are configured on the DBMS Network Scanner tab.

Create a network scan

Create multiple network scans to search your network for databases that have not yet been added to the DBMSs list.

Discovered DBMSs can be added to VA scans. To monitor the database, install a sensor on the database server host.


Task
1. On the DBMSs page, select the DBMS Network Scanner tab, then click Create Network Scan.
The Update Network Scan dialog box is displayed.
2. In the IP Ranges field, set the range of IP addresses to be scanned on the network.
3. In the Network Timeout field, set the timeout for IP connectivity.
4. In the Number of scanning threads field, set the maximum number of concurrent scans.
5. To check the IP connectivity before scanning the ports, select the Check ICMP/Echo before ports checkbox.
6. To schedule the network scan, expand Schedule Network Scan, then select the Schedule enabled checkbox and configure
one of these scheduling intervals:
a. To run the scan more than once a day, select by hour, then indicate the interval between scans.
b. To run the scan on the required days, select by day, then select the days of the week and the time to run the scan.
c. To run the scan on a monthly basis, select by month every, select the number of months between scans and the time
to run the scan.
d. To run the scan on an advanced schedule, select advanced cron, then enter an expression in cron syntax.
e. To run the scan only once, select Run only once; the scan is not rerun on a schedule.
7. To scan for Oracle servers, expand Advanced Scan Configuration for Oracle, then set these parameters:
a. Select the Check Oracle checkbox.
b. To automatically add the default Oracle ports, select the Add Oracle default ports checkbox.
c. In the Ports to scan field, specify the ports to be scanned on the Oracle servers.
d. To guess the Oracle SID names, select the Brute force Oracle names checkbox.
8. To scan for MS SQL servers, expand Advanced Scan Configuration for MssqL, then set these parameters:
a. Select the Check MS SQL Server checkbox.
b. To automatically add the default MS SQL ports, select the Add MS SQL Server default ports checkbox.
c. In the Ports to scan field, specify the ports to be scanned on the MS SQL servers.
d. To guess the MS SQL instance names, select the Brute force MS SQL Server names checkbox.
9. To scan for Sybase servers, click Advanced Scan Configuration for Sybase, then set these parameters:
a. Select the Check Sybase checkbox.
b. To automatically add the default Sybase ports, select the Add Sybase Server default ports checkbox.
c. In the Ports to scan field, specify the ports to be scanned on the Sybase servers.
d. To guess the Sybase instance names, select the Brute force Sybase instance names checkbox.
10. To scan for DB2 servers, expand Advanced Scan Configuration for DB2, then set these parameters:
a. Select the Check DB2 checkbox.
b. To automatically add the default DB2 ports, select the Add DB2 Server default ports checkbox.
c. In the Ports to scan field, specify the ports to be scanned on the DB2 servers.
d. To guess the DB2 instance names, select the Brute force DB2 Server names checkbox.
11. To scan for MySQL servers, expand Advanced Scan Configuration for Mysql, then set these parameters:
a. Select the Check MySQL checkbox.
b. To automatically add the default MySQL ports, select the Add Mysql default ports checkbox.
c. In the Ports to scan field, specify the ports to be scanned on the MySQL servers.
12. To scan for PostgreSQL servers, expand Advanced Scan Configuration for Postgresql, then set these parameters:
a. Select the Check Postgresql checkbox.
b. To automatically add the default Postgresql ports, select the Add Postgresql default ports checkbox.


c. In the Ports to scan field, specify the ports to be scanned on the Postgresql servers.
13. Click Save Network Scan.

Results

The scan is added to the network scans list.

View network scan results

The DBMS Network Scanner tab lists the configured network scans and their results.

Task
On the DBMSs page, click the DBMS Network Scanner tab.

The DBMS Network Scanner list displays the scan details.

Create a VA DBMS from scan results

You can view the details of a scan in the network scan list and create a VA DBMS for a database instance in the scan results.

Task
1. In the network scan list, click the Scan Results icon in the required row.

The Create VA DBMS From Scan Results is displayed, listing the detected database instances, including IP addresses, ports,
instance names, and database type.

2. Select the database instance for which you want to create a VA DBMS.
3. In the Username and Password fields, specify the user name and password used to connect the database.
4. Click Create VA DBMSs.

Results

The DBMS is added to the DBMSs list of the DBMS tab.

Rerun a network scan

You can rerun a scan to check for new databases that have not been added to the DBMSs list.

Task
1. On the DBMSs page, click the DBMS Network Scanner tab.
2. Click the Run icon in the required row.
3. When prompted for confirmation, click OK.

Results

The network scan starts and its status is shown in the network scan list.

Stop a network scan

Stop a network scan that is in progress.


Task
1. On the DBMSs page, click the DBMS Network Scanner tab.
2. Click the Stop icon in the required row.
3. When prompted for confirmation, click OK.
The status of the scan is updated to CANCELED.

Delete a network scan

If a scan is no longer required, you can remove it from the Network Scan Results list.

Task
1. On the DBMSs page, click the DBMS Network Scanner tab.
2. Click the Delete icon in the required row.
3. When prompted for confirmation, click OK.

Managing DBMS groups


Create a DBMS group

Create DBMS groups to easily assign rules to a group of DBMSs. Define multiple DBMS groups to suit your enterprise needs.

A DBMS group can comprise any number of DBMSs, and a specific DBMS can be a member of more than one DBMS group. Rules
that are applied to a DBMS group are applied to all group members.

Task
1. On the DBMSs page, click the DBMS Group tab.
2. Click New DB Group.
3. In the Properties of DBMS Group, enter the name of the DBMS group in the Name field.
4. Enter a brief informative description of the group in the Description field.
5. Select the DBMSs to include in the group from the All DBMSs list, then click the right arrow icon to move them to the Selected DBMSs list.

Note

To remove a DBMS from the Selected DBMSs list, select the DBMS, then click the left arrow icon.

6. Click Save.

View and edit a DBMS group

You can view and edit the properties of a DBMS group.


Task
1. On the DBMSs page, click the DBMS Group tab.
2. Click the Properties icon in the row for the required DBMS group.
3. In the Properties of DBMS Group, edit the DBMS group properties.
4. Click Close.

Delete a DBMS group

Delete a DBMS group that is no longer needed. Exercise caution when doing so.

Deleting a DBMS group does not delete the DBMSs that were included in the group. But, if you delete a DBMS group that is used
in a rule, the rule is automatically disabled for all members of that DBMS group. As a result, if the rule was applied only to that
DBMS group, the rule must be assigned to specific DBMSs or other DBMS groups in the rule definition for it to have any impact.

Task
1. On the DBMSs page, click the DBMS Group tab.
2. Click Remove DBMS Group icon in the required row.
3. When prompted for confirmation, click OK.

The DBMS group is removed from the DBMS Groups list.

Note

If the system detects specific problems related to the proposed deletion, an additional message describes the potential
consequences and prompts you to again confirm that you want to delete the DBMS group.


Roles and permissions


McAfee Database Security enables you to assign different levels of permissions to different administrators by assigning each
administrative user to a specific role. Each role comprises a specific set of permissions that are granted to those users assigned
to the role.

Predefined roles
McAfee Database Security is provided with a set of predefined roles. You can assign users to predefined roles or you can create
and assign new roles.

The available predefined roles are:

• Read_Only — Enables the user to view all screens and settings, but not to perform operations such as creating or editing
rules or resolving alerts.
• McAfee Database Security_Operator — Enables the user to perform operations in the system, but not to change the
security policy and related objects.
• Policy_Creator — Enables the user to create and edit rules and configure other system components, but the policy
creator is not authorized to view alerts.
• Read_Only Alerts_And_Dashboard — Provides the user with read-only access to the Dashboard and the Alerts list.

View and edit roles


View and edit the properties of a role from the Role Properties.

Task
1. On the Permissions page, select the Roles tab.
2. In the Roles list, click the Properties icon of the required role.
3. In the Role Properties, edit the detail as required, and click Save.

Create a new role


Depending on your organizational needs, create multiple roles, each of which comprises a unique set of permissions.

A role can also be based on the permissions set of another role, eliminating the need to define each permission set separately.
This enables you to conveniently create a specialized group of users with the combined permissions of one or more groups or
specific permissions.

Task
1. On the Permissions page, select the Roles tab, then click Create New Role.
2. In the Name field, enter a name for the role.
3. In the Description field, enter a brief description of the new role.


4. (Optional) To use an existing system of defined users, select the LDAP checkbox. The LDAP server must be configured first
on the System page. A drop-down list is displayed, listing all LDAP roles detected in the system. Select an LDAP role that
matches an existing security group in the Active Directory and configure the permissions this LDAP role should have in the
McAfee Database Security system.

To use more than one LDAP role, create separate roles for each LDAP security group.

Note

Allow 60 seconds between the first configuration of the LDAP server and the definition of the LDAP roles.

5. Select the required permissions for the new role from the All Permissions list, then click the right arrow icon to move them
to the Selected permissions list.

Note

To remove a permission from the Selected permissions list, select the permission, then click the left arrow icon.

6. To include the permission set of an existing role in the new role, select the role in the All roles list, then click the right arrow
icon to move it to the Selected roles list.

Note

To remove a role from the Selected roles list, select the role, then click the left arrow icon.

7. In the View Alert permissions by Rules area, select the rules for which the role is authorized to view alerts.
8. Click Save.

Edit the permissions of an existing role


Change the permission set that is defined for an existing role. The new settings are automatically applied to users assigned to the
edited role.

Task
1. On the Permissions page, select the Roles tab.
2. In the Roles tab, click the Properties icon in the required row.
The Role Properties displays the properties of the selected role.
3. Edit the role permissions as required by moving specific permissions or roles to and from the Selected permissions list and
Selected roles list, respectively, as required.
4. Click Save.


Remove a role
Remove a role that is no longer needed.

When a role is removed, users assigned to that role automatically lose the corresponding permissions set. But, if the user is
assigned with additional roles or specific permissions, those permissions are not affected.

Task
1. On the Permissions page, select the Roles tab.
2. Click the Remove Role icon in the required row.
3. When prompted for confirmation, click OK.

Results

The role is removed from the list.


Users
Users are assigned roles with specific permissions, which define the ways in which they can use the McAfee Database Security
system.

Access to the McAfee Database Security web console is restricted to authorized users (administrators).

Add a user
Add authorized users to the system and define the ways in which they are allowed to use the system.

You can assign more than one role to a user. In addition, you can assign specific permissions to a user.

Task
1. On the Permissions page, click the Users tab.
2. Click Create New User.
The User Properties page is displayed.
3. In the User Name field, enter a user name for the user.

The user name must be between 4 and 15 characters long.

4. In the First Name field, enter the first name of the user.

The first name must be between 1 and 30 characters long.

5. In the Last Name field, enter the surname of the user.

The last name must be between 1 and 30 characters long.

6. From the Status drop-down list, select the status (ACTIVE or INACTIVE) to assign to the user.
7. Enter the user password in the Password field, then enter again in the Confirm Password field.
8. To apply the system password policy on this user's password, select Enforce password policy.

Note

The password policy is configured on Password Policy tab of the Permissions page.

9. (Optional) To force the user to change the password when they log on for the first time, select Change password on next
login.
10. If one or more specific permissions are to be assigned to the user, select the required permissions from the All Permissions
list, then click the right arrow icon to move them to the Selected permissions list.


Note

To remove permissions from the Selected permissions list, select the permissions, then click the left arrow icon.

11. To assign the permission set of an existing role to the new user, select the required role from the All Roles list, then click
the right arrow icon to move the role to the Selected Roles list.

The permission sets of the selected roles are assigned to the user.

Note

To remove a role from the Selected Roles list, select the role, then click the left arrow icon.

12. In the Default Login Page drop-down list, select the required page.
13. In the View alert/result permissions by DBMSs, select the DBMS groups and DBMSs for which the user is authorized to
view alerts.
14. In the View alert permissions by Rules, select the rule for which the user is authorized to view alerts.
15. Click Save.

View and edit the user details


View the properties of a user from the User Properties page and edit the details if necessary.

Task
1. On the Permissions page, click the Users tab.
2. Click the Properties icon in the required row.
3. In the User Properties, edit the detail as required, and click Save.

Change user permissions


Change the permissions assigned for an existing user by changing the roles or specific permissions assigned to the user.

Task
1. On the Permissions page, select the Users tab.
2. Click the Properties icon in the required row.
The User Properties page is displayed.
3. In the User Properties, edit the user permissions as required by moving specific permissions or roles to and from the
Selected permissions list and Selected roles list, respectively.
4. Click Save.

Change user password


If the user has forgotten the password, you can change the password of an existing user.


Task
1. On the Permissions page, click the Users tab.
2. Click the Properties icon in the required row.
3. In the User Properties, click Change Password.
4. In the Change Password dialog box, enter a new password in the New Password field, and Confirm Password field.
The password must contain at least four characters.
5. (Optional) To force the user to change the password when they log on for the first time, select Change password on next
login.
6. Click OK.

Remove a user
Remove a user from the Users list, thereby revoking all user permissions.

A user that has been removed can no longer access the application or any of its functionalities.

Task
1. On the Permissions page, click the Users tab.
2. Click the Remove icon in the required row.
3. When prompted for confirmation, click OK.

Results

The user is removed from the list and is no longer authorized to access the application.

Export users
Export the list of McAfee Database Security users or administrators into an XML file.

Note

This option is intended for advanced McAfee Database Security users only. It is available only to authorized users.

Task
1. On the Permissions page, click the Users tab.
2. Click Export Users.
A Note dialog box is displayed with the information that Alert DBMS permissions and Alert Rule permissions are not
exported.
3. Click OK.

Results

The displayed users are exported to an XML file, which can be saved in the preferred location. The passwords in the exported
XML file are encrypted.


Import users
Import a previously defined list of users into the Users list.

Task
1. On the Permissions page, click the Users tab.
2. Click Import Users.
An Import Users dialog box is displayed.
3. Browse to the required .xml file, then click Import.

Note

A Duplicate Users and Roles dialog box is displayed if the roles exist in the system. Select the required roles to import.

Results

The users contained in the .xml file are added to the Users list.

Configure password policy


Configure the password requirements that apply to the user passwords.

The default password policy requires that a user password includes at least one uppercase letter, at least one lowercase letter,
and at least one digit or special character (printable ASCII non-alphanumeric character).

Note

The default password policy is defined in the server-custom.properties file.

Task
1. On the Permissions page, select the Password Policy tab.
2. To enforce the use of special characters in user passwords, select Yes in the Enforce special characters drop-down list.
3. From the Password minimum length drop-down list, select the minimum number of characters to be included in a
password.
4. To force users to change their passwords at regular intervals, from the Enforce password change every drop-down list,
select how often the users must change their passwords.

Note

Select Do Not Enforce, if a password change is not required at regular intervals.

5. From the New password minimum lifetime drop-down list, select the minimum time after which users are prompted to
change their passwords.

6. To prevent users from resetting their passwords to previously used passwords, select the time period from the Prevent
password repetition drop-down list.
7. To temporarily block repeated failed logon attempts from the same IP address, select Yes from the Prevent brute force
attack drop-down list.
8. To prevent username and password matches, select Yes from the Prevent user equals password drop-down list.
9. To lock out a user after multiple failed logon attempts, select the number of failed logons after which the user is locked
out of the system from the Lockout after failed logins drop-down list.
10. From the adjacent lock duration drop-down list, select the duration of the lockout period.
11. Click Save.
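The checks behind the Password Policy tab, as an added example that is not McAfee code: the default composition rule, the minimum length, special-character enforcement, the user-equals-password check, the repetition window and the lockout counter. Attribute names, the case-insensitive user-name comparison and the constructed timestamps are assumptions.

```python
import string

# Timestamps in this example are plain epoch seconds (constructed values).
DAY = 86_400
NOW = 1_705_046_400          # constructed reference time: 2024-01-12 08:00:00 UTC
# Printable ASCII non-alphanumeric characters: the page's definition of "special character".
SPECIAL_CHARS = frozenset(string.punctuation)


class PasswordPolicy:
    """Settings mirroring the Password Policy tab; attribute names are assumptions."""

    def __init__(self, enforce_special_characters=False, minimum_length=4,
                 prevent_user_equals_password=True, prevent_repetition_seconds=365 * DAY,
                 lockout_after_failed_logins=5, lockout_duration_seconds=30 * 60):
        self.enforce_special_characters = enforce_special_characters
        self.minimum_length = minimum_length
        self.prevent_user_equals_password = prevent_user_equals_password
        self.prevent_repetition_seconds = prevent_repetition_seconds   # 0 = Do Not Enforce
        self.lockout_after_failed_logins = lockout_after_failed_logins
        self.lockout_duration_seconds = lockout_duration_seconds


def check_new_password(policy, username, candidate, history, now=NOW):
    """Return the policy violations for a candidate password; an empty list means accepted.

    history: iterable of (old_password, set_at_epoch_seconds) pairs for this account.
    """
    violations = []
    if len(candidate) < policy.minimum_length:
        violations.append(f"shorter than {policy.minimum_length} characters")
    # Default composition rule from the page: one uppercase, one lowercase, one digit or special.
    if not any(c.isupper() for c in candidate):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        violations.append("no lowercase letter")
    if not any(c.isdigit() or c in SPECIAL_CHARS for c in candidate):
        violations.append("no digit or special character")
    if policy.enforce_special_characters and not any(c in SPECIAL_CHARS for c in candidate):
        violations.append("no special character")
    # Compared case-insensitively here (assumption; the page only says "matches").
    if policy.prevent_user_equals_password and candidate.lower() == username.lower():
        violations.append("password equals user name")
    if policy.prevent_repetition_seconds:
        cutoff = now - policy.prevent_repetition_seconds
        if any(old == candidate and set_at >= cutoff for old, set_at in history):
            violations.append("password reused within the repetition window")
    return violations


class LockoutTracker:
    """Counts failed logons per user and locks the account after the configured number."""

    def __init__(self, policy):
        self.policy = policy
        self._failures = {}       # user -> consecutive failed logons
        self._locked_until = {}   # user -> epoch seconds at which the lockout ends

    def is_locked(self, user, now=NOW):
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user, now=NOW):
        """Record a failed logon; return True when the account is (now) locked out."""
        if self.is_locked(user, now):
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.policy.lockout_after_failed_logins:
            self._locked_until[user] = now + self.policy.lockout_duration_seconds
            self._failures[user] = 0
            return True
        return False

    def record_success(self, user):
        """A successful logon clears the failure counter."""
        self._failures.pop(user, None)
```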

System
The System page provides several system functions, including interface configuration, custom rule groups, resolve types, and a
history of actions taken by users in the graphical user interface.

Configuring system interfaces


Configure the outgoing email account

The outgoing email settings defined in the Email tab determine the mailbox that is used by McAfee Database Security to send
notifications, alerts, and traps.

Task
1. On the System page, select the Interfaces tab.
2. Click Email and configure the email parameters.
3. Click Save.

Note

To send test mail to the configured mail address, click Test email.

Configure LDAP

Use LDAP to search existing Active Directory groups, making role and user setup easier.

Task
1. On the System page, click the Interfaces tab.
2. Click LDAP, and then select Use LDAP to enable the feature.
3. Configure the LDAP parameters.
4. Click Save.

Once you have finished configuring the LDAP settings, you can configure McAfee Database Security roles based on your
LDAP roles.

Configure multiple LDAP servers

Multiple-LDAP functionality enables you to configure additional LDAP servers and retrieve rule object values from other LDAP
servers.

Additional LDAP servers are configured in the custom properties file, with this structure and content:

multi.ldap.<N>.name=<LDAP server name>

multi.ldap.<N>.rootPath=<LDAP server root path>

multi.ldap.<N>.base=<LDAP server base>

multi.ldap.<N>.domain=<LDAP server domain name>

multi.ldap.<N>.username=<Username to connect to LDAP server>

multi.ldap.<N>.password=<Encrypted password>

multi.ldap.<N>.url=<LDAP server URL>

Where N is an integer in a running sequence.

After configuring the LDAP servers, the McAfee Database Security management server must be restarted.

The configured servers appear under System → Interfaces → LDAP.

When you configure the LDAP server credentials, the LDAP server password is encrypted using the migration tool. Run
migration_tool.bat (located in the bin directory), then follow the on-screen instructions.

Note

This configuration allows the additional LDAP servers to be used only as rule object data sources. You can log on to the
McAfee Database Security management servers with an AD user only through the primary configured LDAP server (the server
configured under System → Interfaces → LDAP).

Once additional LDAP servers are configured, rule object values can be populated using those servers. To reference a group in
an additional LDAP server, the fully qualified name of the group is required (groups from the primary LDAP server can still be
addressed using their short names).

Auto-complete is available for both the primary LDAP server and other configured servers.
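As an added example that is not McAfee code, this Python parses a server-custom.properties fragment into its multi.ldap.<N>.* server entries and reports gaps in the N sequence, missing keys and plaintext ldap:// URLs. The sample fragment is constructed, the ldap:// check is my addition (the page does not mention it), and the password values are placeholders for the migration-tool output.

```python
import re

# Keys the page lists for each multi.ldap.<N>.* server block.
REQUIRED_KEYS = ("name", "rootPath", "base", "domain", "username", "password", "url")

# Matches one property line: multi.ldap.<N>.<key>=<value>
_PROPERTY = re.compile(r"^multi\.ldap\.(\d+)\.(\w+)\s*=\s*(.*)$")

# Constructed sample of a server-custom.properties fragment (not a real deployment).
SAMPLE_PROPERTIES = """\
# additional LDAP servers (constructed example)
multi.ldap.1.name=Corporate AD
multi.ldap.1.rootPath=DC=corp,DC=example,DC=test
multi.ldap.1.base=OU=Users,DC=corp,DC=example,DC=test
multi.ldap.1.domain=corp.example.test
multi.ldap.1.username=svc-dbsec-ldap
multi.ldap.1.password=ENCRYPTED_PASSWORD_PLACEHOLDER
multi.ldap.1.url=ldaps://dc1.corp.example.test:636
multi.ldap.2.name=Lab AD
multi.ldap.2.rootPath=DC=lab,DC=example,DC=test
multi.ldap.2.base=DC=lab,DC=example,DC=test
multi.ldap.2.domain=lab.example.test
multi.ldap.2.username=svc-dbsec-ldap
multi.ldap.2.password=ENCRYPTED_PASSWORD_PLACEHOLDER
multi.ldap.2.url=ldap://dc1.lab.example.test:389
"""


def parse_multi_ldap(text):
    """Group multi.ldap.<N>.* lines by N. Returns {N: {key: value}}; other lines are ignored."""
    servers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # Java .properties comment lines
            continue
        match = _PROPERTY.match(line)
        if match:
            index, key, value = int(match.group(1)), match.group(2), match.group(3).strip()
            servers.setdefault(index, {})[key] = value
    return servers


def validate_multi_ldap(servers):
    """Return a list of problems: gaps in the N sequence, missing keys, plaintext ldap:// URLs."""
    problems = []
    indexes = sorted(servers)
    # The page requires a running sequence; the starting number is not fixed here.
    if indexes and indexes != list(range(indexes[0], indexes[-1] + 1)):
        problems.append(f"server indexes {indexes} are not a running sequence")
    for index in indexes:
        cfg = servers[index]
        for key in REQUIRED_KEYS:
            if not cfg.get(key):
                problems.append(f"multi.ldap.{index}.{key} is missing or empty")
        # Added check: an ldap:// bind sends the service account credentials in clear text.
        if cfg.get("url", "").lower().startswith("ldap://"):
            problems.append(f"multi.ldap.{index}.url uses unencrypted ldap://")
    return problems
```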

Configure SNMP

Configure McAfee Database Security to use SNMP for internal communication and to send traps to third-party applications.

Task
1. On the System page, click the Interfaces tab.
2. Click SNMP, and select Use SNMP to enable McAfee Database Security to use SNMP for internal communications.
3. Configure the SNMP parameters.
4. (Optional) Click View SNMP MIB file to view the .mib file in an external browser as a .txt file.
5. Select Use SNMP Trap and configure the SNMP trap parameters to send traps to a third-party application.
6. Click Save.

Configure the Syslog

Configure McAfee Database Security to use the syslog to monitor alerts.

Task
1. On the System page, click the Interfaces tab.
2. Click Syslog, then select Use Syslog.
3. Configure the Syslog parameters.
4. Click Save.

Configure a proprietary alert format

McAfee Database Security provides the CEF format by default. A proprietary alert format can be configured in the properties
file.

Task
1. On the server machine, go to <install dir>/conf.
2. Open the server-custom.properties file and modify it as required.
3. Save the file and restart the server.

Results

If the custom format is selected on the Syslog Configuration page, the respective file configuration is displayed.

Configure the Windows event log

Configure McAfee Database Security to use the Windows event log to monitor alerts.

Note

Windows event log is supported on Windows XP or later, and Windows Server 2003 or later.

Task
1. On the System page, click the Interfaces tab.
2. Click Windows Log and select Use Windows Event Log to enable monitoring alerts.
3. Configure the parameters in the Windows Event Log Configuration.
4. Click Save.

Configure log file settings

Configure McAfee Database Security to save log entries in a file.

Task
1. On the System page, click the Interfaces tab.
2. Click Log to File and select the option Log to File.
3. Configure the parameters in Log to File Configuration page.
4. Click Save.

Configure Insights

McAfee Database Security Insights provides users with the ability to collect and analyze large amounts of data, as well as
visualization capabilities and data-exploration interfaces.

To use Insights, you have to configure the McAfee Database Security server to export alerts and VA results to the server where
Insights is installed.

Task
1. On the System page, click the Interfaces tab.
2. Click Insights and select Use Insights.
3. In the Hostname/IP field, enter the IP address of the server where Insights is installed.
4. In the Port field, enter the port number of the server where Insights is installed.

Note

When Insights is used, a default user, sngimport, is created and the user name and password fields are automatically
populated. If you have manually changed the password on the Insights server, you must also set that password in the
Password field.

5. In the Transfer Interval field, enter how often to send the data (in milliseconds). The minimum value is 30,000 milliseconds
(30 seconds).
6. Select one or more of the following types to export:

• Export Alerts (McAfee Database Security events)
• Export VA Results (McAfee Database Security findings)
7. (Optional) Click Test to test the connection.
If the test is successful, an alert is generated.
8. Click Save.

Note

The Restore Default Values option resets the user name, password, and transfer interval for Insights.

Archiving alerts
Archive alerts automatically or manually to view them later and to reduce the overall size of the alerts list.

If an archive is encrypted, it must be decrypted before it is reloaded.

You can also unarchive the existing archives to view the alerts they contain, or remove alert archives that are no longer required.
Existing archives are listed in the Archives tab of the System page.

Configure automatic alert archiving

Configure McAfee Database Security to automatically archive alerts in a specific location and at preset intervals.

Task
1. On the System page, click the Archives tab.
2. Click Settings and in the Archive Folder Path field, set the location where the archived files are to be stored.

Note

By default, Auto archive by number of alerts is enabled and alerts are archived when the number of alerts exceeds
10,000 (by default, the 30,000 oldest alerts are archived).

3. To disable automatic archiving (not recommended), deselect the Auto Archive Enabled checkbox.
4. Select the Auto archive by time and schedule the archiving process as follows:

• To schedule archiving at hourly intervals, select by hours, then set the interval between each archive.
• To schedule daily archiving, select by day, then select the day of the week and time period for archiving to take
place.
• To schedule monthly archiving, select by month every, then set the number of months between each archive and
the time period.
• To run the archive process once, select Run Only Once. After it runs, the scheduler property is deleted.
5. Enter the age of alerts to be archived in the Archive Alerts older than fields, by setting the number and time unit (days,
weeks, months).
6. Select Enable Archive RuleAction to archive alerts directly instead of storing the alerts in the database.
7. From the Archive RuleAction Rolling Period drop-down list, select the rolling period as DAY or HOUR.
8. Click Save.

Manually archive alerts

Manually initiate the archiving process at any time.

Task
1. On the System page, click the Archives tab.
2. Enter the age of alerts to be archived in the Archive Alerts older than fields, by setting both the number and time unit
(days, weeks, months).
3. Click Archive Now.

Results

All alerts older than the set age are archived.

Reload an archive

Access alerts or VA results by running an unarchive process on the files.

Task
1. On the System page, click the Archives tab, then select Archive History.
2. In the Archives list, click Reload Archive in the required row.
The archived alerts are reloaded to the Alerts page.
3. To view the alerts for a specific archive, select the archive file from the Archives drop-down list, then click Apply.

Note

Follow the same procedure to reload a VA results archive.

Reload partial archives

Filter the alerts that are contained in an alerts archive and unarchive only the data that meets specific criteria.

Task
1. On the System page, click the Archives tab.
2. Click Archive History and expand the Archive Load Filter.
3. From the Archive Type drop-down list, select the type of archive.
4. From the Filter by drop-down list, select Execution Time, and then enter From and To information.
5. Click Add.
6. Set additional filter properties as required, then click Upload to load the data that meets the filter criteria.

Rearchive alerts

You can remove unarchived alerts from the Alerts page by rearchiving them.

Task
1. On the System page, click the Archives tab.
2. Click Archive History and in the archives list, click Unload Archive in the required row.

Results

The Archives drop-down list in the Alerts page no longer shows the respective archived alert.

Note

To rearchive the entire archive list, click Unload All Archives, located before the Archive list header.

Remove an alert archive

To conserve space, remove archives that are no longer relevant on the server.

Caution

The removal of an archive might not be permitted under company or legal regulations. Check your organization's security
policy before trying to remove an archive.

Task
1. On the System page, click the Archives tab.
2. Click Archive History and in the archives list, click the Remove Archive icon in the required row.
3. When prompted for confirmation, click OK.

Viewing clusters
The Cluster tab is used when the McAfee Database Security server is deployed in cluster mode. It displays view-only information
regarding the servers, including the sensors installed on each server. It is intended for the use of McAfee Database Activity
Monitoring users only.

For cluster configuration instructions, contact McAfee support.

Quarantining users
If a rule action is set to Terminate user session and the Quarantine user for option is selected, then a user can be placed
in quarantine for a predefined period. While in quarantine, the user cannot reconnect to the DBMSs for which the rule was
triggered.

Configure the quarantine parameters

Set the parameters according to which users are placed in quarantine.

Before you begin


First review your current alerts before deciding on the best way to identify a user in your network. The best option is when one
parameter is always unique in your network. For example, terminal is unique in some networks, but it is not used in others.

Task
1. On the System page, click the Quarantine tab.
2. Click Settings and select or deselect the checkboxes for the parameters that define when a user can be quarantined.

The system applies the operator "and" to the selected parameters.

For example, if you select User and IP address, when a rule is triggered, the system checks both the user name and the IP
address (for example, Scott and 192.168.7.7). The system denies any subsequent SQL statement that comes from 192.168.7.7
as the user Scott. Statements coming from 192.168.7.7 as the user Jerry are allowed.

3. Click Save.

Remove a user from quarantine

Remove a user from quarantine so that they can access the DBMS.

Task
1. On the System page, click the Quarantine tab.
2. In the Quarantine list, click Unquarantine in the required row.
3. Enter the reason for removing the user from quarantine, then click Unquarantine.

Results

The user is removed from both the quarantine and the Quarantine list, and is again able to access the DBMS.

Viewing action history


Set a time period for deleting actions history

Set the period of time after which actions are automatically deleted from the Actions History.

Task
1. On the System page, click the History tab.
2. In the Actions History list, select the Delete actions older than checkbox, and enter the number of days after which actions
have to be deleted.
3. Click Save.

View actions history details

View the details of an action in the Actions History list.

Task
1. On the System page, click the History tab.
2. In the Actions History list, click the Properties icon in the required row.
The Properties for action displays the action details.

Managing server logs


Configure the server logs

Determine the types of server logs created as well as the maximum size of the log file.

Before you begin


Perform these tasks only when instructed to do so by McAfee support.

Task
1. On the System page, click the Troubleshooting tab.
2. From the Log Level drop-down list, select the type of logs to be created.

By default, the log level is set to INFO.

3. In the Log file size field, set the maximum size of the log file.

By default, the file size is in MB.

4. Click Save.

Download the server logs

Download and view the server log files for troubleshooting purposes. You can also send these server log files to McAfee
support.

Task
1. On the System page, click the Troubleshooting tab.
2. Click Download Logs.

Results

The server logs are downloaded as a .zip file. The location where the file is saved depends on your default settings.

Configure automatic resolution of IP addresses

Configure the automatic resolution of IP addresses on the Troubleshooting tab.

Task
1. On the System page, click the Troubleshooting tab.
2. Select Resolve IP from Host for Alert and click Save.

Note

By default, this feature is selected. Disable it only in cases of severe network load.

System messages
View system message details

View the messages that the system generates in response to various conditions and events. You can view the properties of a
message on the Message Details page.

The Messages list displays messages such as a sensor that has stopped communicating with the server or a license that is
about to expire. Each message displays its level of severity.

You can also view the number of unread high severity messages under Severe Messages, which appears at the top of each page.

Task
1. On the System page, select the Messages tab.
2. In the Messages list, click the Properties icon in the required message row.
The Message Details page is displayed.
3. (Optional) To stop receiving this type of message, click the Click here to stop receiving link.

Mark system messages as read or unread

Mark the system messages as read or unread in the Messages list.

Unread messages appear in bold type; read messages appear in regular type.

Task
1. On the System page, click the Messages tab.
2. In the Messages list, click Mark all as Read or Mark all as Unread as required.

Delete a system message

Delete a system message that is no longer relevant.

Task
1. On the System page, click the Messages tab.
2. In the Messages list, click the Delete icon in the required row.
3. When prompted for confirmation, click OK.
The message is removed from the list.

Configure system messages

Configure the system to generate alerts for all system messages, when sensors are disconnected, when a specific number of
custom rule alerts is received, or when a specific number of vPatch alerts is received.

Task
1. On the System page, click the Messages tab.
2. Click Configuration and select the required options for the system to generate alerts for the system messages.

View back-end DBMS details


View basic information about the back-end database and schedule a specific day and time to back up the DBMS details.

The read-only DBMS details vary according to database type, such as, HSQLDB, Oracle, or MS SQL.

On the System page, click the Backend DBMS details tab to view the back-end DBMS details.

Schedule a backup for DBMS details


Schedule a backup for DBMS details at regular intervals according to your requirement.

Task
1. On the System page, click the Backend DBMS details tab.
2. To schedule a backup for DBMS details, select the Schedule enabled checkbox and configure one of these scheduling
intervals:

• To back up DBMS details on specific days, select by day, then select the days of the week and the time to start the
backup.
• To back up DBMS details monthly, select by month every, then select the number of months between backups and
the time to start the backup.
• To back up DBMS details on an advanced schedule, select advanced cron, then enter an expression in cron syntax.
• To back up DBMS details only once, select Run only once. The scheduler property is deleted after execution.
3. Click Run or Save.

Syslog fields directory


The syslog custom configuration can be edited in the <Database Security install dir>/conf/server-custom.properties file.

The following properties need to be copied into this file from the <install dir>/webapps/ROOT/WEB-INF/config/application/
server.properties file. You can view that file to see how the CEF and Sentinel formats are configured.

Note

Do not change the server.properties file. All changes should be made in the server-custom.properties file.

Verify that all changes comply with the CEF protocol:

• The header should have pipe (|) delimited fields


• The body should have space delimited 'key=value' format.

The custom-format properties, as shipped, are:

log.format.body.custom=externalId=$id$ rt=$executionTime.time$ cs1=$database.name:20$ cs1Label=DBMS dst=$agent.ip$ src=$sourceIP$ duser=$execUser:20$ suser=$osUser:20$ shost=$sourceHost:30$ dproc=$execProgram:20$ act=$cmdType:15$ cs2=$operation:225$ cs2Label=SqlStatement cs3=$accessedObjects.name:200$ cs3Label=AccessedObjects
log.format.header.custom=CEF:0|Sentrigo|Hedgehog|$serverVersion$|alert|$rules.name:150$|$importance$|
log.format.header.escaping.custom=\\|
log.format.header.seperator.custom=,
log.format.body.escaping.custom=\=
log.format.header.escape.char.custom=\\
log.format.body.escape.char.custom=\\
log.format.body.seperator.custom=|
log.format.empty.value.custom=
log.format.length.value.custom=255
log.format.convert.newline.custom=true

You can then change log.format.body.custom to fit your format. The format is flexible. Each keyword identified by $<keyword>$
is replaced with its value from the alert. It is also possible to specify a maximum length for the field.

For example: $agent.hostname:20$

If the length is not specified, the value of log.format.length.value.custom is used.

The following keywords can be used to define the format.

Keyword                  Description
$clientInfo$             Client info field from Oracle database (string, maximum: 100)
$executionTimeMillis$    Execution time in milliseconds (number, 64-bit)
$executionTimeStr$       Execution time in date format dd MMM yyyy HH:mm:ss (string, maximum: 32)
$severity$               Severity of the alert (High, Medium, Low) (string, maximum: 20)
$agent.hostname$         Host name of the sensor the alert was received from (string, maximum: 255)
$operation$              Statement executed (string, unlimited)
$osUser$                 OS user (string, maximum: 100)
$execUser$               Database user (string, maximum: 100)
$realExecUser$           Real database user (string, maximum: 100)
$serial$                 Oracle session serial (number, 64-bit)
$sid$                    Session ID (number, 64-bit)
$terminal$               Terminal (string, maximum: 100)
$execProgram$            Executing program (string, maximum: 100)
$sourceHost$             Source host (string, maximum: 255)
$sourceIP$               Source IP address (string, maximum: 16)
$databaseName$           Database name (string, maximum: 255)
$accessedObjects.name$   Pipe-delimited list of accessed objects (string, unlimited)
$clientId$               Oracle client identifier field (string, maximum: 64)
$cmdType$                SQL command type (string, maximum: 64)
$module$                 Oracle module field (string, maximum: 64)
$contextInfo$            Microsoft SQL context info field (string, maximum: 200)
$logonTime$              Session logon time (string, maximum: 32)
$inflowObjects.name$     Pipe-delimited list of inflow accessed objects (string, unlimited)
$inflowSQL.statement$    Inflow SQL statement (string, unlimited)
$enduserName$            End-user name (relevant for IDentifier only) (string, maximum: 64)
$enduserModule$          End-user module (relevant for IDentifier only) (string, maximum: 64)
$enduserAction$          End-user action (relevant for IDentifier only) (string, maximum: 64)
$enduserIP$              End-user IP address (relevant for IDentifier only) (string, maximum: 16)
$action$                 Oracle action field (string, maximum: 64)
$rules.name$             Rules that triggered the alert (string, unlimited)
$rules.ruleTags.name$    Tags used in the rules that triggered the alert (string, unlimited)
$rules.comment$          Rule comment field (string, unlimited)
$id$                     Alert ID (number, 64-bit)
$database.type$          Type of database; possible values ORACLE, MSSQL, MSSQL2000 (string, maximum: 32)
$database.version$       Version of the database (string, maximum: 255)
$agent.ip$               IP address of the monitoring agent (string, maximum: 32)

The server must be restarted after modifying the server-custom.properties file before the changed properties can take effect.
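As an added example that is not McAfee code, the following Python renders an alert with the custom header and body templates listed above, applying the $keyword:len$ truncation, the default length of 255, the empty-value replacement and the escaping and separator properties. How the separator and escaping properties are applied (the separator joins multi-valued keywords; each escaping character is prefixed with the escape character), that truncation happens before escaping and that newline conversion yields a space are my reading of the properties, not documented on the page; the alert values are constructed.

```python
import re

# Placeholder syntax from the page: $keyword$ or $keyword:maxlen$
_PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_.]+)(?::(\d+))?\$")

# The shipped custom-format properties, with Java .properties backslash escapes already
# resolved (so "\\|" on the page becomes the two characters backslash and pipe).
CUSTOM_FORMAT = {
    "log.format.header.custom":
        "CEF:0|Sentrigo|Hedgehog|$serverVersion$|alert|$rules.name:150$|$importance$|",
    "log.format.body.custom":
        "externalId=$id$ rt=$executionTime.time$ cs1=$database.name:20$ cs1Label=DBMS "
        "dst=$agent.ip$ src=$sourceIP$ duser=$execUser:20$ suser=$osUser:20$ "
        "shost=$sourceHost:30$ dproc=$execProgram:20$ act=$cmdType:15$ "
        "cs2=$operation:225$ cs2Label=SqlStatement "
        "cs3=$accessedObjects.name:200$ cs3Label=AccessedObjects",
    "log.format.header.escaping.custom": "\\|",   # characters escaped in header values
    "log.format.header.seperator.custom": ",",    # joins multi-valued header keywords
    "log.format.body.escaping.custom": "=",       # characters escaped in body values
    "log.format.header.escape.char.custom": "\\",
    "log.format.body.escape.char.custom": "\\",
    "log.format.body.seperator.custom": "|",      # joins multi-valued body keywords
    "log.format.empty.value.custom": "",          # used when the alert lacks a keyword
    "log.format.length.value.custom": "255",      # default maximum field length
    "log.format.convert.newline.custom": "true",
}

# Constructed alert; keys follow the keyword names used in the templates.
SAMPLE_ALERT = {
    "id": 1234,
    "executionTime.time": 1705046400000,
    "database.name": "PRODDB",
    "agent.ip": "10.0.0.5",
    "sourceIP": "192.168.7.7",
    "execUser": "SCOTT",
    "osUser": "scott",
    "sourceHost": "ws01.example.test",
    "execProgram": "sqlplus",
    "cmdType": "SELECT",
    "operation": "select * from hr.salaries where dept=10",
    "accessedObjects.name": ["HR.SALARIES", "HR.EMPLOYEES"],
    "serverVersion": "4.7.0",
    "rules.name": ["Sensitive table access", "After hours"],
    "importance": 8,
}


def _escape(value, chars, escape_char):
    """Prefix every character in `chars` with the escape character."""
    return "".join(escape_char + c if c in chars else c for c in value)


def _render(template, alert, cfg, part):
    """Substitute $keyword[:len]$ placeholders for one part ("header" or "body")."""
    escaping = set(cfg[f"log.format.{part}.escaping.custom"])
    escape_char = cfg[f"log.format.{part}.escape.char.custom"]
    separator = cfg[f"log.format.{part}.seperator.custom"]
    empty = cfg["log.format.empty.value.custom"]
    default_len = int(cfg["log.format.length.value.custom"])
    convert_newline = cfg["log.format.convert.newline.custom"].lower() == "true"

    def substitute(match):
        keyword, length = match.group(1), match.group(2)
        value = alert.get(keyword)
        if value is None or value == "" or value == []:
            value = empty
        elif isinstance(value, (list, tuple)):
            value = separator.join(str(v) for v in value)
        else:
            value = str(value)
        if convert_newline:                     # assumed: newlines become single spaces
            value = value.replace("\r\n", " ").replace("\n", " ")
        limit = int(length) if length else default_len
        value = value[:limit]                   # truncate before escaping (assumption)
        return _escape(value, escaping, escape_char)

    return _PLACEHOLDER.sub(substitute, template)


def format_alert(alert, cfg=CUSTOM_FORMAT):
    """Render one alert as a CEF line: the header followed directly by the body."""
    header = _render(cfg["log.format.header.custom"], alert, cfg, "header")
    body = _render(cfg["log.format.body.custom"], alert, cfg, "body")
    return header + body
```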

Checking for security updates


You can check for new vPatch security, VA security, and software updates on the Updates page. This page also displays the
history of previously installed updates.

Configure security update settings


Determine whether the rules or tests are automatically updated, and when the automatic security updates are to take place.

vPatch rules and VA tests are provided by McAfee Database Security to help monitor and prevent attacks against known
vulnerabilities and to scan databases for security issues, respectively.

Task
1. On the Update page, click the Update Settings tab.
2. To automatically check for all updates, select Check for available updates automatically.
3. Select the required auto-installation option as follows:

• To disable the automatic installation feature, select No auto-installation.
• To install updates in real time, select Real-time (auto-install when new updates are available).
• To install the updates on a specific day and time, select Schedule installation, then select the day of the week and
the time when the update is to begin.
• To install the updates once only, on a specific day and time, select Run Only Once. After this one-off installation
has occurred, Security Update Auto-Installation reverts to No auto-installation.

4. Click Save.

Manually check for updates and install vPatch security


Manually check for vPatch security updates and install it if necessary.

Task
1. On the Update page, click the vPatch Security Updates tab.

The currently installed version is indicated in the vPatch Security Updates tab.

2. Click Check for new vPatch updates.


The Security Update dialog box displays the list of available updates. If no updates are available, a message is displayed
accordingly.
3. Select the update, and then click Install.

Note

If you try to install an earlier version of vPatch security updates, your are prompted to confirm that you really want to
install it.

Manually check for updates and install VA security


Manually check for VA security updates and install it when needed.

Task
1. On the Update page, click the VA Security Updates tab.

The currently installed version is indicated in the VA Security Updates tab.

2. Click Check for new VA updates.

The VA Security Update dialog box displays the list of available updates. If no updates are available, a message is displayed
accordingly.

3. Select the update, and then click Install.

Note

If you try to install an earlier version of VA security, you are prompted to confirm that you really want to install it.

Manually check for updates and install server software


Manually check for server software updates and install it.

Task
1. On the Update page, click the Software Updates tab.
2. Click Check for new McAfee Database Security releases.

The Server Software Update dialog box displays the list of available updates.

Note

If no updates are available, a message is displayed accordingly.

3. Select the required update, then click Install.

Manually check for updates and install sensor software


Manually check for sensor updates and install it when needed.

Task
1. On the Update page, click the Software Updates tab.
2. Click Check for new sensor updates.
A list of available sensor updates is displayed for each platform.

Note

If no updates are available, a message is displayed accordingly.

3. Select the required update, then click Manual Install.

Install offline updates


Install security updates, sensor updates, and software updates from a file that you have downloaded or received from McAfee
support personnel.

Task
1. On the Update page, click the vPatch Security Updates, VA Security Updates, or Software Updates tab as required.
2. To install an update from a local file (offline installation), click For offline installation upload an update file.
3. Click Browse to locate and select the installation file with a file extension .SUP.
4. Click Upload.

View the update history


View the history of previously installed security updates, server updates, or sensor updates, including both automatic and
manual updates.

Task
1. On the Update page, click the Security Updates or Server Updates tab as required.
2. Click Updates History.

You can view the previously installed version details.

Generating reports
You can generate a wide range of reports using McAfee Database Activity Monitoring. By default, McAfee Database
Security reports are displayed in HTML format in an external browser window. Alternatively, you can generate reports
in .doc, .pdf, .rtf, .xml, or .xls formats.

You can generate System Reports and Dynamic Reports as you require.

Generating system reports


The system reports are available on the System Reports tab of the Reports page.

Different reports are available in the System Report tab and these can be generated in the available formats.

• Alerts Per DBMS
• Most Critical Alerts
• Alerts Per Rules
• Alerts Per Tags
• All Rules
• Custom Rules
• vPatch Rules
• Inactive Custom Rules
• Rules per DBMS
• Sensor Drill Down
• DBMS Drill Down
• Top critical alerts per single DBMS
• Top critical alerts per multiple DBMS
• History Actions
• Compliance

The following procedure explains how to generate the Alerts Per DBMS report:

Task
1. On the Reports page, click the System Reports tab.
2. For the required category of report, click the Run report icon in the Run column.
3. In the Alerts Per DBMS dialog box, set the report criteria:
a. Select the DBMS for which the report is to be generated.
b. Enter the From and To dates for the report.
c. (Optional) Enter a brief description or comment in the Comments field. This comment is displayed at the top of
the report.
4. (Optional) To generate the report as a PDF, select PDF view.

Note

By default, the report is generated in HTML format in an external browser window.

5. Click Run report.

Results

The report is generated and displayed.

Note

The procedure is similar for the other System Reports.

Working with dynamic reports


Create multiple dynamic reports for alerts, test results, or system objects. For each report, you define one or more filters that
determine which alerts, results, or objects are included in the dynamic report.

Dynamic reports can present data in summary or detailed formats. The dynamic report options are available in the Dynamic
Alert Reports, Dynamic VA Result Reports, and Dynamic System Reports tabs of the Report page.

Create a detailed dynamic report

Create dynamic reports for alerts or for test results. The dynamic report options are available in the Dynamic Alert Reports,
Dynamic VA Result Reports and Dynamic System Reports tab of the Report page.

You can create multiple dynamic reports to meet the needs of your organization. For each report, you can define one or more
filters that determine which alerts or results are included in the dynamic report.

Unless you choose the HTML format, you can configure the report to run automatically at scheduled intervals and send the
report as an email attachment.

The procedure for creating a detailed report is the same for Dynamic Alert Reports, Dynamic VA Result Reports, and Dynamic
System Reports.

The following procedure explains how to create a detailed Dynamic Alert Report:

Task
1. On the Reports page, in the Dynamic Alert Reports tab, click New Report.
2. In the Name field, enter a name for the dynamic report.

Tip

Provide the name that reflects the nature of the report.

3. In the Description field, enter a brief description of the dynamic report.


4. From the Report type drop-down list, select Detailed.
5. In the Filter by area, set the filters to be applied for the report:


• To define a filter, select the required criteria from the Filter by drop-down lists, then click Add. The filter is added to
the Selected Filter Fields table.

Note

In Dynamic System Reports, when you define a filter for Database Groups, you can enter multiple database group names
separated by commas only (no other separator).

• To remove a filter from the Selected Filter Fields table, click Remove in the corresponding row.
• To filter the report to include only data from the most recent scan, select Last Run Results (This option is available
for Dynamic VA Result Reports only).

6. From the Report Format drop-down list, select the format in which the report needs to be generated.
7. From the Group By (x axis) drop-down list, select the criterion, such as Level, DBMS, or Sensor, for grouping data in the
report.
8. Set the criteria for sorting data:

• To sort by a specific parameter in ascending order, select the parameter in the left column of the Sort by list, then
click the ascending arrow to move it to the right column.
• To sort by a specific parameter in descending order, select the parameter in the left column of the Sort by list, then
click the descending arrow to move it to the right column.
• To remove a parameter from the Sort by list, select the parameter, then click the left arrow to move it back to the left
column.
The data is sorted by the selected parameters in the order in which they appear in the right column of the Sort by list.
Select a parameter, then click the up or down arrow to reposition it in the Sort by list.

9. Set the fields to be displayed in the report:

• To include a field in the report, select the parameter in the Available Report Fields list, then click the right arrow to
move it to the Selected Report Fields list.
• To exclude a field from the report, select the parameter in the Selected Report Fields list, then click the left arrow to
move it back to the Available Report Fields list.

10. To run the report based on a schedule (available only for .xls and .pdf report formats), select Schedule Enabled and
configure these parameters:
a. Select the interval at which you want the report to run (by hour, by day, or by month) and set the relevant frequency.
b. In the Start Time field, set the time of day to run the report. This option is available when you select by day or by
month every.
c. (Optional) Select advanced cron to use an advanced schedule, and enter an expression in cron syntax.
d. (Optional) Select Run Only Once to run the report only once, at the scheduled time.
11. (Optional) Configure the report notification settings:
a. Enter an email address in the Send notification by email to field to send a notification when the report is ready.
b. Select Attach report to send the report as an attachment to that email message.
12. Click Save to save the report without running it or click Run to generate the report.


Create a summary dynamic report

A summary dynamic report displays key report data in a bar or pie chart, accompanied by a table with the corresponding data.
Summary reports can be generated in .html, .doc, .pdf, .rtf, or .xls format.

Unless you choose the HTML format, you can configure the report to run automatically at scheduled intervals and send the
report as an email attachment.

Note

Microsoft Excel format is available for detailed reports only.

The procedure for creating a summary report is the same for Dynamic Alert Reports and Dynamic VA Result Reports.

The following procedure explains how to create a summary Dynamic Alert Report:

Task
1. On the Reports page, in the Dynamic Alert Reports tab, click New Report.
2. In the Name field, enter a name for the dynamic report.

Tip

Provide the name that reflects the nature of the report.

3. In the Description field, enter a brief description of the dynamic report.


4. From the Report type drop-down list, select Summary.
5. In the Filter by area, set the filters to be applied for the report:

• To define a filter, select the required criteria from the Filter by drop-down lists, then click Add. The filter is added to
the Selected Filter Fields table.
• To remove a filter from the Selected Filter Fields table, click Remove in the corresponding row.
6. From the Report Format drop-down list, select the format in which the report needs to be generated.
7. From the Graph type drop-down list, select the type of graphic such as, Bar, Multi-Bar or Pie to display the data summary.

Note

A Multi-Bar graph stacks data based on two different variables. For example, you can create a Multi-Bar graph that
groups the data according to both DBMS and severity levels to view the distribution of alerts across the databases. If
Multi-Bar is selected, you must define the properties assigned to the two axes in Group (subtotal) by.

8. From the Group By (x axis) drop-down list, select the criterion, such as Level, DBMS, or Sensor, for grouping data in the
report.
9. To run the report based on a schedule (available only for .pdf, .doc, or .rtf report formats), select the Schedule Enabled
checkbox, then configure one of these schedules:


• To run the report at intervals, select by hour every, then select the interval between each report generation.
• To run the report on specific days, select by day, then select the days of the week and the time to run the report.
• To run the report on a monthly basis, select by month every, then select the number of months between each
report generation and the time to run the report.
• To use an advanced schedule, select advanced cron, and enter an expression in cron syntax.
• To run the report only once, at the scheduled time, select Run Only Once.
10. Configure the report notification settings as follows:

• To send a notification when the report is ready, enter the email address in the Send notification by email to field.
• To send the report as an attachment to an email message, enter the email address in the Send notification by email to
field, then select Attach report.

11. Click Save to save the report without running it, or click Run to generate the report.

View or edit the properties of a dynamic report

View or edit the properties of a dynamic report on the Dynamic Alert Reports tab, Dynamic VA Result Reports tab, or Dynamic
System Reports tab, according to the type of dynamic report (alerts, results, or system objects).

The procedure for viewing a dynamic report is the same for Dynamic Alert Reports, Dynamic VA Result Reports, and Dynamic
System Reports.

The following procedure explains how to view a Dynamic Alert Report.

Task
1. On the Reports page, in the Dynamic Alert Reports tab, click the properties icon in the required row.
2. Change the report properties as required.
3. Click Save.

Schedule a dynamic report

Schedule a dynamic report to run at a specific time.

Note

This report is available only in .xls and .pdf formats.

The procedure for scheduling a dynamic report is the same for Dynamic Alert Reports, Dynamic VA Result Reports, and Dynamic
System Reports.

The following procedure explains how to schedule a Dynamic Alert Report:


Task
1. On the Reports page, in the Dynamic Alert Reports tab, click the Properties icon in the row for the report. The properties
of the dynamic report are displayed in the tab.
2. To schedule the report generation at regular intervals, select the Schedule enabled checkbox and configure one of these
scheduling intervals:

• To run the report at intervals, select by hour every, then select the interval between each report generation.
• To run the report on specific days, select by day, then select the days of the week and the time to run the report.
• To run the report on a monthly basis, select by month every, then select the number of months between each
report generation and the time to run the report.
• To use an advanced schedule, select advanced cron, and enter an expression in cron syntax.
• To run the report only once, at the scheduled time, select Run Only Once.
3. Set the email address that receives the report output file. The email server must be configured on the System page first.
4. Click Save.

Results

The report definition is updated to include the new schedule settings.

The scheduled report output is saved on the McAfee Database Security server machine, in the directory set by the
server.reports.xls Directory property of <Server root>\webapps\ROOT\WEB-INF\config\reports\britConfig.properties. By default,
this is the <Server root>\webapps\ROOT\export\ folder.

Advanced scheduling is based on cron syntax. An expression has six mandatory fields and an optional seventh (year), in this
order:

Field name      Mandatory   Allowed values         Allowed special characters

Seconds         Yes         0-59                   , - * /
Minutes         Yes         0-59                   , - * /
Hours           Yes         0-23                   , - * /
Day of month    Yes         1-31                   , - * ? / L W
Month           Yes         1-12 or JAN-DEC        , - * /
Day of week     Yes         1-7 or SUN-SAT         , - * ? / L #
Year            No          empty, 1970-2099       , - * /

Examples of advanced scheduling:

Expression              Schedule

0 0 12 * * ?            Run at 12 p.m. (noon) every day
0 15 10 ? * *           Run at 10:15 a.m. every day
0 15 10 * * ?           Run at 10:15 a.m. every day
0 15 10 * * ? *         Run at 10:15 a.m. every day
0 15 10 * * ? 2005      Run at 10:15 a.m. every day in 2005
0 * 14 * * ?            Run every minute starting at 2 p.m. and ending at 2:59 p.m., every day
0 0/5 14 * * ?          Run every 5 minutes starting at 2 p.m. and ending at 2:55 p.m., every day
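A schedule typo is only discovered when the report silently never runs, so it is worth checking an expression against the field table before saving it. The validator below is an added example, not part of the McAfee product or guide: it applies the field order, value ranges and special characters from the table above, and it also enforces one rule the guide does not state but all of its examples follow, the Quartz convention that exactly one of 'day of month' and 'day of week' is '?' (that rule is an assumption of this script).

```python
"""Validate an advanced-scheduling cron expression before saving the report.

Added example, not part of the McAfee product: it checks an expression
against the field table above (6 mandatory fields plus an optional year,
with the value ranges and special characters listed there). One rule is
assumed rather than taken from the guide: the Quartz convention, which the
guide's own examples follow, that exactly one of 'day of month' and
'day of week' is '?'.
"""

MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]
DAYS = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"]   # 1-7, as in the table

# (name, lowest value, highest value, allowed special characters, symbolic names)
FIELDS = [
    ("seconds",      0,    59,   set(",-*/"),    None),
    ("minutes",      0,    59,   set(",-*/"),    None),
    ("hours",        0,    23,   set(",-*/"),    None),
    ("day of month", 1,    31,   set(",-*?/LW"), None),
    ("month",        1,    12,   set(",-*/"),    MONTHS),
    ("day of week",  1,    7,    set(",-*?/L#"), DAYS),
    ("year",         1970, 2099, set(",-*/"),    None),
]


def _value(token, low, high, names):
    """Numeric value of one token (number or symbolic name), or ValueError."""
    if names and token.upper() in names:
        return names.index(token.upper()) + low
    if not token.isdigit():
        raise ValueError(f"'{token}' is not a number")
    number = int(token)
    if not low <= number <= high:
        raise ValueError(f"{number} is outside {low}-{high}")
    return number


def _check_field(text, name, low, high, specials, names):
    """Validate one field; raise ValueError with the reason on failure."""
    for ch in text:
        if not (ch.isalnum() or ch in specials):
            raise ValueError(f"{name}: character '{ch}' is not allowed")
    if text in ("*", "?") or (text in ("L", "LW") and "L" in specials):
        return                                  # any value / no value / last day
    for part in text.split(","):
        if "/" in part:                         # start/step, e.g. 0/5
            part, step = part.split("/", 1)
            if not (step.isdigit() and int(step) > 0):
                raise ValueError(f"{name}: bad step '{step}'")
            if part == "*":
                continue
        if "#" in part:                         # nth weekday, e.g. 6#3 = third Friday
            day, nth = part.split("#", 1)
            _value(day, low, high, names)
            if not (nth.isdigit() and 1 <= int(nth) <= 5):
                raise ValueError(f"{name}: bad '#' ordinal '{nth}'")
        elif part[-1:] in ("W", "L") and part[-1] in specials:   # 15W, 6L
            _value(part[:-1], low, high, names)
        elif "-" in part:                       # range, e.g. MON-FRI
            lo, hi = part.split("-", 1)
            if _value(lo, low, high, names) > _value(hi, low, high, names):
                raise ValueError(f"{name}: range '{part}' is reversed")
        else:
            _value(part, low, high, names)


def validate_cron(expr):
    """Return (ok, message) for a 6- or 7-field Quartz-style expression."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return False, f"expected 6 or 7 fields, got {len(fields)}"
    try:
        for text, (name, low, high, specials, names) in zip(fields, FIELDS):
            _check_field(text, name, low, high, specials, names)
    except ValueError as err:
        return False, str(err)
    if (fields[3] == "?") == (fields[5] == "?"):          # assumed Quartz rule
        return False, "exactly one of 'day of month' and 'day of week' must be '?'"
    return True, "ok"


GUIDE_EXAMPLES = [  # the expressions from the examples table above
    "0 0 12 * * ?", "0 15 10 ? * *", "0 15 10 * * ?", "0 15 10 * * ? *",
    "0 15 10 * * ? 2005", "0 * 14 * * ?", "0 0/5 14 * * ?",
]

if __name__ == "__main__":
    for expr in GUIDE_EXAMPLES + ["0 15 10 * * *", "0 0 25 * * ?", "*/5 * * * *"]:
        print(f"{expr!r:24} -> {validate_cron(expr)}")
```

Note that a five-field Unix crontab line such as `*/5 * * * *` is rejected: the scheduler here expects a seconds field first, which is the most common mistake when copying an expression from a Linux crontab.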

Run a dynamic report

Manually run a dynamic report rather than waiting for the scheduled report to initiate.

The procedure for running a report is the same for Dynamic Alert Reports, Dynamic VA Result Reports, and Dynamic System Reports.

The following procedure explains how to run a Dynamic Alert Report:

Task
1. On the Reports page, click the Dynamic Alert Reports tab.
2. In the Reports List, click the Run icon in the required report.

Results

You can view the generated report (.pdf, .rtf, .doc, or .xls) in the defined location. The HTML report is viewed in the browser.


Delete a dynamic report

Delete a dynamic report that is no longer needed.

The procedure for deleting a report is the same for Dynamic Alert Reports, Dynamic VA Result Reports, and Dynamic System
Reports.

The following procedure explains how to delete a Dynamic Alert Report:

Task
1. On the Reports page, click the Dynamic Alert Reports tab.
2. In the Reports List, click the Remove report icon in the required row.
3. When prompted for confirmation, click OK.

Set the logo for the reports


Display the default logo on reports, or configure the system to display a custom logo.

We recommend saving the logo as a .gif or .jpg file of 700x200 pixels.

Task
1. On the Reports page, click the Settings tab.
2. Select one of these options:

• Use Default Logo — The logo that appears in the user interface is displayed in the reports.
• Use Custom Logo — A different logo is displayed in the reports. If you select this option, select the graphic file with
the logo.

3. Click Save.

Note

The Settings tab also provides an option to delete older reports.


External databases and McAfee Database Security server

Migrating the internal database to an external database

The McAfee Database Security server comes bundled with an in-process back-end database that is intended for product
evaluations and moderate alert volumes. For production deployments, the internal database should be replaced with a commercial
database. The back-end migration tool migrates the internal database to the external database.

An external database may be used if:

• A large volume of alerts is expected (more than 100,000 alerts between archive events).
• Backups of the back-end database are required.

McAfee Database Security supports the following external databases:

• Oracle versions 10g and later.
• MS SQL 2005 (Service Pack 2) and later.

The migration is driven by a single command-line tool. The back-end migration tool migrates the internal database to the
external database and supports these options:

• Migrating the internal database to the external database. If at any stage you revert to the internal database, the data
stored in the external database is no longer accessible to the McAfee Database Security server.
• Changing the password used to authenticate the server to the database.

The migration procedure varies with the database type (Oracle or MSSQL). When migrating to an external database, any
existing data is automatically moved from the internal database to the external database when it is created.

Migrate to an MSSQL database

Migrate the internal database to MSSQL database using the migration tool. Configure the MSSQL database user before using
the migration tool to migrate. A user name and password are required to complete the process. The user must have sufficient
permissions to create a database.

Before you begin


• Make sure that you have administrator rights to run the migration tool.
• The McAfee Database Security server must be stopped before you try to set up the external database.
• We recommend copying the file server-custom.properties in the <installation directory>/conf folder and saving it under
another name, for example, mcafee-custom.properties.1, so that you can restore the previous configuration.

If you do not want to grant create database permissions to the database user to access the McAfee Database Security server
database, you can migrate the database manually.


Task
1. (Optional, to avoid granting create database permission) Manually create the databases SNTRSRV and SNTRSRV_BACKUP
using a user that has create database permission.
2. If you created the databases manually, the database user you give to the migration tool needs only these roles on the
SNTRSRV and SNTRSRV_BACKUP databases:

• db_datareader
• db_datawriter
• db_ddladmin
3. Start the migration tool in one of these ways:

• On a Windows system, open a command prompt (cmd), then go to the bin directory under the root install directory,
for example, C:\Program Files\Mcafee\McAfee Database Security\bin. Then run migration_tool.bat.
• On a Linux system, run: /etc/init.d/mfe-dbs-server db-migrate

4. When prompted to select an action, type migrate.
5. When prompted to select the database type, type mssql.
6. Type in the MSSQL username and password that you defined.
7. Type in the IP address of the host server where the database is located.

Note

If the external database is on the local host, use the external IP address or host name of the server. Do not use
localhost or 127.0.0.1.

8. When prompted to enter the MSSQL Listening Port, type in the number of the MSSQL port of the database host used for
listening, for example, 1433. Verify that TCP/IP communication is enabled for that IP address and port.

Results

After the process is completed, a message is displayed indicating the duration of the process and whether the process
completed successfully.

When the process completes successfully, the server-custom.properties file is modified to contain properties that enable McAfee
Database Security to connect to the external database.

Note

If the process fails, examine and verify that the properties listed on the screen are correct. For further assistance, contact
McAfee support with the process output.

Migrate to an Oracle database

Migrate the internal database to an Oracle database using the migration tool. Define two new Oracle database users before
using the migration tool. The resulting user names and passwords are required to complete the process. Both users must have
the resource and connect roles. Only the first user is used by the McAfee Database Security server; the second user is used for
backup during upgrade scenarios.

Before you begin


• Make sure that you have administrator rights to run the migration tool.
• The McAfee Database Security server must be stopped before you try to set up the external database.
Task
1. Start the migration tool in one of these ways:

• On a Windows system, open a command prompt, then go to the bin directory under the root install directory, for
example, C:\Program Files\Mcafee\McAfee Database Security\bin. Then run migration_tool.bat.
• On a Linux system, run: /etc/init.d/mfe-dbs-server db-migrate

2. When prompted to select an action, type migrate.
3. When prompted to select the database type, type oracle.
4. Type the user name and password for the first Oracle user.
5. Type the user name and password for the second Oracle user.
6. Type the IP address or host name of the server where the database is located.
7. Type the number of the Oracle listening port, for example, 1521.
8. Type the database instance SID.

Results

After the process is completed, a message is displayed indicating the duration of the process and whether the process is
completed successfully.

When the process completes successfully, the server-custom.properties file is changed to contain properties for enabling McAfee
Database Security to connect to the external database.

The server-custom.properties file is located in the following location:

<installation directory>/conf

Note

If the process fails, examine and verify that the properties listed on the screen are correct. For further assistance, contact
McAfee support with the process output.

Change the configured password for the external database

Database user passwords are typically rotated periodically. When the password of the external database user changes, the
McAfee Database Security server can no longer connect to the external database until its configured password is updated. The
back-end migration tool provides a way to change the configured password. This process is also useful for checking
connectivity to the external database.

Before you begin


• Make sure that you have administrator rights to run the migration tool.
• The McAfee Database Security server must be stopped before you try to set up the external database.


The McAfee Database Security back-end migration tool's validation option is intended to create an encrypted password for
accessing the external database. The resulting encrypted value is displayed on the standard output. This value can then be
copied into the McAfee Database Security server, server-custom.properties file, to change the authentication password to
connect to the external database.

Note

The process for validating connectivity depends on the target platform where the server is installed.

The following task lists the commands for both Windows and Linux platforms.

Task
1. Start the migration tool in one of these ways:

• On a Windows system, open a command prompt, then go to the bin directory under the root install directory, for
example, C:\Program Files\Mcafee\McAfee Database Security\bin. Then run migration_tool.bat.
• On a Linux system, run: /etc/init.d/mfe-dbs-server db-migrate

2. When prompted to select an action, type validate. This loads the properties specified in the file server-custom.properties.
3. Type the user name and password. If validating an Oracle database, type in the second user name and password when
prompted.
4. Type the database driver class, or press Enter to accept the default.

For example, com.microsoft.sqlserver.jdbc.SQLServerDriver

5. Type the URL or press enter to accept the default.

After the validation process completes, a message is displayed indicating whether the properties are correct and listing a
summary of the properties.

When prompted, indicate if you want to save the connection properties to the configuration file.

6. If you choose not to save the new configuration, you can do so later by editing the server-custom.properties file located in
the following location:

<McAfee Database Security Server install dir>/conf

• If you are working with an Oracle database, copy the last two lines of the summary and replace the corresponding
lines in the server-custom.properties file. The properties are database.password and database.backup.password.
• If you are working with an MSSQL database, copy the last line of the summary and replace the corresponding line in
the server-custom.properties file. The property is database.password.

Note

The exact order of the properties in the server-custom.properties file can vary.


Create your own database (advanced configuration)

If you need restrictive permissions for the external database user and want to create the database before running the migration
tool, use the advanced configuration option.

This section describes the guidelines for independently creating an external MSSQL database.

If you choose to create the databases yourself, these conditions must be met:

• Create two databases, named SNTRSRV and SNTRSRV_BACKUP.
• On each database, enable the READ_COMMITTED_SNAPSHOT option (read committed snapshot isolation) by running these
commands:
ALTER DATABASE SNTRSRV SET READ_COMMITTED_SNAPSHOT ON
ALTER DATABASE SNTRSRV_BACKUP SET READ_COMMITTED_SNAPSHOT ON

• Both databases must be owned by the user created for the McAfee Database Security server, for example, DBSS.
• That user must be db_owner of both databases, which gives it all permissions within them; because the databases already
exist, the login needs no server-level permission such as CREATE DATABASE.

Working with the McAfee Database Security server in cluster mode


McAfee Database Security supports running the McAfee Database Security server in clusters to provide high availability and
performance.

Configure your McAfee Database Security servers to work in cluster mode

Configuring the McAfee Database Security servers to work in cluster mode improves system availability and performance.
Cluster mode is configured in the server-cluster.xml file for each server in the cluster.

Task
1. Install McAfee Database Security server and configure one of the McAfee Database Security servers to work with an
external database.
2. Install McAfee Database Security server on the other systems in the cluster computers.
3. Stop all McAfee Database Security servers.
4. Rename the file server-cluster-example.xml to server-cluster.xml located in the following location:

<McAfee Database Security Server install dir>\conf

5. Edit the file so it contains information about all servers you intend to use in the cluster in this format:

<!--
This is an example server-cluster.xml file. It is used for configuring the server cluster. Each server
element's host and port should match that server's configuration. The id field must be in the
range 0 to 999. Each server must have a unique id, and the id must not be changed once assigned
to a server.
In non-cluster mode the server uses id 0. Thus, if migrating to cluster mode (for example, you have a
server running and you wish to move to a cluster configuration), the migrated server should receive id
0.
-->
<servers>
<server>
<!--
either ip or host name
-->
<host>cluster1.sample.com</host>
<!--
https listen port of the server
-->
<port>8443</port>
<id>0</id>
</server>
<server>
<host>cluster2.sample.com</host>
<port>8443</port>
<id>1</id>
</server>
<server>
<host>192.168.1.101</host>
<port>8443</port>
<id>2</id>
</server>
</servers>

Each server XML element should contain these fields:

• host — The host name or the IP address of the McAfee Database Security server.
• port — The HTTPS port of the McAfee Database Security server.
• id — A unique ID for each server, in the range 0-999. The McAfee Database Security server that has been migrated
to work with an external database must be assigned ID 0.

The ID must not be changed once it has been assigned to a server.

6. Copy the file server-cluster.xml from <McAfee Database Security Server install dir>\conf to all the servers in the
cluster.
7. On the server working with an external database, edit your server-custom.properties file located in <McAfee Database
Security Server install dir>\conf directory. You can add to it these optional parameters:

• server.server.address — If the server has different internal and external IP addresses, configure here the internal IP
address (as the server sees itself). For example, server.server.address=192.168.150.111
• server.cluster.ip.whitelist — A list of IP addresses, separated by semicolons, which are the only ones allowed to connect
to the cluster. For example, server.cluster.ip.whitelist=127.0.0.1;192.168.150.23
• server.cluster.secret — A shared secret for all the computers in the cluster. Each server accepts connect requests only
from other servers in the cluster that present the same secret. If not specified, a default internal secret is used; set an
explicit secret, together with the whitelist, so that only your own servers can join the cluster. For example,
server.cluster.secret=mysecret
• server.cluster.keystore — An alternative keystore location, if you want to use a location other than the one
in the server.xml file located in the <McAfee Database Security Server install dir>\conf directory. For example,
server.cluster.keystore=C:\Program Files\McAfee\server\httpsKeystore\.keystore
• server.cluster.keystore.type — The type of the alternative keystore. For example,
server.cluster.keystore.type=JKS


• server.cluster.keepalive — The time in milliseconds after which the server assumes another cluster computer
is down, if it does not receive a connection request from it. The default value is 60000. For example,
server.cluster.keepalive=100000

8. Copy the server-custom.properties file to all servers in the cluster.


9. Restart all cluster servers.

The cluster configuration details can be viewed on the Cluster tab of the System page.

Troubleshooting for cluster environment

If you encounter problems in a cluster, you must troubleshoot the cluster mode configuration.

If your cluster environment is not responding, verify that:

• All server-custom.properties files on the cluster computers are identical.


• All server-cluster.xml files on the cluster computers are identical.
• All cluster servers' HTTPS ports are accessible from all other cluster computers (with the host name/IP and port as they
appear in the server-cluster.xml file).
• The external DB host and port (as configured in the server-custom.properties file) are accessible from all other cluster
computers.
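Most cluster problems come from a node whose files drifted from the others, or from a server-cluster.xml that breaks the id rules given in the configuration procedure above. The script below is an added example, not a McAfee tool: it applies those rules (integer id in 0-999, unique ids, exactly one server with id 0, a host and a valid HTTPS port per server), checks the server.cluster.* properties described above (semicolon-separated IP whitelist, positive keepalive, an explicit secret instead of the built-in default), and then compares the copies of a file collected from each node, which is the first troubleshooting step listed. The two sample files are constructed for the demo; only the property names and XML elements come from the guide.

```python
"""Pre-flight check for a McAfee Database Security cluster configuration.

Added example, not shipped with the product. It applies the rules the guide
states for server-cluster.xml and the optional server.cluster.* properties in
server-custom.properties, then confirms that the copies on every node are
identical. The sample files below are constructed for the demo.
"""
import hashlib
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CLUSTER_XML = """<servers>
  <server><host>cluster1.sample.com</host><port>8443</port><id>0</id></server>
  <server><host>cluster2.sample.com</host><port>8443</port><id>1</id></server>
  <server><host>192.168.1.101</host><port>8443</port><id>2</id></server>
</servers>"""

SAMPLE_PROPERTIES = """# constructed sample of server-custom.properties
server.cluster.ip.whitelist=127.0.0.1;192.168.150.23;192.168.1.101
server.cluster.secret=change-me-before-production
server.cluster.keepalive=100000
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_cluster_xml(xml_text):
    """Return a list of problems found in server-cluster.xml (empty list = ok)."""
    problems, ids = [], []
    root = ET.fromstring(xml_text)
    for index, server in enumerate(root.findall("server"), 1):
        host = (server.findtext("host") or "").strip()
        port = (server.findtext("port") or "").strip()
        sid = (server.findtext("id") or "").strip()
        if not host:
            problems.append(f"server {index}: missing <host>")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"server {index}: <port> '{port}' is not a valid TCP port")
        if not (sid.isdigit() and 0 <= int(sid) <= 999):
            problems.append(f"server {index}: <id> '{sid}' must be an integer 0-999")
        else:
            ids.append(int(sid))
    if len(ids) != len(set(ids)):
        problems.append("server ids are not unique")
    if ids.count(0) != 1:
        problems.append("exactly one server (the one migrated to the external database) must have id 0")
    return problems


def check_cluster_properties(props):
    """Return a list of problems with the server.cluster.* properties."""
    problems = []
    whitelist = props.get("server.cluster.ip.whitelist", "")
    for entry in filter(None, whitelist.split(";")):      # guide: separated by semicolons
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"whitelist entry '{entry}' is not an IP address (use ';' as separator)")
    keepalive = props.get("server.cluster.keepalive", "60000")   # guide: default 60000 ms
    if not (keepalive.isdigit() and int(keepalive) > 0):
        problems.append(f"server.cluster.keepalive '{keepalive}' must be a positive number of milliseconds")
    if "server.cluster.secret" not in props:
        problems.append("server.cluster.secret not set: nodes will use the built-in default secret")
    return problems


def check_copies_identical(copies):
    """copies: {node_name: file_text}. Return the nodes whose copy differs from the first one."""
    digests = {node: hashlib.sha256(text.encode()).hexdigest() for node, text in copies.items()}
    reference = next(iter(digests.values()))
    return sorted(node for node, digest in digests.items() if digest != reference)


if __name__ == "__main__":
    print("server-cluster.xml      :", check_cluster_xml(SAMPLE_CLUSTER_XML) or "ok")
    print("server-custom.properties:", check_cluster_properties(parse_properties(SAMPLE_PROPERTIES)) or "ok")
    copies = {"cluster1": SAMPLE_PROPERTIES, "cluster2": SAMPLE_PROPERTIES,
              "cluster3": SAMPLE_PROPERTIES.replace("100000", "60000")}
    print("nodes with a different server-custom.properties:", check_copies_identical(copies))
```

In practice you would read the real files from <McAfee Database Security Server install dir>\conf on each node and pass their contents to check_copies_identical; the hash comparison catches a single edited value (here, a keepalive changed on one node) that a visual check easily misses.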

If you are still unable to work with your server in the cluster mode configured, contact McAfee support .

Backup and recovery


The McAfee Database Security server stores the configuration of the system, including policy profiles of each sensor, DBMS
information and more. Also, the server stores alerts and test result data.

Only the server needs to be backed up; sensors store no data, so they need not be backed up or restored.

A complete backup of the server is performed in three stages. The recovery process uses the backup files to restore the system.

Note

In addition, we recommend keeping the installation files of the latest installed server version where you can easily find them
in case you need to reinstall the application.

Back up the server configuration files

The server stores its configuration files in the conf directory.

On Windows, the conf directory is:

<Root install dir>\conf


For example, C:\Program Files\mcafee\mcafee database security\conf\

The configurations stored in these files include listening ports, cluster configuration, external database configuration, and
customer-specific custom configurations. Changes in the configuration files are made manually. We recommend backing up all
configuration files each time a configuration change is made.

The server also stores a unique server identifier in the file unique.txt, which on Windows is located at:

<Root install dir>\webapps\ROOT\WEB-INF\config\application

This file is generated when the server runs for the first time.

Back up the server back-end databases

The server uses a back-end database to store system configurations, including policy profiles for each sensor and alerts.

The server supports two types of back-end database:

Database                                       Definition

Internal back-end database (evaluation only)   The server comes bundled with an in-process back-end database. The
                                               database is only supported in product evaluations and must store a
                                               maximum of 100,000 alerts between archive events.

External back-end database                     The server can work with Oracle or MSSQL external databases. An
                                               external database is required when the server is used in production,
                                               because it is designed to handle a large volume of alerts. An external
                                               database also lets you manage the database with standard DBMS tools.

Back up the internal database


The internal in-process database is file-based and stores its data in a set of files.

On Windows platforms, all data files reside in the hsqldb_data directory at:

<Root install dir>\webapps\ROOT\WEB-INF\hsqldb_data

To back up the internal database, all files in the specified hsqldb_data directory must be copied.

Back up the external database


When running the server with an external database (Oracle or MSSQL), use your regular DBMS tools to perform backups.


Back up the schema according to the database type.

Database type   Definition

Oracle          Back up the full schema of the users that the server uses to connect to Oracle.

MSSQL           Back up the SNTRSRV database.

Back up archive files

Configure McAfee Database Security to automatically archive alerts in a specific location and at preset intervals.

The archive storage directory is configured in the web console on the System → Archives → Settings page.

The default archive location directory on Windows platforms is at:

<Root install dir>\webapps\ROOT\WEB-INF\archive

Archive files must be backed up according to company policy.

Note

Archiving to an external shared storage mount point can be configured through a Windows UNC path, enabling you to use
the same backup procedure as for the external storage.
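The three backup stages above (configuration files plus unique.txt, the back-end database, the archive files) are easy to forget individually, so it helps to script them as one set with an integrity record. The script below is an added example, not a McAfee tool: it copies the four locations the guide names into a timestamped backup folder, writes a SHA-256 manifest, and can re-verify the backup before you rely on it for a recovery. It covers the internal hsqldb_data database only; with an external Oracle or MSSQL back end, back up that database with the DBMS's own tools as described above. Stopping the server first so that the hsqldb files are consistent is this script's assumption, not a statement from the guide. The demo install tree, file names and contents are constructed in a temporary directory and are not real product files.

```python
"""Back up the server locations the guide lists and verify the copy.

Added example, not a McAfee tool. Covers the conf directory, unique.txt, the
internal hsqldb_data database and the archive directory. Assumes the server
is stopped while it runs. The demo tree below is constructed, not real data.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Locations relative to <Root install dir>, as listed in the guide (Windows layout).
BACKUP_ITEMS = {
    "conf": Path("conf"),
    "unique.txt": Path("webapps/ROOT/WEB-INF/config/application/unique.txt"),
    "hsqldb_data": Path("webapps/ROOT/WEB-INF/hsqldb_data"),
    "archive": Path("webapps/ROOT/WEB-INF/archive"),   # default; may be moved to a UNC path
}


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_server(root, dest_base, archive_dir=None):
    """Copy every backup item into dest_base/<timestamp>/ and return that path."""
    root = Path(root)
    dest = Path(dest_base) / datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    dest.mkdir(parents=True)
    manifest = {}
    for name, rel in BACKUP_ITEMS.items():
        # The archive directory can be relocated in the console; allow an override.
        src = Path(archive_dir) if (name == "archive" and archive_dir) else root / rel
        if not src.exists():
            manifest[name] = None          # recorded so a restore knows it was absent
            continue
        target = dest / name
        if src.is_dir():
            shutil.copytree(src, target)
            files = [p for p in target.rglob("*") if p.is_file()]
        else:
            shutil.copy2(src, target)
            files = [target]
        manifest[name] = {p.relative_to(dest).as_posix(): _sha256(p) for p in files}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest


def verify_backup(backup_dir):
    """Re-hash every file named in the manifest; return the paths that differ or are missing."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    bad = []
    for item in filter(None, manifest.values()):
        for rel, digest in item.items():
            path = backup_dir / rel
            if not path.is_file() or _sha256(path) != digest:
                bad.append(rel)
    return sorted(bad)


def make_demo_install(root):
    """Constructed stand-in for an install directory; file names and contents are dummies."""
    root = Path(root)
    (root / "conf").mkdir(parents=True)
    (root / "conf" / "server-custom.properties").write_text("server.cluster.keepalive=60000\n")
    (root / "conf" / "server-cluster.xml").write_text("<servers/>\n")
    unique = root / BACKUP_ITEMS["unique.txt"]
    unique.parent.mkdir(parents=True)
    unique.write_text("demo-server-id\n")
    (root / BACKUP_ITEMS["hsqldb_data"]).mkdir(parents=True)
    (root / BACKUP_ITEMS["hsqldb_data"] / "demo.script").write_text("-- demo hsqldb data\n")
    (root / BACKUP_ITEMS["archive"]).mkdir(parents=True)
    (root / BACKUP_ITEMS["archive"] / "alerts-demo.zip").write_bytes(b"PK\x05\x06" + bytes(18))
    return root


def demo_roundtrip():
    """Build the demo tree, back it up, verify, tamper with one file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_demo_install(Path(tmp) / "install")
        backup = backup_server(root, Path(tmp) / "backups")
        clean = verify_backup(backup)
        (backup / "hsqldb_data" / "demo.script").write_text("tampered\n")
        return clean, verify_backup(backup), sorted(p.name for p in backup.iterdir())


if __name__ == "__main__":
    clean, tampered, entries = demo_roundtrip()
    print("backup entries:", entries)
    print("mismatches before tampering:", clean)
    print("mismatches after tampering :", tampered)
```

Keep the manifest with the backup set: at recovery time, run verify_backup on the copy you are about to restore, and restore only a set that reports no mismatches.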

Recover the system

In the event of a system failure or disaster (such as disk failure), use the backed up files to restore the system.

Task
1. Resolve the issue that caused system failure, for example, replace a failed disk.
2. Reinstall the server.

Note

We recommend installing the same version as previously installed. If you need an installation file, contact McAfee
support.

3. Restore the configuration files.


4. Restore these back-end databases:

• Internal database — Restore the latest backup files to the hsqldb_data directory.


• External database (Oracle or MSSQL) — Use your regular DBMS tools to perform the database restore.


5. Restore the archive files.

18| XML API

XML API
The XML API enables you to query the DAM server for data through an XML interface.

Note

Some parameters were added in the latest product version. To ensure that all parameters are supported, upgrade your product to
the latest version. For more information about the XML API, see McAfee Knowledge Base article KB72411.

Configure the XML API


Configure the XML API on the System page to query the DAM server.

Task
1. On the System page, click the Interfaces tab, and select XML API.
2. Select XML API enabled.
3. Click Save.

Results

The XML API is enabled.

Create a dedicated user


To use the XML API, you must provide the logon credentials of a user that has been granted the Use XML API permission. McAfee
recommends creating a dedicated user for this purpose.

Task
1. On the Permissions page, select Users, then Create New User to add a user.
2. Assign the new user Xml api permissions only.
The Xml api and the related sub-permissions are added to the Selected permissions list.

The administrator can assign selected sub-permissions, rather than all Xml api permissions.

Results

The XML API uses a Representational State Transfer (REST) style for request and response processing. The XML REST API receives
requests through standardized HTTP GET/POST parameters and returns the response as XML.

Use the XML API


Enabling the XML API allows you to request information from the DAM server using a standardized HTTP GET/POST request and
receive the response in XML format. The detailed structure of the XML reply is defined in the XSD file available on the System
→ Interfaces → XML API tab.


Task
1. Enable the service through the System tab.
2. Access the service by authenticating as a user that has the XML API permission (the default administrator user has the
relevant permission). Authentication is done through HTTP Basic Auth.
3. Use the following base URL for a request: <server URL>/xmlapi.svc.

The XML API allows you to perform queries regarding alerts, VA results, DBMSs, sensors and others.

To test the XML API, you can use a simple browser request. For example, to get a list of sensors and their current state,
issue the following request in a browser (replace localhost with the relevant domain name or IP address):

https://localhost:8443/xmlapi.svc?service=sensor

Note

The port number mentioned here varies depending on the McAfee Database Security configuration.

The web browser displays a dialog box asking for a username and password before it submits the XML API request.

A successful request results in an XML response that enumerates the sensors known to McAfee Database Security.
The list is not limited to current sensors; deleted sensor instances are also included.

Each service supports a set of parameters that can be used to narrow the request. For example, the alert service supports the
HH$TimeBackPeriod parameter, which specifies how far back, in milliseconds from now, the execution time of an alert may be. For
example, to get all alerts from the last five minutes, issue the following request:

https://127.0.0.1:8443/xmlapi.svc?service=alert&HH$TimeBackPeriod=300000
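The request flow described above as a small Python client, added here as an example and not taken from the product guide: it builds the xmlapi.svc URL from a service name and its HH$ parameters, authenticates with HTTP Basic Auth over verified TLS, and pulls the <sensor-db-id> values out of the reply. The sample response is constructed; apart from the <database> and <sensor-db-id> node names that this guide mentions, its layout (<sensors>, <sensor>, <name>, <status>) is an assumption.

```python
"""Minimal McAfee Database Security XML API client (added example, not from the guide).

Assumptions not found in the guide: the ca_bundle argument, and the layout of the
constructed sample reply below other than its <database> and <sensor-db-id> nodes.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote


def build_xmlapi_url(server_url, service, params=None):
    """Build <server URL>/xmlapi.svc?service=...&HH$...=... as the guide's examples show.

    Parameter names are kept literal (the guide writes them with a plain '$');
    values are percent-encoded except for the characters the API itself uses as
    structure: the CSV separator ',' and the group-of-values brackets '[()]'.
    """
    query = ["service=" + quote(service, safe="")]
    for name, value in (params or {}).items():
        if isinstance(value, bool):  # the API wants HH$EnableNetMonitor=true, not True
            value = "true" if value else "false"
        query.append(name + "=" + quote(str(value), safe=",[]()"))
    return server_url.rstrip("/") + "/xmlapi.svc?" + "&".join(query)


def basic_auth_header(username, password):
    """Authorization header value for HTTP Basic Auth: base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def fetch_xml(url, username, password, ca_bundle=None, timeout=30):
    """GET the URL with Basic Auth and return the raw XML reply as bytes.

    Certificate verification stays on: the credentials travel in a header, so
    point ca_bundle at the CA that signed the server certificate instead of
    disabling checks.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, password)}
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


def sensor_db_ids(xml_bytes):
    """Map each sensor name to the <sensor-db-id> values found in its <database> nodes.

    The guide states that the sensor-db-id sits inside the <database> node of the
    sensor service reply; the <sensor> and <name> node names are assumed.
    """
    root = ET.fromstring(xml_bytes)
    result = {}
    for sensor in root.iter("sensor"):
        name = sensor.findtext("name", default="")
        ids = [db.findtext("sensor-db-id") for db in sensor.iter("database")]
        result[name] = [i for i in ids if i]
    return result


# Constructed sample reply; not captured from a real server.
SAMPLE_SENSOR_XML = b"""<?xml version="1.0"?>
<sensors>
  <sensor><name>db-host-01</name><status>ALIVE</status>
    <database><name>PROD</name><sensor-db-id>10000000</sensor-db-id></database>
    <database><name>TEST</name><sensor-db-id>10000001</sensor-db-id></database>
  </sensor>
  <sensor><name>db-host-02</name><status>DELETED</status></sensor>
</sensors>"""


def demo():
    """Offline walk-through: the guide's example URLs plus the parsed sample reply."""
    base = "https://127.0.0.1:8443"
    urls = {
        "alerts_last_5min": build_xmlapi_url(base, "alert", {"HH$TimeBackPeriod": 300000}),
        "start_db": build_xmlapi_url(
            base, "sensor", {"HH$Action": "start-db", "HH$Sensor-db-id": 10000000}
        ),
    }
    return urls, sensor_db_ids(SAMPLE_SENSOR_XML)


if __name__ == "__main__":
    urls, ids = demo()
    for label, url in urls.items():
        print(label, url)
    print(ids)
```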

List of supported request parameters


The type of query is specified with the request parameter named service, which accepts one of these values.

Query type            Definition
sensor                Query sensor status, start/stop monitoring
alert                 Query alerts
varesult              Query VA results
dbms                  Query the DBMS list, including a summary of the last VA scans
scans                 Query VA scans
add-db                Add and configure a VA database
update-db             Update a VA database
batchupdate-db        Batch update databases
delete-db             Delete a database
add-db-to-group       Add a database to a group
remove-db-from-group  Remove a database from a group
add-scan              Add a VA scan
update-scan           Update a VA scan
delete-scan           Delete a VA scan
start-scan            Initialize a VA scan
ruleobject            Set, delete, and list rule objects
resolve-results       Resolve results
resolve-alerts        Resolve alerts
sensor-restart        Restart sensors
rules                 Perform operations on rules
dbgroups              Perform operations on database groups
app-mapping           Perform operations on application mapping
sensor-mgmt           Approve and delete sensors

Sensor request parameters

Retrieves sensor information, starts or stops monitoring of a database, and updates specific sensor properties.

Service       sensor
Permission    SENSOR XML API
Version       4.4.9 or later

Parameter             Definition
HH$Action             List (default), start-db, stop-db, update
HH$Name               String
HH$Id                 Long
HH$Sid                String
HH$ApprovedBy         User ID
HH$Hostname           String
HH$Ip                 String
HH$Database           Database ID
HH$Approved           CSV of approved statuses. The valid values are APPROVED, DENIED, and PENDING
HH$Status             Communication status. The valid values are ALIVE, DELETED, DISCONNECTED, and STOPPED
HH$Server             Server ID
HH$pageSize           Long — The maximum number of results per call. The default value is -1 (ALL)
HH$pageNum            Long — The number of the page to return. The default value is 0
HH$Sensor-db-id       Long — (Optional) The database-sensor-db number, which identifies the connection between a sensor and a database. You can get this value from the regular sensor service: find the <database> XML node of your sensor, which contains the <sensor-db-id> XML node
HH$EnableNetMonitor   Enable or disable the network monitoring option
HH$AddParams          Add a list of advanced parameters to the sensor in the format param1:value1,param2:value2. The values of existing parameters are updated automatically after the list of advanced parameters is added
HH$RemoveParams       Remove a list of advanced parameters from the sensor

Examples

Note

The port number mentioned here varies depending on the McAfee Database Security configuration.

• To get all connected sensors: https://127.0.0.1:8443/xmlapi.svc?service=sensor&HH$status=ALIVE
• To start monitoring a database: https://127.0.0.1:8443/xmlapi.svc?service=sensor&HH$Action=start-db&HH$Sensor-db-id=10000000
• To stop monitoring a database: https://127.0.0.1:8443/xmlapi.svc?service=sensor&HH$Action=stop-db&HH$Sensor-db-id=10000000
• To enable network monitoring for all (non-deleted) sensors: https://127.0.0.1:8443/xmlapi.svc?service=sensor&HH$Action=update&HH$EnableNetMonitor=true

Alert request parameters

Retrieves alert information. The parameters are used to filter the alerts.

Service       alert
Permission    ALERT XML API
Version       4.4.9 or later

Parameter              Definition
HH$ExecutionTimeFrom   Date (format: dd MMM yyyy HH:mm:ss)
HH$ResolveReason       String
HH$Resolves            CSV Resolve IDs
HH$Id                  Long
HH$Agents              CSV Agent IDs
HH$TagName             String
HH$DbGroupName         String
HH$ExecutionTimeTo     Date
HH$Databases           CSV Database IDs
HH$Operation           String
HH$OsUser              String
HH$ResolvedBy          User ID
HH$Severities          CSV ActionSeverity names (INFO, NOTICE, LOW, MEDIUM, and HIGH)
HH$SourceHost          String
HH$SourceIP            String
HH$Rules               CSV Rule IDs
HH$ResolveNames        CSV Resolve name strings
HH$RuleName            String
HH$QuarantineId        String
HH$ReleaseTimeAfter    Date
HH$ReleaseTimeBefore   Date
HH$ExecUser            String
HH$DatabaseId          Database ID (Long)
HH$ExecProgram         String
HH$Module              String
HH$ModifyDateFrom      Date
HH$ModifyDateTo        Date
HH$Sid                 Integer
HH$TimeBackPeriod      Long
HH$pageSize            Long — The maximum number of results per call. The default value is 100; the value -1 returns all results

Note

ResolveNames works only with already existing resolve types.

For example, to get a maximum of 5000 unresolved alerts from the host myhost, issue the following request:

https://127.0.0.1:8443/xmlapi.svc?service=alert&HH$SourceHost=myhost&HH$ResolveNames=Unresolved&HH$pageSize=5000

VA result request parameters

Retrieves the list of VA results.

Service       varesult
Permission    VA Result XML API
Version       4.4.9 or later

Parameter              Definition
HH$ExecutionTimeFrom   Date (format: dd MMM yyyy HH:mm:ss)
HH$ResolveReason       String
HH$Resolves            CSV Resolve IDs
HH$Id                  Long
HH$TagName             String
HH$DbGroupName         String
HH$ExecutionTimeTo     Date
HH$Databases           CSV Database IDs
HH$ResolvedBy          User ID
HH$Severities          CSV ActionSeverity names (INFO, NOTICE, LOW, MEDIUM, and HIGH)
HH$RuleName            Tests that generated the result
HH$ScanNames           Scan names that generated the result
HH$Categories          CSV VA result categories to include in the response
HH$SqlFix              VA results containing the specified SQL fix
HH$pageSize            Long — The maximum number of results per call. The default value is 100; the value -1 returns all results

For example, to get VA results with severity HIGH from the scan named myscan, issue the following request:

https://127.0.0.1:8443/xmlapi.svc?service=varesult&HH$Severities=HIGH&HH$ScanNames=myscan

DBMS request parameters

Retrieves the list of databases.

Service       dbms
Permission    DBMS XML API
Version       4.6.0 or later

Parameter          Definition
HH$Id              Long
HH$Name            String
HH$VaConfigured    Boolean — Search for DBMSs configured for VA
HH$MonitorStatus   DAM monitoring status: FULL, PARTIAL, or NONE
HH$Agents          Comma-separated list of Agent IDs
HH$Description     String
HH$MajorVersion    String — Version of the DBMS
HH$DbType          String — One of the database types
HH$$RuleStats      Boolean — If set to false, the total number of rules (custom and predefined) is not calculated. The default value is true
HH$$ScanStats      Boolean — If set to false, the scan summary is not included. The default value is true
HH$pageSize        Long — The maximum number of results per call. The default value is -1 (ALL)
HH$pageNum         Long — The number of the page to return. The default value is 0

Examples

Note

The port number mentioned here varies depending on the McAfee Database Security configuration.

• To get a list of DBMSs with VA enabled: https://127.0.0.1:8443/xmlapi.svc?service=dbms&HH$VaConfigured=true
• To get the list of databases without calculating the total number of rules: https://127.0.0.1:8443/xmlapi.svc?service=dbms&HH$$RuleStats=false

Note

The parameters HH$$RuleStats and HH$$ScanStats are helpful when the service call takes a very long time to complete. Setting
them to false omits the rule and scan statistics from the database output; calculating these statistics can take a long time when
the network connection to the back-end database is slow.

Scans request parameters

Retrieves the list of active scans.

Service       scans
Permission    Scans XML API
Version       4.4.9 or later

Parameter           Definition
HH$name             String
HH$tags             String
HH$Deleted          Boolean
HH$Valid            Boolean
HH$Enabled          Boolean
HH$Modified         Boolean
HH$Databases        Comma-separated list of database group names
HH$SysIdentifiers   Comma-separated list of test SYS identifiers
HH$pageSize         Long — The maximum number of results per call. The default value is -1 (ALL)
HH$pageNum          Long — The number of the page to return. The default value is 0

For example, to get the list of active scans, issue the request:

https://127.0.0.1:8443/xmlapi.svc?service=scans&HH$Valid=true

Add VA database request parameters

Adds a VA database.

Service       add-db
Permission    Add DB XML API
Version       4.4.9 or later

Note

Depending on the database type, you must provide either an instance name or a port number. For advanced scenarios, it is
possible to provide a full connection URL.

Note

For MSSQL, you cannot provide both the instance name and the port number.

Parameter                Definition
HH$Name                  Custom display name for the DB
HH$Description           String
HH$DbType                One of these database types: ORACLE, MSSQL, MYSQL, SYBASE, DB2, DB2AS400, DB2ZOS, TERADATA, POSTGRESQL, SAPHANA, MSSQL2000, SQLAZURE, MongoDb
HH$Host                  String
HH$Port                  Integer
HH$Instance              String
HH$EnableVA              Boolean — Enable or disable the VA section. The default value is true
HH$Username              String (mandatory)
HH$Password              String
HH$ConnUrl               Full connection URL (for advanced scenarios)
HH$Properties            Additional properties (name=value pairs, one per line)
HH$OUs                   Comma-separated list of OUs
HH$ExcludeUsers          A list of users to exclude
HH$validateCredentials   Boolean — Enable or disable connection verification. The default value is true for add-db

If support for OS scanning is required, use these parameters.

Parameter           Definition
HH$OSType           One of DCOM and SSH
HH$OSUsername       String
HH$OSPassword       String
HH$OSCert           String
HH$OSCertPassword   String
HH$OSPort           Integer (SSH port)

If SSH tunneling is required, use these parameters.

Parameter                         Definition
HH$OSTunnelUsername               String
HH$OSTunnelPassword               String
HH$OSTunnelCertificate            String
HH$OSTunnelCertificatePassword    String
HH$OSTunnelHost                   String
HH$OSTunnelPort                   Integer

For example, to add a new MSSQL database named SQL_DB, issue the request:

https://127.0.0.1:8443/xmlapi.svc?service=add-db&HH$Name=SQL_DB&HH$DbType=MSSQL&HH$Host=127.0.0.1&HH$Instance=SQL2005&HH$Username=uname&HH$Password=pword

Update database request parameters

Updates a database.

Service       update-db
Permission    Update DB XML API
Version       4.4.9 or later

Parameter                Definition
HH$Id                    Integer — The ID of the database to update
HH$Name                  Custom display name for the DB
HH$Description           String
HH$DbType                One of the database types
HH$Host                  String
HH$Port                  Integer
HH$Instance              String
HH$EnableVA              Boolean — Enable or disable the VA section. There is no default value for this parameter
HH$Username              String (optional)
HH$Password              String
HH$ConnUrl               Full connection URL (for advanced scenarios)
HH$Properties            Additional properties (name=value pairs, one per line)
HH$OUs                   List of OUs (CSV)
HH$ExcludeUsers          List of users to exclude
HH$validateCredentials   Boolean — Enable or disable connection verification (default = false for update-db)

More optional parameters, for the DAM part only.

Parameter                   Definition
HH$EnableAlternative        Boolean — Enable or disable the alternative connection
HH$AltUsername              String — User name
HH$AltPassword              String — Password
HH$AltConnectionString      String — Connection string
HH$EnableNetMonitor         Boolean — Enable or disable network monitoring
HH$NetMonitorPorts          String — Comma-separated list of ports (numeric) to monitor
HH$EnableMemMonitor         Boolean — Enable or disable memory monitoring
HH$NetMonitorServiceNames   List (CSV) of service names — Optional and applicable for Oracle DB only

To update a database with the ID#10000000:

Note

The port number mentioned here varies depending on the McAfee Database Security configuration.

• https://127.0.0.1:8443/xmlapi.svc?service=update-db&HH$Id=10000000&HH$EnableAlternative=true&HH$AltUsername=sa&HH$AltPassword=somepassword&HH$AltConnectionString=MOBL
In this example, the update-db action is applied only to the database instance 10000000.
• https://127.0.0.1:8443/xmlapi.svc?service=update-db&HH$Id=10000000&HH$EnableNetMonitor=true&HH$NetMonitorPorts=1443,2443&HH$EnableMemMonitor=true

Batch update database request parameters

Batch updates all databases that match the filter parameters.

Service       batchupdate-db
Permission    Update DB XML API
Version       4.6.5 or later

Parameter             Definition
HH$Name               Filter by database name (like operation)
HH$DbType             One of the database types
HH$DbVersion          Filter by database version
HH$DbVersionCompare   Operator used to compare the database version value: EQ, GT, LT, GE, LE, NE
HH$EnableNetMonitor   Boolean — Enable or disable network monitoring
HH$EnableMemMonitor   Boolean — Enable or disable memory monitoring
HH$AddParams          Add a list of advanced parameters to each matching database in the format param1:value1,param2:value2. The list of advanced parameters updates the value of existing parameters and overrides the use of the sensor's advanced parameters
HH$RemoveParams       Remove a list of advanced parameters from each matching database

For example, to enable network monitoring for all databases of type MSSQL with a version less than 2008 (SQL Server version=10),
submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=batchupdate-db&HH$DbType=MSSQL&HH$DbVersion=10&HH$DbVersionCompare=LT&HH$EnableNetMonitor=true

Delete VA database request parameters

Deletes a VA database.

Service       delete-db
Permission    Delete DB XML API
Version       4.4.9 or later

Parameter   Definition
HH$Id       Integer — The ID of the database to delete

For example, to delete a database with ID#10006000, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=delete-db&HH$Id=10006000

Add database to groups request parameters

Adds a database to database groups.

Service       add-db-to-group
Permission    Add DB to Group
Version       4.4.9 or later

Parameter    Definition
HH$Id        Integer — The ID of the database to add to the groups
HH$Groups    Comma-separated list of group names to add the database to

For example, to add a database with ID#10007000 to the groups DB-Group1 and DB-Group2, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=add-db-to-group&HH$Id=10007000&HH$Groups=DB-Group1,DB-Group2

Note

If a database group name contains the comma character (,), the name must be URL encoded twice to make sure the
comma is not treated as a separator. You can use an online URL encoder service, for example www.urlencoder.org. For
example, if the database group name is test,more%test, encoding it twice gives
test%252Cmore%2525test.
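The double encoding from the note above as an added Python example (not from the product guide): it prepares an HH$Groups value for a group name that contains a comma, and replays what the server does with a singly and a doubly encoded value so the reason for the second encoding is visible. The two-stage server-side handling (HTTP decode, then a split on the comma, then a decode of each item) is an assumption drawn from the note, not a documented implementation detail.

```python
from urllib.parse import quote, unquote

# Double URL encoding for HH$Groups values (added example, not from the guide).
# quote() turns "," into "%2C", but the HTTP layer decodes that back to "," before
# the server splits the CSV list, so a singly encoded name is cut in two.
# Encoding twice leaves "%2C" in place after that first decode.


def encode_group_name(name):
    """URL-encode a database group name twice, as the guide requires for names with commas."""
    return quote(quote(name, safe=""), safe="")


def groups_param(names):
    """Build the HH$Groups value: each name double-encoded, joined with the CSV separator."""
    return ",".join(encode_group_name(n) for n in names)


def server_side_groups(query_value):
    """Replay the assumed server processing: HTTP decode, split on ',', decode each item."""
    once = unquote(query_value)
    return [unquote(item) for item in once.split(",")]


def add_db_to_group_url(server_url, db_id, names):
    """Full add-db-to-group request; the groups value is inserted as-is, already encoded."""
    return (server_url.rstrip("/") + "/xmlapi.svc?service=add-db-to-group"
            + "&HH$Id=" + str(db_id) + "&HH$Groups=" + groups_param(names))


def round_trips(names):
    """True when every name survives groups_param followed by the server replay unchanged."""
    return server_side_groups(groups_param(names)) == list(names)


if __name__ == "__main__":
    names = ["DB-Group1", "test,more%test"]  # constructed group names
    print(add_db_to_group_url("https://127.0.0.1:8443", 10007000, names))
    # Single encoding splits the comma-bearing name into two groups; double does not.
    print(server_side_groups(",".join(quote(n, safe="") for n in names)))
    print(server_side_groups(groups_param(names)))
```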

Remove database from groups request parameters

Removes a database from database groups.

Service       remove-db-from-group
Permission    Remove DB from Group
Version       4.4.9 or later

Parameter    Definition
HH$Id        Integer — The ID of the database to remove from the groups
HH$Groups    Comma-separated list of group names to remove the database from

For example, to remove the database with ID#10007000 from the groups DB-Group1 and DB-Group2, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=remove-db-from-group&HH$Id=10007000&HH$Groups=DB-Group1,DB-Group2

Note

If a database group name contains the comma character, the name must be URL encoded twice to ensure the
comma is not treated as a separator. You can use an online URL encoder service, for example www.urlencoder.org. For
example, if the database group name is test,more%test, encoding it twice gives
test%252Cmore%2525test.

Add VA scan request parameters

Adds a VA scan.

Service       add-scan
Permission    Add Scan XML API
Version       4.4.9 or later

Parameter                     Definition
HH$Name                       String
HH$Description                String
HH$Schedule                   Schedule in cross tab format
HH$DatabasesAdd               Add comma-separated list of DB IDs
HH$DatabasesRemove            Remove comma-separated list of DB IDs
HH$GroupsAdd                  Add comma-separated list of DB group names
HH$GroupsRemove               Remove comma-separated list of DB group names
HH$DatabaseExceptionsAdd      Add comma-separated list of DB IDs to exclude from the scan
HH$DatabaseExceptionsRemove   Remove comma-separated list of DB IDs to exclude from the scan
HH$TagsAdd                    Add comma-separated list of categories (tags)
HH$TagsRemove                 Remove comma-separated list of categories (tags)
HH$OmmittedRulesAdd           Add comma-separated list of rule IDs to exclude from the scan
HH$OmmittedRulesRemove        Remove comma-separated list of rule IDs to exclude from the scan
HH$actions                    Comma-separated list of actions. Available actions: LOG, EMAIL, SYSLOG, WINLOG, FILELOG, AUTO_RESOLVE
HH$winLevel                   Winlog level
HH$fileLevel                  File log level
HH$sysLevel                   Syslog level
HH$resolve                    Name of the resolution (in case the AUTO_RESOLVE action is set)
HH$email                      Email address (in case the EMAIL action is set)
HH$Severity                   Comma-separated list of severities to check (HIGH, MEDIUM, LOW, NOTICE, and INFO)
HH$Enabled                    Boolean
HH$StorePassword              Boolean — Store weak passwords
HH$RebuildPassword            Boolean — Rebuild the password cache
HH$OUs                        List of comma-separated OUs
HH$Server                     The server that this scan belongs to (relevant when the server is configured as a cluster)

For example, to add a new scan on the database with ID#10007000 in the category Audit, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=add-scan&HH$Name=newScan&HH$DatabasesAdd=10007000&HH$TagsAdd=Audit


Update VA scan request parameters

Updates a VA scan.

Service       update-scan
Permission    Update scan XML API
Version       4.4.9 or later

Parameter                     Definition
HH$Id                         ID of the scan to update
HH$Name                       String
HH$Description                String
HH$Schedule                   Schedule in cross tab format
HH$DatabasesAdd               Add comma-separated list of DB IDs
HH$DatabasesRemove            Remove comma-separated list of DB IDs
HH$GroupsAdd                  Add comma-separated list of DB group names
HH$GroupsRemove               Remove comma-separated list of DB group names
HH$DatabaseExceptionsAdd      Add comma-separated list of DB IDs to exclude from the scan
HH$DatabaseExceptionsRemove   Remove comma-separated list of DB IDs to exclude from the scan
HH$TagsAdd                    Add comma-separated list of categories (tags)
HH$TagsRemove                 Remove comma-separated list of categories (tags)
HH$OmmittedRulesAdd           Add comma-separated list of rule IDs to exclude from the scan
HH$OmmittedRulesRemove        Remove comma-separated list of rule IDs to exclude from the scan
HH$actions                    Comma-separated list of actions. Available actions: LOG, EMAIL, SYSLOG, WINLOG, FILELOG, and AUTO_RESOLVE
HH$winLevel                   Winlog level
HH$fileLevel                  File log level
HH$sysLevel                   Syslog level
HH$resolve                    Name of the resolution (in case the AUTO_RESOLVE action is set)
HH$email                      Email address (in case the EMAIL action is set)
HH$Severity                   Comma-separated list of severities to check (HIGH, MEDIUM, LOW, NOTICE, and INFO)
HH$Enabled                    Boolean
HH$StorePassword              Boolean — Store weak passwords
HH$RebuildPassword            Boolean — Rebuild the password cache
HH$OUs                        Comma-separated list of OUs
HH$Server                     The server that this scan belongs to (relevant when the server is configured as a cluster)

For example, to update the scan with ID#10009000 and add the databases with IDs #10006000 and #10007000, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=update-scan&HH$Id=10009000&HH$DatabasesAdd=10006000,10007000

Start VA scan request parameters

Starts a VA scan.

Service       start-scan
Permission    Run Scan XML API
Version       4.4.9 or later

Parameter   Definition
HH$Id       ID of the scan to start

For example, to start the scan with ID#10008000, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=start-scan&HH$Id=10008000

Delete VA scan request parameters

Deletes a VA scan.

Service       delete-scan
Permission    Delete Scan XML API
Version       4.4.9 or later

Parameter   Definition
HH$Id       ID of the scan to delete

For example, to delete the scan with ID#10008000, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=delete-scan&HH$Id=10008000

Rule objects request parameters

Performs operations on rule objects.

Service       ruleobject
Permission    Object XML API
Version       set, delete — 4.4.9 or later
              list — 4.4.9-P2 or later
              object-api-restricted — 4.6.3 (52890) or later

Parameter               Definition
object-name             Name of the rule object to modify.
action                  One of set, delete, and list. If set is used, one of value-append, value-delete, or value-set must be defined. set creates the object if it does not exist or manipulates an existing object. When the set action is chosen and the rule object does not exist, the object type must also be given.
object-type             String (mandatory). The rule object type; common values are STATEMENT, ip, and object.
object-description      Optional description.
value-set               Sets the values of the rule object. If the rule object does not exist, it is created. Multiple values may be specified as a comma-separated list.
value-append            Appends the specified values to the rule object. Multiple values may be specified as a comma-separated list.
value-delete            Deletes all specified values from the rule object. Multiple values may be specified as a comma-separated list.
object-api-restricted   true or false (default = false). Mandatory when creating a new rule object that is API restricted (manipulated only through the XML API).

For API restricted rule objects, these parameters also apply.

Parameter                                  Definition
db-ids                                     Mandatory. The list of database IDs (DAM). Multiple values may be specified as a comma-separated list, for example, db-ids=10200000,10201000.
value-set, value-append, or value-delete   Mandatory. Provide a group of values (see the format below).
object-default-value                       Alternative or default value used when a database has no mapping; otherwise the rule is ignored for that database. Optional, and only on value-set. Multiple values may be specified as a comma-separated list (for example, object-default-value=Windows,Linux,Mac). To reset the value, provide an empty value (object-default-value=).

Note

Interaction with such an API restricted object involves providing a mapping of keys (through the db-ids parameter) to values
(through the value-set, value-append, or value-delete parameter). Therefore, the order is important, and the number of db-ids
must equal the number of groups of values. Values must be non-empty; to reset the values of a database with the set operation,
use an empty pair of brackets ().
For example, the parameter line db-ids=12600000,12601000&value-set=(WIN,LINUX)(MAC1,MAC2) maps 12600000 => WIN,LINUX and
12601000 => MAC1,MAC2.

Group of values — A collection of multiple elements, each one surrounded by the special brackets [( and )], where each
element is constructed from multiple non-empty values specified as a comma-separated list.

Format: [(V1,V2,...Vn)][(W1,W2,...Wm)]

Examples

• [(WIN1)][(WIN2)] - Two groups of one element each
• [(WIN1,WIN2,WIN3)][(WIN1)][(WIN2)]
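The group-of-values format and the db-ids pairing rule described above, as an added Python example (not from the product guide): it renders value groups in the [(V1,V2)][(W1)] form, parses that form back, pairs the groups with the db-ids list in order, and rejects the two mistakes the note warns about (a count mismatch and a malformed group list). The empty group [()] is treated as the reset described for the set operation.

```python
import re

# Group-of-values helpers for API restricted rule objects (added example, not
# from the guide). Format: "[(V1,V2,...Vn)][(W1,W2,...Wm)]", one group per
# db-id in the same order; "[()]" is the empty group that resets a db-id's values.

_GROUP_RE = re.compile(r"\[\(([^()\[\]]*)\)\]")


def format_groups(groups):
    """Render a list of value lists as [(V1,V2)][(W1)]; an empty list becomes [()]."""
    for group in groups:
        if any(v == "" or "," in v for v in group):
            raise ValueError("values must be non-empty and must not contain ','")
    return "".join("[(" + ",".join(group) + ")]" for group in groups)


def parse_groups(text):
    """Parse [(V1,V2)][(W1)] into [["V1", "V2"], ["W1"]]; [()] parses to [].

    The whole string must consist of well-formed groups, so a stray bracket
    or a group written without its [( )] wrapper is rejected instead of
    silently dropped.
    """
    matches = list(_GROUP_RE.finditer(text))
    if text == "" or "".join(m.group(0) for m in matches) != text:
        raise ValueError("not in [(...)][(...)] form: " + repr(text))
    groups = []
    for m in matches:
        body = m.group(1)
        groups.append([] if body == "" else body.split(","))
    return groups


def map_db_ids(db_ids_csv, groups_text):
    """Pair the db-ids parameter with the value groups in order, as the server does.

    Raises when the counts differ, which the guide states is a requirement.
    """
    ids = db_ids_csv.split(",")
    groups = parse_groups(groups_text)
    if len(ids) != len(groups):
        raise ValueError(f"{len(ids)} db-ids but {len(groups)} value groups")
    return dict(zip(ids, groups))


def build_value_set(mapping):
    """Inverse of map_db_ids: produce the db-ids and value-set parameter values from a dict."""
    return ",".join(mapping), format_groups(list(mapping.values()))


if __name__ == "__main__":
    # Constructed database IDs, shaped like the guide's examples.
    print(map_db_ids("12600000,12601000", "[(WIN,LINUX)][(MAC1,MAC2)]"))
    print(build_value_set({"12600000": ["val0", "val1"], "12602000": []}))
```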
Examples for rule objects

Note

Only one value action (append, set, or delete) is allowed per request.

• List the rule objects: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=list
• Find a rule object: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&object-name=nameOfRuleObject
• Add a new rule object with a value list (1.1.1.1,1.1.2.2), type (ip), and a description ('Black List IPs'): https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=set&object-name=blacklist_ip&value-set=1.1.1.1,1.1.2.2&object-type=ip&object-description=Black%20List%20IPs
• Delete a specific value (1.1.2.2) from a rule object: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=set&object-name=blacklist_ip&value-delete=1.1.2.2
• Delete a rule object completely: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=delete&object-name=blacklist_ip

Examples for API restricted rule objects

• Create a simple API restricted rule object: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=set&object-type=STATEMENT&object-name=name&object-api-restricted=true&db-ids=12600000&value-set=[(val1)]
• Create an API restricted rule object with a default value, which behaves like a map from 3 databases to a single value each: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=set&object-type=STATEMENT&object-name=name&object-api-restricted=true&db-ids=12600000,12601000,12602000&value-set=[(val1)][(val2)][(val3)]&object-default-value=d1
• Delete values from an API restricted rule object: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=set&object-name=name&db-ids=12600000,12601000,12602000&value-delete=[(val1)][(val2)][(val3)]
• Append values to an API restricted rule object: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=set&object-name=name&db-ids=12600000,12601000,12602000&value-append=[(val0,val1)][(val0,val2)][(val0,val3)]
• Set values for db-ids and reset the values for a specific db-id: https://127.0.0.1:8443/xmlapi.svc?service=ruleobject&action=set&object-name=name&object-type=STATEMENT&db-ids=12600000,12601000,12602000&value-set=[(val0,val1)][(val0,val2)][()]

Resolve alerts request parameters

Resolves alerts.

Service resolve-alerts

Permission Alert XML API

Version 4.4.9 or later

QUERY parameters are used to select which alerts will be resolved:

Parameter Definition

HH$ExecutionTimeFrom Date (format: dd MMM yyyy HH:mm:ss)

HH$ResolveReason String

HH$Resolves CSV Resolve IDs for the resolution field

HH$Id Long

HH$Agents CSV Agent IDs

HH$TagName String

HH$DbGroupName String

HH$ExecutionTimeTo Date

168 McAfee Database Security 4.7.x Product Guide


18| XML API

Parameter Definition

HH$Databases CSV Database IDs

HH$Operation String

HH$OsUser String

HH$ResolvedBy User ID

HH$Severities CSV ActionSeverity names (INFO, NOTICE, LOW,


MEDIUM, and HIGH)

HH$SourceHost String

HH$SourceIP String

HH$Rules CSV rule IDs

HH$ResolveNames CSV Resolve name string

HH$RuleName String

HH$QuarantineId String

HH$ReleaseTimeAfter Date

HH$ReleaseTimeBefore Date

HH$ExecUser String

HH$DatabaseId Database Long

HH$ExecProgram String

HH$Clientid String

HH$Module String

McAfee Database Security 4.7.x Product Guide 169


18| XML API

Parameter Definition

HH$ModifyDateFrom Date

HH$ModifyDateTo Date

HH$Sid Integer

HH$TimeBackPeriod Long

SET parameters are used to pass the values to be set for the alerts subset selected by the above parameters.

Parameter Definition

HH$$resolveReason String

HH$$resolveName Resolve name string such as Resolved, Unresolved,


and False Alarm.

For example, to resolve all the unresolved alerts received during the past five minutes (HH$TimeBackPeriod=300000, in milliseconds), submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=resolve-alerts&HH$ResolveNames=Unresolved&HH$TimeBackPeriod=300000&HH$$resolveName=Resolved
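The request above can be assembled programmatically. The following Python helper is an added example, not code from the McAfee product or this guide: it expresses HH$TimeBackPeriod in milliseconds, formats HH$ExecutionTimeFrom and HH$ExecutionTimeTo in the documented dd MMM yyyy HH:mm:ss form, and percent-encodes only parameter values so the HH$ and HH$$ names stay exactly as the guide writes them. The console address and the timestamps are assumptions chosen for illustration.

```python
from datetime import datetime
from urllib.parse import quote

# Assumed console address; the guide's own examples use https://127.0.0.1:8443.
BASE_URL = "https://127.0.0.1:8443/xmlapi.svc"

# Month abbreviations for the dd MMM yyyy HH:mm:ss format, spelled out so the
# result does not depend on the process locale.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def time_back_period_ms(minutes: float) -> int:
    """HH$TimeBackPeriod is a Long in milliseconds (the guide's 300000 = five minutes)."""
    return int(minutes * 60 * 1000)


def xmlapi_date(when: datetime) -> str:
    """Format a datetime as dd MMM yyyy HH:mm:ss, the HH$ExecutionTimeFrom/To format."""
    return f"{when.day:02d} {MONTHS[when.month - 1]} {when.year} {when:%H:%M:%S}"


def xmlapi_url(service: str, params: dict) -> str:
    """Build a request URL for one XML API service.

    Parameter names (HH$..., HH$$...) are passed through untouched, as in the
    guide's examples; values are percent-encoded so spaces and ':' in dates or
    free-text reasons cannot break the query string.
    """
    query = "&".join(f"{name}={quote(str(value), safe='')}"
                     for name, value in params.items())
    return f"{BASE_URL}?service={service}&{query}"


def resolve_unresolved_alerts_url(minutes: int = 5) -> str:
    """The guide's example: mark every alert still Unresolved from the last N minutes as Resolved."""
    return xmlapi_url("resolve-alerts", {
        "HH$ResolveNames": "Unresolved",
        "HH$TimeBackPeriod": time_back_period_ms(minutes),
        "HH$$resolveName": "Resolved",
    })


def resolve_alerts_in_window_url(start: datetime, end: datetime, reason: str) -> str:
    """Resolve unresolved alerts whose execution time lies in [start, end], recording a reason."""
    return xmlapi_url("resolve-alerts", {
        "HH$ExecutionTimeFrom": xmlapi_date(start),
        "HH$ExecutionTimeTo": xmlapi_date(end),
        "HH$ResolveNames": "Unresolved",
        "HH$$resolveName": "Resolved",
        "HH$$resolveReason": reason,
    })


def example_window_url() -> str:
    """Worked instance of resolve_alerts_in_window_url with constructed (assumed) timestamps."""
    return resolve_alerts_in_window_url(datetime(2024, 1, 12, 9, 30, 0),
                                        datetime(2024, 1, 12, 10, 0, 0),
                                        "triage done")


if __name__ == "__main__":
    print(resolve_unresolved_alerts_url())
    print(example_window_url())
```

Submit the resulting URL as an HTTPS GET with an account that holds the Alert XML API permission. For scripted bulk resolution the explicit HH$ExecutionTimeFrom/HH$ExecutionTimeTo window is the safer choice, because HH$TimeBackPeriod is relative to the moment the server processes the request rather than to when the script was planned.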

Resolve results request parameters

Resolves VA Results.

Service resolve-results

Permission VA Result XML API

Version 4.4.9 or later

QUERY parameters are used to select the results that are to be resolved.


HH$ExecutionTimeFrom Date (format: dd MMM yyyy HH:mm:ss)

HH$ResolveReason String

HH$Resolves CSV resolve IDs

HH$Id Long

HH$TagName String

HH$DbGroupName String

HH$ExecutionTimeTo Date

HH$Databases CSV database IDs

HH$ResolvedBy User ID

HH$Severities CSV ActionSeverity names (INFO, NOTICE, LOW, MEDIUM, and HIGH)

HH$RuleName Tests that generated the result

HH$ScanNames Scan names that generated the result

HH$Categories CSV VA result categories to include in the response

HH$SqlFix VA results containing the specified SQL fix

SET parameters are used to pass the values to be set for the results subset selected by the above parameters:

Parameter Definition

HH$$resolveReason String


HH$$resolveName Resolve name string such as Resolved, Unresolved, and False Alarm.

For example, to resolve all the results received during the past 24 hours, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=resolve-results&HH$TimeBackPeriod=86400000&HH$$resolveName=Resolved&HH$$resolveReason=DONE

Sensor restart request parameters

Restarts a sensor.

Service sensor-restart

Permission Sensor Restart XML API

Version 4.9-P1 or later

Parameter Definition

HH$Id CSV list of longs

For example, to restart sensors 10100000 and 10200000, submit the request:

https://127.0.0.1:8443/xmlapi.svc?service=sensor-restart&HH$Id=10100000,10200000

Rules request parameters

Manage or list the custom rules like adding, updating, deleting, and batch updating.

Service rules

Permission Object XML API

Version list: 4.4.9 or later
add, update, delete: 4.6.3 or later
batchupdate: 4.6.5 or later

Parameter Definition

HH$Id ID of the selected rule. Valid for the operations: list, update, delete

HH$Name Select a rule by name, or give the rule a name during the add action

HH$NewName The new rule name when updating the rule. Valid
only for the update operation. Optional but cannot
be empty.

HH$RuleType Filter rules by type: custom/predefined, default=custom (optional parameter). Predefined rules cannot be added or deleted. Predefined rules can be updated; however, these fields are protected: Rule Name, Rule Expression, Send Alert Action, and Advanced Rule Options.

HH$Severity Filter rules by send alert severity. The severities are INFO, NOTICE, LOW, MEDIUM, and HIGH

HH$SortOrder The sort order number representing the new location of the new or updated rule. The sort number starts at 1 and can be seen on the Custom Rules list, under the column no.

HH$Operation The operation to perform: list, add, delete, update, or batchupdate. The default value is list. All rule types (custom, predefined) can be listed, but only custom rules can be managed

HH$Expression The rule expression that is sent to the sensor


HH$Exceptions List of exception expressions separated by a logical operator that can be either $OR$ (OR operator) or $AND$ (AND operator). An example of three expressions: object = '888-888' OR action CONTAINS '8888' $OR$ cmdtype NOT IN ('update') $AND$ client_ip = 1.2.3.4 AND client_host_name LIKE 'host'

HH$InstallOnDBs Install this rule on a list of databases by ID

HH$InstallOnDBGroups Install this rule on a list of database groups by name

HH$InstallOnDBsExclude Exclude installation of this rule on a list of databases by ID

HH$Tags A list of tags

HH$Comment The comment field

HH$Enable Enable rule true or false. The default value is true

HH$RuleAction The action to perform when a rule is matched

The format of the HH$RuleAction parameter is JSON-like, as follows:

{
  allow_rule : {
    global_allow,
  }
  |
  send_alert :
  {
    severity: INFO|NOTICE|LOW|MEDIUM|HIGH¹,
    to_archive |
    console : {
      snmp_trap, terminate_session:{quarantine_user_for:10}
    },
    syslog: TRACE|DEBUG|INFO|WARN|ERROR|FATAL,
    event_log:TRACE|DEBUG|INFO|WARN|ERROR|FATAL,
    log_file: TRACE|DEBUG|INFO|WARN|ERROR|FATAL,
    email:
    {
      severity: INFO|NOTICE|LOW|MEDIUM|HIGH,
      addresses: "list_of_email_addresses"²
    },
    stop_processing_rules
  }
}

¹ Action Severities (INFO, NOTICE, LOW, MEDIUM, HIGH) and Log Levels (TRACE, DEBUG, INFO, WARN, ERROR, and FATAL) must be in upper case.

² list_of_email_addresses is a list of email addresses separated by semicolons. The entire list must be enclosed in double quotes.

Parameter Definition

HH$EditRoles The roles that are granted edit permission for this
rule

HH$AdvancedOptions Advanced rule options currently contain just the monitoring source. The format is JSON-like, for example: {monitoring_source:AUTO}. The valid values for monitoring_source are: AUTO, ALL, MEMORY, NETWORK

HH$AdvActionScript Action script

HH$AdvSensitiveRegex Mask sensitive data regular expression

HH$AdvLimitAlertsSec Limit alerts per second; the value can be one of 1, 5, 10, 100, 1000, or -1, which means unlimited. The default value is 1000

HH$AdvLimitAlertsSession Limit alerts per session; the value can be one of 1, 5, 10, 100, 1000, or -1, which means unlimited. The default value is -1

HH$AdvMinRowsForAlert Minimum rows for alert

HH$AdvApplyActionsRuleTrigger A list of two numbers N, S meaning that the actions are applied when the rule triggers N times in S seconds


HH$AdvAutoResolve Automatically resolve to one of the values: False Alarm, Resolved

HH$AdvIgnoreSigned True or false. The default value is false

HH$AddTerminateSession True or false. The parameter is used for batch updates

HH$AddQuarantineUserFor A number that is used for batch updates. When specified and the value is > 0, this rule action is added/updated. When the value is 0, the rule action is removed from the filtered rules

Note

You can use the HH$Id parameter and specify the rule ID. However, note that the rules use revisions and the ID might change
with a new revision. The best option to identify a rule is by its name.

Examples

List List all custom rules:
https://127.0.0.1:8443/xmlapi.svc?service=rules&HH$RuleType=custom
List all predefined rules:
https://127.0.0.1:8443/xmlapi.svc?service=rules&HH$RuleType=predefined
Get a specific rule with ID=210:
https://127.0.0.1:8443/xmlapi.svc?service=rules&HH$Id=210
Get a specific rule with name=MyRule:
https://127.0.0.1:8443/xmlapi.svc?service=rules&HH$Name=MyRule

Note: The port number mentioned here varies depending on the McAfee Database Security configuration.

Add Add a new rule with:

• Name: big-rule
• Expression: Statement contains 'credit'
• Rule Action: {send_alert: {severity: MEDIUM, console: {}}}
• Exception list: cmdtype NOT IN ('update') $AND$ client_ip = 1.2.3.4 AND client_host_name LIKE 'host'
• Install On DB Groups: All DBMSs
• Install On DBs: 10500000
• Exclude DBs: 10300000,10301000
• Tags: t1,t3,t5
• Comment: This is just a comment
• Roles: Read_Only
• Advanced Options: {monitoring_source:AUTO}
• Action script: select * from dual
• Mask sensitive data regex: (\d\d\d\d\d)+
• Limit alerts per second: 100
• Limit alerts per session: Unlimited
• Minimum rows for alert: 666
• Apply actions when rule triggers 9 times in 2 seconds.
• Auto resolve: False Alarm
• Ignore Signed: True

For the sake of simplicity, the parameters and their values are listed below. Parameter values must be URL-encoded (for example, with https://www.urlencoder.org/).

Parameter Definition

HH$Operation add

HH$Name big-rule

HH$Expression statement%20contains%20%27credit%27

HH$RuleAction %7Bsend_alert%3A%20%7Bseverity%3A%20MEDIUM%2C%20console%3A%20%7B%7D%7D

HH$Exceptions cmdtype%20NOT%20IN%20(%27update%27)%20%24AND%24%20client_ip%20%3D%201.2.3.4%20AND%20client_host_name%20LIKE%20%27host%27

HH$InstallOnDBGroups All%20DBMSs

HH$InstallOnDBs 10500000

HH$InstallOnDBsExclude 10300000,10301000

HH$Tags t1,t3,t5

HH$Comment this%20is%20just%20a%20comment

HH$EditRoles Read_Only

HH$AdvancedOptions %7Bmonitoring_source%3AAUTO%7D

HH$AdvActionScript select%20%2A%20from%20dual

HH$AdvSensitiveRegex %28%5Cd%5Cd%5Cd%5Cd%5Cd%29%2B

HH$AdvLimitAlertsSec 10

HH$AdvLimitAlertsSession -1

HH$AdvMinRowsForAlert 666

HH$AdvApplyActionsRuleTrigger 9,2

HH$AdvAutoResolve FalseAlarm

HH$AdvIgnoreSigned true

Note: The output of the add operation is the rule that was added.

Sort order The custom rule Monitor Credit Table has a sort order of 8, and it needs to be moved to the end of the list, which has 65 rules.

Parameter Definition

HH$Operation update

HH$Name Monitor%20Credit%20Table

HH$SortOrder 65

https://localhost:8443/xmlapi.svc?service=rules&HH$Operation=update&HH$Name=Monitor%20Credit%20Table&HH$SortOrder=65

Delete Delete the rule with the name: big-rule

https://localhost:8443/xmlapi.svc?service=rules&HH$Operation=delete&HH$Name=big-rule

Update Update the rule with the name: big-rule and set new values. Note that the Exclude DBs value is erased by passing the parameter with an empty value.

• New name: bigger-rule
• Rule Action: {send_alert: {severity: INFO, to_archive}}
• Exclude DBs: (none)
• Tags: t8

Parameter Definition

HH$Operation update

HH$Name big-rule

HH$NewName bigger-rule

HH$RuleAction %7Bsend_alert%3A%20%7Bseverity%3A%20INFO%2C%20to_archive%7D%7D

HH$InstallOnDBsExclude (empty)

HH$Tags t8

https://localhost:8443/xmlapi.svc?service=rules&HH$Operation=update&HH$Name=big-rule&HH$NewName=bigger-rule&HH$RuleAction=%7Bsend_alert%3A%20%7Bseverity%3A%20INFO%2C%20to_archive%7D%7D&HH$InstallOnDBsExclude=&HH$Tags=t8

Note: The output of the update operation is the rule that was updated.

Batch update Batch update all the vPatch rules with Severity=HIGH by adding the Terminate action and Quarantine = 12.

Parameter Definition

HH$Operation batchupdate

HH$AddTerminateSession true

HH$AddQuarantineUserFor 12

HH$Severity HIGH

HH$RuleType PREDEFINED

https://localhost:8443/xmlapi.svc?service=rules&HH$Operation=batchupdate&HH$AddTerminateSession=true&HH$AddQuarantineUserFor=12&HH$Severity=HIGH&HH$RuleType=PREDEFINED

Note

When updating the rule, if you want to reset the value of a specific parameter, then the value of that parameter should be left
empty.
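For the rules service, the parameter values (the JSON-like HH$RuleAction, the $AND$-joined exception list, the rule expression) are what need URL encoding, and hand-encoding them is where the examples above are easiest to get wrong. The block below is an added Python example, not the product's own code: it builds the send_alert action string with the upper-case checks from footnotes 1 and 2, joins exception expressions with $OR$/$AND$, and produces the guide's add and update requests from plain values, including the reset-by-empty-value behaviour described in the note above. The console address is an assumption taken from the guide's localhost examples.

```python
from urllib.parse import quote

# Assumed console address; the guide's rules examples use https://localhost:8443.
BASE_URL = "https://localhost:8443/xmlapi.svc"

# Documented action severities and log levels; both must be upper case (footnote 1).
SEVERITIES = ("INFO", "NOTICE", "LOW", "MEDIUM", "HIGH")
LOG_LEVELS = ("TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL")


def send_alert_action(severity, console=False, to_archive=False,
                      syslog=None, email_addresses=None, stop_processing=False):
    """Build the JSON-like send_alert value for HH$RuleAction.

    Severity and log level names are validated against the documented upper-case
    lists; email addresses are joined with ';' and wrapped in double quotes
    (footnote 2).
    """
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    parts = [f"severity: {severity}"]
    if to_archive:
        parts.append("to_archive")
    if console:
        parts.append("console: {}")
    if syslog is not None:
        if syslog not in LOG_LEVELS:
            raise ValueError(f"syslog level must be one of {LOG_LEVELS}, got {syslog!r}")
        parts.append(f"syslog: {syslog}")
    if email_addresses:
        joined = ";".join(email_addresses)
        parts.append(f'email: {{severity: {severity}, addresses: "{joined}"}}')
    if stop_processing:
        parts.append("stop_processing_rules")
    return "{send_alert: {" + ", ".join(parts) + "}}"


def exception_list(expressions, operator="$AND$"):
    """Join exception expressions with the documented $AND$ / $OR$ separator."""
    if operator not in ("$AND$", "$OR$"):
        raise ValueError("operator must be $AND$ or $OR$")
    return f" {operator} ".join(expressions)


def rules_url(operation, params):
    """Build a rules-service URL: HH$ names stay as-is, values are percent-encoded.

    An empty value is sent as 'name=' which, per the guide, resets that field
    when updating a rule.
    """
    ordered = {"HH$Operation": operation, **params}
    query = "&".join(f"{name}={quote(str(value), safe='')}"
                     for name, value in ordered.items())
    return f"{BASE_URL}?service=rules&{query}"


def add_big_rule_url():
    """The guide's 'big-rule' add example, built from plain values instead of hand-encoded ones."""
    return rules_url("add", {
        "HH$Name": "big-rule",
        "HH$Expression": "statement contains 'credit'",
        "HH$RuleAction": send_alert_action("MEDIUM", console=True),
        "HH$Exceptions": exception_list([
            "cmdtype NOT IN ('update')",
            "client_ip = 1.2.3.4 AND client_host_name LIKE 'host'",
        ]),
        "HH$InstallOnDBGroups": "All DBMSs",
        "HH$Tags": "t1,t3,t5",
        "HH$AdvancedOptions": "{monitoring_source:AUTO}",
        "HH$AdvApplyActionsRuleTrigger": "9,2",
    })


def update_big_rule_url():
    """The guide's update example: new action, tag t8, and Exclude DBs reset via an empty value."""
    return rules_url("update", {
        "HH$Name": "big-rule",
        "HH$RuleAction": send_alert_action("INFO", to_archive=True),
        "HH$InstallOnDBsExclude": "",
        "HH$Tags": "t8",
    })


if __name__ == "__main__":
    print(add_big_rule_url())
    print(update_big_rule_url())
```

Because the output of add and update is the rule as stored, comparing that returned rule with the intended values is the natural post-condition check in a script; the guide's own note that rule IDs change with revisions is another reason to address rules by name, as these helpers do.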

Database groups request parameters

Performs operations like add, remove, update, and list on a database group.

Service dbgroups

Permission DBMS XML API

Version 4.4.9 or later

Parameter Definition

HH$Name The name of the database group

HH$Action The action to perform on the database group

HH$Description The description of the database group

HH$NewName The new name of the database group

Note

If the HH$Action parameter is not specified, the list action is used as default. Also, if the HH$Name is missing when listing
database groups then all the db groups are listed.

Example

Note

The port number mentioned here varies depending on the McAfee Database Security configuration.

• List all the database groups: https://127.0.0.1:8443/xmlapi.svc?service=dbgroups
• List all the databases that are attached to the db group named my_dbgroup: https://127.0.0.1:8443/xmlapi.svc?service=dbgroups&HH$Name=my_dbgroup
• Add a new database group named db_group1: https://127.0.0.1:8443/xmlapi.svc?service=dbgroups&HH$Action=add&HH$Name=db_group1&HH$Description=This%20Group%20is%20mine
• Delete the database group named db_group3: https://127.0.0.1:8443/xmlapi.svc?service=dbgroups&HH$Action=delete&HH$Name=db_group3
• Update the database group named db_group9 and change its name to db_group101: https://127.0.0.1:8443/xmlapi.svc?service=dbgroups&HH$Action=update&HH$Name=db_group9&HH$NewName=db_group101

Note

Database group names are unique.

Application mapping request parameters

Display the application mapping for a database.

Service app-mapping

Permission Object XML API

Version 4.6.4 or later

Parameter Definition

HH$Id The database ID

HH$Name The database name

HH$Columns Comma-separated list of columns for output. Valid values are: TERMINAL, HOST, IP, APPLICATION, MODULE, OSUSER, and USER. This parameter is optional and the default value is the list of all the valid values

HH$Schema If this parameter is present (its value is ignored), the SCHEMA column is added to the output

HH$pageSize Long. The maximum number of results per call

HH$pageNum Long. The number of the page to return. The default value is 0

Note

Specify the database ID or name and not both the fields.

The XML output of the column names is mapped.

Column name XML output name

TERMINAL terminal

HOST sourceHost

IP sourceIP

APPLICATION execProgram

MODULE module

OSUSER osUser

USER execUser

SCHEMA schemas.name

For example, to list the application mapping for a database name with all available columns, use:

https://127.0.0.1:8443/xmlapi.svc?service=app-mapping&HH$Name=SalesDB&HH$Schema

Sensor management service request parameters

Service sensor-mgmt

Description Approve and delete sensors

Permission Sensor Mgmt Xml Api

Version 4.6.5 or later

Parameter Definition

HH$Id The sensor ID. This is a mandatory parameter. The value can be a single sensor ID, a comma-separated list of IDs, or -1 for all

HH$Action Action to perform on the sensor(s). Valid values are approve, delete, and undelete

Examples

To delete all sensors:

https://127.0.0.1:8443/xmlapi.svc?service=sensor-mgmt&HH$Action=delete&HH$Id=-1

To approve a sensor:

https://127.0.0.1:8443/xmlapi.svc?service=sensor-mgmt&HH$Action=approve&HH$Id=10002000

To approve multiple sensors:

https://127.0.0.1:8443/xmlapi.svc?service=sensor-mgmt&HH$Action=approve&HH$Id=10002000,1002300,10002500

19| McAfee Database Security Insights

McAfee Database Security Insights


McAfee Database Security monitors Database Management Systems (DBMSs) and protects them from internal and external threats.

McAfee Database Security Insights provides users with the ability to collect and analyze large amounts of data, as well as
visualization capabilities and data-exploration interfaces.

Key features
Insights provides improved visibility into DBMS user activity and vulnerability.

• Advanced filtering
  Free text search
  Ability to save and reapply filters
  Timeline options: predefined and configurable intervals and resolutions
• Configurable dashboard widgets
  Graphical display of key data
  Wide range of available widgets to place events in context
  Breakdown of events according to specific elements
• Easy deployment and configuration
• Workflow management capabilities
  Assign events and Vulnerability Assessment (VA) findings to specific team members
  Update status of events and findings

How Insights works


Insights is used with the McAfee Database Security standalone server.

McAfee Database Security supports simple, single DBMS installations and complex, multi-server, multi-DBMS installations. When
the add-on is installed, McAfee Database Security pushes all events and alerts to the add-on user interface, regardless of where
they are stored in McAfee Database Security.


Note

Only new alerts and findings are forwarded from McAfee Database Security server to Insights. Existing alerts and findings are
not imported.

Access the web console


You can access the web console using a standard web browser.

Before you begin

Insights has these browser and system requirements:

• Mozilla Firefox 1.5 or later
• Microsoft Internet Explorer 7.0 or later
• Chrome 47 or later
• A minimum of 128-MB RAM

Task
1. In your web browser, enter the URL of the server configured in the installation in this format:

https://<servername>:<port number>

Note

The default port number is 8443.

2. Enter your user name and password, then click Log in.


You can configure the system to use your own security certificate instead of the default one. For details, see PD25035.

Web console components


The web console provides easy access to important data.

The web console includes these components:

• Insights Navigation pane — Provides access to these modules.
  Reporting — Provides data on security events and Vulnerability Assessment (VA) findings.
  Analytics — Provides application mapping and database risk information.
  Administration — Enables you to manage system users, interfaces, logs, and indices.

• Filters area — Enables you to determine the time frame and filter criteria for the displayed data.
• Widgets — Displays data for a specific property in list, chart, or graphical format. You can add multiple widgets to focus
on specific data.
• Table — Displays the relevant data in tabular form. You can add or remove columns from the table to focus on specific
aspects of your investigation.

Insights system-wide functionality


The user interface incorporates several system-wide functionalities.

Set the time frame

Set the time period for the data displayed on any page by selecting an option from the Time frame drop-down list.

You can select an interval relative to the present (for example, Last Hour, Last 12 Hours, Last Day, Last Week, or All) or select Custom to select a specific time and date range using a calendar control.

Table options

Select the columns that appear in tables, adjust their width, and sort the data that they contain.

Sort data

Sort a table by a criterion at any time by clicking the column head. Click again to reverse the order (ascending or descending).

Select columns

Add or remove columns from tables by clicking columns above the table, then selecting or deselecting the column names.

Adjust column width

Increase or decrease the width of a column by dragging the header divider to the left or right.


Export table data

Select rows within a table and export the data they contain to a CSV, XML, or PDF file.

Task
1. Select one or more rows in the table, then select Actions → Export.
2. In the Export dialog box, select the required type of output file (CSV, XML, or PDF) and select the fields that you want to include in the exported data.
3. Click OK.

Work with filters

You can set the filter criteria that determine the items that appear. You can then save the filter criteria as customized filters,
eliminating the need to redefine the filter criteria each time you view the page.

Define a filter

You can filter lists and tables to display data that match specific criteria.

Note

The search function is based on the elastic approach. For more about elastic queries, see https://www.elastic.co/guide/en/kibana/3.0/queries.html.

Task
1. In the first filter field, set the filter criteria in any of these ways:
a. Type your query using simple syntax (as you would in a standard search engine).
b. Select items from a list or widget.
c. If you select an item in a list, it is added to the filter as an inclusion. If you click the box at the end of a row and select
Filter Out, the item is entered into the filter as an exclusion (preceded by a minus sign).
d. If you select items in more than one widget, the items are added with the AND operator.
2. Click Apply.

Results

All lists and widgets are filtered to display only the entries that match the filter criteria.

Filter syntax

The filter is based on the elastic search syntax.

Enter filter criteria in this format:

keyword: (value)

For example, to include users named DVM, type execUser:(dvm).


Keywords entered as filter criteria are case sensitive.

You can use wildcards and operators as shown here.

Filter criteria examples Results

execUser:(-dvm) Items where dvm is NOT the value in the execUser field.

execUser:(*engine*) Items where engine is found anywhere in the execUser field.

execUser:(-*engine*) Items where engine is NOT found anywhere in the execUser field.

execUser:(dvm root admin) && execProgram:(vascan) Items where dvm root admin is included in the execUser field AND the execProgram is vascan.

execUser:dvm OR execProgram:vascan Items where dvm is the value in the execUser field OR the execProgram is vascan.

Filter keywords

Use these keywords to define filter criteria.

Keyword Type Description

accessedObjects.fullName string Accessed object full name

accessedObjects.Name string Accessed object name

accessedObjects.Owner string Accessed object owner

accessedObjects.type string Accessed object type

action string Action

applicationId string Application ID


batchCmdTypes string Batch command types

bindVars.name string Bind variable name

bindVars.type string Bind variable type

bindVars.value string Bind variable value

clientAcctstr string Client accounting

clientApplName string Client application name

clientHostName string Client hostname

clientId string Client ID

clientInfo string Client info

clientIp string Client IP address

clientName string Client name

clientWrkstnname string Client workstation name

cmdType string Command type

connectionType string Connection type

contextInfo string Context info

database.name string Database name

database.type string Database type

database.version string Database version


dbContainer string Database container (Oracle 12c)

enduserAction string End user action

enduserIP string End user IP address

enduserModule string End user module

enduserName string End username

errorCode string Returned error code

execUser string Database username

executionTime date Event execution time

inflowObjects.fullName string Inflow SQL - accessed object full name

inflowObjects.name string Inflow SQL - accessed object name

inflowObjects.owner string Inflow SQL - accessed object owner

inflowObjects.type string Inflow SQL - accessed object type

inflowSQL string Inflow SQL - statement

lastWorkFlow.assignedBy string Workflow assigned by

lastWorkFlow.assignee string Workflow assignee

lastWorkFlow.comment string Workflow comment

lastWorkFlow.date date Workflow update date


lastWorkFlow.resolution string Workflow resolution

logonTime date Session login time

module string Module name

netHost string Network resolved hostname

netIP ip Network resolved IP address

osUser string Operating system username

rules.id string Triggered rule ID

rules.name string Triggered rule name

rules.type string Triggered rule type

schema string Database schema

sensor.host string Sensor host

sensor.id string Sensor ID

sensor.ip ip Sensor IP address

sensor.name string Sensor name

sessionActions string Session triggered actions

severity number Severity (1-5) where 5 is highest

sid number Session ID

sourceHost string Source host


sourceIP ip Source IP address

sqlStatement string SQL statement

stmtHash string Statement Hash

terminal string Terminal name

Save a filter

You can create and save multiple filters, then alternate between the saved filters as needed. This eliminates the need to redefine
the filter criteria each time you view a page.

Task
1. From the Saved Filters drop-down list, select Save Current.
2. Name the filter, then click OK.

Results

The filter name is added to the Filters list.

Apply a filter

By default, the most recently applied filter is applied each time you access a page; however, you can apply a different saved filter instead.

Task
1. From the Saved Filters drop-down list, select the saved filter.
The filter criteria appear in the Filter field.
2. Click Apply.

Delete a filter

You can delete a saved filter that is no longer relevant.

Task
1. On the Saved Filters drop-down list, click the X next to the filter name.
2. When prompted for confirmation, click Yes.

The filter is no longer available for reuse.


Work with widgets

Widgets help put events and findings into context by aggregating the displayed data into specific elements.

Depending on the element, a widget displays data in one of these formats:

• List — Displays the top 10 items of the selected type, based on their occurrences.
• Graph — Displays data in a timeline-based line graph. The Y axis shows the events/findings count at each timeline point.
You can filter widgets to explore data and view it in different formats and resolutions.

Add a widget

You can add widgets on all main web console pages. The available widgets are based on context.

Task
In the Widgets area, click Add Widget, then select a widget from the drop-down list.

Remove a widget

You can remove a widget from the console display.

Task
In the Widgets area, click the X on the widget pane.

Filter data based on widget list items

When you add a widget list item to the filter or exclude an item, the data on the page is automatically refreshed.

Task
1. To include an item in query results, click the box at the end of the row and select Add to a Query.
The item is added to the filter definition.
2. To exclude an item from query results, click the box at the end of a row and select Add to a Query (exclude).
The item is added to the filter definition as an exclusion (preceded by a minus sign).

Log out

When you are not actively using the web console, we recommend that you log out of the system.

For security purposes, the system automatically logs you out if it does not detect activity for several minutes.

Task
Click Log Out at the top of any page.

Reporting
The Reporting module presents extensive data on the security events and findings detected by McAfee Database Security to enable monitoring and remediation, as well as the generation of reports.


The Reporting module includes the Events, Findings, and Reports pages.

The data displayed on these pages can be filtered by various criteria, such as time frame, event properties, Finding properties,
and workflow status.

Workflow management
Workflow management enables you to distribute task monitoring among team members.

The assigned user is then responsible for following up and taking any required actions to remediate risks. Users can change the
workflow status of an item (for example, from unresolved to resolved or false positive), or assign an item to another user.

For easier viewing, users can filter the displayed data to view only items assigned to them or items with a specific workflow
status.

A workflow can include multiple steps based on changes in status and assignee. The details of each step appear in the Workflow
area at the bottom of the Event Details or VA Finding Details page.

Events

View events

The Events page displays event-related data for the selected time frame.

Task
1. From the navigation pane, select Reporting → Events.
User-configurable widgets appear near the top of the page. The Events table appears below the widgets.

Tip

To add or remove columns from Events table, click Columns, then select or deselect the names as required.

2. To view the details of a specific event, click an event in the Events table.
The Event Details page displays the main properties of the selected event, including severity, database details, command
type, rules, SQL statements, connection information, and workflow details.
3. From the Actions menu, you can:

• Update the event status.
• Assign the event to another user.
• Export the event details.

Update the event status

You can update the status of events from the Event Details page or Events table.

Task
1. On the Event Details page, click Actions → Workflow.


2. From the Status drop-down list, select the event status or type in a new status name, then click OK.

Assign an event to another user

You can assign events to another user from the Event Details page or Events table.

Task
1. On the Event Details page, click Actions → Workflow.
2. From the Assign to drop-down list, assign an Insights user to handle the event, then click OK.

Export events

You can export event details into a CSV, PDF, or XML file for further analysis. You can include all event fields in the exported file or
select specific fields based on your analysis needs.

Task
1. Select one or more events in the Events table, then click Actions → Export to display the Export dialog box.
2. From the Export to drop-down list, select the type of output (CSV, PDF, or XML).
3. From the Select fields list, select the fields that you want to include in the output or Select All to include all available data
for the selected events.
4. Click OK.

Event properties

You can add these event properties to the Events table or display them as widgets on the Events page.

Option Definition

Accessed Object Full Name The full name of the DBMS object accessed as a
result of the operation.

Accessed Object Name The short name of the DBMS object accessed as a
result of the operation.

Accessed Object Owner The owner of the DBMS object accessed as a result
of the operation.

Accessed Object Type The type of the DBMS object accessed as a result of
the operation.

Action The application action.

Application The application that created the SQL statement.


Application ID The ID of the application that created the SQL statement that triggered the event.

Batch CMD Types The batch SQL command types.

Bind Variables Content of the input parameter of a SQL query.

Client Accounting Client accounting details.

Client App Name The client application name.

Client Host Name The client host name.

Client ID The ID of the application user that triggered the event.

Client Info Client information.

Client IP The IP address of the client that triggered the event.

Client Name The name of the client that triggered the event.

Client Workstation Name The name of the client workstation that triggered the
event.

CMD Type The SQL command type.

Connection Type The type of connection used to connect to the host operating system (DCOM for Windows; SSH for Linux or UNIX).

Context Info (MSSQL only) The user information. This field is used instead of the Application, Module, and Client ID fields that are used in Oracle.

Counter Amount of times the event occurred.

198 McAfee Database Security 4.7.x Product Guide


19| McAfee Database Security Insights

Option Definition

Database Name The name of the database for which the event was
generated.

Database Type The database type.

Database Version The database version.

DB Container The database container.

End User Action The action performed by the end user.

End User IP Address The IP address of the end user.

End User Module The end user module.

End User Name The name of the end user.

Error Code The error code returned for the event.

Execution Time The date and time of the scan that detected the
event.

Inflow Object Full Name The full name of the original PL/SQL program unit
within the DBMS that originated the SQL command.

Inflow Object Name The full name of the original PL/SQL program unit
within the DBMS that originated the SQL command.

Inflow Object Owner The owner of the original PL/SQL program unit
within the DBMS that originated the SQL command.

Inflow Object Type The type of PL/SQL program unit within the DBMS
that originated the SQL command.

Inflow SQL Statement The type of SQL statement.

McAfee Database Security 4.7.x Product Guide 199


19| McAfee Database Security Insights

Option Definition

Log-On Time (MSSQL only). The time when the user logged on to
the application. This field, when taken together with
the Session ID, provides a unique session identifier.

Module The module that generated the alert (if available).

Monitoring Source Network monitoring, Memory monitoring, In process


monitoring.

Net Host The network resolved host name.

Net IP Address The network resolved IP address.

OS User The operating system user.

Real Exec User The real user behind the execution request.

Row Number The row number of the data requested from within a
table.

Rule ID The ID of the rule that generated the event.

Rule Name The name of the rule that generated the event.

Rule Type The type of rule that generated the event.

Rules All rules that triggered for this particular event.

Schema The database schema.

Sensor The sensor that generated the event.

Sensor Host The host server of the sensor that generated the
event.

200 McAfee Database Security 4.7.x Product Guide


19| McAfee Database Security Insights

Option Definition

Sensor IP The IP address of the sensor that generated the


event.

Sensor Name The name of the sensor that generated the event.

Serial (Oracle only) The serial number generated by Oracle


for this instance of the Session. This ID, when taken
together with the Session ID, provides a unique
session identifier.

Session Actions The actions triggered during the session.

Session ID The session ID provided by the DBMS.

Severity The level of severity assigned to the event.

Source Host The host server of the source.

Source IP Address The IP address of the source.

SQL Statement The SQL statement that triggered the event.

Statement Duration The duration of the statement.

Statement Hash The statement hash tag.

Statement Num The number of the statement.

Terminal The user terminal (if available).

Transaction Token Returns a unique identifier for the transaction.

User The user whose action triggered the event.

Workflow History History of the workflow for a particular event


(assigned to User A or User B within Insights).


Note

Some of these properties are not available as widgets.

Findings

View findings

The Findings page displays relevant data for the selected time frame.

Task
1. From the navigation pane, select Reporting → Findings.

User-configurable widgets appear near the top of the page. The Findings table appears below the widgets.

2. To add or remove columns from the Findings table, click Columns, then select or deselect the names as required. For a
complete list of available properties, see Finding properties.
3. To view the details of a specific finding, click the finding in the Findings table.
The Finding Details page displays the main properties of the selected finding, including severity, check names, check
history, scan information, and workflow details.

Update the finding status

You can update the status of findings from the Finding Details page or Findings table.

Task
1. On the Finding Details page, click Actions → Workflow.
2. From the Status drop-down list, select the finding status or type a new status name, then click OK.

Assign findings to another user

You can assign findings to another user from the VA Finding Details page or VA Findings table.

Task
1. On the VA Finding Details page, click Actions → Workflow.
2. From the Assign to drop-down list, assign an Insights user to handle the findings, then click OK.

Export findings

You can export finding details into a CSV, PDF, or XML file for further analysis. You can include all finding fields in the exported
file or select specific fields based on your analysis needs.

Task
1. Select one or more findings in the Findings table, then click Actions → Export to display the dialog box.
2. From the Export to drop-down list, select the type of output (CSV, PDF, or XML).
3. From the Select fields list, select the fields that you want to include in the output, or Select All to include all available data
for the selected findings.
4. Click OK.


Finding properties

You can add these properties to the Findings table or display them as widgets on the Findings page.

Option | Definition
Check Category | The category of the check that detected the findings.
Check Description | A brief description of the check that detected the findings.
Check Name | The name of the check.
CheckSysId | A unique, system-generated check ID.
Database Name | The name of the database for which findings were detected.
Database Type | The type of database where the finding was detected.
Database Version | The type of database where the finding was detected.
Detected Time | The date and time when the finding was detected.
First Detection | If True, indicates that this is the first time this finding was detected.
Fixed Time | The date and time when the SQL fix was applied.
Information | Findings information.
Scan Name | The name of the scan that detected the finding.
Scan Time | The date and time of the scan that detected the finding.
Severity | The severity of the findings.
SQL Fix | If available, the SQL fix that can be used to resolve the reported issue.
State | The finding state.
Workflow Assignee Name | The team member assigned to handle the finding.
Workflow Status | The status assigned to the finding in the workflow.

Reports

McAfee Database Security reports are based on filter criteria. Each report consists of one or more sections, each containing the
results of a different filter.

Reports can be generated in CSV, XML, or PDF format. You can run a report on demand or schedule a report to run at regular
intervals.

Existing reports are listed on the Reports page.

View existing reports

Existing reports are listed on the Reports page.

Task
From the navigation pane, select Reporting → Reports.

Results

The Reports list includes these details for each report.

Option | Description
Name | The name of the report.
Object Type | The types of objects included in the report.
Report Type | The level of report information included in the report.
Format | The report output format (CSV, PDF, or XML).
Description | A description of the report.
Last Run Date | The date and time when the report was last run.
Last Run Report | Click the View link to download the most recent report output.

Create a report

Each report contains the results of at least one filter. Each filter has a single object type (event or finding). You define the filter
criteria and the scope of the data included, including which fields are included and the time frame. You can also define how the
data is sorted and grouped.

Task
1. From the navigation pane, select Reporting → Reports.
2. Click Create Report to display the Report Details page.
3. In the General section, set these general parameters:

• Enter a report name and a brief description of the report.
• From the Format drop-down list, select the required format (CSV, PDF, or XML).
• (Optional) Click Upload Logo File to include a logo in the report, then select the image file and click Open.
4. In the Scheduling section, set when and how often to run the report:
a. Select Scheduling Enabled.
b. Set one of these frequency options:

• Daily at — Runs the report each day at the hour selected from the drop-down list.
• Weekly on — Runs the report on each of the selected weekdays.
• Monthly every — Runs the report on the selected month.
• By Cron expression — Runs the report according to the input timing expression.
• Run Only Once — Runs the report one time only.
c. (Optional) To receive an email when the report is ready, select Send Notification by Email to, then enter the recipient
email addresses. Use semicolons to separate multiple addresses. To attach the report to the email message, select
Attach Report.
5. In the Filter section, set the filter criteria:
a. In the Headline field, enter a brief name for the filter.
b. From the Object Type drop-down list, select the type of objects to include in the report (Events or Findings).
c. From the Detail Level drop-down list, select the report type:
• Details — Contains all field data.
• Summary — Contains only the number of results or widgets.
d. In the filter fields, enter a query, then set the time frame for the report data.

Note

Click Estimate for an indication of the number of items the report would return.

e. In the Limit Report items field, set the maximum number of items to include in the report.

Note

By default, the maximum number of items for each filter section is 5,000.

f. Click Sort by, then select the field by which you want the data to be sorted and select Ascending or
Descending to set the sort direction.
g. Click Group by, then select the field according to which you want to group the data.

Note

If you use the Group by option with a Summary filter, the report returns a count of the results for each group. If
you use the Group by option with a Summary filter and widgets, a single widget is returned for each filter (and not
for each group within the filter).

6. (Optional) Click Add Filter to add another filter section to the report.
7. Click Save.
8. (Optional) Click Run.

Results

The report and its run status are listed in the Reports table.

Duplicate a report

You can use an existing report definition as the basis for creating a new report, for example, if you want to produce a report with
the same filter criteria but in a different format.

Task
1. From the navigation pane, select Reporting → Reports.
2. Select the report to duplicate, then select Actions → Duplicate Report.
3. On the Report Details page, edit the report settings as required.
4. Click Save.


Run an existing report

You can run a report at any time, regardless of its scheduled settings.

Task
1. From the navigation pane, select Reporting → Reports.
2. Select the report to run, then select Actions → Run Report.

Delete a report

You can delete an existing report.

Task
1. From the navigation pane, select Reporting → Reports.
2. Select the report to delete, then select Actions → Delete Report.

Analytics

The Analytics pages provide application mapping, database risk, and the Finding Explorer.

Application mapping

Application mapping provides a visual representation of the events that take place in your system based on the specific filter
criteria.

You can drill down and view events on these levels:

• Database — Events are aggregated by database (default level).
• Source IP — Events are aggregated by source IP address for the selected database.
• User ID — Events are aggregated by user ID for the selected source IP address.
• Command type — Events are aggregated by command type for the selected user ID.

The number of events that link each level is indicated on the lines (edges) that connect them.

Task
From the navigation pane, select Analytics → Application Mapping.
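The export task earlier in this chapter and the application mapping described above cover two things the console does with event data: writing selected event fields to a CSV file for further analysis, and aggregating events along the Database, Source IP, User ID, and Command type drill-down path with the event count on each edge. As an added example that is not part of this product guide or of the product's own code, the Python below reads a constructed CSV export (column names taken from the Event properties table; the row values are made up) and rebuilds that aggregation offline, so the same drill-down can be repeated over an exported file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an Insights event export. Column names follow the Event
# properties table in the guide; the rows are made-up values, not real output.
SAMPLE_EXPORT_CSV = """Database Name,Source IP Address,User,CMD Type,Severity,SQL Statement
HR_PROD,10.0.0.5,app_user,SELECT,Low,SELECT name FROM employees WHERE id = :1
HR_PROD,10.0.0.5,app_user,SELECT,Low,SELECT salary FROM payroll WHERE id = :1
HR_PROD,10.0.0.5,app_user,UPDATE,Medium,UPDATE payroll SET salary = :1 WHERE id = :2
HR_PROD,10.0.0.9,dba_admin,GRANT,High,GRANT DBA TO new_user
FIN_PROD,10.0.0.9,dba_admin,SELECT,Low,SELECT * FROM ledger
FIN_PROD,10.0.0.7,report_svc,SELECT,Low,SELECT total FROM ledger WHERE period = :1
"""

# Drill-down order used by the Application Mapping page.
LEVELS = ("Database Name", "Source IP Address", "User", "CMD Type")


def read_export(csv_text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_application_map(events):
    """Aggregate events along Database -> Source IP -> User -> Command type.

    Returns {(parent_path, child_value): count}. parent_path is the tuple of
    values selected at the levels above, so the count is the label on the edge
    that links a node to the level below it.
    """
    edges = defaultdict(int)
    for event in events:
        path = ()
        for level in LEVELS:
            value = event[level]
            edges[(path, value)] += 1
            path += (value,)
    return dict(edges)


def children(app_map, path):
    """Nodes one level below `path`, with the event count on each edge."""
    return {child: n for (parent, child), n in app_map.items() if parent == path}


def events_by_severity(events, severity):
    """Count events of a given Severity per User, a typical follow-up query on an export."""
    counts = defaultdict(int)
    for event in events:
        if event["Severity"] == severity:
            counts[event["User"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = read_export(SAMPLE_EXPORT_CSV)
    amap = build_application_map(evs)
    # Walk the drill-down from the default (database) level down to command type,
    # following the busiest node at each level.
    path = ()
    for level in LEVELS:
        below = children(amap, path)
        print(f"{level}: {below}")
        path += (max(below, key=below.get),)
    print("High severity by user:", events_by_severity(evs, "High"))
```

The edge counts returned by `children` are the numbers the console prints on the lines connecting one level to the next; summing the counts under any node equals that node's own incoming count, which is a quick consistency check when comparing an export against what the page shows.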

Database risk

The database risk feature provides an overview of the risk level associated with your databases. The risk level ranges from 0
(lowest) to 100 (highest). You can view the aggregated risk across your databases or the risk factors for a specific database.

View database risk summary

The database risk summary indicates the aggregated risk level for your databases based on the type and quantity of events.

Task
1. From the navigation pane, select Analytics → Database Risk.


The Risk Level, Database Type, and Database Version widgets appear at the top of the page. The databases table appears
below the widgets.

2. (Optional) Enter a query to restrict the data to a specific subset of databases, then click Apply.
3. (Optional) Select Actions → Recalculate Risk to refresh the risk data.

View database risk details

Database risk details include the calculated risk level of the database instance, based on the various data points available. The
risk level ranges from 0 (lowest) to 100 (highest).

Task
On the Database Risk page, in the Databases table, click the database row.
The information on the Database Risk Details page is organized into logical sections.

Section | Description
Overall Vulnerabilities | Indicates the overall number of vulnerability assessment findings on the database instance, based on the severity level. Only high and medium severity findings are evaluated in this section.
Access Distribution | Provides an assessment of the database reachability, based on the unique IP addresses, users, and applications accessing the database.
Sensitive Data | Indicates the sensitivity of the data in the database instance by factoring in the number of data discovery findings.
Vulnerable Accounts | Calculates the risk based on the vulnerable accounts in the database.

Finding explorer

The Finding Explorer displays the findings per database based on a query, according to the check category that returned the
findings.

Task
1. From the navigation pane, select Analytics → Finding Explorer.
2. Enter a query, then click Apply.


Administration
Insights enables the configuration of LDAP parameters, index management, and troubleshooting.

Access control

McAfee Database Security facilitates teamwork by enabling multiple users to access the console.

Add a user

If you have global administrator permissions, you can add users to the system.

Task
1. On the Administration → Users page, click Add New User.
2. Enter a user name, the user's given name, and password in the designated fields, then click Save.

Change a user password

If you have the necessary permissions, you can change a user's password.

Task
1. On the Administration → Users page, click the name of the user.
2. In the Password dialog box, click Change password.
3. In the Password and Confirm Password fields, enter the new password, then click Save.

Delete a user

If you have the necessary permissions, you can delete users from the system.

Task
On the Administration → Users page, select a user, then select Actions → Delete User.

Troubleshooting logs

The information in logs can play an important role in the troubleshooting process.

The system logs can be set to the Error, Info, Debug, or Trace level. The default log level is Info, which has a minimal
impact on performance.

Edit the log settings

Some scenarios require an increase in the log level, to provide additional details as part of the support process. In addition, you
can set the maximum log file size and other log properties.

Task
1. From the navigation pane, select Administration → Troubleshooting.
2. Edit the log settings, then click Save.


Generate an analytic package

You can generate and download an analytic package to send to McAfee technical support for troubleshooting purposes.

Task
1. From the navigation pane, select Administration → Troubleshooting, then click Generate Analytic Package.
After the package is generated, it appears in the Existing Package list.
2. Click Download Package to download the .zip file.

Index management

Index management shows the structure of the Alerts (Events) and VA Results (Results) stored in the back-end database
(Elasticsearch). Each Events index represents one day and contains the events from that day. Each Results index represents
one month and contains the results from that month.

The Index Management page provides an overview of the index health, the number of closed/open indices, and the distribution
by index type. You can filter the indices using the static widgets or by entering a filter query.

Indices can be defined as Open or Closed. Open indices appear in search results in the Events or Findings pages. Closed indices
remain in the back-end database, but do not show up in search results.

View the indices list

Task
1. From the navigation pane, select Administration → Index Management.
2. (Optional) Enter a query to restrict the data to a specific subset, then click Apply.

Widgets at the top of the page indicate the aggregated health, state, and types of indices.

Results

The Indices list includes these details for each index.

Option | Description
Name | The name of the index.
Type | The type of index (Event or Result).
Count | The number of entries.
Size | The size of the index entry.
Health | The health level: Green, Red, or N/A (not available).
State | The state of the index (Open or Closed).

Open an index

You can open a closed index so that it again appears in search results.

Task
On the Index Management page, select one or more closed indices, then select Actions → Open Indices.

Close an index

You can close an index so that it no longer appears in search results. Closed indices remain in the back-end database.

Task
On the Index Management page, select one or more open indices, then select Actions → Close Indices.

Delete an index

Closed indices can be deleted to remove them from the back-end database.

Task
On the Index Management page, select one or more closed indices, then select Actions → Delete Indices.
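The index descriptions above define a simple lifecycle: Events indices cover one day each and Results indices one month each; an index is Open (searchable) or Closed (kept in the back-end database but excluded from search results), and only closed indices can be deleted. As an added example that is not part of this product guide or of the product's own tooling, the Python below encodes that lifecycle as a retention plan over a constructed list of indices. The index names, dates, and retention periods are made-up assumptions; the guide does not document how indices are named or how their coverage period is exposed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class IndexInfo:
    """One row of the Indices list. Field names follow the page's columns;
    period_start is an assumption about how an index's coverage is known."""
    name: str
    kind: str            # "Event" (one day of alerts) or "Result" (one month of VA results)
    period_start: date   # first day the index covers
    state: str           # "Open" or "Closed"
    health: str          # "Green", "Red", or "N/A"


def period_end(idx):
    """Last day covered: the same day for a daily Event index, the last day of
    the month for a monthly Result index."""
    if idx.kind == "Event":
        return idx.period_start
    first_of_next = (idx.period_start.replace(day=1) + timedelta(days=32)).replace(day=1)
    return first_of_next - timedelta(days=1)


def plan_actions(indices, today, keep_open_days, keep_closed_days):
    """Map each index name to keep / close / delete.

    Open indices whose coverage ended more than keep_open_days ago are closed
    (they drop out of Events/Findings searches but stay in the store). Closed
    indices older than keep_closed_days are deleted. An Open index is never
    deleted directly, because the console only deletes closed indices.
    """
    actions = {}
    for idx in indices:
        age_days = (today - period_end(idx)).days
        if idx.state == "Open":
            actions[idx.name] = "close" if age_days > keep_open_days else "keep"
        elif idx.state == "Closed":
            actions[idx.name] = "delete" if age_days > keep_closed_days else "keep"
        else:
            actions[idx.name] = "keep"   # unknown state: leave it alone
    return actions


def unhealthy(indices):
    """Names of indices whose Health is Red; worth a look before any close/delete."""
    return sorted(idx.name for idx in indices if idx.health == "Red")


# Constructed sample list (names, dates, and states are assumptions).
SAMPLE_INDICES = [
    IndexInfo("events-2024.01.11", "Event", date(2024, 1, 11), "Open", "Green"),
    IndexInfo("events-2023.10.01", "Event", date(2023, 10, 1), "Open", "Green"),
    IndexInfo("events-2023.06.01", "Event", date(2023, 6, 1), "Closed", "N/A"),
    IndexInfo("results-2023.12", "Result", date(2023, 12, 1), "Open", "Red"),
    IndexInfo("results-2023.01", "Result", date(2023, 1, 1), "Closed", "N/A"),
]

# Reference date for the sample run (constructed).
TODAY = date(2024, 1, 12)

if __name__ == "__main__":
    for name, action in plan_actions(SAMPLE_INDICES, TODAY, 90, 180).items():
        print(f"{name}: {action}")
    print("Red health:", unhealthy(SAMPLE_INDICES))
```

Ages are measured from the end of the period an index covers, not its start, so a monthly Results index is not closed until the whole month it holds is outside the open window. Keeping the two thresholds separate mirrors the two-step Close then Delete flow the console enforces.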

LDAP configuration

You can configure an LDAP server to use for the purpose of logging in to the system.

Note

Only Microsoft Active Directory servers are supported at this time.

Task
1. Select Administration → Interfaces → LDAP Configuration, then click Add Server.
2. Enter the LDAP server base, domain, and URL in the designated fields.


Note

The URL must be in the format ldap:// or ldaps://.

3. (Optional) Enter the root path to the LDAP server.
4. Enter the username and password for the LDAP server.
5. (Optional) Expand the Advanced area to configure the connection and read timeout periods (in seconds).
6. Click Test Connection to check the validity of the parameters entered.
7. Click Save.

Results

To delete a server, select the corresponding checkbox in the LDAP Configuration table, then select Delete from the Actions
menu.
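The note above gives the format rule for the server URL (ldap:// or ldaps://). As an added example that is not part of this product guide or of the product's code, the Python below applies that rule to a URL before it is entered and adds the checks a practitioner would want: a host name must be present, credentials must not be embedded in the URL (the page has separate username and password fields for them), and a plain ldap:// URL is reported as a warning because a simple bind over it sends the password in clear text unless the connection is upgraded with StartTLS, which the guide does not mention. The sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Default ports for the two schemes the console accepts.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_ldap_url(url):
    """Validate an LDAP server URL for the LDAP Configuration page.

    Returns a dict with 'valid' (bool), 'errors' (blocking problems),
    'warnings' (allowed but risky), and the parsed scheme/host/port.
    """
    result = {"valid": False, "errors": [], "warnings": [],
              "scheme": None, "host": None, "port": None}
    parts = urlsplit(url.strip())

    if parts.scheme not in DEFAULT_PORTS:
        result["errors"].append("URL must be in the format ldap:// or ldaps://")
        return result
    if not parts.hostname:
        result["errors"].append("URL has no host name")
        return result
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:
        result["errors"].append("port is not a number")
        return result
    if parts.username or parts.password:
        # Credentials belong in the separate username/password fields, not in the URL.
        result["errors"].append("credentials embedded in URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        # The search base is entered in the base field; the URL should carry
        # only scheme, host, and port.
        result["warnings"].append("URL carries a path or query; enter the search base in the base field")
    if parts.scheme == "ldap":
        result["warnings"].append("ldap:// without StartTLS sends the bind password in clear text; prefer ldaps://")

    result.update(scheme=parts.scheme, host=parts.hostname, port=port,
                  valid=not result["errors"])
    return result


if __name__ == "__main__":
    # Constructed sample URLs; none refers to a real server.
    for url in ("ldaps://dc01.corp.example",
                "ldap://dc01.corp.example:389",
                "ldap://svc:Placeholder@dc01.corp.example",
                "dc01.corp.example"):
        r = check_ldap_url(url)
        print(url, "->", "OK" if r["valid"] else "REJECT", r["errors"], r["warnings"])
```

Run the check on the value you intend to paste into the URL field, then use Test Connection in the console as the authoritative confirmation; the local check only catches format mistakes and the clear-text scheme before a bind is attempted.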

COPYRIGHT
Copyright © 2024 Musarubra US LLC.

Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and their affiliates in the
US and/or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and/or other countries.
Skyhigh Security is the trademark of Skyhigh Security LLC and its affiliates in the US and other countries. Other names and brands are the
property of these companies or may be claimed as the property of others.
