Imperva Cyber Community


Audit policies general misconfiguration

  • 1.  Audit policies general misconfiguration

    Posted 18 days ago
    Hello,

    In DAM an alarm received as below -

    ===========================================================================================================
    Audit policies general misconfiguration
    Description
    There are audit policies at risk of losing audit

    The following audit policies: [ DDL commands, Database configuration changes, Database connections, New Databases, New Users Account, PCI - Audit of newly created objects under system schema, PCI - Modification audit of system-level objects, PCI - Privileged operations on users and privileges management, Privilege manipulation, Table related commands, Users and Privileges Management Commands ] are not properly configured and are at risk of losing audit. The reason is no archiving is configured and no external logger is configured on these policies.
    =====================================================================================================================

    I am not able to understand why this alert triggered suddenly, as we did not make any changes to the audit policies. What could be the reason for it?

    Also, in the alarm I could see the start time and end time. Does it mean the alarm was automatically acknowledged?


    #DatabaseActivityMonitoring

    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------


  • 2.  RE: Audit policies general misconfiguration

    CHAMPION
    Posted 18 days ago
    Hello,

    The change you must have done is applying the policies mentioned to any database service, so the audit policies are now active and collecting audit data. You should configure an archiving action set under "Policy Name" - Archiving, for all the policies mentioned on the error so the error will be resolved.

    Hope it helps,

    ------------------------------
    Sabajete Elezaj
    Security Engineer
    Snt Albania
    Tirana
    ------------------------------



  • 3.  RE: Audit policies general misconfiguration

    Posted 18 days ago
    The configuration under Archive settings is Default Archiving Settings. As I mentioned, I did not make any changes in Archive settings (apply, remove or change).
    I want to know what could have caused this alarm to trigger?

    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------



  • 4.  RE: Audit policies general misconfiguration

    CHAMPION
    Posted 18 days ago
    You applied the policy to a database service. So under "Policy Name" -> "Apply To" you have applied the policy, and the policy is active and collecting audit data. That's what triggers the alarm.
    In Archive Settings you should schedule the Archive, so check the Recurring and set Date & Time.

    The alert is to help you not lose audit data by archiving them.



    ------------------------------
    Sabajete Elezaj
    Security Engineer
    Snt Albania
    Tirana
    ------------------------------



  • 5.  RE: Audit policies general misconfiguration

    Posted 18 days ago
    I want you to understand, I did not apply any audit policy to any database server, as no DB server was integrated in the last 2 months. This alarm triggered on the 8th of August.

    As I mentioned, under Archive settings, Default Archiving Settings is configured. Can we find out the reason in any way for the triggering of this alarm? Below is a screenshot.



    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------



  • 6.  RE: Audit policies general misconfiguration

    CHAMPION
    Posted 18 days ago
    Since the alert has a start time and end time, it means it is no longer active. So the policies were applied and un-applied. Go to System Events on 8 August, filter Subsystem=Config and look for Event Type = Policy Changed, Configuration Changed.

    Again, it's just an alert so you don't lose audit data, nothing critical.

    Regards



    ------------------------------
    Sabajete Elezaj
    Security Engineer
    Snt Albania
    Tirana
    ------------------------------



  • 7.  RE: Audit policies general misconfiguration

    Posted 16 days ago
    Hi Sabajete,

    I checked under System Events > Audit and I found that the audit logs for the [DDL commands, Database configuration changes, Database connections, New Databases, New Users Account, PCI - Audit of newly created objects under system schema, PCI - Modification audit of system-level objects, PCI - Privileged operations on users and privileges management, Privilege manipulation, Table related commands, Users and Privileges Management Commands] audit policies were purged on 8th August 2021 at 12 am (midnight). But the alarm notification triggered in the morning around 6:15 am and ended at 11:51 am.

    Do you have any answer for this?

    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------
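
The two things discussed in this thread, the condition the alarm text states (a policy that is applied and collecting audit data but has neither an archiving action set nor an external logger) and the triage suggested in reply 6 (read the System Events around the alarm's start and end time), can be written down as a small script. The following is an added example by the editor, not code from the thread or from Imperva: the record layouts, the field names, the event type "Audit Data Purged" and the "User Login" event are assumptions, and the sample policies and events are constructed to mirror the timeline in reply 7 (purge at midnight, alarm active 06:15 to 11:51 on 8 August 2021).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AuditPolicy:
    """Settings of one DAM audit policy. Field names are this example's own, not Imperva's schema."""
    name: str
    applied_to: List[str]                 # database services the policy is applied to
    archiving_action_set: Optional[str]   # archiving action set under Policy Name -> Archiving
    external_logger: Optional[str]        # external logger action, if any


def policies_at_risk(policies: List[AuditPolicy]) -> List[str]:
    """Return names of policies matching the alarm's stated condition: applied to at least
    one service (so they collect audit data) but with no archiving and no external logger."""
    return [
        p.name for p in policies
        if p.applied_to and not p.archiving_action_set and not p.external_logger
    ]


@dataclass
class SystemEvent:
    """One row of a System Events export (constructed shape, not an Imperva export format)."""
    time: datetime
    subsystem: str
    event_type: str
    detail: str


# Event types named in reply 6 as the ones to look for under Subsystem=Config.
CONFIG_EVENT_TYPES = {"Policy Changed", "Configuration Changed"}


def events_to_review(events: List[SystemEvent], alarm_start: datetime, alarm_end: datetime,
                     lookback: timedelta = timedelta(hours=8)) -> List[SystemEvent]:
    """Pick the events worth reading when triaging the alarm: Config-subsystem changes of
    the types above, plus any Audit-subsystem events (such as a purge), from `lookback`
    before the alarm's start time up to its end time, in time order."""
    window_start = alarm_start - lookback
    hits = [
        e for e in events
        if window_start <= e.time <= alarm_end
        and (e.subsystem == "Audit"
             or (e.subsystem == "Config" and e.event_type in CONFIG_EVENT_TYPES))
    ]
    return sorted(hits, key=lambda e: e.time)


# Constructed sample data. The alarm window is the one reported in the thread; the
# policies, the 08:00 policy change and the other events are invented for illustration.
ALARM_START = datetime(2021, 8, 8, 6, 15)
ALARM_END = datetime(2021, 8, 8, 11, 51)

SAMPLE_POLICIES = [
    AuditPolicy("DDL commands", ["prod-db-service"], None, None),
    AuditPolicy("Database connections", ["prod-db-service"], "Default Archiving Settings", None),
    AuditPolicy("Table related commands", [], None, None),   # not applied, so not collecting
]

SAMPLE_EVENTS = [
    SystemEvent(datetime(2021, 8, 7, 15, 0), "Config", "Policy Changed", "outside lookback window"),
    SystemEvent(datetime(2021, 8, 8, 0, 0), "Audit", "Audit Data Purged", "audit data for 11 policies purged"),
    SystemEvent(datetime(2021, 8, 8, 7, 0), "Config", "User Login", "not a policy/config change"),
    SystemEvent(datetime(2021, 8, 8, 8, 0), "Config", "Policy Changed", "DDL commands: Apply To updated"),
    SystemEvent(datetime(2021, 8, 8, 13, 0), "Config", "Configuration Changed", "after alarm ended"),
]


def triage():
    """Run both checks over the sample data and return (at-risk policy names, events to review)."""
    return policies_at_risk(SAMPLE_POLICIES), events_to_review(SAMPLE_EVENTS, ALARM_START, ALARM_END)


if __name__ == "__main__":
    risky, hits = triage()
    print("At risk of losing audit:", risky)
    for e in hits:
        print(e.time.isoformat(), e.subsystem, e.event_type, "-", e.detail)
```

On the sample data only "DDL commands" is flagged, since "Database connections" has an archiving action set and "Table related commands" is not applied anywhere; the events left to review are the midnight purge and the 08:00 policy change, while the 07:00 login and the events outside the window are dropped. Replace the sample lists with an export of your own policies and System Events to apply the same filter to a real alarm.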