Technical Training
Student Exercises
GU202G, ERC: 2.1
3721, Version 001-1
GU2022XSTUD
InfoSphere Guardium V9
Contents
Trademarks  v
Exercises description  vii
Exercise 1. Using the Guardium CLI  1-1
Exercise 2. Creating Guardium Users  2-1
Exercise 3. Archiving Collected Data  3-1
Exercise 4. Installing GIM and S-TAP  4-1
Exercise 5. Creating Guardium Groups  5-1
Exercise 6. Creating a Policy  6-1
Exercise 7. Updating a Policy  7-1
Exercise 8. Installing and Configuring CAS  8-1
Exercise 9. Running a Vulnerability Assessment  9-1
Exercise 10. Creating a Simple Query and Report  10-1
Exercise 11. Creating a Query with Drill-down  11-1
Exercise 12. Creating Multiple Queries  12-1
Exercise 13. Creating a Compliance Workflow  13-1
Trademarks
The reader should recognize that the following terms, which appear in the content of this
training document, are official trademarks of IBM or other companies:
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide.
The following are trademarks of International Business Machines Corporation, registered in
many jurisdictions worldwide:
AIX
DB2
InfoSphere
Tivoli
AS/400
Guardium
S-TAP
z/OS
DB
Informix
System z
Exercises description
This course includes the following exercises:
Using the Guardium CLI
Creating Guardium Users
Archiving Collected Data
Installing GIM and S-TAP
Creating Guardium Groups
Creating a Policy
Updating a Policy
Running a Vulnerability Assessment
Creating a Simple Query and Report
Creating a Query with Drill-down
Creating Multiple Queries
Creating a Compliance Workflow
In the exercise instructions, you can check off the line before each step as you complete it to track your progress.
Most exercises include required sections which should always be completed. It might be necessary to complete these sections before you can start later exercises. Some exercises might also include optional sections that you might want to complete if you have sufficient time and want an extra challenge.
Exercise 1. Using the Guardium CLI
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance if
necessary.
Warning
Remember that Linux commands and arguments are case sensitive. Type commands,
usernames, and passwords exactly as shown.
Information
You will often see the IBM InfoSphere Guardium product referred to as SQL Guard (or
SQLGuard). SQL Guard is the old name of the product before it was changed to IBM
InfoSphere Guardium; not all references have yet been updated. In these materials, we
will just refer to the product as Guardium.
__ 2. Following a successful login, you will arrive at the CLI prompt as shown below:
The prompt is made up of the machine hostname and domain name - these were
configured when Guardium was installed. You can inspect these directly by entering
the following CLI commands (press Enter at the end of each command to view the
results):
v9collector01.ibm.com> show system hostname
v9collector01.ibm.com> show system domain
Information
Most Guardium CLI commands consist of a command word followed by one or more
arguments. The argument can be a keyword or a keyword followed by a variable value (for
example, an IP address, subnet mask, date, and so on). Commands and keywords are not
case sensitive, but element names are.
In the above example, which just uses the show command and subsequent
keywords, entering SHOW SYSTEM HOSTNAME would work just as well.
__ 3. The basic show command can be used to inspect many different configuration
parameters. For example, enter the following commands to inspect the network
configuration:
v9collector01.ibm.com> show network interface all
__ 4. If you cannot remember all the command arguments, then the Guardium CLI will list
them for you. For example, just enter the show command by itself (or show ?):
This lists all the possible arguments that can follow the show command.
Similarly, just entering show network will list the possible arguments that can follow
the show network command:
Information
All Guardium CLI commands are documented in the CLI Reference Appendix. This is
included in the IBM InfoSphere Guardium Version 9.0 Appendices document (available in
pdf format) that accompanies the product software.
__ 6.
Information
In a real world situation, it is likely that you will be accessing the Guardium CLI remotely via
something like ssh, rather than directly using the console as you have been doing so far
(ssh or Secure Shell is a network protocol that allows data to be exchanged using a secure
channel between two networked devices).
In this step, we will launch the second VMware image (which also fulfills the
database server role) and use that to access Guardium.
Access the SUSE Linux image:
a. In the elab portal, double click on the Xming icon. The SUSE Linux window
will open.
b. At the login prompt, enter the username root (all lower case letters) and
press Enter. Enter the password guardium (all lower case letters) and press
Enter.
__ 7. Right-click in an open area of the Windows desktop and select Open Terminal
from the pop-up menu.
Test the connection to the Guardium image using the ping command:
dbserver01:~ # ping 192.168.169.9
Verify that you can ping successfully. Press CTRL-c to terminate the ping command.
__ 8. From the terminal window, login to the Guardium image as the cli user using ssh:
dbserver01:~ # ssh cli@192.168.169.9
When prompted (it takes around 30 seconds initially), enter the same password as
before. If you are prompted about the authentication of the host, respond yes to
continue.
__ 9. When you are successfully logged in to the Guardium CLI, use the CLI ping
command to ping the database server (there needs to be two-way communication
between Guardium and the database server):
v9collector01.ibm.com> ping 192.168.169.8
Verify that you can ping successfully. Press CTRL-c to terminate the CLI ping
command.
__ 10. For the remaining activities in this class, we will use the Guardium Console Web
application rather than the CLI to configure Guardium. To make life a little easier, the
Web application's password validation has been disabled, and password expiration
and Web session timeouts have been extended. Verify this as follows:
Open a terminal window (right-click and Open Terminal) and enter the command
db2cc & to start the IBM DB2 Control Center application in a separate window.
Select Advanced and click OK to dismiss the startup configuration dialog.
Expand the tree view on the left of the application by selecting
All Systems->GUARDIUM TRAINING->Instances->db2inst1->Databases->SAMPLE->Tables.
The display will look similar to the screenshot shown.
Notice that there is a running DB2 instance called db2inst1 with a single database
called SAMPLE which contains a number of tables. It is this instance and database
that we will subsequently monitor.
__ 14. Under the SAMPLE database, expand the User and Group Objects node and click
DB Users.
Notice that a number of database users have been defined (9 in total). We will refer
to these in subsequent activities.
__ 15. Close the DB2 Control Center application and the terminal window. Log out the
db2inst1 user and log back on as root (password guardium).
__ 16.
Information
It will greatly assist you in understanding Guardium's capabilities if the database instance
you are monitoring is in constant use, preferably with multiple users performing a variety
of different tasks. We have simulated this in our training environment using a continuously
running Linux cron job that is constantly executing a number of different database scripts.
You will briefly inspect these scripts so that you are aware of the nature of this activity.
sleep 10
/home/db2inst1/db2scripts/db2-priv-users1.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-dml-nonpriv.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-priv-users1.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-select.sh 2
sleep 60
/home/db2inst1/db2scripts/db2-storedprox.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-exceptions.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-priv-users2.sh 1
sleep 60
/home/db2inst1/db2scripts/db2-setup.sh 1
This script is being constantly run as a cron job. Cron is a time-based job scheduler
in UNIX operating systems; it enables users to schedule jobs (commands or shell
scripts) to run periodically at certain times or dates. Our cron job executes a
number of other scripts (which reside in the same directory) between specified sleep
intervals. It is these scripts which actually perform a variety of tasks against the DB2
database.
Inspect one or two of these scripts using the cat command. Do not worry about the
exact commands that these scripts are running; just satisfy yourself that they are
indeed performing a variety of different database tasks using a number of different
users (those you saw earlier in the DB2 Control Center).
__ 18. Close any terminal windows that you have open.
End of exercise
Exercise 2. Creating Guardium Users
Exercise instructions
__ 1. In the SUSE Linux image, start the Firefox Web browser (either enter the command
firefox https://192.168.169.9:8443 &
in a terminal window or click Computer in the task bar and choose Firefox from the
list of Favorite Applications).
__ 2. Firefox's home page is set to the Guardium Console web application's url https://192.168.169.9:8443. Click OK to accept the certificate warning and progress
to the Guardium login page.
You will be prompted to change the password. Set the new password to ibm.
Information
Guardium comes with two built-in users that you can use to access the Guardium Console
Web application administratively:
accessmgr: A member of the accessmgr role. Use this user to create other users
and roles, and to set role memberships.
admin: A member of the admin role. Use this user for all other administrative
functions.
You cannot delete these users, nor can you remove them from their default roles.
__ 3. Once you have successfully logged on as accessmgr, you will be presented with
two tabs: Access Management and Data Security. Access Management should be
selected by default (if it is not, then select it).
Click the User Browser link to see the list of current Guardium users. There will be
only two users defined so far - the built-in accessmgr and admin users.
Click the Add User button and enter the following information:
Username: User01
Password: guardium
First Name: Henry
Last Name: Xavier
Email: henry@ibm.com
Disabled: Un-checked
Remember to uncheck the Disabled check box (it will be checked by default). You
can disregard the text about the password characteristics since, as we saw in the
previous activity, password validation has been disabled.
Click Add User.
__ 4. Repeat this process to create the remaining three users (all with password set to
guardium):
User02, Tracy Yuen, tracy@ibm.com
User03, Dan Charles, dan@ibm.com
User04, Pat Deacy, pat@ibm.com
__ 5. When you are done adding the users, the display on your browser should look
something like this:
Click the Roles link for User01 and add the user to the infosec role by checking the
appropriate checkbox (you will see that User01 is already a member of the user role;
leave this checked).
Double-click on individual users or roles and then select Record Details from the
pop-up menu. This will show you further information about that user's role
memberships or the users assigned to a specific role. This report does not display
details of the admin user or role.
__ 7. Logout of the Guardium Console Web application and close the browser.
End of exercise
Copyright IBM Corp. 2011, 2014
Exercise 3. Archiving Collected Data
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance if
necessary.
__ 1. In the SUSE Linux image, log on as root. Start Firefox and log on to the Guardium
Console Web application as admin. The beginning password is guardium. You will
be prompted to change the password; change it to ibm.
Information
Notice that the screen is very different from the previous exercise where you logged in as
accessmgr. The accessmgr user is a member of the accessmgr role and is restricted to the
few tabs and pages related mostly to user and role access to Guardium. The admin user is
a member of the admin role which exposes all the administrative functions available
(except for those associated with user and role access management). There are numerous
tabs and pages associated with these functions.
__ 2. Before we look at data archiving, let us enable IP to hostname aliasing for this setup
(this will tell Guardium to show the actual hostname corresponding to an IP address
if available). This will not actually have much effect in this training environment
because we do not have a DNS (Domain Name Server); however, it is an example
of something that you would normally do in a real world installation.
Click the Administration Console tab to access the Administration Console pane,
and then expand Configuration and click IP-to-Hostname Aliasing.
__ 3.
Information
Simply applying this configuration setting does not actually do much (other than saving the
setting to the Guardium database, of course). You still need to instruct Guardium to actually
do the aliasing. You can either do this immediately by clicking the Run Once Now button or
schedule the activity on a periodic basis. Let us do both options.
Set the activity to start at 10 pm every day (this is the start time recommended by
the Guardium Implementation Best Practices Guide to avoid potential conflicts with
other scheduled activities).
Notice that the traffic light symbol has now turned green to indicate a scheduled
activity.
Click the Run Once Now button to execute the process immediately. A dialog box
will tell you the process may take some time to perform; click OK to acknowledge
this. You will get a confirmation message when the process is complete. Click OK to
continue.
__ 4.
Information
Now let us get to the data archiving part. In this exercise, you will configure the system to
archive data to a folder on the SUSE Linux image. You would normally archive data older
than 1 day and ignore data older than 2 days to just archive the previous day's activity;
however, in this training environment, it is likely that this would result in nothing being
archived. So to see some effect from this activity, you will extend the archive data set well
into the past to pick up some previously collected data.
You will also disable any purging of collected data for the purposes of this exercise
(it will be useful to you in later exercises to have some past data to work on). Again,
this is not something you would normally do. Usually collected data should be
regularly purged from the system once it has been archived to save space.
Select the SCP protocol (we are just sending the data to a file system)
and enter the following data:
Host: 192.168.169.8
Directory: /root
Username: root
Password: guardium
Click on OK to continue.
__ 5.
Information
At this point, you would normally want to schedule the archive and purge activity to run
overnight on a regular basis (the Guardium Implementation Best Practices Guide
recommends a 1:30 am start time dependent on your specific requirements); however, that
is a long time to wait to see some effect. You will run the activity immediately so you can
observe the result.
Click the Run Once Now button (it should have become active once the Apply
completed) to execute the activity immediately.
When the system prompts you that the operation is complete, click OK to continue.
__ 6. To see what is going on, use the Guardium Monitor pages to report on the activity.
Click the Guardium Monitor tab to access the Guardium Monitor pane, and then
click the Aggregation / Archive Log link.
This built-in report shows activity by default from the previous week. After a short
delay, you should see messages similar to those shown indicating that archiving has
successfully completed.
__ 7. Confirm that the data has been successfully filed in the specified /root folder.
Minimize the web console window. Open a terminal window if one is not already
open. Since you are logged on to the SUSE Linux machine as the root user this
should take you directly to the /root folder.
Enter the following command to list any archived data files:
dbserver01:~ # ls *.enc
In this example, the archive activity resulted in the creation of a total of 11 files
corresponding to 11 days of archived data. Data is always collected and archived on
a daily basis. Your number of files may vary.
For reference, the file naming convention is as follows:
Close the terminal window and maximize the web console window.
__ 8. Guardium maintains a catalog of archived data files. The catalog can be used if you
ever need to restore any archived data to the system. Let us check that your
archived data files show up in the Guardium catalog.
Verify that your archived data files are present in the Guardium catalog.
__ 9. Logout of the Guardium Console and close the browser. Exit any open terminal
sessions.
End of exercise
Exercise 4. Installing GIM and S-TAP
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance if
necessary.
__ 1. Open the SUSE Linux image and log on as user root / password guardium. First,
you will apply the license keys and install the GIM.
__ 2. Open the console web interface, and log in as admin / ibm.
__ 3. Navigate to Administration Console Configuration System.
__ 4. Minimize the console web interface window. On the desktop, locate the Keys folder.
Double click on the Keys folder to open it.
__ 5. In the Keys folder, locate the file named Collector V9 Base Key. Open this file by
double clicking on it.
__ 6. In the gedit window that opens, highlight the collector key value and select EDIT
COPY.
__ 7. Close the gedit and Keys folder windows, and maximize the console web interface
window. Paste the Collector license key into the License Key prompt area using
EDIT PASTE.
__ 8. Scroll to the bottom of the screen and click on the Apply button. Nothing may appear
to happen, but if you scroll back up you should see that the License Key prompt area
is blank.
__ 9. Repeat this process for the DAM Standard V9 append key and also for the DAM
Advanced V9 append key.
__ 10. Scroll to the bottom of the screen and click on the Restart button. At the Are you
sure prompt, answer by clicking the OK button. It will take about 5 minutes for your
Guardium appliance to reboot. You will know it is complete when the web console
interface launches properly. After the reboot is done, log back on to the console web
interface as admin/ibm.
__ 11. First, you will install the GIM. The installation media has already been copied to a
folder on the SUSE Linux image.
Open a terminal window on the SUSE Linux image and navigate to the /root/GIM
folder:
dbserver01:~ # cd /root/GIM
List the folder contents:
dbserver01:~/GIM # ls
guard-bundle-CAS-v81_r24276_1-suse-10-linux-i686.gim
guard-bundle-DISCOVERY-v81_r24276_1-suse-10-linux-i686.gim
guard-bundle-GIM-v81_r24276_1-suse-10-linux-i686.gim.sh
guard-bundle-STAP-v81_r24276_1-suse-10-linux-i686.gim
The GIM installation media is highlighted above. This folder also contains
installation media for the S-TAP, the instance DISCOVERY module and the
Configuration Auditing System (CAS) module. You will use GIM to install the first two
of these shortly (and the third in a later exercise).
__ 12. You will install the GIM into the folder /usr/guardium - this folder already exists. To
install the GIM, you will enter a command with the following syntax:
./guard-bundle-GIM-guard-<OS Version>.sh -- --dir <install directory> --sqlguardip
<collector or Central Manager IP address> --tapip <database server IP address>
In this exercise, you will install GIM into the /usr/guardium directory. The collector IP is
192.168.169.9 and the database server IP is 192.168.169.8. So your command will
appear as follows:
dbserver01:~/GIM # ./guard-bundle-GIM-v81_r24276_1-suse-10-linux-i686.gim.sh -- --dir /usr/guardium/ --sqlguardip 192.168.169.9 --tapip 192.168.169.8
Warning
Be careful that you type this command correctly; it is easy to make a mistake here.
After scrolling through the license agreement (or press q to skip to the end), you will
see the following messages:
Installing modules ....
Installation completed successfully
The installation should complete very quickly.
__ 13. There should now be two running processes created and started by the installation:
the GIM client process (gim_client.pl) and the GIM supervisor (guard_supervisor).
Verify that these processes are running using the following command:
dbserver01:~/GIM # ps -ef | grep guard
/usr/bin/perl /usr/guardium/modules/GIM/8.1.00_r24276_1-1298979196/gim_client.pl
/usr/guardium/modules/perl
/usr/guardium/modules/SUPERVISOR/8.1.00_r24276_1-1298979201/guard_supervisor
These processes are maintained by the Linux init process. Entries should have been
added to the /etc/inittab file to enable this.
Enter the following command and verify their presence:
dbserver01:~/GIM # tail -5 /etc/inittab
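As an added example (not part of the course material), the following POSIX shell script automates the check in step 13: it confirms that both gim_client.pl and guard_supervisor appear in the process list and that each has a respawn entry in /etc/inittab. The ps and inittab text embedded in the script is constructed sample data modelled on the listings above; the inittab id fields (gim, sup) are assumed, not taken from a real Guardium installation.

```shell
#!/bin/sh
# Post-install check for the two GIM processes described in step 13.
# Added example, not part of the course material.

# Constructed sample of `ps -ef | grep guard` output, modelled on the listing above.
SAMPLE_PS='root 4120 1 0 09:01 ? 00:00:02 /usr/bin/perl /usr/guardium/modules/GIM/8.1.00_r24276_1-1298979196/gim_client.pl
root 4133 1 0 09:01 ? 00:00:00 /usr/guardium/modules/SUPERVISOR/8.1.00_r24276_1-1298979201/guard_supervisor
root 4201 4100 0 09:05 pts/0 00:00:00 grep guard'

# Constructed sample of the tail of /etc/inittab. The id fields (gim, sup) are
# assumed; the id:runlevels:action:process layout is the standard inittab format.
SAMPLE_INITTAB='# constructed sample, not a real Guardium inittab
gim:2345:respawn:/usr/bin/perl /usr/guardium/modules/GIM/8.1.00_r24276_1-1298979196/gim_client.pl
sup:2345:respawn:/usr/guardium/modules/SUPERVISOR/8.1.00_r24276_1-1298979201/guard_supervisor'

# count_process NAME PS_TEXT
# Prints how many process lines mention NAME, ignoring the grep command itself
# (which would otherwise match because "guard" is on its own command line).
count_process() {
    printf '%s\n' "$2" | grep -v ' grep ' | grep -c "$1" || true
}

# has_respawn NAME INITTAB_TEXT
# Returns 0 if a non-comment inittab line with the respawn action runs NAME.
has_respawn() {
    printf '%s\n' "$2" | grep -v '^#' | grep ':respawn:' | grep -q "$1"
}

# check_gim PS_TEXT INITTAB_TEXT
# Returns 0 when both GIM processes are running and registered for respawn;
# otherwise reports each missing item and returns 1.
check_gim() {
    status=0
    for proc in gim_client.pl guard_supervisor; do
        running=$(count_process "$proc" "$1")
        if [ "$running" -lt 1 ]; then
            echo "MISSING: $proc is not running"
            status=1
        fi
        if ! has_respawn "$proc" "$2"; then
            echo "MISSING: no respawn entry for $proc in /etc/inittab"
            status=1
        fi
    done
    return "$status"
}

# On a real database server, replace the samples with live data:
#   check_gim "$(ps -ef)" "$(cat /etc/inittab)"
if check_gim "$SAMPLE_PS" "$SAMPLE_INITTAB"; then
    echo "OK: GIM client and supervisor are running and registered in /etc/inittab"
fi
```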
__ 14. After successfully completing the GIM installation, the two GIM processes should be
visible from the Guardium Console.
Exit the terminal window and maximize Firefox. You should still be logged
into the console web interface as admin/ibm.
Click the Administration Console tab and select Module Installation >
Process Monitoring.
You should see a GIM process and a SUPERVISOR process running on your
database server.
__ 15.
Information
It is your objective in this exercise to use GIM to install the S-TAP and DISCOVERY
modules on the database server. You saw earlier that the installation media for these
modules reside in the /root/GIM folder. For GIM to be able to install these modules, they
must first be uploaded to the Guardium collector.
Your screen should look like the above screenshot at this point.
Click the checked icon (import this module) for each of the uploaded files. Click OK
to accept the import and OK (again) to confirm its completion.
__ 16.
Information
The next step is to actually install the S-TAP and DISCOVERY modules on the database
server. The tool provides two (very similar) ways of doing this: Setup By Client (choose
one or more client systems and then install a selected module on those clients) or Setup By
Module (choose a specific module and then install it on one or more client systems).
In the following steps, you will install the S-TAP module using Setup By Client and
the DISCOVERY module using Setup By Module so that you can see both
mechanisms.
Click the Setup By Client link and then click Search (you can leave all
the search criteria fields empty - since we only have one client we do not
need to refine the search in any way).
Check the box for your database server (there will be only one in this case - if
you have multiple servers, you can select as many as you like).
Click Next.
Click Next.
Information
The next page allows you to enter a set of parameters to configure the module that you are
about to install. The screen is split into two sections: a set of Common Module Parameters
(these would be applied to all clients if you had selected multiple database servers
previously) and a set of Client Module Parameters that let you set parameters for a
specific client.
You will be changing settings under the Client Module Parameters section.
You will only need to enter values into three of the parameters.
a) Set KTAP_LIVE_UPDATE to Y.
Hint
Scroll to the right. KTAP_LIVE_UPDATE will be the first field highlighted in a yellow-orange
color.
After making these changes, click Apply to Clients (click OK to confirm the
change).
__ 18. Next click Install/Update. A scheduling window will appear:
Schedule the install immediately by entering NOW into the Schedule Date and click
Apply.
Click OK to dismiss the confirmation dialog.
__ 19. You can monitor progress using the GIM Event List page under the Guardium
Monitor tab.
Installation will normally take a minute or so. Verify successful installation in the GIM
Event List.
Hint
The refresh button is an icon with two yellow arrows.
__ 20. Your S-TAP should now be up and running and recognized by the Guardium
Collector. You can verify this by clicking the System View tab.
Information
Although your S-TAP is running, it will not be doing very much as it is not yet aware of any
database instances running on your database server. It needs to have one or more
inspection engines configured. This can be done manually; however, you will use the
DISCOVERY module to automate this.
__ 21. Click the Administration Console tab and go to Module Installation > Setup By
Module.
There is no need to enter any search criteria, just click the Search button.
__ 22. Highlight the BUNDLE-DISCOVERY_8.1.00_r24276_1 module from the list of
modules and click Next.
__ 23. Select the database server on which you would like to install by checking the box
(an easy choice as there is only one) and click Next.
__ 24. As before, the module parameter page is split into two - Common Module
Parameters and Client Module Parameters. You will change just one Client Module
Parameter.
Set DISCOVERY_JAVA_DIR to /opt/ibm/db2/V9.7/java/jdk32/jre. To help you
avoid typing errors, this path is stored in a Java settings file on your Linux desktop,
so you should be able to copy and paste the path.
Hint
You can access a typing area by clicking on the pencil icon to the right of the value box.
Click Apply after entering the value in this typing area.
Schedule the install immediately by entering NOW into the Schedule Date and click
Apply.
Click OK to dismiss the confirmation dialog. Installation will take a minute or so.
__ 26. Using the BACK button, return to the Client selection window. Click on the i to the
right of the checkbox.
__ 27. The Installation Status box will be displayed. Scroll down to locate Discovery, and
look at its status. If it is INSTALLED, the installation is complete. If it is anything else,
click the Refresh button until it is installed or it generates an error message.
__ 28. Using the BACK button, return to the Client selection window.
__ 29. To confirm that the DISCOVERY module has installed successfully, go to the
Guardium Monitor tab and click GIM Events List.
__ 30. To view any database instances found by the DISCOVERY module, click the Daily
Monitor tab and click the Discovered Instances link (this might take an additional 5
minutes or so).
You should see the single DB2 database instance running. From here, you can
quickly create an S-TAP Inspection Engine based on the newly discovered instance.
On the next page, confirm that the settings appear correct (you do not need to change any
in this case) and click Invoke now.
__ 31. When the task is complete, you will see this completion page:
__ 33. Let us review what you have done here. You first installed the GIM on the database
server and used that to install both an S-TAP module and a DISCOVERY module.
You then used the DISCOVERY module to discover any running database
instance (one was found), and to create and configure an inspection engine for that
database instance.
The Guardium Collector should now be receiving database traffic from the S-TAP.
This can be verified using the SYSTEM VIEW tab on the Administrative Console.
The existing S-TAP / Inspection Engine should be displayed in green under the
S-TAP Status Monitor section. Additionally, the S-TAP numbers for DB2 under the
Current Status Monitor section should no longer be 0, but should be an
ever-increasing value. (Remember, there is a continuously running cron job
generating a variety of database activity from multiple users. The S-TAP / Inspection
Engine are monitoring this traffic.)
__ 34. Logout of the Guardium Console, close the browser and any open terminal
windows.
End of exercise
Exercise 5. Creating Guardium Groups
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as
admin/ibm.
__ 2. Click the Tools tab and select Group Builder from the list of tools.
You do not need to supply any Group Filter parameters, just click Next.
__ 3. You are going to create a new group using manual entry rather than modify one of
the existing groups. Enter the following information in the Create New Group area of
the screen. (You may need to scroll down to find this area.):
Application Type: Public
Group Description: -tr Trusted Users
Group Type Description: USERS
Information
It is good practice to identify the groups that you create with some sort of prefix (in this
case, we have used -tr) to distinguish user-added groups from the built-in ones. In addition,
the '-' character at the beginning means that your groups appear at the top of the list of
groups and are consequently easier to find and select.
Note: You may have to click the refresh button (two yellow arrows) to the right of Add
an existing Member to Group to populate the drop down list.
Click Back to return to the group list (you should see your new group at the top).
__ 5. Add a second new group called -tr Privileged Users:
Application Type: Public
Group Description: -tr Privileged Users
Group Type Description: USERS
Do not add any new users to the group; click the Add button to create the group,
and then just click the Back button, where you should see your new (but empty)
group at the top of the list.
__ 6. Highlight your new -tr Privileged Users group and click the Populate from Query
button.
__ 7. Select a pre-existing query called Detailed Sessions List from the query
drop-down (we will look at how to build queries later).
Select DB User Name from the Fetch Member from Column drop-down
Set the Date parameters to NOW -1 DAY and NOW (the query will just
scan your recently collected data for DB users)
Enter a wildcard search character '%' for the Server IP (as shown)
Click Save to save the query parameters
__ 8. The query will run and return a list of recent database users. From the results list,
check only the A2840 user and the SCOTT user.
Click Import to add the selected members to the Group. Click OK to accept the import
confirmation.
Click Back to return to the Group list.
__ 9. For your final group, you will add some new members to a built-in group called
Sensitive Objects.
Highlight the Sensitive Objects group and click the Populate from Query button.
This time select a query called Objects List.
Select Object Name from the Fetch Member from Column drop-down and set the
date parameters as before.
Save your query parameters (click the Save button) and execute the query by
clicking Run Once Now.
From the list of query results, select the following objects:
db2inst1.cc_numbers
db2inst1.G_EMPLOYEES
db2inst1.G_PRODUCTS
v_cc
Click Import to add the selected objects to the group. Click OK when prompted with the
successful dialog.
Click Back to return to the Group list.
__ 10. The Guardium Monitor tab features a Guardium Group Details page which you
can use to view your new groups.
By default, the page will show all group details. To narrow it down to the ones that
you have just created, click the pencil icon on the top right of the page to customize
the portlet.
__ 11. Change the wildcard selection for the group description to read -tr% (as shown
below).
End of exercise
Exercise 6. Creating a Policy
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance if
necessary.
__ 1. In the SUSE Linux image, start Firefox, and log on to the Guardium Console as
admin/ibm.
__ 2. Before you create any policies, you should notice that there is no default policy
created or installed. (We are using an out-of-the-box Guardium system.) To verify
this:
- Click the Administration Console tab and choose the Policy Installation link.
- Notice that the Currently Installed Policy is empty: no policy is currently
being enforced.
__ 3.
Information
In the work you are about to perform, you will create a policy of your own, which will
become the currently installed and enforced policy for your Guardium system.
Click the Tools tab and choose Policy Builder from the list of tools.
You will see the list of existing policies - ignore these and create your own by clicking
the New button.
__ 4. Enter a Policy description of -Exercise 6 (the leading '-' character just keeps your
policy at the top of the list for convenience) and a Policy category of Training.
Click the Apply button to save your new (but still empty) policy.
__ 5. Next click the Edit Rules button to see the policy rules - there, of course, will not
be any listed yet.
__ 6. Enter a Description of Ignore S-TAP session for trusted users (it is good practice to
make rule descriptions sensible, as they can show up in subsequent reports) for your
rule and select -tr Trusted Users from the DB User Group drop-down.
__ 7. Click the Add Action button and select the IGNORE S-TAP SESSION action from
the drop-down.
Click Apply.
Click the Save button to save your rule and return to the rules list for your policy.
__ 9. Add a second access rule to your policy by clicking the Add Access Rule button
again.
__ 10. Enter a Description for your rule Alert on access to sensitive objects, select -tr
Privileged Users from the DB User Group drop-down and Sensitive Objects from
the Object drop-down.
Also change the Severity to HIGH (this will make it easier to see in the incident log
later).
__ 11. Click Add Action and select ALERT PER MATCH from the action drop-down.
Select SYSLOG as the Notification Type (we do not have any configured SNMP or
SMTP servers).
Click Add (to add the SYSLOG notification receiver) and then click Apply.
__ 12. This rule has two actions. Add the second one now.
Click Add Action a second time to add another action. This time select LOG FULL
DETAILS from the action drop-down and click Apply.
Your rule should look like this:
__ 13. Click Save to save your rule and return to the rules list for your policy.
__ 14. Click the Back button twice to see your new policy at the top of the list of available
policies:
__ 15. It is time to replace the currently installed policy with your new one.
Click the Administration Console tab and select the Policy Installation link.
In the Policy Installer section, make sure that your new policy, -Exercise 6, is
highlighted and select Install from the drop-down:
Click OK. You should see your policy shown as the currently installed policy.
__ 16. Now it is time to admire your results! Let us start with the privileged users rule. Click
on the Incident Management tab. Database users SCOTT and A2840 are privileged
users (that is, members of the -tr Privileged Users group that you created earlier). In
your policy, you configured the Alert to write to SYSLOG. However, an Alert also
shows up as a policy violation, which is displayed here on the Incident Management
pane.
You might need to wait a few minutes for some results to show up (remember that
continuously running cron job?).
You might also need to sort by Session Start time (click the Session Start column
title) to see the latest sessions on the first page of the report.
__ 17. The rule for ignoring trusted user access will be harder to track, since there is no
built-in report that includes that information. Instead, you will need to create your
own query and report, a process we will cover in the upcoming lab exercises.
__ 18. Log out of the Guardium Console and close the browser.
End of exercise
Exercise 7. Updating a Policy
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Administration
Console as admin/ibm.
__ 2. Since you are making a change to a policy that is already installed, the easiest way
to do this is to use the Currently Installed Policy page.
Click the Administration Console tab and choose the Policy Installation link. You
will see your installed policy displayed.
Edit the Alert on access to sensitive objects rule by clicking the Edit icon (circled
in the screenshot).
__ 5. Remove the existing LOG FULL DETAILS action by clicking the Delete icon.
Add a new LOG MASKED DETAILS action and use the directional icons to move it
to the top of the action list.
Save your modified rule by clicking the Save button and returning to the rules list for
your policy.
__ 6. Add a new exception rule to your policy by clicking the Add Exception Rule
button. Enter the following data:
Description
Severity
DB User
Exception Type
Minimum Count
Reset Interval
Warning
Be sure to enter the period character '.' in the DB User field. This tells Guardium to count
the exceptions per DB user, so the rule fires only when the same user reaches the Minimum
Count within the Reset Interval. If you omit the period, failed logins from completely
different users are counted together and might trigger the rule.
Add the ALERT PER MATCH action with SYSLOG notification and Save your rule.
__ 7. Use the directional icons to move your new rule to the top of the list, so that your rule
list looks like this:
__ 8. To implement the original plan, you need to add one final rule to log details of what
any privileged users are up to.
Click the Add Access Rule button.
Enter the following data:
Description
DB User Group
Continue to next rule
Warning
Remember to check the Cont. to next rule checkbox. If you do not, rule processing will stop
at this rule and none of the rules that follow it will be evaluated for the matching traffic.
End of exercise
Exercise 8. Installing and Configuring CAS
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as
admin/ibm.
__ 2. Your first task is to upload and install the Configuration Auditing System (CAS)
license key. Navigate to Administration Console > Configuration > System, and
then minimize the browser window to return to the desktop.
On the desktop, locate the Keys folder. Double click on the Keys folder to open it.
In the Keys folder, locate the file named CAS Key.txt. Open this file by double
clicking on it.
In the gedit window that opens, highlight the CAS key value and select Edit > Copy.
Close the gedit and Keys folder windows, and maximize the console web interface
window. Paste the CAS license key into the License Key prompt area using Edit > Paste.
Scroll down and click Apply.
__ 3. Scroll to the bottom of the screen and click on the Restart button. At the Are you
sure prompt, answer by clicking the OK button. It will take about 5 minutes for your
Guardium appliance to reboot. You will know it is complete when the web console
interface launches properly. After the reboot is done, log back on to the console
web interface as admin / ibm.
__ 4. Your next task is to install the CAS Agent software on the database server. You will
use GIM to do this; the process is similar to the S-TAP installation you performed
earlier.
Click the Administration Console tab and navigate to the Module Installation >
Upload page.
Click the circled icon to import the module to the Guardium database. Click OK to
confirm the import and OK (again) to acknowledge a successful import.
__ 5. Click Setup By Client and then click the Search button to locate all database
servers (there will be only one).
Select your database server (check the box) and click Next.
__ 7.
Information
The only module parameter you need to set is the Java runtime directory (in the same way
that you did earlier for the DISCOVERY module). Remember the directory path is saved in
the Java setting file on your Desktop to enable you to copy/paste the value.
Click Apply to Clients and then click OK to acknowledge the application. Next, click
Install/Update.
Hint
You may need to move the cursor to another field to activate the necessary buttons.
When prompted, enter a Schedule Date of NOW. Click Apply to start the
installation, and select OK to acknowledge the application.
__ 8. Click the Guardium Monitor tab and select GIM Events List to check the status of
the installation (might take a few minutes to complete). Use the refresh button to
update the display.
__ 9.
Information
You will perform the remainder of this exercise as a normal Guardium user - User01 which
you created earlier (it is easier to get to the CAS tools as a non-administrative user). First,
though, you need to give User01 access to the CAS tools.
__ 10. Login as User01 (password guardium). When prompted, change the password to
ibm. The console screen will look quite a bit different from the administrative view
that you are used to seeing.
Click the Assess/Harden tab and choose Config. Change Control.
Under the CAS Configuration Navigator, choose UNIX and DB2 under List Filtering.
Let's take a look at one of these. Highlight the first template (Default Unix/DB2
Template Set Unix DB2) and click Modify.
__ 12. Review the type of information monitored with this template.
__ 14. Highlight the CAS host (there will be only one) and click Modify.
__ 15.
Information
For a given CAS host, this page allows you to configure one or more templates that CAS
will use to monitor your database server. You can see that a default template for the UNIX
operating system has already been added for you (this needs no further configuration).
However, the database (DB2, in this case) templates need to be configured specifically:
they need to be told how to access a given database. This is achieved by creating a
Datasource for use by each template (multiple templates can share the same datasource).
Select Default UNIX/DB2 Template Set: UNX DB2 from the drop-down and click
Add Datasource
SLES10
check
Checked
db2inst1
guardium
50001
Sample
db2inst1
/home/db2inst1
Hint
Be sure to use the appropriate upper / lower case letters.
Click Apply and then OK to save the data. This will expose a Test Connection
button.
Click the Test Connection button. Verify that the datasource can connect.
Then click Add to add the datasource to the template. Be patient; it might take a
minute or so.
__ 19. You will see your new datasource/template combination listed.
Select a second template from the drop down Default UNIX/DB2 Template Set
V8.0: UNX-DB2 and add the same datasource to that template (do not create a new
datasource - just re-use the one you just created).
Your CAS Host Instance Definitions list should now look like this:
Hint
You may have to click the REFRESH button if one of the entries is in a pending state.
__ 20. At this point, CAS is up and running and monitoring your database server for
changes. To see what it is looking at, click Assess/Harden > Change Reports.
There will be a lot of information shown initially in these reports as when CAS is
newly configured and started it will pretty much report everything as being changed.
After a period of time, it becomes easier to interpret the results. For example, wait a
few minutes and then open a terminal window and touch one of the files that CAS is
monitoring:
Set the Monitored_Item value from % (all items) to %bashrc (the file you touched).
Scroll down and click the Update button.
You should begin to be able to see how CAS tracks changes to your system:
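What a change monitor has to record to report the kind of event you just generated is shown in the following added example, written for this page rather than taken from CAS: it baselines a set of files (content hash, permission bits and modification time, kept separate so that an edit, a chmod and a plain touch are classified differently) and diffs a later snapshot against the baseline. The temporary home directory, the file names and their contents are constructed for the example; the monitored set includes a path that does not exist yet so that a newly created file is reported as added.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(paths):
    """Baseline each existing path: SHA-256 of the content, permission bits, mtime.
    Hash and mode are kept separately so a chmod is distinguishable from an edit."""
    state = {}
    for p in map(Path, paths):
        if p.exists():
            st = p.stat()
            state[str(p)] = (hashlib.sha256(p.read_bytes()).hexdigest(),
                             st.st_mode & 0o7777, st.st_mtime_ns)
    return state


def diff_snapshots(before, after):
    """Return sorted (path, change_kind) pairs; unchanged files are omitted."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes.append((path, "added"))
        elif path not in after:
            changes.append((path, "removed"))
        elif before[path] != after[path]:
            b, a = before[path], after[path]
            kind = ("content" if b[0] != a[0]
                    else "permissions" if b[1] != a[1]
                    else "timestamp")  # a plain touch lands here
            changes.append((path, kind))
    return changes


def demo():
    """Constructed scenario in a temporary 'home directory': one edit, one chmod,
    one touch, one deletion, one new file, and one file left alone."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        files = {name: home / name for name in
                 (".bashrc", ".bash_profile", ".profile", ".bash_history", "db2profile")}
        for f in files.values():
            f.write_text("# constructed content for %s\n" % f.name)
        watched = list(files.values()) + [home / "db2nodes.cfg"]  # last one absent so far
        baseline = snapshot(watched)

        files[".bashrc"].write_text("export PATH=$PATH:/tmp/evil\n")  # content change
        os.chmod(files[".profile"], 0o777)                           # permissions only
        os.utime(files[".bash_profile"], (0, 0))                     # timestamp only (touch)
        files[".bash_history"].unlink()                              # removed
        (home / "db2nodes.cfg").write_text("0 dbhost 0\n")           # added

        return [(Path(p).name, kind)
                for p, kind in diff_snapshots(baseline, snapshot(watched))]
```

`demo()` returns one entry per file that changed, with db2profile absent because nothing about it moved; the same classification is what makes a freshly started monitor noisy (everything is "added" against an empty baseline) and quiet afterwards, as the text above describes.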
__ 21. Log out of the Guardium Console, close the browser and exit any open terminal
windows.
End of exercise
Exercise 9. Running a Vulnerability Assessment
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. Log on to the SUSE / Linux image as root / guardium. Start Firefox and log on to
the Guardium Console as admin / ibm.
__ 2. You will need to upload and install the Vulnerability Assessment (VA) license key.
Navigate to Administration Console > Configuration > System, and then
minimize the browser window to return to the desktop.
On the desktop, locate the Keys folder. Double click on the Keys folder to open it.
In the Keys folder, locate the file named VA Key.txt. Open this file by double clicking
on it.
In the gedit window that opens, highlight the VA key value and select Edit > Copy.
Close the gedit and Keys folder windows, and maximize the console web interface
window. Paste the VA license key into the License Key prompt area using Edit > Paste.
Scroll to the bottom of the screen and click on the Apply button. Nothing may appear
to happen, but if you scroll back up you should see that the License Key prompt area
is blank.
__ 3. Scroll to the bottom of the screen and click on the Restart button. At the Are you
sure prompt, answer by clicking the OK button. It will take about 5 minutes for your
Guardium appliance to reboot. You will know it is complete when the web console
interface launches properly. After the reboot is done, log back on to the console web
interface as User01 / ibm.
__ 4. Click the Assess/Harden > Vulnerability Assessment tab and click the Define
what database you want assessed button.
__ 5. On the Security Assessment Finder page, click New to create a new assessment
(none exist at this time).
__ 6. Enter a name for your assessment in the Description field: DB2 Security
Assessment.
Click Add Datasource and add the datasource that you created in the previous
exercise (there is no need to create a new one here).
Click the DB2 tab and highlight one or more tests from the (lengthy) list. You may
choose the ones shown in the screenshot or pick your own. Limit your selections to
no more than 6 or 7 tests (you want all this to run quickly so you can see the effect).
Click the Add Selections button to add your selections to the list at the top of the
page. You might need to use the scroll bar at the bottom of the page to see the Add
Selections button.
__ 8. Click the Back button to return to the Security Assessment Builder page and again
to return to the Security Assessment Finder page.
__ 9. You are now ready to run the assessment. Click the Run Once Now button.
__ 10. The Guardium Job Queue report on the right of the page shows you the status of
your assessment. Refresh the report to see the current status.
When you see the status marked as COMPLETED, click the View Results button to
see the results of the assessment tests.
Depending on exactly what tests you selected, your report should look something
like this:
__ 11. Close the report, log out of the Guardium Console and close the browser.
End of exercise
Copyright IBM Corp. 2011, 2014
Exercise 10. Creating a Simple Query and Report
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as
User01/ibm.
__ 2. First, let us create a new Reports tab. Click the Customize link (top right of your
screen).
Enter a name for the pane: User01 Reports and click Apply.
__ 4. Click the link for your new User01 Reports pane.
__ 5. Select Menu pane from the Layout drop-down and click the Save button to save
your change.
Click Save (again) on the Customize Pane screen to return to the main screen. You
should see your new User01 Reports tab listed.
__ 6. Now let us get to the Query creation part. Click Monitor/Audit > Build Reports.
__ 7. On the Query Finder page, click the New button (there are lots of built-in queries
but you are creating your own).
__ 8. Name your query -Trusted Sessions and select Session as the Main Entity.
Click Next.
__ 9. Add the following fields to the Query Fields pane:
Client IP
Server IP
DB User Name
Source Program
These fields are all part of the Client/Server entity. To add the fields, click
Client/Server in the Entity List on the left of the screen and either click each field
and select Add Field from the pop-up menu or just drag the field to the Query Fields
list.
__ 10. Use the directional icons to sort the list of fields as shown below.
Also determine the ordering of any results by checking the Order by checkboxes
for Client IP and DB User Name and setting their Sort Rank so that Client IP is
sorted first and DB User Name second.
Finally, check the Add Count checkbox (this will cause the subsequent report to
display counts of the sessions rather than details of each individual one).
__ 11. Your objective is to return session details for trusted users only. To achieve this, you
need to apply a condition to this query.
__ 12. Add the DB User Name field to the Query Conditions pane and select IN GROUP
from the Operation drop-down.
__ 13. Add DB User Name as a Query Condition (as before) and select IN GROUP as the
operator. You should now be able to find and select -tr Trusted Users as the group.
and then select User01 Reports from the list of panes. Click OK to acknowledge the
change.
Click the User01 Reports tab where you can admire your new report.
Information
Although you have been working on a Query pretty much all the time, when you clicked the
Add to Pane button, Guardium automatically created a Report with the same name as
the Query. It is the Report that gets placed on the designated User01 Reports pane. The
Report is responsible for the look and feel of the results that you see on the screen. The
Query is responsible for the content.
If you want to see details of the Report that was created, click Monitor/Audit >
Build Reports and click the Define how information should be presented button.
You should be able to locate and inspect the Report from there (it will have the same
name as the query you just created). Do not make any changes at this time.
__ 15. By default, the Start Date/End Date settings are for the last 3 hours of data. You can
change this if you want by clicking the Customize icon (shown circled above) and
modifying the setting as shown below (NOW-30 HOUR):
Click the Update button to save any changes and re-run the report.
__ 16. Log out of the Guardium Console and close the browser.
End of exercise
Exercise 11
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as
User01/ibm.
__ 2. Navigate to Monitor/Audit > Build Reports > Track data access.
Click New to create a new query.
Enter a query name of -Accessed Database Objects and a main entity type of
Object.
Click Next.
__ 3. Add the following Query Fields:
Entity          Attribute
Client/Server   Server IP
Client/Server   Client IP
Client/Server   DB User Name
Client/Server   Service Name
Client/Server   Source Program
Command         SQL Verb
Object          Object Name
Then add the following Query Conditions, each using a runtime parameter:
Attribute       Operator   Runtime Param.
DB User Name    LIKE       Parameter: DBUser
Client IP       LIKE       Parameter: ClientIP
Information
Runtime parameter names can be anything you like - as long as they don't have spaces in
them. They will be visible in the report so best to make them something sensible.
__ 4. Click the Save button to save your query. Then click Add to Pane... to create the
corresponding report and add that to your User01 Reports page.
__ 5. Navigate to the User01 Reports pane and select the Accessed Database
Objects report. You will need to customize your report a little by adding wildcard %
characters for the ClientIP and DBUser runtime parameters.
Click Update to save and run the report. You should get results similar to this:
__ 6.
Information
Testing the drill-down capability using your existing -Trusted Sessions report will not work
very well as, if you recall, the policy you created earlier specifically ignored S-TAP sessions
for trusted users (captures log on and log out but that is all).
You will need to create a brand new query and report which displays session
information for users who are not members of the trusted user group. The easiest
way to do this is to clone your -Trusted Sessions query into a -Privileged Sessions
query.
Navigate to Monitor/Audit > Build Reports > Track data access and select
-Trusted Sessions in the query name drop-down.
Click the Clone button. This will create a copy (or clone) of your query.
Give it a new name -Privileged Sessions and change the Runtime Param. Group
drop-down to -tr Privileged Users.
Save your query and Add to Pane as before.
__ 7. Your User01 Reports pane should now have three reports on it.
Click the -Privileged Sessions report; you will see session information for the two
users in that group (A2840 and SCOTT).
Double-click the SCOTT record to see the available drill-down reports.
Select the -Accessed Database Objects drill-down report. Your report will now
pop-up in a separate window showing database object access information just for
the SCOTT user:
__ 8. Close the drill-down window, then log out of the Guardium Console and close
the browser.
End of exercise
Exercise 12
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as
User01/ibm.
__ 2. Navigate to Monitor/Audit > Build Reports > Track data access.
Create a query called -Privileged User DML+DDL Activity as follows:
Warning
Be careful when adding the third condition - it needs to be an 'OR' condition - not the
default 'AND'.
__ 3. Add the query to your User01 Reports pane and verify that it works as expected:
__ 5. Add the query to your User01 Reports pane and verify that it works as expected:
Information
Notice that full SQL details are not available for all users. This is because the policy you
installed in an earlier activity had a rule that only collected full SQL information (LOG FULL
DETAILS) for privileged users.
__ 7. Add the query to your User01 Reports pane and verify that it works as expected:
Hint
Be sure to customize the report by setting the DBUser, ClientIP, and SourceProgram
parameters runtime values to the wildcard %.
__ 8. All the queries and their associated reports that you have created in the last three
exercises are only available to the User01 user. Let us make at least some of them
available to all users who are members of the infosec role (currently User01 and
User02).
Information
The process is to open the query editor and grant access to the specified role (infosec).
The corresponding report also needs to be made accessible to the infosec role. You must
do the query first, then the report (you will not be able to do it the opposite order).
Click Apply to save your change. Click OK to acknowledge the save, and then click
Back to return to the query builder page.
Click Back to return to the Query Finder page.
__ 9. Repeat this for the following queries:
-Privileged Sessions
-Accessed Database Objects
-Session Details
__ 10. Navigate to Monitor/Audit > Build Reports > Define how information should be
presented.
Select the -Trusted Sessions report from the Report Title drop-down, then click on
Search:
Check the infosec checkbox. Click Apply to save your change, and then click OK
to acknowledge the update.
Click the Back button to return to the Report Search Results page, and then click
the Back button (again) to return to the Report Finder page.
__ 11. Repeat this for the following reports:
-Privileged Sessions
-Accessed Database Objects
-Session Details
__ 12.
Information
All members of the infosec role should now have access to the above queries and reports.
You could at this point log on as User02 (another user who is a member of the infosec role),
create a new Reports pane and start adding the reports to the pane. However, it might be
more interesting if User02 could simply have the same layout as User01 (which would, of
course, include the User01 Reports pane that you have been using up to now).
The command will take a few minutes to complete (it will stop and restart the
console application, the 'gui').
When the command is complete, exit the CLI and close the terminal
window.
v9collector01.ibm.com> exit
__ 13. Open Firefox and log in to the Guardium Console Web application as User02
(password guardium). If prompted, change the password for User02 to ibm.
If you have not previously logged in as this user, you will see the User01 Reports
tab.
If you have previously logged in as User02, you will not see the User01 Reports tab.
This is because the CLI command in the previous step is only effective for users
who have not previously logged in. For users who have previously logged in the
following additional steps need to be performed:
OPTIONAL: You may recall that in Exercise 6 you created a rule (Ignore S-TAP session for trusted users) that you were unable to test because there was no query or
report associated with it. Now that you know how to create queries and reports, create one that will test this rule:
Report Name: -Sessions
Display Fields: Session Start, Server IP, Client IP, DB User Name, Session Ignored
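The -Trusted Sessions query from Exercise 10 (Session main entity, Add Count, condition DB User Name IN GROUP), its -Privileged Sessions clone from Exercise 11, and the optional -Sessions report above all map onto ordinary grouped SQL, which is a useful way to check that you understand what the query builder is producing. The following is an added example written for this page, not Guardium's query engine or schema: the two tables, their column names, and the sample sessions are constructed, and the group name is passed as a runtime parameter so that one function reproduces both the trusted and the privileged variant.

```python
import sqlite3

# Constructed sample data standing in for the collector's session and group data.
SESSIONS = [
    # session_start, client_ip, server_ip, db_user, source_program, session_ignored
    ("2014-05-01 09:00:00", "10.0.0.5", "10.0.0.20", "APPUSER", "db2bp", 1),
    ("2014-05-01 09:05:00", "10.0.0.5", "10.0.0.20", "APPUSER", "db2bp", 1),
    ("2014-05-01 09:07:00", "10.0.0.7", "10.0.0.20", "APPUSER", "java", 1),
    ("2014-05-01 09:10:00", "10.0.0.9", "10.0.0.20", "SCOTT", "db2bp", 0),
    ("2014-05-01 09:12:00", "10.0.0.9", "10.0.0.20", "A2840", "db2bp", 0),
    ("2014-05-01 09:15:00", "10.0.0.9", "10.0.0.20", "SCOTT", "db2bp", 0),
]
GROUP_MEMBERS = [
    ("-tr Trusted Users", "APPUSER"),
    ("-tr Privileged Users", "A2840"),
    ("-tr Privileged Users", "SCOTT"),
]


def open_db():
    """In-memory database with the constructed tables loaded."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE session (session_start TEXT, client_ip TEXT, server_ip TEXT,
                              db_user TEXT, source_program TEXT, session_ignored INTEGER);
        CREATE TABLE group_member (group_desc TEXT, member TEXT);
    """)
    con.executemany("INSERT INTO session VALUES (?,?,?,?,?,?)", SESSIONS)
    con.executemany("INSERT INTO group_member VALUES (?,?)", GROUP_MEMBERS)
    return con


def sessions_in_group(con, group_desc):
    """The -Trusted Sessions query: Client IP, Server IP, DB User Name, Source Program.
    'Add Count' collapses identical rows into a count, 'Order by' is Client IP then
    DB User Name, and the condition is DB User Name IN GROUP <group_desc>.
    With '-tr Privileged Users' this is the cloned -Privileged Sessions query."""
    sql = """
        SELECT client_ip, server_ip, db_user, source_program, COUNT(*) AS cnt
        FROM session
        WHERE db_user IN (SELECT member FROM group_member WHERE group_desc = ?)
        GROUP BY client_ip, server_ip, db_user, source_program
        ORDER BY client_ip, db_user
    """
    return con.execute(sql, (group_desc,)).fetchall()


def sessions_with_ignored_flag(con):
    """The optional -Sessions report: the Session Ignored column is what lets you
    verify that the 'Ignore S-TAP session for trusted users' rule actually fired."""
    sql = """
        SELECT session_start, server_ip, client_ip, db_user, session_ignored
        FROM session ORDER BY session_start
    """
    return con.execute(sql).fetchall()
```

Note the IN GROUP condition is a subquery against the group table rather than a literal list, which is why changing group membership later changes the report without editing the query; the counts make the trusted application's many short sessions readable as two rows instead of a row per session.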
End of exercise
Exercise 13
Once started, the process will place work in the infosec role's To-Do
list (all users in this role will see the work; the first one in gets to do it).
This work will be marked Continuable, meaning that the system will
not wait for the user to complete the work before moving on to the next
receiver. The next receiver is the dba role. The work here is marked
Review and Sign; the work will not progress until a user in the dba role
has done exactly that. In addition, the user must explicitly Continue the
work to the next receiver. The next (and final) receiver is the audit role,
where again the user must Review and Sign the work and must
Continue it to move it on, in this case to the end of the process.
You will also see how to escalate work. In the exercise, the infosec role
user (User01) will escalate the work to a specific user (User02), asking
that user to both Review and Sign the work. Escalation is not
something you design into an audit process; it occurs at runtime at
the discretion of the user who is processing the work (we are showing
it in the diagram above so that the flow will be clear to you).
Exercise instructions
Follow these instructions to perform the exercise. Ask your instructor for assistance, if
necessary.
__ 1. In the SUSE Linux image, start Firefox and log on to the Guardium Console as
User01/ibm.
__ 2. Click the Comply tab and click the Define an Audit Process button:
__ 3. A built-in audit process called Application Monitoring is always included. You will
create your own, though, so click the New button to go to the Audit Process
Definition page.
__ 6. In the Receiver Table, add the following roles (leave Cont. unchecked for dba and
audit. Click the Sign radio button for dba and audit).
For each receiver that you add, you will be warned that SMTP is not configured.
Click OK to accept (and ignore) the warnings.
__ 7. Under Audit Tasks, set Task Type to Report. Set the Description to Sessions, and
then select Session Details from the Report drop-down list. Set the Task
Parameters as shown below:
__ 8. Under Audit Tasks, set Task Type to Report. Set the Description to DDL Activity,
and then select DDL Commands from the Report drop-down list. Enter a From and
To period in the Task Parameters section as shown below:
__ 9. Check the Active checkbox and then click the Apply button (at the bottom of the
page). Your completed audit process definition should look like this:
__ 10. Click the Run Once Now button to start the process. Click OK to acknowledge the
action. Log out of the Guardium Console, and then log back in again (as
User01/ibm).
__ 12. This page lets you inspect any reports associated with the defined audit tasks (click
the + icon next to each report name to expand the report and see the details).
The only work that User01 has to do here is inspect the report details and, if
required, make a comment (which will be visible to other workflow participants).
Click the Comment button. Because no comments have yet been entered, the list
will be empty. Click the Add Comments button and add a comment, such as The
reports look good - approved., and then click the Apply button. The
comment list will now have one comment in it. Click the Back button.
__ 13. User01 is also able to escalate this work to another role or user (perhaps to get
a second opinion).
Click the Escalate button and select User02 as the Receiver.
Select the Review and Sign radio button and then click Escalate to create the work
item in User02's To-do list.
You will be warned that User02 already has this item in his/her To-do list (User02 is
also a member of the infosec role). Click OK to accept and ignore the warning. Click
Close to close the escalation dialog.
__ 14. Click Close this Window (twice) to return to the main Console page. Log out
of the Guardium Console, and then log back in as User01/ibm. Notice that the
To-do item notification link has now disappeared, because you have performed your
designated work. Log out of the Guardium Console.
__ 15. Log in to the Guardium Console as User03 (a member of the dba role - password
should be guardium). When prompted, change the password to ibm.
You will notice that this user has an item in the To-do list. Click the link and then
click the View button to see the work details.
Information
Notice that the screen looks a little different from the previous user. In this step in the
workflow, you configured this user to both review and sign the work. In addition, this step
does not automatically continue (as the previous step did).
Click the + sign next to Distribution Status to view where the work has been (viewed
by the infosec role), where it currently is (viewed but not signed by User03 and
escalated for review and signature to User02) and where it is going (not yet sent or
distributed - to the audit role).
__ 16. Click the Sign Results button to sign the work. This does not automatically move it
on to the next step (sending it to the audit role). You can also add a comment, if you
want, at this point.
To move the workflow on to the next step, click the Continue button.
Close the windows to return to the main Guardium Console screen. Log out of the
Guardium Console.
__ 17. Log in to the Guardium Console as User04/guardium (User04 is a member of the
audit role). When prompted, change the password to ibm.
Notice that this user has an item in the To-do list.
Click the To-do link and click the View button to see the details.
Expand Distribution Status and Comments (to see any comments added by
previous users).
Information
Notice that this is the final step in the original audit process definition that you created.
When you sign and continue the work here, the defined process is complete. However, the
process will still be running because of the escalation performed earlier by User01.
Information
Notice that this user has a Sign Results button, but no Continue button. This is because
the work arrived here as a result of an escalation and is not part of the audit process
definition. It essentially has nowhere to go after this (unless this user chooses to further
escalate it).
Close the windows to return to the Audit Process To-Do List screen. Verify the
notification that The To-do List is empty. Close the window to return to the main
Guardium Console screen.
__ 19. Once a user has processed any items in the To-do list and the notification links have
been removed, it is still possible for any user involved to review completed
processes.
Click the Comply tab and click the To-do list link (shown circled below):
As well as showing any active items in the To-do list (there are none now, of course,
as you have processed them all), you can also see previous processes (listed under
Processes With No Pending Results).
__ 20. Click the View button and expand the Distribution Status to see who did what in
this process.
__ 21. Close this window, log out of the Guardium Console and close the browser.
End of exercise