OS User Chaining

Save PDF

Feedback

Working with Database Activity Monitoring
Overview
- Introducing SecureSphere Database Security
  - Available Licenses for SecureSphere Database Security Products
  - Application Data Security
    - Tracking Database Users
    - Multi Layer Protection
- The Imperva DAM System
- SecureSphere Architecture
- SecureSphere User Interface
- SecureSphere Main Features
Discovering and Classifying Network Assets
- Introduction to SecureSphere Discovery and Classification
- Understanding the Discovery Window
- Major Discovery and Classification Tasks
  - Using Service Discovery to Populate a SecureSphere Site
- Working with SecureSphere Scans
- Managing Discovered Servers
  - Analyzing Discovered Servers
    - Viewing Discovered Server Details in Tabular View
    - Viewing Discovered Servers in Graphical Views
- Working with Discovered Servers
- Managing Classified DB Data
  - Analyzing Classified DB Data
    - Analyzing Classified DB Data in Tabular View
      - Classified DB Data Details
    - Viewing Classified DB Data in Graphical Views
  - Editing, Accepting, Rejecting Classified DB Data
    - Editing Classified DB Data
    - Manually Accepting or Rejecting Classified DB Data
Basic SecureSphere Configuration
- Basic Configuration Overview
  - Browser Support
  - Exporting and Importing Individual Objects
- Basic Configuration Guidelines for Gateways, Management Servers and Agents
- IPv6 Support
  - IPv6 Support in DAS
- Basic Site Configuration
- Basic Server Group Configuration
  - Server Group Best Practices
  - Basic Server Group Configuration Tasks
- Configuring Server Group Direct Access Information
  - Configuring Override Default OS Credentials for a Specific DB Service
- Understanding Server Group Parameters
- Basic Database Services Configuration
- Managing Database Applications
  - Adding a New Database Application
  - Understanding Database Application Parameters
    - Database Application Definitions Parameters
    - Database Application Applied Policies Information
- General Basic Configuration Tasks
- Adding Session Identifiers Used for Session Tracking
- Configuring Action Sets and Followed Actions
- Activating Settings
- Database Connection Encryption
Onboarding an Oracle Database to SecureSphere
- Planning
- SecureSphere Configuration
  - Channel Aging
  - Monitoring Rules
- Security Policies
- Auditing
- Agent Installation Main Tasks
Software Update
- SecureSphere Software Update Overview
  - Understanding Families
  - Understanding the Workflow of Software Update
- The Software Update Synchronization Process
  - Online Synchronization
  - Manual Synchronization
- Selecting and Uploading the Software Installation Packages
  - Understanding the Target Version Window
  - Understanding the Procedure for Uploading Software Installation Packages
    - Selecting a Target Version for Update
      - Selecting a Target Version for Update of a Single Agent Instance
    - Uploading Software Installation Packages to the MX
- Updating the Software
- Configuring Software Update Settings
- Using the Agent Compatibility Package
User Rights Management
- Introduction to SecureSphere User Rights Management
- User Rights Management Main Tasks
- Working with User Rights Scans
- Analyzing Database User Rights
- Viewing User Rights Details
  - Reviewing User Rights Paths
  - Examining Derived Rights
- Managing Discovered User Rights
Monitoring
- Monitoring Models in SecureSphere
- Understanding Alerts, Events and Violations
  - Monitoring Architecture
- Monitoring Checklist
- Working with the Dashboard
- Managing Alerts
- Managing Violations
- Managing Blocked Sources
  - Viewing Blocked Sources
  - Releasing Blocked Sources
- Managing System Events
  - Viewing System Events
  - Understanding System Events
    - Understanding the System Events Table
    - Configuring System Events to Interface with 3rd Party Tools
- Filtering Alerts and Violations
System Monitoring
- Working with Alarms
  - Understanding the Alarm Details Window
- Working with the Alarms History Window
- Configuring Alarms
  - Configuring Alarm Notifications
- Acknowledging Alarms
- Adding a Note to an Alarm
Risk Management
- Introduction to SecureSphere Risk Management
- Scanning and Assessing Databases
Security Policies
- Introducing Security Policies
- Security Policy Main Tasks
- Network Security Policies
- Database Service Level Security Policies
- Exporting DB Security Violations to Imperva Sonar
- DB Application Level Policies
- z/OS DB Service Level Security Policies
  - Enabling Blocking Using z/OS Security Policies
- z/OS File Service Policies
Reporting
- Reports Introduction
- Report Terminology
- Understanding the Reports Window
- Working with Reports
- Creating and Managing Reports
- Filtering Reports
  - Basic Filter Criteria
- Configuring Imperva DAM to Export DAM Reports to Imperva Sonar
  - Configuring Imperva DAM to Export Reports to Imperva Sonar - Common Instructions
  - Configuring Imperva DAM to Export Reports to Imperva Sonar - Instructions for Specific Report Types
- Migrating MX Audit Report Definitions to DSF Hub
Auditing
- Introduction to Auditing
- Working with Auditing
- Analyzing Audit Data
- Taking Action on Audit Results
- Configuring Filter Criteria
  - Dynamically Change Filter Based on Audit Data
- Managing Audit System Status
- Managing Archived Audit Data
- Integrating Auditing with SIEMs
- Mounting Audit Archive Directories
  - Mounting the Audit Archive Directory (CIFS and NFS)
- Log Collector
- Audit Policies
  - Working with Audit Policies
  - Predefined Database Audit Policies
- Sending DB Audit Data to Imperva Sonar
Database Profiles
- Understanding DB Profiles in SecureSphere
- Database Profile Tasks
  - Viewing Database Profiles
- Database Profiles - Working with Users and User Groups
- DB Profile Users and User Group Tabs
- Working with DB Query Groups and Queries
  - Managing Query Group Modes
    - Switching the Mode of a Query Group
    - Switching the Mode of all Query Groups
  - Displaying Query Group Graphs
- DB Profile Policy
  - Tuning a DB Profile Policy
    - Viewing and Editing the DB Profile Default Policy
    - Disabling Automatic Database Profiling
- Reducing the Size of the Profile
  - Using Query Groups to Reduce Profile Size
  - Using User Names to Reduce Profile Size
- DB Profile APU (Automatic Profile Update)
Universal User Tracking
- Understanding Universal User Tracking
- SQL Connection User Tracking
- Direct User Tracking
  - Direct User Tracking Architecture
  - Configuring Direct User Tracking
- SAP Business Objects
Signatures
- Working with Signatures
- Working with Dictionaries
- Standard Dictionaries
Exporting DAM Audit Data and Security Violations to Sonar
- Configuring Imperva DAM to Export Events Data to Sonar
- Understanding Large Scale Gateways and Large Scale MX
Advanced SecureSphere Configuration
- Advanced Configuration Overview
  - Identifying Advanced Configuration Requirements
- Applying Policies
  - Applying Security Policies to the Objects in the Sites Tree
  - Applying Security Policies to the Objects in the Applications Tree
    - Working with Application Groups
    - Applying/Unapplying Automatic Application of a Policy to New Server Groups, Services, and Applications
- Managing Archive and Key Settings
  - Managing Keys
    - Exporting Default Keys
    - Uploading Default Keys
  - Defining Archive Settings
  - Configuring and Applying Archive Settings
- Working with Action Sets and Followed Actions
  - Action Sets and Followed Actions Overview
  - Action Set Main Tasks
  - Working with Default Action Sets
  - Creating Custom Action Sets
  - Action Interface Types
  - Configuring Action Interface Parameters
    - Run on Every Event
    - SNMP Traps
  - Assigning Followed Actions
    - Directly Assigning Followed Actions from the Security Policy Window
- Working with Global Objects
  - Summary of Global Objects
  - Creating New Global Objects
  - Working with Global Ports Groups
  - Configuring IP Groups
    - Importing an IP Group from a CSV File
    - Creating an IP Group Individually
  - Configuring Cloud Accounts
    - Adding a New Cloud Account
    - Configuring a Cloud Account
- Configuring Sensitive Data Protection
  - Using Sensitive Data Dictionary Groups
  - Masking Data in Elements
    - Attaching a Sensitive Dictionary Group to a Service
- Working with Data Types
  - Creating a New Data Type
  - Configuring Database Data Types
- Configuring Windows Domains
  - Configuring the Default Domain Name
  - Configuring Default Domain Credentials
  - Configuring Active Directory Settings
  - Configuring Kerberos Support
- Generic Dictionary Groups
- Protecting and Auditing Custom Information with Lookup Data
  - Predefined Lookup Data Sets
  - Creating a Lookup Data Set
  - Configuring and deleting Lookup Data Sets
- Enriching Data
  - Creating an Enrichment Policy
  - Configuring Data Enrichment Policies
  - Configuring Data Enrichment Policy Rules
    - Configuring Data Enrichment Web Policy Rules
      - Configuring Data Enrichment from a Lookup Data Set
      - Configuring Data Enrichment from Event SQL
        Working with Stored Procedures
        Content Hashing in Data Enrichment Policies
- Introducing Active Modules
- Change Tracking - External Objects
  - Overview of Change Tracking - External Objects
  - Before Running a Change Tracking - External Objects Policy
    - Change Tracking - External Objects Policy Permissions
    - Change Tracking - External Objects - Policy Configuration
  - Creating a New Change Tracking - External Objects Policy
  - Viewing a Change Tracking - External Objects Policy
  - Editing a Change Tracking - External Objects Policy
- Application Structure Modeling
- Working with Tasks
  - Tasks Overview
  - Task Types
  - Understanding the Tasks List
  - Task Followed Action Configuration Guidelines
  - Creating Review Tasks
  - Creating Assignment Tasks
  - Working with Open Tasks
    - Completing Review Tasks
    - Completing Assignment Tasks
- Configuring Preferences
  - Configuring User Details
  - Changing Passwords
  - Configuring User Preferences
- Configuring Syslog
  - Understanding Syslog Fault Tolerance
  - Configuring Available Space for Syslog Buffering (Optional)
- Configuring Integration with Third Party Management Systems
  - Configuring the Gateway's Syslog Client Message Size
  - Configuring the Gateway's Syslog Placeholder Value Size
  - Increasing query field length for Syslog
  - Configuring Integration with ArcSight
  - Integrating with RSA enVision
  - Archiving to Amazon S3
  - Configuring Integration with BMC Remedy Service Desk
  - Configuring Integration with Active Directory for User Management
- System Event Policies
  - Working with System Events Policies
  - Creating a System Events Policy
  - Importing and Exporting System Event Policies
- Configuring Scheduling
  - Understanding the Execution Plan
- Text Replacement
  - Working with Text Replacement
  - Removing Dynamic Elements using Text Replacement
- Configuring Stored Procedures Automatic Update
  - Privileges Required to Access Stored Procedures
- Defining and Protecting Database Objects
  - Overview of Defining and Protecting Database Objects
  - Working with Privileged Operations and Command Groups
    - Creating Privileged Operations Groups
    - Creating Command Groups
  - Configuring Stored Procedure Support
    - Configuring Stored Procedure Groups
  - Creating a Database Table Group
  - Adding Stored Procedure and Table Groups to a Database Application
  - Configuring a Database Owner
    - Configure the Database Owner Global Object
    - Configure a Database Service with a Database Owner
  - Export to XML
    - How the Exporting to XML Works
    - Working with Imperva Open API
- Track Value Changes
  - Overview of Track Value Changes
  - Before Running a Tracking Value Changes Policy
    - Track Value Changes Policy Permissions
    - Preparing to use Track Value Changes
  - Creating a Track Value Changes Policy
  - Viewing a Track Value Changes Policy
  - Editing a Track Value Changes Policy
SecureSphere Agents
- SecureSphere Agent Overview
- Installing the SecureSphere Agent
- Advanced Agent Configuration
- Command Line Scripting Language
  - Conventions for Command Line Scripting
  - Syntax for Command Line Scripting
Gateway Cluster
- General Overview of Gateway Cluster
- Gateway Cluster Concepts
- Setting up a Cluster from Scratch
- Converting an Existing Gateway Group into a Cluster
- Managing a Cluster
- Monitoring a Cluster
- Maintaining a Cluster
- Special Cluster Configurations
  - Configuring a Cluster Behind a NAT
  - Assigning Agents Monitoring an Oracle Database Cluster to a Large Server Cluster
- Understanding Cluster High Availability
Appendix Event Types
MXs Managed by SOM
- Working with SOM
- Registering MXs
  - Setting Up SSL with Certificate Authentication
  - Removing MXs from SOM
- Deploying MX and SOM Behind a NAT
  - Understanding MX Deployment Behind a NAT
Writing Signatures and Regular Expressions
- Writing Signatures
- Regular Expressions
SecureSphere Agent for DB2-400
- Introducing SecureSphere Agent for DB2/400
  - Overview
- Getting Started
- After Installation
- *AGENT Audit Types
- Uninstalling SecureSphere Agent for DB2/400
- Configuring DB2-400 Query Length
- Additional Configuration
Placeholders
- Working with Placeholders
  - Working with Standard Placeholders
  - Working with Collection Placeholders
    - Understanding Single Collection Placeholders
    - Understanding the Nested Collection Placeholder
- List of Standard Placeholders
  - Correspondence Table
- List of Collection Placeholders
- Advanced Options
  - DTFormat
- Macros for Use with Placeholders
- Splunk Placeholders
  - List of Splunk Placeholders
- ArcSight Placeholders and Syntax
  - Examples of Syslog Events for ArcSight
  - CEF Fields
    - Standard Fields
    - Extended Fields
Filter Criteria and Report Data Fields
- Filter Criteria and Report Data Fields Overview
- Dataset: Lookup Attribute Usage Example
- Alert and Violation Criteria
- Audit Report Criteria
  - DB Audit Report Criteria
- Agent Criteria
- Assessment Criteria
- System Event Criteria
- User Rights Report Criteria
  - DB User Rights
- Task Report Criteria
- Configuration Report Criteria
- Risk Management Filter Criteria
  - Assessment Results Filter Criteria
- Discovery Report Match Criteria
- Discovery Filter Criteria
- Active Module Criteria
- Profile Criteria
  - DB Profile - Detailed Report
- Custom Policies Match Criteria
  - Database Custom Policies Match Criteria
  - Advanced Criteria
    - Understanding the Advanced Criteria
    - Understanding the Don't Match If... Condition
      - Advanced Criteria with One Value Only
      - Advanced Criteria with More than One Value
- Enrichment Policy Match Criteria
  - DB Service Enrichment Policy Match Criteria
Report Columns
- Columns Available in Alert Reports
  - Alert Report Available Columns
  - Alert Event Available Columns
- Columns Available in Audit Reports
  - DB Audit Data Audit Report
  - Audit Time Grouping Columns
- Columns Available in Assessment Reports
- Columns Available in System Event Reports
- Columns Available in Task Reports
- Columns Available in DB User Rights Reports
- Columns Available in Configuration Reports
- Columns Available in Active Module Reports
- Columns Available in Discovery Reports
- Columns Available in Profile Reports
  - DB Profile - Detailed Report Columns
Pre-Defined Reports
- Alert Reports
- Active Module Reports
- System Events Reports
- Audit Reports
Required Permissions
- Notes on MSSQL 2008 and Higher
- Required Permissions for File Classification
- Required Permissions for Data Classification
  - Supported Database Types for Classification
- Required Permissions for Assessment
- Required Permissions for Stored Procedures
- Required Permissions for Database User Rights Management
Alert Aggregation Descriptions
- Alert Aggregation Descriptions
Troubleshooting Hashed Users
SAP Configuration
- Configuring the SecureSphere Gateway
- Monitoring SAP Transactions
- Defining SAP Transactions
  - Configuring SAP Transactions for use in SecureSphere
- Other Audit Policies
- Database Table Groups
Rule.dn Associated IDs
- About Rule.dns
- List of Rule.Dn Associated IDs
Database Audit Parser Strings
- MySQL and MariaDB audit parser strings
- Oracle audit parser strings
- DB2 audit parser strings
- Teradata audit parser strings
- SAP Hana audit parser strings
Supported Data Types
- Supported Data Types - Oracle
- Supported Data Types - SQL Server
- Supported Data Types - Sybase
- Supported Data Types - Informix
- Supported Data Types - MySQL
- Supported Data Types - DB2
- Supported Data Types - Netezza
Glossary
Property Rights Notice
End User License and Services Agreement

HomeDatabase Activity Monitoring User Guide...SecureSphere AgentsSecureSphere Agent OverviewOS User Chaining

Table of Contents

OS User Chaining

Also available in:
v14.7
v14.18
v14.17
v14.16
v14.15
v14.14
v14.13
v14.12
v14.11
V14.10
v14.9
v14.8
Last UpdatedMar 14, 2025
2 minute read

OS User Chaining

Note: This section is relevant only for database SecureSphere Agent.

The SecureSphere Agent tracks the chain of OS users, so that if a local user logs in with one OS user name and then performs a series of "identity changes" through the use of the su command, the SecureSphere Agent will include the chain of user names and the remote login IP address in the audit record. Also, the remote login IP address will be reported as the source IP address instead of the fictitious IP address defined in the Fictitious Network Parameters section of the Settings tab (see General Settings - Fictitious Network Parameters Section).

The OS user chain is available as a match criterion for use in security, data enrichment and audit policies.

In audit policies, the Source of Activity match criterion can be used to specify the source IP address.

In a policy’s Match Criteria tab, you can specify the OS user chain as a match criterion. If the selected OS user’s name is present anywhere in the chain, the match is successful.

In an audit policy’s Settings tab, you can specify the OS user chain as an index field. For more information, see Configuring General Audit Policy Settings.

EXAMPLE:

For example, suppose a non-Windows user enters the following commands (passwords have been omitted for clarity):

login: root

su bob

su alice

su charlie

... <charlie accesses the database> ...

In Windows, the same effect could be achieved using Remote Desktop.

Non-Windows SecureSphere Agent report the entire chain, for example, "root > bob > alice > charlie". Windows SecureSphere Agent report only the first and last user names in the chain.

Was this topic helpful?

Like Dislike

Database Activity Monitoring User Guide

Filters

Source Type

Application Security

Data Security

Network Security

Application Performance

Product Versions

Hypervisor Installation

Document Type

Public Cloud

Community Content Type

Product Area

OS User Chaining

Table of Contents

OS User Chaining

Provide feedback for this topic

Save PDF

Provide feedback for this topic