FortiDB 5.1.13 Admin Guide

Tutorial: Generating PCI, SOX, and HIPAA compliance reports

You can configure FortiDB to monitor a database and generate alerts based on the following regulatory compliance standards:

  • Sarbanes-Oxley Act (SOX)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability & Accountability Act (HIPAA)

This example configures a Microsoft SQL Server database. Before you start the tutorial, ensure that the database has the required configuration. For more information, see Microsoft SQL Server target database pre-configuration.

Create a target

A target specifies a database for FortiDB to monitor.

  1. Log in to FortiDB using the following credentials (the default values; if the default admin password is still in use on your appliance, change it after you log in):
     User Name: admin
     Password: fortidb1!$
  2. In the navigation menu, go to Target Database Server > Targets.
  3. On the Targets page, click Add.
  4. On the General tab, enter the following information. For this example, the target is a Microsoft SQL Server database:
     Name: dam_pci_sox
     Type: Microsoft SQL Server
     DB Host Name/IP: The IP address or host name of the machine where the database is located (for example, test_machine or 172.30.12.112)
     Port: The port the database listens on; the default port is 1433
     Connect At: Server Level (default)
     DB Name: The name of the database. Because this target connects at the server level, the database name is master and cannot be changed.
     User Name: The database user name
     Password: The password for the database user
     DB Activity Monitoring: Select Allow.
  5. To verify that the connection parameters are correct, click Test Connection.
     The message "Success" is displayed at the top of the page.
  6. Click Save.
     The dam_pci_sox item is displayed in the list of targets.

Add the PCI, SOX, and HIPAA policy groups to the target
  1. In the navigation menu, go to DB Activity Monitoring > Monitoring Management.
  2. Click dam_pci_sox (the name of the target you created).
  3. On the General tab, confirm or enter the following Audit Configuration values:
     Collection Method: SQL Trace (default)
     Trace Folder: The full path of an existing trace folder (for example, C:\SQLTrace). The SQL Server instance writes its trace files there, so the folder must exist on the database host.
     Polling Frequency: 60 (default)
  4. To test the collection method, click Test.
     The message "Success" is displayed at the top of the page.
  5. Click the Alert Policy Groups tab.
  6. Select PCI Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
  7. Repeat the previous step for Sox Policies and for HIPAA Policies.
  8. Click Save.

Start monitoring

To start monitoring the database, click the General tab, and then click Start Monitoring.

Monitor Status displays Starting and then Running.

Configure and export PCI and SOX reports
  1. Using a database client application, execute several SQL statements that generate audit data. For example, to generate data that is captured in a History of Privilege Changes report, execute SQL statements that change privileges.
  2. To create a PCI compliance report, go to Report > PCI Reports.
  3. For this example, select PCI - Successful/Unsuccessful Database Logins.
  4. On the Generate Audit PCI Report page, configure the report using the following values:
     Export as: PDF (default)
     W/P Reference: The work paper reference value, if required. This value is a tracking mechanism that customers can use to identify and place controls around reports.
     Date Range: The start and end dates for the report (click the calendar icons to select dates with the date picker)
  5. Confirm that the target database is displayed in the Targets list. If no data has been collected for the target, its name does not appear in the list.
  6. In the bottom-right corner of the page, click Export.
     Your browser downloads the report file.
  7. Repeat the report steps to generate the following report types:
     • Sox Report: History of Privilege Changes
     • HIPAA Report: Privilege Changes