Using CTE and Imperva Database Activity Monitoring (DAM) Simultaneously
Note
This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).
Security administrators can protect the execution of processes and binaries on CTE agents from ptrace attachment. This prevents process injection attacks through the ptrace system call. Refer to Blocking ptrace system calls to prevent process injection attacks for more information.
Using Ptrace and DAM
Thales CipherTrust Transparent Encryption and Imperva Database Activity Monitoring (DAM) can operate simultaneously on the same system if the ptrace attachment is not blocked on the system. Choose one of the following two configuration options from the Advanced Security Configuration that do not affect DAM agent functionality.
- Disabled_for_all
- Enabled_for_Authenticators (Default setting)
Disabling ptrace protection for Imperva DAM processes when setting to Enabled for All
During Imperva DAM and Thales CTE integration testing, Thales discovered that when the ptrace_configuration option is set to enabled_for_all in CTE, the DAM audit logs are not generated. This is because the enabled_for_all option blocks ptrace injection for all system binaries. Imperva DAM uses InjectionManager to inject shared libraries into database processes to monitor database activity. Since CTE blocks all ptrace injections in this mode, DAM fails to inject these shared libraries into the database processes. As a result, no logs are generated or sent to the gateway server.
The solution is for CTE to exempt certain applications from ptrace protection using client settings. You need to specify the binary that performs the tracing, and tag it with |allow_ptrace| in the client settings in CipherTrust Manager. If the binary is also listed under a host setting, the tag must be combined accordingly. For example, if the binary falls under the Authenticator client setting, the tag in the client settings should be:
|Authenticator+allow_ptrace|
Ensuring the Correct CTE/DAM Service Startup and Shutdown Order
CipherTrust Transparent Encryption services and DAM services must be started and stopped in the correct order to prevent problems with any data that is guarded by CipherTrust Transparent Encryption. This order is important any time these services need to be started or stopped, such as:
- During the normal startup and shutdown of your Linux host.
- Before enabling a scheduled upgrade of CipherTrust Transparent Encryption.
- Before performing a manual upgrade of CipherTrust Transparent Encryption.
- As needed for maintenance or troubleshooting.
Starting or Stopping DAM and CipherTrust Transparent Encryption Manually
Warning
CTE cannot be stopped while the DAM agent is running.
CTE Commands for Stopping and Starting the Agent
Command | Command syntax for Linux distros that support systemd | Command syntax for Linux distros that DO NOT support systemd |
---|---|---|
Start | /etc/vormetric/secfs start | service secfs start |
Restart | /etc/vormetric/secfs restart | service secfs restart |
Stop | /etc/vormetric/secfs stop | service secfs stop |
Check status | /etc/vormetric/secfs status | service secfs status |
DAM Commands for Stopping and Starting the Agent
Command | Command syntax | Comment |
---|---|---|
Start | <DAM-remote-agent-install-directory>/ragent/bin/rainit start | |
 | <DAM-remote-agent-install-directory>/installer/bin/rainstallerinit start | Required if it exists |
Stop | <DAM-remote-agent-install-directory>/ragent/bin/rainit stop | |
 | <DAM-remote-agent-install-directory>/installer/bin/rainstallerinit stop | Required if it exists |
See Adding Dependencies to systemd Unit Configuration Files for more information.
Ensuring the proper order
Perform the following steps in this exact order:
- Stop the DAM agent monitoring.
- Stop CipherTrust Transparent Encryption.
- Perform the CTE or DAM upgrade or maintenance.
- Start DAM agent monitoring.
- Start CipherTrust Transparent Encryption.
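The sequence above as a script, added here as an illustration and not Thales or Imperva code: it builds the ordered command list from the two command tables and, by default, only prints it. DAM_DIR is a placeholder for <DAM-remote-agent-install-directory>, and SYSTEMD_DIR and DRY_RUN are hypothetical variables introduced for this example.

```sh
#!/bin/sh
# Added example (not vendor code): the page's stop/start order as a script.
# Assumptions: DAM_DIR stands for <DAM-remote-agent-install-directory> (the
# default is a placeholder) and contains no spaces; SYSTEMD_DIR is a test hook.
DAM_DIR="${DAM_DIR:-/path/to/DAM-remote-agent-install-directory}"
SYSTEMD_DIR="${SYSTEMD_DIR:-/run/systemd/system}"

# CTE command for an action (start|restart|stop|status), per the CTE table.
cte_cmd() {
    if [ -d "$SYSTEMD_DIR" ]; then    # directory exists when systemd is the init system
        echo "/etc/vormetric/secfs $1"
    else
        echo "service secfs $1"
    fi
}

# DAM commands for an action (start|stop); rainstallerinit only if it exists.
dam_cmds() {
    echo "$DAM_DIR/ragent/bin/rainit $1"
    if [ -e "$DAM_DIR/installer/bin/rainstallerinit" ]; then
        echo "$DAM_DIR/installer/bin/rainstallerinit $1"
    fi
}

# Print the whole sequence in the page's order; $1 is the maintenance command.
maintenance_plan() {
    dam_cmds stop
    cte_cmd stop
    echo "$1"
    dam_cmds start
    cte_cmd start
}

# Print each step, and run it unless DRY_RUN=1 (the default). The first failing
# step aborts the run, so CTE is never stopped after a failed DAM stop.
run_plan() {
    maintenance_plan "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "${DRY_RUN:-1}" = 1 ] || sh -c "$cmd" || exit 1
    done
}
```

Source the file and call run_plan with the maintenance command as its single argument; review the printed plan first, then set DRY_RUN=0 to execute it.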
Prerequisites
- Install CTE v7.8.0 on the agent and register it with CipherTrust Manager.
- Ensure that Imperva DAM is installed and configured correctly on the MX server.
Exempting Applications
- Update the client settings to include the allow_ptrace tag for the InjectionManager binary.
- In the Client window, click Advanced Security Configuration and ensure that Enabled_For_All is selected.
- Restart the MX server agent and database service to apply the updated CTE client settings:
  - Stop the DAM agent service.
  - Stop the database service.
  - Start the database service.
  - Start the DAM agent service.

  Note
  Consult the Imperva documentation for more information.
- Perform any activity on the database. You should now see this activity reflected in the MX server DB audit logs.