Database Activity Monitoring User Guide

      OS User Chaining

      Note: This section is relevant only for the database SecureSphere Agent.

      The SecureSphere Agent tracks the chain of OS users, so that if a local user logs in with one OS user name and then performs a series of "identity changes" through the use of the su command, the SecureSphere Agent will include the chain of user names and the remote login IP address in the audit record. Also, the remote login IP address will be reported as the source IP address instead of the fictitious IP address defined in the Fictitious Network Parameters section of the Settings tab (see General Settings - Fictitious Network Parameters Section).

      The OS user chain is available as a match criterion for use in security, data enrichment and audit policies.

      In audit policies, the Source of Activity match criterion can be used to specify the source IP address.

      In a policy’s Match Criteria tab, you can specify the OS user chain as a match criterion. If the selected OS user’s name is present anywhere in the chain, the match is successful.

      In an audit policy’s Settings tab, you can specify the OS user chain as an index field. For more information, see Configuring General Audit Policy Settings.

      EXAMPLE:

      Suppose a non-Windows user enters the following commands (passwords have been omitted for clarity):

      login: root
      su bob
      su alice
      su charlie
      ... <charlie accesses the database> ...

      In Windows, the same effect could be achieved using Remote Desktop.

      Non-Windows SecureSphere Agents report the entire chain, for example, "root > bob > alice > charlie". Windows SecureSphere Agents report only the first and last user names in the chain.
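
The matching rule and the platform difference above, as an added example (not Imperva code): a criterion on an intermediate user such as alice matches the full non-Windows chain but not the first-and-last chain a Windows agent reports. The record field names, the whole-name comparison and the sample IP addresses are assumptions made for the illustration.

```python
# Added illustration, not Imperva code: models the chain format and match rule described above.
SEP = ">"  # separator as it appears in the guide's sample chain

def parse_chain(chain):
    """Split a reported OS user chain into names, login user first."""
    return [name.strip() for name in chain.split(SEP) if name.strip()]

def as_reported(users, windows):
    """Non-Windows agents report every name; Windows agents only the first and last."""
    if windows and len(users) > 2:
        users = [users[0], users[-1]]
    return " > ".join(users)

def chain_matches(chain, selected_user):
    """True if the selected user appears anywhere in the chain.
    Assumption: whole-name, case-sensitive comparison ('bob' does not match 'bobby')."""
    return selected_user in parse_chain(chain)

def flag_records(records, selected_user):
    """Return (id, login user, effective user) for each record whose chain matches."""
    hits = []
    for rec in records:
        users = parse_chain(rec["os_user_chain"])
        if selected_user in users:
            hits.append((rec["id"], users[0], users[-1]))
    return hits

# Constructed audit records (field names are hypothetical, IPs are documentation addresses).
SESSION = ["root", "bob", "alice", "charlie"]
RECORDS = [
    {"id": 1, "source_ip": "192.0.2.10", "os_user_chain": as_reported(SESSION, windows=False)},
    {"id": 2, "source_ip": "192.0.2.11", "os_user_chain": as_reported(SESSION, windows=True)},
    {"id": 3, "source_ip": "192.0.2.12", "os_user_chain": "bobby > dave"},
]

if __name__ == "__main__":
    for user in ("alice", "charlie", "bob"):
        print(user, flag_records(RECORDS, user))
```

When a policy has to cover both platforms, matching on the first or last user in the chain gives the same result on each; an intermediate name is only visible in chains reported by non-Windows agents.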
