Course Guide
IBM Guardium Foundations
Course code 8G100 ERC 1.3
IBM Training
October 2016 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other
claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those
products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
the names and addresses used by an actual business enterprise is entirely coincidental.
TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
About this course ... xi
Course objectives ... xiii
Audience ... xiv
Prerequisites ... xiv
Agenda ... xv
Course description ... xvi
Unit 1 IBM Guardium: Overview ... 1
Unit objectives ... 2
Lesson 1 IBM Guardium functionality ... 3
Guardium supports the whole data protection journey ... 4
IBM Guardium - Data Security and Privacy ... 5
Main Features ... 6
The need for database access monitoring ... 7
Native auditing ... 8
Database access monitoring with IBM Guardium ... 9
Transparent, noninvasive, real-time Data Activity Monitoring ... 10
Logging ... 13
Lesson 2 IBM Guardium components ... 14
Guardium architecture overview ... 34
Lesson 2 Capturing database traffic ... 35
Database activity monitoring ... 36
Collector ... 38
Collector architecture ... 39
Port mirroring ... 40
Network tap ... 42
Software tap (S-TAP) ... 43
S-TAP architecture ... 45
CAS architecture ... 46
Lesson 3 Using aggregation and central management ... 47
Multicollector environment ... 48
Aggregators ... 49
The Central Manager ... 50
Lesson 4 IBM Guardium hardware and software configurations ... 51
Aggregator and Central Manager scenario ... 52
Dedicated aggregator scenario ... 53
Dedicated Central Manager scenario ... 54
Enterprise load balancing using Central Manager ... 55
Lesson 5 Integrating IBM Guardium with other tools ... 56
Integration ... 57
Unit summary ... 58
Unit 3 IBM Guardium: User interface ... 59
Unit objectives ... 60
User account, password, and authentication commands ... 84
Certificate commands ... 85
GuardAPI ... 86
Exercise introduction ... 87
Unit summary ... 88
Lesson 1 User management ... 91
accessmgr characteristics ... 92
Access management user navigation menu options ... 93
Access Management tool ... 94
User Browser ... 95
Adding a user ... 96
Editing a user ... 97
User Browser - modifying roles ... 98
Assigning user roles ... 99
Deleting users ... 100
Importing users from LDAP ... 101
Exercise introduction ... 102
Lesson 2 Role management ... 103
User roles ... 104
Creating a new role ... 106
Customizing the navigation menu for a role ... 107
Setting role permissions ... 108
Alerter ... 125
Alerts ... 127
Anomaly Detection ... 128
Global Profile ... 130
Exercise introduction ... 133
Lesson 2 Data management ... 134
System backup ... 135
Data Archive ... 136
Catalog Archive ... 138
Results Export ... 139
Exercise introduction ... 140
Unit summary ... 141
Lesson 1 Building groups ... 144
What a Guardium Group is ... 145
Methods to build groups ... 147
Accessing the Group Builder ... 148
Modifying existing groups ... 149
Modifying existing group members ... 150
Creating a new group ... 151
Group reports ... 152
Lesson 2 Populating groups ... 153
Adding members using manual entry ... 154
Adding members from a drop-down list ... 155
Group population by LDAP ... 156
LDAP group population setup ... 157
Populating from a query ... 158
Populate from query options ... 159
Populate from query results ... 161
Scheduling a population by query ... 162
Lesson 3 Access rules ... 189
Access rule overview ... 190
Access rule description ... 191
Access rule criteria ... 192
Access rule actions ... 193
Access rule example ... 196
Alert rules ... 197
Alert example ... 198
Allow ... 199
Ignore session rules ... 200
Ignore S-TAP Session action ... 201
Ignore Session example ... 202
Ignore S-TAP Session rule: Trusted connections ... 203
Ignore Session criteria ... 204
Ignore Responses Per Session action ... 205
Ignore SQL Per Session action ... 206
Ignore Session action ... 207
Log Full Details policy action ... 208
Other logging options ... 209
Exercise introduction ... 211
Lesson 4 Exception and extrusion rules ... 212
Exception rule definition ... 213
Exception rules: Actions ... 214
Failed login alert ... 215
Unit 8 IBM Guardium: Auditing, vulnerability assessment, and discovery ... 240
Unit objectives ... 241
Lesson 1 Using the configuration auditing system (CAS) ... 242
Configuration auditing system (CAS) ... 243
CAS agent ... 244
CAS templates ... 245
Monitored Item Template Definition ... 247
CAS hosts and instances ... 248
CAS reporting and status ... 249
Exercise introduction ... 250
Lesson 2 Performing vulnerability assessment ... 251
Vulnerability Assessments ... 252
Security Assessment Builder ... 254
Vulnerability assessment tests ... 255
Vulnerability Assessment integration with CAS ... 257
Exercise introduction ... 258
Lesson 3 Using database discovery ... 259
Database discovery ... 260
Database discovery configuration ... 261
Unit summary ... 262
Unit 9 IBM Guardium: Custom queries and reports ... 263
Unit objectives ... 264
Query and reporting overview ... 265
Predefined reports ... 266
Runtime Parameters / Dynamic groups ... 293
Runtime Parameters / Dynamic groups: Results ... 294
Drill-down reports ... 295
Drill-down report example ... 296
Searching for a report ... 297
Report builder buttons ... 298
Exercise introduction ... 299
Unit summary ... 300
Unit 10 IBM Guardium: Compliance workflow automation ... 301
Unit objectives ... 302
Lesson 1 Creating a compliance workflow ... 303
Compliance Workflow Automation ... 304
Compliance Workflow Automation elements ... 305
Compliance Workflow Automation log ... 307
Compliance automation process components ... 308
Audit process name and archive ... 309
Audit tasks ... 310
Audit receivers ... 312
Exercise introduction ... 314
Lesson 2 Managing audit results ... 315
Activating and running an audit process ... 316
To-do lists ... 317
Report delivery ... 318
Workflow results ... 319
Exercise introduction ... 342
Unit summary ... 343
IBM Guardium Foundations
IBM® Guardium® is a comprehensive data security platform that can help you support compliance
initiatives, privacy initiatives, big data security projects, and comprehensive data protection. You
can use the Guardium platform to analyze your data risk, protect critical data, and adapt data
security to the changes in your environment.
This course introduces students to the IBM Guardium product. It provides processes, procedures,
and practices necessary to configure Guardium to discover, classify, analyze, protect, monitor
access to, and control access to sensitive data. This includes performing vulnerability assessment,
data and file activity monitoring, masking, encryption, alerting, and quarantining functions. The
following topics are among those included in this course:
• Use Guardium components
• Navigate the administration console and use the command line interface to manage Guardium functions
• Create users and roles to manage Guardium user access
• Use the administration console to manage, configure, and monitor Guardium components
• Create and manage Guardium groups that facilitate queries and policy rules
• Create policy rules that process the information Guardium receives from databases and file servers
• Use Guardium tools to manage the systems, applications, and databases in a business environment
• Build queries and create reports to gather data and examine trends
• Consolidate database activity monitoring tasks and streamline compliance processes
Students learn through hands-on lab exercises and lab videos how to use the IBM Guardium
application. The lab environment for this course uses virtual machines hosted by IBM Remote Lab
Platform (IRLP).
Details
Recommended duration: 3 days
Skill level: Intermediate
Course objectives
• Identify the primary functions of IBM Security Guardium
• Apply key Guardium architecture components
• Navigate the Guardium user interface and command line interface
• Manage user access to Guardium
• Use the administration console to manage Guardium components
• Build and populate Guardium groups
• Configure policy rules that process the information gathered from database and file servers
• Use the configuration auditing system, Vulnerability Assessment application, and Database Discovery to perform data security tasks
• Create queries and reports to examine trends and gather data
• Automate compliance workflow processes
• Use file access monitoring to keep track of the files on your servers
© Copyright IBM Corporation 2016
Audience
This course is designed for database administrators, security administrators, security analysts, security technical architects, and professional services staff using IBM Guardium.
Prerequisites
Before taking this course, make sure that you have the following skills:
• Working knowledge of SQL queries for IBM DB2 and other databases
• Working knowledge of NoSQL type databases
• Working knowledge of UNIX commands
• Ability to use a UNIX text editor such as vi
• Familiarity with data protection standards such as HIPAA and PCI
Agenda
• IBM Guardium: Overview
• IBM Guardium: Architecture
• IBM Guardium: User interface
• IBM Guardium: Access management
• IBM Guardium: System view and data management
• IBM Guardium: Groups
• IBM Guardium: Policy management
• IBM Guardium: Auditing, vulnerability assessment, and discovery
• IBM Guardium: Custom queries and reports
• IBM Guardium: Compliance workflow automation
• IBM Guardium: File activity monitoring
Course description
The course contains the following content:
1. IBM Guardium: Overview
IBM® Guardium® version 10 takes a major step forward with intelligence and automation to safeguard data, enterprise-ready features, and increased breadth of data sources. This unit introduces the capabilities of Guardium, including activity monitoring and auditing. This unit also describes the components of Guardium.
2. IBM Guardium: Architecture
In this unit, you learn how the components of IBM® Guardium® work together to provide a holistic solution to discover, harden, monitor, and protect sensitive data.
3. IBM Guardium: User interface
The IBM® Guardium® V10 release has many new features and enhancements. This updated version provides a new and intuitive interface, making it easy to navigate. The updated menu includes a Guardium security lifecycle view, making navigation options easy to understand and use. The new UI can be customized based on the tools you need most. This release allows you to create and use dashboards to organize and manage your reports. The configuration and control commands cover a large number of configuration settings within the Guardium appliance. In this unit, you learn to navigate the Guardium interface, customize dashboards, and use the search feature. You also learn to use the command line interface (CLI) to perform data security functions.
4. IBM Guardium: Access management
Guardium includes built-in user roles, such as admin and accessmgr, that are used to assign and delete roles for new users. In this unit, you learn to use the Access Manager interface to create and maintain user accounts and roles.
5. IBM Guardium: System view and data management
This unit teaches you to manage, configure, and monitor the system. In addition to viewing the system, this unit teaches you to manage and archive data. Finally, this unit showcases crucial methods to archive, perform system backup, and use the catalog archive function to prevent running out of disk space and to allow recovery from a loss of the Guardium system.
6. IBM Guardium: Groups
Guardium groups offer a powerful method to facilitate the creation of queries and policy rules. In fact, without the use of groups, you might have to rely on conditional statements for queries and policy rules. Groups can have one or many attributes, and members can belong to multiple groups. In this unit, you learn how to build and populate Guardium groups.
7. IBM Guardium: Policy management
IBM Guardium gathers a large amount of information about data access from database and file servers. This information is parsed and logged, yet this is not enough. You must provide Guardium with a set of rules describing what should be done with the information. These rules, or policies, tell Guardium what information S-TAP agents should send to the collectors and what action to take when certain types of information are received. In this unit, you learn how to configure the rules that tell Guardium how to process the information it receives from database and file servers.
8. IBM Guardium: Auditing, vulnerability assessment, and discovery
Guardium includes several tools you can use to perform data security tasks such as auditing, discovering vulnerabilities, and discovering databases. In this unit, you learn how to use the built-in tools in Guardium, including the configuration auditing system (CAS), Vulnerability Assessment application, and Database Discovery, to manage the systems, applications, and databases that are included in your business environment.
9. IBM Guardium: Custom queries and reports
The ability to generate reports that reflect the data collected in Guardium is necessary to examine trends and gather data for management. Guardium receives and processes a great deal of data. Policies specify which data the collector receives from endpoints. Queries specify which data is displayed. Reports specify how and where the data is displayed. In this unit, you learn how to create these queries and reports.
10. IBM Guardium: Compliance workflow automation
Guardium helps you consolidate database activity monitoring tasks and streamline your compliance process. In this unit, you learn how to automate the processes involved with preparing compliance information for distribution and review. This process includes creating a compliance workflow and distributing the workflow.
11. IBM Guardium: File activity monitoring
You can use Guardium file activity monitoring (FAM) to keep track of the files on your servers. FAM capabilities include finding files, which is known as discovery, classifying the files, and monitoring the activity of files. You can use security policy rules to monitor and collect file-related information. In this unit, you learn how to locate file entitlements and classification data. You also create policies that log file activity and block access to a file.
IBM Guardium: Overview
IBM® Guardium® version 10 takes a major step forward with intelligence and automation to safeguard data, enterprise-ready features, and increased breadth of data sources. This unit introduces the capabilities of Guardium, including activity monitoring and auditing. This unit also describes the components of Guardium.
Unit objectives
• Identify the primary functions of IBM Guardium
• Describe the key components of the IBM Guardium solution
Lesson 1: IBM Guardium functionality
Activity monitoring for databases is the flagship offering in the Guardium portfolio. In this lesson, you learn about the importance of IBM Guardium monitoring and logging.
Stages of Guardium adoption (slide):
• Acute compliance need: database monitoring focused on changed data and automated reporting
• Expand platform coverage: big data platforms, file systems, or other platforms also require monitoring, blocking, and reporting
• Address data privacy: find and address personally identifiable information (PII), determine who is reading data, leverage masking
• Sensitive data discovery: perform vulnerability assessment, discovery, and classification
Customers can start with basic and acute compliance needs, such as data access reports required by auditors or regulation. Then they can expand coverage to other sensitive platforms, control and monitor the access of privileged administrators, and seek out sensitive data throughout the enterprise.
Guardium addresses four data security needs:
1. Prevent data breaches: prevent disclosure or leakage of sensitive data
2. Ensure data privacy: prevent unauthorized changes to data
3. Reduce the cost of compliance: automate and centralize controls across diverse regulations and heterogeneous environments
4. Identify risk: discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities
These needs apply on premise and on cloud, to data at rest (stored in databases, file servers, big data, data warehouses, application servers, and cloud or virtual environments) and to data in motion (over the network: SQL, HTTP, SSH, FTP, email, and so on), and to both data repositories and sensitive documents.
1. Prevention of data breaches. Data breaches can originate from internal or external attacks. These breaches can be due to deliberate attacks or accidental exposure.
2. Ensuring data privacy. Companies must prevent unauthorized changes to sensitive data. This might be due to intentional fraud or accidental modification. Additionally, companies must be able to audit sensitive data modification to provide proof of data integrity.
3. Developing, implementing, and maintaining the policies to protect sensitive data can be
4. Addressing risk through policy requires a thorough understanding of the risks. Companies need to fully understand the extent and nature of sensitive data already present within a company, as well as vulnerabilities. This requires tools that are able to detect potentially sensitive data, as well as gaps in security.
Main features
The feature matrix on the slide lists:
• Discovery and classification: database and data discovery, data classification
• Vulnerability assessment: assessment reports, configuration changes
• Entitlements reporting
• Activity monitoring: data activity monitoring, real-time alerts, threshold alerts, application end-user identification, normalized audit creation, file activity monitoring (monitor and alert on file activity), file access auditing
• Blocking and quarantine: blocking access, quarantining users
• Dynamic data masking: masking sensitive data, data redaction, redacting sensitive documents
• Masking and encryption: data encryption, file-level encryption, Optim data masking (static masking, semantic and format preserving)
• Platform: queries and reports, compliance workflow, compliance reporting, incident management, enterprise integrator subscription, group management, security, IT, and HR integrations, role-based access control, user and roles management, data-level security, portal management, self-monitoring, central control, central audit collection, federation of large deployments, data export and import options
IBM Guardium is a database security and monitoring solution that addresses the following aspects of database protection:
• Real-time monitoring
• Built-in and custom reporting
• Vulnerability assessment
• Database discovery and data classification
• Monitor: Collect and distribute information about how sensitive data is being accessed and modified
• Protect: Block or mask data, quarantine users, and monitor file activity
• Many corporations are required to monitor activity performed against their databases
  PCI requires that all access to credit card information is logged
  SOX requires that all privileged user activity is monitored
• Other corporations choose to monitor database activity for these reasons
  To meet their own internal security requirements
  To protect sensitive and valuable data
The following list shows where you can find some of the regulations and industry standards:
• Sarbanes-Oxley (SOX): a United States federal government regulation intended to reduce accounting fraud
• Payment Card Industry Data Security Standard (PCI DSS): an industry standard, maintained by the PCI Security Standards Council, intended to protect consumer credit card data
• Health Insurance Portability and Accountability Act (HIPAA): a United States federal government regulation that includes provisions to protect the privacy of an individual's health and medical records
Corporations following these regulations and standards must enact policies and procedures to meet their requirements. Additionally, a corporation might have internal security requirements in order to protect data from unauthorized use and theft.
Native auditing
• Without a solution such as Guardium, companies must rely on built-in auditing methods, also known as native auditing, within each of their database platforms to meet monitoring requirements
• Native database auditing is not appropriate in many organizations for the following reasons
  High resource utilization: native auditing often consumes 10 to 12% of a server's CPU
  No separation of duties: because native auditing must be configured from within the database, DBAs have the ability to turn it off and manipulate the log files. These same DBAs and other privileged users often require the highest levels of monitoring because they have open access to the database
  Inconsistent auditing features: each database management system has a different method of logging and reporting on database activity, making unified reporting difficult if not impossible
Guardium can provide the ideal solution to the database monitoring needs of companies. Many companies try to perform their monitoring using the native auditing capabilities of the database management systems they work with. However, native monitoring has many drawbacks, including the impact on the database system, the ability of users with high-level access such as database administrators to bypass native monitoring, and the difficulties of integrating the native monitoring features of multiple database environments.
Creating and maintaining these native monitoring solutions can be a burden on the corporation, as is ensuring that the native monitoring solutions conform to regulations and standards.
• DBAs have no access to Guardium, unless provided by a Guardium administrator
• Guardium collects database traffic from heterogeneous environments and standardizes it, allowing one system to monitor multiple database types
Guardium intercepts database queries before they reach the database and intercepts query results before they are passed to the requester, so access can be blocked or reported, and data can be masked. A single Guardium system can monitor and manage the security of different vendor database products.
Data sources (DB, warehouses, files, big data) are covered by Guardium host-based probes across the lifecycle: DISCOVER, MONITOR, PROTECT, AUTOMATE.
• Single integrated appliance
• Noninvasive, nondisruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for privileged access
• No environment changes
• Autodiscover sensitive resources and data
• Detect or block unauthorized and suspicious activity
• Granular, real-time policies and normalized audit: who, what, when, how
• 100% visibility including local privileged access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers or rogue insiders
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, and similar regulations
• Growing integration with broader security and compliance management vision
Because the S-TAP agent runs at a level below the database and application, no changes to the database or applications are required. Separate collector appliances provide most of the resource-intensive processing, allowing the database servers themselves to run with a minimum of interference. Alerts happen in real time.
Because the S-TAP agent runs on the server, at a low level below the databases and applications, all access is monitored, unlike network monitoring, which does not detect activity running solely on the database server. As an example, a privileged user working on the server console won't be detected by any solution that only monitors network traffic, but would be detected and could be monitored or even blocked by Guardium.
Enterprise deployment (slide): Guardium collectors in the Americas, Europe, and Asia Pacific data centers and in LOB, marketing, and big data analytics environments report to a Guardium Central Manager and Aggregator, with integration to LDAP/AD, IAM, change management, SIEM, and archiving.
• Central management: Policies pushed to collectors from central manager
• Central aggregation: Collectors aggregate data to central audit repository
• Unified solution for both distributed and IBM System z: Enterprise-wide compliance reporting, analytics, and forensics
• Enforcement (S-GATE): Prevents privileged users from accessing sensitive information
• Heterogeneous data source support: Databases, Data Warehouses, Files, Big Data
• Central management to provide uniformity of policies, which can be created once and distributed to many diverse endpoints
• Central aggregation to gather data security information from distributed sources for unified processing, storage, and reporting
• Heterogeneous data source support to provide similar security capabilities for different sorts of data repositories
• Collectors gather activity about sensitive data from data repositories, provide real-time analysis, and store it for further processing. A Guardium implementation has at least one collector.
• Aggregators collect and merge information from multiple collectors. This provides an enterprise view of sensitive data operations. Guardium implementations with multiple collectors have one or more aggregators.
• A Guardium environment has one central management system, which controls and monitors all collectors and aggregators in that environment and provides a holistic view through a single console.
impact on the normal database operations. The Guardium software tapping agent (S-TAP) forwards the captured database traffic to a Guardium collector appliance for processing.
Logging
• Real-time
• Strings parsed into smaller data elements
All defined and monitored database activity is logged into the Guardium database in real time. When a user issues a command or statement against a monitored database, it is immediately logged into the Guardium database and is immediately available for alerting or reporting. Additionally, the strings are parsed into smaller data elements, so that data is easier to categorize.
Lesson 2: IBM Guardium components
In this lesson, you learn about IBM Guardium components, such as quick search, reporting, workflow automation, and file activity monitoring.
• Built-in and custom reporting
• Compliance workflow automation
• Configuration auditing system
• Vulnerability assessment
• Database discovery and data classification
• File activity monitoring
The base product includes components for doing real-time database access monitoring, including options to filter what is being monitored, to generate an alert whenever specific access is attempted, and to terminate access when needed. The base product also includes built-in and customized reporting and compliance workflow, which automatically routes reports to the appropriate users.
• Database discovery and data classification to automatically detect database existence and locate data artifacts
User interface (slide): enterprise-wide quick search, customizable reports, at-a-glance operational dashboard, guided processes, drill-down analytics
The focus of the new user interface is to make navigation simple, especially for everyday tasks. An example is the search bar on the top right side. It provides a number of functions.
To use the search bar, start typing what you are looking for and choices start appearing in a drop-down list. You can define the scope of where you want that search to go.
The Guardium user interface also places emphasis on guiding you through key end-to-end processes.
The user interface also emphasizes visibility, including the following features:
• Customizable reports
• The ability to drill down on the new tools such as the investigative dashboard or the outlier detection tool
Quick Search
• Automatically discover and classify sensitive data to expose compliance risks
• Analyze data usage patterns to uncover and remediate risks
• Understand who is accessing data, spot anomalies, and stop data loss in real time
• Use the convenient graphical interface for identifying and responding to outliers detected by the algorithm
You cannot protect what you do not understand or know about. You must have the tools to easily understand your data environment and help you make quick decisions about the risk on that data.
• Tracking activity against sensitive data and maintaining security on a continuous basis by monitoring all transactions
• Discovering misconfiguration and vulnerabilities on the database setup
• Analyzing access and behavioral patterns on the fly or from audit data
• Protecting against threats and data loss by automating controls to protect sensitive data with real-time policy assessment and appropriate remediation
• Developing a picture of the security/risk posture and hardening the data environment
• Filtering: Criteria specifying what is to be monitored
• Alerting: Notification when specific actions occur
• Prevention: Blocking actions before they are processed
A rule specifies the criteria to use to decide the action's context and which action to take.
A policy is a set of rules applied against the database traffic as it is being monitored and logged into the Guardium appliance database. Each rule contains a set of criteria and one or more actions.
A filter is a set of criteria that specifies when action is to be taken. As an example, a filter might specify that an action be taken when a certain user attempts to access data in a certain table of a specific database. The filter does not specify which action is to be taken, but is associated with a rule that applies the filter and then, if the criteria in the filter are met, implements an action.
An alert is a notification that a specific action has been taken. The alert specifies which action has been taken, why that action was initiated, and the results of that action.
A preventive action is one that blocks an action before it is processed. As an example, a certain SQL query might be intercepted, determined to be inappropriate, and blocked before it ever reaches the database.
Monitoring and prevention of unauthorized access by privileged users (slide): known application server session activity is allowed (S-TAP/open mode), while a privileged user's session is terminated.
• Applies filters
  Add WHERE clause
  Change SELECT clause
  Rewrite entire query
  Change target table
• Has several benefits
  Dynamic masking
  Restrict data access
  Keeps original database intact
  No involvement by database administrator
  Centralized policy control
The slide example shows row-level masking (only dept #20). Note: Dynamic masking and fine-grained access control are available for databases such as DB2, MSSQL, and Oracle.
As an example, you might want database administrators to test queries against a table containing sensitive data, such as a personal identification number. However, you want to allow them to only view as much information as necessary to verify that the query is working. You might determine that you want the database administrators to only be able to see the last four digits. This will allow them to verify that data is being returned while still retaining a reasonable amount of privacy.
Guardium is able to intercept the query before it is sent to the database and rewrite the query by:
• Adding a WHERE clause, which creates row-level masking to restrict which rows are returned. In the example in the slide, it only returns rows from department 20.
• Changing the SELECT clause, which creates column-level masking to change which columns are returned
This functionality provides many benefits, including those shown in the following list:
• Dynamic data masking with real-time response
• Restricting who can access what data, as well as when and how
• Fine-grained access control to sensitive data to complement and expand database controls
• Keeping the original data in the physical production databases intact
• No impact to database controls, nor involvement of the database administrator
• Centralized policy control over diverse database formats
• Prevent data breaches
• Ensure data privacy
• Reduce the cost of compliance
• Identify security risks
• Enable safe sharing of data
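The two rewrites described above, an added WHERE clause for row-level masking and a changed SELECT clause for column-level masking, as an added example run against an in-memory SQLite table. This is illustration code for this guide, not Guardium's query rewrite: the table, its rows, the "department 20 / last four digits" policy and the rewrite rules are constructed, and only simple single-table SELECTs are handled.

```python
import re
import sqlite3
from typing import List, Tuple

# Hypothetical masking policy for the EMPLOYEES table: DBAs testing queries see
# only department 20, and only the last four digits of the national ID.
ROW_FILTER = {"employees": "dept = 20"}
COLUMN_MASK = {"employees": {"nat_id": "'***-**-' || substr(nat_id, -4)"}}

_SELECT_RE = re.compile(r"^\s*select\s+(.*?)\s+from\s+(\w+)\s*(where\s+.*)?$", re.I | re.S)


def rewrite(sql: str) -> str:
    """Return the client's SELECT with the policy's row filter and column masks applied."""
    m = _SELECT_RE.match(sql.strip().rstrip(";"))
    if not m:
        return sql  # anything beyond a simple single-table SELECT is passed through here
    cols, table, where = m.group(1), m.group(2).lower(), m.group(3)
    masks = COLUMN_MASK.get(table, {})
    if masks and cols.strip() == "*":
        # A real rewriter must expand * from the catalog before masking; refuse rather than leak.
        raise ValueError("expand SELECT * before applying column masks")
    # Column-level masking: swap each protected column for its masking expression.
    new_cols = []
    for c in (c.strip() for c in cols.split(",")):
        new_cols.append(f"{masks[c.lower()]} AS {c}" if c.lower() in masks else c)
    # Row-level masking: AND the policy predicate onto whatever WHERE the client sent.
    pred = ROW_FILTER.get(table)
    if pred:
        where = f"WHERE ({where[5:].strip()}) AND {pred}" if where else f"WHERE {pred}"
    return f"SELECT {', '.join(new_cols)} FROM {table}" + (f" {where}" if where else "")


def demo() -> List[Tuple[str, str]]:
    """Run a DBA's test query through the rewrite against constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id INTEGER, name TEXT, dept INTEGER, nat_id TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [  # constructed data
        (1, "Ada", 20, "123-45-6789"),
        (2, "Bob", 10, "987-65-4321"),
        (3, "Cy", 20, "555-12-3456"),
    ])
    client_sql = "SELECT name, nat_id FROM employees WHERE id > 1"
    return con.execute(rewrite(client_sql)).fetchall()


if __name__ == "__main__":
    print(rewrite("SELECT name, nat_id FROM employees WHERE id > 1"))
    print(demo())
```

The client's own predicate is kept and parenthesised before the policy predicate is ANDed on, so a client cannot widen the row filter with an OR. The original rows are untouched; only the statement that reaches the database changes.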
Built-in reports and Query Builder for custom reports (slide)
Guardium includes a flexible query builder, allowing users to create custom reports that meet specific needs.
Compliance automation
• Guided task flow to define an audit process
• Automated scheduled tasks and reports distribution
• Comments, review, sign-off
• Advanced workflow process (multiple states and transitions)
The Guardium solution also includes Compliance Workflow Automation. This feature can be configured to deliver reports, vulnerability assessments, and classification results to the appropriate end users on a periodic basis. This process also tracks who has viewed or signed any process, and also maintains a trail of any comments made by reviewers.
Configuration auditing system
• Critical data values
• Database configuration files
operating system level. The Configuration Auditing System (CAS) in Guardium monitors changes to these OS database files, as well as changes to environment variables and actual values.
With the Guardium CAS, organizations can track all changes to the following objects:
• Security and access control objects such as users, roles, and permissions
• Database structures such as tables, triggers, and stored procedures. CAS can also detect accidental deletions or insertions of critical tables that can impact data governance.
• Critical data values such as data that affects the integrity of financial transactions
• Database configuration objects that can affect security posture
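The baseline-and-compare loop behind file-level configuration auditing, as an added example: a baseline records a content hash, size and permission mode for each watched file, and a later scan reports files that were modified, had their permissions changed, or disappeared. This is illustration code for this guide, not the Guardium CAS; the file names are hypothetical and are created in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def fingerprint(path: str) -> Dict[str, object]:
    """Hash the content and record the attributes a change should be detected on."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.filemode(st.st_mode), "uid": st.st_uid}


def baseline(paths: List[str]) -> Dict[str, Dict[str, object]]:
    return {p: fingerprint(p) for p in paths if os.path.exists(p)}


def compare(base: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Report each watched path as DELETED, ADDED or MODIFIED:<attributes that changed>."""
    findings = []
    for p in sorted(set(base) | set(current)):
        if p not in current:
            findings.append((p, "DELETED"))
        elif p not in base:
            findings.append((p, "ADDED"))
        else:
            changed = [k for k in base[p] if base[p][k] != current[p][k]]
            if changed:
                findings.append((p, "MODIFIED:" + ",".join(changed)))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Create constructed config files, baseline them, then tamper and rescan."""
    d = tempfile.mkdtemp()
    watched = [os.path.join(d, n) for n in ("listener.ora", "sqlnet.ora", "tnsnames.ora")]
    for p in watched:
        with open(p, "w") as f:
            f.write("# constructed config\n")
        os.chmod(p, 0o640)
    base = baseline(watched)
    with open(watched[0], "a") as f:             # content change
        f.write("ADMIN_RESTRICTIONS_LISTENER = OFF\n")
    os.chmod(watched[1], 0o666)                  # now world-writable
    os.remove(watched[2])                        # deleted
    return [(os.path.basename(p), what) for p, what in compare(base, baseline(watched))]


if __name__ == "__main__":
    for path, finding in demo():
        print(path, finding)
```

Hashing catches edits that keep the size constant, and recording the mode catches a permission change that leaves the content alone; a scan that only compared timestamps would miss an attacker who restores them.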
Vulnerability assessment
A vulnerability assessment evaluates the security of the database environment
• Query-based tests: patches, passwords, privileges, defaults
• Behavioral tests: exceeding thresholds, executing administrative commands
• CAS-based tests: operating system configuration vulnerabilities
The results view provides a result history, a summary, filters and sort controls, detailed test results, and a detailed description of fixes.
The Guardium Vulnerability Assessment tool evaluates the security of your database environment. It uses three different kinds of tests:
• Query-based tests check for vulnerabilities such as missing patches, weak passwords, and poorly configured privileges and defaults.
• Behavioral tests check for activity such as excessive failed logins, clients executing administrative commands, and after-hours logins.
• CAS-based tests check for operating system configuration vulnerabilities.
After running the selected tests, Guardium presents an overall report card along with details about each result, including recommendations about resolving any issues it identifies as problem areas.
Database discovery
• Probes the network
• Locates servers running database services
• Reports on its findings
Due to the complexity of some environments and other factors, such as mergers and acquisitions, some companies do not have a full inventory of their database servers. Database discovery probes the network, locates servers running database services, and reports on its findings.
Data classification
• Scans databases
• Locates objects matching certain patterns
• Reports on its findings
Additionally, due to the complexity of some environments and other factors, such as mergers and acquisitions, some companies do not know where all of their sensitive data resides. Data classification scans databases to find and classify any objects or fields containing sensitive data. In the example shown above, data classification has located two tables that might contain sensitive credit card data and listed the column name where the data resides.
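The scan just described, sampling every column of every table and reporting those that match a sensitive-data pattern, as an added example against an in-memory SQLite database. This is illustration code for this guide, not Guardium's classifier: the tables and rows are constructed, the pattern is a credit card number confirmed by the Luhn check, and the sample size and hit threshold are assumptions.

```python
import re
import sqlite3
from typing import List, Tuple

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def looks_like_card(value) -> bool:
    if not isinstance(value, str):
        return False
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def classify(con: sqlite3.Connection, sample_rows: int = 1000,
             min_hits: int = 1) -> List[Tuple[str, str, int]]:
    """Return (table, column, hit count) for every column whose sample contains card numbers."""
    hits = []
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
        for c in cols:
            rows = con.execute(f'SELECT "{c}" FROM "{t}" LIMIT ?', (sample_rows,)).fetchall()
            n = sum(looks_like_card(r[0]) for r in rows)
            if n >= min_hits:
                hits.append((t, c, n))
    return hits


def demo() -> List[Tuple[str, str, int]]:
    """Constructed database: one obvious card column and one card hiding in free text."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, card_no TEXT);
        CREATE TABLE orders (id INTEGER, note TEXT);
        CREATE TABLE support_tickets (id INTEGER, body TEXT);
    """)
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Ada", "4111111111111111"), (2, "Bob", "5500 0000 0000 0004"), (3, "Cy", None)])
    con.executemany("INSERT INTO orders VALUES (?, ?)", [
        (1, "ref 1234567890123"), (2, "rush")])          # 13 digits, but fails Luhn
    con.executemany("INSERT INTO support_tickets VALUES (?, ?)", [
        (1, "customer called, card 4111 1111 1111 1111 declined"), (2, "password reset")])
    return classify(con)


if __name__ == "__main__":
    for table, column, n in demo():
        print(f"{table}.{column}: {n} probable card numbers")
```

The free-text hit in support_tickets is the case a column-name-only scan misses; the order reference with thirteen digits shows why a pattern match alone is not enough.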
File activity monitoring
Guardium file activity monitoring (FAM) can discover and classify sensitive information contained in files, as well as control and monitor access to these files.
The slide illustrates one of the file activity monitoring reports that shows the result of the Discovery and Classification process. It scans a directory, drive, USB, or any mounted drive and gives a list of all files it contains, with the entitlements; that is, which users are authorized to do what on that file. The classification tells you if the content of that file matches one of FAM's decision plans.
Unit summary
• Identify the primary functions of IBM Guardium
• Describe the key components of the IBM Guardium solution
IBM Guardium: Architecture
In this unit, you learn how the components of IBM® Guardium® work together to provide a holistic solution to discover, harden, monitor, and protect sensitive data.
Unit objectives
• Describe the basic architectural components of an IBM Guardium implementation
• Identify the methods Guardium uses to capture database traffic
• Describe the functions of aggregation and central management
• Identify Guardium hardware and software configurations for various environments
• List the tools that can integrate with Guardium
Lesson 1: IBM Guardium architectural components
In this lesson, you learn the functions of IBM Guardium architectural components and how they communicate.
Deployment topology (slide): data servers and application servers with local access, a network switch carrying network access from clients over the Internet, and a Guardium collector.
• Database servers: These servers run the database and generally have an agent installed that resides below the database server and intercepts SQL queries and other calls to the database server.
• Application servers: These servers might also have an agent installed, depending on their role.
• Network switches: Network switches route traffic and are a potential point for Guardium to intercept database queries.
• Guardium collector: One or more Guardium systems gather and process information about data access and security.
S-TAP data flow (slide)
• The database client requests information from the DB server, and the DB server responds with the appropriate information
• The database client can communicate with the database server, but all communications are intercepted by the S-TAP agent
• The S-TAP agent forwards the captured traffic to the collector, where the sniffer and the Guardium Analysis Engine perform the resource-intensive processing: the engine analyzes, parses, and logs the appropriate data to the internal repository
• Additionally, a sniffer can send control signals to the S-TAP agent
The S-TAP agent also handles:
• Filtering information before sending to the collector to reduce network traffic
• Masking or redacting information in the result set based on policy from the Guardium collector
S-TAP can filter out unwanted result sets or authorized sessions and not send this information to the collector.
Uempty
Lesson 2 Capturing database traffic
Lesson: Capturing database traffic
In this lesson, you learn how Guardium collects information about sensitive data access and
forwards that information for processing, logging, and other action.
Database activity
• Failed login attempts
• SQL commands
• SQL errors
• Returned data
File activity
• User attempting to access file
• Type of file activity
Mechanisms that access the data
• Network access
• Local access
• Encrypted connection
Monitoring options
• Port mirroring
• Network tap
• Software tap
• Database activity:
– Failed login attempts: Information about unsuccessful attempts to create an active session. As an example, multiple attempts to log in to a session during nonworking hours might
log them.
– SQL errors: Improperly formatted SQL commands can indicate an attempt to access sensitive data by users not familiar with the structure of the database, and might indicate illicit activity.
• File activity information:
– File name and type
– File location
– User accessing file
– What sort of file activity is being performed
Has there been an attempt to read the file? Copy the file to another location? Delete, rename, or modify the file?
It is also necessary to understand the mechanisms by which the data is accessed. As an example, is the access done by a remote user session, or by a user logged directly on to the server? Is the connection encrypted or unencrypted? What protocol is used?
When monitoring, several options can be used. These options are addressed in later slides.
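The two database-activity indicators the notes single out, repeated failed logins outside working hours and SQL errors from a user who does not know the schema, can be turned into simple detection logic. The following is an added example written for this guide; it is not Guardium code, and the record layout, the business hours (08:00 to 18:00), the thresholds and the sample events are all constructed assumptions.

```python
"""Added example: flag the two indicators described in the notes
(failed logins outside working hours, and SQL errors that suggest a
user probing an unfamiliar schema) over constructed activity records.
Illustrative only: record format, thresholds and business hours are
assumptions, not Guardium's own logic."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, db_user, client_ip, event_type, detail)
SAMPLE_EVENTS = [
    ("2016-10-03 09:15:00", "app_svc", "10.0.1.20", "LOGIN_OK", ""),
    ("2016-10-03 23:41:10", "jdoe", "10.0.5.7", "LOGIN_FAILED", "bad password"),
    ("2016-10-03 23:41:35", "jdoe", "10.0.5.7", "LOGIN_FAILED", "bad password"),
    ("2016-10-03 23:42:02", "jdoe", "10.0.5.7", "LOGIN_FAILED", "bad password"),
    ("2016-10-04 10:02:00", "analyst", "10.0.2.9", "SQL_ERROR", "table CUSTMER not found"),
    ("2016-10-04 10:02:30", "analyst", "10.0.2.9", "SQL_ERROR", "column SSN_NO not found"),
    ("2016-10-04 10:03:01", "analyst", "10.0.2.9", "SQL_ERROR", "table CUST_PII not found"),
    ("2016-10-04 10:03:40", "analyst", "10.0.2.9", "SQL_ERROR", "syntax error near FROM"),
    ("2016-10-04 14:00:00", "app_svc", "10.0.1.20", "SQL_ERROR", "deadlock detected"),
]

WORK_START, WORK_END = 8, 18   # assumed business hours, 08:00 to 18:00


def outside_working_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    return hour < WORK_START or hour >= WORK_END


def find_offhours_login_failures(events, threshold=3):
    """Return {(user, ip): count} for principals with at least `threshold`
    failed logins outside business hours."""
    counts = defaultdict(int)
    for ts, user, ip, kind, _ in events:
        if kind == "LOGIN_FAILED" and outside_working_hours(ts):
            counts[(user, ip)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def find_schema_probing(events, threshold=3):
    """Return {(user, ip): count} for principals whose SQL errors reference
    missing tables or columns at least `threshold` times, the pattern the
    notes describe for users unfamiliar with the database structure.
    Other SQL errors (deadlocks, syntax slips) are deliberately ignored."""
    counts = defaultdict(int)
    for _, user, ip, kind, detail in events:
        if kind == "SQL_ERROR" and "not found" in detail:
            counts[(user, ip)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    print("off-hours login failures:", find_offhours_login_failures(SAMPLE_EVENTS))
    print("schema probing:", find_schema_probing(SAMPLE_EVENTS))
```

Both checks key on the (user, client IP) pair rather than the user alone, so a single account used from several hosts shows up as separate findings; a real deployment would tune the thresholds and the working-hours window per server.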
Collector
• Hardware specification
Form factor: 1U rack server
Processor: 4x quad core
Storage: 2x 300GB - RAID-1
• Network configuration
Gigabit network adapter with 4 network interfaces
eth0 port: Management port and S-TAP communication
other ports: Monitoring port for N-TAP/SPAN connection
Network adaptor expansion option for additional N-TAP/SPAN
• Software configuration
Kernel: Hardened Linux kernel (limited command line access)
Storage: Relational database (not directly accessible to users); an option is available for logging to flat files stored on the collector
Interface: Secure web server providing graphical web interface
The central component of the Guardium solution is a network appliance called a collector.
The IBM Security Guardium solution is available as either a hardware or software offering:
• Hardware offering. There are two versions of the hardware configuration:
– The x2000 has dual Intel Xeon E5-2630 v2 6C 2.6GHz 15MB cache processors and a
– The x3000 has dual Intel Xeon E5-2667 v2 8C 3.3GHz 25MB cache processors and a ServeRAID M5200 Series 2GB Flash/RAID 5 upgrade.
Both versions of the hardware offering are based around an IBM x3550 M4 1U form factor rack server and include the following features:
64 GB of RAM
Two 300 GB hard drives
• Software offering. The solution can be delivered as software images to be deployed by the customers on their own hardware either directly or as virtual appliances.
Collector architecture
• Collector receives raw activity data from S-TAP
• Database activity data is parsed and evaluated on the collector
• Inspection Engine applies action based on installed Security Policy
• Logging stored in normalized relational database
• Alerts sent based on notification configuration
• Control signal sent to S-TAP for filtering control and termination actions
[Diagram: the S-TAP on the database server forwards activity (LOGIN USER ..., SELECT ... FROM ..., CREATE TABLE ..., INSERT ..., DELETE ...) to the Collector; the collector's security policy construct maps Inventory data → Log SQL, Sales data → Log full SQL, Sensitive data → Alert, and Unauthorized user → Terminate, producing the actions Log, Alert, and Terminate]
The collector performs the following functions:
• Applies security policies to this evaluated data to determine which actions should be applied
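The slide sketches a security policy as an ordered mapping from what a statement touches (inventory data, sales data, sensitive data) and who issues it (an unauthorized user) to an action (log SQL, log full SQL, alert, terminate). The block below is an added example of that evaluation written for this guide; it is not the collector's Inspection Engine, and the rule model, the table groups, the allow-list of authorized users, the action names and the sample S-TAP records are all constructed assumptions.

```python
"""Added example: an ordered security policy of the kind the slide sketches
(unauthorized user -> terminate, sensitive data -> alert, sales data ->
log full SQL, inventory data -> log SQL) evaluated over constructed
S-TAP records.  Rule model, groups, users and action names are
assumptions for illustration, not Guardium's."""
import re


def _touches(tables):
    """Build a predicate that is true when the SQL names any of `tables`."""
    pattern = re.compile(r"\b(" + "|".join(tables) + r")\b", re.IGNORECASE)
    return lambda rec: bool(pattern.search(rec["sql"]))


# Constructed groups, the rough equivalent of the policy's object groups.
AUTHORIZED_USERS = {"app_svc", "dba1"}
INVENTORY = ["INVENTORY", "STOCK"]
SALES = ["SALES", "ORDERS"]
SENSITIVE = ["CUSTOMER_PII", "CARD_DATA"]

# Rules are evaluated top to bottom; the first match decides the action.
# The most severe check comes first so an unauthorized user is terminated
# even if the statement would otherwise only be logged.
POLICY = [
    ("unauthorized user", lambda r: r["db_user"] not in AUTHORIZED_USERS, "TERMINATE"),
    ("sensitive data", _touches(SENSITIVE), "ALERT"),
    ("sales data", _touches(SALES), "LOG_FULL_SQL"),
    ("inventory data", _touches(INVENTORY), "LOG_SQL"),
]
DEFAULT_ACTION = "LOG_SQL"


def evaluate(record, policy=POLICY):
    """Return (rule_name, action) for the first rule the record matches."""
    for name, predicate, action in policy:
        if predicate(record):
            return name, action
    return "default", DEFAULT_ACTION


# Constructed records as S-TAP might forward them (user, client, statement).
SAMPLE_RECORDS = [
    {"db_user": "app_svc", "client_ip": "10.0.1.20", "sql": "SELECT qty FROM inventory WHERE sku = 'A1'"},
    {"db_user": "dba1", "client_ip": "10.0.1.5", "sql": "INSERT INTO orders (id, total) VALUES (1, 9.99)"},
    {"db_user": "app_svc", "client_ip": "10.0.1.20", "sql": "SELECT ssn FROM customer_pii WHERE id = 7"},
    {"db_user": "guest", "client_ip": "10.0.9.9", "sql": "SELECT * FROM sales"},
]


def actions_for(records):
    """Action decided for each record, in order."""
    return [evaluate(r)[1] for r in records]


if __name__ == "__main__":
    for rec, (rule, action) in zip(SAMPLE_RECORDS, map(evaluate, SAMPLE_RECORDS)):
        print("%-8s %-12s -> %s" % (rec["db_user"], rule, action))
```

Matching on table names in the raw SQL is the simplest possible stand-in for the parsing step the slide describes; the ordering of the rules is the part worth copying, since an alert-before-terminate order would let an unauthorized session keep running while an alert is raised.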
Port mirroring
• Copy of network packets observed on the switch port connected to data server is sent to collector
• Does not impact data server performance
• Requires network switch with port mirroring
Switched Port Analyzer (SPAN)
Roving Analysis Port (RAP)
• Existing switch might not be able to accommodate multiple data servers connected to that switch
• Adds the cost of a network switch with port mirroring feature
• Encrypted and local connections will not be monitored
• Only recommended if network hardware already exists and data server cannot handle any additional software load
[Diagram: database traffic from the data server passes through a network switch; the switch sends mirrored database traffic to the Guardium collector, which also has a collector access connection]
Guardium can use several methods to gather data, including port mirroring, network tapping, and software tapping (S-TAP). While S-TAP has become the primary method of data capture, it is still
When the Guardium solution was first developed, the goal was to provide a completely passive method (that is, zero impact on the database server) to monitor database activity by capturing the
Most modern network switches contain one or two ports, called span ports or mirroring ports, designated to monitor traffic on the switch. These ports can be configured to forward a copy of all traffic to and from a database server to one of the promiscuous ports on the Guardium collector. Guardium receives an exact copy of all database traffic that it can digest and log in its own internal database.
Some disadvantages of port mirroring:
• Local traffic is not captured
• Most switch vendors provide a limited number of SPAN ports
• Network administrators do not want to give up their available span ports
• If spanning several servers, extraneous traffic might be captured
• Encrypted traffic requires key management to be logged
Network tap
• Dedicated network tap hardware sends a copy of data server traffic to the collector (similar to port mirroring)
• Is not dependent on existing network hardware
• Does not impact data server performance
• Adds the cost of the network tap for each data server
• Requires direct connection to the collector
• Data server has to be taken offline for installation
• Encrypted and local connections will not be monitored
• Only recommended if data server has a high load and cannot handle any additional software load
[Diagram: database traffic from the data server passes through a network tap before reaching the network switch; the tap sends mirrored database traffic to the Guardium collector, which also has a collector access connection]
Another common hardware solution is a network tap. The database server’s network cable is connected to the network tap, not directly into the switch. The tap is then connected to the switch and to one or possibly two of the promiscuous ports on the Guardium collector. The network tap acts as a Y connector; all traffic going to and from the database server also goes to the collector.
S-TAP is the recommended data activity monitoring option
• Handles encrypted traffic: SSH/IPSEC, Oracle ASO, SQL Server SSL
• Does not require any changes to database environment
• Installed only once on every system regardless of how many database instances and types are running
• No additional hardware is required and has a lower implementation cost
• Specific traffic can be filtered so that not all traffic is sent to the collector, which reduces the network load significantly
• Has less than 5% performance impact on the data server
[Diagram: the data server’s link to the network switch carries the database traffic plus the mirrored (filtered) database traffic from S-TAP; the switch forwards the mirrored database traffic to the Guardium collector, together with collector access]
local database activity to the collector. Local activity includes users directly accessing the system from a physically attached device, as well as those connecting via SSH (secure shell) or remote desktop.
Initially, S-TAP was meant to complement the hardware solutions. A span port or network tap would be used for network traffic, while S-TAP would be used for monitoring local traffic only. However, S-TAP always included the ability to forward network traffic as well, eliminating the need for a hardware solution.
Because of the ease in using a software solution, as compared to hardware solutions, and the great increases in S-TAP’s efficiency and sophistication, S-TAP has become the primary method of data capture for Guardium customers. Only a small percentage of customers still use span ports or network taps. However, it is still important to understand the hardware options, because S-TAP is basically a software implementation of the span port and network tap solution; S-TAP forwards network packets to the collector for logging.
S-TAP features:
• Lightweight agent running on the data server that forwards traffic, in the form of network packets, to a Guardium collector
• Minimal resource utilization - 3 to 5% CPU, 10 MB memory mapped file
• Encrypted database traffic - handles most forms of database encryption (SSL, ASO, Kerberos, and so on)
• Redundancy - sends traffic to more than one collector
• Failover - provides failover to one or more collectors
• Load balancing - sends traffic across multiple collectors
• Prevention - blocks activity or terminates the connection
• Clusters - supports migrating, floating, unavailable databases
• Encryption - communicates over an encrypted channel to the collector (TLS)
S-TAP architecture
• K-TAP (Kernel Tap)
Kernel module hooks into client/server communication
Monitors DBMS network port
Different modules for versions of Linux/Unix kernels
• A-TAP (Application Tap)
Monitors communication at application level
DB2, Informix, Oracle ASO
Dependent on K-TAP
[Diagram: the data server is shown in three layers, application/user level, kernel level, and network layer; the local application/user, the DBMS, and S-TAP sit at the application/user level, K-TAP at the kernel level hooks the network layer, A-TAP is attached to the DBMS, shared memory connects the taps to S-TAP, and S-TAP sends data over the network to the Collector]
The S-TAP is a user space daemon that collects data from various sources in order to send it to the Guardium system for analysis and logging. It works with two submodules, K-TAP and A-TAP.
The kernel tap (K-TAP) is a kernel module that can intercept all client-server communication. It monitors the database management system network port. There are different versions of K-TAP for different versions of Linux and Unix kernels.
The application tap (A-TAP) module monitors communications on an application level between internal components of the database server. This allows Guardium to capture traffic that can only be tapped at the database server application level. A-TAP uses K-TAP as a proxy to pass data to S-TAP.
Two other, less-important components are Tee and PCAP. Tee is a proxy mechanism that reads and forwards traffic from local clients to a database server. Tee is an alternative to K-TAP. Tee and K-TAP are almost mutually exclusive. Packet Capture, or PCAP, is seldom used on Unix systems,
CAS architecture
• Is a Java module that monitors changes in baseline configuration
Environment variables
Configuration files
Script outputs
• Is an optional component
• Requires Java VM installed
• Does not require S-TAP
[Diagram: on the data server, CAS reads the config file at the application/user level and sends its data to the Collector independently of S-TAP, K-TAP, A-TAP, the DBMS, and shared memory shown alongside it]
Independent of the S-TAP is the Configuration Audit System (CAS) module.
The CAS module is a Java module that monitors configuration information and sends this data to the collector. It enables the CAS functionality, and is not required except for CAS. It does require a Java VM.
Lesson 3 Using aggregation and central management
Lesson: Using aggregation and central management
In this lesson, you learn how Guardium aggregates information from multiple collectors to facilitate a holistic view of data security in the enterprise. You also learn how Guardium centrally manages
Multicollector environment
[Diagram: several collectors, including collectors at remote locations, send data to an Aggregator & Central Manager]
There are limits to the amount of traffic that a single collector can log effectively. Because exceeding this limit can result in a loss of data, in many implementations, multiple collectors are required. The number of required collectors is usually a factor of the number of CPUs on each database server and the type and quantity of traffic to be monitored.
Centralized management and aggregation are required in an environment with multiple collectors. These functions can be combined on a single server, or split onto different servers.
Aggregators
• An aggregator is an appliance dedicated to serve as the central repository of filtered/summarized audit data from multiple collectors
• It has a similar hardware and software configuration as a collector
• Collectors send data to the aggregator on a scheduled basis
• A centralized repository allows for enterprise-wide auditing
• Querying for reports is performed on the aggregator, which relieves collectors from the performance impact of running complex reports
• The aggregator allows collectors to be dedicated to monitoring and policy enforcement tasks
When two or more collectors are used, one or more aggregators are included in the solution. An aggregator is a separate type of appliance. It does not collect traffic directly from database servers. Instead, each collector sends its data to an aggregator on a periodic basis, which is usually nightly. The aggregator then merges the data from all of the collectors into its own internal database. This enables users to view all of the data from multiple collectors in a central location.
• A hardware solution, built around an IBM x3550 server, with similar configuration
• A software solution that clients can install on their own hardware or in a set of virtual machines
Central management supports enterprise-wide control and auditing. The aggregators can perform the querying on the centralized repository, reducing the load on collectors. This enables collectors to dedicate all of their resources to other monitoring and policy enforcement tasks.
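The aggregation cycle described above (each collector ships its data on a schedule, the aggregator merges everything into one database, and reports are run there rather than on the collectors) is illustrated by the following added example. It was written for this guide and is not Guardium's aggregation code: it uses SQLite as a stand-in for the aggregator's internal database, and the export layout, table definition and sample rows are constructed assumptions.

```python
"""Added example: merge scheduled exports from several collectors into one
aggregator database and answer an enterprise-wide question there.
SQLite stands in for the aggregator's internal database; the export
layout, the table and the sample rows are constructed assumptions."""
import sqlite3

# Constructed exports: each collector ships rows of
# (record_id, timestamp, db_user, database server, SQL verb).
COLLECTOR_EXPORTS = {
    "collector-sales-01": [
        (1, "2016-10-03 22:10:00", "jdoe", "sales-db-1", "SELECT"),
        (2, "2016-10-03 22:11:00", "jdoe", "sales-db-1", "DELETE"),
        (3, "2016-10-03 22:12:00", "app_svc", "sales-db-1", "INSERT"),
    ],
    "collector-hr-01": [
        (1, "2016-10-03 23:05:00", "jdoe", "hr-db-1", "SELECT"),
        (2, "2016-10-03 23:06:00", "hr_app", "hr-db-1", "UPDATE"),
    ],
}

INSERT_SQL = "INSERT OR IGNORE INTO activity VALUES (?, ?, ?, ?, ?, ?)"


def build_aggregator(exports):
    """Create an in-memory aggregator database and import every export.

    The primary key (collector, record_id) keeps record ids from different
    collectors apart and makes re-importing the same export a no-op, which
    matters when a scheduled transfer is retried after a failure."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE activity (
        collector TEXT NOT NULL,
        record_id INTEGER NOT NULL,
        ts TEXT, db_user TEXT, server TEXT, verb TEXT,
        PRIMARY KEY (collector, record_id))""")
    for collector, rows in exports.items():
        reimport(conn, collector, rows)
    return conn


def reimport(conn, collector, rows):
    """Import (or re-import) one collector's export; duplicates are ignored."""
    conn.executemany(INSERT_SQL, [(collector,) + row for row in rows])
    conn.commit()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM activity").fetchone()[0]


def users_active_on_multiple_collectors(conn):
    """An enterprise-wide report no single collector could answer on its
    own: which users touched databases monitored by more than one
    collector, and how many collectors saw them."""
    cur = conn.execute("""
        SELECT db_user, COUNT(DISTINCT collector) AS collectors
        FROM activity
        GROUP BY db_user
        HAVING COUNT(DISTINCT collector) > 1
        ORDER BY db_user""")
    return cur.fetchall()


if __name__ == "__main__":
    db = build_aggregator(COLLECTOR_EXPORTS)
    # Simulate a retried nightly transfer from one collector.
    reimport(db, "collector-hr-01", COLLECTOR_EXPORTS["collector-hr-01"])
    print(row_count(db))
    print(users_active_on_multiple_collectors(db))
```

The composite primary key is the detail to notice: record ids are only unique per collector, so the collector name has to be part of the key both to avoid collisions and to make a retried export idempotent.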
• Central patch management
• Centralized policy management - Unified security policy pushed out to all managed collectors
• Centralized users/roles/permissions and groups management
• Centralized report definition and audit process definition
Implementation scenarios
• Dedicated aggregator
• Dedicated Central Manager
• Aggregator and Central Manager
An aggregator can also function as a Central Manager. The Central Manager can also reside on its own server, separate from aggregators and collectors.
• They display the status of S-TAP agents on the managed servers across the enterprise.
• They centralize patch and policy management.
Lesson 4 IBM Guardium hardware and software configurations
Lesson: IBM Guardium hardware and software configurations
In this lesson, you learn how a Guardium environment can be implemented to support small, medium, and large enterprises. This lesson examines several implementation scenarios:
[Diagram: a combined Aggregator and Central Manager manages and aggregates Collector 1, Collector 2, Collector 3, and Collector 4]
[Diagram: an Aggregator manages the collectors for the sales databases (Collector S1, Collector S2, Collector S3) and the human resources databases (Collector H1, Collector H2, Collector H3, Collector H4)]
for all of the managed units, which are collectors and aggregators.
Central Manager
[Diagram: a dedicated Central Manager manages two Aggregators, each of which aggregates its own group of collectors: Collector S1, Collector S2, and Collector S3 for the sales databases, and Collector H1, Collector H2, Collector H3, and Collector H4 for the human resources databases]
functions only.
manual tracking and intervention
• Eliminates the need to perform the following tasks
Manually evaluate the load of managed units before assigning to an S-TAP agent
Define failover managed units as part of a post-installation S-TAP configuration
Manually relocate S-TAP agents to less-loaded managed units
The dynamic load balancer performs load collection periodically, which entails getting a snapshot of the current activity load for all active managed units and storing it in a load map. This load collection does not affect other activity on the Central Manager.
You can specify the load collection using a fixed interval or dynamically. Dynamic collection is the default and recommended setting. With dynamic collection, intervals are determined by the number of managed units. You can plan one additional hour for every ten managed units. Dynamic intervals guarantee a more accurate load map without overloading the Central Manager.
Lesson 5 Integrating IBM Guardium with other tools
Lesson: Integrating IBM Guardium with other tools
In this lesson, you learn how Guardium integrates with other tools.
Integration
• Database servers
• File servers
• FTP servers
• Backup servers
• Email servers
• Other servers
[Diagram: Guardium connected to a database server, a file server (Unix/Linux), an email server, a SIEM, an SNMP server, and LDAP/Active Directory]
Guardium interacts with many other software servers in a corporate environment, including those shown in the following list:
• Database servers
– Enterprise Data Correlation; Guardium can upload data from external databases and integrate it into its internal database
• Email servers
• Security information and event management (SIEM) servers such as IBM QRadar
• SNMP servers
IBM Guardium can be integrated with IBM InfoSphere BigInsights to monitor Hadoop environments. IBM InfoSphere BigInsights includes an integrated capability called the Guardium Proxy to read and send log messages to InfoSphere Guardium for analysis and reporting. With the proxy, BigInsights sends messages from Hadoop logs to the InfoSphere Guardium collector.
Unit summary
• Describe the basic architectural components of IBM Guardium implementation
• Identify the methods Guardium uses to capture database traffic
• Describe the functions of aggregation and central management
• Identify Guardium hardware and software configurations for various environments
• List the tools that can integrate with Guardium
IBM Guardium: User interface
The IBM® Guardium® V10 release has many new features and enhancements. This updated version provides a new and intuitive interface, making it very easy to navigate. The updated menu includes a Guardium security lifecycle view, making navigation options easy to understand and use.
The new UI can be customized based upon the tools you need most. This new release allows you to create and use dashboards to organize and manage your reports.
The configuration and control commands cover a large number of configuration settings within the Guardium appliance. In this unit, you learn to navigate the Guardium interface, customize dashboards, and use the search feature. You also learn to use the command line interface (CLI) to perform basic system functions.
References:
Unit objectives
• Navigate the Guardium control center
• Use the command line interface to update system parameters
Lesson 1 Navigating the user interface
Lesson: Navigating the user interface
In this lesson, you learn how to navigate and configure the Guardium control center web-based user interface.
user experience focuses on guiding the user through key end-to-end processes such as discovering sensitive data.
The Guardium V10 control center optimizes the Guardium experience through the following features:
• Operational dashboard
• New user interface
• Drill-down capabilities
• Streamlined processes, including quick navigation
Top banner
[Screenshot: the top banner, showing the control that shows or hides the left navigation menu, the Notifications, Tasks, and Help icons, the search bar, and the user pull-down menu]
The top banner has the following features:
• Search bar: Allows search of data activity, file activity, and user interface objects and resources
• User pull-down menu: Allows customization of user interface, editing of account information, and signout
Uempty
Navigation menu
e
ut
Navigation menu with Navigation menu with
icons and labels icons only
ib
tr
is
D
IBM Guardium: User interface
Navigation menu
or © Copyright IBM Corporation 2016
e
The navigation menu groups objects and resources by function. You can display this menu with or
without labels by clicking the >> or << icon on top of the navigation menu.
at
Many resources are available through more than one path. As an example, you can access a
ic
resource called the Group Builder by going to Setup > Tools and Views > Group Builder or
Protect > Security Policies > Group Builder.
l
up
You can create new groups in the navigation menu, and add items to these new groups.
D
ot
N
o
D
Uempty
Search bar
e
ut
ib
tr
is
D
IBM Guardium: User interface
Search bar
or © Copyright IBM Corporation 2016
e
The Guardium interface top banner contains a search field. You can use the search field to search
within three separate contexts:
at
• Data: This context opens a window that lists database activity, errors, and policy violations.
ic
• File: This context opens a window that lists file activities, errors, policy violations, and
entitlements.
l
up
• User Interface: As you enter terms, Guardium resources and objects appear as options. In the
example above, typing report returns a list of reports and where in the navigation menu you
can find the reports.
D
In the Data and File contexts, leave the search box blank to get all audit data, or specify terms to
narrow the entries returned. As an example, if searching with the File context, entering csv returns
ot
files that contain that term in their name. In the new window, you can add filters to the results by
using either of these methods:
N
• Clicking a value in the results area or from one of the facets to the left of the audit results
• Entering search terms manually in the search field that appears in the new window
o
D
Uempty
Guided processes
e
ut
ib
tr
is
D
IBM Guardium: User interface
Guided processes
or © Copyright IBM Corporation 2016
e
Guardium V10 eases tasks by providing guided processes. These processes list the steps required
to complete a task. You can complete each step in or out of sequence.
at
In the example above, the user has completed the first step, providing a name to the rule, and is in
ic
the middle of the second step, defining the rule criteria. After defining the rule criteria, the user
would click Next to go to the final step, which is specifying which actions to be taken when the
l
criteria is met. At any time, the user can go back to a previous step to edit the information included
up
in that step. As an example, the user could click Edit on the Rule Definition step to change the
name of the rule.
D
ot
N
o
D
Uempty
Report dashboard
e
ut
ib
tr
is
D
IBM Guardium: User interface
Report dashboard
or © Copyright IBM Corporation 2016
e
Viewing reports is an important part of monitoring data security. You can use Guardium to create
multiple dashboards to contain reports. Each dashboard contains one or more reports, and the
at
same report can appear on more than dashboard. You can use the Customize option on the user
pull-down menu on the top banner to set a dashboard to appear as the home page of the Guardium
ic
interface.
l
up
D
ot
N
o
D
Uempty
Exercise introduction
Complete the following exercise in the Course Exercises book
• Exploring the IBM Guardium interface
e
ut
ib
tr
is
D
IBM Guardium: User interface
Exercise information
or © Copyright IBM Corporation 2016
e
Perform the exercise for this lesson.
at
Uempty
Lesson 2 Using the command line interface (CLI)
Lesson: Using the command line interface (CLI)
In this lesson, you learn how to use the command line interface to perform Guardium management functions.
Uempty
CLI overview
The CLI commands are arranged in nine different categories
1. Network configuration commands
2. Aggregator commands
e
3. Alerter configuration commands
ut
4. Configuration and control commands
5. File-handling commands
ib
6. Diagnostic commands
7. Inspection engine commands
tr
8. User account, password, and authentication commands
is
9. Certificate commands
D
IBM Guardium: User interface
CLI overview
or © Copyright IBM Corporation 2016
e
The CLI commands are grouped into nine different categories.
at
• Network configuration
• Aggregation configuration
ic
• Alerter configuration
l
• File handling
• Diagnostics
D
Uempty
CLI users
• Default user accounts
cli
guardcli1 through guardcli5
• cli logs on directly
• Using guardcli1 through guardcli5 requires a second Guardium user ID, entered with the set guiuser command
[Screenshot: set guiuser example]
Access to the CLI and its commands is limited to a small group of Guardium users. The main administrator for the Guardium appliance utilizes the cli user ID. Additionally, Guardium includes five other user accounts, guardcli1, guardcli2, guardcli3, guardcli4, and guardcli5, which can be assigned to different users. These additional accounts provide for separate
Logging on to the CLI as the main administrative user cli requires only the appropriate password. Logging on to the CLI as one of the additional CLI accounts requires the appropriate password AND an additional user ID and password. Enter the additional user ID and password using the set guiuser command.
As an example, follow these steps to use one of the additional CLI user IDs:
2. Issue the set guiuser command, passing in a second Guardium user ID and password.
The second Guardium user ID must have either admin or cli as one of its roles to be able to use
Password Validation
– Minimum of eight characters in length
– Contain at least one character from three of the following four classes
• Any uppercase letter
• Any lowercase letter
• Any numeric (0,1,2,...)
• Any nonalphanumeric (special) character
• CLI users cannot be authenticated through LDAP
• The CLI user must either log in locally or log in manually with a secure network protocol such as SSH
guardcli5).
• An expiration period for CLI passwords is enforced by the system. The default expiration period is 90 days. When a password expires, a required change of password will be invoked during the
CLI users cannot be authenticated through LDAP because these are considered administrative accounts that should be able to log in regardless of connectivity to an LDAP server.
As mentioned earlier, the special CLI accounts guardcli1 through guardcli5 require use of an additional user ID. The CLI audit trail will show the CLI account (CLI_USER) and the additional account (GUI_USER) in all entries generated for the user.
You log in to one of the CLI accounts through a secure connection. If you have physical access to the Guardium appliance, you can log in through the system console or through a terminal connected through the serial port. You can also log in through a secure connection using an ssh (secure shell) client such as PuTTY or SecureCRT.
• Commands and keywords are not case sensitive, but element names are
• Quotation marks are used around words or phrases to precisely define search terms
• You can save typing if you enter only enough characters to differentiate the command from other commands. As an example, show system hostname can be abbreviated to sh sys host. This is useful with frequently used commands, but should not be used when writing scripts, because the abbreviations would be confusing to those maintaining the scripts.
• Most Guardium CLI commands consist of one of a few possible command words followed by one or more arguments. With practice, you will learn most of the common command words and arguments, as well as which abbreviations work for those command words and arguments.
• Commands and keywords are not case sensitive. SHOW works the same as show. Element names are case sensitive.
• You might need to include spaces in search terms. In this case, use quotation marks around the phrase.
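The abbreviation rule above (enough characters to differentiate the command from other commands, case-insensitive keywords, case-sensitive element names) is a unique-prefix match applied word by word. The block below is an added example of that resolution written for this guide; it is not the Guardium CLI's parser, and the command table is a small constructed subset used only to show how "sh sys host" expands and how an ambiguous prefix is rejected.

```python
"""Added example: resolve abbreviated CLI commands such as 'sh sys host'
by unique-prefix matching, keyword by keyword, and reject ambiguous or
unknown abbreviations.  The command table is a constructed subset for
illustration, not Guardium's full command set."""

# Constructed command table: each command is a tuple of keywords.
COMMANDS = [
    ("show", "system", "hostname"),
    ("show", "system", "uptime"),
    ("show", "network", "interface", "all"),
    ("store", "system", "hostname"),
    ("restart", "system"),
    ("ping",),
]


class AmbiguousCommand(ValueError):
    """A prefix matched more than one keyword at the same position."""


class NoSuchCommand(ValueError):
    """The words typed do not spell out a complete known command."""


def resolve(typed, commands=COMMANDS):
    """Expand an abbreviated command line to its full form.

    Keywords are matched case-insensitively by prefix, one position at a
    time, narrowing the candidate commands as we go.  Words left over after
    the command is complete are element names or arguments and are kept
    verbatim, because the notes say those are case sensitive."""
    words = typed.split()
    candidates = list(commands)
    resolved = []
    for i, word in enumerate(words):
        matches = [c for c in candidates
                   if len(c) > i and c[i].lower().startswith(word.lower())]
        if not matches:
            break  # the rest of the line is arguments, not keywords
        keywords = {c[i].lower() for c in matches}
        if len(keywords) > 1:
            raise AmbiguousCommand("%r matches %s" % (word, sorted(keywords)))
        resolved.append(keywords.pop())
        candidates = matches
    # A command is complete only if some candidate has exactly the resolved
    # keywords; 'sh sys' alone, for example, is a prefix, not a command.
    if not any(len(c) == len(resolved) for c in candidates) or not resolved:
        raise NoSuchCommand(typed)
    return " ".join(resolved + words[len(resolved):])


if __name__ == "__main__":
    for line in ("sh sys host", "SHOW Net int all", "sh sys host db-collector-01"):
        print("%-30s -> %s" % (line, resolve(line)))
    for line in ("s sys host", "sh sys"):
        try:
            resolve(line)
        except ValueError as exc:
            print("%-30s -> %s: %s" % (line, type(exc).__name__, exc))
```

The ambiguity check is the reason the notes discourage abbreviations in scripts: "s" is enough today while "show" and "store" are the only candidates, but a future command beginning with the same letters changes what the script does.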
Uempty
Listing commands
To generate a list of all available commands for a given
topic, type command (or comm) plus a keyword or part of
a keyword
For example, comm file returns all file-handling
e
commands
ut
ib
tr
is
D
IBM Guardium: User interface
Listing commands
or © Copyright IBM Corporation 2016
e
To generate a list of all available commands for a given category, type command or comm, plus a
keyword or part of a keyword at the command prompt. As an example, comm agg returns all
at
aggregation related commands, comm net returns all network related commands, and comm file
returns all file-handling commands.
l ic
up
D
ot
N
o
D
command
agg list ?
supp show ?
show ?
An alternate method of getting all possible arguments for a command is to enter the first word or words of the command at the command prompt. These examples are also valid commands:
agg list
supp show
show
argument
• Identify a connector on the back of the appliance
• Reset networking after installing or moving a network card
• Set IP addresses
• Enable or disable high-availability
• Configure the network card if the switch it attaches to will not autonegotiate the settings
After the configuration has been completed, you must issue a restart system command.
After the system has rebooted, you can confirm connectivity with the following commands:
ping <default_router_ip>
ping <resolver_1_ip>
Aggregator commands
Use the aggregator CLI commands to accomplish the following tasks
• Back up the shared secret keys file to a specified location
• Define the amount of collector data that the aggregator UI will work with
• Set the system-shared secret key to null
• Start or stop writing debug information related to aggregator activities
• Move or rename failed import files
Aggregation is the process by which export files are sent from each collector to an aggregator, where the data from all of the collectors is merged and stored in a single database. This provides a
e
• Specify that the alerter will be started automatically when the system is rebooted
• Set the polling interval for the alerter
• Set the alerter’s SMTP authentication password
• Set the alerter’s SMTP email authentication username
• Correlation alerts that have been queued by the Anomaly Detection subsystem
The alerter subsystem can be configured to send messages to both SMTP and SNMP servers. Alerts can also be sent to syslog or custom alerting classes, but no special configuration is required for those two options beyond starting the alerter.
The Alerter can also be configured in the control center under Setup > Tools and Views > Alerter.
• Check the installed licenses
• Ping remote systems
• Restart the GUI interface
• Reboot the Guardium appliance
• Set the user timeout value
File-handling commands
Use the file-handling CLI commands to accomplish the following tasks
• Back up and restore configuration information
• Back up and restore the Guardium database
• Back up and restore profile information
• Export and import audit data
• Display exported audit data files
You use the file-handling commands to work with the Guardium files, including the configuration files, the database files, the profiles, and auditing files.
Diagnostic commands
• The diag command opens a menu-driven window that you use to perform a number of diagnostic functions
• You do not perform any functions with the diag command on a regular basis
• Generally, you use this command only as directed by technical support
Use the diagnostic commands only under the direction of Technical Support.
• List inspection engines
• Stop and restart an inspection engine
• Compiles parse trees that identify sentences, requests, commands, objects, and fields
will be disabled
• Define when a password must be changed
• Lock out users after failed login attempts
• Enable and disable password validation
Certificate commands
Use the certificate CLI commands to accomplish the following tasks
• Create a certificate signing request (CSR)
• Store a certificate authority (CA) or intermediate trusted path certificate on the Guardium appliance
• Store a server certificate on the Guardium appliance
• Create a CSR in PEM format
You use the certificate commands to create certificate signing requests (CSRs) and to install server, certificate authority (CA), or trusted path certificates on the Guardium appliance.
Note: Guardium does not provide CA services and will not ship systems with certificates that differ from the one installed by default. Customers who want their own certificate must contact a
GuardAPI
• GuardAPI is a set of CLI commands that provide access to Guardium functionality from the command line
– Allows for the automation or scripting of repetitive tasks
• GuardAPI covers the following functions
– CAS
– Catalog Entry
– Datasource
– Datasource Reference
– Group
– Role
– S-TAP
– Process control
GuardAPI commands provide access to Guardium functionality from the command line or from scripted files. This allows for the automation of repetitive tasks, which is especially valuable in larger implementations. Calling these GuardAPI functions enables a user to quickly perform operations such as creating datasources, maintaining user hierarchies, or maintaining Guardium
Exercise introduction
Complete the following exercise in the Course Exercises book
• Using the Guardium Command Line Interface
Use the following link to view a demonstration of this exercise:
Unit summary
• Navigate the Guardium control center
• Use the command line interface to update system parameters
IBM Guardium: Access management
You can apply IBM Guardium to the individuals who are responsible for performing data security functions, and use the built-in user roles, including admin and accessmgr, to assign roles to new users and to delete them. In this unit, you learn to use the Access Manager interface to
Unit objectives
• Create new users
• Assign roles to new users
Lesson 1 User management
Data security includes many functions. In an enterprise, these functions are delegated to individuals or teams. Generally, any individual involved with data security is responsible for performing a set of different functions, some of which might be related. Individuals performing data security functions are represented by Guardium users. The sets of functionality are represented by roles. Users are mapped to one or more roles. This lesson describes how to manage users and roles in Guardium.
accessmgr characteristics
• Is a built-in user
• Is automatically in the access management role
• Cannot be deleted
• Can create and maintain user accounts and roles
• Provides for separation of duties
© Copyright IBM Corporation 2011, 2013
Guardium has several built-in users, including admin and accessmgr. The accessmgr role is for use by the access manager. The access manager’s primary functions are to create and maintain user
Access management functions, such as creating users and changing passwords, are performed by users in the access management role. The accessmgr user is automatically part of the access management role. Other users can include the access management role as well.
The admin user is not automatically part of the access management role. This allows for the separation of system duties between the administrator (admin) and the access manager (accessmgr). Users cannot have both the access and admin roles assigned to them.
applications
– User & Role Reports: Reports that show how many roles a user is associated with
– User Hierarchy
– User-DB Association
Access management is described in this module. Data Security is an advanced topic and is not
• User Browser
User Browser
Use the User Browser link to create, modify, and delete Guardium user accounts
The user browser function creates, modifies, and deletes Guardium user accounts. Anyone in the access management role has access to this panel, and can work with users. The panel has options to filter and search users, add users, edit users, change a user’s roles, and delete users.
Note: You cannot delete the privileged users accessmgr and admin.
Adding a user
Each new user requires a user name, password, first name, last name, and email address.
You can enable or disable users. Clear the Disabled check box to have the user become immediately active.
Guardium adds all newly created users to the user role by default. You can add additional roles
Editing a user
• Use the Edit link to update an existing user
• You can change any attribute except the user name
You can modify all of an existing user’s settings except the Username.
To modify an existing user, select the user browser and then click Edit next to the user to be modified. If the list of users is too long, you can narrow it down by using a filter, which includes a filter string and the field it applies to, such as Username or Email address.
• The user does not become a member of any role that is not selected
user role.
You assign the cli role to users who will execute commands through the command line interface (CLI) by means of the set guiuser <gui_user> command. You must run this command when logging on through the CLI with one of the default CLI accounts, guardcli1 through guardcli5, before any Guardium API commands will work. This authentication prevents users with limited roles in the
Deleting users
• Use the Delete link to delete a Guardium user account
• Required users cannot be deleted, and the Delete link will not show next to their entry
You can delete users by using the Delete link. You cannot delete required users, such as admin and accessmgr. These users do not display the Delete link.
All objects owned by a user, such as queries and policies, are reassigned to the admin user when
Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating Guardium users
Perform the exercise for this lesson.
Lesson 2 Role management
You must control which functions individual users have access to. Sets of functionality are called roles, and are linked with users. Roles also define the look of a user’s GUI when the user logs in to Guardium. You have already seen how the accessmgr user’s GUI appears different from the admin user’s GUI. In this lesson, you learn how to create new roles, configure the default layout for a role,
Note: You must associate a user with at least one role. You can associate a role with more than one user.
User roles
You use security roles to grant access to the following resources:
assessments
By default, when a resource is initially defined, only the user who defined the resource and the
You can give other users access to these resources by assigning security roles. For example, if you assign a security role named DBA to an audit process, all users assigned the DBA role can access that audit process.
Many roles are configured by default. Others can be added through the Role Browser tool. There are several predefined, default roles that you cannot delete. The following list shows some of these default roles:
• user: Provides the default layout and access for all common users.
• admin: Provides the default layout and access for Guardium administrators.
• accessmgr: Provides the default layout and access for the access manager.
• cli: Provides access to the CLI. The admin user has default access to the CLI, but other users must have this role added explicitly.
• diag: See the “diag CLI Command” topic in the online help for information about managing the diag role.
• inv: Provides the default layout and access for investigation users.
• datasec-exempt: Activated when Data level security is enabled. If the user has this role, a Show-all check box will appear in all reports.
• review-only: Allows users specified by this role to only view results (Audit, Assessment, Classifier) Audit Results and the To Do List.
Note: A user must belong to at least one of these roles: user, admin, or accessmgr. A user cannot belong to both the admin and accessmgr roles.
The following sample roles are also provided when you install Guardium, but you can delete them if you need to:
• dba: Provides access for users who have a database-centric view of security.
• infosec: Provides access for users who have an information security focus.
• netadm: Provides access for users who have a network-centric view.
• appdev: Provides access for application developers, architects, and QA personnel who have an application-centric focus.
• audit: Provides access for auditors and others who need to view audit reports.
• audit-delete: Role used to track or log when an audit process result has been deleted.
• admin-console-only: This role can only access the admin console tab.
Accelerator and module-based roles are available if the system license includes the associated software function:
Securitization Framework around financial information and estimate the associated operational risk. Cannot be deleted.
real-time alerts, and audit reports that are specifically tailored to the challenges of identity theft and based on industry best practices. Cannot be deleted.
You can create a new role or copy an existing role
Navigation pane. Additional custom folders can be created in the navigation menu as well.
to the Accessible applications list. You can filter to find specific applications.
• User - Role: Lists all users with the number of roles each belongs to. You can drill down to list the actual roles. Double-click any user and choose Record Details to drill down. The report might not show dormant users who have not logged in since the start date of the report.
• All Roles - User: Lists all roles with the number of users belonging to each role. You view actual users by drilling down into the report. Double-click any role and choose Record Details to drill down.
Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating Guardium roles
Perform the exercise for this lesson.
Unit summary
• Create new users
• Assign roles to new users
IBM Guardium: System view and data management
You use the version 10 IBM Guardium interface to perform system administration tasks. This unit teaches you to manage, configure, and monitor the system. In addition to viewing the system, this unit teaches you to manage and archive data. Finally, this unit showcases crucial methods to archive, perform system backup, and use the catalog archive function to prevent running out of disk space, and to allow recovery from a loss of the Guardium system.
Unit objectives
• Use the Administration Console to perform basic IBM Guardium system configuration
• Manage IBM Guardium system data
Lesson 1 System view and configuration
The new IBM Guardium user interface makes it easier to access components for performing system administration. This lesson teaches you how to manage the system by using the system configuration dialog to configure system information. This lesson provides information about how to use the command line interface to configure settings. You also learn to use the dashboard to view
through the GUI are grouped under the Setup and Manage options in the navigation menu.
• Central Management
• Custom Classes
• Reports
• System View
• Activity Monitoring
• Data Management
• Module Installation
• Unit Utilization
• Maintenance
• Reports
System configuration
You can find the system configuration dialog at Setup > Tools and Views > System. You use the system configuration dialog to configure system information regarding security and networking.
The Unique global identifier is used for collation and aggregation of data. The default value is a unique value derived from the MAC address of the machine. It is strongly recommended that you do not change this value after the system begins monitoring operations.
The System Shared Secret is used for archive, export, and restore operations, and for central management and aggregation operations. In a multiaggregator system, its value must be the same for all units that will communicate with it. This value is null at installation time, and can change over time.
• When secure connections are being established between a Central Manager and a managed unit
• When an aggregated unit signs and encrypts data for export to the aggregator
Depending on your company’s security practices, you might be required to change the system shared secret from time to time. Because the shared secret can change, each system maintains a shared secret keys file, containing a historical record of all shared secrets defined on that system.
Having this record allows an exported, or archived, file from a system with an older shared secret to be imported, or restored, by a system on which that same shared secret has been replaced with a newer one.
Note: When used, be sure to save the shared secret value in a safe location. If you lose the value, you will not be able to access archived data.
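The shared secret keys file idea, worked as an added example that is not Guardium's code: a store keeps every secret ever set, so an archive signed under an older secret still imports after the secret has been rotated, and cannot be imported by a unit that never held that secret. The PBKDF2 key derivation, the HMAC tag and the archive layout are assumptions made for the illustration; only the signing side of "signs and encrypts" is modelled.

```python
"""Model of the shared secret keys file: a history of every secret a system has used.

Added example, not Guardium code. The page does not describe Guardium's file
format or cryptography, so this models only the authentication side (an HMAC
tag over the exported data) with a key derived from the shared secret via
PBKDF2; the KDF, tag format and archive layout are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


class SharedSecretStore:
    """Ordered history of shared secrets; the newest entry is the current one."""

    def __init__(self) -> None:
        self._secrets: List[bytes] = []

    @property
    def current(self) -> bytes:
        # Null at installation time: nothing can be signed until a secret is set.
        if not self._secrets:
            raise RuntimeError("system shared secret is null; set one first")
        return self._secrets[-1]

    def set_secret(self, secret: bytes) -> None:
        """Install a new secret while keeping the old ones in the history."""
        self._secrets.append(secret)

    def history(self) -> List[bytes]:
        # Newest first: the current secret is the most likely match on import.
        return list(reversed(self._secrets))

    def backup(self) -> List[bytes]:
        """Copy of the keys file, as backing up the shared secret keys file would give."""
        return list(self._secrets)

    @classmethod
    def restore(cls, saved: List[bytes]) -> "SharedSecretStore":
        store = cls()
        store._secrets = list(saved)
        return store


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """Per-archive key from the shared secret (PBKDF2-HMAC-SHA256, an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 20_000)


def export_archive(store: SharedSecretStore, payload: bytes) -> Dict[str, str]:
    """Sign the export with the current secret; the salt travels with the archive."""
    salt = os.urandom(16)
    tag = hmac.new(derive_key(store.current, salt), payload, "sha256").hexdigest()
    return {"salt": salt.hex(), "tag": tag, "payload": payload.hex()}


def import_archive(store: SharedSecretStore, archive: Dict[str, str]) -> Optional[bytes]:
    """Return the payload if any secret in the history authenticates it, else None."""
    salt = bytes.fromhex(archive["salt"])
    payload = bytes.fromhex(archive["payload"])
    for secret in store.history():
        expected = hmac.new(derive_key(secret, salt), payload, "sha256").hexdigest()
        if hmac.compare_digest(expected, archive["tag"]):
            return payload
    return None
```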
Licensing information is displayed, but cannot be modified in this panel. You use the command line interface (CLI) to modify licensing information.
The hostname, network address, secondary management interface, and routing settings are displayed, but are not configurable in this panel. The command line interface is used to configure these settings. Use the following commands to change these settings:
• Hostname: store system hostname <value>
• Network address: store network interface ip <ip address>
• Secondary management interface: store network interface secondary [on <NIC> <ip> <mask> <gateway> | off ]
Additional networking commands are available at the Guardium knowledge center.
The remaining fields allow you to change the DNS resolvers used by the Guardium system.
System Monitor
To find the System Monitor dashboard, navigate to Manage > System View > System Monitor. The dashboard contains the following reports about aspects of system performance:
• DB Utilization: Shows how much of the Guardium database is in use. This database is the one
• Request Rate: Shows a chart highlighting the number of SQL requests logged over a period of time.
maintains a list of all modules for each instance of S-TAP agent. That is, a monitored system might have multiple modules for various databases, as well as for file access monitoring.
IP-to-Hostname Aliasing
• This feature accesses the DNS server to define hostname aliases for client and server IP addresses
• When IP-to-Hostname Aliasing is enabled, alias names replace IPs within Guardium
• Select Update Existing Hostname Aliases to update a previously defined alias
Defines a schedule for running this task
To find the IP-to-Hostname Aliasing function, navigate to Protect > Database Intrusion Detection > IP-to-Hostname Aliasing. This function accesses the Domain Name System (DNS) server to define hostname aliases. When IP-to-hostname aliasing is enabled, alias names replace IPs within Guardium where appropriate.
Select Generate Hostname Aliases for Client and Server IPs (when available) to enable hostname aliasing.
Select Update existing Hostname Aliases if rediscovered to update a previously defined alias that does not match the current DNS hostname, which usually indicates that the hostname for that IP address has changed. You might not want to do this if you have assigned some aliases manually.
As an example, assume that the DNS hostname for a given IP address is dbserver204.ibm.com, but that server is commonly known as the QA Sybase Server. If QA Sybase Server has been defined manually as an alias for that IP address, and Update existing Hostname Aliases if rediscovered is selected, that alias will be overwritten by the DNS hostname.
• Click the Run Once Now button to generate the aliases immediately.
• Click the Define Schedule button to define a schedule for running this task.
command to the agent
Inspection engines
Inspection engines monitor the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol, such as DB2 or Informix. Each inspection engine monitors traffic between one or more client and server IP addresses. In an inspection engine definition, these are defined using an IP address and a mask.
The inspection engine extracts SQL from network packets, then parses the SQL commands to identify sentences, requests, commands, objects, and fields. The engine then logs detailed
The slide shows examples of inspection engines that are configured for various databases. Normally, the collector has an inspection engine for each instance of a database on a given database server.
Inspection engines run on the collector, but can also be defined on S-TAP agents.
Parameters to be applied to all inspection engines on a collector
Option to add new inspection engines
The applied changes do not take effect until the inspection engines are restarted. After applying inspection engine configuration changes, click the Restart button to stop and restart the system.
You can also add new inspection engines. You must define the following fields:
The choices are Cassandra, CouchDB, DB2, DB2 Exit, exclude IE, FTP, GreenPlumDB, Hadoop, HTTP, ISERIES, Informix, KERBEROS, MongoDB, MS SQL, Mysql, Named Pipes, Netezza, Oracle, PostgreSQL, SAP Hana, Sybase, Teradata, or Windows File Share.
status. Green indicates an inspection engine has been configured and is running for the S-TAP.
Note: Several other reports also provide information about S-TAP status.
To find reports on module status, navigate to Manage > Reports > Install Management > GIM Installed Modules.
Alerter
• Enables use of email, SNMP traps, and alert-related Syslog messages
• SMTP options allow email notifications
• SNMP options enable SNMP traps to be sent
The alerter manages email messages, SNMP traps, and alert-related Syslog messages.
No email messages, SNMP traps, or alert-related Syslog messages are sent until the Alerter is configured and activated. Other components create and queue messages for the alerter. The alerter checks for and sends messages based on the polling interval that has been configured for it.
The alerter configuration panel is available at Setup > Tools and Views > Alerter and contains the following settings:
• Active on startup: If selected, the alerter will be activated automatically every time the appliance restarts.
• Polling: Sets the frequency that the Alerter checks for and sends messages. The polling interval is measured in seconds. You typically leave this setting at the default frequency, which is every 60 seconds.
• SMTP: The SMTP section is used to configure the Alerter to send SMTP (email) messages. You can configure the SMTP connections as follows:
– IP Address/Host Name: Enter the IP address or hostname for the SMTP gateway.
– Port: Enter the SMTP port number, which is usually set to port 25.
– Test Connection: Verifies the SMTP address and port. This only tests that access to the specified host and port is available. It does not verify that this is a working SMTP server.
– User Name: Enter a valid user name for your mail server, if your SMTP server uses authentication.
– Password: Enter the password for the above user if your SMTP server uses authentication.
– Return E-mail Address: Enter the return address for email sent by the system; this address is usually an administrative account that is checked often.
– Authentication Method: Use Auth if your SMTP server uses authentication; otherwise, use None. When Auth is selected, specify the user name and password to be used for authentication.
• The SNMP section of the configuration pane is used to configure the Alerter to send SNMP traps. You configure the SNMP connections as follows:
– IP Address: Enter the IP address/hostname where the SNMP trap will be sent.
– Test Connection (Optional): Verifies the SNMP address and port (22). This only tests that access to the specified host and port is available. It does not verify that this is a working SNMP server.
– “Trap” Community: Enter the community name for the trap. Retype the community name in the Retype Community box.
Click Apply to save the configuration.
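The Test Connection caveat above, shown in code as an added example that is not Guardium's: a TCP-level check of the kind the panel performs passes against any host that accepts the connection, while a check that waits for the SMTP 220 banner and a 250 reply to EHLO does not. The two loopback listeners, the hostnames and the port choice are constructed for the illustration.

```python
"""Why a passing 'Test Connection' does not prove the SMTP gateway works.

Added example, not Guardium code. Two constructed loopback listeners stand in
for an SMTP gateway: one only accepts the TCP connection (as a firewall or an
unrelated service on port 25 would), the other sends a 220 banner and answers
EHLO. port_is_reachable() mirrors what the panel's test proves; smtp_greets()
is the stronger check an administrator can run from another host.
"""
import socket
import threading
from typing import Tuple


def port_is_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """All a TCP-level test proves: something accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smtp_greets(host: str, port: int, timeout: float = 2.0) -> bool:
    """Require an SMTP 220 banner and a 250 reply to EHLO, not just an open port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if not sock.recv(512).startswith(b"220"):
                return False
            sock.sendall(b"EHLO alerter.example.test\r\n")
            reply = sock.recv(512)
            sock.sendall(b"QUIT\r\n")
            return reply.startswith(b"250")
    except OSError:
        return False


def check_gateway(host: str, port: int) -> Tuple[bool, bool]:
    """(tcp_reachable, smtp_ok): the first can be True while the second is False."""
    return port_is_reachable(host, port), smtp_greets(host, port)


def start_fake_gateway(speaks_smtp: bool, connections: int = 2) -> Tuple[str, int]:
    """Constructed loopback listener that serves a fixed number of connections.

    speaks_smtp=False models a host that accepts the connection and closes it
    without ever speaking SMTP; speaks_smtp=True models a minimal SMTP server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)

    def serve() -> None:
        for _ in range(connections):
            conn, _ = srv.accept()
            conn.settimeout(2.0)
            with conn:
                if not speaks_smtp:
                    continue  # silent close: port open, but no SMTP
                try:
                    conn.sendall(b"220 mail.example.test ESMTP (constructed)\r\n")
                    if conn.recv(512).upper().startswith(b"EHLO"):
                        conn.sendall(b"250 mail.example.test\r\n")
                    conn.recv(512)  # QUIT; no reply needed for the check
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1", srv.getsockname()[1]
```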
Alerts
• Alerts provide immediate notification of events, based on queries of logged data
• There is a set of predefined alerts
• You can also define your own alerts
Anomaly Detection
• Defines which alerts are enabled
• Alerts are defined in policies
• Options include the examples
– Active on startup
– Polling Interval
Alerts are triggered in two ways:
• Correlation alerts are triggered by a query that looks back over a specified time period to determine if the alert threshold has been met, for example, an excessive number of failed logins
component runs the security policy as it collects and analyzes database traffic in real time.
Regardless of how it is triggered, alert information is logged in the Guardium internal database.
The Guardium Anomaly Detection Engine runs correlation queries on a scheduled basis. By default, correlation alerts do not log policy violations, but they can be configured to do that. To display the anomaly detection configuration panel, navigate to Setup > Tools and Views > Anomaly Detection.
In a multicollector environment, the Anomaly Detection panel is used to turn off correlation alerts that are not appropriate for a particular appliance. Correlation alerts are defined on the Central
To disable an alert, select it from the Active Alerts list, and click the arrow to move it to the Locally Disabled Alerts list.
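The failed-login correlation alert described above, worked as an added example that is not Guardium's code: one query counts FAILED logins per database, user and source address inside the look-back window and fires when the threshold is reached. The login records and their line format are constructed for the example, so a burst that lies outside the window is visibly ignored while one inside it alerts.

```python
"""Correlation alert: excessive failed logins within a look-back window.

Added example, not Guardium code. The Anomaly Detection Engine runs its
correlation queries against the internal database on a schedule; here the
same logic runs over constructed login records (the line format is invented
for this example) so the window and threshold behaviour can be tested offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: an early burst of failures and a later one, plus successes.
SAMPLE_LOG = """\
2016-10-03 07:05:00 db=DB2P user=dba1 src=10.2.0.9 login=FAILED
2016-10-03 07:06:00 db=DB2P user=dba1 src=10.2.0.9 login=FAILED
2016-10-03 07:07:00 db=DB2P user=dba1 src=10.2.0.9 login=FAILED
2016-10-03 07:08:00 db=DB2P user=dba1 src=10.2.0.9 login=FAILED
2016-10-03 07:09:00 db=DB2P user=dba1 src=10.2.0.9 login=FAILED
2016-10-03 09:00:12 db=ORCL user=app_user src=10.1.1.5 login=OK
2016-10-03 09:40:01 db=ORCL user=sys src=10.1.1.77 login=FAILED
2016-10-03 09:41:10 db=ORCL user=sys src=10.1.1.77 login=FAILED
2016-10-03 09:42:30 db=ORCL user=sys src=10.1.1.77 login=FAILED
2016-10-03 09:43:05 db=ORCL user=sys src=10.1.1.77 login=FAILED
2016-10-03 09:44:50 db=ORCL user=sys src=10.1.1.77 login=FAILED
2016-10-03 09:50:00 db=DB2P user=dba1 src=10.2.0.9 login=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) db=(?P<db>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) login=(?P<result>OK|FAILED)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

Event = Dict[str, object]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed records; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev: Event = dict(m.groupdict())
        ev["ts"] = datetime.strptime(m.group("ts"), TS_FORMAT)
        events.append(ev)
    return events


def failed_login_alerts(
    events: List[Event], now: datetime, lookback: timedelta, threshold: int
) -> List[Tuple[str, str, str, int]]:
    """One correlation query: (db, user, src, count) for every key whose
    FAILED logins inside [now - lookback, now] reach the threshold."""
    window_start = now - lookback
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for ev in events:
        if ev["result"] != "FAILED":
            continue
        if not window_start <= ev["ts"] <= now:
            continue  # older than the look-back period: not correlated
        counts[(ev["db"], ev["user"], ev["src"])] += 1
    return sorted((db, u, s, n) for (db, u, s), n in counts.items() if n >= threshold)


def run_correlation(
    text: str, now: str, lookback_hours: float, threshold: int
) -> List[Tuple[str, str, str, int]]:
    """Wrapper taking plain values: the scheduled run time and window in hours."""
    return failed_login_alerts(
        parse_log(text),
        datetime.strptime(now, TS_FORMAT),
        timedelta(hours=lookback_hours),
        threshold,
    )
```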
Global Profile
Message template customizes the message format used to generate alerts
• No wrap allows you to see where the line breaks appear
• Named template defines message templates
Use HTML left/right to change the text displayed
To find the global profile panel, navigate to Setup > Tools and Views > Global Profile. This panel defines the defaults that apply to all users:
• Use aliases in reports unless otherwise specified: Enables the display of aliases by default on all reports. This function is especially helpful with displaying hostnames instead of IP addresses.
• PDF Footer Text: Changes the text displayed at the bottom of each page for each PDF
often changed to enable integration with an external security incident event manager (SIEM) system.
responsible for
Set the size of the database table that Guardium uses to store information
Change the ports that can be used to send files over SCP and FTP
• Concurrent login from different IP not allowed: Constrains each Guardium user to log in from only one IP address at a time.
• Data level security filtering: Filters results, systemwide, so that each user only sees information from those databases that the user is granted access to.
• Default filtering: Permits logged-in users to see all the rows in the result regardless of who these rows belong to. When used with the datasec-exempt role, permits an override of the data-level security filtering.
• Include indirect records: Permits the logged-in viewer to see the rows that belong to the logged-in user, but also all rows that belong to users below the logged-in user in the user hierarchy.
• Escalate result to all users: Escalates audit process results and PDF versions to all users,
• Custom database maximum size: Sets the size of the database table.
• SCP and FTP files via different ports: Specifies ports that can be used to send files over SCP and FTP. For Global Profile, export and patch backup ports can be changed.
Note: The default port for ssh/scp/sftp is 22. The default port for FTP is 21. A setting of 0 as the port indicates that the default port is being used and that no change is needed.
• Check for Guardium updates: Checks for updates to Guardium software.
• Upload logo image: Adds a graphic to the right of the Guardium top banner.
Exercise introduction
Complete the following exercises in the Course Exercises book
• Setting the system shared secret and DNS resolver
• Enabling IP-to-hostname aliasing
Perform the exercises for this lesson.
Lesson 2 Data management
In addition to configuring the settings in IBM Guardium, you must also manage the data generated by the implementation. You might need to archive this data to prevent the IBM Guardium system from running out of disk space, while still retaining data for future auditing and reporting. Additionally, you need to back up the Guardium configuration information for recovery from a
System backup
• Supports different storage protocols
– SCP
– FTP
– Cloud: Amazon S3 or SoftLayer
• Configuration options depend on storage protocol
Periodically backing up the Guardium configuration and data is an important task. The storage type determines how and where the data will be transferred:
• SCP: Indicates a secure copy. This setting transfers the data to a target host using the secure copy protocol. Requires a user name and password. If you leave Port at 0, the default SCP port will be used.
• FTP: Transfers data to a target host using file transfer protocol (FTP). Requires a user name and password. If you leave Port at 0, the default FTP port will be used.
• Amazon S3: Transfers data to a storage cloud hosted on Amazon S3.
Each protocol has its own set of credentials required to connect to the target storage system. After system backup has been configured, it can be scheduled or run as a unique job.
Data Archive
• Run archive and purge operations on a scheduled basis
• Data Archive backs up data captured by the appliance within a given time period
• If data is not purged, the database will become full
The data archival function is available at Manage > Data Management > Data Archive.
Data archival is similar to, but different from, system backup. The purpose of system backup is to allow recovery from disaster or catastrophic hardware failure. The purpose of data archival is to keep old but potentially valuable data from filling up the Guardium database, while still maintaining the data in a place where it can be accessed.
You typically run archive and purge operations on a scheduled basis. Data Archive backs up the data that has been captured by the appliance within a given time period. You can also enable data purging.
Typically, you archive data at the end of the day when it is captured, so in the event of a catastrophe, only the data of that day is lost. Data purging depends on the application and is highly
In an environment with collectors and aggregators, it is recommended that you archive from the collectors and, if backup space allows, the aggregator.
It is important to configure the purge process. If data is not purged from the system, the database will eventually become full and logging will stop. Purge data older than indicates the maximum number of days the data will be kept on the appliance. You can allow data to be purged before it is archived or exported if, for example, you are archiving data from your collectors but not your aggregators.
Select Archive Values to include values from SQL strings in the archived data. If unselected, values are replaced with question mark characters on the archive, and therefore the values will not be available following a restore operation.
The storage method determines how and where the data will be transferred:
• SCP: Indicates a secure copy. This setting transfers the data to a target host using the secure copy protocol. Requires a user name and password. If you leave Port at 0, the default SCP port will be used.
• FTP: Transfers data to a target host using file transfer protocol (FTP). Requires a user name and password. If you leave Port at 0, the default FTP port will be used.
• Amazon S3: Transfers data to a storage cloud hosted on Amazon S3.
• SoftLayer: Transfers data to a storage cloud hosted on IBM SoftLayer.
Each protocol has its own set of credentials required to connect to the target storage system.
After system backup has been configured, it can be scheduled or run as a unique job.
Catalog Archive
• Guardium catalog tracks archive files
• Can be manually updated if the physical location of the archive file changes
To find the catalog archive function, navigate to Manage > Data Management > Catalog Archive.
The Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored on the system with minimal effort, at any point in the future. A separate catalog is maintained on each appliance, and a new record is added to the catalog when the appliance archives data or results.
If archive files are moved to another location after the Guardium archive operation, the Guardium software cannot determine what happened to those files. For these situations, you can maintain the archive catalog manually using the catalog archive function to add or remove archive entries.
Results Export
• Guardium can store the results of certain functions as CSV, CEF, and PDF files
• Supports secure copy (SCP) and file transfer protocol (FTP)
• Can run on demand or schedule to run automatically
Guardium can store the results of certain functions as CSV, CEF, and PDF files. As part of the archive process, you might want to export these files.
Access the results export function at Manage > Data Management > Results Export (Files). The two protocols for exporting results are secure copy (SCP) and file transfer protocol (FTP). After you have configured the export of results, you can run the export or schedule it to automatically run.
Exercise introduction
Complete the following exercise in the Course Exercises book
• Archiving Guardium data
Perform the exercise for this lesson.
Unit summary
• Use the Administration Console to perform basic IBM Guardium system configuration
• Manage IBM Guardium system data
IBM Guardium: Groups
Guardium groups offer a powerful method to facilitate the creation of queries and policy rules. In fact, without the use of groups, you might have to rely on conditional statements for queries and policy rules. Groups can have one or many attributes and members can belong to multiple groups.
In this unit, you learn how to build and populate the Guardium groups.
Unit objectives
• Use Group Builder to create, modify, and populate Guardium groups
• Create and populate Guardium groups
Lesson 1 Building groups
In this lesson, you learn how groups help perform data security functions by grouping like members for automation of tasks, simplification of queries, and collection of environment configuration data.
reports
Test policy rules against group members
• Eases maintenance: A query without groups would require many ‘OR’ conditions; the same query using a group requires only one condition
• Allows membership in multiple groups
• Allows members to have single or multiple attributes
• Can specify type of data contained and type of application to be associated with
• Can be hierarchical
• Uses group category and classification to filter and group like members
Without groups, queries and policy rules might require the use of many ‘OR’ conditions. As an example, when checking to see who the database user is, a query might check user IDs using the
OR DB USER NAME = sa
If a group named -Privileged Users is created, and the user IDs scott, a8000, a4902, a4949, a5710, a9449, and sa are added to that group, the query needs only to use the following simplified SQL command:
For policy rule definitions, the rule can be applied against members of a group. This eases maintenance of policy rule definitions and report queries. You only need to update the group, rather than having to update each rule or query. This is especially useful when more than one rule or query uses the same group.
Groups are typed. That is, the members of a group can be constrained to match certain data requirements. Additionally, you can specify what type of application a group can be used with. Guardium provides predefined groups. You can also define custom groups. Group members can be part of more than one group.
Tuple groups are groups whose members can combine multiple attributes in a single member. Examples of tuple groups include those shown in the following list:
• Object/Command: Combines two attributes in a single member
• DB User/Object/Privilege: Combines three attributes in a single member
• Client IP/Source Program/DB User/Server IP/Service Instance: Combines five attributes in a single member
By default, predefined groups of group type DB User/DB Password are allowed only to users with the role of admin.
4. Populate from query
5. Classifier
6. GrdAPI command
1. Manual Entry: You can manually add members to a group by entering the name of a new member.
2. Manual Entry by selecting members from a drop-down list: You can also manually add members to a group by selecting from a list. When you create a group, you provide a group type. Guardium then provides a drop-down list that contains potential members of that type. As an example, when you create a group of type user, Guardium lists potential members of type user.
3. LDAP: You can import data from an LDAP server to create group members. As an example, you can maintain a list of database users in an LDAP directory. You can import this list of users to
4. Populate From Query: You can run a query on the Guardium database and use the results to
5. Classifier: You can configure Guardium to determine group membership by the use of a policy.
6. GrdAPI: You can use the command line to automate the creation of group members. As an example, you might want to add a large number of members to a group. You can use a batch file to do so. You can also use the command line to integrate with other applications that might control the member list of a group.
Displays existing groups
Modify, clone, delete, create group
Options to populate group
Special options for hierarchical groups
Group Builder. The first window that is displayed is the Group Filter window. This allows you to narrow the list of groups that are displayed in the Group Builder.
From the group filter window, click Next to reach the Group Builder. Optionally, you can choose to filter the list of groups displayed in the Group Builder by choosing filter options. For example, if you
Select a group and click the Edit icon
data definition language (DDL), and data manipulation language (DML) groups. Others are placeholders, such as the Sensitive Objects group, that allow you to enable built-in reports by simply populating
In both cases, you can edit the groups by selecting the pencil icon.
As an example, some companies consider the truncate command to be data definition language (DDL), which is not included in the built-in DDL commands group. To add the command to the DDL commands group, highlight the group name and click the pencil icon. Enter the new group member name in the Create & add a new Member named field and click Add.
You rename existing members by highlighting the member, typing the new name in the Rename select Member to field, and clicking Update.
To delete members, highlight the member and click the Delete button.
• Application Type: This list shows which applications can access this group, with Public indicating all applications.
• Group Description: This field shows the name of the group. It is recommended that you start the group name with a character or characters to distinguish the custom groups from the built-in groups. This example uses a dash (-), which also causes the group to appear at the top of the list of groups.
• Group Type Description: This field shows the data element you are basing your group on,
reporting
• Classification: Another optional label used for policy violations and groups
• Hierarchical: A check box that causes the group to be defined as a “group of groups”. This option is discussed later in this unit.
Group reports
Two reports provide details on all of the groups in the system:
• Groups Usage Report: Details which applications use each group. Not every group is listed in this report. Only groups associated with a Guardium module or application are listed.
• Guardium Group Details: Lists all of the groups that can be filtered by description and group type, and lists which members belong to which groups.
Uempty
Lesson 2 Populating groups
e
Lesson: Populating groups
ut
ib
tr
is
D
or
e
IBM Guardium: Groups © Copyright IBM Corporation 2016
at
In this lesson, you learn how to populate groups by using drop-down lists, queries, and other
methods.
l ic
up
D
ot
N
o
D
Uempty
Add. This is the simplest way to add a new member, and is useful for adding a small number of members to a small number of groups.
Uempty
e
ut
ib
tr
is
D
IBM Guardium: Groups
This list is based on data logged by Guardium and is available for groups where the size of the list
ic
is limited. For example, the number of users that has been detected by Guardium and added to the
list of potential members could be in the hundreds or thousands and, therefore, will have the
l
drop-down list available. However, there are likely millions of other fields logged, making a
up
Uempty
import from the list or you can choose to schedule the process. If you choose to schedule the process, Guardium imports all of the users found. It is important for a Guardium group populated by LDAP to remain synchronized with changes that might be made to an LDAP server. How often to schedule the process depends on how frequently the associated LDAP directory might change members.
To populate from a query, on the Modify Existing Groups window, highlight the group that you are interested in and click Populate from Query.
You cannot populate from a query in the Manage Members for Selected Group window. Therefore, if you are creating a new group, when the Manage Members for Selected Group window appears, click Back to return to the Modify Existing Groups window.
Uempty
e
ut
Use a specific date
ib
Use a relative date
tr
is
D
IBM Guardium: Groups
• Query: Choose the query that contains records you are interested in. This query can be based
on observed traffic or based on a customer query originating from an external source.
ic
• Fetch Member From Column: Choose the field from the report that will be used to populate
the group. This field must be compatible with the group type. As an example, if the group type is
l
USERS, a field that contained IP addresses would not be compatible, and would produce an
up
means that the starting time of the query is one week from this moment. You can specify a date
or use a relative time and date. In either case, a dialog box is displayed to help you select the
ot
correct time. In the above example, the dialog box has been configured to show a start time of
one week before the query is run.
N
• To Date: Enter the ending point in time for this query. In the example, NOW means the present
time. You can specify a date or use a relative time and date. In either case, a dialog is displayed
o
to help you select the correct time. In this example, the dialog box has been configured to show
an end time of the time when the query is run.
D
• Remote Source: If you are running the population operation from a central manager in a
distributed environment multicollector environment, you can choose to run the query against
data on a managed collector or aggregator.
• Run time parameters: Based on the query, you might have the option to provide run-time
parameters. if you have any run-time parameters, enter the appropriate values or enter a
Uempty
percent sign (%) as a wildcard to return everything. In the example above, Enter Value for
Server IP is a run-time parameter. Leaving the field blank also returns everything.
• Clear existing group members before importing: Select this check box to purge all existing
group members before importing from the query.
clicking Modify Schedule. Selecting this option imports all returned results. Because it is unattended, there is no option to pick specific values to import.
You find this option at Discover > Classifications > Classification Policy Builder. Classification
GuardAPI
• You can use GuardAPI to create and populate groups
• You can add a member from the CLI manually
grd01.guard.swg.usma.ibm.com> grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a9940
• GuardAPI is most effectively used in a batch file
© Copyright IBM Corporation 2011, 2013
The final method of populating a group is by using the command line. The grdapi command provides access to Guardium functionality from the command line or from a batch file. This allows for the automation of repetitive tasks, which is especially valuable in larger implementations.
GuardAPI commands, including those to create and populate groups, can be scripted and run in batch files. Follow these steps to create and run a batch file:
1. Create a file with the individual commands repeated for each group member.
dbserver01:~ # cat group-upload.txt
grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a2342
ssh cli@collector-or-central-manager-ip<file-name-created-above
See the following example:
dbserver01:~ # ssh cli@192.168.169.9<group-upload.txt
Pseudo-terminal will not be allocated because stdin is not a terminal.
cli@192.168.169.9's password:
Welcome cli - your last login was Tue Sep 28 08:45:29 2010
grd01.guard.swg.usma.ibm.com> ok
ID=1000008
grd01.guard.swg.usma.ibm.com> ok
ID=1000009 …
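As an added example (not IBM's code and not the course's own script), the following Python builds such a batch file from a member list and then checks the CLI transcript that the ssh invocation prints, counting the ok/ID= confirmations against the number of commands sent so that an unattended run can be verified afterwards. The command syntax and the transcript format are the ones shown above; the member names and the transcript in the block are constructed sample data, and the member-name allow-list is an assumption of this example, not a Guardium validation rule.

```python
"""Build a GuardAPI batch file and verify the CLI transcript of its run.

Added example: not IBM's code and not the course's script. It assumes the
command syntax and the transcript format shown in the lesson:
    grdapi create_member_to_group_by_desc desc="<group>" member=<name>
    <prompt>> ok
    ID=<number>
The allow-list, the sample member names and the sample transcript below
are constructed for this example.
"""
import re

# Member names go on the grdapi line unquoted, so reject anything that could
# break the command. This allow-list is an assumption of the example, not a
# Guardium rule.
_MEMBER_OK = re.compile(r"^[A-Za-z0-9_.@-]+$")


def build_batch(group_desc: str, members) -> str:
    """Return the text of a batch file with one grdapi command per member."""
    if '"' in group_desc:
        raise ValueError("group description must not contain double quotes")
    lines = []
    for name in members:
        if not _MEMBER_OK.match(name):
            raise ValueError(f"unsafe member name: {name!r}")
        lines.append(
            f'grdapi create_member_to_group_by_desc desc="{group_desc}" member={name}'
        )
    return "\n".join(lines) + "\n"


_OK_LINE = re.compile(r"^\S+> ok\s*$")   # e.g. grd01.guard.swg.usma.ibm.com> ok
_ID_LINE = re.compile(r"^ID=(\d+)\s*$")   # e.g. ID=1000008


def check_transcript(transcript: str, commands_sent: int) -> dict:
    """Count the ok/ID= confirmations in a transcript.

    Assumes, as in the lesson's output, that every successful command is
    answered by an 'ok' prompt line immediately followed by an 'ID=' line.
    A run is complete only when the number of confirmations equals the
    number of commands sent; anything else needs a look at the transcript.
    """
    ids = []
    lines = transcript.splitlines()
    for i in range(len(lines) - 1):
        if _OK_LINE.match(lines[i]):
            match = _ID_LINE.match(lines[i + 1])
            if match:
                ids.append(int(match.group(1)))
    return {
        "sent": commands_sent,
        "confirmed": len(ids),
        "ids": ids,
        "complete": len(ids) == commands_sent,
    }


# Constructed sample: three members sent, only two confirmed.
SAMPLE_MEMBERS = ["a2342", "a9940", "scott"]
SAMPLE_TRANSCRIPT = """\
Pseudo-terminal will not be allocated because stdin is not a terminal.
Welcome cli - your last login was Tue Sep 28 08:45:29 2010
grd01.guard.swg.usma.ibm.com> ok
ID=1000008
grd01.guard.swg.usma.ibm.com> ok
ID=1000009
"""

if __name__ == "__main__":
    batch = build_batch("- Privileged Users", SAMPLE_MEMBERS)
    print(batch, end="")
    print(check_transcript(SAMPLE_TRANSCRIPT, len(SAMPLE_MEMBERS)))
```

The batch text is what you would redirect into `ssh cli@<appliance>` as in the step above; the transcript check is meant to be run on the captured output of that command, because a batch fed over stdin gives no other signal that every member was added.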
Hierarchical groups
• Grouping of groups
• Allows lists to be merged from several subgroups, rather than redefining them
Specifies that members will be other groups
The Hierarchical check box allows a group to be defined as a “group of groups.” As an example, if you have three groups of users who are also considered to be privileged users, such as DBAs, SAs, and Developers, you could create a group called Privileged Users that would contain the members of all three groups. Specifying hierarchies allows you to be specific when necessary, as when you are concerned with all DBA activity, and allows for fewer steps when you have broader requirements, such as all privileged user activity.
In the above example, a hierarchical group of type COMMANDS has been defined to contain a list of monitored commands. These monitored commands will consist of the union of two sets of commands, specifically those in the DDL Commands group and those in the DML Commands group. Rather than explicitly adding each of these commands to the new group, make the new group hierarchical and set the two groups as members.
groups.
2. Select Hierarchical.
3. Click Add.
Group added as member
Group to be added as member
4. From Add existing Group to Group list, select DDL Commands and click Add.
5. From Add existing Group to Group list, select DML Commands and click Add.
6. Click Back when you are done to return to the Group Builder.
From the Group Builder, click Run Once Now in the Flatten All Hierarchical Groups Scheduling pane.
The group of groups now encompasses all of the members of the DDL Commands group and the DML Commands group. As well as running the flattening process to initially populate this group, you should also schedule this process using Modify Schedule, so that any changes made to either
To see the list of individual members in the hierarchical group, view the Guardium group details report, as shown in Group reports. The Group Builder membership management list does not show the individual members. In the example above, flattening the group hierarchy causes commands in the DDL Commands and DML Commands groups to be displayed as members of the - Monitored Commands group.
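The flattening step can be expressed as a recursive union over subgroup members. The following Python is an added example, not Guardium's flattening code; it assumes groups are held as a dict of group name to member set, where a member that is itself a group name is a subgroup (a hypothetical representation chosen for this example). It also covers the point the scheduled re-flatten addresses: a flattened list is a snapshot, so the block compares an earlier snapshot with the current definition to show what a re-run would pick up. Group and member names are constructed after the lesson's DDL/DML example, including the truncate case from earlier in this unit.

```python
"""Flatten a hierarchical group ("group of groups") into individual members.

Added example: not Guardium's flattening code. Groups are assumed to be a
dict of group name -> set of direct members, where a member that is itself a
group name is a subgroup (a hypothetical representation chosen for this
example). Names below are constructed after the lesson's DDL/DML example.
"""


def flatten(groups: dict, name: str) -> set:
    """Return every individual member reachable from group `name`.

    Subgroups are expanded recursively. A group that contains itself,
    directly or through another group, is expanded only once, so a cyclic
    definition still terminates instead of recursing forever.
    """
    members = set()
    expanded = set()

    def walk(group):
        if group in expanded:
            return
        expanded.add(group)
        for member in groups.get(group, ()):
            if member in groups:      # a subgroup: expand it
                walk(member)
            else:                     # an individual member
                members.add(member)

    walk(name)
    return members


def membership_drift(groups: dict, name: str, flattened_snapshot: set) -> dict:
    """Compare an earlier flattened member list with the current definition.

    Because a flattened list is a snapshot, changes to any subgroup are not
    reflected until the flattening runs again; the returned sets are what a
    scheduled re-flatten would add and remove.
    """
    current = flatten(groups, name)
    return {"added": current - flattened_snapshot,
            "removed": flattened_snapshot - current}


# Constructed sample after the lesson's example.
SAMPLE_GROUPS = {
    "DDL Commands": {"CREATE TABLE", "ALTER TABLE", "DROP TABLE"},
    "DML Commands": {"INSERT", "UPDATE", "DELETE"},
    "- Monitored Commands": {"DDL Commands", "DML Commands"},
}

# Constructed cyclic definition: A contains B and B contains A.
CYCLIC_GROUPS = {
    "A": {"B", "x"},
    "B": {"A", "y"},
}

if __name__ == "__main__":
    snapshot = flatten(SAMPLE_GROUPS, "- Monitored Commands")
    print(sorted(snapshot))
    # Someone adds TRUNCATE TABLE to the DDL group after the last flatten.
    updated = {k: set(v) for k, v in SAMPLE_GROUPS.items()}
    updated["DDL Commands"].add("TRUNCATE TABLE")
    print(membership_drift(updated, "- Monitored Commands", snapshot))
    print(sorted(flatten(CYCLIC_GROUPS, "A")))
```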
Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating and populating Guardium groups
Perform the exercise for this lesson.
Unit summary
• Use Group builder to create, modify, and populate Guardium groups
• Create and populate Guardium groups
IBM Guardium: Policy management
IBM Guardium gathers a large amount of information about data access from database and file servers. This information is parsed and logged, yet this is not enough. You must provide Guardium with a set of rules describing what should be done with the information. These rules, or policies, tell Guardium what information S-TAP agents should send to the collectors and what action to take when certain types of information are received. In this unit, you learn how to configure the rules that tell Guardium how to process the information it receives from database and file servers.
Unit objectives
• Describe how IBM Guardium logs traffic and the concept of a construct
• Create and install a policy or set of policies to meet business requirements
• Add access rules to a policy
• Use exception and extrusion rules to evaluate data
• Install and manage the Selective Audit Trail policy
• Describe the correct order of execution for policy rules
• Describe how to control a session
• Use policies to classify sensitive data
Lesson 1 Policy overview
Before learning how to write rules, you must understand how Guardium collects information. In a typical environment, databases might process millions of database requests in a single hour. That means the S-TAP agents are sending a great deal of information to the Guardium collectors, which in turn must parse and store that information. Efficient policy rules can be written with these requirements in mind. As an example, you might want to ignore certain database queries or even entire sessions. Other queries might need some sort of immediate response. In this lesson, you are introduced to Guardium policies.
Policy review
• Ensuring data security requires policies
• A policy is an ordered set of rules applied by the sniffer against each request received
• Rule types
− Access
− Exception
− Extrusion
Effective data security requires the creation, maintenance, and implementation of policies. Policies define, through a set of rules, the following elements:
• What is permitted: Policies determine who has what level of access to which data, on which servers. As an example, a policy might specify that high-level database administrators are not allowed to view the data in certain tables, even though those administrators will need to
• What is monitored: Policies determine which actions are monitored and logged. As an example, a policy might determine that any attempt to access a file will be logged.
• What actions are to be taken in the case of certain events: As an example, an attempt in an RDBMS management session to view restricted data results in termination of the session, logging of the action, and creation of an event that is sent to an event console.
Each rule can apply to a request from a client or to a response from a server. The following rule
• Exception: SQL errors and failed login messages from the server to the client
Each rule contains conditions and one or more actions. When all of the rule’s conditions have been met, the actions are triggered. The rules are applied sequentially.
A policy must be installed to be in effect. After any change to a policy, including group member updates, the policy must be reinstalled.
Network connections
Sessions
SQL commands
SQL errors
SQL result sets
After S-TAP has been installed and the inspection engines have been configured, S-TAP starts forwarding all database traffic to the collector. This traffic is analyzed, parsed, and logged by the sniffer process on the collector, as follows:
SQL errors
Result sets
• Traffic analyzed, parsed, and logged by the sniffer
– Database Client -> Database Server
Client/server network connections
Sessions (logins/logouts)
SQL requests (commands)
– Database Server -> Database Client
Failed login messages
SQL errors
• Traffic ignored and discarded by the sniffer
Result sets
Network connections
Sessions
SQL commands
SQL errors
SQL result sets
SQL command components
2. It parses the data for easy reporting. For example, parse the SQL string ‘insert into
The sniffer logs the sentence with question marks instead of the actual values entered by the user. This is done for two reasons:
1. These values can be highly sensitive and Guardium should not log this information
2. Masking the values allows Guardium to greatly increase the data retention on the collectors and aggregators. The next few slides explain the concept of constructs and how masking values increases data retention.
Constructs
When Collector receives this SQL request again
• Does not log SQL String again
• Refers back to original construct ID
When the sniffer encounters an SQL request that it has not previously seen, it logs the request as a construct with an associated primary key. Constructs are basically prototypes of requests that Guardium detects in the traffic. The combinations of commands, objects, and fields included in a construct can be very complex, but each construct basically represents a very specific type of access request.
Constructs are logged with the values replaced by question marks, which makes most SQL requests less unique. For example, the following statements appear to be unique to each other:
select * from employee_table where employee_id = 48 and hire_date = ‘8/2/09’
However, if you replace the values with question marks, you see that they are the same basic request:
select * from employee_table where employee_id = ? and hire_date = ?
example of a construct. When the sniffer first encounters this SQL request, it logs the request with an associated construct ID. When the sniffer encounters it again, it will not log the request a second time. Instead, the sniffer will refer back to the construct it had logged earlier.
SQL made 844 times in two different sessions within same access period (usually one hour)
Count of occurrences
Most recent occurrence within latest access period
updates the access period timestamp to the time of the last request. Therefore, in reporting the finest level of detail, you see that the construct was run x number of times within an hour, with a
When the sniffer receives the same construct multiple times over an extended time period, it makes
access period timestamp and counter. All further occurrences of this construct within this session will update this record’s access period timestamp and counter until a new access period begins.
2. When a new access period begins within the same session. The default access period is one hour (9:00 to 9:59, 10:00 to 10:59, and so on). When a new access period begins, the next occurrence is entered as a new line with its own access period timestamp and counter.
This method of logging saves a tremendous amount of space. As shown in the two examples above, thousands of requests can be collapsed into just a few lines. If each line is written separately, the disk will be filled up very quickly. In a production environment, millions of lines per hour can be saved in this manner.
From a user perspective, these are the most important things to remember about constructs:
• You see a masked SQL string (question marks instead of values)
• If the collector logs the same construct within an hour from the same session, the following actions occur:
a. It counts the number of times the construct occurred.
b. It updates the access period timestamp with the time of the most recent occurrence. This will be the most precise timestamp under these circumstances.
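The masking and the per-session, per-access-period counting described in this lesson can be modelled in a few lines. The following Python is an added example, not IBM code and not the sniffer's implementation: it assumes a simplified literal masker (single-quoted strings and bare numbers become ?) and the default one-hour access period starting on the hour, and feeds it a constructed set of statements across two sessions to show how five requests collapse into two constructs and four logged rows. The construct ids and session names are constructed values.

```python
"""Masked constructs with per-session access-period counters.

Added example: not IBM code and not the sniffer's implementation. It assumes
a simplified masker (single-quoted string literals and bare numbers become
'?') and the default one-hour access period that starts on the hour. The
statements fed in below are constructed sample traffic.
"""
import re
from datetime import datetime

# A single-quoted string ('' inside is an escaped quote) or a bare number.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def mask_values(sql: str) -> str:
    """Replace literal values with '?' so that requests that differ only in
    their data collapse to one construct."""
    return _LITERAL.sub("?", sql)


class ConstructLog:
    """Minimal model of how constructs are logged.

    constructs: masked SQL -> construct id, stored once per distinct text.
    rows: (session, construct id, access period start) -> counter and the
    timestamp of the latest occurrence within that period.
    """

    def __init__(self):
        self.constructs = {}
        self.rows = {}

    def log(self, session: str, sql: str, ts: datetime) -> int:
        masked = mask_values(sql)
        cid = self.constructs.setdefault(masked, len(self.constructs) + 1)
        period = ts.replace(minute=0, second=0, microsecond=0).isoformat()
        key = (session, cid, period)
        row = self.rows.get(key)
        if row is None:
            # First occurrence in this session and period: a new line.
            self.rows[key] = {"count": 1, "last_seen": ts.isoformat()}
        else:
            # Same construct, session and period: bump the counter and move
            # the timestamp to the most recent occurrence.
            row["count"] += 1
            row["last_seen"] = max(row["last_seen"], ts.isoformat())
        return cid

    def summary(self):
        """Rows as sorted (session, construct id, period, count, last_seen)."""
        return sorted(
            (s, c, p, r["count"], r["last_seen"])
            for (s, c, p), r in self.rows.items()
        )


# Constructed sample traffic: four selects that differ only in values, in
# two sessions and two access periods, plus one update.
SAMPLE_TRAFFIC = [
    ("session-1", "select * from employee_table where employee_id = 48 and hire_date = '8/2/09'",
     datetime(2016, 10, 3, 9, 5)),
    ("session-1", "select * from employee_table where employee_id = 51 and hire_date = '1/15/12'",
     datetime(2016, 10, 3, 9, 40)),
    ("session-2", "select * from employee_table where employee_id = 7 and hire_date = '3/3/03'",
     datetime(2016, 10, 3, 9, 50)),
    ("session-1", "select * from employee_table where employee_id = 9 and hire_date = '2/2/02'",
     datetime(2016, 10, 3, 10, 2)),
    ("session-1", "update employee_table set salary = 9000 where employee_id = 48",
     datetime(2016, 10, 3, 10, 3)),
]


def run_sample() -> ConstructLog:
    """Log the sample traffic and return the resulting construct log."""
    log = ConstructLog()
    for session, sql, ts in SAMPLE_TRAFFIC:
        log.log(session, sql, ts)
    return log


if __name__ == "__main__":
    log = run_sample()
    print(len(SAMPLE_TRAFFIC), "requests ->", len(log.constructs),
          "constructs,", len(log.rows), "rows")
    for row in log.summary():
        print(row)
```

The two selects in session-1 during the 9:00 period share one row with a count of 2 and a timestamp of 9:40; the select at 10:02 in the same session starts a new row because a new access period began, exactly the two cases the lesson lists.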
Lesson 2 Installing and creating policies
Groups of rules are policies. You must wisely manage these policies to make the most of Guardium collector resources and to make sure your organization's data security requirements are being properly implemented. In this lesson, you learn how to install and create a basic policy.
Installing a policy
Multiple installed policies are allowed
• Run sequentially
• Cannot mix selective audit and other policies
• After modifying policy, must reinstall for changes to take effect
• Reinstallation can be automated
The remainder of this unit focuses on creating policies and configuring policy rules. However, for a policy, or any changes to a policy, to take effect, it must be installed.

To install a policy, go to Setup > Tools and Views > Policy Installation or Protect > Security Policies > Policy Installation. Highlight the policy that you want to install and choose Install & Override from the drop-down list.

If the groups contained within the policy are updated regularly, the installation should be scheduled by clicking Modify Schedule to open the general-purpose scheduling utility. For example, if you are using the populate from query method to update a group of privileged users nightly, the policy

More than one installed policy is permitted at the same time. All installed policies are available for action and are run sequentially. The only limitation is that policies defined as selective audit policies cannot be mixed with policies that are not defined as selective audit policies. If you try to mix policies, an error message will result when you install these mixed policies. The order of appearance can be controlled during the policy installation, but the order of appearance cannot be

Remember, in all of the following examples, the policy must be installed after any modifications for the changes to take effect.

Edit policy
Uninstall policy

You can directly access the policy by clicking the pencil icon. You can uninstall the policy by clicking the uninstall icon.

Under the Policy Builder window, you find the Policy Finder, which lists the existing policies accessible by the user who is currently logged in.
Note: In this example, these policies are owned by the admin user and are built into the system.

There are also special policy builders for file and classification policies. These are covered in separate modules.

Under the Policy Builder window is the Policy Finder, which lists the existing policies accessible by the user who is currently logged in. For access to an existing policy, you must either be the creator of the policy or belong to a role that has been granted access to it. In this example, these are the policies owned by the admin user and built into the system:
• The Allow-all policy contains no rules. If you need to go back to the collector’s default behavior, as described earlier in this unit, install the Allow-all policy to get there.
• The remaining built-in policies, including Basel II, Data Privacy, and SOX, provide example rules to help users build their own policies. If you choose to use one of these policies in your environment, make sure that you understand what each rule does.

You can perform the following functions:
• Create a new policy.
• Clone an existing policy, allowing you to save it with a new name. Several predefined policies with predefined access, exception, and extrusion values are available for policy cloning. This allows you to use the predefined policy as a template.
• Modify a policy definition.
• Delete a policy.
• Edit the rules of a policy.
• Attach comments to a policy, allowing you to leave notes for yourself or other users.

Policy Definition

To create a new policy, you must enter a policy description. You should name the policy something that differentiates it from the built-in policies. In the example above, the dash (-) helps to show that it is not a built-in policy and causes the policy to appear at the top of the list.

Field and description:

Policy category: An optional label that can be used to group policy violations for reporting purposes. The category specified here is used as the default category for each rule, and it can be overridden in the rule definition.

Policy baseline: If you have created a baseline, you can create a policy based on it.

• The flat logs can be seen on a designated Flat Log List report.
To configure the offline process to parse the data and merge to the standard access domains, go to Manage > Activity Monitoring > Flat Log Process.

Rules on flat: Selecting this option results in the following behavior:
• Session-level rules are examined in real time.
• No rules are evaluated when the offline processing takes place.
When Rules on flat is NOT selected, policy rules fire at processing time, using the policy that is installed at that time.

Selective audit trail: Selecting this option causes a special type of policy to be created that results in all SQL requests being dropped by the sniffer. Only SQL requests defined in the Audit Pattern or in individual rules are logged. Failed logins, SQL errors, and session-level information are logged. Creating and installing a policy with this check box selected changes the default behavior, even with no rules defined. This is covered as a separate topic within this unit.

Audit pattern: Use this field in conjunction with the Selective audit trail check box, as described above.

Roles: Use this feature to grant access to other users.

Back: Use this button to return to the previous window.

Edit Rules: Use this button to add rules, which is the next step in creating your policy.

Policy Rules
Add rules to the policy; choose from three rule types
1. Access rule
2. Exception rule
3. Extrusion

Next, you start adding your rules to the policy. You can choose from three types of rules:
2. Exception Rule: SQL Errors and Failed login messages returned by the database server to the client

Start with access rules, followed by exception and extrusion rules. To create a new access rule, click Add Rules > Add Access Rule.

Lesson 3 Access rules

Many data security requirements pertain to the database users and administrators accessing database tables. Access rules focus on evaluating access operations and then taking the correct actions such as ignoring the operation or terminating the session. In this lesson, you learn how to build access rules.

Criteria: Defines fields and options that trigger the rule
Actions: The activity that is performed when a rule is triggered
Save or discard the policy rule

2. Criteria: Defines the fields and options that trigger the rule.
3. Action: Describes the activity that the appliance performs when a rule is triggered.

• Classification: Optionally enter a classification in the Classification field; like Category, these are logged with exceptions and can be used for grouping and reporting purposes
• Severity: Select a severity code: Info, Low, Med, or High (Info is the default)

If you choose fields in separate rows, both conditions must be satisfied for the rule to trigger (AND Conditions). In the example above, the user must be in the Privileged Users group and the object
If you choose two fields within the same row, a match for either satisfies that criterion (OR Condition).

Category: Alerts/Policy Violations
• ALERT DAILY: Send notifications to one or more recipients only the first time the rule is matched each day.
satisfied.
• ALERT PER TIME GRANULARITY: Send notifications once per
• FAM ALERT AND AUDIT: Trigger an alert and log the construct that triggered the rule.
• FAM AUDIT ONLY: Log the construct that triggered the rule.
• FAM IGNORE: Do not log this event.
• FAM LOG ONLY ACCESS VIOLATIONS: Log FAM access violations.
• LOG ONLY: Log the policy violation only.

Category: Filters
• IGNORE RESPONSES PER SESSION: Ignore responses for the remainder of the session.
• IGNORE SESSION: Ignore the current request and the remainder of the session.
• IGNORE S-TAP SESSION: Ignore the current request and the remainder of the S-TAP session. This is a “hard” ignore and cannot be revoked.
• IGNORE STAP SESSION (REVOCABLE): Ignore the current request and the remainder of the S-TAP session. This is a “soft” ignore, and this rule action can enable the session traffic to be sent again without requiring a new connection to the database.
• IGNORE SQL PER SESSION: Do not log SQL for the remainder of the session. Exceptions will continue to be logged, but the system might not capture the SQL strings that correspond to the exceptions.
• SKIP LOGGING: Do not log a policy violation, and stop logging constructs.

Category: Logging Rules
• LOG MASKED DETAILS: Log the full SQL for this request, replacing
session.
• LOG FULL DETAILS WITH VALUES PER SESSION: Combine the
• LOG FULL DETAILS WITH REPLACED VALUES: Use only for DB2 on z/OS and iSeries. Replace literal markers such as :1, :2 (for static sql) or ? (for dynamic prepare) in SQL statements with bind

Category: Firewall/Blocking
• QUARANTINE: Prevent the same user from logging in to the same server for a certain period of time.
• S-GATE TERMINATE: Terminate a database connection, or session, and prevent additional requests on that session.
• S-GATE ATTACH: S-TAP is in firewall mode for that session, holding the database requests and waiting for a verdict on each request before releasing its responses. In this mode, there will be latency.
• S-GATE DETACH: S-TAP is in normal monitoring mode for that session; it passes requests to the database server without any delay. In this mode, latency is not expected.
• S-TAP TERMINATE: Terminate a database connection or session and prevent additional requests on that session. This action is available in S-TAP, regardless of whether S-GATE is used.

Category: Other Logging Rules
• ALLOW: Do not log a policy violation. If ALLOW action is selected, no other actions can be added to the rule. Constructs are logged.
• NO PARSE: Do not parse the SQL statement.
• QUICK PARSE NO FIELDS: Do not parse fields in the SQL statement.
• QUICK PARSE NATIVE: Use only for Guardium S-TAP for DB2 on z/OS to improve performance in a heavy traffic environment.
• QUICK PARSE: For the remainder of the session, do not parse the SQL statement.
transactions.
• MARK AS AUTO-COMMIT ON/ MARK AS AUTO-COMMIT OFF: Use in the Replay function due to various auto-commit models for different databases.
• ADD DATA SINK: Do not use this rule.

Alert Once Per Session
AND
Log Full Details
AND
Object is in the Sensitive Objects Group

Alert rules

Alert rules send notification to designated receivers at a defined frequency, depending on the action chosen.
• Actions
– Alert Daily sends notifications only the first time the rule is matched each day.
– Alert Once Per Session sends notifications only once for each session in which the rule is matched.
– Alert Per Match sends notifications each time the rule is satisfied.
– Alert Per Time Granularity sends notifications once per logging granularity period. For example, if the logging granularity is set to one hour, notifications will be sent for only the first match for the rule during each hour.
• Receivers
– Email messages are addressed to Guardium users, and are sent via the SMTP server configured for Guardium.
– SNMP traps are sent to the trap community configured for the Guardium appliance.
– Syslog messages are written to syslog. Custom notifications, which are user-written notification handlers, are implemented as Java classes.
• Rec. Vals.: The record values check box indicates whether the full, unmasked SQL string is included with the alert.
• Message Template: The template used for the message can be modified.

Alert example

This is an example of a triggered alert going to syslog. Note that the alert contains the policy rule name and it includes the full SQL statement because the record values check box was selected.
When an alert rule is triggered, the appliance also logs a policy violation.

Allow
With multiple rules in a policy, the rules are processed from top to bottom
The Allow action helps control this flow
The Allow rule informs the sniffer to log the traffic normally and not continue to the next rule

With multiple rules in a policy, the rules are processed from top to bottom. When a rule is triggered, the default behavior is to stop processing subsequent rules, unless the Continue to next rule

The Allow action helps control this flow. The Allow rule informs the sniffer to log the traffic normally; that is, log the construct and access period timestamp, and do not continue to the next rule. Note that the Continue to next rule check box is grayed out and unavailable. This is commonly used when you want to prevent certain activity from reaching specific rules further down in the policy.

A real-world example of when this rule is used is when a customer requirement is to log activity by privileged users only for MS SQL Server 2005 or 2008 database servers. To meet such a requirement, you usually create a rule specifying if the user is NOT in the Privileged User group, ignore session. With most database types, this rule is sufficient. However, with MS SQL Server 2005/2008, many login packets are encrypted and it takes Guardium a few seconds to resolve the encrypted login to the actual user name. While the resolution is taking place, the user name appears as an empty string and, being empty, it is not in the Privileged User group and is therefore ignored. To prevent privileged user sessions from being ignored incorrectly, you add an Allow rule with a special guardium://empty flag in the DB User field before the Ignore Session rule. While the user name is empty, the traffic is logged normally. When the user name is resolved, this rule is not triggered because it will no longer be empty, allowing the session to be evaluated by the ignore session rule.

The performance of each collector
Data retention
• Connection information always logged

sniffer. Connection (login/logout) information is always logged, even if the session is ignored.

Ignored session rules can positively affect the performance of the collector and data retention. If you log privileged user activity only, you need fewer collectors than a “comprehensive”

Choosing which sessions to be ignored depends on the size of the Guardium implementation. Some implementations might ignore sessions where the user is not a member of a group of privileged

Most implementations fall somewhere in between. That is, more than just privileged users are logged but many trusted sessions, such as applications, backups, and scheduled processes, are ignored.

(Diagram: Network connections, Sessions, SQL commands, SQL errors, SQL result sets)
2. S-TAP sends the connection information, along with the first few commands, to the sniffer.
3. Based on the policy rule, the sniffer determines that the session should be ignored.
4. The sniffer sends a signal to S-TAP to stop sending traffic from that session.
8. If S-TAP continues to send traffic from a session that should be ignored, the sniffer continues to

The process described above is repeated for every connection; this keeps resource utilization as low as possible on the database server. All policy logic is maintained by the collector while S-TAP

If you have an S-TAP-only environment, use the Ignore S-TAP Session rule, not Ignore Session, to completely ignore a session. Ignore Session only sends the “ignore” signal to S-TAP once and is not as robust as Ignore S-TAP Session. However, if you use a SPAN Port or Network TAP, you need to use Ignore Session rules for network traffic.

server using a specific application can be ignored, but if the connection does not meet all three criteria, the activity should be logged.

The Client IP/Src App./DB User/Server IP/Svc. Name group contains five attributes that should
1. Attributive 1 = Client IP
3. Attributive 3 = DB User
4. Attributive 4 = Server IP

In the above example, a group named -Trusted Connections has been created, and members representing three connections have been added. The percent sign (%) is used to represent a wildcard. Therefore, in the example, any session by database user hr will be ignored.

server to the client. Responses include SQL errors and result sets.

• The Log Full Details policy action is appropriate under the following circumstances
Exact timestamp is required
Values entered are of interest

With some variation, the Log Full Details actions perform the following steps:
1. Log the exact timestamp for each occurrence matching the rule criteria

When the Log Full Details action is triggered, each individual SQL request is logged in to the Full SQL entity with the exact time the command was issued and the full, unmasked SQL string. The constructs and Access Period timestamps are also still logged normally.
Because each SQL request is now going to be logged, rather than just updating the construct counter, Log Full Details rules can potentially fill the Guardium internal database very quickly.

• Quick parse
• Quick parse native
• Quick parse no fields
• Skip logging

Log Masked Details logs the full SQL timestamp but continues to mask the SQL string. This is used in instances where the exact time of the SQL request is important, but the values should not be exposed.

The Log Only rule can be thought of as Log (policy violation) Only. It is similar to an alert in that any time the rule is triggered, a policy violation is created. This is useful when you need to report on specific policy violations, but do not require an alert.

When a Quick Parse rule is triggered, WHERE clauses are not parsed for the remainder of the session. This reduces parsing time. In this mode, all objects accessed can be determined, because objects appear before the WHERE clause, but the exact object instances affected will be unknown, because that is determined by the WHERE clause.

Use Quick Parse Native only for Guardium S-TAP for DB2 on z/OS to improve performance in a

Use the Quick Parse No Fields option to prevent parsing fields in the SQL statement.

The Skip Logging option, when matched, indicates that policy violations should not be logged, and logging constructs should be stopped. This action is used to eliminate the logging of constructs for requests that are known to be of no interest. As an example, this is commonly used with temp tables (objects beginning with a pound sign (#)) in MS SQL Server. This feature also applies to exception rules concerning database error code only, allowing users to not log errors when an application generates large numbers of errors and the user can do nothing to stop the application errors.

These SQL requests or SQL errors are still sent by S-TAP and are still processed by the sniffer. Skip Logging helps with data retention and eases reporting, but does not provide the same performance benefit as Ignore S-TAP Session. It is only meant to be used when ignoring a small number of SQL requests. If you cannot use Ignore S-TAP Session but want to ignore many types of requests, for example, log DDL and DML but ignore everything else, a selective audit trail policy is more effective.

Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating and installing a policy

Perform the exercise for this lesson.

Lesson 4 Exception and extrusion rules

Some data security requirements focus on the data that is generated by an operation. Exception rules focus on errors generated by the database, such as an error caused by a database user attempting to log in with the wrong password. Extrusion rules consider the data returned by an operation and take appropriate actions. In this lesson, you learn the differences between exception

following choices
LOGIN_FAILED
SESSION_ERROR
SQL_ERROR

• LOGIN_FAILED: Failed login messages from the database server to the database client
• SESSION_ERROR: Errors related to connection information
• SQL_ERROR: Error messages returned from the database server to the database client

For example, executing a SELECT command against a table that does not exist in DB2 returns this error:

within y minutes
Example: 3 failed login attempts within 5 minutes

• DB User: . <period> Placing a period in DB User causes the system to place a counter on DB User, so that you will only receive an alert when the same user attempts to log in three times within five minutes. Otherwise, it will alert when three failed logins from any three users occur within five minutes, which could result in a great deal of false positives.
• Minimum Count: 3
• Reset Interval: 5

numbers.
3. Click Apply.

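The threshold rule above, worked through as an added example (not IBM's code): constructed LOGIN_FAILED events are run through Minimum Count = 3 within a Reset Interval of 5 minutes, once with the counter keyed on DB User and once with a single counter for every user. The appliance's exact counter mechanics are not described here, so a sliding window that clears after each alert is assumed.

```python
"""Added example (not IBM's code): failed-login threshold rule, Minimum Count = 3
within a Reset Interval of 5 minutes, run over constructed LOGIN_FAILED events.
The counter is modelled as a sliding window (an assumption) keyed either on
DB User (the '.' in the DB User field) or on nothing at all."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MINIMUM_COUNT = 3                       # Minimum Count field of the exception rule
RESET_INTERVAL = timedelta(minutes=5)   # Reset Interval field (minutes)

# Constructed LOGIN_FAILED events as (timestamp, db_user, client_ip): three different
# users fail within one minute, then alice alone fails three times within five minutes.
EVENTS = [
    ("2016-10-03T09:00:00", "alice", "10.0.0.5"),
    ("2016-10-03T09:00:30", "bob",   "10.0.0.6"),
    ("2016-10-03T09:01:00", "carol", "10.0.0.7"),
    ("2016-10-03T09:02:00", "alice", "10.0.0.5"),
    ("2016-10-03T09:04:00", "alice", "10.0.0.5"),
]


def failed_login_alerts(events, key_on_db_user=True,
                        minimum_count=MINIMUM_COUNT, reset_interval=RESET_INTERVAL):
    """Return [(HH:MM, counter_key), ...] for each point at which the rule alerts.

    One window per counter key; failures older than reset_interval fall out of the
    window before the count is compared with minimum_count, and the window is
    cleared once an alert fires so the same failures are not alerted twice.
    """
    windows = defaultdict(deque)
    alerts = []
    for stamp, db_user, _client_ip in sorted(events):
        ts = datetime.fromisoformat(stamp)
        key = db_user if key_on_db_user else "*"   # "*" = one counter for all users
        window = windows[key]
        while window and ts - window[0] > reset_interval:
            window.popleft()
        window.append(ts)
        if len(window) >= minimum_count:
            alerts.append((ts.strftime("%H:%M"), key))
            window.clear()
    return alerts


if __name__ == "__main__":
    # Keyed on DB User: only alice's three failures trigger -> [('09:04', 'alice')]
    print("per user:", failed_login_alerts(EVENTS))
    # One counter for all users: three different users trigger at 09:01 -> [('09:01', '*')]
    print("all users:", failed_login_alerts(EVENTS, key_on_db_user=False))
```

The second run is the false positive the text warns about: three unrelated users each failing once trip the rule, while the per-user counter waits for a single user to fail three times.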
Redact

For extrusion rules only, redact masks sensitive data returned to the user from the database server. This is done by changing the data pattern in the extrusion rule. Place parentheses around those elements you want masked. The next few slides provide an example of this process.

When a rule name begins with guardium://CREDIT_CARD, and a valid credit card number pattern is in the Data Pattern field, the policy uses the Luhn algorithm, in addition to standard pattern matching. The Luhn algorithm is a widely used algorithm for validating identification numbers such as credit card numbers and performs an additional check that does not replace the pattern check. A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by a blank. There is a requirement to have both the guardium://CREDIT_CARD rule name and a valid [0-9]{16} number in the Search Expression field in order to have the Luhn algorithm involved in this pattern matching.

with each set separated by a blank or a dash. The parentheses surround the portion of the string that will be masked when logged by Guardium. In this case, only the last four digits of the credit card numbers will be logged.
To receive help in building a regular expression, click the RE button, which brings up the build regular expression dialog where you can test your regular expression.
• Replacement Character: * (asterisk)
If you want to use something other than an asterisk to mask the string, enter it here.
• Action: Write to the policy violation domain
Extrusion rules can write to the policy violations domain through Alert or Log Only rules, or to the access domain through Log Full Details rules. In the example above, the rule will write to the policy violation domain, which is visible on the Incident Management tab.
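An added example (not Guardium's code) of the redaction described in the preceding slides, using Python's re module in place of the appliance's POSIX engine: a credit-card data pattern whose capturing group marks the digits to be masked, the Luhn check layered on top of the regex match the way the guardium://CREDIT_CARD rule name adds it, and the replacement character applied to a constructed result set.

```python
"""Added example, not Guardium's code: extrusion-rule redaction modelled with Python's
re module (the appliance uses a POSIX 1003.2 engine). The pattern follows the page:
16 digits, or four sets of four separated by a blank or a dash; the first capturing
group is the part that is masked, so only the last four digits survive; the Luhn check
is applied on top of the regex match, as the guardium://CREDIT_CARD rule name does."""
import re

# Group 1 = everything but the last four digits (masked); group 2 = last four (kept).
CREDIT_CARD_RE = re.compile(r"\b(\d{12}|(?:\d{4}[ -]){3})(\d{4})\b")

# Constructed result set rows as the database server would return them to the client.
SAMPLE_RESULT_SET = (
    "cust=1001 card=4111111111111111 amount=42.50\n"
    "cust=1002 card=5500-0000-0000-0004 amount=17.00\n"
    "cust=1003 card=1234567890123456 amount=9.99\n"   # matches the pattern, fails Luhn
)


def luhn_valid(number):
    """Luhn check over the digits of number (separators are ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text, replacement="*", require_luhn=True):
    """Mask group 1 of every pattern match that also passes the Luhn check.

    Returns (masked_text, number_of_redactions); a candidate that matches the
    pattern but fails Luhn is left untouched and does not count as a violation.
    """
    count = 0

    def mask(match):
        nonlocal count
        if require_luhn and not luhn_valid(match.group(0)):
            return match.group(0)
        count += 1
        # Separators inside the masked part are kept so the shape stays readable.
        masked = "".join(replacement if c.isdigit() else c for c in match.group(1))
        return masked + match.group(2)

    return CREDIT_CARD_RE.sub(mask, text), count


if __name__ == "__main__":
    out, n = redact(SAMPLE_RESULT_SET)
    print(out, end="")
    print("redacted:", n)     # 2: the Luhn-invalid row is returned unmasked
```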

of groups of characters, each group of a certain length, separated by dashes or spaces, and containing characters of a certain type, such as letters or numbers.

The IBM Guardium implementation of regular expressions conforms with POSIX 1003.2. For more detailed information, see the Open Group website: www.opengroup.org. IBM provides a set of predefined regular expressions for common types of sensitive information, such as credit cards or personal identification numbers. The regular expression builder provides access to these predefined regular expressions, as well as a tool for building and testing your own custom regular expression.

Lesson 5 Selective Audit Trail policy

In some cases, your data security requirements might focus on only a small set of commands. By setting your policy wisely, you can reduce the overhead on your network and your Guardium collectors. In this lesson, you learn about Selective Audit Trail policy best practices.

only or DML and DDL activity only
• The Selective Audit Trail policy can provide tremendous benefits both in collector performance and data retention

Sessions (logins/logouts)
SQL errors
Result sets
Sessions (logins/logouts)
– Database Server-> Database Client
Failed login messages
SQL errors
• Traffic ignored and discarded by the sniffer
– SQL Requests: In this case, the policy must contain a rule to log specific SQL requests, otherwise they will be discarded. Alternately, you can enter a regular expression in the Audit Pattern field. However, this is not commonly used.
– Result sets

(constructs with masked SQL and Access Period timestamp)
• To log the full SQL string, Log Full Details rules will work the same as in a nonselective audit trail policy and ignore session rules can be used in a selective audit to provide performance benefits

full SQL string, Log Full Details rules will work the same as in a nonselective audit trail policy. Also, ignore session rules can be used in a selective audit and still provide tremendous performance benefits.

Lesson 6 Guardium policy rule order and logic

Generally, an implementation includes multiple rules. These rules can all be in one policy or in multiple policies. In either case, you should carefully structure your rules so that they are properly applied. Incorrect rule order logic can result in unnecessarily high overhead, or even worse, a data security vulnerability. In this lesson, you learn about rule order default behavior and policy logic.

Continue to next rule
Ignore session rules
Exception versus access rules

• Multiple actions: If you require two actions for the same criteria, use multiple actions. Example: Alert Per Match AND Log Masked Details for DML on Sensitive Objects.
• Continue to Next Rule: If you have two requirements that do not have the same criteria but do have some overlap, use the Continue to next rule check box.
• Ignore session rules: In general, ignore session rules should be the first access rules. An exception to this rule of thumb is a “catch-all” rule at the end of your policy that ignores all sessions that did not match the previous rules. Also, as described on the Allow slide, sometimes you might need to temporarily prevent an ignore session rule from being fired by placing it after an Allow rule.

Note: Remember, after a session is ignored, no activity within that session will be processed.

Exception and access rules are generally mutually exclusive because they are examining different sides of the traffic flow. Usually, these rule types do not have much effect on each other.

Policy logic

In the example above, the incoming database traffic will be evaluated as follows:
1. Have there been 3 failed logins within 5 minutes from a single user? If yes, alert. If no, go to the next rule.
Because this rule is an exception rule and the remaining rules are access rules, this rule could have been placed anywhere.
2. Does the session information match the Trusted Connection group? If yes, use Ignore S-TAP Session. If no, go to the next rule.
This should be the first access rule because all of the trusted connections should be ignored. If placed lower in the rule order, some rules might fire inappropriately.
3. Is the user in the Privileged User group? If yes, use Log Full Details and Continue to next rule.
If the Continue to next rule check box is not selected, the policy stops at this rule for all privileged user activity. Therefore, in order to ensure that rule number 4 is processed for
4. Is the object in the Sensitive Objects group and is the command in the DML Commands group? If yes, log masked details and alert per match.
If the user is a privileged user, the log full details action from rule number 3 will take precedence.
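An added example, not IBM's code, that models the top-to-bottom rule walk described on the Allow slide and in the policy logic list above (and the AND-across-rows criteria from the access rules lesson): rules 2 to 4 of the policy logic, a guardium://empty Allow rule in front of them and the catch-all ignore rule from the rule order slide after them, evaluated over constructed sessions. Rule 1 is an exception rule and is left out; group members, field names and session data are constructed for the example.

```python
"""Added example, not IBM code: a model of the sniffer walking policy rules top to
bottom. It replays rules 2-4 of the Policy logic slide, with a guardium://empty Allow
rule (Allow slide) in front and a catch-all ignore-session rule (rule order slide) at
the end. Rule 1 is an exception rule and is left out. Groups and sessions are constructed."""

PRIVILEGED_USERS = {"sysdba", "dbadmin"}
SENSITIVE_OBJECTS = {"EMPLOYEES", "SALARIES"}
DML_COMMANDS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
# -Trusted Connections members: Client IP, Src App, DB User, Server IP, Svc Name (% = wildcard)
TRUSTED_CONNECTIONS = [("10.1.1.%", "backup.exe", "bkpuser", "%", "%")]
TRUSTED_FIELDS = ("client_ip", "src_app", "db_user", "server_ip", "svc_name")
EMPTY = "guardium://empty"   # special flag: matches a DB User that is still an empty string
LOG_RANK = {"construct": 0, "masked": 1, "full": 2}   # Log Full Details takes precedence


def value_matches(value, pattern):
    """Match one session attribute against a group member value."""
    if pattern == EMPTY:
        return value == ""
    if pattern.endswith("%"):
        return value.startswith(pattern[:-1])
    return value == pattern


def is_trusted(session):
    """All five attributes of one member must match (AND across the tuple)."""
    return any(all(value_matches(session[f], p) for f, p in zip(TRUSTED_FIELDS, member))
               for member in TRUSTED_CONNECTIONS)


# A rule: criteria over (session, request), actions, and the Continue to next rule box.
# List order is evaluation order.
POLICY = [
    {"name": "Allow empty user",                 # Allow slide
     "match": lambda s, r: value_matches(s["db_user"], EMPTY),
     "actions": ["ALLOW"], "continue": False},
    {"name": "Ignore trusted connections",       # rule 2
     "match": lambda s, r: is_trusted(s),
     "actions": ["IGNORE S-TAP SESSION"], "continue": False},
    {"name": "Privileged users",                 # rule 3
     "match": lambda s, r: s["db_user"] in PRIVILEGED_USERS,
     "actions": ["LOG FULL DETAILS"], "continue": True},
    {"name": "DML on sensitive objects",         # rule 4: two rows, so object AND command
     "match": lambda s, r: r["object"] in SENSITIVE_OBJECTS and r["command"] in DML_COMMANDS,
     "actions": ["LOG MASKED DETAILS", "ALERT PER MATCH"], "continue": False},
    {"name": "Ignore non-privileged",            # catch-all at the end of the policy
     "match": lambda s, r: s["db_user"] not in PRIVILEGED_USERS,
     "actions": ["IGNORE S-TAP SESSION"], "continue": False},
]


def evaluate_request(policy, session, request, state):
    """Evaluate one request; state is per session and keeps the ignore flag, because
    once a session is ignored nothing else in it is processed."""
    outcome = {"logging": "construct", "alerts": [], "matched": [], "ignored": False}
    if state.get("ignored"):
        outcome["ignored"] = True
        return outcome
    for rule in policy:
        if not rule["match"](session, request):
            continue
        outcome["matched"].append(rule["name"])
        for action in rule["actions"]:
            if action == "ALLOW":            # log normally; Continue to next rule is unavailable
                return outcome
            if action == "IGNORE S-TAP SESSION":
                state["ignored"] = outcome["ignored"] = True
                return outcome
            if action in ("LOG FULL DETAILS", "LOG MASKED DETAILS"):
                level = "full" if action == "LOG FULL DETAILS" else "masked"
                if LOG_RANK[level] > LOG_RANK[outcome["logging"]]:
                    outcome["logging"] = level
            if action.startswith("ALERT"):
                outcome["alerts"].append(rule["name"])
        if not rule["continue"]:
            break
    return outcome


def run_session(policy, steps):
    """steps: (session snapshot, request) pairs; the snapshot may change between
    requests, which is how an encrypted login resolving to a user name is modelled."""
    state = {}
    return [evaluate_request(policy, s, r, state) for s, r in steps]


def session(db_user, client_ip="10.2.2.2", src_app="sqlplus"):
    return {"db_user": db_user, "client_ip": client_ip, "src_app": src_app,
            "server_ip": "10.9.9.9", "svc_name": "ORCL"}


if __name__ == "__main__":
    # Encrypted MS SQL login: user name empty on the first request, resolved on the second.
    steps = [(session(""), {"command": "SELECT", "object": "ORDERS"}),
             (session("sysdba"), {"command": "UPDATE", "object": "SALARIES"})]
    for label, pol in (("with Allow", POLICY), ("without Allow", POLICY[1:])):
        print(label, [(o["matched"], o["logging"], o["ignored"]) for o in run_session(pol, steps)])
```

Without the Allow rule, the empty user name falls through to the catch-all ignore and the whole session, including the later privileged DML, is lost; with it, the first request is logged normally and the resolved sysdba request gets full details plus the alert from rule 4.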

Lesson 7 S-GATE

With Guardium, not only can you send events or alerts, you can also control the session itself. You can set up rules that automatically terminate sessions when Guardium detects improper data

S-GATE overview

In addition to monitoring, S-TAP can also be configured to work in firewall mode.

• Allow known application server session activity (S-TAP/open mode)
DB admin attempts access to forbidden data
Session is terminated
Session Terminated

Other actions could be taken as well. As an example, when a session is terminated due to a policy rule violation, it is important to log that incident. Data security requires not only hardening your environment to make penetration and exploitation more difficult, but also reducing the time it takes to become aware of potential security breaches. Therefore, it is generally a good idea to send an event to an external event console, or an email to a security administrator in the case of an access policy violation.

firewall_fail_close=0
firewall_default_state=0
firewall_timeout=10

the installed policy happens, 1=start in firewall mode enabled regardless of a triggering event
• firewall_timeout: Time (in seconds) to wait on a verdict from the appliance; if timed out, look at the firewall_fail_close value to know whether to block or allow the connection

If the firewall_default_state is set to 0, to put the user in firewall mode you must apply the rule

If the firewall_default_state is set to 1, all users will be attached by default. This can cause some latency, so applications should never be left in firewall mode. In this case, use S-GATE DETACH to take applications out of firewall mode.

The S-GATE terminate action blocks the SQL command from reaching the database server and

Lesson 8 Classification policy

Another important type of policy is the classification policy, which operates directly upon data, rather than on the database network and session traffic. This means that a classification policy

e
ut
ib
tr
is
D
IBM Guardium: Policy management
processes consist of classification policies that are associated with one or more datasources.
Classification processes can run once or be scheduled to run on a periodic basis.
ic
Classification policies consist of classification rules and classification rule actions designed to find
l
and tag sensitive data in specified datasources. Classification rules use regular expressions, Luhn
up
algorithms, and other criteria to define rules for matching content when applying a classification
policy. Classification rule actions specify a set of actions to take for each rule in a classification
policy. For example, an action might generate an email alert or add an object to a Guardium group.
Each time a rule is satisfied, that event is logged, and can be reported upon.
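As an added example (not Guardium's classifier), the regex-plus-Luhn matching and rule actions described above, run over a constructed sample datasource. Rule names, table and column names and the "add_to_group:" action syntax are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


def luhn_valid(candidate: str) -> bool:
    """Luhn mod-10 check, the test a classification rule can add on top of a regex match."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 2:
        return False
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


@dataclass
class Rule:
    name: str
    pattern: str                # regular expression that characterizes the sensitive data
    luhn: bool = False          # also require a valid Luhn checksum on the match
    actions: List[str] = field(default_factory=lambda: ["log"])

    def matches(self, value: str) -> bool:
        for m in re.finditer(self.pattern, value):
            if not self.luhn or luhn_valid(m.group(0)):
                return True
        return False


@dataclass
class ClassificationPolicy:
    rules: List[Rule]
    groups: Dict[str, Set[str]] = field(default_factory=dict)   # Guardium-style object groups
    events: List[dict] = field(default_factory=list)            # one logged event per rule hit

    def run(self, datasource: str, tables: Dict[str, Dict[str, List[str]]]) -> List[dict]:
        """Scan every column of every table; fire the rule's actions once per matching column."""
        for table, columns in tables.items():
            for column, values in columns.items():
                for rule in self.rules:
                    if any(rule.matches(v) for v in values):
                        self._fire(rule, f"{datasource}.{table}.{column}")
        return self.events

    def _fire(self, rule: Rule, obj: str) -> None:
        for action in rule.actions:
            if action == "log":
                self.events.append({"rule": rule.name, "object": obj})
            elif action.startswith("add_to_group:"):
                group = action.split(":", 1)[1]
                self.groups.setdefault(group, set()).add(obj)
            elif action == "email_alert":
                # Stand-in for mailing the security administrator; recorded as an event here
                self.events.append({"rule": rule.name, "object": obj, "alert": "email"})


# Constructed sample datasource. 5500000000000004 passes Luhn; 4111111111111112 and
# 1234567890123456 are 16 digits long but fail the checksum.
SAMPLE_TABLES = {
    "ORDERS": {
        "CARD_NO": ["4111111111111112", "5500000000000004"],
        "REFERENCE": ["4111111111111112", "1234567890123456"],
        "CONTACT": ["alice@example.com", "n/a"],
    },
    "INVENTORY": {
        "SKU": ["A-1001", "B-2002"],
    },
}

CARD_RULE = Rule("Credit card (regex + Luhn)", r"\b\d{16}\b", luhn=True,
                 actions=["log", "add_to_group:Sensitive Objects"])
REGEX_ONLY_RULE = Rule("16 digits (regex only)", r"\b\d{16}\b")
EMAIL_RULE = Rule("Email address", r"[\w.+-]+@[\w-]+\.[\w.]+", actions=["log", "email_alert"])


def classify_sample() -> ClassificationPolicy:
    """Apply the three rules to the sample datasource and return the populated policy."""
    policy = ClassificationPolicy([CARD_RULE, REGEX_ONLY_RULE, EMAIL_RULE])
    policy.run("SALESDB", SAMPLE_TABLES)
    return policy
```

Comparing the two 16-digit rules shows the point of the Luhn option: the regex-only rule tags REFERENCE as well, the checksum-qualified rule tags only CARD_NO.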
• Catalog search: Classifies data based on characteristics of the table and column name
• Search for data: Classifies data based on format of data, as well as table and column name
• Search for unstructured data: Classifies data based on format of data
You can specify one or more actions to take when the classification policy rule is triggered by a
match.
• Process description
• Configuration policy
• One or more datasources
Exercise introduction
Complete the following exercise in the Course Exercises book
• Modifying a policy
Perform the exercise for this lesson.
Unit summary
• Describe how IBM Guardium logs traffic and the concept of a construct
• Create and install a policy or set of policies to meet business requirements
• Add access rules to a policy
• Use exception and extrusion rules to evaluate data
• Install and manage the Selective Audit Trail policy
• Describe the correct order of execution for policy rules
• Describe how to control a session
• Use policies to classify sensitive data
IBM Guardium: Auditing, vulnerability assessment, and discovery
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Guardium includes several tools you can use to perform data security tasks such as auditing,
discovering vulnerabilities, and discovering databases. In this unit, you learn how to use the built-in
tools in Guardium, including the configuration auditing system (CAS), Vulnerability Assessment
application, and Database Discovery to manage the systems, applications, and databases that are
included in your business environment.
Unit objectives
• List the major components of the Guardium configuration auditing system (CAS)
• Perform a vulnerability assessment
• Describe why Database Discovery is needed
Lesson 1 Using the configuration auditing system (CAS)
The configuration auditing system (CAS) tracks changes to your server environment. In this lesson,
you learn how to use the CAS agent, including CAS templates, hosts, reporting, and status.
• Checks the following types of items
– Database configurations
– File permissions
– Directory existence
• Uses CAS Agent running on database server
components. Such components might include executables or scripts used by the database
management system or the operating system. CAS tracks such changes and reports on them. The
data is available on the Guardium appliance and can be used for reports and alerts.
CAS agent
• Installed on database server
• Runs independently from S-TAP
– Shares configuration information with S-TAP
• Has auditing functions that are configured through the Guardium portal
CAS uses an agent that is installed on the database server and reports to the Guardium appliance
when a monitored entity is changed, either in content, ownership, or permissions. You install a CAS
client on the database server system, using the same utility that is used to install S-TAP. CAS
shares configuration information with S-TAP, although each component runs independently of the
other. After the CAS client has been installed on the host, you configure the actual change audit
functions from the Guardium portal.
CAS templates
• Define items to monitor
• Can be operating system only or database templates
• Can use existing preconfigured default templates
• Can create custom templates
A CAS template set contains a list of item templates that share a common purpose such as
monitoring a particular type of database (Oracle on Unix, for example), and is one of two types:
A database template set is always specific to both the database type and the operating system type.
For each operating system and database type supported, Guardium provides a preconfigured,
default template set for monitoring a variety of databases on either Unix or Windows platforms. A
default template set is one that will be used as a starting point for any new template set defined for
that template-set type. A template-set type is either an operating system alone (Unix or Windows),
or a database management system (DB2, Informix, Oracle), which is always qualified by an
operating system type, for example, UNIX-Oracle, or Windows-Oracle. Many of the preconfigured,
default template sets are used within the Guardium Vulnerability Assessments where, for example,
known parameters, file locations, and file permissions can be checked.
You cannot modify a Guardium default template set, but you can clone it and modify the cloned
version. Each of the Guardium default template sets defines a set of items to be monitored. Make
sure that you understand the function and use of each of the items monitored by that default
template set and use the ones that are relevant to your environment. After defining a template set
of your own, you can designate that template set as the default template set for that template-set
type. After that, any new template sets defined for that operating system and database type will be
defined using your new default template set as a starting point. The Guardium default template set
for that type will not be removed. It will remain defined, but will not be marked as the default.
– Environment or registry variable
– Output of a script
– List of users
• Entity definition
• How often to monitor
• How to detect changes
templates for each OS and each database type, optionally modifying the template to meet specific
database monitoring requirements.
A template item is a specific file or file pattern, an environment or registry variable, the output of an
OS or SQL script, or the list of logged-in users. The state of any of these items is reflected by raw
data, that is, the contents of a file or the value of a registry variable. CAS detects changes by
checking the size of the raw data or computing a checksum of the raw data. For files, CAS can also
check for system-level changes such as ownership, access permission, and path for a file.
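The change-detection approach described above (size or checksum of the raw data, plus ownership and permissions for files), as an added Python example that is not the CAS agent itself. The file names, the environment variable and the simulated changes are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ItemState:
    """Snapshot of one monitored item: raw-data fingerprint plus system-level metadata."""
    exists: bool
    size: Optional[int] = None
    checksum: Optional[str] = None   # SHA-256 of the raw data
    owner: Optional[int] = None      # numeric owner id (files only)
    mode: Optional[str] = None       # permission string such as -r-xr-x--- (files only)


def snapshot_file(path: str) -> ItemState:
    """Fingerprint a file template item: content checksum, size, owner and permissions."""
    if not os.path.exists(path):
        return ItemState(exists=False)
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return ItemState(True, st.st_size, digest, st.st_uid, stat.filemode(st.st_mode))


def snapshot_variable(name: str) -> ItemState:
    """Fingerprint an environment-variable template item (the raw data is its value)."""
    value = os.environ.get(name)
    if value is None:
        return ItemState(exists=False)
    raw = value.encode()
    return ItemState(True, len(raw), hashlib.sha256(raw).hexdigest())


def diff_states(before: ItemState, after: ItemState) -> List[str]:
    """Name each kind of change a CAS-style check would report for the item."""
    if before.exists != after.exists:
        return ["created" if after.exists else "deleted"]
    changes = []
    if before.checksum != after.checksum:
        changes.append("content")          # checksum catches same-size edits
    elif before.size != after.size:
        changes.append("size")
    if before.owner != after.owner:
        changes.append("ownership")
    if before.mode != after.mode:
        changes.append("permissions")
    return changes


def run_demo() -> Dict[str, List[str]]:
    """Constructed demo: baseline three items, alter them, report what changed."""
    workdir = tempfile.mkdtemp(prefix="cas_demo_")
    cfg = os.path.join(workdir, "listener.ora")   # stands in for a DB configuration file
    script = os.path.join(workdir, "backup.sh")    # stands in for a script the DBMS runs
    with open(cfg, "w") as fh:
        fh.write("PORT=1521\n")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(script, 0o550)
    os.environ["CAS_DEMO_HOME"] = "/opt/db"

    def snapshot_all() -> Dict[str, ItemState]:
        return {
            "file:listener.ora": snapshot_file(cfg),
            "file:backup.sh": snapshot_file(script),
            "env:CAS_DEMO_HOME": snapshot_variable("CAS_DEMO_HOME"),
        }

    baseline = snapshot_all()

    # Simulated changes between two CAS polling intervals
    with open(cfg, "w") as fh:
        fh.write("PORT=1522\n")              # same size, different content
    os.chmod(script, 0o777)                  # script made world-writable
    os.environ["CAS_DEMO_HOME"] = "/tmp/db"  # variable value changed

    current = snapshot_all()
    return {item: diff_states(baseline[item], current[item]) for item in baseline}
```

The listener.ora edit keeps the byte count identical, which is why the checksum rather than the size is what reports it.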
In a federated environment, where all units, both collectors and aggregators, are managed by one
manager, all templates are shared by both collectors and aggregators and CAS data can be used in
reporting or vulnerability assessments. Sometimes the host where archived data is restored is not
part of the same management cluster. When that happens, the templates are not shared and
therefore CAS data cannot be used by vulnerability assessments even when the data is present. To
remedy this type of situation, use export/import of definitions to copy the templates to the restore
target.
A monitored entity is the actual entity being monitored. It can be defined any of these ways:
• A file or file pattern
• Value of an environment variable or windows registry
• Output of an OS command or script or SQL statement
CAS instances.
Each CAS instance specifies a CAS template set and a datasource. A datasource defines any
parameters needed to connect to the database. For each database server where CAS is installed,
there is a single CAS host configuration, which typically contains multiple CAS instances. As an
example, there might be one CAS instance to monitor operating system items and additional CAS
instances to monitor individual database instances.
You can find the CAS status window at Harden > Reports > CAS Status.
For each database server where CAS is installed and running, and where this Guardium appliance
is configured as the active Guardium host, this panel displays the CAS status. The panel also
displays the status of each CAS instance configured for that database server.
Exercise introduction
Complete the following exercise in the Course Exercises book
• Configuring CAS
Perform the exercise for this lesson.
Lesson 2 Performing vulnerability assessment
You can use the Guardium Vulnerability Assessment application to evaluate the health of your
database environment. In this lesson, you learn how to use Security Assessment Builder to create
configurations that determine what to test and what datasources are used to perform the tests. You
also learn how vulnerability assessment tests are integrated with CAS.
Vulnerability Assessments
• Testing process
– Runs a series of tests
– Gives you a rating of the percentage of tests that were passed
• Essential security testing methods
– Agent-based
– Passive
– Scanning
The Guardium Vulnerability Assessment application enables organizations to identify and address
database vulnerabilities in a consistent and automated fashion. The assessment process in
Guardium evaluates the health of your database environment and recommends improvement using
these methods:
• Assessing system configuration against best practices and finding vulnerabilities or potential
threats to database resources, including configuration and behavioral risks. Some examples
include identifying all default accounts that haven’t been disabled, and checking public
privileges and authentication methods chosen.
• Finding any inherent vulnerabilities present in the IT environment, such as missing security
patches.
• Recommending and prioritizing an action plan based on discovered areas of most critical risks
and vulnerabilities.
The Guardium vulnerability assessment combines three essential testing methods to guarantee full
depth and breadth of coverage. It leverages multiple sources of information to compile a full picture
of the security health of the database and data environment.
1. Agent-based: Use software installed on each endpoint, such as a database server. The agent
can determine aspects of the endpoint that cannot be determined remotely, such as
administrator’s access to sensitive data directly from the database console.
2. Passive detection: Discover vulnerabilities by observing network traffic.
3. Scanning: Interrogate an endpoint over the network through credentialed access. The
credentials are defined by a Guardium resource called a datasource.
The Guardium Vulnerability Assessment application requires access to the databases it evaluates.
To do this, Guardium provides a set of SQL scripts (one script for each database type) that creates
users and roles in the database to be used by Guardium.
– Privileges, authentication, database and system level parameters, patch and versions
• Query based
– Missing patches, weak passwords, misconfigured privileges, and so on
• CAS based
– Configuration database- and system-level parameters
• CVE tests
• APAR tests
• Rated by Severity
• Predefined Assessment Tests: Predefined tests illustrate common vulnerability issues that
or situations, some of these tests might be suitable for certain databases but totally
inappropriate for others, even within the same company. Most of the predefined tests can be
customized to meet the requirements of your organization. Additionally, to keep your
assessments current with industry best practices and protect against newly discovered
vulnerabilities, Guardium distributes new assessment tests and updates on a quarterly basis as
part of its Database Protection Subscription Service. The following predefined tests are
included:
– Behavioral Tests: This set of tests assesses the security health of the database environment
these examples:
After hours logins
Excessive administrator logins
Checks for calls to extended stored procedures
Checks that user IDs are not accessed from multiple IP addresses
– Configuration Vulnerability Tests: This set of assessments checks the security-related
configuration settings of target databases, looking for common mistakes or flaws in
configuration that create vulnerabilities. The current categories for configuration vulnerabilities,
with some high-level tests, are shown in the following list:
Privilege - Object creation / usage rights, Privilege grants to DBA and individual users, System level rights
Authentication - User account usage, Remote login usage, Password regulations
Configuration - Database-specific and system-level parameter settings
Version - Database versions, Database patch levels
Object - Installed sample databases, Recommended database layouts, Database ownership
• Query Based Tests: Query-based tests are user-defined tests that can be quickly and easily
created by defining or modifying an SQL query, which will be run against a database datasource
and results compared to a predefined test value. This allows the user to define custom tests to
check items such as database internals, structures, parameters, or application data.
• CAS-based tests: These tests work with data returned by the CAS agent. CAS-based tests are
listed in italics in the security assessment test selection window. These tests are discussed in
• CVE Tests: Guardium constantly monitors the common vulnerabilities and exposures (CVE)
from the MITRE Corporation and adds these tests for the relevant database-related
vulnerabilities.
• APAR Tests: An Authorized Program Analysis Report, or APAR, is a formal report from IBM
development to customers that have notified IBM of a problem or suspected defect. Guardium
can test against these APARs and add the tests for the relevant database-related
vulnerabilities.
When the tests have completed, Guardium presents an overall report card along with details about
each result, including recommendations for resolving any issues.
• These tests can be seen through the CAS Template Set Definition panel and have the word Assessment in their name
Users can specify the template item and test against the content of the CAS results.
Guardium also comes preconfigured with some CAS template items of type OS Script that can be
used for creating a CAS-based test. These tests can be seen through the CAS Template Set
Definition panel. Additionally, any template that is added that involves file permissions will also be
used for permission and ownership checking.
Whether using a Guardium preconfigured test or defining your own, once defined, these tests will
appear for selection during the creation or modification of CAS-based tests.
Exercise introduction
Complete the following exercise in the Course Exercises book
• Running a Vulnerability Assessment
Perform the exercise for this lesson.
Lesson 3 Using database discovery
You can use scan jobs and probe jobs to automatically discover and report on the databases in
your environment. In this lesson, you learn about configuring the Auto-discovery Process Builder to
Database discovery
• The Guardium autodiscovery application can be configured to probe the network, searching for and reporting on all databases discovered
• After an autodiscovery process is defined, it can be run on demand or scheduled to be run on a periodic basis
• Two job types can be scheduled for each process
– Scan job: scans each specified host or hosts in a specified subnet; compiles a list of open ports from the list of ports specified for that host
– Probe job: uses the list of open ports compiled during the latest completed scan only; determines if database services are running on those ports; view job results on the predefined Databases Discovered report
Note: A scan job must be run before running the second type of job
Sometimes a new database is introduced into a production environment outside the normal control
mechanisms. For example, the new database might be part of an application package from a
software vendor. In older installations, some databases might have been left unmonitored and
“forgotten,” because the data was not seen as a risk when the database was implemented. Another
example is that a rogue DBA might create a new instance of the database to avoid being
monitored.
The two jobs can be scheduled individually, or the autodiscovery process can be defined to run the
probe job as soon as the scan job completes. Because the processes of scanning and probing
ports can take time, the progress of an autodiscovery process can be displayed at any time by
clicking the Progress/Summary button.
After the jobs have been completed, the results can be viewed using predefined reports.
where all of their sensitive data resides. Database Discovery probes a network to identify servers
running database services. Data Classification scans databases to find and classify any objects or
With the auto-discovery process builder, you specify which hosts and ports to scan. Scanning is a
two-step process. In the first step, Guardium scans the specified port range on the hosts. The
second step probes the ports discovered in the first step to determine if database services are
The scan can be run once or scheduled. You can monitor the process. After the process has
Unit summary
• List the major components of the Guardium configuration auditing system (CAS)
• Perform a vulnerability assessment
• Describe why Database Discovery is needed
IBM Guardium: Custom queries and reports
The ability to generate reports that reflect the data collected in Guardium is necessary to examine
trends and gather data for management. Guardium receives and processes a great deal of data.
Policies specify which data the collector receives from endpoints. Queries specify which data is
displayed. Reports specify how and where the data is displayed. In this unit, you learn how to
create these queries and reports.
Unit objectives
• Use domains, entities, and attributes to create queries
• Create, display, and share reports
security environment.
IBM Guardium provides sophisticated reporting tools that include these examples:
• Over six hundred predefined reports
• Query and report building tools to create and customize reports to meet unique company
requirements
Predefined reports
• 600 predefined Guardium reports are available
• Clone and customize predefined reports to meet your business requirements
Over 600 predefined reports are already available from the Guardium application. These
predefined reports can be cloned and customized to the needs of the user.
Using the Guardium predefined reports is a best practice recommendation, enabling organizations
to quickly and easily identify security risks, such as inappropriately exposed objects, users with
excessive rights, and unauthorized administrative actions. The following list shows some examples
Query Builder
• Before creating a report, build a query that retrieves the report data from the Guardium database
• Query Builder defines fields to display in a report and any conditions used to select the data
Before you create a report, you must build the query that retrieves the data to be displayed by the
report. The data is retrieved from the Guardium database. The query defines the fields that will be
displayed in the report and the conditions that will be used to select the data.
As an example, you might want to have a report that lists sessions by trusted users. You would
want to display the name of the user in the fields, as well as the IP addresses of the client and
server. You are also interested in setting up the criteria for selecting which records are displayed.
Specifically, you want the query to retrieve only the records for trusted users.
Your first decision when building a query is to determine which domain to use.
Domain
A domain is a view of the data
• Standard domains, for example
– Access (all monitored SQL requests)
– Exceptions (from database servers or appliance components)
– Alerts and policy violations
• Administrator domains, for example
– Aggregation/archive (examples are archive, backup, restore)
– Logins and activity
• Optional product domains, for example
– Classifier results
– CAS changes (database server configuration file changes, for example)
A domain provides a view of the stored data and has the following characteristics:
• Each domain contains a set of data related to a specific purpose or function, including the
following examples:
– Data access
– Exceptions
– Policy violations
• Each domain contains one or more entities. An entity is a set of related attributes. An attribute
specifies which fields will be included in the report, and also sets conditions for which data will
be returned.
• A query returns data from one domain only. When the query is defined, one entity within that
domain is designated as the main entity of the query. Each row of data returned by a query
contains a count of occurrences of the main entity matching the values returned for the selected
attributes, for the requested time period. This allows for the creation of two-dimensional reports
from entities that do not have a one-to-one relationship.
Alternatively, choose to search for an existing query by using the Search icon. An existing custom
query can be modified directly or cloned and saved as a new query. Existing built-in queries cannot
be modified directly. To change a built-in query, you must clone it.
To create a query, type a Query Name and select the Main Entity.
Note: Use a naming convention to differentiate custom queries from the built-in Guardium queries
2. Choose a main entity, which will be explained in the next few pages.
Note: You should use a naming convention to differentiate your custom queries from the built-in
queries. Conventionally, you do this by prefixing the name with a dash (-). Using this type of
prefix also causes the query to appear at the top of the list.
Entity overview
• Domains contain one or more entities
• Entity: Set of related attributes
• Attribute: Field value
Diagram: Session entity attributes, SQL entity attributes, Command entity attributes, and Client/Server entity attributes
Each domain contains one or more entities. An entity is a set of related attributes. An attribute is
basically a field value.
Below are the entities within the Access domain. The Access domain is where all SQL requests
are logged.
Access entity: Definition
Client/Server: Client and database server connection info (for example, IPs and operating systems)
Object: SQL object
Join: Used to join tables in a SELECT SQL statement
Field SQL Value: Field value logged separately for faster search
Object/Field: Field detected in object
Field: Field
Qualified Object: The fields Server IP, Service name, DB name, DB user, and Object are combined
Diagram: network connections, sessions, SQL commands, and SQL command components
Entity hierarchy
Level: Entity: Description
1: Client/Server: Each client/server connection has one or more sessions
1: Session: Each session has one or more requests
2: Application Events: Each request has some combination of this entity
3: Full SQL Values, Full SQL, SQL Access Period: Each request has some combination of these entities
4: Command: Each request can contain commands
5: Object: Each command can contain objects
6: Object-Command, Field, Field SQL Value, Object-Field: Each object can contain these entities
The data within the Guardium database is logged in a hierarchical manner. Entities higher in the
entity structure can contain multiple instances of entities lower in the hierarchy. These examples
This is important because when creating a query, you must choose one entity as the main entity
and what you choose as the main entity affects how the data is presented.
represents a unique instance of the main entity, and a count of occurrences for that instance.
The location of the main entity within the hierarchy of entities is important in terms of what
values can be displayed. The attributes for any entities below the main entity can be counted,
but not displayed, because there might be many occurrences for each row.
• The total count, which is added as the last column of the report and is a count of instances of
the main entity included on that row of the report.
• The time fields against which the Period From and Period To run-time parameters are
compared to select the rows of the report. When defining a query in the query builder, the
system uses the main entity among other parameters to determine which time fields are to be
used when defining the Period From and Period To of the report or alert using this query.
When applicable, the Period Start/Period End from the Access Period entity is usually used,
but in other cases it will choose period values according to the main entity.
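An added Python model (not Guardium's query builder) of the main-entity rule from the entity hierarchy and domain passages above: attributes at or above the main entity can be displayed, attributes from lower entities can only be counted, and every result row carries a count of main-entity instances. The entities, attribute names and logged rows are a constructed subset of the Access domain.

```python
from typing import Dict, List, Tuple

# Entity hierarchy from the course text, highest level first (Application Events,
# Full SQL and the entities below Object are left out of this constructed subset).
HIERARCHY = ["Client/Server", "Session", "Command", "Object"]

# The attribute that identifies one instance of each entity (constructed names).
INSTANCE_KEY = {
    "Client/Server": "Client/Server.Client IP",
    "Session": "Session.Id",
    "Command": "Command.Id",
    "Object": "Object.Id",
}


def make_row(ip, user, sid, cid, verb, oid, obj) -> Dict[str, object]:
    """One logged Object occurrence with the attributes of every ancestor entity."""
    return {"Client/Server.Client IP": ip, "Session.DB User": user, "Session.Id": sid,
            "Command.Id": cid, "Command.Verb": verb, "Object.Id": oid, "Object.Name": obj}


# Constructed Access-domain data: joe has two sessions, app has one.
ROWS = [
    make_row("10.0.0.5", "joe", 1, 11, "SELECT", 111, "CUSTOMERS"),
    make_row("10.0.0.5", "joe", 1, 11, "SELECT", 112, "ORDERS"),   # one SELECT, two objects
    make_row("10.0.0.5", "joe", 2, 21, "UPDATE", 211, "ORDERS"),
    make_row("10.0.0.9", "app", 3, 31, "SELECT", 311, "CUSTOMERS"),
    make_row("10.0.0.9", "app", 3, 32, "SELECT", 321, "PRODUCTS"),
]


def entity_of(attribute: str) -> str:
    return attribute.split(".", 1)[0]


def run_query(main_entity: str, fields: List[Tuple[str, str]],
              rows: List[Dict[str, object]] = ROWS) -> List[Dict[str, object]]:
    """Group the rows like the query builder: one output row per distinct combination of
    'value' fields, a distinct count for each 'count' field, and a Total of main-entity
    instances. A 'value' field from an entity below the main entity is rejected."""
    main_level = HIERARCHY.index(main_entity)
    for attribute, mode in fields:
        if mode == "value" and HIERARCHY.index(entity_of(attribute)) > main_level:
            raise ValueError(f"{attribute} lies below main entity {main_entity}; "
                             "it can be counted but not displayed")
    value_attrs = [a for a, m in fields if m == "value"]
    count_attrs = [a for a, m in fields if m == "count"]

    groups: Dict[tuple, Dict[str, set]] = {}
    for row in rows:
        key = tuple(row[a] for a in value_attrs)
        bucket = groups.setdefault(key, {a: set() for a in ["__main__", *count_attrs]})
        bucket["__main__"].add(row[INSTANCE_KEY[main_entity]])
        for a in count_attrs:
            bucket[a].add(row[a])

    report = []
    for key, bucket in groups.items():
        out: Dict[str, object] = dict(zip(value_attrs, key))
        for a in count_attrs:
            out[f"Count of {a}"] = len(bucket[a])
        out["Total"] = len(bucket["__main__"])   # the count column appended to each row
        report.append(out)
    return report


def sessions_per_user() -> Dict[str, Dict[str, object]]:
    """Main entity Session: DB User is displayed, objects touched are only counted."""
    rows = run_query("Session", [("Session.DB User", "value"), ("Object.Name", "count")])
    return {str(r["Session.DB User"]): r for r in rows}


def objects_report() -> Dict[str, int]:
    """Main entity Object: Object.Name can now be displayed; Total counts object instances."""
    rows = run_query("Object", [("Object.Name", "value")])
    return {str(r["Object.Name"]): int(r["Total"]) for r in rows}


def object_name_as_value_under_session() -> str:
    """Shows why the main entity must be chosen wisely: Object sits below Session."""
    try:
        run_query("Session", [("Object.Name", "value")])
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"
```

Switching the main entity from Session to Object changes what the same rows report: two rows per user with session totals, or one row per object name with object totals.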
2. Select a domain.
5. Click Next.
1. Entity List allows you to select attributes to add to the query, either as fields in the report or
query conditions.
2. Query Fields are the fields that will appear in the report. This section defines these elements:
– The order in which the attributes appear
3. Query Conditions define which data is to be selected. It uses entities, linked by AND or OR, to
define the WHERE clause of the query. Parentheses and HAVING provide options for building
more complex statements.
• Drag the field to Query Fields or Query Conditions and drop it
2. Drag-and-drop method:
b. Drag the field to the query fields list and release it.
Regardless of the method used, the field is added to the end of the list.
1. Mark the check box in the left-most column for the field.
2. Use the arrow icons to move the field to the desired location.
• Field Mode: Indicates what to print for the field, such as its value, or the count (count is a count
of distinct values), Min, Max, Average (AVG) or Sum for the row. The value option is not
available for attributes from entities lower than the main entity in the entity hierarchy for the
domain. This is one reason you must choose the main entity wisely.
• Order-by: Select the corresponding check box to sort by a specific field. By default, query data
is sorted in ascending order by attribute value, with the sort keys ordered as the attributes
appear in the query. If aliases are being used, they are ignored for sorting purposes; the actual
data values are always used for sorting. Some attributes have values that are computed by the
query, such as count, minimum, maximum, and average. These attributes cannot be sorted.
• Sort Rank: When the order-by box is selected, enter a number here to indicate the rank by
which the field will be sorted, relative to the other sorted fields.
• Descend: Optional. Controls whether the field sorts in ascending or descending order.
• Add Count: Adds a count of distinct instances as the last column of the report.
• Add Distinct: Adds or drops the ability to display one-row-per-value in the report.
• Reports can be added to special dashboard My Custom Reports
• Regenerate the report after changing a query
You can also use the query builder to clone an existing report. This is useful if you want a new
report that is slightly different from an existing custom report, or if you want to use a pre-existing
report as a guideline for a new report.
You can add a report to a special dashboard called My Custom Reports. You can also create a
dashboard to group reports.
D
After creating a report, if you change the query, you have to regenerate the report.
ot
N
o
D
Uempty
e
ut
ib
tr
is
D
IBM Guardium: Custom queries and reports
After creating the dashboard, you can access it through the GUI. You can also make a given report the home page for your portal, so that when you log in, it is the first thing you see.
• Email a report
• Open report in new window
• Configure report
• Configure report columns
• Edit runtime parameters
• Edit query: Opens the query builder for the query associated with the report.
• Data mart builder: A data mart is a subset of a data warehouse. A data warehouse aggregates and organizes the data in a generic fashion that can be used later for analysis and reports. This icon allows you to specify the parameters for a data mart.
• Configure report: Allows you to configure the look and feel of the report.
• Configure report columns: Selects which columns to display. This does not change the underlying query, nor the underlying report. It just allows you to hide one or more columns.
• Edit runtime parameters: Allows you to edit report configurations that are displayed at runtime.
Enter Period From
Enter Period To
Remote Data Source
Refresh Rate
A runtime parameter provides a value to be used in a query condition. There is a default set of runtime parameters for all queries, and any number of custom runtime parameters can be defined in the query used by the report. Custom runtime parameters are covered later in this unit.
unit by selecting that Guardium appliance from the Remote Data Source list.
• Refresh Rate: The number of seconds after which the data is to be refreshed. Zero means that
Report customization
Use the Configure report icon to modify the report look and feel
© Copyright IBM Corporation 2016
You can customize the look and feel of the report by clicking the Configure report icon. A series of four windows is displayed:
1. Report Columns: Allows you to change the name of the report and the column descriptions
2. Report Attributes: Allows you to choose whether to use a tabular or chart view of the data. Some types of data make better sense when presented as a chart. As an example, a report that provides a count of sessions by source program might be better presented as a chart. If the chart option is chosen, an additional window that allows you to choose the type of chart is displayed.
add green, yellow, and red colors when the session count falls within certain parameters.
4. Submit Report: Allows you to add comments, assign roles, change the title, and save
Customizing charts
If the report is presented in chart form, you can use the Customize Chart window to change the look of the chart, including the labels, type, style, and color scheme.
Exporting a report
• Multiple formats exist for exporting and printing reports
• Save the results or select an application to view them in
You can export or print report data in a number of different formats, including an HTML file, a portable document format (PDF) file, or a file of comma-separated values (CSV).
If the report has a lot of data to export, it will generate a large PDF file, which can cause the UI to time out. If you plan to generate large PDF files, consider doing so as part of an audit process, or increasing the UI timeout value to avoid this problem.
You can also export the contents of a report to a CSV file. You can export either all the records in the report (the entire report) or only the display records (the data currently displayed).
In the report toolbar, click Export > Download all records or Export > Download display records. You can save the results or select an application to view them in.
If you edit a report and remove a column, the report still shows the original columns when it is exported as a PDF file.
Query conditions
• Use query conditions to narrow the scope of the query
• One or more entity attributes can be used to filter which results are returned
Besides specifying which entity attributes will be considered, a set of parameters must be specified to define the bounds that the attribute must fall between. As an example, if filtering on DB User Name, you might want to retrieve only those records that correspond to a set of database users that are specified by a Guardium group, such as Privileged Users.
The following table shows the definitions of the available query conditions.
• =: Equal to
• >: Greater than
selected
• CLASSIFIED AS: Member of a group belonging to the classification selected from the drop-down list to the right, which appears when a group operator is selected
• IN DYNAMIC GROUP: Member of a group that will be selected from the drop-down list in the runtime parameter column to the right, which appears when a group operator is selected
• IN DYNAMIC ALIASES GROUP: Works on a group of the same type as IN DYNAMIC GROUP, but assumes that the members of that group are aliases
• IN GROUP: Member of the group selected from the drop-down list in the runtime parameter column to the right, which appears when a group operator is selected. Cannot be used with IN ALIASES GROUP
• IN ALIASES GROUP: Works on a group of the same type as IN GROUP, but assumes that the members of that group are aliases. Note that the IN GROUP and IN ALIASES GROUP operators expect the group to contain actual values or aliases respectively. An alias provides a synonym that substitutes for a stored value of a specific attribute type. It is commonly used to display a meaningful or user-friendly name for a data value. For example, Financial Server
all or part of the value. Alphabetic characters are not case sensitive. For example, %tea% would match tea, TeA, tEam, and steam. If no percent
operation (=).
• LIKE GROUP: Matches any member of a group that can contain wildcard member names
• NOT IN DYNAMIC GROUP: Not equal to any member of a group; selected from the drop-down list in the runtime parameter column to the right, which appears when a
ALIASES GROUP assumes that the members of that group are aliases
• NOT IN GROUP: Not equal to any member of the specified group; selected from the drop-down list in the runtime parameter column to the right, which appears when a group operator is selected
• NOT IN ALIASES GROUP: Works on a group of the same type as NOT IN GROUP, but assumes that the members of that group are aliases
• NOT IN PERIOD: For a timestamp only, not within the selected time period
• NOT LIKE: Not like the specified value (see the description of LIKE, above)
• NOT REGEXP: Not matched by the specified regular expression
• REGEXP: Matched by the specified regular expression, conforming with the POSIX 1003.2 specification
the query
count of attribute Client IP is greater than 1 are selected
Parenthesis
To create complex queries, use the parenthesis buttons
The parenthesis buttons provide the ability to add parentheses to the query, allowing for complex queries. In the above example, the query selects one of the following types of records:
• The object name contains the letters cc AND the SQL verb is select AND the DB user name is
Commands group.
• Choose a parameter in the Runtime Parameter column to create a parameter based on a single value
single value. Generally, you should use LIKE as your operator when creating runtime parameters. Instead of entering a value in the query field, you will be entering the name of the parameter. In the
To create a runtime parameter based on group membership, choose IN DYNAMIC GROUP as the operator and enter the name of the parameter. In this example, Command is the name of the parameter.
modification language (DML) commands group
wildcard (%) to return all data. For dynamic groups, you must choose a value from the pull-down list.
In the example above, %s% matches any DB user name that has an s or S in it. The dynamic group
Drill-down reports
Adding runtime parameters to reports also makes them available as drill-down reports
The example above shows runtime parameters for a database user name and client IP. Therefore, any report containing these two fields will have this report available as a drill-down report, as shown
• Double-click a report row to invoke a drill-down report
• When you drill down, Guardium feeds data from the selected row to the runtime parameters and displays the result
invoked by double-clicking a row on a report. When you choose a drill-down, it feeds data from the row that you click to the runtime parameters and displays the result.
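The query conditions table, the parenthesis buttons, the runtime parameter notes and the drill-down behaviour described above can be exercised together in one small evaluator. This is an added example, not Guardium code: the group names, alias table, sample rows and the parameter names User and ClientIP are constructed, and the operators are modelled from the table's definitions rather than taken from the appliance.

```python
"""Constructed evaluator for Guardium-style query conditions (added example,
not Guardium code). It models LIKE / NOT LIKE (% wildcard, letters not case
sensitive, no % means plain equality), IN GROUP / NOT IN GROUP, IN DYNAMIC
GROUP, IN ALIASES GROUP, REGEXP / NOT REGEXP, AND/OR nesting in place of the
parenthesis buttons, and runtime parameters filled from a drill-down row."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Sequence, Union

# Constructed Guardium-style groups (group name -> member values).
GROUPS: Dict[str, set] = {
    "Privileged Users": {"SYS", "SYSTEM", "DBADMIN"},
    "DML Commands": {"INSERT", "UPDATE", "DELETE", "MERGE"},
    "Financial Servers": {"Financial Server"},   # members are aliases
}
# Constructed alias table: stored value -> user-friendly synonym.
ALIASES: Dict[str, str] = {"10.10.9.56": "Financial Server"}


def like(value: str, pattern: str) -> bool:
    """Guardium LIKE as described in the table: % matches any run of
    characters, alphabetic characters are not case sensitive, and a pattern
    without % is treated as an equality test (assumption of this example)."""
    if "%" not in pattern:
        return value.lower() == pattern.lower()
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


@dataclass
class Condition:
    attr: str                  # entity attribute, e.g. "DB User Name"
    op: str                    # operator from the query conditions table
    operand: str = ""          # literal value, pattern or group name
    runtime_param: Optional[str] = None   # name in the Runtime Parameter column

    def matches(self, row: Dict[str, Any], rt: Dict[str, str]) -> bool:
        value = str(row.get(self.attr, ""))
        # A runtime parameter replaces the query-field value at run time.
        operand = rt[self.runtime_param] if self.runtime_param else self.operand
        op = self.op.upper()
        if op == "=":
            return value == operand
        if op == ">":
            return float(value) > float(operand)
        if op == "LIKE":
            return like(value, operand)
        if op == "NOT LIKE":
            return not like(value, operand)
        if op == "REGEXP":
            return re.search(operand, value) is not None
        if op == "NOT REGEXP":
            return re.search(operand, value) is None
        if op in ("IN GROUP", "IN DYNAMIC GROUP"):
            return value in GROUPS[operand]
        if op in ("NOT IN GROUP", "NOT IN DYNAMIC GROUP"):
            return value not in GROUPS[operand]
        if op in ("IN ALIASES GROUP", "IN DYNAMIC ALIASES GROUP"):
            # The group holds aliases, so translate the stored value first.
            return ALIASES.get(value, value) in GROUPS[operand]
        if op in ("NOT IN ALIASES GROUP", "NOT IN DYNAMIC ALIASES GROUP"):
            return ALIASES.get(value, value) not in GROUPS[operand]
        raise ValueError(f"unsupported operator: {self.op}")


# A query is a Condition or ("AND"|"OR", sub, sub, ...); nesting stands in
# for the parenthesis buttons of the query builder.
Query = Union[Condition, tuple]


def evaluate(query: Query, row: Dict[str, Any], rt: Dict[str, str]) -> bool:
    if isinstance(query, Condition):
        return query.matches(row, rt)
    logic, *parts = query
    results = [evaluate(p, row, rt) for p in parts]
    return all(results) if logic.upper() == "AND" else any(results)


def run_query(query: Query, rows: Sequence[Dict[str, Any]],
              rt: Optional[Dict[str, str]] = None) -> List[Dict[str, Any]]:
    return [r for r in rows if evaluate(query, r, rt or {})]


def drill_down(parent_row: Dict[str, Any], param_map: Dict[str, str]) -> Dict[str, str]:
    """Build the runtime parameters of a drill-down report from the row the
    user double-clicked; param_map maps parameter name -> attribute name."""
    return {param: str(parent_row[attr]) for param, attr in param_map.items()}


# Constructed Full SQL rows standing in for collector data.
ROWS = [
    {"DB User Name": "SYS", "Object Name": "ACCOUNTS", "SQL Verb": "SELECT",
     "Client IP": "10.10.9.56"},
    {"DB User Name": "joe", "Object Name": "ORDERS", "SQL Verb": "UPDATE",
     "Client IP": "10.1.1.1"},
    {"DB User Name": "sam", "Object Name": "CREDITCARD", "SQL Verb": "SELECT",
     "Client IP": "10.1.1.1"},
]

# Parenthesised query in the spirit of the unit's example:
# (object name contains cc AND verb is select AND user in Privileged Users)
# OR (verb is in the DML Commands group)
PAREN_QUERY = ("OR",
               ("AND",
                Condition("Object Name", "LIKE", "%cc%"),
                Condition("SQL Verb", "LIKE", "select"),
                Condition("DB User Name", "IN GROUP", "Privileged Users")),
               Condition("SQL Verb", "IN DYNAMIC GROUP", "DML Commands"))

# Drill-down query: both fields bound to runtime parameters User and ClientIP.
DRILL_QUERY = ("AND",
               Condition("DB User Name", "LIKE", runtime_param="User"),
               Condition("Client IP", "=", runtime_param="ClientIP"))

if __name__ == "__main__":
    for r in run_query(PAREN_QUERY, ROWS):
        print("parenthesised query matched:", r["DB User Name"], r["SQL Verb"])
    rt = drill_down({"DB User Name": "sam", "Client IP": "10.1.1.1", "Count": 3},
                    {"User": "DB User Name", "ClientIP": "Client IP"})
    print("drill-down rows:", len(run_query(DRILL_QUERY, ROWS, rt)))
```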
table shows the options that are available from this window.
• Delete: Delete a report. This does not delete the associated query, but you must delete the report before you can delete any associated queries.
• Roles: Grant access to the report to other users based on their roles. To grant access to a report, you must grant the roles to the underlying query first.
Reports
• API Assignment: Link additional API functions to predefined Guardium reports or custom reports.
• Drilldown Control: Remove drill-down entries for this report.
Exercise introduction
Complete the following exercises in the Course Exercises book:
• Creating a simple query and report
• Creating a query and report with drill-down capabilities
• Creating multiple queries and assigning them to roles
Perform the exercises for this unit.
Unit summary
• Use domains, entities, and attributes to create queries
• Create, display, and share reports
IBM Guardium: Compliance workflow automation
You can use Guardium compliance workflow automation tools to consolidate database activity monitoring tasks and streamline your compliance process. In this unit, you learn how to automate the processes involved with preparing compliance information for distribution and review. This process includes creating a compliance workflow, distributing the workflow to designated reviewers, and creating a report.
Unit objectives
• Consolidate and automate audit activities into a compliance workflow
• Manage the audit results
Lesson 1 Creating a compliance workflow
Guardium compliance workflow automation tools can transform database security management from a time-consuming manual process to an automated process that supports company privacy and governance requirements. In this lesson, you learn how to create a compliance workflow that includes name/archive, tasks, receivers, and schedule.
• Assign the process to its originator for viewing
• Assign the process to other users, or to a group of users or a role
• Create the requirement that the assignees sign off on the result
• Allow users to add comments and notations
• Allow escalation of the results
a continuous, automated process that supports company privacy and governance requirements, such as PCI-DSS, SOX, Data Privacy, and HIPAA. These tools include the following capabilities:
• Streamline the compliance workflow process by consolidating, in one spot, the following types
– Asset discovery
– Vulnerability assessment and hardening reports
by key stakeholders.
– Syslog
– CSV/CEF files
– External feeds
• Set of tasks
– Reports
– Security assessments
– Entity audit trails
– Privacy sets
– Classification processes
– External feeds
Schedule
• The audit process can be run immediately, or a schedule can be defined to run the process on a regular basis
A workflow process can contain any number of audit tasks, including the tasks shown here:
• Security assessment report: The security database assessment scans the database infrastructure for vulnerabilities, and provides an evaluation of database and data security health, with both real-time and historical measurements. It compares the current environment against preconfigured vulnerability tests based on known flaws and vulnerabilities. These tests are grouped using common database security best practices such as STIG and CIG1, and they incorporate custom tests. The application generates a Security Health Report Card, with weighted metrics based on best practices, and recommends action plans to help strengthen database security.
• An entity audit trail: This detailed report of activity relates to a specific entity, such as a client IP address or a group of addresses.
• A privacy set: This report, detailing access to a group of object-field pairs, such as a Social Security number and a date of birth, is produced for a specified time period.
• A classification process: The existing database metadata and data are scanned, reporting on information that might be sensitive, such as Social Security numbers or credit card numbers.
• An external feed: Data can be exported to an external specialized application for further forensic analysis.
• Compliance Workflow Automation includes a detailed activity log for all tasks, which includes task start and end times
• A report of information in the activity log, called the Audit Process Log, is available to view or clone
Schedule
• Use a fifth section, Run audit process, to run the process manually
3. Receivers: Those roles or users who need to see and review the information
Each section is discussed on the upcoming pages. A fifth section in the builder allows you to run the process manually.
options
• Email subject line
• Roles
process.
• Allow results to be purged prior to review: Select this check box to allow process results to
• CSV/CEF File name: If one or more tasks create CSV or CEF files, you can optionally enter a label to be included in all file names, in the CSV/CEF file name field.
• Zip CSV for email: Select this check box to compress, or zip, the named CSV file.
• Email Subject: Enter a subject to be used in the emails for all receivers for that audit process. The subject can contain one or more of the following variables that will be replaced at run time:
– %%ExecutionStart includes the start date and time of the first task.
– %%ExecutionEnd includes the end date and time of the last task.
• Roles: Set the roles that have access to the audit process. This selection does not define which roles can receive the process. That is defined in the Receivers section.
Audit tasks
Audit tasks control what is delivered to the receivers
Task types
• Report
• Security Assessment
• Entity Audit Trail
• Privacy Set
• Classification Process
The audit tasks section controls what is delivered to the receivers:
• Task Type: Contains Report, Security Assessment, Entity Audit Trail, Privacy Set, and Classification Process choices. In this example, you choose a report.
• Export as:
– CSV: Exports the report results to a CSV file. The CSV export process must also be
– PDF: Exports a PDF file. A PDF file with a similar name as a CSV Export file for this Audit Task is created and exported with the CSV/CEF files.
• PDF Content:
Note: Selecting PDF Content applies to both PDF attachments and PDF export files. The Diff result applies only after the first time this task is run. There is no Diff with a previous result if there is no previous result. The maximum number of rows that can be compared at one time is 5000. If the number of result rows exceeds the maximum, the message “(compare first 5000 rows only)” appears in the diff result.
• Write to Syslog: If Export as CEF was selected, writes the CEF records to syslog, if the remote syslog facility is enabled.
• Named Template To Use: Allows selection of a custom message template, if any are defined.
• Compress: If selected, the CSV/CEF files to be exported will be compressed.
Audit receivers
• Receiver types
– Role
– Email
– User Group
– User
• Receivers review or sign the reports
• Distribution of the results can be simultaneous or sequential
The to-do list of the receiver is updated to display the report
Controls how the distribution of the results occurs when the results are empty
The audit receiver section determines who gets the audit workflow results, when they get the workflow results, and what they must do with the workflow results.
• Role: A set of users that have a certain role. If a role is specified, any one of the users assigned to that role can sign off the workflow. All of the users assigned to the role can view the workflow.
• Email: An email address. This type is useful for sending the workflow results to someone who is not defined as an IBM Guardium user.
You can define the order in which receivers are distributed the workflow results. This could be done simultaneously, where a set of receivers all receive workflow results at the same time, or sequentially, where one receiver receives workflow results only after another receiver has signed off on the workflow results.
The audit receiver section controls who receives the workflow, the order in which users receive it, and the user’s required action upon receipt. Complete the following options for a new receiver:
• Receiver Type: Select the Role, Email, User Group, or User type.
• Role: Select from a drop-down list of Guardium individual users or roles. If a role is selected, all users with that role will receive the results. However, if signing is required, only one user will need to sign the results.
• Action: Select actions the receiver is required to take.
– Review: Indicates that the receiver does not need to sign the results.
– Sign off: Indicates that the receiver must sign the results electronically, by clicking the Sign Results button when viewing the results online.
• Approve if empty: Controls how the distribution of results takes place when the results are empty.
– Selected: If all the reports of the task are empty, the system automatically signs the result (and/or marks it as viewed) and continues, if relevant. The system does not notify the recipient via either the To Do list or email. It does not generate any PDF/CSV/CEF files.
– Cleared: When this check box is not selected, all normal processing takes place even when the results are empty.
• Add to to-do list: Select to notify the receiver of the report’s delivery via the user’s To Do List.
• Email format: Specifies what information is sent in an email.
– None: Sends no email.
– Links Only: Sends a link to the report.
– Full results: Includes the report in the email.
• Distribution sequence: Controls whether distribution of results continues to the next receiver or stops until this receiver has taken the appropriate action.
– Simultaneous: The results will immediately be released to the next receiver on the list.
– Sequential: If the receiver is an individual user, that user must take the indicated action before the results continue to the next receiver in the list. If the receiver is a group or a role, one member of that group or role must take the indicated action before the results continue
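The receiver options above (Action, Approve if empty, Distribution sequence, and the rule that any one member of a role may sign for it) together define how results move down the receiver list. The following simulation is an added example, not Guardium code; the receiver list, user names and the results_empty flag are constructed so the ordering rules can be checked before they are relied on in a real audit process.

```python
"""Constructed simulation of how audit results are released along a Guardium
receiver list (added example, not product code). It models Review vs Sign
off actions, Approve if empty, Simultaneous vs Sequential distribution, and
the rule that any one member of a role or user group may act for it."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Receiver:
    name: str                      # user name, role name, group name or email
    kind: str                      # "Role", "User Group", "User" or "Email"
    action: str                    # "Review" or "Sign off"
    distribution: str              # "Simultaneous" or "Sequential"
    approve_if_empty: bool = False
    members: Tuple[str, ...] = ()  # users in a Role / User Group

    def can_act(self, user: str) -> bool:
        if self.kind in ("Role", "User Group"):
            return user in self.members
        return user == self.name


@dataclass
class Delivery:
    receiver: Receiver
    released: bool = False   # results have reached this receiver
    notified: bool = False   # a To Do list entry / email would be generated
    done: bool = False       # required action taken (or auto-approved)
    completed_by: Optional[str] = None


class AuditDistribution:
    """Walks the receiver list for one run of an audit process."""

    def __init__(self, receivers: Sequence[Receiver], results_empty: bool):
        self.results_empty = results_empty
        self.deliveries: List[Delivery] = [Delivery(r) for r in receivers]
        self._release_from(0)

    def _release_from(self, index: int) -> None:
        """Release results to receiver `index` and onward, stopping at a
        Sequential receiver that still has to act."""
        for d in self.deliveries[index:]:
            d.released = True
            if self.results_empty and d.receiver.approve_if_empty:
                # Empty results: the system signs / marks viewed, sends no
                # notification, produces no files, and distribution continues.
                d.done, d.completed_by = True, "system"
            else:
                d.notified = True
            if d.receiver.distribution == "Sequential" and not d.done:
                return

    def act(self, user: str, action: str) -> Delivery:
        """Record that `user` reviewed or signed the first pending delivery
        the user may act on. Raises LookupError if there is none and
        PermissionError if a Review is offered where Sign off is required."""
        for i, d in enumerate(self.deliveries):
            if d.released and not d.done and d.receiver.can_act(user):
                if d.receiver.action == "Sign off" and action != "Sign off":
                    raise PermissionError(f"{d.receiver.name} requires Sign off")
                d.done, d.completed_by = True, user
                if d.receiver.distribution == "Sequential":
                    self._release_from(i + 1)   # unblock the rest of the list
                return d
        raise LookupError(f"no pending results for {user}")

    def status(self) -> Dict[str, Tuple[bool, bool, Optional[str]]]:
        """receiver name -> (released, notified, completed_by)"""
        return {d.receiver.name: (d.released, d.notified, d.completed_by)
                for d in self.deliveries}

    def complete(self) -> bool:
        return all(d.done for d in self.deliveries)


# Constructed receiver list: a signing role first, then two reviewers.
RECEIVERS = [
    Receiver("dba_auditors", "Role", "Sign off", "Sequential",
             members=("alice", "bob")),
    Receiver("carol", "User", "Review", "Simultaneous"),
    Receiver("ciso@example.com", "Email", "Review", "Simultaneous",
             approve_if_empty=True),
]

if __name__ == "__main__":
    run = AuditDistribution(RECEIVERS, results_empty=False)
    print(run.status())          # only dba_auditors has been released
    run.act("bob", "Sign off")   # one role member signs for the whole role
    print(run.status())          # carol and the CISO mailbox are now released
```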
Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating an audit process definition
Perform the exercise for this lesson.
Lesson 2 Managing audit results
After a compliance workflow is established, schedule an audit process that involves engaging the information receivers. In this lesson, you learn how to distribute the workflow to designated receivers and create a report that contains configured tasks, workflow status, distribution status, and receiver comments.
To-do lists
If the receiver is a role, the task shows for all users who are members of that role
After an audit process is run, receivers are notified of new results by email or through a link after logging into the appliance. To view an audit process, click the link and then click the View button.
Report delivery
Workflow results contain each of the tasks configured and the status of the workflow, including the distribution status and any comments made by other receivers
Workflow results
Workflow results include the following information
• Distribution Status
• Comments
This is an example of a completed audit process. All of the receivers have completed their task, whether that requires review or a signature.
Exercise introduction
Complete the following exercise in the Course Exercises book
• Managing audit results
Perform the exercise for this lesson.
Unit summary
• Consolidate and automate audit activities into a compliance workflow
• Manage the audit results
IBM Guardium: File activity monitoring
You can use Guardium file activity monitoring (FAM) to keep track of the files on your servers. FAM capabilities include finding files, which is known as discovery, classifying the files, and monitoring the activity of files. You can use security policy rules to monitor and collect file-related information. In this unit, you learn how to locate file entitlements and classification data. You also create policies that log file activity and block access to a file.
Unit objectives
• Describe the components of file access monitoring (FAM)
• Discover and classify files
• Implement policies that monitor and control access to files
Lesson 1 File activity monitoring components
File activity monitoring (FAM) helps manage unstructured data that might contain sensitive data and can help identify abnormal behavior. In this lesson, you learn about components and agents used
• Gain visibility into entitlements and activity through custom reports and advanced search
Collector
Host-based probes (FS-TAP)
Host-based probes (S-TAP)
File activity monitoring (FAM) helps you manage access to your unstructured data containing critical and sensitive information. FAM provides complete visibility into activity by providing extensive compliance and audit capabilities. With these capabilities, you can identify normal and abnormal behavior and drill into the details.
Guardium FAM includes tools that help you perform these tasks:
• Find and classify your sensitive data
FAM helps you gain enterprise visibility into file activity and couple it with your structured data activity to build a robust solution and real-time data protection strategy.
FAM components
[Figure: FAM components. Labels: Discover, File Crawler; ICM, Classification Analysis Engine (Classification Server); Activity Monitoring, Universal Feed, Guardium]
FAM components:
• Discovery: Locates folders and files, then extracts the following types of metadata to a secure central repository:
– File name
– Path
– Size
– Last modified date
– Owner
– Privileges
• Classification: Categorizes files according to their content, by searching for the following types of personal identity information:
– Other sensitive data that can be characterized by a pattern of numbers, letters, and symbols
• Activity Monitoring: Audits file activity according to policy, alerts on improper access, or selectively blocks access to files to prevent data leakage.
FAM architecture
Note: Guardium uses two special agents, FS-TAP and FAM Crawler, that work with S-TAP
FAM policies are pushed to the monitoring agent in the file server. FAM Discovery on the file server performs file discovery and classification. The basic scan includes owner, size, last change, and access privileges to user or group. For classification, use sets of classifier rules known as decision plans. You can create your own customized decision plans using IBM Content Classification Workbench.
Uempty
FAM agents
Two agents on the file server implement FAM functionality
• FS-TAP implements policy and sends results of policy actions to the collector
• FAM Crawler inventories files on each server and identifies sensitive data within the files
e
ut
ib
tr
is
FS-TAP
D
FAM Crawler
FAM agents
or © Copyright IBM Corporation 2016
e
The file system monitoring agent is included in the same bundle as the regular S-TAP database. It
is distinguished in the Guardium UI with a :FAM suffix appended to the S-TAP Host name. It
at
implements policy and sends results of policy actions back to the collector.
ic
FAM uses a discovery agent called a file crawler to inventory the files on each server and identify
sensitive data within the files. The file crawler gathers the list of folders and files, their owner,
l
access permissions, size, and the date and time of the last update. The discovery agent is
up
Notes:
• FS-TAP and FAM Crawler agent parameters are configured in the same window
• For detailed information on configuring each of the parameters, see the Guardium Knowledge Center
Center provides detailed information about configuration, but the following list provides a summary:
information.
• FAM_SOURCE_DIRECTORIES tells the FAM agent where to search for files to classify and monitor. You can also specify directories, extensions, and specific files to exclude.
• FAM_SCHEDULER parameters specify how often the FAM crawler will run. In the example above, the time interval is 0 hours and 5 minutes. While this is satisfactory for a laboratory environment, a production environment will have the FAM crawler run much less frequently. For more information, refer to the FAM configuration with GIM Parameters documentation at http://ibm.co/2dugQro.
Lesson 2 Organizing files
Discovery includes finding files, their associated permissions, and additional metadata. Classification rules can be used to identify any files that contain sensitive data. You can use classification to look through files for potentially sensitive data, such as credit card information or personally identifiable information (PII). In this lesson, you learn how to use Search to locate file entitlements and classification data. You also learn how to filter search results and create
PCI
HIPAA
Source code
• Results available through search and reports
• Ability to build policies from results
PCI, HIPAA, and source code. You can create your own decision plans, and you can activate and deactivate decision plans to focus on the types of sensitive data you are concerned about. Think of this as analogous to the classification process used with databases. Decision plans are analogous to classification policies.
Most common data file types, including PDF, Text, Word, PowerPoint, Excel, XML, CSV, logs, source code, and configuration files, are supported. You can create custom decision plans in a standalone Windows application called ICM Workbench that is available to IBM customers.
Entitlements and classification are available via the Search feature using the Files option. The FAM Discovery Agent must be configured to scan and send data to Search.
You can even automatically add discovered files to a security policy rule to set up monitoring,
Using Search
• Search enables quick access to some Guardium functions
• To view entitlements and classification data for files in Search, select File in the search list in the banner; this action opens the Search function and displays file data
Note: You configure the FAM discovery agent to scan and send data to Search by running the following command on the Guardium collector: grdapi enable_fam_crawler
The file crawler sends file metadata and data from its classification process to the Guardium system. You can view that data in reports or in the file version of the enterprise search function.
To view entitlements and classification data for files in the Search function, choose File in the search drop-down list in the banner. This action opens the Search function and displays file data. The FAM discovery agent must be configured to scan and send data to Search. You do that by
grdapi enable_fam_crawler
Uempty
• Server
• Owner
• Classification
• Entity
• Date
You can create a new rule from the list of enterprise search results, or from the FAM policy builder,
and use values from the results to populate rule values.
the entitlements; that is, it shows which users are authorized to do what on that file.

The classification tells you whether the content of that file matches one of FAM's decision plans, such as these examples:
• Source code
• HIPAA
• SOX
• PCI
• FAM_Classification: Information about how Guardium classifies the file
Exercise introduction
Complete the following exercises in the Course Exercises book:
• Verifying settings for file access monitoring
• Creating a file access monitoring dashboard and report
• Running discovery and classification

Perform the exercises for this lesson.
Lesson 3 Creating policies that manage files

File activity monitoring includes using security policy rules to monitor and collect information. In this lesson, you learn how to use the Build Rule wizard to create a policy that logs file activity. You also
• Every file operation on the system is matched against every rule
Having more than one rule for a file is very inefficient. The performance of FAM is critical. After FAM is enabled, every single file operation on the entire system has to be matched against every rule, regardless of whether the operation is to a monitored file. Therefore, having three rules has three

You choose which operations to apply the policy to. You can choose such operations as read, write, execute, delete, and fileop,
datasources are populated based on the selected entry values
3. Select a Rule action
4. Select a Notification Type

Rule actions include the following options:
• Alert and Audit
• Audit only
• Ignore
• Log as Violation and Audit
• Block, Log as Violation and Audit

Action Description
9. Click Save
Rule criteria
Exercise introduction
Complete the following exercises in the Course Exercises book:
• Creating a policy from the file access monitoring discovery and classification results
• Creating a policy to log file activity
• Blocking access to a file

Perform the exercises for this lesson.
Uempty
Unit summary
• Describe the components of file access monitoring (FAM)
• Discover and classify files
• Implement policies that monitor and control access to files
e
ut
ib
tr
is
D
IBM Guardium: File activity monitoring
Unit summary
or © Copyright IBM Corporation 2016
e
at
l ic
up
D
ot
N
o
D
Uempty
IBM Training
e
ut
ib
tr
is
D
or
e
at
l ic
up
D
ot
N
o
D