Course Guide
IBM Guardium Foundations
Course code 8G100 ERC 1.3

IBM Training
October 2016 edition
NOTICES
This information was developed for products and services offered in the USA.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
United States of America
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
IT Infrastructure Library is a Registered Trade Mark of AXELOS Limited.
ITIL is a Registered Trade Mark of AXELOS Limited.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

© Copyright International Business Machines Corporation 2016.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

About this course . . . xi
  Course objectives . . . xiii
  Audience . . . xiv
  Prerequisites . . . xiv
  Agenda . . . xv
  Course description . . . xvi

Unit 1 IBM Guardium: Overview . . . 1
  Unit objectives . . . 2
  Lesson 1 IBM Guardium functionality . . . 3
    Guardium supports the whole data protection journey . . . 4
    IBM Guardium - Data Security and Privacy . . . 5
    Main Features . . . 6
    The need for database access monitoring . . . 7
    Native auditing . . . 8
    Database access monitoring with IBM Guardium . . . 9
    Transparent, noninvasive, real-time Data Activity Monitoring . . . 10
    Scalable, multitier architecture . . . 11
    Monitoring at the network level . . . 12
    Logging . . . 13
  Lesson 2 IBM Guardium components . . . 14
    Guardium components overview . . . 15
    Guardium V10 user interface . . . 16
    Quick Search . . . 17
    Rules and policies . . . 18
    Real-time monitoring to control access . . . 19
    Protecting databases with fine-grained access control . . . 20
    Built-in and custom reporting . . . 22
    Compliance automation . . . 23
    Configuration Auditing System . . . 24
    Vulnerability assessment . . . 25
    Database discovery . . . 26
    Data classification . . . 27
    File activity monitoring . . . 28
  Unit summary . . . 29

Unit 2 IBM Guardium: Architecture . . . 30
  Unit objectives . . . 31
  Lesson 1 IBM Guardium architectural components . . . 32
    Data center infrastructure . . . 33
© Copyright IBM Corp. 2016 iii
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

    Guardium architecture overview . . . 34
  Lesson 2 Capturing database traffic . . . 35
    Database activity monitoring . . . 36
    Collector . . . 38
    Collector architecture . . . 39
    Port mirroring . . . 40
    Network tap . . . 42
    Software tap (S-TAP) . . . 43
    S-TAP architecture . . . 45
    CAS architecture . . . 46
  Lesson 3 Using aggregation and central management . . . 47
    Multicollector environment . . . 48
    Aggregators . . . 49
    The Central Manager . . . 50
  Lesson 4 IBM Guardium hardware and software configurations . . . 51
    Aggregator and Central Manager scenario . . . 52
    Dedicated aggregator scenario . . . 53
    Dedicated Central Manager scenario . . . 54
    Enterprise load balancing using Central Manager . . . 55
  Lesson 5 Integrating IBM Guardium with other tools . . . 56
    Integration . . . 57
  Unit summary . . . 58

Unit 3 IBM Guardium: User interface . . . 59
  Unit objectives . . . 60
  Lesson 1 Navigating the user interface . . . 61
    Guardium V10 web Interface . . . 62
    Top banner . . . 63
    Navigation menu . . . 64
    Search bar . . . 65
    Guided processes . . . 66
    Report dashboard . . . 67
    Exercise information . . . 68
  Lesson 2 Using the command line interface (CLI) . . . 69
    CLI overview . . . 70
    CLI users . . . 71
    CLI account requirements . . . 72
    Navigating the CLI . . . 73
    Listing commands . . . 74
    Displaying command syntax . . . 75
    Show and store . . . 76
    Network configuration commands . . . 77
    Aggregator commands . . . 78
    Alerter configuration commands . . . 79
    Configuration and control commands . . . 80
    File-handling commands . . . 81
    Diagnostic commands . . . 82
    Inspection engine commands . . . 83
    User account, password, and authentication commands . . . 84
    Certificate commands . . . 85
    GuardAPI . . . 86
    Exercise introduction . . . 87
  Unit summary . . . 88

Unit 4 IBM Guardium: Access management . . . 89
  Unit objectives . . . 90
  Lesson 1 User management . . . 91
    accessmgr characteristics . . . 92
    Access management user navigation menu options . . . 93
    Access Management tool . . . 94
    User Browser . . . 95
    Adding a user . . . 96
    Editing a user . . . 97
    User Browser - modifying roles . . . 98
    Assigning user roles . . . 99
    Deleting users . . . 100
    Importing users from LDAP . . . 101
    Exercise introduction . . . 102
  Lesson 2 Role management . . . 103
    User roles . . . 104
    Creating a new role . . . 106
    Customizing the navigation menu for a role . . . 107
    Setting role permissions . . . 108
    User and role reports . . . 109
    Exercise introduction . . . 110
  Unit summary . . . 111

Unit 5 IBM Guardium: System view and data management . . . 112
  Unit objectives . . . 113
  Lesson 1 System view and configuration . . . 114
    Managing the system . . . 115
    System configuration . . . 116
    System Monitor . . . 118
    IP-to-Hostname Aliasing . . . 119
    S-TAP Control and status . . . 120
    Inspection engines . . . 121
    Inspection engine configuration . . . 122
    S-TAP Status Monitor . . . 123
    Agent Module setup . . . 124
    Alerter . . . 125
    Alerts . . . 127
    Anomaly Detection . . . 128
    Global Profile . . . 130
    Exercise introduction . . . 133
  Lesson 2 Data management . . . 134
    System backup . . . 135
    Data Archive . . . 136
    Catalog Archive . . . 138
    Results Export . . . 139
    Exercise introduction . . . 140
  Unit summary . . . 141

Unit 6 IBM Guardium: Groups . . . 142
  Unit objectives . . . 143
  Lesson 1 Building groups . . . 144
    What a Guardium Group is . . . 145
    Methods to build groups . . . 147
    Accessing the Group Builder . . . 148
    Modifying existing groups . . . 149
    Modifying existing group members . . . 150
    Creating a new group . . . 151
    Group reports . . . 152
  Lesson 2 Populating groups . . . 153
    Adding members using manual entry . . . 154
    Adding members from a drop-down list . . . 155
    Group population by LDAP . . . 156
    LDAP group population setup . . . 157
    Populating from a query . . . 158
    Populate from query options . . . 159
    Populate from query results . . . 161
    Scheduling a population by query . . . 162
    Adding group members by classification . . . 163
    GuardAPI . . . 164
    Hierarchical groups . . . 166
    Hierarchical group membership . . . 167
    Flattening hierarchical groups . . . 168
    Exercise introduction . . . 169
  Unit summary . . . 170

Unit 7 IBM Guardium: Policy management . . . 171
  Unit objectives . . . 172
  Lesson 1 Policy overview . . . 173
    Policy review . . . 174
    Default behavior: Traffic . . . 175
    Default behavior: Parsing and logging . . . 177
    Constructs . . . 178
    Constructs received multiple times . . . 179
  Lesson 2 Installing and creating policies . . . 181
    Installing a policy . . . 182
    Viewing currently installed policies . . . 183
    Accessing the Policy Builder . . . 184
    Policy Definition . . . 186
    Policy Rules . . . 188
© Copyright IBM Corp. 2016 vi


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Contents

Lesson 3 Access rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Access rule overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
Access rule description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Access rule criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Access rule actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Access rule example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Alert rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Alert example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198

Allow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Ignore session rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Ignore S-TAP Session action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Ignore Session example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Ignore S-TAP Session rule: Trusted connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Ignore Session criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Ignore Responses Per Session action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Ignore SQL Per Session action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Ignore Session action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Log Full Details policy action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Other logging options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Lesson 4 Exception and extrusion rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Exception rule definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Exception rules: Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Failed login alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Extrusion rules and inspection engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Redact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Extrusion rule example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Regular expression builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Extrusion rule example results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Lesson 5 Selective Audit Trail policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Creating a Selective Audit Trail policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Selective Audit Trail default behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Audit only rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Lesson 6 Guardium policy rule order and logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Rule order and policy logic overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Policy logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
Lesson 7 S-GATE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
S-GATE overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Real-time monitoring to control access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
S-GATE S-TAP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Lesson 8 Classification policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Classification policies and processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Classification policy definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
Classification process definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Unit 8 IBM Guardium: Auditing, vulnerability assessment, and discovery . . . . . . . . . . . . . . . . . 240
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Lesson 1 Using the configuration auditing system (CAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Configuration auditing system (CAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
CAS agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
CAS templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Monitored Item Template Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
CAS hosts and instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248

CAS reporting and status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Lesson 2 Performing vulnerability assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Vulnerability Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Security Assessment Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Vulnerability assessment tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Vulnerability Assessment integration with CAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Lesson 3 Using database discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Database discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Database discovery configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Unit 9 IBM Guardium: Custom queries and reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Query and reporting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Predefined reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Query Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Query Builder: New query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Choosing the query name and main entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Entity overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Logging and parsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Entity hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
The main entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
New query steps summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Query Builder: Customizing a query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Adding fields and conditions to a query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Changing query fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Saving queries and generating reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Creating a dashboard and adding a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Report toolbar icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Runtime parameter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Report customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
Customizing charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Exporting a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Query conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Addition mode: AND/OR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Having: Querying aggregate values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291
Parenthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Runtime Parameters / Dynamic groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Runtime Parameters / Dynamic groups: Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Drill-down reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Drill-down report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Searching for a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Report builder buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300

Unit 10 IBM Guardium: Compliance workflow automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Lesson 1 Creating a compliance workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Compliance Workflow Automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Compliance Workflow Automation elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Compliance Workflow Automation log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Compliance automation process components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Audit process name and archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Audit tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Audit receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Lesson 2 Managing audit results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Activating and running an audit process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
To-do lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
Report delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Workflow results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Unit 11 IBM Guardium: File activity monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Lesson 1 File activity monitoring components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
File activity monitoring overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
FAM components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
FAM architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
FAM agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
FAM agent parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Lesson 2 Organizing files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Discovery and classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Using Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Filtering search results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Discovery and classification reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Custom FAM queries and reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Lesson 3 Creating policies that manage files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Monitoring file activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Creating policies for files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
FAM policy rule building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343

About this course

IBM Guardium Foundations

IBM® Guardium® is a comprehensive data security platform that can help you support compliance
initiatives, privacy initiatives, big data security projects, and comprehensive data protection. You
can use the Guardium platform to analyze your data risk, protect critical data, and adapt data
security to the changes in your environment.

This course introduces students to the IBM Guardium product. It provides processes, procedures,
and practices necessary to configure Guardium to discover, classify, analyze, protect, monitor
access to, and control access to sensitive data. This includes performing vulnerability assessment,
data and file activity monitoring, masking, encryption, alerting, and quarantining functions. The
following topics are among those included in this course:
• Use Guardium components
• Navigate the administration console and use the command line interface to manage Guardium
functions
• Create users and roles to manage Guardium user access
• Use the administration console to manage, configure, and monitor Guardium components
• Create and manage Guardium groups that facilitate queries and policy rules
• Create policy rules that process the information Guardium receives from databases and file
servers
• Use Guardium tools to manage the systems, applications, and databases in a business
environment
• Build queries and create reports to gather data and examine trends
• Consolidate database activity monitoring tasks and streamline compliance processes
• Use file activity monitoring to track files on your servers


Students learn through hands-on lab exercises and lab videos how to use the IBM Guardium
application. The lab environment for this course uses virtual machines hosted by IBM Remote Lab
Platform (IRLP).
Details

Delivery method: Classroom and Instructor-led online (ILO)
Course level: ERC 1.3 (this is a new course)
Product and version: IBM Guardium V10.0
Recommended duration: 3 days
Skill level: Intermediate

Course objectives
• Identify the primary functions of IBM Security Guardium
• Apply key Guardium architecture components
• Navigate the Guardium user interface and command line interface
• Manage user access to Guardium
• Use the administration console to manage Guardium components
• Build and populate Guardium groups
• Configure policy rules that process the information gathered from database and file servers
• Use the configuration auditing system, Vulnerability Assessment application, and Database Discovery
to perform data security tasks
• Create queries and reports to examine trends and gather data
• Automate compliance workflow processes
• Use file access monitoring to keep track of the files on your servers

Audience
This course is designed for database administrators, security administrators, security analysts,
security technical architects, and professional services using IBM Guardium.

Prerequisites
Before taking this course, make sure that you have the following skills:
• Working knowledge of SQL queries for IBM DB2 and other databases
• Working knowledge of NoSQL type databases
• Working knowledge of UNIX commands
• Ability to use a UNIX text editor such as vi
• Familiarity with data protection standards such as HIPAA and PCI DSS

Agenda
• IBM Guardium: Overview
• IBM Guardium: Architecture
• IBM Guardium: User interface
• IBM Guardium: Access management
• IBM Guardium: System view and data management
• IBM Guardium: Groups
• IBM Guardium: Policy management
• IBM Guardium: Auditing, vulnerability assessment, and discovery
• IBM Guardium: Custom queries and reports
• IBM Guardium: Compliance workflow automation
• IBM Guardium: File activity monitoring
Course description
The course contains the following content:
1. IBM Guardium: Overview
IBM® Guardium® version 10 takes a major step forward with intelligence and automation to
safeguard data, enterprise-ready features, and increased breadth of data sources. This unit
introduces the capabilities of Guardium including activity monitoring and auditing. This unit also
describes the components of Guardium.

2. IBM Guardium: Architecture
In this unit, you learn about how the components of IBM® Guardium® work together to provide
a holistic solution to discover, harden, monitor, and protect sensitive data.

3. IBM Guardium: User interface
The IBM® Guardium® V10 release has many new features and enhancements. This updated
version provides a new and intuitive interface, making it very easy to navigate. The updated
menu includes a Guardium security lifecycle view, making navigation options easy to
understand and use. The new UI can be customized based upon the tools you need most. This
new release allows you to create and use dashboards to organize and manage your reports.
The configuration and control commands cover a large number of configuration settings within
the Guardium appliance. In this unit, you learn to navigate the Guardium interface, customize
dashboards, and use the search feature. You also learn to use the command line interface (CLI)
to perform basic system functions.

4. IBM Guardium: Access management
You can apply the power of IBM Guardium to the individuals who are responsible for
performing data security functions by using the built-in user roles, including admin and
accessmgr, to assign roles to new users and to remove them. In this unit, you learn to use the
Access Manager interface to create and maintain user accounts and roles.

5. IBM Guardium: System view and data management
You use the version 10 IBM Guardium interface to perform system administration tasks. This
unit teaches you to manage, configure, and monitor the system. In addition to viewing the
system, this unit teaches you to manage and archive data. Finally, this unit showcases crucial
methods to archive, perform system backup, and use the catalog archive function to prevent
running out of disk space, and to allow recovery from a loss of the Guardium system.

6. IBM Guardium: Groups
Guardium groups offer a powerful method to facilitate the creation of queries and policy rules. In
fact, without the use of groups, you might have to rely on conditional statements for queries and
policy rules. Groups can have one or many attributes and members can belong to multiple
groups. In this unit, you learn how to build and populate the Guardium groups.

7. IBM Guardium: Policy management
IBM Guardium gathers a large amount of information about data access from database and file
servers. This information is parsed and logged, yet this is not enough. You must provide
Guardium with a set of rules describing what should be done with the information. These rules,
or policies, tell Guardium what information S-TAP agents should send to the collectors and what
action to take when certain types of information are received. In this unit, you learn how to
configure the rules that tell Guardium how to process the information it receives from database
and file servers.

8. IBM Guardium: Auditing, vulnerability assessment, and discovery
Guardium includes several tools you can use to perform data security tasks such as auditing,
discovering vulnerabilities, and discovering databases. In this unit, you learn how to use the
built-in tools in Guardium, including the configuration auditing system (CAS), Vulnerability
Assessment application, and Database Discovery to manage the systems, applications, and
databases that are included in your business environment.

9. IBM Guardium: Custom queries and reports
The ability to generate reports that reflect the data collected in Guardium is necessary to
examine trends and gather data for management. Guardium receives and processes a great
deal of data. Policies specify which data the collector receives from endpoints. Queries specify
which data is displayed. Reports specify how and where the data is displayed. In this unit, you
learn how to create these queries and reports.

10. IBM Guardium: Compliance workflow automation
You can use Guardium compliance workflow automation tools to consolidate database activity
monitoring tasks and streamline your compliance process. In this unit, you learn how to
automate the processes involved with preparing compliance information for distribution and
review. This process includes creating a compliance workflow, distributing the workflow to
designated reviewers, and creating a report.

11. IBM Guardium: File activity monitoring


D

You can use Guardium file activity monitoring (FAM) to keep track of the files on your servers.
FAM capabilities include finding files, which is known as discovery, classifying the files, and
ot

monitoring the activity of files. You can use security policy rules to monitor and collect
file-related information. In this unit, you learn how to locate file entitlements and classification
N

data. You also create policies that log file activity and block access to a file.
o
D

© Copyright IBM Corp. 2016 xvii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit 1 IBM Guardium: Overview

© Copyright IBM Corporation 2016

IBM® Guardium® version 10 takes a major step forward with intelligence and automation to safeguard data, enterprise-ready features, and increased breadth of data sources. This unit introduces the capabilities of Guardium including activity monitoring and auditing. This unit also describes the components of Guardium.


Unit objectives
• Identify the primary functions of IBM Guardium
• Describe the key components of the IBM Guardium solution

Lesson 1 IBM Guardium functionality


Activity monitoring for databases is the flagship offering in the Guardium portfolio. In this lesson,
you learn about the importance of IBM Guardium monitoring and logging.

Guardium supports the whole data protection journey

• Comprehensive data protection: Dynamic blocking, alerting, quarantine, encryption, and integration with security intelligence
• Sensitive data discovery: Perform vulnerability assessment, discovery, and classification
• Address data privacy: Find and address personally identifiable information (PII), determine who is reading data, leverage masking
• Expand platform coverage: Big data platforms, file systems, or other platforms also require monitoring, blocking, reporting
• Acute compliance need: Database monitoring focused on changed data and automated reporting

Guardium is a complete and powerful data security and compliance solution that supports a staged implementation. This allows customers to implement increasing functionality, starting with the most urgent issues and growing to expand coverage.

Customers can start with basic and acute compliance needs, such as data access reports required by auditors or regulation. Then they can expand coverage to other sensitive platforms, control and monitor the access of privileged administrators, seek out sensitive data throughout the enterprise, and create a comprehensive strategy to protect that data.



IBM Guardium - Data Security and Privacy


• Protect all data against unauthorized access
• Enable organizations to comply with government regulations and industry standards

1. Prevent data breaches: Prevent disclosure or leakages of sensitive data
2. Ensure data privacy: Prevent unauthorized changes to data
3. Reduce the cost of compliance: Automate and centralize controls across diverse regulations and heterogeneous environments
4. Identify risk: Discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities

(Figure: data at rest, on premise and on cloud, stored in databases, file servers, big data, data warehouses, application servers, and cloud/virtual repositories, and data in motion over the network, such as SQL, HTTP, SSH, FTP, and email; data repositories and sensitive documents)

Companies face the following data security and privacy challenges:
• The need to protect sensitive data from improper use
• The need to demonstrate compliance with regulations and standards for data protection

Protection of data encompasses the following considerations:
1. Prevention of data breaches. Data breaches can originate from internal or external attacks. These breaches can be due to deliberate attacks or accidental exposure.
2. Ensuring data privacy. Companies must implement safeguards to prevent unauthorized changes to sensitive data. This might be due to intentional fraud or accidental modification. Additionally, companies must be able to audit sensitive data modification to provide proof of data integrity.
3. Developing, implementing, and maintaining the policies to protect sensitive data can be expensive in terms of money, time, and human resources.
4. Addressing risk through policy requires a thorough understanding of the risks. Companies need to fully understand the extent and nature of sensitive data already present within a company, as well as vulnerabilities. This requires tools that are able to detect potentially sensitive data, as well as gaps in security.


Main features

Capabilities: Discovery and classification; Vulnerability assessment; Entitlements reporting; Activity monitoring; Blocking and quarantine; Dynamic data masking; Masking and encryption

Discover
• Base product
ƒ DB and data discovery
ƒ Data classification
ƒ Enterprise integrator
ƒ Queries and reports
ƒ Threshold alerts
ƒ Compliance workflow
ƒ Group management
ƒ Security integrations
ƒ IT integrations
ƒ Role-based access control
ƒ Data-level security
ƒ Incident management
ƒ User/Roles management
ƒ HR integrations
ƒ Portal management
ƒ Self-monitoring
ƒ Data export options
ƒ Data imports options

Harden
• Vulnerability assessment
ƒ Assessment reports
ƒ Data protection subscription
ƒ Configuration changes
ƒ Entitlement reporting
• Data encryption
ƒ File-level encryption
ƒ Compliance reporting
ƒ File access auditing
• Optim data masking
ƒ Static masking
ƒ Semantic and format preserving

Monitor
• Standard data activity monitoring
ƒ Data Activity Monitoring
ƒ Real-time alerts
ƒ App end-user identification
ƒ Normalized audit creation
ƒ Compliance workflow
ƒ Federate large deployment
ƒ Central control
ƒ Central audit collection

Protect
• Advanced data activity monitoring
ƒ Blocking access
ƒ Masking sensitive data
ƒ Users quarantine
• Data redaction
ƒ Redact sensitive documents
• File activity monitoring
ƒ Monitor/alert on file activity

IBM Guardium is a database security and monitoring solution that addresses the following aspects of database protection:
• Database access monitoring
• Real-time monitoring
• Built-in and custom reporting
• Compliance workflow automation
• Configuration auditing
• Vulnerability assessment
• Database discovery and data classification

IBM Guardium features are based around four capabilities:
• Discover: Find and categorize sensitive data
• Harden: Assess where vulnerabilities might exist and control how data is encrypted and displayed
• Monitor: Collect and distribute information about how sensitive data is being accessed and modified
• Protect: Block or mask data, quarantine users, and monitor file activity


The need for database access monitoring


• Regulations and industry standards
ƒ SOX - Sarbanes-Oxley
ƒ PCI - Payment Card Industry
ƒ HIPAA - Health Insurance Portability and Accountability Act
• Many corporations are required to monitor activity performed against their databases
ƒ PCI requires that all access to credit card information is logged
ƒ SOX requires that all privileged user activity is monitored
• Other corporations choose to monitor database activity for these reasons
ƒ To meet their own internal security requirements
ƒ To protect sensitive and valuable data

Every company has its own reasons for monitoring database access. In many cases, monitoring is required by industry standards or regulations. In other cases, monitoring is needed to conform to local business rules.

The following list describes some of the regulations and industry standards:
• Sarbanes-Oxley (SOX): a United States federal government regulation intended to reduce accounting fraud
• Payment Card Industry (PCI): an industry standard managed by the Payment Card Industry Data Security Standard (PCI DSS) and intended to protect consumer credit card data and reduce fraud associated with credit card transactions
• Health Insurance Portability and Accountability Act (HIPAA): a United States federal government regulation that includes provisions to protect the privacy of an individual's health and medical records

Corporations following these regulations and standards must enact policies and procedures to meet their requirements. Additionally, a corporation might have internal security requirements of its own in order to protect data from unauthorized use and theft.


Native auditing
• Without a solution such as Guardium, companies must rely on built-in auditing methods, also known as native auditing, within each of their database platforms to meet monitoring requirements
• Native database auditing is not appropriate in many organizations for the following reasons
ƒ High resource utilization: native auditing often consumes 10 to 12% of a server's CPU
ƒ No separation of duties: because native auditing must be configured from within the database, DBAs have the ability to turn it off and manipulate the log files. These same DBAs and other privileged users often require the highest levels of monitoring because they have open access to the database
ƒ Inconsistent auditing features: each database management system has a different method of logging and reporting on database activity, making unified reporting difficult if not impossible

Guardium can provide the ideal solution to the database monitoring needs of companies. Many companies try to perform their monitoring using the native auditing capabilities of the database management systems they work with. However, native monitoring has many drawbacks, including the impact on the database system, the ability of users with high-level access such as database administrators to bypass native monitoring, and the difficulties of integrating the native monitoring features of multiple database environments.

Creating and maintaining these native monitoring solutions can be a burden on the corporation, as is ensuring that the native monitoring solutions conform to regulations and standards the corporation is required to follow.



Database access monitoring with IBM Guardium


IBM Guardium provides a complete monitoring solution that, in most cases, provides greater detail than native auditing methods while addressing these deficiencies
• Minimal resource utilization (3 to 5% CPU utilization)
• DBAs have no access to Guardium, unless provided by a Guardium administrator
• Guardium collects database traffic from heterogeneous environments and standardizes it, allowing one system to monitor multiple database types

IBM Guardium provides a complete solution to a company's monitoring needs. It uses few system resources, typically 3 to 5% CPU utilization, reducing the impact on the database system operations. Guardium is implemented outside the database environment. Database administrators with high levels of access to the database itself have no access to Guardium. Because Guardium intercepts database queries before they reach the database, and intercepts query results before they are passed to the requester, access can be blocked or reported, and data can be masked.

Guardium works consistently in heterogeneous database environments. This allows for standardization of policies, procedures, and data collected and reported on. Additionally, a single Guardium system can monitor and manage the security of different vendor database products.

Transparent, noninvasive, real-time Data Activity Monitoring


(Figure: application servers and data servers (DB, warehouses, files, big data) with Guardium host-based probes forwarding to the Guardium collector appliance; DISCOVER, MONITOR, PROTECT, AUTOMATE)

• Single integrated appliance
• Noninvasive, nondisruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for privileged access
• No environment changes
• Autodiscover sensitive resources and data
• Detect or block unauthorized and suspicious activity
• Granular, real-time policies and normalized audit: who, what, when, how
• 100% visibility including local privileged access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers or rogue insiders
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, and similar regulations
• Growing integration with broader security and compliance management vision

To provide heterogeneous support for databases and applications, Guardium uses host-based probes based on S-TAP agents. This provides lightweight cross-platform support. Because S-TAP runs at a level below the database and application, no changes to the database or applications are required.

Separate collector appliances provide most of the resource-intensive processing, allowing the database servers themselves to run with a minimum of interference. Alerts happen in real time.

Because the S-TAP agent runs on the server, at a low level below the databases and applications, all access is monitored, unlike network monitoring, which does not detect activity running solely on the database server. As an example, a privileged user working on the server console won't be detected by any solution that only monitors network traffic, but would be detected and could be monitored or even blocked by Guardium.

Scalable, multitier architecture


(Figure: Guardium collectors in cloud environments, on the IBM z/OS mainframe, and in the Asia Pacific, Europe, and Americas data centers, serving LOB, marketing, and big data analytics workloads, report to a Guardium central manager and aggregator, which integrates with LDAP/AD, IAM, change management, SIEM, and archiving)

• Central management: Policies pushed to collectors from central manager
• Central aggregation: Collectors aggregate data to central audit repository
• Unified solution for both distributed and IBM System z: Enterprise-wide compliance reporting, analytics, and forensics
• Enforcement (S-GATE): Prevents privileged users from accessing sensitive information
• Heterogeneous data source support: Databases, Data Warehouses, Files, Big Data

Guardium architecture incorporates the following principles:
• Central management to provide uniformity of policies, which can be created once and distributed to many diverse endpoints
• Central aggregation to gather data security information from distributed sources for unified processing, storage, and reporting
• Unified solutions for diverse architectures
• Enforcement through an agent that serves as gatekeeper to all data access requests, including those from privileged users such as high-level database administrators
• Heterogeneous data source support to provide similar security capabilities for different sorts of data repositories

Guardium uses a tiered hierarchy of collectors, aggregators, and central managers:
• Collectors gather activity about sensitive data from data repositories, provide real-time analysis, and store it for further processing. A Guardium implementation has at least one, and generally many more than one, collector.
• Aggregators collect and merge information from multiple collectors. This provides an enterprise view of sensitive data operations. Guardium implementations with multiple collectors have one or more aggregators.
• A Guardium environment has one central management system, which controls and monitors all collectors and aggregators in that environment and provides a holistic view through a single console.


Monitoring at the network level

Guardium collects traffic at the kernel level and off-loads the processing to a network appliance. This process greatly reduces the resource utilization at the database level, and minimizes any impact on the normal database operations. The Guardium software tapping agent (S-TAP) forwards network packets to a network appliance for processing.

Logging
• Real-time
• Strings parsed into smaller data elements

All defined and monitored database activity is logged in to the Guardium database in real time. When a user issues a command or statement against a monitored database, it is immediately logged in to the Guardium database and is immediately available for alerting or reporting. Additionally, the strings are parsed into smaller data elements, so that data is easier to categorize and build reports on.


Lesson 2 IBM Guardium components


In this lesson, you learn about IBM Guardium components, such as quick search, reporting,
workflow automation, and file activity monitoring.

Guardium components overview


The following list shows some of the Guardium components
• New user interface with quick search
• Real-time monitoring
• Built-in and custom reporting
• Compliance workflow automation
• Configuration auditing system
• Vulnerability assessment
• Database discovery and data classification
• File activity monitoring

Guardium has several components, some of which are built into the product and some are add-ons. The base product includes components for doing real-time database access monitoring, including options to filter what is being monitored, to generate an alert whenever specific access is attempted, and to terminate access when needed. The base product also includes built-in and customized reporting and compliance workflow, which automatically routes reports to the appropriate users.

Additional add-on components support the following features:
• Configuration auditing to monitor access and changes to supporting database objects
• Vulnerability assessment to locate and classify potential areas of risk
• Database discovery and data classification to automatically detect database existence and locate data artifacts
• File access monitoring



Guardium V10 user interface

(Figure: screen capture of the Guardium V10 user interface, with callouts for enterprise-wide quick search, customizable reports, guided processes, an at-a-glance operational dashboard, and drill-down analytics)

The version 10 Guardium user interface places an emphasis on completing tasks over performing functions. The left navigational menu is task based, and each task can be assigned to different stakeholders.

The focus of the new user interface is to make navigation simple, especially for everyday tasks. An example is the search bar on the top right side. It provides a number of functions, including those shown in the following list:
• Searching for data content
• Searching for objects across the implementation, such as reports, policies, tasks, and panels

To use the search bar, start typing what you are looking for and choices start appearing in a drop-down list. You can define the scope of where you want that search to go.

The Guardium user interface also places emphasis on guiding you through key end-to-end processes, such as providing a wizard to perform key tasks.

The user interface also emphasizes visibility, including the following features:
• Easy-to-read status dashboards
• Customizable reports
• The ability to drill down on the new tools such as the investigative dashboard or the outlier detection tool


Quick Search
• Automatically discover and classify sensitive data to expose compliance risks
• Analyze data usage patterns to uncover and remediate risks
• Understand who is accessing data, spot anomalies, and stop data loss in real time
• Use the convenient graphical interface for identifying and responding to outliers detected by the algorithm

You cannot protect what you do not understand or know about. You must have the tools to easily understand your data environment and help you make quick decisions about the risk on that data. Therefore, Guardium focuses on the following types of capabilities:
• Discovering uncatalogued data repositories
• Classifying the sensitive data within these data repositories as well as their access privileges
• Tracking activity against sensitive data and maintaining security on a continuous basis by monitoring all transactions
• Discovering misconfiguration and vulnerabilities on the database setup
• Analyzing access and behavioral patterns on the fly or from audit data
• Protecting against threats and data loss by automating controls to protect sensitive data with real-time policy assessment and appropriate remediation
• Developing a picture of the security/risk posture and hardening the data environment


Rules and policies


Guardium uses rules and policies to perform real-time filtering, alerting, and prevention
• Rule - A set of filtering criteria and actions
• Policy - A set of rules to be enforced
• Filtering - Criteria specifying what is to be monitored
• Alerting - Notification when specific actions occur
• Prevention - Blocking actions before they are processed

Guardium does not simply log database activity. Using policies and rules defined by the Guardium administrators, it can automatically perform specific actions such as blocking and alerting in real time.

A rule specifies the criteria to use to decide the action's context and which action to take.

A policy is a set of rules applied against the database traffic as it is being monitored and logged into the Guardium appliance database. Each rule contains a set of criteria and one or more actions.

A filter is a set of criteria that specifies when action is to be taken. As an example, a filter might specify that an action be taken when a certain user attempts to access data in a certain table of a specific database. The filter does not specify which action is to be taken, but is associated with a rule that applies the filter and then, if the criteria in the filter are met, implements an action.

An alert is a notification that a specific action has been taken. The alert specifies which action has been taken, why that action was initiated, and the results of that action.

A preventive action is one that blocks an action before it is processed. As an example, a certain SQL query might be intercepted, determined to be inappropriate, and blocked before it ever reaches the database.


Real-time monitoring to control access


Session-based monitoring
• Hold and check privileged user session activity (S-GATE/closed mode)
• Allow known application server session activity (S-TAP/open mode)

(Figure: numbered steps 1 to 4 showing monitoring and prevention of unauthorized access by privileged users, ending with the privileged user session terminated)

In this example, Guardium will block anyone in the developer group from accessing cardholder data on production servers. It will also terminate the user's connection and send an alert to the Guardium administrators via SNMP.

The following results occur after the rule is triggered:
• The command does not reach the database server.
• The user's session is terminated.
• An alert is sent.
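The Logging page earlier in this lesson describes statements being parsed into smaller data elements, and the Rules and policies page describes a rule as filter criteria plus actions. The following Python example is added to this guide to show both steps together on constructed input; it is not Guardium code. The group names, sample users, hosts, table names, rule names and action labels are all made up for illustration, the toy parser handles only simple statements, and the stop-at-first-match evaluation with a per-rule continue flag is an assumed, simplified model of how rule order is applied.

```python
import re
from dataclasses import dataclass, field

# Constructed groups, in the spirit of Guardium group management.
# Every member value is a made-up sample.
GROUPS = {
    "Developers": {"dev_alice", "dev_bob"},
    "Cardholder Objects": {"payments.cards", "payments.card_holders"},
    "Production Servers": {"db-prod-01", "db-prod-02"},
}


@dataclass
class Statement:
    """One logged statement, split into the smaller elements the text describes."""
    verb: str                                    # SQL command, e.g. SELECT
    objects: list = field(default_factory=list)  # tables the statement touches
    fields: list = field(default_factory=list)   # columns it names
    raw: str = ""                                # original string, kept for full-detail logging


def parse_statement(sql: str) -> Statement:
    """Toy parser for simple SELECT / UPDATE / DELETE / INSERT statements.
    It illustrates splitting a string into verb, object and field elements;
    it is not the product's parser."""
    text = " ".join(sql.strip().rstrip(";").split())
    verb = text.split(" ", 1)[0].upper()
    objects, cols = [], []
    if verb == "SELECT":
        m = re.match(r"SELECT\s+(.*?)\s+FROM\s+([\w.]+)", text, re.I)
        if m:
            cols = [c.strip() for c in m.group(1).split(",")]
            objects = [m.group(2)]
    elif verb == "UPDATE":
        m = re.match(r"UPDATE\s+([\w.]+)\s+SET\s+(.*?)(?:\s+WHERE\s|$)", text, re.I)
        if m:
            objects = [m.group(1)]
            cols = [a.split("=")[0].strip() for a in m.group(2).split(",")]
    elif verb in ("DELETE", "INSERT"):
        m = re.search(r"\b(?:FROM|INTO)\s+([\w.]+)", text, re.I)
        if m:
            objects = [m.group(1)]
    return Statement(verb, objects, cols, text)


@dataclass
class Session:
    """Connection context known when the statement arrives (constructed fields)."""
    db_user: str
    client_ip: str
    server_host: str


@dataclass
class Rule:
    """Filter criteria plus the actions to take when they all match.
    Empty criteria match anything. continue_to_next models the assumption
    that evaluation stops at the first matching rule unless told otherwise."""
    name: str
    actions: list
    verbs: set = field(default_factory=set)
    user_group: str = ""
    object_group: str = ""
    server_group: str = ""
    continue_to_next: bool = False


def rule_matches(rule: Rule, stmt: Statement, session: Session) -> bool:
    if rule.verbs and stmt.verb not in rule.verbs:
        return False
    if rule.user_group and session.db_user not in GROUPS[rule.user_group]:
        return False
    if rule.server_group and session.server_host not in GROUPS[rule.server_group]:
        return False
    if rule.object_group and not set(stmt.objects) & GROUPS[rule.object_group]:
        return False
    return True


def evaluate_policy(policy, stmt, session):
    """Return [(rule name, action), ...] in evaluation order."""
    fired = []
    for rule in policy:
        if rule_matches(rule, stmt, session):
            fired.extend((rule.name, action) for action in rule.actions)
            if not rule.continue_to_next:
                break
    return fired


# Constructed policy modelled on the slide: developers reading cardholder
# data on production get the session terminated and an alert raised.
POLICY = [
    Rule("Developers on cardholder data (production)",
         actions=["S-GATE TERMINATE", "ALERT PER MATCH"],
         verbs={"SELECT"}, user_group="Developers",
         object_group="Cardholder Objects", server_group="Production Servers"),
    Rule("Log cardholder data access", actions=["LOG FULL DETAILS"],
         object_group="Cardholder Objects", continue_to_next=True),
    Rule("Log everything else", actions=["LOG"]),
]


def process(sql: str, session: Session, policy=POLICY):
    """Parse the statement, then evaluate the policy against it."""
    stmt = parse_statement(sql)
    return stmt, evaluate_policy(policy, stmt, session)


if __name__ == "__main__":
    prod = Session("dev_alice", "10.1.1.5", "db-prod-01")
    stmt, fired = process("SELECT pan, expiry FROM payments.cards WHERE id = 7", prod)
    print(stmt.verb, stmt.objects, stmt.fields)
    for rule_name, action in fired:
        print(f"{rule_name}: {action}")
```

Note what the first rule does not cover: it lists only the SELECT verb, so a DELETE against the same cardholder table from the same developer on the same production server falls through to the logging rules and is not terminated. When you build a blocking rule, enumerate every verb (or leave the verb criterion empty) rather than assuming the object criterion alone is enough.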

Protecting databases with fine-grained access control


• Is also called query rewrite
• Intercepts and rewrites query before it reaches database
• Applies filters
ƒ Add WHERE clause
ƒ Change SELECT clause
ƒ Rewrite entire query
ƒ Change target table
• Has several benefits
ƒ Dynamic masking
ƒ Restrict data access
ƒ Keeps original database intact
ƒ No involvement by database administrator
ƒ Centralized policy control

(Figure: column-level masking (only dept #) and row-level masking (only dept #20))

Note: There is Dynamic masking and fine-grained access control for databases such as DB2, MSSQL, and Oracle

Guardium includes a feature known as fine-grained access control or query rewrite. This feature can prevent over-exposure of sensitive or private data to people who should not be able or allowed to see that data, without completely blocking access.

As an example, you might want database administrators to test queries against a table containing sensitive data, such as a personal identification number. However, you want to allow them to only view as much information as necessary to verify that the query is working. You might determine that you want the database administrators to only be able to see the last four digits. This will allow them to verify that data is being returned while still retaining a reasonable amount of privacy and preventing fraudulent use of the personal identification numbers.

Guardium is able to intercept the query before it is sent to the database and rewrite the query by applying the following types of filters:
• Adding a WHERE clause, which creates row-level masking. In the example in the slide, it only returns rows from department 20.
• Changing the SELECT clause, which creates column-level masking to change which columns are returned
• Changing the SQL command itself
• Changing the target table so that instead of selecting against the table with the sensitive data, the query selects against a test table
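The following Python example is added to this guide to show three of the filter types just listed applied to a simple SELECT before it reaches the database: a WHERE clause for department 20 (row-level masking), a rewritten SELECT column that exposes only the last four digits of a personal identification number (column-level masking), and a target-table change to a test table for one user group. It is not Guardium's query rewrite engine. The table, columns, user groups, masking expression and test table name are constructed, the RIGHT() function is assumed to exist on the target database, and the choice to block any statement that names a protected table but cannot be rewritten is the example's own fail-closed design, not a statement about the product.

```python
import re

# Constructed rewrite policy for one sensitive table. The column list lets
# SELECT * be expanded so that the masked column cannot slip through; the
# masking expression, row filter and test table are all sample values.
REWRITE_RULES = {
    "hr.employees": {
        "columns": ["emp_id", "name", "dept_no", "pin"],
        "mask": {"pin": "RIGHT(pin, 4)"},    # column-level: last four digits only
        "row_filter": "dept_no = 20",        # row-level: only department 20
        "test_table": "hr.employees_test",   # target-table change for developers
    }
}

# Only the simple shape SELECT <cols> FROM <table> [WHERE <cond>] is handled.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>[\w.]+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.I,
)


def rewrite_query(sql: str, user_group: str, rules=REWRITE_RULES):
    """Rewrite a simple SELECT before it reaches the database.

    Returns (rewritten_sql, applied), where applied names the filters used.
    A statement that names a protected table but does not fit the simple
    shape is blocked (None, ["BLOCK"]) instead of being passed through
    unmodified; that is the fail-closed choice made for this example."""
    m = SELECT_RE.match(sql)
    if not m:
        if any(t in sql.lower() for t in rules):
            return None, ["BLOCK"]
        return sql, []
    cols, table, where = m.group("cols"), m.group("table"), m.group("where")
    rule = rules.get(table.lower())
    if rule is None:
        return sql, []          # not a protected table: leave the query alone
    applied = []

    if user_group == "Developers" and "test_table" in rule:
        # Change the target table: the query never reads the production rows.
        table = rule["test_table"]
        applied.append("CHANGE TABLE")
    else:
        # Change the SELECT clause (column-level masking). SELECT * is
        # expanded first; otherwise the masked column would be returned whole.
        col_list = [c.strip() for c in cols.split(",")]
        if col_list == ["*"]:
            col_list = list(rule["columns"])
        new_cols = []
        for c in col_list:
            expr = rule["mask"].get(c.lower())
            if expr:
                new_cols.append(f"{expr} AS {c}")
                applied.append(f"MASK {c}")
            else:
                new_cols.append(c)
        cols = ", ".join(new_cols)
        # Add a WHERE clause (row-level masking), AND-ed with any existing one.
        if rule.get("row_filter"):
            where = f"({where}) AND {rule['row_filter']}" if where else rule["row_filter"]
            applied.append("ADD WHERE")

    rewritten = f"SELECT {cols} FROM {table}" + (f" WHERE {where}" if where else "")
    return rewritten, applied


if __name__ == "__main__":
    samples = [
        ("DBAs", "SELECT emp_id, name, pin FROM hr.employees WHERE name LIKE 'A%'"),
        ("DBAs", "SELECT * FROM hr.employees"),
        ("Developers", "SELECT pin FROM hr.employees"),
        ("DBAs", "SELECT name FROM hr.employees ORDER BY name"),
    ]
    for group, query in samples:
        print(group, "->", rewrite_query(query, group))
```

Two points the paragraph alone does not show: the existing WHERE clause is wrapped in parentheses before the row filter is AND-ed on, so a condition containing OR cannot widen the result beyond department 20; and a rewrite that only recognises a narrow statement shape must decide what to do with everything else, which is why unparsed statements against the protected table are blocked here rather than forwarded untouched.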

This functionality provides many benefits, including those shown in the following list:
• Dynamic data masking with real-time response
• Restricting who can access what data, as well as when and how
• Fine-grained access control to sensitive data to complement and expand database controls
• Keeping the original data in the physical production databases intact
• No impact to database controls, nor involvement of the database administrator
• Centralized policy control over diverse database formats

Fine-grained access control is used for the following reasons:
• Prevent data breaches
• Ensure data privacy
• Reduce the cost of compliance
• Identify security risks
• Enable safe sharing of data


Built-in and custom reporting

The slide graphic shows the Guardium reporting interface: the Query Builder for custom reports
and the list of built-in reports.

After the database traffic has been logged to the Guardium appliance database, users can
access many prebuilt reports for an overview of the database activity. The Guardium solution also
includes a flexible query builder, allowing users to create custom reports that meet specific needs.

Compliance automation
• Guided task flow to define an audit process
• Automated scheduled tasks and reports distribution
• Comments, review, sign-off
• Advanced workflow process (multiple states and transitions)

The Guardium solution also includes Compliance Workflow Automation. This feature can be
configured to deliver reports, vulnerability assessments, and classification results to the appropriate
end users on a periodic basis. The process also tracks who has viewed or signed off on each
process and maintains a trail of any comments made by reviewers.

Configuration Auditing System

The Configuration Auditing System (CAS) tracks changes to the following elements:
• Security and access control objects
• Database structures
• Critical data values
• Database configuration files

Not all database-related activity can be tracked using Database Access Monitoring. As an example,
changes to database configuration files, such as the listener.ora file in Oracle, are made at the
operating system level. The Configuration Auditing System (CAS) in Guardium monitors changes to
these OS database files, as well as changes to environmental variables and actual values within
the database itself.

With the Guardium CAS, organizations can track all changes to the following objects:
• Security and access control objects such as users, roles, and permissions
• Database structures such as tables, triggers, and stored procedures
  CAS can also detect accidental deletions or insertions of critical tables that can impact data
  governance.
• Critical data values such as data that affects the integrity of financial transactions
• The following types of database configuration objects that can affect security posture:
  – OS and database configuration files such as sqlnet.ora
  – Environment and registry variables
  – Executables such as shell scripts, Java, and XML programs

Vulnerability assessment

A vulnerability assessment evaluates the security of the database environment:
• Query-based tests
  Patches, passwords, privileges, defaults
• Behavioral tests
  Exceeding thresholds, executing administrative commands
• CAS-based tests
  Operating system configuration vulnerabilities

The slide graphic shows an assessment report with its result history, summary, filters and sort
controls, detailed test results, and a detailed description of fixes.

The Guardium Vulnerability Assessment tool evaluates the security of your database environment.
It uses three different kinds of tests:
• Query-based tests check for vulnerabilities such as missing patches, weak passwords, poorly
  configured privileges, and default accounts.
• Behavioral tests are based on data gathered by Data Access Monitoring and look for items such
  as excessive failed logins, clients executing administrative commands, and after-hours logins.
• CAS-based tests look for OS-level configuration vulnerabilities.

After running the selected tests, Guardium presents an overall report card along with details about
each result, including recommendations about resolving any issues it identifies as problem areas.
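The three behavioral tests named above (excessive failed logins, administrative commands from
unexpected clients, after-hours logins), as an added example that is not part of the course guide
and not Guardium's own test library: a Python routine that runs the checks over constructed
monitoring records and produces a report-card style summary. The record layout, the threshold of
five failures, the 08:00 to 18:00 business-hours window and the list of administrative client
addresses are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Statements treated as administrative for this example (assumed list).
ADMIN_CMD_RE = re.compile(
    r"^\s*(GRANT|REVOKE|CREATE\s+USER|ALTER\s+USER|DROP\s+USER|ALTER\s+SYSTEM)\b",
    re.IGNORECASE,
)


def behavioral_tests(records, failed_login_threshold=5, business_hours=(8, 18),
                     admin_clients=("10.0.0.10",)):
    """Run the three behavioral checks over monitoring-style records.

    records: dicts with keys ts (ISO-8601), db_user, client_ip,
             event (LOGIN, LOGIN_FAILED or SQL) and sql (for SQL events).
    Returns findings as (test, db_user, detail) tuples.
    """
    findings = []
    failures = Counter()
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "LOGIN_FAILED":
            failures[(rec["db_user"], rec["client_ip"])] += 1
        elif rec["event"] == "LOGIN":
            start, end = business_hours
            # Weekend, or outside the business-hours window on a weekday.
            if ts.weekday() >= 5 or not start <= ts.hour < end:
                findings.append(("AFTER_HOURS_LOGIN", rec["db_user"], rec["ts"]))
        elif rec["event"] == "SQL":
            if ADMIN_CMD_RE.match(rec["sql"]) and rec["client_ip"] not in admin_clients:
                findings.append(("ADMIN_CMD_FROM_UNEXPECTED_CLIENT", rec["db_user"], rec["sql"]))
    # Failed logins are counted per (user, client) so a brute-force attempt from
    # one client is not diluted by a user's normal activity elsewhere.
    for (user, ip), count in failures.items():
        if count >= failed_login_threshold:
            findings.append(("EXCESSIVE_FAILED_LOGINS", user, f"{count} failures from {ip}"))
    return findings


def report_card(findings):
    """Count findings per test, the way the assessment summary does."""
    return dict(Counter(test for test, _, _ in findings))


# Constructed sample records (not real monitoring data); 2016-10-12 is a Wednesday.
SAMPLE_RECORDS = (
    [{"ts": f"2016-10-12T02:0{i}:00", "db_user": "scott", "client_ip": "10.0.0.55",
      "event": "LOGIN_FAILED", "sql": ""} for i in range(6)]
    + [
        {"ts": "2016-10-12T02:07:00", "db_user": "scott", "client_ip": "10.0.0.55",
         "event": "LOGIN", "sql": ""},
        {"ts": "2016-10-12T02:08:00", "db_user": "scott", "client_ip": "10.0.0.55",
         "event": "SQL", "sql": "GRANT DBA TO scott"},
        {"ts": "2016-10-12T10:15:00", "db_user": "hr_app", "client_ip": "10.0.0.20",
         "event": "LOGIN", "sql": ""},
        {"ts": "2016-10-12T10:16:00", "db_user": "hr_app", "client_ip": "10.0.0.20",
         "event": "SQL", "sql": "SELECT ename FROM emp"},
        {"ts": "2016-10-12T10:30:00", "db_user": "dba1", "client_ip": "10.0.0.10",
         "event": "SQL", "sql": "ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE"},
    ]
)


def run_sample():
    return behavioral_tests(SAMPLE_RECORDS)
```

The sample deliberately includes an ALTER SYSTEM from the expected administrative client, which
produces no finding: the point of the client allow-list is to separate routine DBA work from the
same command issued from an unexpected address.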

Database discovery
• Probes the network
• Locates servers running database services
• Reports on its findings

Due to the complexity of some environments and other factors, such as mergers and acquisitions,
some companies do not have a full inventory of their database servers. Database discovery probes
a network to identify servers running database services.

Data classification
• Scans databases
• Locates objects matching certain patterns
• Reports on its findings

Similarly, because of the complexity of some environments and other factors, such as mergers
and acquisitions, some companies do not know where all of their sensitive data resides. Data
classification scans databases to find and classify any objects or fields containing sensitive data. In
the example shown on the slide, data classification has located two tables that might contain
sensitive credit card data and listed the column name where the data resides.
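Pattern-based classification, as an added example that is not part of the course guide and not
Guardium's classifier: a Python scan over constructed in-memory tables that looks for 16-digit card
numbers in every column and applies a Luhn check, so that 16-digit order references are not
reported as card data. The table contents and names, and the 16-digit-only pattern, are
assumptions made for the example; a production scan would also cover other card lengths and
would run over sampled rows of real tables.

```python
import re

# 16 digits with optional space or hyphen separators, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; weeds out 16-digit values that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(value):
    """Return Luhn-valid 16-digit numbers found anywhere in a cell value."""
    candidates = (re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(str(value)))
    return [c for c in candidates if luhn_ok(c)]


def classify(tables):
    """tables: {table_name: [row_dict, ...]}.

    Returns (table, column, hits, rows) for every column in which at least one
    card number was found, so free-text columns with an occasional PAN surface too.
    """
    results = []
    for table, rows in tables.items():
        if not rows:
            continue
        for column in rows[0]:
            hits = sum(1 for row in rows if find_pans(row.get(column, "")))
            if hits:
                results.append((table, column, hits, len(rows)))
    return results


# Constructed sample tables; the card numbers are standard test values.
SAMPLE_TABLES = {
    "CUSTOMERS": [
        {"CUST_ID": 1, "NAME": "A. Smith", "CARD_NO": "4111 1111 1111 1111"},
        {"CUST_ID": 2, "NAME": "B. Jones", "CARD_NO": "5500000000000004"},
    ],
    "ORDERS": [  # 16-digit references that fail the Luhn check: not card data
        {"ORDER_ID": 10, "ORDER_REF": "4111111111111112", "AMOUNT": "19.99"},
        {"ORDER_ID": 11, "ORDER_REF": "1234567890123456", "AMOUNT": "5.00"},
    ],
    "EMPLOYEES": [  # card data hiding in a free-text column
        {"EMPNO": 7369, "NOTES": "expense card 4111-1111-1111-1111 reissued"},
        {"EMPNO": 7499, "NOTES": "none"},
    ],
}


def run_sample():
    return classify(SAMPLE_TABLES)
```

The hit count and row count are returned together so a reviewer can tell a column that is
entirely card numbers from one that merely contains a stray PAN in a comment field; both are
findings, but they call for different remediation.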

File activity monitoring
• Manages access to unstructured data containing critical and sensitive information
• Reports for Activity, Discovery, and Entitlements
• Provides extensive compliance and audit capabilities

File activity monitoring (FAM) is new to version 10. Guardium uses file activity monitoring to provide
insight into data that might be stored in files rather than databases. It includes processes to discover
and classify sensitive information contained in files, as well as to control and monitor access to these
files.

The slide illustrates one of the file activity monitoring reports that shows the result of the Discovery
and Classification process. It scans a directory, drive, USB, or any mounted drive and gives a list of
all files it contains, with the entitlements; that is, which users are authorized to do what on that file.
The classification tells you if the content of that file matches one of FAM's decision plans, for
example, source code, HIPAA, SOX, or PCI.

Unit summary
• Identify the primary functions of IBM Guardium
• Describe the key components of the IBM Guardium solution

Unit 2 IBM Guardium: Architecture

In this unit, you learn about how the components of IBM® Guardium® work together to provide a
holistic solution to discover, harden, monitor, and protect sensitive data.

Unit objectives
• Describe the basic architectural components of an IBM Guardium implementation
• Identify the methods Guardium uses to capture database traffic
• Describe the functions of aggregation and central management
• Identify Guardium hardware and software configurations for various environments
• List the tools that can integrate with Guardium

Lesson 1 IBM Guardium architectural components

In this lesson, you learn the functions of IBM Guardium architectural components and how they
communicate.

Data center infrastructure

The slide graphic shows the data center components: data servers and application servers
connected through a network switch, a Guardium collector, local access to the servers, and
network access by clients over the Internet.

The physical infrastructure of a datacenter that hosts a Guardium implementation includes the
following components:
• Database servers: These servers run the database, and generally will have an agent installed
  that resides below the database server and intercepts SQL queries and other calls to the
  database server.
• Application servers: These servers might also have an agent installed, depending on their role.
• Network switches: Network switches route traffic and are a potential point for Guardium to
  intercept database queries.
• Guardium collector: One or more Guardium systems gather and process information about data
  access and security.
• Client: Clients are used to access application and database servers.

Guardium architecture overview
• S-TAP is a lightweight agent/probe that copies information to the Guardium collector
• The Guardium collector performs the resource-intensive processing of this information
• Additionally, a sniffer can send control signals to the S-TAP agent
• The database client can communicate with the database server, but all communications are
  intercepted by the S-TAP agent

The slide graphic shows the flow: the client requests information from the database server, which
responds with the appropriate information; the S-TAP makes a copy of the information and sends it
to the Guardium appliance; the Guardium analysis engine analyzes, parses, and logs the
appropriate data to the internal repository; and the sniffer can send control signals to the S-TAP.

The S-TAP agent sends information to the Guardium collector. It can also receive control signals for
the following functions:
• Filtering information before sending to the collector to reduce network traffic and Guardium
  collector processing load
• Blocking connections based on policy from the Guardium collector
• Masking or redacting information in the result set based on policy from the Guardium collector

S-TAP can filter out unwanted result sets or authorized sessions and not send this information to
the Guardium collector.

Lesson 2 Capturing database traffic

In this lesson, you learn how Guardium collects information about sensitive data access and
forwards that information for processing, logging, and other action.

Database activity monitoring

Database activity needs to be captured to perform parsing, analysis, and auditing:
• Session information
• Failed login attempts
• SQL commands
• SQL errors
• Returned data

Mechanisms that access the data:
• Network access
• Local access
• Encrypted connection

File activity might also need to be captured:
• File name
• Directory where file is located
• User attempting to access file
• Type of file activity

Monitoring options:
• Port mirroring
• Network tap
• Software tap

Many different activities have the potential to compromise sensitive data, and therefore must be
monitored. Some examples are shown in the following list:
• Database activity:
  – Session information: Information about active sessions on a database server. As an
    example, duration of the session or time of day when the session is active might indicate
    suspicious patterns of access.
  – Failed login attempts: Information about unsuccessful attempts to create an active session.
    As an example, multiple attempts to log in to a session during nonworking hours might
    indicate an attempt to compromise the system.
  – SQL commands: Guardium can modify and block SQL commands as well as monitor and
    log them.
  – SQL errors: Improperly formatted SQL commands can indicate an attempt to access
    sensitive data by users not familiar with the structure of the database, and might indicate
    illicit activity.
  – Returned data: Guardium can redact or modify data returned.
• File activity information:
  – File name and type
  – File location
  – User accessing file
  – What sort of file activity is being performed
    Has there been an attempt to read the file? Copy the file to another location? Delete,
    rename, or modify the file?

It is also necessary to understand the mechanisms by which the data is accessed. As an example,
is the access done by a remote user session, or by a user logged directly on to the server? Is the
connection encrypted or unencrypted? What protocol is used?

When monitoring, several options can be used. These options are addressed in later slides.

Collector
• Hardware specification
  – Form factor: 1U rack server
  – Processor: 4x quad core
  – Storage: 2x 300GB - RAID-1
• Network configuration
  – Gigabit network adapter with 4 network interfaces
  – eth0 port: Management port and S-TAP communication
  – Other ports: Monitoring port for N-TAP/SPAN connection
  – Network adaptor expansion option for additional N-TAP/SPAN
• Software configuration
  – Kernel: Hardened Linux kernel (limited command line access)
  – Storage: Relational database (not directly accessible to users); an option is available for
    logging to flat files stored on the collector
  – Interface: Secure web server providing graphical web interface

The central component of the Guardium solution is a network appliance called a collector.

The IBM Security Guardium solution is available as either a hardware or software offering:
• Hardware offering. There are two versions of the hardware configuration:
  – The x2000 has dual Intel Xeon E5-2630 v2 6C 2.6GHz 15MB cache processors and a
    ServeRAID M5200 Series 1GB Cache/RAID 5 upgrade.
  – The x3000 has dual Intel Xeon E5-2667 v2 8C 3.3GHz 25MB cache processors and a
    ServeRAID M5200 Series 2GB Flash/RAID 5 upgrade.
  Both versions of the hardware offering are based around an IBM x3550 M4 1U form factor
  rack server and include the following features:
    – 64 GB of RAM
    – Two 300 GB hard drives
    – Four 1 Gb Ethernet ports
    – Two 10 Gb Ethernet ports
• Software offering. The solution can be delivered as software images to be deployed by the
  customers on their own hardware either directly or as virtual appliances.

Collector architecture
• Collector receives raw activity data from S-TAP
• Database activity data is parsed and evaluated on the collector
• Inspection Engine applies action based on installed Security Policy
• Logging stored in normalized relational database
• Alerts sent based on notification configuration
• Control signal sent to S-TAP for filtering control and termination actions

The slide graphic shows the S-TAP on the database server forwarding traffic (LOGIN USER ...,
SELECT ... FROM ..., CREATE TABLE ..., INSERT ..., DELETE ...) to the collector, where the security
policy maps Inventory data to Log SQL construct, Sales data to Log full SQL, Sensitive data to
Alert, and Unauthorized user to Terminate; the resulting actions are Alert, Log, and Terminate.

The collector performs the following functions:
• Receives database, file, and application data from S-TAP agents
• Parses and evaluates this data
• Applies security policies to this evaluated data to determine which actions should be applied
• Logs the data in an RDBMS on the collector
• Sends alerts as specified by policy and notification configuration
• Controls and configures the S-TAP agents
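The collector's policy evaluation, illustrated with an added Python example that is not part of the
course guide and not Guardium's inspection engine: the four outcomes from the slide (log the SQL
construct for inventory data, log the full SQL for sales data, alert on sensitive data, terminate
unauthorized users) applied in order to constructed S-TAP events. The event and rule structures,
the table and user names, and the rule-ordering semantics (a rule ends evaluation unless it is
marked to continue) are assumptions made for the example, not the product's configuration model.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    """One activity record as forwarded by an S-TAP (constructed shape)."""
    db_user: str
    client_ip: str
    sql: str


@dataclass
class Rule:
    """One security-policy rule (constructed shape, not Guardium's rule object)."""
    name: str
    action: str                               # LOG_CONSTRUCT, LOG_FULL, ALERT or TERMINATE
    objects: tuple = ()                       # tables the rule applies to; empty = any table
    authorized_users: Optional[tuple] = None  # when set, the rule fires for users NOT listed
    continue_to_next: bool = False            # keep evaluating later rules after this one fires


LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
OBJECT_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN|TABLE)\s+(\w+)", re.IGNORECASE)


def sql_construct(sql):
    """Replace string and numeric literals with '?' so only the statement shape is logged."""
    return LITERAL_RE.sub("?", sql)


def referenced_objects(sql):
    return {name.upper() for name in OBJECT_RE.findall(sql)}


def evaluate(event, rules):
    """Apply the policy to one event; returns the resulting actions in order."""
    objects = referenced_objects(event.sql)
    actions = []
    for rule in rules:
        if rule.objects and not objects & {o.upper() for o in rule.objects}:
            continue
        if rule.authorized_users is not None and event.db_user in rule.authorized_users:
            continue
        if rule.action == "LOG_CONSTRUCT":
            actions.append(("LOG", sql_construct(event.sql)))
        elif rule.action == "LOG_FULL":
            actions.append(("LOG", event.sql))
        elif rule.action == "ALERT":
            actions.append(("ALERT", rule.name))
        elif rule.action == "TERMINATE":
            # This is the control signal sent back to the S-TAP to close the session.
            actions.append(("TERMINATE", f"{event.db_user}@{event.client_ip}"))
        if not rule.continue_to_next:
            break
    return actions


# The four outcomes from the slide, as an ordered policy (most severe first).
RULES = [
    Rule("unauthorized user on sensitive data", "TERMINATE",
         objects=("CUSTOMERS_PII",), authorized_users=("app_svc",)),
    Rule("sensitive data access", "ALERT", objects=("CUSTOMERS_PII",), continue_to_next=True),
    Rule("sales data", "LOG_FULL", objects=("SALES",)),
    Rule("inventory data", "LOG_CONSTRUCT", objects=("INVENTORY",)),
]

# Constructed sample events; user names, addresses and tables are assumed.
SAMPLE_EVENTS = [
    Event("joe", "10.0.0.55", "SELECT ssn FROM customers_pii WHERE id = 42"),
    Event("app_svc", "10.0.0.20", "SELECT ssn FROM customers_pii WHERE id = 42"),
    Event("app_svc", "10.0.0.20", "INSERT INTO sales VALUES (7, 'widget', 19.99)"),
    Event("app_svc", "10.0.0.20", "UPDATE inventory SET qty = 5 WHERE sku = 'A-1'"),
]


def run_sample():
    return [evaluate(event, RULES) for event in SAMPLE_EVENTS]
```

Logging the construct rather than the full statement is what keeps the audit repository from
becoming a second copy of the sensitive values it is meant to protect; the full-SQL action is
reserved for the tables where the literal values themselves are the evidence.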

Port mirroring
• Copy of network packets observed on the switch port connected to data server is sent to
  collector
• Does not impact data server performance
• Requires network switch with port mirroring
  – Switched Port Analyzer (SPAN)
  – Roving Analysis Port (RAP)
• Requires direct connection to the collector
• Existing switch might not be able to accommodate multiple data servers connected to that
  switch
• Adds the cost of a network switch with port mirroring feature
• Encrypted and local connections will not be monitored
• Only recommended if network hardware already exists and data server cannot handle any
  additional software load

The slide graphic shows database traffic between the data server and the network switch, with the
switch sending mirrored database traffic to the Guardium collector.

Guardium can use several methods to gather data, including port mirroring, network tapping, and
software tapping (S-TAP). While S-TAP has become the primary method of data capture, it is still
important to understand port mirroring and network taps.

When the Guardium solution was first developed, the goal was to provide a completely passive
method (that is, zero impact on the database server) to monitor database activity by capturing the
database activity from the network.

Most modern network switches contain one or two ports, called span ports or mirroring ports,
designated to monitor traffic on the switch. These ports can be configured to forward a copy of all
traffic to and from a database server to one of the promiscuous ports on the Guardium collector.
Guardium receives an exact copy of all database traffic that it can digest and log in its own internal
database.

Some advantages of port mirroring:
• No database downtime required
• Zero impact on the database server

Some disadvantages of port mirroring:
• Local traffic is not captured
• Most switch vendors provide a limited number of SPAN ports
• Network administrators do not want to give up their available span ports
• If spanning several servers, extraneous traffic might be captured
• Encrypted traffic requires key management to be logged

Network tap
• Dedicated network tap hardware sends a copy of data server traffic to the collector (similar to
  port mirroring)
• Is not dependent on existing network hardware
• Does not impact data server performance
• Adds the cost of the network tap for each data server
• Requires direct connection to the collector
• Data server has to be taken offline for installation
• Encrypted and local connections will not be monitored
• Only recommended if data server has a high load and cannot handle any additional software load

The slide graphic shows the data server connected through a network tap to the network switch,
with the tap sending mirrored database traffic to the Guardium collector.

Another common hardware solution is a network tap. The database server's network cable is
connected to the network tap, not directly into the switch. The tap is then connected to the switch
and to one or possibly two of the promiscuous ports on the Guardium collector. The network tap
acts as a Y connector; all traffic going to and from the database server also goes to the collector.

Some advantages of network tapping:
• No network reconfiguration needed
• Zero impact on the database server

Some disadvantages of network tapping:
• Server downtime is required
• Local activity is not captured
• Additional hardware cost
• Failover contingency is difficult, if not impossible, to configure
• Encrypted traffic requires key management to be logged

Software tap (S-TAP)
• Is a host-based DBMS-independent software agent that sends network and local traffic to the
  collector
• Monitors all database activities at the OS level
  TCP, Shared Memory, Named Pipes, Bequeath
• Handles encrypted traffic
  SSH/IPSEC, Oracle ASO, SQL Server SSL
• Does not require any changes to database environment
• Installed only once on every system regardless of how many database instances and types are
  running
• No additional hardware is required and has a lower implementation cost
• Specific traffic can be filtered so that not all traffic is sent to the collector, which reduces the
  network load significantly
• Has less than 5% performance impact on the data server

S-TAP is the recommended data activity monitoring option.

The slide graphic shows the S-TAP on the data server sending database traffic plus mirrored
(filtered) database traffic to the Guardium collector.

Of all the disadvantages with span ports and network taps, the lack of local host monitoring is the
most critical. To close this hole, Guardium developed a software agent, called an S-TAP, to forward
local database activity to the collector. Local activity includes users directly accessing the system
from a physically attached device, as well as those connecting via SSH (secure shell) or remote
desktop.

Initially, S-TAP was meant to complement the hardware solutions. A span port or network tap would
be used for network traffic, while S-TAP would be used for monitoring local traffic only. However,
S-TAP always included the ability to forward network traffic as well, eliminating the need for a
hardware solution.

Because of the ease in using a software solution, as compared to hardware solutions, and the great
increases in S-TAP's efficiency and sophistication, S-TAP has become the primary method of data
capture for Guardium customers. Only a small percentage of customers still use span ports or
network taps. However, it is still important to understand the hardware options, because S-TAP is
basically a software implementation of the span port and network tap solution; S-TAP forwards
network packets to the collector for logging.

S-TAP features:
• Lightweight agent running on the data server that forwards traffic, in the form of network
  packets, to a Guardium collector
• Minimal resource utilization - 3 to 5% CPU, 10 MB memory mapped file
• Encrypted database traffic - handles most forms of database encryption (SSL, ASO, Kerberos,
  and so on)
• Redundancy - sends traffic to more than one collector
• Failover - provides failover to one or more collectors
• Load balancing - sends traffic across multiple collectors
• Prevention - blocks activity or terminates the connection
• Clusters - supports migrating, floating, unavailable databases
• Encryption - communicates over an encrypted channel to the collector (TLS)

S-TAP architecture
• K-TAP (Kernel Tap)
  – Kernel module hooks into client/server communication
  – Monitors DBMS network port
  – Different modules for versions of Linux/Unix kernels
• A-TAP (Application Tap)
  – Monitors communication at application level
    DB2, Informix, Oracle ASO
  – Dependent on K-TAP

The slide graphic shows the data server: a local application/user and the network both reach the
DBMS; K-TAP hooks in at the kernel level on the network layer, A-TAP at the application/user level
on shared memory, and both feed the S-TAP, which sends the data to the collector.

The S-TAP is a user space daemon that collects data from various sources in order to send it to the
Guardium system for analysis and logging. It works with two submodules, K-TAP and A-TAP.

The kernel tap (K-TAP) is a kernel module that can intercept all client-server communication. It
monitors the database management system network port. There are different versions of K-TAP for
different versions of Linux and Unix kernels.

The application tap (A-TAP) module monitors communications on an application level between
internal components of the database server. This allows Guardium to capture traffic that can only
be tapped at the database server application level. A-TAP uses K-TAP as a proxy to pass data to
S-TAP.

Two other, less-important components are Tee and PCAP. Tee is a proxy mechanism that reads
and forwards traffic from local clients to a database server. Tee is an alternative to K-TAP. Tee and
K-TAP are almost mutually exclusive. Packet Capture, or PCAP, is seldom used on Unix systems,
but has limited use on Windows and Linux systems.

CAS architecture
• Is a Java module that monitors changes in baseline configuration
  – Environment variables
  – Configuration files
  – Script outputs
• Is an optional component
• Requires Java VM installed
• Does not require S-TAP

The slide graphic shows CAS running on the data server alongside the S-TAP (with its K-TAP and
A-TAP submodules) and reading configuration files; both CAS and the S-TAP report to the collector.

Independent of the S-TAP is the Configuration Audit System (CAS) module.

The CAS module is a Java module that monitors configuration information and sends this data to
the collector. It is an optional component: it is required only for the CAS functionality, it does not
depend on the S-TAP, and it needs a Java VM on the data server.
Uempty
Lesson 3 Using aggregation and central management

In this lesson, you learn how Guardium aggregates information from multiple collectors to facilitate
a holistic view of data security in the enterprise. You also learn how Guardium centrally manages
data access policies and reporting.

Multicollector environment

The slide graphic shows several collectors, including collectors at remote locations, all reporting to
a combined aggregator and central manager.

There are limits to the amount of traffic that a single collector can log effectively. Because
exceeding this limit can result in a loss of data, in many implementations, multiple collectors are
at

required. The number of required collectors is usually a factor of the number of CPUs on each
database server and the type and quantity of traffic to be monitored.
ic

Centralized management and aggregation are required in an environment with multiple collectors.
l

These functions can be combined on a single server, or split onto different servers.
up
D
ot
N
o
D

© Copyright IBM Corp. 2016 48


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Aggregators
• An aggregator is an appliance dedicated to serve as the central repository of filtered/summarized
  audit data from multiple collectors
• It has a similar hardware and software configuration to a collector
• Collectors send data to the aggregator on a scheduled basis
• A centralized repository allows for enterprise-wide auditing
• Querying for reports is performed on the aggregator, which relieves collectors from the performance
  impact of running complex reports
• The aggregator allows collectors to be dedicated to monitoring and policy enforcement tasks

When two or more collectors are used, one or more aggregators are included in the solution. An
aggregator is a separate type of appliance. It does not collect traffic directly from database servers.
Instead, each collector sends its data to an aggregator on a periodic basis, which is usually nightly.
The aggregator then merges the data from all of the collectors into its own internal database. This
enables users to view all of the data from multiple collectors in a central location.

As with collectors, aggregators are available in the following configurations:

• A hardware solution, built around an IBM x3550 server, with similar configuration
• A software solution that clients can install on their own hardware or in a set of virtual machines

Central management supports enterprise-wide control and auditing. The aggregators can perform
the querying on the centralized repository, reducing the load on collectors. This enables collectors
to dedicate all of their resources to other monitoring and policy enforcement tasks.
The Central Manager

Centralized management provides these features
• Status of managed collectors and aggregators
• Detailed enterprise S-TAP view
• Central patch management
• Centralized policy management - Unified security policy pushed out to all managed collectors
• Centralized users/roles/permissions and groups management
• Centralized report definition and audit process definition

Implementation scenarios
• Dedicated aggregator
• Dedicated Central Manager
• Aggregator and Central Manager

The Central Manager stores most definitions, including queries, reports, policies, and alerts. If a
report is created on one collector, it is immediately available on all of the other appliances, including
the Central Manager itself.

An aggregator can also function as a Central Manager. The Central Manager can also reside on its
own server, separate from aggregators and collectors.

Central Managers provide the following functionality:

• They allow viewing of the status of distributed collectors and aggregators.
• They display the status of S-TAP agents on the managed servers across the enterprise.
• They centralize patch and policy management.
• They centralize management of users, roles, permissions, and groups.
• They centralize reports and audit processes.
Lesson 4 IBM Guardium hardware and software configurations

In this lesson, you learn how a Guardium environment can be implemented to support small,
medium, and large enterprises. This lesson examines several implementation scenarios:

• Combined aggregator and central management
• A combined aggregator and Central Manager with an additional dedicated aggregator
• A dedicated Central Manager managing multiple dedicated aggregators
Aggregator and Central Manager scenario

Diagram: a single Aggregator and Central Manager aggregates data from, and manages, Collector 1,
Collector 2, Collector 3, and Collector 4.

A small environment might include just one aggregator, which also acts as a Central Manager, that
handles all aggregation, definitions, and user management.
Dedicated aggregator scenario

Diagram: an Aggregator and Central Manager together with a dedicated Aggregator. Collectors S1, S2,
and S3 monitor Sales databases and Collectors H1, H2, H3, and H4 monitor Human resources
databases; each collector aggregates to one of the two aggregators, and the Central Manager
manages all units.

In a medium-sized environment, which is usually 10 to 15 collectors, a Central Manager continues
to function as an aggregator for a subset of collectors and perform central management functions
for all of the managed units, which are collectors and aggregators.
Dedicated Central Manager scenario

Diagram: a dedicated Central Manager manages two Aggregators. Collectors S1, S2, and S3 (Sales
databases) aggregate to one Aggregator and Collectors H1, H2, H3, and H4 (Human resources
databases) aggregate to the other.

In an enterprise-sized deployment, which is usually more than 10 to 15 collectors, the Central
Manager does not function as an aggregator. Instead, it is dedicated to central management
functions only.
Enterprise load balancing using Central Manager

• Dynamic load balancing is available in centrally managed environments
• Reduces workload on Guardium administrators by automating tasks that previously required
  manual tracking and intervention
• Eliminates the need to perform the following tasks
  – Manually evaluate the load of managed units before assigning to an S-TAP agent
  – Define failover managed units as part of a post-installation S-TAP configuration
  – Manually relocate S-TAP agents to less-loaded managed units

An additional advantage of using multiple collectors and aggregators is the capability to load
balance.

The dynamic load balancer performs load collection periodically, which entails getting a snapshot of
the current activity load for all active managed units and storing it in a load map. This load collection
does not affect other activity on the Central Manager.

You can specify the load collection using a fixed interval or dynamically. Dynamic collection is the
default and recommended setting. With dynamic collection, intervals are determined by the number
of managed units. You can plan one additional hour for every ten managed units. Dynamic intervals
guarantee a more accurate load map without overloading the Central Manager.
Lesson 5 Integrating IBM Guardium with other tools

In this lesson, you learn how Guardium integrates with other tools.
Integration

Guardium appliances interact with other servers in the network environment
• Database servers
• File servers
• FTP servers
• Backup servers
• Email servers
• Other servers

Diagram labels: FTP server; File server (Windows); Backup server (SCP, FTP, TSM, or Centera); File
server (Unix/Linux); Email server; Database server; SIEM; SNMP server; LDAP/Active Directory.

Guardium interacts with many other software servers in a corporate environment, including those
shown in the following list:

• Database servers
  – Data Access Monitoring via S-TAP, SPAN port, or Network TAP
  – Change Access Control (CAS)
  – Enterprise Data Correlation; Guardium can upload data from external databases and
    integrate it into its internal database
• File and FTP servers
• Backup servers such as SCP, FTP, TSM, and Centera
• Email servers
• Security information and event management (SIEM) servers such as IBM QRadar
• LDAP/Active Directory servers
• SNMP servers

IBM Guardium can be integrated with IBM InfoSphere BigInsights to monitor Hadoop environments.
IBM InfoSphere BigInsights includes an integrated capability called the Guardium Proxy to read and
send log messages to InfoSphere Guardium for analysis and reporting. With the proxy, BigInsights
sends messages from Hadoop logs to the InfoSphere Guardium collector.
Unit summary
• Describe the basic architectural components of an IBM Guardium implementation
• Identify the methods Guardium uses to capture database traffic
• Describe the functions of aggregation and central management
• Identify Guardium hardware and software configurations for various environments
• List the tools that can integrate with Guardium
Unit 3 IBM Guardium: User interface

The IBM® Guardium® V10 release has many new features and enhancements. This updated
version provides a new and intuitive interface, making it very easy to navigate. The updated menu
includes a Guardium security lifecycle view, making navigation options easy to understand and use.
The new UI can be customized based upon the tools you need most. This new release allows you
to create and use dashboards to organize and manage your reports.

The configuration and control commands cover a large number of configuration settings within the
Guardium appliance. In this unit, you learn to navigate the Guardium interface, customize
dashboards, and use the search feature. You also learn to use the command line interface (CLI) to
perform basic system functions.

References:

• Exploring the IBM Guardium interface: http://bit.ly/1XLk85f
• Using the Guardium Command Line Interface: http://bit.ly/1QqCIdc
Unit objectives
• Navigate the Guardium control center
• Use the command line interface to update system parameters
Lesson 1 Navigating the user interface

In this lesson, you learn how to navigate and configure the Guardium control center web-based
user interface.
Guardium V10 web interface

Screenshot: the Guardium V10 web interface.

The Guardium V10 user interface is task focused, rather than functionality focused. The interface
has been redesigned to make navigation simple, especially for everyday tasks. The Guardium V10
user experience focuses on guiding the user through key end-to-end processes such as
discovering sensitive data.

The Guardium V10 control center optimizes the Guardium experience through the following
features:

• Operational dashboard
• New user interface
• Easy navigation with advanced portal search
• End-to-end scenarios with in-context action
• Customizable reports
• Drill-down capabilities
• Streamlined processes, including quick navigation
Top banner

Screenshot callouts: Shows or hides left navigation menu; Notifications, Tasks, and Help; Search bar;
User pull-down menu.

The top banner has the following features:

• Notifications: Lists notices relevant to the user
• Tasks: Lists to-do items on a per user basis
• Help: Links to help files, version information, and functions enabled
• Search bar: Allows search of data activity, file activity, and user interface objects and resources
• User pull-down menu: Allows customization of user interface, editing of account information,
  and signout
Navigation menu

Screenshot callouts: Navigation menu with icons and labels; Navigation menu with icons only.

The navigation menu groups objects and resources by function. You can display this menu with or
without labels by clicking the >> or << icon on top of the navigation menu.

Many resources are available through more than one path. As an example, you can access a
resource called the Group Builder by going to Setup > Tools and Views > Group Builder or
Protect > Security Policies > Group Builder.

You can create new groups in the navigation menu, and add items to these new groups.
Search bar

Screenshot: the search field in the top banner.

The Guardium interface top banner contains a search field. You can use the search field to search
within three separate contexts:

• Data: This context opens a window that lists database activity, errors, and policy violations.
• File: This context opens a window that lists file activities, errors, policy violations, and
  entitlements.
• User Interface: As you enter terms, Guardium resources and objects appear as options. In the
  example above, typing report returns a list of reports and where in the navigation menu you
  can find the reports.

In the Data and File contexts, leave the search box blank to get all audit data, or specify terms to
narrow the entries returned. As an example, if searching with the File context, entering csv returns
files that contain that term in their name. In the new window, you can add filters to the results by
using either of these methods:

• Clicking a value in the results area or from one of the facets to the left of the audit results
• Entering search terms manually in the search field that appears in the new window
Guided processes

Screenshot: a guided process for defining a rule.

Guardium V10 eases tasks by providing guided processes. These processes list the steps required
to complete a task. You can complete each step in or out of sequence.

In the example above, the user has completed the first step, providing a name for the rule, and is in
the middle of the second step, defining the rule criteria. After defining the rule criteria, the user
would click Next to go to the final step, which is specifying the actions to be taken when the
criteria are met. At any time, the user can go back to a previous step to edit the information included
in that step. As an example, the user could click Edit on the Rule Definition step to change the
name of the rule.
Report dashboard

Screenshot: a report dashboard.

Viewing reports is an important part of monitoring data security. You can use Guardium to create
multiple dashboards to contain reports. Each dashboard contains one or more reports, and the
same report can appear on more than one dashboard. You can use the Customize option on the user
pull-down menu on the top banner to set a dashboard to appear as the home page of the Guardium
interface.
Exercise introduction
Complete the following exercise in the Course Exercises book
• Exploring the IBM Guardium interface

Perform the exercise for this lesson.

Use the following link to view a demonstration of this exercise:

• Exploring the IBM Guardium interface: https://vimeo.com/163739906
Lesson 2 Using the command line interface (CLI)

In this lesson, you learn how to use the command line interface to perform Guardium management
functions.
CLI overview
The CLI commands are arranged in nine different categories
1. Network configuration commands
2. Aggregator commands
3. Alerter configuration commands
4. Configuration and control commands
5. File-handling commands
6. Diagnostic commands
7. Inspection engine commands
8. User account, password, and authentication commands
9. Certificate commands

The CLI commands are grouped into nine different categories.

• Network configuration
• Aggregation configuration
• Alerter configuration
• System configuration and control
• File handling
• Diagnostics
• Inspection engine management
• User account, password, and authentication management
• Certificate

These categories are summarized throughout this unit.
CLI users
• Default user accounts
  – cli
  – guardcli1 through guardcli5
• cli logs on directly
• Using guardcli1 through guardcli5 requires a second Guardium user ID, entered with the
  set guiuser command

Screenshot: set guiuser example.

Access to the CLI and its commands is limited to a small group of Guardium users. The main
administrator for the Guardium appliance utilizes the cli user ID. Additionally, Guardium includes
five other user accounts, guardcli1, guardcli2, guardcli3, guardcli4, and guardcli5,
which can be assigned to different users. These additional accounts provide for separate
administration and better accountability.

Logging on to the CLI as the main administrative user cli requires only the appropriate password.
Logging on to the CLI as one of the additional CLI accounts requires the appropriate password
AND an additional user ID and password. Enter the additional user ID and password using the set
guiuser command.

As an example, follow these steps to use one of the additional CLI user IDs:

1. Log in via ssh as guardcli1.
2. Issue the set guiuser command, passing in a second Guardium user ID and password.

The second Guardium user ID must have either admin or cli as one of its roles to be able to use
the CLI. Role setting is covered in another unit.

All activity performed by this login is tracked as CLI_USER+GUI_USER (for example,
guardcli+polly) within the Guardium internal audit trail.
CLI account requirements

• All CLI accounts have the following password requirements
  – Password Expiration
    • Enforced expiration periods (default = 90 days)
    • Required password change at next login
  – Password Validation
    • Minimum of eight characters in length
    • Contain at least one character from three of the following four classes
      – Any uppercase letter
      – Any lowercase letter
      – Any numeric (0,1,2,...)
      – Any nonalphanumeric (special) character
• CLI users cannot be authenticated through LDAP
• The CLI user must either log in locally or log in manually with a secure network protocol such as SSH

Guardium enforces password hardening on each of the CLI accounts (cli and guardcli1 through
guardcli5).

All CLI accounts must abide by the following regulations:

• An expiration period for CLI passwords is enforced by the system. The default expiration period
  is 90 days. When a password expires, a required change of password will be invoked during the
  next login process.
• Passwords must be a minimum of eight characters in length, and must contain at least one
  character from three of the following four classes:
  – Any uppercase letter
  – Any lowercase letter
  – Any numeric digit (0,1,2,...)
  – Any nonalphanumeric (special) character (#, !, %, …)

CLI users cannot be authenticated through LDAP because these are considered administrative
accounts that should be able to log in regardless of connectivity to an LDAP server.

As mentioned earlier, the special CLI accounts guardcli1 through guardcli5 require use of an
additional user ID. The CLI audit trail will show the CLI account (CLI_USER) and the additional
account (GUI_USER) in all entries generated for the user.

You log in to one of the CLI accounts through a secure connection. If you have physical access to
the Guardium appliance, you can log in through the system console or through a terminal
connected through the serial port. You can also log in through a secure connection using an ssh
(secure shell) client such as PuTTY or SecureCRT.
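The password rules above, written out as a checker. This is an added example, not part of the course material or the Guardium product: the rules (eight characters minimum, three of the four character classes, 90-day expiration) come from the text, while the function names are my own and the sample passwords are constructed.

```python
"""Checker for the CLI password rules described in this lesson.

Added example, not part of the course material or the Guardium product. The
rules (minimum length eight, at least three of the four character classes, a
90-day expiration period) come from the text; the function names are my own
and the sample passwords below are constructed, not real credentials.
"""
from datetime import date, timedelta

MIN_LENGTH = 8            # "Minimum of eight characters in length"
DEFAULT_EXPIRY_DAYS = 90  # "Enforced expiration periods (default = 90 days)"


def character_classes(password: str) -> set:
    """Return the character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Anything that is not a letter or digit counts as nonalphanumeric (special).
            classes.add("special")
    return classes


def validate_cli_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < 3:
        problems.append("fewer than three of the four character classes")
    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     expiry_days: int = DEFAULT_EXPIRY_DAYS) -> bool:
    """True once the expiration period has elapsed, so a change is required at the next login.

    Dates are ISO strings (YYYY-MM-DD) so the helper stays self-contained.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= timedelta(days=expiry_days)


if __name__ == "__main__":
    for candidate in ("Guard1um!", "guardium1", "Gu4rd!"):
        print(candidate, validate_cli_password(candidate) or "OK")
    print("expired after 91 days:", password_expired("2016-01-01", "2016-04-01"))
```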

Navigating the CLI

• Commands and keywords can be abbreviated by entering enough characters to make the commands
  unambiguous
• Most Guardium CLI commands consist of a command word followed by one or more arguments; the
  argument can be a keyword or a keyword followed by a variable value
• Commands and keywords are not case sensitive, but element names are
• Quotation marks are used around words or phrases to precisely define search terms

CLI commands follow some standard usage conventions:

• You can save typing if you enter only enough characters to differentiate the command from
  other commands. As an example, show system hostname can be abbreviated to sh sys host.
  This is useful with frequently used commands, but should not be used when writing scripts,
  because the abbreviations would be confusing to those maintaining the scripts.
• Most Guardium CLI commands consist of one of a few possible command words followed by
  one or more arguments. With practice, you will learn most of the common command words and
  arguments, as well as which abbreviations work for those command words and arguments.
• Commands and keywords are not case sensitive. SHOW works the same as show. Element
  names are case sensitive.
• You might need to include spaces in search terms. In this case, use quotation marks around the
  phrase.

Listing commands
To generate a list of all available commands for a given topic, type command (or comm) plus a
keyword or part of a keyword
For example, comm file returns all file-handling commands

To generate a list of all available commands for a given category, type command or comm, plus a
keyword or part of a keyword at the command prompt. As an example, comm agg returns all
aggregation related commands, comm net returns all network related commands, and comm file
returns all file-handling commands.
Displaying command syntax

• To display command syntax and usage options, enter a question mark (?) as an argument following
  the command word
  For example, supp show ? displays all of the options for the support show command
• Another way of getting all possible arguments for a command is to enter the first word or words of the
  command

To display command syntax and usage options, enter a question mark (?) as an argument following
the command word or words. These examples are valid commands:

agg list ?
supp show ?
show ?

An alternate method of getting all possible arguments for a command is to enter the first word or
words of the command at the command prompt. These examples are also valid commands:

agg list
supp show
show
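The abbreviation rule from Navigating the CLI (enough characters to be unambiguous, keywords case-insensitive, element names case-sensitive) and the "enter the first word or words" behaviour above, modelled as a small resolver. This is an added example, not course material or Guardium code: the command table is a constructed subset of commands named in this unit, and the matching logic is my own illustration of the conventions, not the product's implementation.

```python
"""Abbreviation resolution for Guardium-style CLI commands.

Added example, not part of the course material or the Guardium product. The
command table is a small constructed subset of commands named in this unit,
and the matching rules are my own reading of the conventions in the text:
keywords are matched case-insensitively by the shortest unambiguous prefix,
and an incomplete command lists the arguments that may follow it.
"""

# Constructed subset of full commands, each as a tuple of keywords.
COMMANDS = [
    ("show", "system", "hostname"),
    ("show", "system", "domain"),
    ("show", "network", "interface", "ip"),
    ("store", "system", "hostname"),
    ("store", "system", "domain"),
    ("store", "network", "interface", "ip"),
    ("store", "network", "interface", "mask"),
    ("store", "network", "routes", "def"),
    ("restart", "system"),
    ("support", "show"),
]


class AmbiguousCommand(ValueError):
    """The prefix matches more than one keyword at the same position."""


class UnknownCommand(ValueError):
    """The prefix matches no keyword at that position."""


def resolve(abbreviated: str) -> str:
    """Expand 'sh sys host' to 'show system hostname'.

    Keywords are case-insensitive. Anything typed after a complete command is
    an element value and is passed through unchanged, because element names
    are case sensitive.
    """
    words = abbreviated.split()
    candidates = list(COMMANDS)
    expanded = []
    for position, word in enumerate(words):
        prefix = word.lower()
        matches = {c[position] for c in candidates
                   if len(c) > position and c[position].startswith(prefix)}
        if not matches:
            if any(len(c) == position for c in candidates):
                # A full command was already matched: the rest is its value.
                expanded.extend(words[position:])
                break
            raise UnknownCommand(f"no keyword matches '{word}' at word {position + 1}")
        if len(matches) > 1:
            raise AmbiguousCommand(
                f"'{word}' could be any of: {', '.join(sorted(matches))}")
        keyword = matches.pop()
        expanded.append(keyword)
        candidates = [c for c in candidates
                      if len(c) > position and c[position] == keyword]
    return " ".join(expanded)


def next_arguments(partial: str) -> list:
    """List the keywords that can follow a partial command, the way the CLI
    does when you enter only the first word or words (or append '?')."""
    prefix = tuple(resolve(partial).split()) if partial.strip() else ()
    depth = len(prefix)
    return sorted({c[depth] for c in COMMANDS
                   if len(c) > depth and c[:depth] == prefix})


if __name__ == "__main__":
    print(resolve("sh sys host"))            # show system hostname
    print(next_arguments("sto sys"))         # ['domain', 'hostname']
    try:
        resolve("s sys host")                # 's' is ambiguous
    except AmbiguousCommand as exc:
        print("ambiguous:", exc)
```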
Show and store

• The show command displays the value of the indicated argument
• The store command changes the value of the indicated argument

Screenshot: show and store commands at the CLI prompt.

The show command displays the value of the indicated argument, and the store command
changes the value of the indicated argument.
Network configuration commands

Use the network configuration CLI commands to accomplish the following tasks
• Identify a connector on the back of the appliance
• Reset networking after installing or moving a network card
• Set IP addresses
• Enable or disable high-availability
• Configure the network card if the switch it attaches to will not autonegotiate the settings

You can use the following commands to configure the network:

store network interface ip <ip_address>
store network interface mask <subnet_mask>
store network routes def <default_router_ip>
store network resolver 1 <resolver_1_ip>
store network resolver 2 <resolver_2_ip>
store network resolver 3 <resolver_3_ip>
store system hostname <host_name>
store system domain <domain_name>

After the configuration has been completed, you must issue a restart system command.

After the system has rebooted, you can confirm connectivity with the following commands:

ping <default_router_ip>
ping <resolver_1_ip>
o
D
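
As an added example (not from the course guide), the following Python function assembles this command sequence from the values you intend to use and checks them before you type anything into the CLI; it only returns the command lines and never contacts the appliance. The sample addresses and the hostname guardium-coll1 are constructed values.

```python
"""Build and sanity-check the Guardium CLI network configuration sequence.

Added example, not part of the course guide. It validates the values that
go into the commands shown above (store network interface ip/mask, routes
def, resolver 1-3, system hostname/domain), then emits the commands in the
order the guide gives, followed by 'restart system' and the two connectivity
checks. A value that would leave the appliance unreachable after the reboot
(router outside the interface subnet, malformed hostname) is rejected early.
"""
import ipaddress
import re

# RFC 1123 host label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _check_labels(name: str, field: str) -> None:
    """Reject empty or malformed hostnames/domains before they reach 'store system'."""
    labels = name.split(".")
    if not name or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"{field} {name!r} is not a valid DNS name")


def build_network_commands(ip, mask, default_router, resolvers, hostname, domain):
    """Return the list of CLI commands for this network configuration.

    Raises ValueError for a bad address or mask, a default router that is not
    in the interface subnet, more than three resolvers, or a malformed name.
    """
    iface = ipaddress.ip_interface(f"{ip}/{mask}")   # validates ip and mask together
    router = ipaddress.ip_address(default_router)
    if router not in iface.network:
        raise ValueError(f"default router {router} is not in subnet {iface.network}")
    if router == iface.ip:
        raise ValueError("default router cannot be the appliance's own address")
    if not 1 <= len(resolvers) <= 3:
        raise ValueError("the CLI has resolver slots 1 to 3; give one to three resolvers")
    resolver_ips = [ipaddress.ip_address(r) for r in resolvers]
    _check_labels(hostname, "hostname")
    _check_labels(domain, "domain")

    cmds = [
        f"store network interface ip {iface.ip}",
        f"store network interface mask {iface.netmask}",
        f"store network routes def {router}",
    ]
    # Resolver slots are numbered 1..3 in the CLI, matching the guide's examples.
    cmds += [f"store network resolver {n} {r}" for n, r in enumerate(resolver_ips, start=1)]
    cmds += [
        f"store system hostname {hostname}",
        f"store system domain {domain}",
        "restart system",
        # Post-reboot connectivity checks from the guide: gateway first, then DNS.
        f"ping {router}",
        f"ping {resolver_ips[0]}",
    ]
    return cmds


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not a real deployment.
    for line in build_network_commands("192.0.2.10", "255.255.255.0", "192.0.2.1",
                                       ["192.0.2.53", "198.51.100.53"],
                                       "guardium-coll1", "example.com"):
        print(line)
```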

Aggregator commands

Use the aggregator CLI commands to accomplish the following tasks:
• Back up the shared secret keys file to a specified location
• Define the amount of collector data that the aggregator UI will work with
• Set the system-shared secret key to null
• Start or stop writing debug information related to aggregator activities
• Move or rename failed import files

Aggregation is the process by which export files are sent from each collector to an aggregator,
where the data from all of the collectors is merged and stored in a single database. This provides a
single reporting source for all of the monitored data.

Alerter configuration commands

Use the alerter configuration CLI commands to accomplish the following tasks:
• Stop or restart the alerter
• Specify that the alerter will be started automatically when the system is rebooted
• Set the polling interval for the alerter
• Set the alerter’s SMTP authentication password
• Set the alerter’s SMTP email authentication username

The alerter subsystem transmits messages that have been queued by other components. These
examples show some of the alerts you might see:
• Correlation alerts that have been queued by the Anomaly Detection subsystem
• Run-time alerts that have been generated by security policies

The alerter subsystem can be configured to send messages to both SMTP and SNMP servers.
Alerts can also be sent to syslog or custom alerting classes, but no special configuration is required
for those two options beyond starting the alerter.

The Alerter can also be configured in the control center under Setup > Tools and Views > Alerter.

Configuration and control commands

Use the configuration and control CLI commands to accomplish the following tasks:
• Check the installed licenses
• Ping remote systems
• Restart the GUI interface
• Reboot the Guardium appliance
• Set the user timeout value

The configuration and control commands cover a large number of configuration settings within the
Guardium appliance. Remember that you use the store command to set a configuration setting
and the show command to display a current configuration setting.

File-handling commands

Use the file-handling CLI commands to accomplish the following tasks:
• Back up and restore configuration information
• Back up and restore the Guardium database
• Back up and restore profile information
• Export and import audit data
• Display exported audit data files

You use the file-handling commands to work with the Guardium files, including the configuration
files, the database files, the profiles, and auditing files.

Diagnostic commands

• The diag command opens a menu-driven window that you use to perform a number of diagnostic
functions
• You do not perform any functions with the diag command on a regular basis
• Generally, you use this command only as directed by technical support

Use the diagnostic commands only under the direction of Technical Support.

Inspection engine commands

Use the inspection engine CLI commands to accomplish the following tasks:
• Add an inspection engine
• Delete an inspection engine
• List inspection engines
• Stop and restart an inspection engine

An inspection engine monitors the traffic between a set of one or more servers and a set of one or
more clients using a specific database protocol such as DB2, Oracle, or Sybase.

The inspection engine performs the following tasks:
• Extracts SQL from network packets
• Compiles parse trees that identify sentences, requests, commands, objects, and fields
• Logs detailed information about that traffic to an internal database

User account, password, and authentication commands

Use the user account, password, and authentication CLI commands to accomplish the following
tasks:
• Define when an inactive user account will be disabled
• Define when a password must be changed
• Lock out users after failed login attempts
• Enable and disable password validation

The user account, password, and authentication commands work with user account information.

Certificate commands

Use the certificate CLI commands to accomplish the following tasks:
• Create a certificate signing request (CSR)
• Store a certificate authority (CA) or intermediate trusted path certificate on the Guardium
appliance
• Store a server certificate on the Guardium appliance
• Create a CSR in PEM format

You use the certificate commands to create certificate signing requests (CSRs) and to install server,
certificate authority (CA), or trusted path certificates on the Guardium appliance.

Note: Guardium does not provide CA services and will not ship systems with certificates that
differ from the one installed by default. Customers who want their own certificate must contact a
third-party CA such as VeriSign or Entrust.

GuardAPI

• GuardAPI is a set of CLI commands that provide access to Guardium functionality from the
command line
– Allows for the automation or scripting of repetitive tasks
• GuardAPI covers the following functions
– CAS
– Catalog Entry
– Datasource
– Datasource Reference
– Group
– Role
– S-TAP
– Process control

GuardAPI commands provide access to Guardium functionality from the command line or from
scripted files. This allows for the automation of repetitive tasks, which is especially valuable in
larger implementations. Calling these GuardAPI functions enables a user to quickly perform
operations such as creating datasources, maintaining user hierarchies, or maintaining Guardium
features such as S-TAP.

Exercise introduction
Complete the following exercise in the Course Exercises book
• Using the Guardium Command Line Interface

Use the following link to view a demonstration of this exercise:
• Using the Guardium Command Line Interface: https://vimeo.com/163740772

Unit summary
• Navigate the Guardium control center
• Use the command line interface to update system parameters

Unit 4 IBM Guardium: Access management

IBM Guardium supports the individuals who are responsible for performing data security functions,
and you use the built-in users and roles, including admin and accessmgr, to assign roles to new
users and to remove them. In this unit, you learn to use the Access Manager interface to create
and maintain user accounts and roles.

Unit objectives
• Create new users
• Assign roles to new users

Lesson 1 User management

Data security includes many functions. In an enterprise, these functions are delegated to
individuals or teams. Generally, any individual involved with data security is responsible for
performing a set of different functions, some of which might be related. Individuals performing data
security functions are represented by Guardium users. The sets of functionality are represented by
roles. Users are mapped to one or more roles. This lesson describes how to manage users and
roles in Guardium.

accessmgr characteristics
• Is a built-in user
• Is automatically in the access management role
• Cannot be deleted
• Can create and maintain user accounts and roles
• Provides for separation of duties

Guardium has several built-in users, including admin and accessmgr. The accessmgr role is for use
by the access manager. The access manager’s primary functions are to create and maintain user
accounts and roles.

Access management functions, such as creating users and changing passwords, are performed by
users in the access management role. The accessmgr user is automatically part of the access
management role. Other users can include the access management role as well.

The admin user is not automatically part of the access management role. This allows for the
separation of system duties between the administrator (admin) and the access manager
(accessmgr). Users cannot have both the access and admin roles assigned to them.

Access management user navigation menu options

The accessmgr user and the access management role include two options in the navigation menu:
• Access Management contains the following tools and reports:
– Access Management: Contains tools required to manage users, roles, and access to
applications
– User & Role Reports: Reports that show how many roles a user is associated with
• Data Security contains the following tools and reports:
– Datasources Associated
– Datasources Not Associated
– Servers Associated
– Servers Not Associated
– User Hierarchy
– User-DB Association

Access management is described in this module. Data Security is an advanced topic and is not
covered in this module.

Access Management tool

The Access Management tool contains links to manage users, roles, and access to applications.
Access Management contains the following menu items:
• User Browser
• User Role Browser
• User Role Permissions
• User LDAP Import

User Browser
Use the User Browser link to create, modify, and delete Guardium user accounts

The user browser function creates, modifies, and deletes Guardium user accounts. Anyone in the
access management role has access to this panel, and can work with users. The panel has options
to filter and search users, add users, edit users, change a user’s roles, and delete users.

Note: You cannot delete the privileged users accessmgr and admin.

Adding a user

Each new user requires a user name, password, first name, last name, and email address.

You can enable or disable users. Clear the Disabled check box to have the user become
immediately active.

Guardium adds all newly created users to the user role by default. You can add additional roles
after the user is created.

Editing a user
• Use the Edit link to update an existing user
• You can change any attribute except the user name

You can modify all of an existing user’s settings except the Username.

To modify an existing user, select the user browser and then click Edit next to the user to be
modified. If the list of users is too long, you can narrow it down by using a filter, which includes a
filter string and the field it applies to, such as Username or Email address.

User browser - modifying roles

• Use the Roles link to modify a user’s role membership
• The user becomes a member of any role that is selected
• The user does not become a member of any role that is not selected

The Access Management tool is also used to assign users to roles. A user must belong to at least
one of the following roles: accessmgr, admin, or user. By default, every new user is added to the
user role.

Roles are discussed more fully in an upcoming lesson.

Assigning user roles

• Use the Roles link to modify a user’s role membership
• The user becomes a member of any role that is selected

Users are assigned the user role by default. To assign additional roles, click the Roles link next to
the user in the user browser.

You assign the cli role to users who will execute commands through the command line interface
(CLI) by means of the set guiuser <gui_user> command. You must run this command when
logging on through the CLI with one of the default CLI accounts, guardcli1 through guardcli5, before
any Guardium API commands will work. This authentication prevents users with limited roles in the
GUI from gaining unauthorized access to Guardium API commands.

Deleting users
• Use the Delete link to delete a Guardium user account
• Required users cannot be deleted, and the Delete link will not show next to their entry

You can delete users by using the Delete link. You cannot delete required users, such as admin
and accessmgr. These users do not display the Delete link.

All objects owned by a user, such as queries and policies, are reassigned to the admin user when
you delete the user who owns them.

Importing users from LDAP

You can import user definitions from an LDAP/Active Directory server. To configure LDAP user
import, you must assign the accessmgr user the privilege to run the Group Builder.

Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating Guardium users

Perform the exercise for this lesson.

Use the following link to view a demonstration of the exercise:
• Creating Guardium users: https://vimeo.com/169620912

Lesson 2 Role management

You must control which functions individual users have access to. Sets of functionality are called
roles, and are linked with users. Roles also define the look of a user’s GUI when the user logs in to
Guardium. You have already seen how the accessmgr user’s GUI appears different from the admin
user’s GUI. In this lesson, you learn how to create new roles, configure the default layout for a role,
and assign permissions for the role.

Note: You must associate a user with at least one role. You can associate a role with more than
one user.

User roles

You use security roles to grant access to the following resources:
• Guardium resources, such as groups, queries, and reports
• Applications, such as the Group Builder, Report Builder, Policy Builder, and Security
assessments

By default, when a resource is initially defined, only the user who defined the resource and the
admin user can access or modify that resource.

You can give other users access to these resources by assigning security roles. For example, if you
assign a security role named DBA to an audit process, all users assigned the DBA role can access
that audit process.

Many roles are configured by default. Others can be added through the Role Browser tool. There
are several predefined, default roles that you cannot delete. The following list shows some of these
default roles:
• user: Provides the default layout and access for all common users.
• admin: Provides the default layout and access for Guardium administrators.
• accessmgr: Provides the default layout and access for the access manager.
• cli: Provides access to the CLI. The admin user has default access to the CLI, but other users
must have this role added explicitly.
• diag: See the “diag CLI Command” topic in the online help for information about managing the
diag role.
• inv: Provides the default layout and access for investigation users.
• datasec-exempt: Activated when Data level security is enabled. If the user has this role, a
Show-all check box will appear in all reports.
• review-only: Allows users specified by this role to only view results (Audit, Assessment,
Classifier) Audit Results and the To Do List.

Note: A user must belong to at least one of these roles: user, admin, or accessmgr. A user cannot
belong to both the admin and accessmgr roles.

The following sample roles are also provided when you install Guardium, but you can delete them if
you need to:
• dba: Provides access for users who have a database-centric view of security.
• infosec: Provides access for users who have an information security focus.
• netadm: Provides access for users who have a network-centric view.
• appdev: Provides access for application developers, architects, and QA personnel who have an
application-centric focus.
• audit: Provides access for auditors and others who need to view audit reports.
• audit-delete: Role used to track or log when an audit process result has been deleted.
• admin-console-only: This role can only access the admin console tab.

Accelerator and module-based roles are available if the system license includes the associated
software function:
• cas: Configuration Auditing System (CAS).
• pci: Database Activity Monitor - PCI Solution Kit. Cannot be deleted.
• sox: Database Activity Monitor - SOX Solution Kit. Cannot be deleted.
• fam: Use this role to define and modify the File Activity Monitor functions.
• vulnerability-assess: Use this role to view vulnerability results.
• BaselII: Basel II Part 2 Sections 4 and 5 require that banking institutions must define a
Securitization Framework around financial information and estimate the associated operational
risk. Cannot be deleted.
• DataPrivacy: The Data Privacy Accelerator delivers a portfolio of preconfigured policies,
real-time alerts, and audit reports that are specifically tailored to the challenges of identity theft
and based on industry best practices. Cannot be deleted.
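
The user and role rules this unit states (the default user role for new users, membership in at least one of user, admin, or accessmgr, never admin and accessmgr together, required users and predefined roles that cannot be deleted, and ownership passing to admin when a user is deleted) collected into one small model, as an added example that is not Guardium code. The role and user names are the ones the guide lists; the AccessManager class, the user jdoe, and the string stand-ins for owned objects are constructed for this example.

```python
"""Model of the Guardium user and role rules stated in this unit.

Added example, not Guardium code. It enforces in one place:
  - a new user starts in the 'user' role;
  - every user belongs to at least one of user, admin, accessmgr;
  - no user holds both admin and accessmgr (separation of duties);
  - admin and accessmgr are required users and cannot be deleted;
  - predefined roles cannot be deleted, the sample roles can;
  - deleting a user reassigns the objects it owns to admin.
Owned objects (queries, policies) are represented by plain strings.
"""

BASE_ROLES = {"user", "admin", "accessmgr"}            # at least one is mandatory
PREDEFINED_ROLES = BASE_ROLES | {"cli", "diag", "inv", "datasec-exempt", "review-only"}
SAMPLE_ROLES = {"dba", "infosec", "netadm", "appdev", "audit", "audit-delete",
                "admin-console-only"}                 # installed, but deletable
REQUIRED_USERS = {"admin", "accessmgr"}


class AccessManager:
    """Tracks users, their roles and owned objects under the guide's rules (constructed)."""

    def __init__(self):
        self.roles = set(PREDEFINED_ROLES) | set(SAMPLE_ROLES)
        # Built-in users: admin is not in the access management role by default.
        self.users = {"admin": {"admin"}, "accessmgr": {"accessmgr"}}
        self.owned = {"admin": [], "accessmgr": []}

    def add_user(self, name):
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = {"user"}          # default role for every new user
        self.owned[name] = []

    def set_roles(self, name, roles):
        """Replace a user's role membership, mirroring the Roles check boxes."""
        roles = set(roles)
        unknown = roles - self.roles
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        if not roles & BASE_ROLES:
            raise ValueError("user must belong to at least one of user, admin, accessmgr")
        if {"admin", "accessmgr"} <= roles:
            raise ValueError("a user cannot hold both admin and accessmgr")
        self.users[name] = roles

    def delete_user(self, name):
        if name in REQUIRED_USERS:
            raise PermissionError(f"{name} is a required user and cannot be deleted")
        # Objects owned by the deleted user move to admin, as the guide states.
        self.owned["admin"].extend(self.owned.pop(name))
        del self.users[name]

    def delete_role(self, role):
        if role in PREDEFINED_ROLES:
            raise PermissionError(f"{role} is a predefined role and cannot be deleted")
        self.roles.discard(role)
        for roles in self.users.values():
            roles.discard(role)              # members simply lose the role

    def users_in_role(self, role):
        """Counterpart of the All Roles - User report: who belongs to a role."""
        return sorted(u for u, r in self.users.items() if role in r)


def demo():
    """Walk through the rules with a constructed user; returns the final state."""
    am = AccessManager()
    am.add_user("jdoe")                             # starts in the 'user' role
    am.owned["jdoe"].append("query:failed-logins")   # constructed owned object
    am.set_roles("jdoe", {"user", "cli", "dba"})    # CLI access needs the cli role
    am.delete_role("dba")                           # sample role, allowed
    am.delete_user("jdoe")                          # owned query moves to admin
    return am
```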

Creating a new role

You can create a new role or copy an existing role

Customizing the navigation menu for a role

You can also customize the navigation menu for each role. The left panel shows the available tools
and reports. You can select them, then move them under one of the folders or subfolders of the
Navigation pane. Additional custom folders can be created in the navigation menu as well.

Setting role permissions

Access to each application or Guardium function is determined by privileges based on roles. You
can assign roles to an application by moving applications from the Inaccessible applications list
to the Accessible applications list. You can filter to find specific applications.

User and role reports

The User & Role Reports link contains two reports:
• User - Role: Lists all users with the number of roles each belongs to. You can drill down to list
the actual roles. Double-click any user and choose Record Details to drill down. The report
might not show dormant users who have not logged in since the start date of the report.
• All Roles - User: Lists all roles with the number of users belonging to each role. You view
actual users by drilling down into the report. Double-click any role and choose Record Details
to drill down.

Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating Guardium roles

Perform the exercise for this lesson.

Use the following link to view a demonstration of the exercise:
• Creating Guardium roles: https://vimeo.com/169620437

Unit summary
• Create new users
• Assign roles to new users

Unit 5 IBM Guardium: System view and data management

You use the version 10 IBM Guardium interface to perform system administration tasks. This unit
teaches you to manage, configure, and monitor the system. In addition to viewing the system, this
unit teaches you to manage and archive data. Finally, this unit showcases crucial methods to
archive, perform system backup, and use the catalog archive function to prevent running out of disk
space, and to allow recovery from a loss of the Guardium system.

Unit objectives
• Use the Administration Console to perform basic IBM Guardium system configuration
• Manage IBM Guardium system data

Lesson 1 System view and configuration

The new IBM Guardium user interface makes it easier to access components for performing system administration. This lesson teaches you how to manage the system by using the system configuration dialog to configure system information. This lesson provides information about how to use the command line interface to configure settings. You also learn to use the dashboard to view reports about system performance.


Managing the system

Use the IBM Guardium user interface to more easily find and use the various components necessary for system administration. Most components for system administration that are available through the GUI are grouped under the Setup and Manage options in the navigation menu.

Suboptions for Setup:
• Tools and Views
• Central Management
• Custom Classes
• Reports

Suboptions for Manage:
• System View
• Activity Monitoring
• Data Management
• Module Installation
• Unit Utilization
• Maintenance
• Reports

System configuration

You can find the system configuration dialog at Setup > Tools and Views > System. You use the system configuration dialog to configure system information regarding security and networking.

The Unique global identifier is used for collation and aggregation of data. The default value is a unique value derived from the MAC address of the machine. It is strongly recommended that you do not change this value after the system begins monitoring operations.

The System Shared Secret is used for archive, export, and restore operations, and for central management and aggregation operations. In a multiaggregator system, its value must be the same for all units that will communicate with it. This value is null at installation time, and can change over time.

The system shared secret is used in the following situations:
• When secure connections are being established between a Central Manager and a managed unit
• When an aggregated unit signs and encrypts data for export to the aggregator
• When any unit signs and encrypts data for archiving
• When an aggregator imports data from an aggregated unit
• When any unit restores archived data

Depending on your company’s security practices, you might be required to change the system shared secret from time to time. Because the shared secret can change, each system maintains a shared secret keys file, containing a historical record of all shared secrets defined on that system.

Having this record allows an exported, or archived, file from a system with an older shared secret to
be imported, or restored, by a system on which that same shared secret has been replaced with a
newer one.

Note: When used, be sure to save the shared secret value in a safe location. If you lose the
value, you will not be able to access archived data.
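As an added illustration (not Guardium's own code) of why the shared secret keys file matters, the following Python models a unit that appends every new shared secret to a history and, on restore, tries each recorded secret until one verifies the archive. Guardium signs and encrypts archives; this model covers only the integrity check (HMAC-SHA256), and the key derivation, class name and function names are assumptions.

```python
"""Added model of a shared-secret keys file: every secret ever set on a unit is
kept, so an archive signed under an older secret stays restorable after the
secret is rotated. Not IBM Guardium's implementation: only the signature
(HMAC-SHA256) is modelled, and the key derivation, class and function names
are assumptions made for this illustration."""
import hashlib
import hmac


def derive_key(shared_secret: str) -> bytes:
    # Assumed: turn the operator-chosen secret into a fixed-length HMAC key.
    return hashlib.sha256(shared_secret.encode("utf-8")).digest()


class SharedSecretKeysFile:
    """Historical record of all shared secrets defined on this unit.
    The last entry is the current secret; older ones serve restore/import only."""

    def __init__(self, secrets=None):
        self._secrets = list(secrets or [])

    def set_shared_secret(self, new_secret: str) -> None:
        # Rotation appends and never deletes, so old archives stay readable.
        if not self._secrets or self._secrets[-1] != new_secret:
            self._secrets.append(new_secret)

    @property
    def current(self) -> str:
        # The secret is null at installation time; archiving needs one first.
        if not self._secrets:
            raise ValueError("system shared secret is not set")
        return self._secrets[-1]

    def history(self):
        return tuple(self._secrets)


def sign_archive(keys: SharedSecretKeysFile, payload: bytes) -> dict:
    """Archive record signed with the unit's current shared secret."""
    tag = hmac.new(derive_key(keys.current), payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "hmac": tag}


def restore_archive(keys: SharedSecretKeysFile, record: dict) -> bytes:
    """Verify the record against each recorded secret, newest first.
    Succeeds for archives made under any secret still in the keys file;
    fails if that secret was lost, which is why the value must be kept safe."""
    for secret in reversed(keys.history()):
        expected = hmac.new(derive_key(secret), record["payload"],
                            hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, record["hmac"]):
            return record["payload"]
    raise ValueError("no shared secret in the keys file verifies this archive")


if __name__ == "__main__":
    unit = SharedSecretKeysFile()
    unit.set_shared_secret("secret-2015")            # constructed sample value
    record = sign_archive(unit, b"constructed audit data")
    unit.set_shared_secret("secret-2016")            # rotation keeps the old one
    print(restore_archive(unit, record))             # still restorable
```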

Licensing information is displayed, but cannot be modified in this panel. You use the command line interface (CLI) to modify licensing information.

The hostname, network address, secondary management interface, and routing settings are displayed, but are not configurable in this panel. The command line interface is used to configure these settings. Use the following commands to change these settings:
• Hostname: store system hostname <value>
• Network address: store network interface ip <ip address>
• Secondary management interface: store network interface secondary [on <NIC> <ip> <mask> <gateway> | off ]

Additional networking commands are available at the Guardium knowledge center.

The remaining fields allow you to change the DNS resolvers used by the Guardium system.
System Monitor

To find the System Monitor dashboard, navigate to Manage > System View > System Monitor. The dashboard contains the following reports about aspects of system performance:
• DB Utilization: Shows how much of the Guardium database is in use. This database is the one that Guardium uses to store data.
• Hard Disk Usage: Shows how much disk space the Guardium system is using.
• Inspection Engines: Shows the status of inspection engines.
• CPU Usage: Shows how much CPU the Guardium system is using.
• Request Rate: Shows a chart highlighting the number of SQL requests logged over a period of time.
• Guardium Logins: Shows the active users.
• S-TAP Status Monitor: Shows the status of S-TAP agents. The S-TAP Status Monitor maintains a list of all modules for each instance of S-TAP agent. That is, a monitored system might have multiple modules for various databases, as well as for file access monitoring.
• Scheduled Job Exceptions: Lists recent issues with scheduled jobs.


IP-to-Hostname Aliasing
• This feature accesses the DNS server to define hostname aliases for client and server IP addresses
• When IP-to-Hostname Aliasing is enabled, alias names replace IPs within Guardium
• Select Update Existing Hostname Aliases to update a previously defined alias
To find the IP-to-Hostname Aliasing function, navigate to Protect > Database Intrusion Detection > IP-to-Hostname Aliasing. This function accesses the Domain Name System (DNS) server to define hostname aliases. When IP-to-hostname aliasing is enabled, alias names replace IPs within Guardium where appropriate.

Select Generate Hostname Aliases for Client and Server IPs (when available) to enable hostname aliasing.

Select Update existing Hostname Aliases if rediscovered to update a previously defined alias that does not match the current DNS hostname, which usually indicates that the hostname for that IP address has changed. You might not want to do this if you have assigned some aliases manually.

As an example, assume that the DNS hostname for a given IP address is dbserver204.ibm.com, but that server is commonly known as the QA Sybase Server. If QA Sybase Server has been defined manually as an alias for that IP address, and Update existing Hostname Aliases if rediscovered is selected, that alias will be overwritten by the DNS hostname.

Choose one of the following options:
• Click the Run Once Now button to generate the aliases immediately.
• Click the Define Schedule button to define a schedule for running this task.
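The overwrite behaviour in the dbserver204.ibm.com example, as added Python that is not Guardium's code: aliases are regenerated from a constructed DNS table, and a manually assigned alias survives only when Update existing Hostname Aliases if rediscovered is off. The table, the function name and the return shape are assumptions.

```python
"""Added model of the IP-to-Hostname Aliasing update rule. Not Guardium code:
the DNS table is constructed and the function name is an assumption."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for reverse DNS lookups (IP -> hostname, or None when
# no record is available).
DNS_TABLE: Dict[str, Optional[str]] = {
    "10.10.5.20": "dbserver204.ibm.com",
    "10.10.5.21": "dbserver205.ibm.com",
    "10.10.5.99": None,
}


def generate_aliases(existing: Dict[str, str], ips: Iterable[str],
                     dns: Dict[str, Optional[str]],
                     update_existing: bool) -> Tuple[Dict[str, str], List[tuple]]:
    """Return (aliases, overwritten).

    An IP with no DNS answer is left untouched ("when available"). An IP whose
    existing alias differs from DNS is rewritten only if update_existing is
    set, and each such change is reported so an operator can spot lost
    manual aliases."""
    aliases = dict(existing)          # never mutate the caller's table
    overwritten: List[tuple] = []
    for ip in ips:
        hostname = dns.get(ip)
        if hostname is None:
            continue                  # nothing rediscovered for this IP
        old = aliases.get(ip)
        if old is None:
            aliases[ip] = hostname    # first alias for this IP
        elif old != hostname and update_existing:
            aliases[ip] = hostname    # rediscovered: the DNS name wins
            overwritten.append((ip, old, hostname))
        # otherwise keep the alias that was assigned manually
    return aliases, overwritten


if __name__ == "__main__":
    manual = {"10.10.5.20": "QA Sybase Server"}     # alias set by hand
    print(generate_aliases(manual, DNS_TABLE, DNS_TABLE, update_existing=False))
    print(generate_aliases(manual, DNS_TABLE, DNS_TABLE, update_existing=True))
```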

S-TAP Control and status
• Displays S-TAP agent status, logs, and configuration information
• Use this function to send a command to the agent

To find the S-TAP Control page, navigate to Manage > Activity Monitoring > S-TAP Control.
Inspection engines

Inspection engines monitor the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol, such as DB2 or Informix. Each inspection engine monitors traffic between one or more client and server IP addresses. In an inspection engine definition, these are defined using an IP address and a mask.

The inspection engine extracts SQL from network packets, then parses the SQL commands to identify sentences, requests, commands, objects, and fields. The engine then logs detailed information about that traffic to an internal database.

The slide shows examples of inspection engines that are configured for various databases. Normally, the collector has an inspection engine for each instance of a database on a given database server.

Inspection engines run on the collector, but can also be defined on S-TAP agents.
Inspection engine configuration
• Parameters to be applied to all inspection engines on a collector
• Option to add new inspection engines

You can use the Guardium UI to configure parameters affecting logging and other functions of the inspection engines.

The applied changes do not take effect until the inspection engines are restarted. After applying inspection engine configuration changes, click the Restart button to stop and restart the system.

You can also add new inspection engines. You must define the following fields:
• Name: The name of the inspection engine
• Protocol: What type of database will be monitored. The choices are Cassandra, CouchDB, DB2, DB2 Exit, exclude IE, FTP, GreenPlumDB, Hadoop, HTTP, ISERIES, Informix, KERBEROS, MongoDB, MS SQL, Mysql, Named Pipes, Netezza, Oracle, PostgreSQL, SAP Hana, Sybase, Teradata, or Windows File Share.
• DB Client IP/Mask: A list of clients to be monitored, or excluded if the Exclude DB Client IP check box is selected, identified by IP addresses and subnet masks
• Port: A port or range of ports over which traffic between the specified clients and database servers will be monitored
• DB Server IP/Mask: A list of database servers to be monitored, identified by IP addresses and subnet masks
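As an added example (not Guardium's code), the following Python models how an inspection engine definition built from these fields decides whether a captured connection is monitored, including the Exclude DB Client IP case. The data model, the sample addresses and ports, and the function names are assumptions.

```python
"""Added model of inspection engine matching: protocol, DB Client IP/Mask list
(with the Exclude DB Client IP flag), a port range, and DB Server IP/Mask list.
Not Guardium's implementation; the dataclass, helper names and sample
configuration are assumptions for this illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List


@dataclass
class InspectionEngine:
    name: str
    protocol: str                      # e.g. "Oracle", "DB2", "MS SQL"
    client_nets: List[IPv4Network]     # DB Client IP/Mask entries
    exclude_clients: bool              # Exclude DB Client IP check box
    port_from: int
    port_to: int                       # same as port_from for a single port
    server_nets: List[IPv4Network]     # DB Server IP/Mask entries

    def matches(self, client: IPv4Address, server: IPv4Address, port: int) -> bool:
        """True if traffic on this (client, server, port) would be logged."""
        if not (self.port_from <= port <= self.port_to):
            return False
        if not any(server in n for n in self.server_nets):
            return False
        client_listed = any(client in n for n in self.client_nets)
        # With Exclude selected, the client list names hosts NOT to monitor.
        return (not client_listed) if self.exclude_clients else client_listed


def net(ip: str, mask: str) -> IPv4Network:
    """Build a network from the separate IP and Mask fields used in the UI."""
    return IPv4Network(f"{ip}/{mask}", strict=False)


def engines_for(engines: Iterable[InspectionEngine],
                client: str, server: str, port: int) -> List[str]:
    """Names of every inspection engine that would monitor this connection."""
    c, s = IPv4Address(client), IPv4Address(server)
    return [e.name for e in engines if e.matches(c, s, port)]


# Constructed sample configuration; every address and port is made up.
SAMPLE_ENGINES = [
    # Monitor all clients talking to one Oracle listener.
    InspectionEngine("oracle-prod", "Oracle",
                     [net("0.0.0.0", "0.0.0.0")], False, 1521, 1521,
                     [net("10.10.5.20", "255.255.255.255")]),
    # Monitor a DB2 subnet, but exclude the 10.20.0.0/16 application tier.
    InspectionEngine("db2-qa", "DB2",
                     [net("10.20.0.0", "255.255.0.0")], True, 50000, 50010,
                     [net("10.10.6.0", "255.255.255.0")]),
]

if __name__ == "__main__":
    print(engines_for(SAMPLE_ENGINES, "192.168.1.5", "10.10.5.20", 1521))
    print(engines_for(SAMPLE_ENGINES, "10.20.3.4", "10.10.6.7", 50000))
    print(engines_for(SAMPLE_ENGINES, "10.30.3.4", "10.10.6.7", 50005))
```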

S-TAP Status Monitor

To find the S-TAP Status Monitor, navigate to Manage > System View > S-TAP Status Monitor. This page shows a report listing each of the S-TAPs directed to this appliance, along with its current status. Green indicates an inspection engine has been configured and is running for the S-TAP.

Note: Several other reports also provide information about S-TAP status.
Agent Module setup

Modules can be added to S-TAP agents to enable additional functionality. Navigate to Manage > Module Installation > Setup by Module or Manage > Module Installation > Setup by Client to set up the module.

To find reports on module status, navigate to Manage > Reports > Install Management > GIM Installed Modules.
Alerter
• Enables use of email, SNMP traps, and alert-related Syslog messages
• SMTP options allow email notifications
• SNMP options enable SNMP traps to be sent

The alerter manages email messages, SNMP traps, and alert-related Syslog messages.

No email messages, SNMP traps, or alert-related Syslog messages are sent until the Alerter is configured and activated. Other components create and queue messages for the alerter. The alerter checks for and sends messages based on the polling interval that has been configured for it.

The alerter configuration panel is available at Setup > Tools and Views > Alerter and contains the following settings:
• Active on startup: If selected, the alerter will be activated automatically every time the appliance restarts.
• Polling: Sets the frequency that the Alerter checks for and sends messages. The polling interval is measured in seconds. You typically leave this setting at the default frequency, which is every 60 seconds.
• SMTP: The SMTP section is used to configure the Alerter to send SMTP (email) messages. You can configure the SMTP connections as follows:
– IP Address/Host Name: Enter the IP address or hostname for the SMTP gateway.
– Port: Enter the SMTP port number, which is usually set to port 25.
– Test Connection: Verifies the SMTP address and port. This only tests that access to the specified host and port is available. It does not verify that this is a working SMTP server.
– User Name: Enter a valid user name for your mail server, if your SMTP server uses authentication.

– Password: Enter the password for the above user if your SMTP server uses authentication.
– Return E-mail Address: Enter the return address for email sent by the system; this address is usually an administrative account that is checked often.
– Authentication Method: Use Auth if your SMTP server uses authentication; otherwise, use None. When Auth is selected, specify the user name and password to be used for authentication.
• The SNMP section of the configuration pane is used to configure the Alerter to send SNMP traps. You configure the SNMP connections as follows:
– IP Address: Enter the IP address/hostname where the SNMP trap will be sent.
– Test Connection (Optional): Verifies the SNMP address and port (22). This only tests that access to the specified host and port is available. It does not verify that this is a working SNMP server.
– “Trap” Community: Enter the community name for the trap. Retype the community name in the Retype Community box.

Click Apply to save the configuration.

Click Restart to restart the Alerter with the new configuration.

Note: The Alerter does not begin using a new configuration until it is restarted.
Alerts
• Alerts provide immediate notification of events, based on queries of logged data
• There is a set of predefined alerts
• You can also define your own alerts

Anomaly Detection
• Defines which alerts are enabled
• Alerts are defined in policies
• Options include the following examples:
– Active on startup
– Polling Interval

Alerts are triggered in two ways:
• Correlation alerts are triggered by a query that looks back over a specified time period to determine if the alert threshold has been met, for example, an excessive number of failed logins for a single user.
• Real-time alerts are triggered by a security policy rule. The Guardium Inspection Engine component runs the security policy as it collects and analyzes database traffic in real time.

Regardless of how it is triggered, alert information is logged in the Guardium internal database.

The Guardium Anomaly Detection Engine runs correlation queries on a scheduled basis. By default, correlation alerts do not log policy violations, but they can be configured to do that. To display the anomaly detection configuration panel, navigate to Setup > Tools and Views > Anomaly Detection.

In a multicollector environment, the Anomaly Detection panel is used to turn off correlation alerts that are not appropriate for a particular appliance. Correlation alerts are defined on the Central Manager, and when activated, are activated on all appliances by default.

You can configure the following Anomaly Detection options:
• Active on startup: Automatically starts Anomaly Detection on startup.
• Polling interval: Sets the frequency that Anomaly Detection checks for appliance issues. Do not change this setting without consulting with Guardium support because increasing the frequency can cause performance issues.

To disable an alert, select it from the Active Alerts list, and click the arrow to move it to the Locally
Disabled Alerts list.

To enable an alert, reverse the process.

Global Profile
• Displays aliases by default on all reports
• Message template customizes the message format used to generate alerts
• No wrap allows you to see where the line breaks appear
• Named template defines message templates
• Use HTML left/right to change the text displayed
To find the global profile panel, navigate to Setup > Tools and Views > Global Profile. This panel defines the defaults that apply to all users:
• Use aliases in reports unless otherwise specified: Enables the display of aliases by default on all reports. This function is especially helpful with displaying hostnames instead of IP addresses.
• PDF Footer Text: Changes the text displayed at the bottom of each page for each PDF document generated by the appliance.
• Message Template: Customizes the message format used to generate alerts. This setting is often changed to enable integration with an external security incident event manager (SIEM) system.
• No wrap: Shows where the line breaks appear in the message.
• Named template: Defines multiple message templates and facilitates the use of different templates on different rules.
• CSV Separator: Defines a separator to be used in audit processes when exporting data.
• HTML left / right: Specifies text that is displayed on the UI.


Global Profile (continued)
• Display a message to users upon login
• Filter results, systemwide, so each user sees information from those databases that the user is responsible for
• Set the size of the database table that Guardium uses to store information
• Change the ports that can be used to send files over SCP and FTP

• Login message / Show login message: Displays a message to users upon login.
• Concurrent login from different IP not allowed: Constrains each Guardium user to log in from only one IP address at a time.
• Data level security filtering: Filters results, systemwide, so that each user only sees information from those databases that the user is granted access to.
• Default filtering: Permits logged-in users to see all the rows in the result regardless of who these rows belong to. When used with the datasec-exempt role, permits an override of the data-level security filtering.
• Include indirect records: Permits the logged-in viewer to see the rows that belong to the logged-in user, but also all rows that belong to users below the logged-in user in the user hierarchy.
• Escalate result to all users: Escalates audit process results and PDF versions to all users, even if data-level security at the observed data level is enabled.
• Custom database maximum size: Sets the size of the database table.
• SCP and FTP files via different ports: Specifies ports that can be used to send files over SCP and FTP. For Global Profile, export and patch backup ports can be changed.

Note: The default port for ssh/scp/sftp is 22. The default port for FTP is 21. A setting of 0 as the
port indicates that the default port is being used and that no change is needed.

• Encrypt Must Gather output: Encrypts output.
• Check for Guardium updates: Checks for updates to Guardium software.
• Upload logo image: Adds a graphic to the right of the Guardium top banner.

Exercise introduction
Complete the following exercises in the Course Exercises book
• Setting the system shared secret and DNS resolver
• Enabling IP-to-hostname aliasing

Perform the exercises for this lesson.

Use the following links to view demonstrations of the exercises:
• Setting the system shared secret and DNS resolver: https://vimeo.com/169620435
• Enabling IP-to-hostname aliasing: https://vimeo.com/169620434


Lesson 2 Data management

In addition to configuring the settings in IBM Guardium, you must also manage the data generated by the implementation. You might need to archive this data to prevent the IBM Guardium system from running out of disk space, while still retaining data for future auditing and reporting. Additionally, you need to back up the Guardium configuration information for recovery from a catastrophic loss of the Guardium system.


System backup
• Supports different storage protocols
– SCP
– FTP
– Cloud: Amazon S3 or SoftLayer
• Configuration options depend on storage protocol

Periodically backing up the Guardium configuration and data is an important task. The storage type determines how and where the data will be transferred:
• SCP: Indicates a secure copy. This setting transfers the data to a target host using the secure copy protocol. Requires a user name and password. If you leave Port at 0, the default SCP port will be used.
• FTP: Transfers data to a target host using file transfer protocol (FTP). Requires a user name and password. If you leave Port at 0, the default FTP port will be used.
• Amazon S3: Transfers data to a storage cloud hosted on Amazon S3.
• SoftLayer: Transfers data to a storage cloud hosted on IBM Softlayer®.

Each protocol has its own set of credentials required to connect to the target storage system.

After system backup has been configured, it can be scheduled or run as a unique job.
Data Archive
• Run archive and purge operations on a scheduled basis
• Data Archive backs up data captured by the appliance
within a given time period
• If data is not purged, the database will become full

The data archival function is available at Manage > Data Management > Data Archive.

Data archival is similar to, but different from, system backup. The purpose of system backup is to allow recovery from disaster or catastrophic hardware failure. The purpose of data archival is to keep old but potentially valuable data from filling up the Guardium database, while still maintaining the data in a place where it can be accessed.

You typically run archive and purge operations on a scheduled basis. Data Archive backs up the data that has been captured by the appliance within a given time period. You can also enable data purging.

Typically, you archive data at the end of the day when it is captured, so in the event of a catastrophe, only the data of that day is lost. Data purging depends on the application and is highly variable, depending on business and auditing requirements.

In an environment with collectors and aggregators, it is recommended that you archive from the collectors and, if backup space allows, the aggregator.

It is important to configure the purge process. If data is not purged from the system, the database will eventually become full and logging will stop. Purge data older than indicates the maximum number of days the data will be kept on the appliance. You can allow data to be purged before it is archived or exported if, for example, you are archiving data from your collectors but not your aggregators.

Select Archive Values to include values from SQL strings in the archived data. If unselected,
values are replaced with question mark characters on the archive, and therefore the values will not
be available following a restore operation.
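The two controls just described, Archive Values and the purge rule, as an added Python model that is not Guardium's code: literal values are replaced with question marks when Archive Values is unselected, and a day is purged only when it is older than the retention limit and has already been archived, unless purging before archive is explicitly allowed. The value-matching regex, the field names and the sample dates are assumptions.

```python
"""Added model of two Data Archive controls: value masking for archives made
without Archive Values, and the 'Purge data older than' rule with the
'allow purge before archive' override. Not Guardium's implementation; the
regex, record layout and function names are assumptions."""
import re
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Assumed shape of a "value": a single-quoted string (with '' escapes) or a
# standalone number. Identifiers such as t1 contain no word boundary before
# the digit, so they are left alone.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def mask_values(sql: str) -> str:
    """Replace each literal value with '?', as an archive made without
    Archive Values holds no data values after restore."""
    return _LITERAL.sub("?", sql)


def build_archive_record(day: str, statements: Iterable[str],
                         archive_values: bool) -> Dict[str, object]:
    """Archive one day of captured SQL, keeping or masking literal values."""
    body = list(statements) if archive_values else [mask_values(s) for s in statements]
    return {"day": day, "statements": body}


def plan_purge(today: str, days_on_appliance: Iterable[str], purge_older_than: int,
               archived_days: Set[str],
               allow_purge_before_archive: bool) -> Tuple[List[str], List[str]]:
    """Return (to_purge, blocked) for ISO-dated day partitions.

    A day is purgeable once it is older than purge_older_than days. An
    unarchived day is held back (reported in blocked) unless the operator
    allowed purging before archive, in which case it is purged and lost."""
    cutoff = date.fromisoformat(today) - timedelta(days=purge_older_than)
    to_purge: List[str] = []
    blocked: List[str] = []
    for day in sorted(days_on_appliance):
        if date.fromisoformat(day) >= cutoff:
            continue                                  # still inside retention
        if day in archived_days or allow_purge_before_archive:
            to_purge.append(day)
        else:
            blocked.append(day)                       # nothing to restore from
    return to_purge, blocked


if __name__ == "__main__":
    # Constructed sample: three days on a collector, one of them archived.
    days = ["2016-10-01", "2016-10-15", "2016-10-30"]
    print(plan_purge("2016-10-31", days, 10, {"2016-10-01"}, False))
    print(build_archive_record("2016-10-30",
                               ["SELECT * FROM cust WHERE id = 42"], False))
```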

The storage method determines how and where the data will be transferred:
• SCP: Indicates a secure copy. This setting transfers the data to a target host using the secure copy protocol. Requires a user name and password. If you leave Port at 0, the default SCP port will be used.
• FTP: Transfers data to a target host using file transfer protocol (FTP). Requires a user name and password. If you leave Port at 0, the default FTP port will be used.
• Amazon S3: Transfers data to a storage cloud hosted on Amazon S3.
• SoftLayer: Transfers data to a storage cloud hosted on IBM SoftLayer.

Each protocol has its own set of credentials required to connect to the target storage system.

After system backup has been configured, it can be scheduled or run as a unique job.

Catalog Archive
• Guardium catalog tracks archive files
• Can be manually updated if the physical location of the archive file changes

To find the catalog archive function, navigate to Manage > Data Management > Catalog Archive.

The Guardium catalog tracks where every archive file is sent, so that it can be retrieved and restored on the system with minimal effort, at any point in the future. A separate catalog is maintained on each appliance, and a new record is added to the catalog when the appliance archives data or results.

If archive files are moved to another location after the Guardium archive operation, the Guardium software cannot determine what happened to those files. For these situations, you can maintain the archive catalog manually using the catalog archive function to add or remove archive entries.

You can export the catalog or import a previously exported catalog.


Results Export
• Guardium can store the results of certain functions as CSV, CEF, and PDF files
• Supports secure copy (SCP) and file transfer protocol (FTP)
• Can run on demand or schedule to run automatically

Guardium can store the results of certain functions as CSV, CEF, and PDF files. As part of the archive process, you might want to export these files.

Access the results export function at Manage > Data Management > Results Export (Files). The two protocols for exporting results are secure copy (SCP) and file transfer protocol (FTP). After you have configured the export of results, you can run the export or schedule it to automatically run.
l
up
D
ot
N
o
D

© Copyright IBM Corp. 2016 139


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Exercise introduction
Complete the following exercise in the Course Exercises book
• Archiving Guardium data

Perform the exercise for this lesson.

Use the following link to view a demonstration of the exercise:
• Archiving Guardium data: https://vimeo.com/169620436
Unit summary
• Use the Administration Console to perform basic IBM Guardium system configuration
• Manage IBM Guardium system data
Unit 6 IBM Guardium: Groups

Guardium groups offer a powerful method to facilitate the creation of queries and policy rules. In fact, without the use of groups, you might have to rely on conditional statements for queries and policy rules. Groups can have one or many attributes, and members can belong to multiple groups.

In this unit, you learn how to build and populate Guardium groups.
Unit objectives
• Use Group Builder to create, modify, and populate Guardium groups
• Create and populate Guardium groups
Lesson 1 Building groups

In this lesson, you learn how groups help perform data security functions by grouping like members for automation of tasks, simplification of queries, and collection of environment configuration data.

In this lesson, you learn how to perform the following tasks:
• Describe the characteristics and functions of Guardium groups
• Create a Guardium group
• View Guardium group reports
What a Guardium Group is
• Lists data elements
• Facilitates creation of queries and policy rules
  − Query against group members to create reports
  − Test policy rules against group members
• Eases maintenance
  A query without groups would require many ‘OR’ conditions; the same query using a group requires only one condition
• Allows membership in multiple groups
• Allows members to have single or multiple attributes
• Can specify type of data contained and type of application to be associated with
• Can be hierarchical
• Uses group category and classification to filter and group like members

A group is a list of data elements. As an example, a group might be a list of users, a list of commands, or a list of objects. You use groups to facilitate the creation of queries and policy rules.

Without groups, queries and policy rules might require the use of many ‘OR’ conditions. As an example, when checking to see who the database user is, a query might check user IDs using the following SQL-style condition:

    WHERE DB USER NAME = scott
       OR DB USER NAME = a8000
       OR DB USER NAME = a4902
       OR DB USER NAME = a4949
       OR DB USER NAME = a5710
       OR DB USER NAME = a9449
       OR DB USER NAME = sa

If a group named -Privileged Users is created, and the user IDs scott, a8000, a4902, a4949, a5710, a9449, and sa are added to that group, the query needs only the following simplified condition:

    WHERE DB USER NAME IN GROUP -Privileged Users

For policy rule definitions, the rule can be applied against members of a group. This eases maintenance of policy rule definitions and report queries. You only need to update the group, rather than having to update each rule or query. This is especially useful when more than one rule or query uses the same group.
Groups are typed. That is, the members of a group can be constrained to match certain data requirements. Additionally, you can specify what type of application a group can be used with.

Guardium provides predefined groups. You can also define custom groups. Group members can be part of more than one group.

Tuple groups are groups whose members can combine multiple attributes in a single member. Examples of tuple groups include those shown in the following list:
• Object/Command: Combines two attributes in a single member
• DB User/Object/Privilege: Combines three attributes in a single member
• Client IP/Source Program/DB User/Server IP/Service Instance: Combines five attributes in a single member

By default, predefined groups of group type DB User/DB Password are allowed only to users with the role of admin.
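The following Python script is an added example, not code from the course guide or from IBM Guardium. It models the points made above: the chain of OR conditions replaced by a single group condition, two rules that share one group so that a group edit updates both, and typed and tuple groups that reject members of the wrong shape. The Group class, the GROUP_TYPES table, the two rule functions, the sample session, the user ID a9940 and the command subsets are assumptions made for illustration.

```python
"""Added example: a small model of Guardium-style groups (not the product's code).
Group types, rule names and sample sessions are assumptions for illustration."""
from dataclasses import dataclass, field

# Number of attributes a member of each group type carries (tuple groups > 1).
# The set of types listed is an assumption based on the examples in the text.
GROUP_TYPES = {
    "USERS": 1,
    "COMMANDS": 1,
    "OBJECT/COMMAND": 2,
    "DB USER/OBJECT/PRIVILEGE": 3,
}


@dataclass
class Group:
    description: str
    group_type: str
    members: set = field(default_factory=set)

    def add(self, member):
        """Typed membership: an N-attribute group only accepts N-part members."""
        arity = GROUP_TYPES[self.group_type]
        parts = member if isinstance(member, tuple) else (member,)
        if len(parts) != arity:
            raise ValueError(
                f"{self.description}: expected {arity} attribute(s), got {len(parts)}")
        self.members.add(parts if arity > 1 else parts[0])
        return self


def is_privileged_without_group(db_user):
    """The OR chain from the text: every rule that needs it repeats the whole list."""
    return (db_user == "scott" or db_user == "a8000" or db_user == "a4902"
            or db_user == "a4949" or db_user == "a5710" or db_user == "a9449"
            or db_user == "sa")


def in_group(value, group):
    """Equivalent of the single condition 'DB USER NAME IN GROUP -Privileged Users'."""
    return value in group.members


# Two hypothetical rules that share the same groups. Neither embeds a user list,
# so updating the group updates both rules at once.
def rule_log_privileged_activity(session, privileged_users):
    return in_group(session["db_user"], privileged_users)


def rule_alert_privileged_ddl(session, privileged_users, ddl_commands):
    return (in_group(session["db_user"], privileged_users)
            and in_group(session["command"], ddl_commands))


def build_groups():
    privileged = Group("-Privileged Users", "USERS")
    for user in ["scott", "a8000", "a4902", "a4949", "a5710", "a9449", "sa"]:
        privileged.add(user)
    ddl = Group("DDL Commands", "COMMANDS")
    for command in ["CREATE TABLE", "ALTER TABLE", "DROP TABLE"]:  # constructed subset
        ddl.add(command)
    return privileged, ddl


def demo():
    """Returns (before, after): rule results for a new DBA before and after group edits."""
    privileged, ddl = build_groups()
    session = {"db_user": "a9940", "command": "TRUNCATE TABLE"}   # constructed session
    before = (rule_log_privileged_activity(session, privileged),
              rule_alert_privileged_ddl(session, privileged, ddl))
    # Maintenance happens in the groups only: add the user, and treat TRUNCATE as DDL
    # (the text notes that some companies add it to the built-in DDL Commands group).
    privileged.add("a9940")
    ddl.add("TRUNCATE TABLE")
    after = (rule_log_privileged_activity(session, privileged),
             rule_alert_privileged_ddl(session, privileged, ddl))
    return before, after


if __name__ == "__main__":
    print(demo())   # ((False, False), (True, True))
    obj_cmd = Group("Sensitive Object/Command", "OBJECT/COMMAND")
    obj_cmd.add(("CREDIT_CARD", "SELECT"))          # a two-attribute tuple member
    print(("CREDIT_CARD", "SELECT") in obj_cmd.members)   # True
```

The rule functions never change between the two runs of demo(); only the groups do, which is the maintenance benefit the text describes. Adding a plain string to the OBJECT/COMMAND group raises ValueError, the equivalent of a typed group refusing an incompatible member.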
Methods to build groups
1. Manual entry
2. Selection from list
3. LDAP
4. Populate from query
5. Classifier
6. GrdAPI command

You can use six different ways to build and populate groups in Guardium:
1. Manual Entry: You can manually add members to a group by entering the name of a new member.
2. Manual Entry by selecting members from a drop-down list: You can also manually add members to a group by selecting from a list. When you create a group, you provide a group type. Guardium then provides a drop-down list that contains potential members of that type. As an example, when you create a group of type user, Guardium lists potential members of type user.
3. LDAP: You can import data from an LDAP server to create group members. As an example, you can maintain a list of database users in an LDAP directory. You can import this list of users to create a group of database users.
4. Populate From Query: You can run a query on the Guardium database and use the results to define the membership of a group.
5. Classifier: You can configure Guardium to determine group membership by the use of a policy.
6. GrdAPI: You can use the command line to automate the creation of group members. As an example, you might want to add a large number of members to a group. You can use a batch file to do so. You can also use the command line to integrate with other applications that might control the member list of a group.

Each of these methods is described in the upcoming pages.
Accessing the Group Builder
• Group Filter
  − First panel displayed
  − Narrows set of groups displayed
• Modify Existing Groups
  − Displays existing groups
  − Modify, clone, delete, create group
  − Options to populate group
  − Special options for hierarchical groups

You use the Group Builder application to create new groups and edit existing groups. You access the Group Builder at Setup > Tools and Views > Group Builder or Protect > Security Policies > Group Builder. The first window that is displayed is the Group Filter window. This allows you to narrow the list of groups that are displayed in the Group Builder.

From the group filter window, click Next to reach the Group Builder. Optionally, you can choose to filter the list of groups displayed in the Group Builder by choosing filter options. For example, if you only want to see user groups, choose a Group Type of Users.

The Group Builder has three panes:
• Modify Existing Groups: Modify, clone, or delete existing groups.
• Flatten All Hierarchical Groups Scheduling: Consolidate subgroups under a hierarchy.
• Create New Group: Create a group.
Modifying existing groups
Select a group and click the Edit icon

There are a large number of built-in groups. These are provided for user convenience and are the basis for some of the built-in reports. Some groups are based on industry standards, such as the data definition language (DDL) and data manipulation language (DML) groups. Others are placeholders, such as the Sensitive Objects group, that allow you to enable built-in reports by simply populating the appropriate groups.

In both cases, you can edit the groups by selecting the pencil icon.
Modifying existing group members

You can add, modify, and delete group members.

As an example, some companies consider the truncate command to be data definition language (DDL), which is not included in the built-in DDL commands group. To add the command to the DDL commands group, highlight the group name and click the pencil icon. Enter the new group member name in the Create & add a new Member named field and click Add.

You rename existing members by highlighting the member, typing the new name in the Rename select Member to field, and clicking Update.

To delete members, highlight the member and click the Delete button.

Click Back when complete to return to the Group Builder.
Creating a new group

You can create a new group if none of the existing groups match your needs, or to meet the requirements of company policy.

The following fields are required to create a new group:
• Application Type: This list shows which applications can access this group, with Public indicating all applications.
• Group Description: This field shows the name of the group. It is recommended that you start the group name with a character or characters to distinguish the custom groups from the built-in groups. This example uses a dash (-), which also causes the group to appear at the top of the list of groups.
• Group Type Description: This field shows the data element you are basing your group on, such as users, objects, client IPs, and server IPs.

The remaining fields are optional:
• Category: An optional label used to group items such as policy violations and groups for reporting
• Classification: Another optional label used for policy violations and groups
• Hierarchical: A check box that causes the group to be defined as a “group of groups”. This option is discussed later in this unit.
Group reports

Two reports provide details on all of the groups in the system:
• Groups Usage Report: Details which applications use each group. Not every group is listed in this report. Only groups associated with a Guardium module or application are listed.
• Guardium Group Details: Lists all of the groups, which can be filtered by description and group type, and lists which members belong to which groups.
Lesson 2 Populating groups

In this lesson, you learn how to populate groups by using drop-down lists, queries, and other methods.
Adding members using manual entry

One way to add new members to a group is to manually enter them. To add new members using this method, type the member name in the Create & add a new Member named field and click Add. This is the simplest way to add a new member, and is useful for adding a small number of members to a small number of groups.
Adding members from a drop-down list

Some groups also allow you to manually choose from a drop-down list by using the Add an existing Member to Group field.

This list is based on data logged by Guardium and is available for groups where the size of the list is limited. For example, the number of users that Guardium has detected and added to the list of potential members might be in the hundreds or thousands, so a drop-down list is available for those groups. However, millions of values are likely logged for other fields, which would make a drop-down list too difficult to navigate.
Group population by LDAP
Groups can be populated from LDAP when you build a new group or modify an existing group

A third method of populating a group is through an interaction with LDAP.
LDAP group population setup

Enter the appropriate information to connect to the LDAP server. Click Run Once Now to immediately generate a list of users to import. You can pick and choose which users you want to import from the list, or you can choose to schedule the process. If you choose to schedule the process, Guardium imports all of the users found. It is important for a Guardium group populated by LDAP to remain synchronized with changes that might be made to an LDAP server. How often to schedule the process depends on how frequently the associated LDAP directory might change members.
Populating from a query
Select the group from the Modify Existing Groups window

Use the Populate from Query option to add members to a group using data from the Guardium database. This data can originate from monitored database traffic or from an external source using external data correlation.

To populate from a query, on the Modify Existing Groups window, highlight the group that you are interested in and click Populate from Query.

You cannot populate from a query in the Manage Members for Selected Group window. Therefore, if you are creating a new group, when the Manage Members for Selected Group window appears, click Back to return to the Modify Existing Groups window.
Populate from query options
Use a specific date
Use a relative date

Enter the following information on the Populate Group from Query Set Up window:
• Query: Choose the query that contains records you are interested in. This query can be based on observed traffic or on a custom query originating from an external source.
• Fetch Member From Column: Choose the field from the report that will be used to populate the group. This field must be compatible with the group type. As an example, if the group type is USERS, a field that contained IP addresses would not be compatible, and would produce an error dialog box.
• From Date: Enter the starting date and time for the query. In this example, NOW -1 WEEK means that the starting time of the query is one week before this moment. You can specify a date or use a relative time and date. In either case, a dialog box is displayed to help you select the correct time. In the above example, the dialog box has been configured to show a start time of one week before the query is run.
• To Date: Enter the ending point in time for this query. In the example, NOW means the present time. You can specify a date or use a relative time and date. In either case, a dialog box is displayed to help you select the correct time. In this example, the dialog box has been configured to show an end time of the time when the query is run.
• Remote Source: If you are running the population operation from a central manager in a distributed multicollector environment, you can choose to run the query against data on a managed collector or aggregator.
• Run time parameters: Based on the query, you might have the option to provide run-time parameters. If you have any run-time parameters, enter the appropriate values or enter a percent sign (%) as a wildcard to return everything. In the example above, Enter Value for Server IP is a run-time parameter. Leaving the field blank also returns everything.
• Clear existing group members before importing: Select this check box to purge all existing group members before importing from the query.
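The options above, worked through in an added Python example that is not the course guide's or IBM Guardium's own code: it resolves absolute and relative From/To dates such as NOW -1 WEEK, enforces the column/group-type compatibility check, applies a run-time parameter with the percent sign as a wildcard (blank or % returning everything), and honours the clear-existing-members option. The record set, the column-to-type table, the relative-date grammar, the run time and the group contents are constructed assumptions.

```python
"""Added example modelling Populate from Query (not IBM Guardium code).
Records, column names, the type table and the date grammar are assumptions."""
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {"MINUTE": 60, "HOUR": 3600, "DAY": 86400, "WEEK": 7 * 86400}

# Which report column feeds which group type (assumed mapping for this example).
COLUMN_TYPE = {"DB User Name": "USERS", "Client IP": "CLIENT IP",
               "Server IP": "SERVER IP", "Object Name": "OBJECTS"}

NOW = datetime(2016, 10, 3, 9, 0, 0)   # constructed "time the query is run"

# Constructed rows of the kind a query on observed traffic might return.
RECORDS = [
    {"Timestamp": NOW - timedelta(hours=2), "DB User Name": "sa", "Server IP": "10.0.2.30"},
    {"Timestamp": NOW - timedelta(days=1), "DB User Name": "scott", "Server IP": "10.0.1.20"},
    {"Timestamp": NOW - timedelta(days=3), "DB User Name": "a8000", "Server IP": "10.0.1.21"},
    {"Timestamp": NOW - timedelta(days=10), "DB User Name": "olduser", "Server IP": "10.0.1.20"},
]


def resolve_time(expr, now):
    """Accept 'NOW', a relative form such as 'NOW -1 WEEK', or 'YYYY-MM-DD HH:MM:SS'."""
    expr = expr.strip().upper()
    if expr == "NOW":
        return now
    match = re.fullmatch(r"NOW\s*([+-])\s*(\d+)\s*(MINUTE|HOUR|DAY|WEEK)S?", expr)
    if match:
        sign, count, unit = match.groups()
        delta = timedelta(seconds=int(count) * UNIT_SECONDS[unit])
        return now + delta if sign == "+" else now - delta
    return datetime.strptime(expr, "%Y-%m-%d %H:%M:%S")


def param_matches(value, pattern):
    """Run-time parameter: blank or '%' returns everything; '%' inside acts as a wildcard."""
    if pattern is None or pattern in ("", "%"):
        return True
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, value) is not None


def populate_from_query(records, existing_members, group_type, column,
                        from_date, to_date, now=NOW, run_time_params=None,
                        clear_existing=False):
    """Return the group membership that results from importing all query results."""
    if COLUMN_TYPE.get(column) != group_type:
        # Mirrors the error dialog for an incompatible Fetch Member From Column.
        raise ValueError(f"column {column!r} is not compatible with group type {group_type}")
    start, end = resolve_time(from_date, now), resolve_time(to_date, now)
    params = run_time_params or {}
    members = set() if clear_existing else set(existing_members)
    for rec in records:
        if not start <= rec["Timestamp"] <= end:
            continue
        if not all(param_matches(rec[col], pat) for col, pat in params.items()):
            continue
        members.add(rec[column])
    return members


def demo():
    """Two scheduled-style runs (every result imported) over the last week of data."""
    current = {"legacy_admin"}                                   # constructed existing member
    merged = populate_from_query(RECORDS, current, "USERS", "DB User Name",
                                 "NOW -1 WEEK", "NOW",
                                 run_time_params={"Server IP": "10.0.1.%"})
    replaced = populate_from_query(RECORDS, current, "USERS", "DB User Name",
                                   "NOW -1 WEEK", "NOW",
                                   run_time_params={"Server IP": "%"}, clear_existing=True)
    return merged, replaced


if __name__ == "__main__":
    print(demo())
```

In the first run the existing member survives and only users seen on 10.0.1.x servers during the last week are added; in the second run the check box is set, so the membership is exactly what the query returned. The record from ten days ago is outside the NOW -1 WEEK window in both runs.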
Populate from query results

When you run the query, the results are displayed. Select the results you want to import and click the Import button. In the above example, all results have been selected.
Scheduling a population by query

Often, the dynamic nature of the managed environment means that you must run the query periodically to update the group membership. You can import members on a scheduled basis by clicking Modify Schedule. Selecting this option imports all returned results. Because it is unattended, there is no option to pick specific values to import.
Adding group members by classification
Added as part of a classification process

You can also manage group membership by setting up a classification policy. The classifier searches a database and automatically adds group members matching user-supplied criteria.

You find this option at Discover > Classifications > Classification Policy Builder. Classification is covered more fully in a separate module.
GuardAPI
• You can use GuardAPI to create and populate groups
• You can add a member from the CLI manually:
  grd01.guard.swg.usma.ibm.com> grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a9940
• GuardAPI is most effectively used in a batch file

The final method of populating a group is by using the command line. The grdapi command provides access to Guardium functionality from the command line or from a batch file. This allows for the automation of repetitive tasks, which is especially valuable in larger implementations.

GuardAPI commands, including those to create and populate groups, can be scripted and run in batch files. Follow these steps to create and run a batch file:

1. Create a file with the individual commands repeated for each group member.

    dbserver01:~ # cat group-upload.txt
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a2342
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a6732
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a4345
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a7564
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a4567
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a2233
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a5678
    grdapi create_member_to_group_by_desc desc="- Privileged Users" member=a4544

2. From a Linux or UNIX server, run the following command:

    ssh cli@collector-or-central-manager-ip < file-name-created-above

See the following example:

    dbserver01:~ # ssh cli@192.168.169.9 < group-upload.txt
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    cli@192.168.169.9's password:
    Welcome cli - your last login was Tue Sep 28 08:45:29 2010
    grd01.guard.swg.usma.ibm.com> ok
    ID=1000008
    grd01.guard.swg.usma.ibm.com> ok
    ID=1000009 …
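As an added example (not the course guide's own script and not part of IBM Guardium), the following Python script generates the batch file shown above from a list of member IDs and, if you call upload() yourself, streams it to the cli account over ssh exactly as the ssh command in step 2 does. The member IDs, the output file name, the collector address placeholder and the allowed-character rule for member IDs are assumptions; the rule exists so that a member value taken from another system cannot break out of the desc="..." and member= arguments of the generated command.

```python
"""Added example: generate and send a grdapi batch file (not IBM Guardium code).
Member IDs, file name and the collector address placeholder are assumptions."""
import re
import subprocess
from pathlib import Path

# Assumption: member IDs are plain identifiers. Anything else (spaces, quotes,
# shell metacharacters) is rejected rather than written into a command line.
MEMBER_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")


def grdapi_lines(group_desc, members):
    """One create_member_to_group_by_desc command per member, as in the text."""
    if '"' in group_desc or "\n" in group_desc:
        raise ValueError("group description must not contain quotes or newlines")
    lines = []
    for member in members:
        if not MEMBER_RE.match(member):
            raise ValueError(f"refusing unsafe member id: {member!r}")
        lines.append(
            f'grdapi create_member_to_group_by_desc desc="{group_desc}" member={member}')
    return lines


def write_batch(path, group_desc, members):
    """Write the batch file and return its text."""
    text = "\n".join(grdapi_lines(group_desc, members)) + "\n"
    Path(path).write_text(text)
    return text


def upload(path, collector, user="cli"):
    """Equivalent of 'ssh cli@<collector> < group-upload.txt'.

    ssh prompts for the cli password interactively; the 'Pseudo-terminal will not
    be allocated' message seen in the text is expected when stdin is a file.
    Returns the ssh exit status.
    """
    with open(path) as batch:
        return subprocess.run(["ssh", f"{user}@{collector}"], stdin=batch,
                              check=False).returncode


if __name__ == "__main__":
    members = ["a2342", "a6732", "a4345", "a7564"]          # constructed IDs
    print(write_batch("group-upload.txt", "- Privileged Users", members), end="")
    # upload("group-upload.txt", "COLLECTOR-IP-PLACEHOLDER")  # run against a real collector
```

Generating the file from a member list kept elsewhere (an HR export, a ticketing system) is the integration case the text mentions; validating each value before it becomes part of a command line is what keeps that integration from turning a stray character in the source data into an unintended CLI command.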
Hierarchical groups
• Grouping of groups
• Allows lists to be merged from several subgroups, rather than redefining them
Specifies that members will be other groups

The Hierarchical check box allows a group to be defined as a “group of groups.” As an example, if you have three groups of users who are also considered to be privileged users, such as DBAs, SAs, and Developers, you could create a group called Privileged Users that would contain the members of all three groups. Specifying hierarchies allows you to be specific when necessary, such as when you are concerned with all DBA activity, and to use fewer steps when you have broader requirements, such as all privileged user activity.

In the above example, a hierarchical group of type COMMANDS has been defined to contain a list of monitored commands. These monitored commands will consist of the union of two sets of commands, specifically those in the DDL Commands group and those in the DML Commands group. Rather than explicitly adding each of these commands to the new group, make the new group hierarchical and set the two groups as members.

Follow these steps to create a hierarchical group:
1. Create a new group. This example shows a group of monitored commands that will contain the DML and DDL groups.
2. Select Hierarchical.
3. Click Add.
Hierarchical group membership
Specifies which type of groups can be added as members
Group added as member
Group to be added as member

For hierarchical groups, there is no option to enter group members. Instead, you must use the drop-down list that contains all of the groups that match the group type of the hierarchical group.

Continuing the example, add the two subgroups:
4. From the Add existing Group to Group list, select DDL Commands and click Add.
5. From the Add existing Group to Group list, select DML Commands and click Add.
6. Click Back when you are done to return to the Group Builder.
Flattening hierarchical groups
• Members of the subgroup become members of top-level group
• Not reflected in Group Builder
• Must be viewed in Group Details report

A hierarchy of groups can have more than two levels. To consolidate all of the subgroups under the group of groups, the groups must be flattened. By flattening the groups, members of the subgroup become members of the top-level group.

From the Group Builder, click Run Once Now in the Flatten All Hierarchical Groups Scheduling pane.

The group of groups now encompasses all of the members of the DDL Commands group and the DML Commands group. As well as running the flattening process to initially populate this group, you should also schedule this process using Modify Schedule, so that any changes made to either subgroup are reflected in the hierarchical group.

To see the list of individual members in the hierarchical group, view the Guardium group details report, as shown in Group reports. The Group Builder membership management list does not show the individual members. In the example above, flattening the group hierarchy causes commands in the DDL Commands and DML Commands groups to be displayed as members of the - Monitored Commands group.
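An added Python example (not IBM Guardium code) of what flattening does to a hierarchy: it resolves the individual members of a group of groups across any number of levels, enforces the rule that only groups of the same type appear in the Add existing Group to Group list, and refuses a hierarchy that loops back on itself. The commands in each built-in group are a constructed subset, and the - All Schema Changes group, the Privileged Users group and the helper functions are hypothetical.

```python
"""Added example of hierarchical group flattening (not IBM Guardium code).
Group contents are a constructed subset; the helper names are hypothetical."""

# Flat groups: description -> (group type, individual members)
FLAT_GROUPS = {
    "DDL Commands": ("COMMANDS", {"CREATE TABLE", "ALTER TABLE", "DROP TABLE"}),
    "DML Commands": ("COMMANDS", {"INSERT", "UPDATE", "DELETE"}),
    "Privileged Users": ("USERS", {"scott", "sa"}),
}

# Hierarchical groups: description -> (group type, member group descriptions).
# "- All Schema Changes" is a hypothetical second level above the text's example.
HIERARCHICAL_GROUPS = {
    "- Monitored Commands": ("COMMANDS", ["DDL Commands", "DML Commands"]),
    "- All Schema Changes": ("COMMANDS", ["- Monitored Commands"]),
}


def group_type(name, flat=FLAT_GROUPS, hier=HIERARCHICAL_GROUPS):
    if name in flat:
        return flat[name][0]
    if name in hier:
        return hier[name][0]
    raise KeyError(name)


def add_subgroup(parent, child, hier=HIERARCHICAL_GROUPS, flat=FLAT_GROUPS):
    """Mirror the 'Add existing Group to Group' list: only same-typed groups are offered."""
    if group_type(parent, flat, hier) != group_type(child, flat, hier):
        raise ValueError(f"{child!r} is not of type {hier[parent][0]}")
    hier[parent][1].append(child)


def direct_members(name, hier=HIERARCHICAL_GROUPS):
    """What the Group Builder membership list shows: the subgroup names only."""
    return list(hier[name][1])


def flatten(name, flat=FLAT_GROUPS, hier=HIERARCHICAL_GROUPS, _path=()):
    """Individual members across every level, as the Group Details report shows them."""
    if name in _path:
        raise ValueError("cycle in hierarchy: " + " -> ".join(_path + (name,)))
    if name in flat:
        return set(flat[name][1])
    members = set()
    for child in hier[name][1]:
        members |= flatten(child, flat, hier, _path + (name,))
    return members


def flatten_all(flat=FLAT_GROUPS, hier=HIERARCHICAL_GROUPS):
    """Equivalent of Run Once Now in the Flatten All Hierarchical Groups Scheduling pane."""
    return {name: flatten(name, flat, hier) for name in hier}


if __name__ == "__main__":
    for name, members in flatten_all().items():
        print(name, "->", direct_members(name), "flattened to", sorted(members))
```

direct_members() and flatten() return different things for the same group, which is the distinction the slide draws between the Group Builder list and the Group Details report. Because flatten_all() recomputes from the current subgroup contents, running it on a schedule is what keeps the top-level group in step with edits to DDL Commands or DML Commands.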
Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating and populating Guardium groups

Perform the exercise for this lesson.

Use the following link to view the demonstration of the exercise:
• Creating and populating Guardium groups: https://vimeo.com/172756077
Unit summary
• Use Group Builder to create, modify, and populate Guardium groups
• Create and populate Guardium groups
Unit 7 IBM Guardium: Policy management

IBM Guardium gathers a large amount of information about data access from database and file servers. This information is parsed and logged, yet this is not enough. You must provide Guardium with a set of rules describing what should be done with the information. These rules, or policies, tell Guardium what information S-TAP agents should send to the collectors and what action to take when certain types of information are received. In this unit, you learn how to configure the rules that tell Guardium how to process the information it receives from database and file servers.
Unit objectives
• Describe how IBM Guardium logs traffic and the concept of a construct
• Create and install a policy or set of policies to meet business requirements
• Add access rules to a policy
• Use exception and extrusion rules to evaluate data
• Install and manage the Selective Audit Trail policy
• Describe the correct order of execution for policy rules
• Describe how to control a session
• Use policies to classify sensitive data
V7.0
Unit 7 IBM Guardium: Policy management
Lesson 1 Policy overview

Uempty
Lesson 1 Policy overview

Before learning how to write rules, you must understand how Guardium collects information. In a typical environment, databases might process millions of database requests in a single hour. That means the S-TAP agents are sending a great deal of information to the Guardium collectors, which in turn must parse and store that information. Efficient policy rules can be written with these requirements in mind. As an example, you might want to ignore certain database queries or even entire sessions. Other queries might need some sort of immediate response. In this lesson, you are introduced to Guardium policies.

Policy review
• Ensuring data security requires policies
• A policy is an ordered set of rules applied by the sniffer against each request received
• Rule types

− Access
− Exception
− Extrusion

Effective data security requires the creation, maintenance, and implementation of policies. Policies define, through a set of rules, the following elements:

• What is permitted: Policies determine who has what level of access to which data, on which servers. As an example, a policy might specify that high-level database administrators are not allowed to view the data in certain tables, even though those administrators will need to manage the tables themselves.
• What is monitored: Policies determine which actions are monitored and logged. As an example, a policy might determine that any attempt to access a file will be logged.
• What actions are to be taken in the case of certain events: As an example, an attempt in an RDBMS management session to view restricted data results in termination of the session, logging of the action, and creation of an event that is sent to an event console.

Each rule can apply to a request from a client or to a response from a server. The following rule types can be defined:

• Access: Requests from the client to the server
• Exception: SQL errors and failed login messages from the server to the client
• Extrusion: Result sets from the server to the client

Each rule contains conditions and one or more actions. When all of the rule’s conditions have been met, the actions are triggered. The rules are applied sequentially.

A policy must be installed to be in effect. After any change to a policy, including group member updates, the policy must be reinstalled.

Default behavior: Traffic

[Figure: traffic types handled by the sniffer: network connections, sessions, SQL commands, SQL errors, SQL result sets]

To understand what a policy does, you must first understand how the system works with no policy installed, which is the default behavior.

After S-TAP has been installed and the inspection engines have been configured, S-TAP starts forwarding all database traffic to the collector. This traffic is analyzed, parsed, and logged by the sniffer process on the collector, as follows:

• Traffic sent by S-TAP
  – Database Client -> Database Server
     · Client/server network connections
     · Sessions (logins/logouts)
     · SQL requests (commands)
  – Database Server -> Database Client
     · Failed login messages
     · SQL errors
     · Result sets
• Traffic analyzed, parsed, and logged by the sniffer
  – Database Client -> Database Server
     · Client/server network connections
     · Sessions (logins/logouts)
     · SQL requests (commands)
  – Database Server -> Database Client
     · Failed login messages
     · SQL errors
• Traffic ignored and discarded by the sniffer
     · Result sets

Default behavior: Parsing and logging

[Figure: what the sniffer parses and logs: network connections, sessions, SQL commands, SQL errors, SQL result sets, SQL command components]

When the sniffer receives the traffic from S-TAP, it performs three functions against the data:

1. It analyzes the data to verify that it is valid SQL traffic.
2. It parses the data for easy reporting. For example, it parses the SQL string ‘insert into emp_salary (id, salary), values (2049, 185000)’ as follows:
   – Sentence (SQL) = insert into emp_salary (id, salary), values (?, ?)
   – SQL Verb = insert
   – Object = emp_salary
   – Fields = id, salary
   – Values = 2049, 185000 (not logged by default)
3. It logs the parsed data into the internal database in Guardium.

The sniffer logs the sentence with question marks instead of the actual values entered by the user. This is done for two reasons:

1. These values can be highly sensitive, and Guardium should not log this information automatically and risk exposing it to unauthorized users.
2. Masking the values allows Guardium to greatly increase the data retention on the collectors and aggregators. The next few slides explain the concept of constructs and how masking values increases data retention.

Constructs

First time an SQL request is encountered by the collector: logged as a construct with an associated ID

When the collector receives this SQL request again:
• Does not log the SQL string again
• Refers back to the original construct ID

When the sniffer encounters an SQL request that it has not previously seen, it logs the request as a construct with an associated primary key. Constructs are basically prototypes of requests that Guardium detects in the traffic. The combinations of commands, objects, and fields included in a construct can be very complex, but each construct basically represents a very specific type of access request.

Constructs are logged with the values replaced by question marks, which makes most SQL requests less unique. For example, the following statements appear to be unique to each other:

select * from employee_table where employee_id = 48 and hire_date = ‘8/2/09’
select * from employee_table where employee_id = 4940 and hire_date = ‘10/29/01’

However, if you replace the values with question marks, you see that they are the same basic request:

select * from employee_table where employee_id = ? and hire_date = ?
select * from employee_table where employee_id = ? and hire_date = ?

The string select * from employee_table where employee_id = ? and hire_date = ? is an example of a construct. When the sniffer first encounters this SQL request, it logs the request with an associated construct ID. When the sniffer encounters it again, it will not log the request a second time. Instead, the sniffer will refer back to the construct it had logged earlier.

Constructs received multiple times


• Default method of logging saves a tremendous amount of disk space
• In the example below, the sniffer logged three entries; if each occurrence was separately logged, 1266 lines would be logged

[Figure: report rows for an SQL request made 844 times in two different sessions within the same access period (usually one hour), showing the most recent occurrence within the latest access period and the count of occurrences]

If the sniffer receives the same construct multiple times within the defined access period (usually one hour) and within the same session, it counts the number of times it receives the construct and updates the access period timestamp to the time of the last request. Therefore, in reporting the finest level of detail, you see that the construct was run x number of times within an hour, with a timestamp representing the latest occurrence.

When the sniffer receives the same construct multiple times over an extended time period, it makes new entries in the database in two cases:

1. The user starts a new session. When a new session starts, a new record is entered with its own access period timestamp and counter. All further occurrences of this construct within this session will update this record’s access period timestamp and counter until a new access period begins.
2. A new access period begins within the same session. The default access period is one hour (9:00 to 9:59, 10:00 to 10:59, and so on). When a new access period begins, the next occurrence is entered as a new line with its own access period timestamp and counter.

This method of logging saves a tremendous amount of space. As shown in the two examples above, thousands of requests can be collapsed into just a few lines. If each line is written separately, the disk will be filled up very quickly. In a production environment, millions of lines per hour can be saved in this manner.

From a user perspective, these are the most important things to remember about constructs:
• You see a masked SQL string (question marks instead of values)
• If the collector logs the same construct within an hour from the same session, the following actions occur:
  a. It counts the number of times the construct occurred.
  b. It updates the access period timestamp with the time of the most recent occurrence. This will be the most precise timestamp under these circumstances.
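The following Python is an added example, not course material or Guardium code, that models the construct logging described in this lesson: literal values are masked to question marks, a construct gets an ID the first time it is seen, and repeats only update one counter row per session and per clock-aligned access period. The masking regex, the session names, the request timings and the date are assumptions made for the illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified stand-in for the sniffer's value masking: quoted string literals and
# numeric literals become "?", so requests that differ only in their values
# collapse onto one construct. Constructed approximation, not Guardium's parser.
_LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def mask_sql(sql: str) -> str:
    """Return the construct form of an SQL string: values replaced by '?'."""
    return _LITERAL_RE.sub("?", sql)


@dataclass
class AccessRecord:
    """One row as the collector would log it: a construct seen in one session
    during one access period, with a counter and the latest timestamp."""
    construct_id: int
    session_id: str
    period_start: datetime   # start of the clock-aligned access period (9:00, 10:00, ...)
    last_seen: datetime      # timestamp of the most recent occurrence in this row
    count: int = 0


class ConstructLog:
    """Model of the collector's default logging behaviour described in this lesson
    (constructed for illustration): constructs get an ID on first sight, and repeats
    only bump a per-session, per-access-period counter."""

    def __init__(self, period_hours: int = 1) -> None:
        self.period_hours = period_hours
        self.constructs: dict[str, int] = {}                # masked SQL -> construct ID
        self.records: dict[tuple[int, str, datetime], AccessRecord] = {}

    def _period_start(self, ts: datetime) -> datetime:
        hour = ts.hour - (ts.hour % self.period_hours)
        return ts.replace(hour=hour, minute=0, second=0, microsecond=0)

    def log_request(self, session_id: str, ts: datetime, sql: str) -> AccessRecord:
        masked = mask_sql(sql)
        # First sighting of this construct assigns an ID; later sightings reuse it
        # instead of logging the SQL string again.
        cid = self.constructs.setdefault(masked, len(self.constructs) + 1)
        key = (cid, session_id, self._period_start(ts))
        rec = self.records.get(key)
        if rec is None:
            # New session or new access period: a new row with its own counter.
            rec = AccessRecord(cid, session_id, key[2], ts)
            self.records[key] = rec
        rec.count += 1
        rec.last_seen = max(rec.last_seen, ts)
        return rec

    def rows(self) -> list[AccessRecord]:
        return sorted(self.records.values(), key=lambda r: (r.session_id, r.period_start))


def simulate_slide_example() -> ConstructLog:
    """Replay the slide's scenario: the same request issued 844 times in two sessions.
    Session A: 300 requests from 9:05; session B: 500 from 9:10 and 44 more after 10:00,
    so session B crosses into a new access period. (Constructed timings.)"""
    log = ConstructLog()
    day = datetime(2016, 10, 3)   # constructed date

    def run(session: str, start: datetime, n: int, spacing_s: int) -> None:
        for i in range(n):
            sql = (f"select * from employee_table where employee_id = {1000 + i} "
                   f"and hire_date = '8/2/09'")
            log.log_request(session, start + timedelta(seconds=i * spacing_s), sql)

    run("sess-A", day.replace(hour=9, minute=5), 300, 5)    # last request at 9:29:55
    run("sess-B", day.replace(hour=9, minute=10), 500, 3)   # last request at 9:34:57
    run("sess-B", day.replace(hour=10, minute=2), 44, 1)    # new access period
    return log


if __name__ == "__main__":
    for r in simulate_slide_example().rows():
        print(f"construct {r.construct_id} session {r.session_id} "
              f"period {r.period_start:%H:%M} last {r.last_seen:%H:%M:%S} count {r.count}")
```

Running it prints three rows (300, 500 and 44 occurrences) for a single construct ID, which is the collapse from 844 requests to a few lines that the lesson describes.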

Lesson 2 Installing and creating policies

Groups of rules are policies. You must wisely manage these policies to make the most of Guardium collector resources and to make sure your organization's data security requirements are being properly implemented. In this lesson, you learn how to install and create a basic policy.

Installing a policy
Multiple installed policies are allowed
• Run sequentially
• Cannot mix selective audit and other policies

• After modifying a policy, you must reinstall it for changes to take effect
• Reinstallation can be automated

The remainder of this unit focuses on creating policies and configuring policy rules. However, for a policy, or any changes to a policy, to take effect, it must be installed.

To install a policy, go to Setup > Tools and Views > Policy Installation or Protect > Security Policies > Policy Installation. Highlight the policy that you want to install and choose Install & Override from the drop-down list.

If the groups contained within the policy are updated regularly, the installation should be scheduled by clicking Modify Schedule to open the general-purpose scheduling utility. For example, if you are using the populate from query method to update a group of privileged users nightly, the policy should be scheduled to be reinstalled after the group update.

More than one installed policy is permitted at the same time. All installed policies are available for action and are run sequentially. The only limitation is that policies defined as selective audit policies cannot be mixed with policies that are not defined as selective audit policies. If you try to mix policies, an error message will result when you install these mixed policies. The order of appearance can be controlled during the policy installation, but the order of appearance cannot be edited at a later date.

Remember, in all of the following examples, the policy must be installed after any modifications for the changes to take effect.

Viewing currently installed policies

[Figure: currently installed policies panel, with the Edit policy (pencil) icon and the Uninstall policy icon]

After the policy has been installed, you can view the basic attributes, such as date installed, number of rules, and so on, from the currently installed policies panel. You can view details of the installed policy by clicking View Details Report.

You can directly access the policy by clicking the pencil icon. You can uninstall the policy by clicking the uninstall icon.

Accessing the Policy Builder

Under the Policy Builder window, you find the Policy Finder, which lists the existing policies accessible by the user who is currently logged in.
Note: In this example, these policies are owned by the admin user and are built into the system.

To access the Policy Builder, go to Setup > Tools and Views > Policy Builder for Data & Applications or Protect > Security Policies > Policy Builder for Data & Applications.

There are also special policy builders for file and classification policies. These are covered in separate modules.

Under the Policy Builder window is the Policy Finder, which lists the existing policies accessible by the user who is currently logged in. For access to an existing policy, you must either be the creator of the policy or belong to a role that has been granted access to it. In this example, these are the policies owned by the admin user and built into the system:

• The Allow-all policy contains no rules. If you need to go back to the collector’s default behavior, as described earlier in this unit, install the Allow-all policy to get there.
• The remaining built-in policies, including Basel II, Data Privacy, and SOX, provide example rules to help users build their own policies. If you choose to use one of these policies in your environment, make sure that you understand what each rule does.

You can perform the following functions:
• Create a new policy.
• Clone an existing policy, allowing you to save it with a new name. Several predefined policies
with predefined access, exception, and extrusion values are available for policy cloning. This
allows you to use the predefined policy as a template.
• Modify a policy definition.

• Delete a policy.
• Edit the rules of a policy (Edit Rules).
• Attach comments to a policy, allowing you to leave notes for yourself or other users.

Policy Definition

To create a new policy, you must enter a policy description. You should name the policy something that differentiates it from the built-in policies. In the example above, the dash (-) helps to show that it is not a built-in policy and causes the policy to appear at the top of the list.

The remaining fields are optional:

Policy category: An optional label that can be used to group policy violations for reporting purposes. The category specified here is used as the default category for each rule, and it can be overridden in the rule definition.
Policy baseline: If you have created a baseline, you can create a policy based on it. This is outside the scope of this training.
Log flat: Use this option in extremely high-volume environments. The following actions occur when this check box is selected:
  • Data is not parsed in real time.
  • The flat logs can be seen on a designated Flat Log List report.
  To configure the offline process to parse the data and merge it into the standard access domains, go to Manage > Activity Monitoring > Flat Log Process.
Rules on flat: Selecting this option results in the following behavior:
  • Session-level rules are examined in real time.
  • No rules are evaluated when the offline processing takes place.
  When Rules on flat is NOT selected, policy rules fire at processing time, using the policy that is installed at that time.
Selective audit trail: Selecting this option causes a special type of policy to be created that results in all SQL requests being dropped by the sniffer. Only SQL requests defined in the Audit Pattern or in individual rules are logged. Failed logins, SQL errors, and session-level information are logged. Creating and installing a policy with this check box selected changes the default behavior, even with no rules defined. This is covered as a separate topic within this unit.
Audit pattern: Use this field in conjunction with the Selective audit trail check box, as described above.
Roles: Use this feature to grant access to other users.
Back: Use this button to return to the previous window.
Edit Rules: Use this button to add rules, which is the next step in creating your policy.
Apply: Use this button to save the policy definition.

Policy Rules
Add rules to the policy; choose from three rule types:
1. Access rule
2. Exception rule
3. Extrusion

Next, you start adding your rules to the policy. You can choose from three types of rules:

1. Access Rule: SQL requests made by a client against a database server
2. Exception Rule: SQL errors and failed login messages returned by the database server to the client
3. Extrusion: Result sets returned by the database server to the client

Start with access rules, followed by exception and extrusion rules. To create a new access rule, click Add Rules > Add Access Rule.

Lesson 3 Access rules

Many data security requirements pertain to the database users and administrators accessing database tables. Access rules focus on evaluating access operations and then taking the correct actions, such as ignoring the operation or terminating the session. In this lesson, you learn how to build access rules.

Access rule overview


[Figure: access rule dialog. Description: explains the purpose of the policy rule. Criteria: defines the fields and options that trigger the rule. Actions: the activity that is performed when a rule is triggered. Buttons to save or discard the policy rule.]

A policy rule is made up of four sections:

1. Rule Description: Explains the purpose of the policy rule.
2. Criteria: Defines the fields and options that trigger the rule.
3. Action: Describes the activity that the appliance performs when a rule is triggered.
4. Back/Save: Allows you to save or discard the policy rule.

Each of these four sections is described in detail in the following slides.

Access rule description


• Description: Use this field to describe what the rule does; it is displayed in any policy rule violation
• Category: The category is logged with violations and is used for grouping and reporting purposes; if nothing is entered, the default for the policy is used
• Classification: Optionally enter a classification in the Classification field; like Category, these are logged with exceptions and can be used for grouping and reporting purposes
• Severity: Select a severity code: Info, Low, Med, or High (Info is the default)

Note: Description is the only required field.

Access rule criteria

All of the fields from Server IP through Records Affected Threshold make up the criteria of the rule. The above example represents a single dialog, but it has been broken into two parts in order to be displayed better on the slide.

If you choose fields in separate rows, both conditions must be satisfied for the rule to trigger (AND conditions). In the example above, the user must be in the Privileged Users group and the object must be in the Sensitive Objects group for the rule to fire.

If you choose two fields within the same row, a match for either satisfies that criterion (OR condition).

Access rule actions

Access rules fall into the categories described in the following table.

Category: Alerts/Policy Violations
• ALERT DAILY: Send notifications to one or more recipients only the first time the rule is matched each day.
• ALERT ONCE PER SESSION: Send notifications only once for each session in which the rule is matched.
• ALERT ONLY: Write action to message and message_text tables. This action permits all policy violation notifications to be sent to a remote destination. It was designed to improve Guardium integration with other database security solutions. This alerting action is similar to ALERT PER MATCH.
• ALERT PER MATCH: Send notifications each time the rule is satisfied.
• ALERT PER TIME GRANULARITY: Send notifications once per configured logging granularity period.
• FAM ALERT AND AUDIT: Trigger an alert and log the construct that triggered the rule.
• FAM AUDIT ONLY: Log the construct that triggered the rule.
• FAM IGNORE: Do not log this event.
• FAM LOG ONLY ACCESS VIOLATIONS: Log FAM access violations.
• LOG ONLY: Log the policy violation only.

Category: Filters
• IGNORE RESPONSES PER SESSION: Ignore responses for the remainder of the session.
• IGNORE SESSION: Ignore the current request and the remainder of the session.
• IGNORE S-TAP SESSION: Ignore the current request and the remainder of the S-TAP session. This is a “hard” ignore and cannot be revoked.
• IGNORE STAP SESSION (REVOCABLE): Ignore the current request and the remainder of the S-TAP session. This is a “soft” ignore, and this rule action can enable the session traffic to be sent again without requiring a new connection to the database.
• IGNORE SQL PER SESSION: Do not log SQL for the remainder of the session. Exceptions will continue to be logged, but the system might not capture the SQL strings that correspond to the exceptions.
• SKIP LOGGING: Do not log a policy violation, and stop logging constructs.

Category: Logging Rules
• LOG MASKED DETAILS: Log the full SQL for this request, replacing values with question marks (???).
• LOG FULL DETAILS: Log the full SQL string and exact timestamp for this request.
• LOG FULL DETAILS WITH VALUES: Similar to LOG FULL DETAILS, but in addition, store each value as a separate element.
• LOG FULL DETAILS PER SESSION: Log the full SQL string and exact timestamp for this request and for the remainder of the session.
• LOG FULL DETAILS WITH VALUES PER SESSION: Combine the actions of LOG FULL DETAILS WITH VALUES and LOG FULL DETAILS PER SESSION.
• LOG FULL DETAILS WITH REPLACED VALUES: Use only for DB2 on z/OS and iSeries. Replace literal markers such as :1, :2 (for static SQL) or ? (for dynamic prepare) in SQL statements with bind variable values before logging to Full SQL. Reduces the amount of logging and improves performance.

Category: Firewall/Blocking
• QUARANTINE: Prevent the same user from logging in to the same server for a certain period of time.
• S-GATE TERMINATE: Terminate a database connection, or session, and prevent additional requests on that session.
• S-GATE ATTACH: S-TAP is in firewall mode for that session, holding the database requests and waiting for a verdict on each request before releasing its responses. In this mode, there will be latency.
• S-GATE DETACH: S-TAP is in normal monitoring mode for that session; it passes requests to the database server without any delay. In this mode, latency is not expected.
• S-TAP TERMINATE: Terminate a database connection or session and prevent additional requests on that session. This action is available in S-TAP, regardless of whether S-GATE is used.

Category: Other Logging Rules
• ALLOW: Do not log a policy violation. If the ALLOW action is selected, no other actions can be added to the rule. Constructs are logged.
• NO PARSE: Do not parse the SQL statement.
• QUICK PARSE NO FIELDS: Do not parse fields in the SQL statement.
• QUICK PARSE NATIVE: Use only for Guardium S-TAP for DB2 on z/OS to improve performance in a heavy traffic environment.
• QUICK PARSE: For the remainder of the session, do not parse the SQL statement.
• RECORD VALUES SEPARATELY / DO NOT RECORD VALUES SEPARATELY: Use in the Replay function to distinguish between transactions.
• MARK AS AUTO-COMMIT ON / MARK AS AUTO-COMMIT OFF: Use in the Replay function due to the various auto-commit models of different databases.
• ADD DATA SINK: Do not use this rule.

Access rule example


[Figure: access rule "Privileged users accessing sensitive objects - Log Full Details". Criteria: DB User is in the Privileged Users Group AND Object is in the Sensitive Objects Group. Actions: Alert Once Per Session AND Log Full Details.]

This is an example of a complete access rule:

• Description: Privileged users accessing sensitive objects - Log Full Details
• Criteria: DB User IN GROUP Privileged Users AND Object IN GROUP Sensitive Objects
• Actions: Alert Once Per Session AND Log Full Details
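The following Python is an added example, not course material or Guardium code, that models how the criteria rows of an access rule combine (every row must match, a match on any value within a row suffices) and how a policy applies its rules from top to bottom, stopping at the first rule that triggers. It builds the example rule above, preceded by a constructed ALLOW rule so the ordering effect is visible; the group members, account names and IP addresses are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed group definitions standing in for Guardium groups (sample data only).
GROUPS: dict[str, frozenset[str]] = {
    "Privileged Users": frozenset({"sa", "dba_anne"}),
    "Sensitive Objects": frozenset({"emp_salary", "employee_table"}),
    "Application Accounts": frozenset({"hr_app"}),
}


@dataclass(frozen=True)
class Request:
    """One client-to-server access request as the sniffer sees it (constructed model)."""
    server_ip: str
    client_ip: str
    db_user: str
    verb: str
    objects: tuple[str, ...]   # objects referenced by the SQL statement


@dataclass(frozen=True)
class Criterion:
    """One row of the criteria dialog. `values` holds every value the row accepts
    (a literal and/or the members of a group); a match on any one of them
    satisfies the row, which is the OR condition within a row."""
    field: str
    values: frozenset[str]

    @staticmethod
    def in_group(field: str, group: str, literal: Optional[str] = None) -> "Criterion":
        accepted = set(GROUPS[group])
        if literal is not None:        # a literal value and a group in the same row
            accepted.add(literal)
        return Criterion(field, frozenset(accepted))

    def matches(self, req: Request) -> bool:
        actual = getattr(req, self.field)
        candidates = set(actual) if isinstance(actual, tuple) else {actual}
        return not candidates.isdisjoint(self.values)


@dataclass(frozen=True)
class Rule:
    description: str
    criteria: tuple[Criterion, ...]    # separate rows: every row must match (AND)
    actions: tuple[str, ...]
    severity: str = "Info"

    def triggered(self, req: Request) -> bool:
        return all(c.matches(req) for c in self.criteria)


@dataclass(frozen=True)
class Policy:
    description: str
    rules: tuple[Rule, ...]

    def evaluate(self, req: Request) -> Optional[Rule]:
        """Apply rules top to bottom and return the first rule that triggers; later
        rules are not examined (the default behaviour when a rule fires).
        None means no rule fired and the request gets the default logging."""
        for rule in self.rules:
            if rule.triggered(req):
                return rule
        return None


def build_example_policy() -> Policy:
    """The lesson's example rule, preceded by a constructed ALLOW rule for an
    application account so that rule ordering is visible."""
    app_allow = Rule(
        "Application accounts - Allow",
        criteria=(Criterion.in_group("db_user", "Application Accounts"),),
        actions=("ALLOW",),            # log normally and do not continue to later rules
    )
    privileged = Rule(
        "Privileged users accessing sensitive objects - Log Full Details",
        criteria=(
            Criterion.in_group("db_user", "Privileged Users"),     # row 1
            Criterion.in_group("objects", "Sensitive Objects"),    # row 2 (AND with row 1)
        ),
        actions=("ALERT ONCE PER SESSION", "LOG FULL DETAILS"),
        severity="High",
    )
    return Policy("- Course example policy", (app_allow, privileged))


if __name__ == "__main__":
    policy = build_example_policy()
    req = Request("10.0.0.5", "10.0.0.20", "sa", "select", ("emp_salary",))
    hit = policy.evaluate(req)
    print(hit.description if hit else "no rule fired", hit.actions if hit else ())
```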


Alert rules

Alert rules send notification to designated receivers at a defined frequency, depending on the action
chosen.
at

• Actions
ic

– Alert Daily sends notifications only the first time the rule is matched each day.
– Alert Once Per Session sends notifications only once for each session in which the rule is
l
up

matched.
– Alert Per Match sends notifications each time the rule is satisfied.
D

– Alert Per Time Granularity sends notifications once per logging granularity period. For
example, if the logging granularity is set to one hour, notifications will be sent for only the
first match for the rule during each hour.
ot

• Receivers
N

– Email messages are addressed to Guardium users, and are sent via the SMTP server
configured for Guardium.
o

– SNMP traps are sent to the trap community configured for the Guardium appliance.
D

– Syslog messages are written to syslog. Custom notifications, which are user-written
notification handlers, are implemented as Java classes.
• Rec. Vals.: The record values check box indicates whether the full, unmasked, SQL string is
included with the alert.
• Message Template: The template used for the message might be modified.

© Copyright IBM Corp. 2016 197


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Unit 7 IBM Guardium: Policy management
Lesson 3 Access rules

Uempty
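The four alert frequencies above differ only in the key on which repeated matches are suppressed. The following model is an added example, not course material or Guardium code: it keeps one "already notified" set per rule and shows how many notifications the same sequence of matches produces under each action. The session IDs, timestamps and the one-hour logging granularity are constructed assumptions.

```python
"""Added example, not part of the course or Guardium: a model of the four alert
frequencies described above.  Matches are constructed sample data; the session
IDs and timestamps are invented."""
from datetime import datetime, timedelta


class AlertThrottle:
    """Decides whether a rule match produces a notification under one action."""

    def __init__(self, action, granularity=timedelta(hours=1)):
        self.action = action              # one of the four ALERT_* names below
        self.granularity = granularity    # logging granularity (assumed: one hour)
        self.seen = set()                 # keys for which a notification already went out

    def should_notify(self, ts, session_id):
        if self.action == "ALERT_PER_MATCH":
            return True                   # every match notifies
        if self.action == "ALERT_DAILY":
            key = ts.date()               # first match per calendar day
        elif self.action == "ALERT_ONCE_PER_SESSION":
            key = session_id              # first match per session
        elif self.action == "ALERT_PER_TIME_GRANULARITY":
            # first match per granularity bucket; bucket index is timezone-independent
            key = (ts - datetime.min) // self.granularity
        else:
            raise ValueError("unknown alert action: " + self.action)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def count_notifications(action, matches):
    """Number of notifications sent for a sequence of (timestamp, session_id) matches."""
    throttle = AlertThrottle(action)
    return sum(1 for ts, sid in matches if throttle.should_notify(ts, sid))


# Constructed matches of one rule: two sessions straddling an hour boundary,
# one later session, and one session the next day.
T0 = datetime(2016, 10, 3, 9, 15)
MATCHES = [
    (T0, "s1"),
    (T0 + timedelta(minutes=10), "s1"),
    (T0 + timedelta(minutes=50), "s2"),
    (T0 + timedelta(minutes=70), "s2"),
    (T0 + timedelta(hours=3), "s3"),
    (T0 + timedelta(days=1), "s4"),
]

if __name__ == "__main__":
    for action in ("ALERT_PER_MATCH", "ALERT_DAILY",
                   "ALERT_ONCE_PER_SESSION", "ALERT_PER_TIME_GRANULARITY"):
        print(action, count_notifications(action, MATCHES))
```

For the six constructed matches the model sends six notifications under Alert Per Match, four under Alert Once Per Session (four sessions) and under Alert Per Time Granularity (four distinct hours), and two under Alert Daily. The difference is what decides whether a noisy rule floods the receivers.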

Alert example

This is an example of a triggered alert going to syslog. Note that the alert contains the policy rule name and includes the full SQL statement because the record values check box was selected.

When an alert rule is triggered, the appliance also logs a policy violation.

Allow

With multiple rules in a policy, the rules are processed from top to bottom
The Allow action helps control this flow
The Allow rule informs the sniffer to log the traffic normally and not continue to the next rule

With multiple rules in a policy, the rules are processed from top to bottom. When a rule is triggered, the default behavior is to stop processing subsequent rules, unless the Continue to next rule check box is selected.

The Allow action helps control this flow. The Allow rule informs the sniffer to log the traffic normally; that is, log the construct and access period timestamp, and do not continue to the next rule. Note that the Continue to next rule check box is grayed out and unavailable. This is commonly used when you want to prevent certain activity from reaching specific rules further down in the policy.

A real-world example of when this rule is used is when a customer requirement is to log activity by privileged users only for MS SQL Server 2005 or 2008 database servers. To meet such a requirement, you usually create a rule specifying that if the user is NOT in the Privileged User group, the session is ignored. With most database types, this rule is sufficient. However, with MS SQL Server 2005/2008, many login packets are encrypted and it takes Guardium a few seconds to resolve the encrypted login to the actual user name. While the resolution is taking place, the user name appears as an empty string and, being empty, it is not in the Privileged User group and is therefore ignored. To prevent privileged user sessions from being ignored incorrectly, you add an Allow rule with the special guardium://empty flag in the DB User field before the Ignore Session rule. While the user name is empty, the traffic is logged normally. When the user name is resolved, this rule is no longer triggered because the name is no longer empty, allowing the session to be evaluated by the ignore session rule.

Ignore session rules

• Useful to filter traffic
• Ignored session rules can positively affect system performance, including the following examples
– The number of collectors required
– The performance of each collector
– Data retention
• Connection information always logged

Ignored session rules provide the most effective method of filtering traffic. An ignore session rule causes activity from individual sessions to be dropped by S-TAP or completely ignored by the sniffer. Connection (login/logout) information is always logged, even if the session is ignored.

Ignored session rules can positively affect the performance of the collector and data retention. If you log privileged user activity only, you need fewer collectors than a “comprehensive” implementation, in which all traffic is logged.

Choosing which sessions to ignore depends on the size of the Guardium implementation. Some implementations might ignore sessions where the user is not a member of a group of privileged users. Other implementations might log all, or almost all, sessions.

Most implementations fall somewhere in between. That is, more than just privileged users are logged, but many trusted sessions, such as applications, backups, and scheduled processes, are ignored.

Ignore S-TAP Session action

(Figure labels: Network connections, Sessions, SQL commands, SQL errors, SQL result sets)

The Ignore S-TAP Session action follows this process:

1. The user logs in to the database server.
2. S-TAP sends the connection information, along with the first few commands, to the sniffer.
3. Based on the policy rule, the sniffer determines that the session should be ignored.
4. The sniffer sends a signal to S-TAP to stop sending traffic from that session.
5. S-TAP discontinues sending traffic from the session.
6. The user logs out of the database.
7. S-TAP sends the logout packet to the sniffer.
8. If S-TAP continues to send traffic from a session that should be ignored, the sniffer continues to send the signal to S-TAP to ignore the session.

The process described above is repeated for every connection; this keeps resource utilization as low as possible on the database server. All policy logic is maintained by the collector, while S-TAP only maintains the list of sessions to be ignored.

If you have an S-TAP-only environment, use the Ignore S-TAP Session rule, not Ignore Session, to completely ignore a session. Ignore Session only sends the “ignore” signal to S-TAP once and is not as robust as Ignore S-TAP Session. However, if you use a SPAN port or network TAP, you need to use Ignore Session rules for network traffic.
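The eight steps above describe a small protocol between the two ends. The model below is an added example, not Guardium code: the sniffer owns the policy decision and sends the ignore signal, S-TAP keeps only the set of session IDs it was told to drop, and login/logout packets are always forwarded and logged. The toy policy (ignore every session of one DB user), the session IDs, user names and statements are constructed; the `honours_signals=False` switch models step 8, an S-TAP that keeps sending despite the signal.

```python
"""Added example, not Guardium code: a model of the eight-step S-TAP / sniffer
exchange described above.  The sniffer holds the policy (here a toy rule: ignore
sessions of one DB user); S-TAP keeps only the set of session IDs it was told to
drop.  Session IDs, user names and statements are constructed."""


class Sniffer:
    def __init__(self, ignored_users):
        self.ignored_users = set(ignored_users)   # toy policy: Ignore S-TAP Session for these users
        self.session_user = {}                    # session id -> DB user seen at login
        self.logged = []                          # packets the collector logs
        self.signals = []                         # ("IGNORE", session id) messages sent to S-TAP

    def receive(self, packet):
        """Handle one packet from S-TAP; return a signal for S-TAP or None."""
        sid, kind, user, _text = packet
        if kind == "LOGIN":
            self.session_user[sid] = user
        if kind in ("LOGIN", "LOGOUT"):
            self.logged.append(packet)            # steps 2 and 7: connection info is always logged
            return None
        if self.session_user.get(sid) in self.ignored_users:
            signal = ("IGNORE", sid)              # step 4, and again in step 8 if traffic keeps arriving
            self.signals.append(signal)
            return signal
        self.logged.append(packet)
        return None


class STap:
    def __init__(self, sniffer, honours_signals=True):
        self.sniffer = sniffer
        self.ignored = set()                      # the only policy state S-TAP keeps
        self.sent = 0                             # packets forwarded to the sniffer
        self.honours_signals = honours_signals    # False models step 8 (a misbehaving S-TAP)

    def observe(self, packet):
        sid, kind, _user, _text = packet
        if kind not in ("LOGIN", "LOGOUT") and sid in self.ignored:
            return                                # step 5: dropped on the database server
        self.sent += 1
        signal = self.sniffer.receive(packet)
        if signal and self.honours_signals:
            self.ignored.add(signal[1])


def run(packets, ignored_users, honours_signals=True):
    """Feed packets through S-TAP to the sniffer; return both ends for inspection."""
    sniffer = Sniffer(ignored_users)
    stap = STap(sniffer, honours_signals)
    for packet in packets:
        stap.observe(packet)
    return sniffer, stap


# Constructed traffic: a backup service account (to be ignored) and a DBA session.
PACKETS = [
    ("s1", "LOGIN", "backup_svc", ""),
    ("s1", "SQL", "backup_svc", "SELECT * FROM orders"),       # first command reaches the sniffer
    ("s1", "SQL", "backup_svc", "SELECT * FROM customers"),    # dropped by S-TAP after the signal
    ("s1", "SQL", "backup_svc", "SELECT * FROM invoices"),
    ("s1", "LOGOUT", "backup_svc", ""),
    ("s2", "LOGIN", "sa", ""),
    ("s2", "SQL", "sa", "SELECT COUNT(*) FROM salaries"),
    ("s2", "LOGOUT", "sa", ""),
]

if __name__ == "__main__":
    sniffer, stap = run(PACKETS, {"backup_svc"})
    print("forwarded:", stap.sent, "logged:", len(sniffer.logged), "signals:", len(sniffer.signals))
```

With a well-behaved S-TAP, only the login, the first command and the logout of the ignored session cross the wire and a single signal is sent; with `honours_signals=False` every further command of that session provokes another signal, which is the repeated-signal behaviour of step 8. In both cases the collector logs exactly the same five packets.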

Ignore Session example

In this example, all sessions will be ignored except for those in the Privileged Users group (the rule criterion is DB User NOT in the Privileged Users group).

Ignore S-TAP Session rule: Trusted connections

The Client IP/Src App./DB User/Server IP/Svc. Name group allows you to specify the exact sessions that you want to ignore. For example, activity from a service account on an application server using a specific application can be ignored, but if the connection does not meet all three criteria, the activity should be logged.

The Client IP/Src App./DB User/Server IP/Svc. Name group contains five attributes that should be added in this order:

1. Attribute 1 = Client IP
2. Attribute 2 = Src App
3. Attribute 3 = DB User
4. Attribute 4 = Server IP
5. Attribute 5 = Svc. Name

Note: A wildcard (%) can be added if a specific attribute is not relevant.

In the above example, a group named -Trusted Connections has been created, and members representing three connections have been added. The percent sign (%) is used to represent a wildcard. Therefore, in the example, any session by database user hr will be ignored.

Ignore Session criteria

All Ignore Session actions should only have session-based fields as criteria; otherwise, you can experience unexpected results.
(Figure: the rule fields you can use with Ignore Session, and the fields you must not use with Ignore Session)

For all Ignore Session actions, use only session-based fields as criteria. Otherwise, you will experience unexpected results.

Ignore Responses Per Session action

(Figure labels: Network connections, Sessions, SQL commands, SQL errors, SQL result sets)

The Ignore Responses Per Session action causes the collector to continue logging SQL requests, but the sniffer instructs S-TAP to stop forwarding the responses that the database server returns to the client. Responses include SQL errors and result sets.

Ignore SQL Per Session action

(Figure labels: Network connections, Sessions, SQL commands, SQL errors, SQL result sets)

The Ignore SQL Per Session action causes the collector to continue logging SQL errors and result sets, but the sniffer instructs S-TAP to stop forwarding the SQL requests that the client sends to the database server.

Ignore Session action

(Figure labels: Network connections, Sessions, SQL commands, SQL errors, SQL result sets)

Use the Ignore Session rule only when a hardware solution such as a SPAN port or network TAP is used to capture traffic. In this instance, all traffic reaches the sniffer, which then discards it. Session begin and end are still logged.

Log Full Details policy action

• Logs include the exact timestamp and unmasked, full SQL string
• Every individual SQL request is logged
• These logs can fill the Guardium internal database quickly; use with care
• The Log Full Details policy action is appropriate under the following circumstances
– Exact timestamp is required
– Values entered are of interest

To meet some customer requirements, logging just the construct is not sufficient. For these cases, Guardium can log more than the construct by using the Log Full Details policy action. With some variation, the Log Full Details actions perform the following steps:

1. Log the exact timestamp for each occurrence matching the rule criteria.
2. Log the unmasked, full SQL string executed by the user.

When the Log Full Details action is triggered, each individual SQL request is logged to the Full SQL entity with the exact time the command was issued and the full, unmasked SQL string. The constructs and Access Period timestamps are also still logged normally.

Because each SQL request is now logged, rather than just updating the construct counter, Log Full Details rules can potentially fill the Guardium internal database very quickly.

Examples of when Log Full Details rules are appropriate:

1. The exact timestamp is required.
2. The values entered in an SQL request are of interest.

Other logging options

• Log full details per session
• Log masked details
• Log only
• Quick parse
• Quick parse native
• Quick parse no fields
• Skip logging

Log Full Details Per Session logs the full SQL string and timestamp for the request that triggers the action, as well as for all subsequent SQL requests made during the remainder of the session.

Log Masked Details logs the full SQL timestamp but continues to mask the SQL string. This is used in instances where the exact time of the SQL request is important, but the values should not be exposed.

The Log Only rule can be thought of as Log (policy violation) Only. It is similar to an alert in that any time the rule is triggered, a policy violation is created. This is useful when you need to report on specific policy violations but do not require an alert.

When a Quick Parse rule is triggered, WHERE clauses are not parsed for the remainder of the session. This reduces parsing time. In this mode, all objects accessed can still be determined, because objects appear before the WHERE clause, but the exact object instances affected are unknown, because they are determined by the WHERE clause.

Use Quick Parse Native only for Guardium S-TAP for DB2 on z/OS, to improve performance in a heavy-traffic environment. It performs the parse natively.

Use the Quick Parse No Fields option to prevent parsing fields in the SQL statement.

The Skip Logging option, when matched, indicates that policy violations should not be logged and that logging of constructs should be stopped. This action is used to eliminate the logging of constructs for requests that are known to be of no interest. For example, it is commonly used with temp tables (objects beginning with a pound sign (#)) in MS SQL Server. This feature also applies to exception rules concerning database error codes only, allowing users to not log errors when an application generates large numbers of errors and the user can do nothing to stop the application errors.

These SQL requests or SQL errors are still sent by S-TAP and are still processed by the sniffer. Skip Logging helps with data retention and eases reporting, but does not provide the same performance benefit as Ignore S-TAP Session. It is only meant to be used when ignoring a small number of SQL requests. If you cannot use Ignore S-TAP Session but want to ignore many types of requests, for example, log DDL and DML but ignore everything else, a selective audit trail policy is more effective.

Exercise introduction

Complete the following exercise in the Course Exercises book:
• Creating and installing a policy

Perform the exercise for this lesson.

Use the following link to view a demonstration of the exercise:

• Creating and installing a policy: https://vimeo.com/173670423
Lesson 4 Exception and extrusion rules

Some data security requirements focus on the data that is generated by an operation. Exception rules focus on errors generated by the database, such as an error caused by a database user attempting to log in with the wrong password. Extrusion rules consider the data returned by an operation and take appropriate actions. In this lesson, you learn the differences between exception and extrusion rules.

Exception rule definition

• Exception rules evaluate exceptions such as failed logins and SQL errors
• Exception rules contain a field for Exception Type, which can be one of the following choices
– LOGIN_FAILED
– SESSION_ERROR
– SQL_ERROR

Exception rules contain session-level criteria, like access rules, but do not have criteria for SQL requests (command, object, and so on). Instead, exception rules contain a field for Exception Type, which includes these choices:

• LOGIN_FAILED: Failed login messages from the database server to the database client
• SESSION_ERROR: Errors related to connection information
• SQL_ERROR: Error messages returned from the database server to the database client

For example, executing a SELECT command against a table that does not exist in DB2 returns this error:

SQL0204N "A8000.TABLC" is an undefined name. SQLSTATE=42704

Exception rules: Actions

Exception rule actions are a subset of the access rule actions.

Failed login alert

The most common type of exception rule is to alert on x number of failed login attempts within y minutes. Example: 3 failed login attempts within 5 minutes.

To create this alert, create a new exception rule as follows:

• DB User: . (period) Placing a period in DB User causes the system to place a counter on DB User, so that you receive an alert only when the same user attempts to log in three times within five minutes. Otherwise, it alerts when three failed logins from any three users occur within five minutes, which could result in a great deal of false positives.
• Exception Type: LOGIN_FAILED
• Minimum Count: 3
• Reset Interval: 5
• Action: Alert Per Match
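The difference the period in DB User makes is easiest to see on a stream of events. The following detection logic is an added example, not the course's or Guardium's code: it keeps one failure counter per user (the period) or one shared counter (no period), resets a counter once the reset interval has elapsed, and fires when the minimum count is reached. The login events are constructed, and the assumption that a counter restarts after an alert fires is the example's own.

```python
"""Added example, not Guardium code: the counter behaviour behind the failed-login
exception rule on this slide (Exception Type LOGIN_FAILED, Minimum Count 3, Reset
Interval 5 minutes, DB User '.').  Assumed: a counter restarts when the reset
interval has elapsed and after an alert fires.  Events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MINIMUM_COUNT = 3
RESET_INTERVAL = timedelta(minutes=5)


def failed_login_alerts(events, count_per_user=True):
    """events: (timestamp, db_user, exception_type) tuples in time order.
    count_per_user=True models the '.' in DB User (one counter per user);
    False models a rule without it (one counter shared by all users).
    Returns [(timestamp, key)] for each point at which an alert would fire."""
    windows = defaultdict(lambda: [None, 0])      # key -> [window start, failures so far]
    alerts = []
    for ts, user, exc_type in events:
        if exc_type != "LOGIN_FAILED":            # SQL_ERROR and SESSION_ERROR do not count here
            continue
        key = user if count_per_user else "*"
        window = windows[key]
        if window[0] is None or ts - window[0] > RESET_INTERVAL:
            window[0], window[1] = ts, 0          # reset interval elapsed: start a new window
        window[1] += 1
        if window[1] >= MINIMUM_COUNT:
            alerts.append((ts, key))
            window[0], window[1] = ts, 0          # assumed: start counting again after an alert
    return alerts


# Constructed sample events: three different users fail once each within two
# minutes, then one of them fails twice more; a later failure falls outside
# the reset interval, and a SQL_ERROR is a different exception type.
T0 = datetime(2016, 10, 3, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "alice", "LOGIN_FAILED"),
    (T0 + timedelta(seconds=40), "bob", "LOGIN_FAILED"),
    (T0 + timedelta(seconds=70), "carol", "LOGIN_FAILED"),   # three users, not one
    (T0 + timedelta(seconds=90), "alice", "LOGIN_FAILED"),
    (T0 + timedelta(seconds=120), "alice", "LOGIN_FAILED"),  # alice's third within 5 minutes
    (T0 + timedelta(minutes=20), "bob", "LOGIN_FAILED"),     # bob's window has expired
    (T0 + timedelta(minutes=21), "bob", "SQL_ERROR"),        # different exception type
]

if __name__ == "__main__":
    print("per-user counter (DB User '.'):", failed_login_alerts(SAMPLE_EVENTS))
    print("shared counter (no '.'):       ", failed_login_alerts(SAMPLE_EVENTS, count_per_user=False))
```

With the per-user counter the only alert is alice's third failure at 09:02:00; with a shared counter the rule already fires at 09:01:10 on the third failure from three unrelated users, which is the false positive the slide warns about.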

Extrusion rules and inspection engines

• Extrusion rules evaluate data returned by inspection engines
• Inspection engines are required to return results

An extrusion rule evaluates data returned by the server in response to requests. For example, it might test the returned data for numeric patterns that could be social security or credit card numbers.

Before using extrusion rules, they must be enabled as follows:

1. Go to Manage > Activity Monitoring > Inspection Engines.
2. Select the Inspect Returned Data check box.
3. Click Apply.

Redact

For extrusion rules only, redact masks sensitive data returned to the user from the database server. This is done by changing the data pattern in the extrusion rule: place parentheses around the elements you want masked. The next few slides provide an example of this process.

Extrusion rule example

Extrusion rules examine data being returned from the database server to the client, based on patterns in the data matching a regular expression.

To create an extrusion rule that searches for credit card numbers being returned to privileged users, populate the fields as follows:

• Description: guardium://CREDIT_CARD – Privileged users accessing credit cards
  When a rule name begins with guardium://CREDIT_CARD, and a valid credit card number pattern is in the Data Pattern field, the policy uses the Luhn algorithm in addition to standard pattern matching. The Luhn algorithm is a widely used algorithm for validating identification numbers such as credit card numbers; it performs an additional check that does not replace the pattern check. A valid credit card number is a string of 16 digits or four sets of four digits, with each set separated by a blank. Both the guardium://CREDIT_CARD rule name and a valid [0-9]{16} number in the Search Expression field are required for the Luhn algorithm to be involved in this pattern matching.
• DB User: In the Privileged Users group
• Data Pattern: ([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4})[-, ]?[0-9]{4}[ ]{0,20}
  This is a regular expression that searches for any string of 16 digits or four sets of four digits, with each set separated by a blank or a dash. The parentheses surround the portion of the string that will be masked when logged by Guardium. In this case, only the last four digits of the credit card numbers will be logged.
  To receive help in building a regular expression, click the RE button, which brings up the build regular expression dialog where you can test your regular expression.
• Replacement Character: * (asterisk)
  If you want to use something other than an asterisk to mask the string, enter it here.
• Action: Write to the policy violation domain
  Extrusion rules can write to the policy violations domain through Alert or Log Only rules, or to the access domain through Log Full Details rules. In the example above, the rule writes to the policy violation domain, which is visible on the Incident Management tab.
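The following model is an added example and not Guardium code; it applies the rule's own Data Pattern and a Luhn check to constructed result rows, masking only the parenthesised group so that the last four digits remain. Python's `re` engine stands in for Guardium's POSIX 1003.2 matcher (this pattern behaves the same under both). Two details are the example's assumptions rather than statements from the course: only the digits inside the captured group are replaced (separators are kept), and a string that matches the pattern but fails the Luhn check is left unmasked under a guardium://CREDIT_CARD rule.

```python
"""Added example, not Guardium code: the masking that the extrusion rule above
describes, using the course's Data Pattern unchanged.  Python's re engine is used
in place of Guardium's POSIX 1003.2 matcher; the pattern behaves the same under
both.  Assumed: only the digits inside the parenthesised group are replaced, and
a match that fails the Luhn check is left untouched.  Sample rows are constructed."""
import re

# Data Pattern from the rule; group 1 is the part that gets masked.
DATA_PATTERN = re.compile(r"([0-9]{4}[-, ]?[0-9]{4}[-, ]?[0-9]{4})[-, ]?[0-9]{4}[ ]{0,20}")
REPLACEMENT_CHAR = "*"          # the rule's Replacement Character


def luhn_valid(candidate):
    """Luhn check over the digits of a 16-digit candidate (separators ignored)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(row, require_luhn=True):
    """Mask the captured group of each match so only the last four digits remain.
    require_luhn=True models a rule named guardium://CREDIT_CARD; False models
    the same Data Pattern under an ordinary rule name (pattern check only)."""
    def mask(m):
        whole = m.group(0)
        if require_luhn and not luhn_valid(whole):
            return whole                    # pattern matched but Luhn failed: not a card number
        masked = "".join(REPLACEMENT_CHAR if c.isdigit() else c for c in m.group(1))
        return masked + whole[len(m.group(1)):]
    return DATA_PATTERN.sub(mask, row)


# Constructed result rows: the well-known Luhn-valid test number 4111 1111 1111 1111,
# a number that matches the pattern but fails Luhn, and a dash-separated number.
SAMPLE_ROWS = [
    "cust=17 card=4111 1111 1111 1111",
    "cust=18 card=4111 1111 1111 1112",
    "cust=19 card=4111-1111-1111-1111",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row, "->", redact(row))
```

The second row shows what the rule name buys: under guardium://CREDIT_CARD the 16-digit string that fails Luhn is not treated as a card number, while the same Data Pattern under any other rule name masks it anyway.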

Regular expression builder

• Guardium regular expressions conform to POSIX 1003.2
• Predefined expressions for common types of sensitive information

Regular expressions can be used to search traffic for complex patterns in the data. For example, credit card numbers and personal identification numbers often follow a set pattern, such as a series of groups of characters, each group of a certain length, separated by dashes or spaces, and containing characters of a certain type, such as letters or numbers.

The IBM Guardium implementation of regular expressions conforms with POSIX 1003.2. For more detailed information, see the Open Group website: www.opengroup.org. IBM provides a set of predefined regular expressions for common types of sensitive information, such as credit cards or personal identification numbers. The regular expression builder provides access to these predefined regular expressions, as well as a tool for building and testing your own custom regular expressions.

Extrusion rule example results

• This example shows how Guardium logs and displays the data resulting from an extrusion rule firing
• The Full SQL String column contains the SQL string that was issued and the masked values that the database server returned
Lesson 5 Selective Audit Trail policy

In some cases, your data security requirements might focus on only a small set of commands. By setting your policy wisely, you can reduce the overhead on your network and your Guardium collectors. In this lesson, you learn about Selective Audit Trail policy best practices.

Creating a Selective Audit Trail policy

• Some implementations require only a small subset of SQL requests to be monitored. Example: sensitive object access only, or DML and DDL activity only
• The Selective Audit Trail policy can provide tremendous benefits both in collector performance and data retention

Selective Audit Trail default behavior

(Figure labels: Network connections, Sessions, SQL commands, SQL errors, SQL result sets)

This slide describes the default behavior if you install a selective audit policy with no rules.

• Traffic sent by S-TAP
– Database Client -> Database Server
   – Client/server network connections
   – Sessions (logins/logouts)
   – SQL requests (commands)
– Database Server -> Database Client
   – Failed login messages
   – SQL errors
   – Result sets
• Traffic analyzed, parsed, and logged by the sniffer
– Database Client -> Database Server
   – Client/server network connections
   – Sessions (logins/logouts)
– Database Server -> Database Client
   – Failed login messages
   – SQL errors
• Traffic ignored and discarded by the sniffer
– SQL requests: In this case, the policy must contain a rule to log specific SQL requests; otherwise they are discarded. Alternatively, you can enter a regular expression in the Audit Pattern field. However, this is not commonly used.
– Result sets

Audit only rule

• When an Audit Only rule fires in a Selective Audit Trail policy, Guardium logs the traffic normally (constructs with masked SQL and Access Period timestamp)
• To log the full SQL string, Log Full Details rules work the same as in a nonselective audit trail policy, and ignore session rules can be used in a selective audit to provide performance benefits

When an Audit Only rule fires in a selective audit trail policy, the appliance logs the traffic normally, as constructs with masked SQL and the Access Period timestamp. If you need to log the full SQL string, Log Full Details rules work the same as in a nonselective audit trail policy. Also, ignore session rules can be used in a selective audit and still provide tremendous performance benefits.
Lesson 6 Guardium policy rule order and logic

Generally, an implementation includes multiple rules. These rules can all be in one policy or in multiple policies. In either case, you should carefully structure your rules so that they are properly applied. Incorrect rule order logic can result in unnecessarily high overhead or, even worse, a data security vulnerability. In this lesson, you learn about rule order default behavior and policy logic.

Rule order and policy logic overview

• Rule order can affect whether policy rules fire correctly
• Actions and settings that can affect the policy logic
  – Multiple actions
  – Continue to next rule
  – Ignore session rules
  – Exception versus access rules

This slide describes the default behavior if you were to install a selective audit policy with no rules.

• Multiple actions: If you require two actions for the same criteria, use multiple actions on one rule. Example: Alert Per Match AND Log Masked Details for DML on Sensitive Objects.
• Continue to next rule: If you have two requirements that do not have the same criteria but do have some overlap, select the Continue to next rule check box on the earlier rule; otherwise evaluation stops at the first rule that matches.
• Ignore session rules: In general, ignore session rules should be the first access rules. An exception to this rule of thumb is a "catch-all" rule at the end of your policy that ignores all sessions that did not match the previous rules. Also, as described on the Allow slide, sometimes you might need to temporarily prevent an ignore session rule from firing by placing it after an Allow rule.

Note: Remember, after a session is ignored, no activity within that session is processed.

Exception and access rules are generally mutually exclusive because they examine different sides of the traffic flow (for example, the failed-login rule on the next page is an exception rule, while the rules that inspect the user, object, and command are access rules). Usually, these rule types do not have much effect on each other.

Policy logic

(Slide: a four-rule policy whose evaluation is traced below.)

In the example above, the incoming database traffic is evaluated as follows:

1. Have there been 3 failed logins within 5 minutes from a single user? If yes, alert. If no, go to the next rule.
   Because this rule is an exception rule and the remaining rules are access rules, this rule could have been placed anywhere.
2. Does the session information match the Trusted Connection group? If yes, use Ignore S-TAP Session. If no, go to the next rule.
   This should be the first access rule because all of the trusted connections should be ignored. If it is placed lower in the rule order, an earlier rule can match trusted traffic first, stop evaluation, and log or alert on sessions that were meant to be ignored.
3. Is the user in the Privileged User group? If yes, use Log Full Details and Continue to next rule.
   If the Continue to next rule check box is not selected, the policy stops at this rule for all privileged user activity. Therefore, to ensure that rule 4 is processed for privileged users, you must select Continue to next rule.
4. Is the object in the Sensitive Objects group and is the command in the DML Commands group? If yes, log masked details and alert per match.
   If the user is a privileged user, the Log Full Details action from rule 3 takes precedence over Log Masked Details.

If none of the above are matched, log traffic normally.
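The evaluation above, as an added example that is not Guardium code: a small Python model of the three access rules, with the group contents, host names, and user names constructed for the demonstration. It shows the two mistakes the lesson warns about: clearing Continue to next rule on rule 3 skips the alert in rule 4 for privileged users, and moving the ignore rule to the end of the policy lets rule 4 alert on trusted application traffic.

```python
"""Model of Guardium access-rule evaluation order (example, not Guardium code).

Only the three access rules from the lesson are modelled; the failed-login
rule is an exception rule and is evaluated on a different stream.
"""
from dataclasses import dataclass
from typing import Callable, Sequence

# Constructed stand-ins for the Guardium groups named in the lesson
TRUSTED_CONNECTIONS = {("appsrv01", "app_user")}        # (client host, DB user)
PRIVILEGED_USERS = {"sys", "dba_joe"}
SENSITIVE_OBJECTS = {"CARDHOLDER", "SSN_DATA"}
DML_COMMANDS = {"SELECT", "INSERT", "UPDATE", "DELETE"}


@dataclass(frozen=True)
class Event:
    session_id: int
    client_host: str
    db_user: str
    command: str
    obj: str


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Event], bool]
    actions: tuple
    continue_to_next: bool = False   # the "Continue to next rule" check box


def rule_trusted(e: Event) -> bool:          # access rule 2
    return (e.client_host, e.db_user) in TRUSTED_CONNECTIONS


def rule_privileged(e: Event) -> bool:       # access rule 3
    return e.db_user in PRIVILEGED_USERS


def rule_sensitive_dml(e: Event) -> bool:    # access rule 4
    return e.obj in SENSITIVE_OBJECTS and e.command in DML_COMMANDS


class PolicyEngine:
    def __init__(self, rules: Sequence[Rule]):
        self.rules = list(rules)
        self.ignored_sessions = set()

    def evaluate(self, e: Event) -> set:
        """Return the set of actions applied to one event."""
        # After a session is ignored, nothing in it is processed again.
        if e.session_id in self.ignored_sessions:
            return {"IGNORED"}
        actions = set()
        for rule in self.rules:
            if not rule.match(e):
                continue
            actions.update(rule.actions)
            if "IGNORE S-TAP SESSION" in rule.actions:
                self.ignored_sessions.add(e.session_id)
                return actions
            if not rule.continue_to_next:
                break                     # evaluation stops at the first match
        if not actions:
            actions.add("LOG NORMALLY")   # default: construct with masked SQL
        # Log Full Details from an earlier rule takes precedence over
        # Log Masked Details from a later one.
        if "LOG FULL DETAILS" in actions:
            actions.discard("LOG MASKED DETAILS")
        return actions


def lesson_policy(continue_after_privileged=True, ignore_rule_first=True):
    """Build the lesson's policy, optionally with the two mistakes it warns about."""
    ignore = Rule("Trusted connections", rule_trusted, ("IGNORE S-TAP SESSION",))
    priv = Rule("Privileged users", rule_privileged, ("LOG FULL DETAILS",),
                continue_to_next=continue_after_privileged)
    sens = Rule("Sensitive DML", rule_sensitive_dml,
                ("LOG MASKED DETAILS", "ALERT PER MATCH"))
    order = [ignore, priv, sens] if ignore_rule_first else [priv, sens, ignore]
    return PolicyEngine(order)


# Constructed traffic
APP_SELECT = Event(1, "appsrv01", "app_user", "SELECT", "CARDHOLDER")
APP_SELECT_2 = Event(1, "appsrv01", "app_user", "SELECT", "ORDERS")
DBA_SELECT = Event(2, "laptop42", "dba_joe", "SELECT", "CARDHOLDER")
ANALYST_SELECT = Event(3, "laptop07", "analyst", "SELECT", "ORDERS")

if __name__ == "__main__":
    good = lesson_policy()
    print("trusted app:", good.evaluate(APP_SELECT), good.evaluate(APP_SELECT_2))
    print("DBA on cardholder:", good.evaluate(DBA_SELECT))
    print("analyst:", good.evaluate(ANALYST_SELECT))
    print("no continue:", lesson_policy(False).evaluate(DBA_SELECT))
    print("ignore rule last:", lesson_policy(ignore_rule_first=False).evaluate(APP_SELECT))
```

With the ignore rule first, the trusted application session is dropped from processing at its first event and every later event in that session is skipped; with it last, rule 4 matches the same SELECT on CARDHOLDER, stops evaluation, and raises an alert on traffic the policy meant to ignore.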

Lesson 7 S-GATE

With Guardium, not only can you send events or alerts, you can also control the session itself. You can set up rules that automatically terminate sessions when Guardium detects improper data access, limiting the damage from hostile attacks on your database.

S-GATE overview

In addition to monitoring, S-TAP can also be configured to work in firewall mode, in which a session is held while the appliance decides whether the request is allowed.

Real-time monitoring to control access

Session-based monitoring
• Hold and check privileged user session activity (S-GATE/closed mode)
• Allow known application server session activity (S-TAP/open mode)

(Figure: a DB admin attempts access to forbidden data; the session is terminated.)

In this example, Guardium blocks anyone in the developer group from accessing cardholder data on production servers. It also terminates the user's connection and sends an alert to the Guardium administrators via SNMP.

When the rule is triggered, the following results occur:
• The command does not reach the database server.
• The user's session is terminated.
• An alert is sent.

Other actions could be taken as well. As an example, when a session is terminated due to a policy rule violation, it is important to log that incident. Data security requires not only hardening your environment to make penetration and exploitation more difficult, but also reducing the time it takes to become aware of potential security breaches. Therefore, it is generally a good idea to send an event to an external event console, or an email to a security administrator, in the case of an access policy violation.

S-GATE S-TAP settings

Enable the firewall through the configuration file on the database server where S-TAP is running:

    [root@osprey ~]# cat /usr/local/guardium/modules/STAP/current/guard_tap.ini | grep firewall
    firewall_installed=1
    firewall_fail_close=0
    firewall_default_state=0
    firewall_timeout=10

S-GATE must be enabled in S-TAP before S-GATE rules can take effect.
• firewall_installed: Should the firewall feature be enabled at all? 0=No, 1=Yes
• firewall_fail_close: What is the default action when a verdict cannot be set by the policy rules (for example, the timeout is reached)? 0=let the connection through, 1=block the connection
• firewall_default_state: What triggers the start of firewall mode? 0=an event triggering a rule in the installed policy, 1=start in firewall mode regardless of a triggering event
• firewall_timeout: Time (in seconds) to wait on a verdict from the appliance; if the timeout is reached, the firewall_fail_close value determines whether to block or allow the connection

If firewall_default_state is set to 0, to put a user in firewall mode you must apply the rule action S-GATE ATTACH. This action should be used for privileged users only.

If firewall_default_state is set to 1, all users are attached by default. Because a held session waits on the appliance's verdict, this adds latency, so applications should never be left in firewall mode. In this case, use S-GATE DETACH to take applications out of firewall mode.

Note that with firewall_fail_close=0 (the value shown above), a session that times out waiting for a verdict is allowed through; the setting trades availability against the risk that a slow or unreachable appliance lets a command that should have been blocked reach the server.

The S-GATE TERMINATE action blocks the SQL command from reaching the database server and drops the user's session.

The QUARANTINE action quarantines a user's access until a specified date.
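An added example, not S-TAP code, that reads the four firewall settings from a guard_tap.ini fragment and replays the verdict logic described above. The ini text is a copy of the lines shown on the slide; a section header is prepended only because Python's configparser requires one, and the appliance reply and its delay are simulated rather than taken from a real appliance.

```python
"""Parse S-GATE settings from guard_tap.ini and model the verdict logic.
Example only, not S-TAP code."""
import configparser
from dataclasses import dataclass

# The lines shown on the slide (constructed copy); nothing else from
# guard_tap.ini is parsed here.
SAMPLE_INI = """\
firewall_installed=1
firewall_fail_close=0
firewall_default_state=0
firewall_timeout=10
"""


@dataclass(frozen=True)
class SGateSettings:
    installed: bool               # firewall_installed
    fail_close: bool              # firewall_fail_close
    default_state_attached: bool  # firewall_default_state
    timeout_s: int                # firewall_timeout

    @classmethod
    def from_ini(cls, text: str) -> "SGateSettings":
        cp = configparser.ConfigParser()
        # configparser needs a section header; the name is arbitrary here
        cp.read_string("[stap]\n" + text)
        s = cp["stap"]
        return cls(
            installed=s.getint("firewall_installed", fallback=0) == 1,
            fail_close=s.getint("firewall_fail_close", fallback=0) == 1,
            default_state_attached=s.getint("firewall_default_state", fallback=0) == 1,
            timeout_s=s.getint("firewall_timeout", fallback=0),
        )


def session_starts_attached(settings: SGateSettings) -> bool:
    """With default_state=1 every session is held from the start; with 0 a
    session is held only after an S-GATE ATTACH rule fires for it."""
    return settings.installed and settings.default_state_attached


def resolve_verdict(settings: SGateSettings, attached: bool,
                    appliance_reply, reply_delay_s: float) -> str:
    """What S-TAP does with one request.

    attached:        session is in firewall mode (ATTACH applied or default)
    appliance_reply: "ALLOW", "BLOCK", or None when no answer arrived
    reply_delay_s:   simulated time until the answer arrived
    """
    if not settings.installed or not attached:
        return "PASS"  # open mode: the request is only monitored, never held
    if appliance_reply is not None and reply_delay_s <= settings.timeout_s:
        return "PASS" if appliance_reply == "ALLOW" else "TERMINATE"
    # No verdict within firewall_timeout: firewall_fail_close decides
    return "TERMINATE" if settings.fail_close else "PASS"


def review_settings(settings: SGateSettings) -> list:
    """Flag the combinations the lesson warns about."""
    findings = []
    if settings.installed and not settings.fail_close:
        findings.append(f"fail-open: a held session is released after "
                        f"{settings.timeout_s}s if no verdict arrives")
    if settings.installed and settings.default_state_attached:
        findings.append("firewall_default_state=1: all sessions start held; "
                        "add S-GATE DETACH rules for application servers")
    return findings


if __name__ == "__main__":
    s = SGateSettings.from_ini(SAMPLE_INI)
    print(s)
    print("blocked, in time:", resolve_verdict(s, True, "BLOCK", 1.0))
    print("blocked, timed out:", resolve_verdict(s, True, None, 11.0))
    print("findings:", review_settings(s))
```

The second call is the case to notice: the appliance answered BLOCK, but the answer arrived after firewall_timeout, and with firewall_fail_close=0 the held request is released anyway.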

Lesson 8 Classification policy

Another important type of policy is the classification policy, which operates directly on data rather than on the database network and session traffic. This means that a classification policy involves a datasource that provides connection and access information for the target databases.

Classification policies and processes

• Find and classify sensitive information
• Classification process: Links a classification policy to a datasource
• Classification policy: Defines rules and actions to search for sensitive information

Classification policies and processes define how IBM Guardium discovers and treats sensitive data such as credit card numbers, social security numbers, and personal financial data. Classification processes consist of classification policies that are associated with one or more datasources. Classification processes can run once or be scheduled to run on a periodic basis.

Classification policies consist of classification rules and classification rule actions designed to find and tag sensitive data in specified datasources. Classification rules use regular expressions, the Luhn algorithm (the checksum that valid credit card numbers satisfy, which filters out numeric values that merely look like card numbers), and other criteria to define how content is matched when a classification policy is applied. Classification rule actions specify a set of actions to take for each rule in a classification policy. For example, an action might generate an email alert or add an object to a Guardium group. Each time a rule is satisfied, that event is logged and can be reported on.
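The regular-expression-plus-Luhn matching described above, as an added example that is not Guardium code: it scans constructed sample rows for card numbers, uses the Luhn checksum to discard a 16-digit order number that the pattern alone would flag, and tags a column when enough of its values match. The table and column names, the threshold, and the category label are made up for the demonstration; the card numbers are the usual publicly known test numbers.

```python
"""Classification-rule style scan: regex candidate match plus Luhn check.
Example only, not Guardium code."""
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify_columns(table: str, rows: list, min_hit_ratio: float = 0.5) -> dict:
    """Tag each column whose share of matching sample values reaches the
    threshold, the way a Search for data rule classifies by data format."""
    tagged = {}
    for col in rows[0]:
        values = [str(r[col]) for r in rows]
        hits = sum(1 for v in values if find_card_numbers(v))
        if hits / len(values) >= min_hit_ratio:
            tagged[f"{table}.{col}"] = "PCI:cardholder"   # hypothetical label
    return tagged


# Constructed sample: order_id is 16 digits but fails Luhn; pan holds
# three well-known test card numbers and one placeholder.
SAMPLE_ROWS = [
    {"order_id": "1234567890123456", "note": "gift", "pan": "4111 1111 1111 1111"},
    {"order_id": "1234567890123457", "note": "call 555-0100", "pan": "5500-0000-0000-0004"},
    {"order_id": "1234567890123458", "note": "", "pan": "N/A"},
    {"order_id": "1234567890123459", "note": "", "pan": "3400 0000 0000 009"},
]

if __name__ == "__main__":
    print(classify_columns("ORDERS", SAMPLE_ROWS))
```

Without the Luhn step the order_id column would be tagged as well, since every value in it is a 16-digit string; the checksum is what keeps the rule from classifying every numeric identifier as cardholder data.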

Classification policy definition

(Figure: the policy builder, with a regular expression used to characterize sensitive information.)

Classification policies have a name, category, and classification. They also have a set of one or more rules. Rules can be of the following types:
• Catalog search: Classifies data based on characteristics of the table and column name
• Search for data: Classifies data based on the format of the data, as well as the table and column name
• Search for unstructured data: Classifies data based on the format of the data

You can specify one or more actions to take when a classification policy rule is triggered by a match.

Classification process definition

• Links a classification policy to one or more datasources
• Allows scheduling or run-once capability

Use the classification process builder to create, run, and view classification processes. You must specify the following elements:
• Process description
• Classification policy
• One or more datasources

There are three ways to run a classification process:
• On demand from the classification process builder
• As a task within a compliance workflow automation process
• As part of a discover sensitive data workflow

Exercise introduction

Complete the following exercise in the Course Exercises book:
• Modifying a policy

Perform the exercise for this lesson.

Use the following link to view a demonstration of the exercise:
• Modifying a policy: https://vimeo.com/173670424

Unit summary

• Describe how IBM Guardium logs traffic and the concept of a construct
• Create and install a policy or set of policies to meet business requirements
• Add access rules to a policy
• Use exception and extrusion rules to evaluate data
• Install and manage the Selective Audit Trail policy
• Describe the correct order of execution for policy rules
• Describe how to control a session
• Use policies to classify sensitive data
Unit 8 IBM Guardium: Auditing, vulnerability assessment, and discovery

Guardium includes several tools you can use to perform data security tasks such as auditing, discovering vulnerabilities, and discovering databases. In this unit, you learn how to use the built-in tools in Guardium, including the configuration auditing system (CAS), the Vulnerability Assessment application, and Database Discovery, to manage the systems, applications, and databases that are included in your business environment.

Unit objectives

• List the major components of the Guardium configuration auditing system (CAS)
• Perform a vulnerability assessment
• Describe why Database Discovery is needed
Lesson 1 Using the configuration auditing system (CAS)

The configuration auditing system (CAS) tracks changes to your server environment. In this lesson, you learn how to use the CAS agent, including CAS templates, hosts, reporting, and status.

Configuration auditing system (CAS)

• Defines and runs tests at the operating system level on the database server
• Compares results against predefined and expected values
• Checks the following types of items
  – Database configurations
  – File permissions
  – Directory existence
• Uses a CAS agent running on the database server

Databases can be affected by changes to the server environment. These changes could be to configuration files, environment or registry variables, or other database or operating system components, such as executables or scripts used by the database management system or the operating system. CAS tracks such changes and reports on them. The data is available on the Guardium appliance and can be used for reports and alerts.

CAS agent

• Installed on the database server
• Runs independently from S-TAP
  – Shares configuration information with S-TAP
• Has auditing functions that are configured through the Guardium portal

CAS uses an agent that is installed on the database server and reports to the Guardium appliance when a monitored entity is changed, whether in content, ownership, or permissions. You install the CAS client on the database server system using the same utility that is used to install S-TAP. CAS shares configuration information with S-TAP, although each component runs independently of the other. After the CAS client has been installed on the host, you configure the actual change audit functions from the Guardium portal.

CAS templates

• Define items to monitor
• Can be operating system only or database templates
• Can use existing preconfigured default templates
• Can create custom templates

A CAS template set contains a list of item templates that share a common purpose, such as monitoring a particular type of database (Oracle on Unix, for example), and is one of two types:
1. Operating System Only (Unix or Windows)
2. Database (Unix-Oracle, Windows-Oracle, Unix-DB2, Windows-DB2)

A database template set is always specific to both the database type and the operating system type.

For each operating system and database type supported, Guardium provides a preconfigured, default template set for monitoring a variety of databases on either Unix or Windows platforms. A default template set is the one used as the starting point for any new template set defined for that template-set type. A template-set type is either an operating system alone (Unix or Windows) or a database management system (DB2, Informix, Oracle), which is always qualified by an operating system type, for example UNIX-Oracle or Windows-Oracle. Many of the preconfigured default template sets are used within Guardium Vulnerability Assessments, where, for example, known parameters, file locations, and file permissions can be checked.

You cannot modify a Guardium default template set, but you can clone it and modify the cloned version. Each of the Guardium default template sets defines a set of items to be monitored. Make sure that you understand the function and use of each of the items monitored by that default template set and use the ones that are relevant to your environment. After defining a template set of your own, you can designate that template set as the default template set for that template-set type. After that, any new template sets defined for that operating system and database type will be defined using your new default template set as a starting point. The Guardium default template set for that type is not removed; it remains defined but is no longer marked as the default.

Monitored Item Template Definition

Define details about how one entity should be monitored
• Type of entity
  – File
  – File pattern
  – Environment or registry variable
  – Output of a script
  – List of users
• Entity definition
• How often to monitor
• How to detect changes

A CAS template item is the definition, or set of attributes, of a monitoring task over a single monitored entity. Users can define a new CAS test to construct new CAS templates, or use the predefined templates for each OS and each database type, optionally modifying the template to meet specific database monitoring requirements.

A template item is a specific file or file pattern, an environment or registry variable, the output of an OS or SQL script, or the list of logged-in users. The state of any of these items is reflected by raw data, that is, the contents of a file or the value of a registry variable. CAS detects changes by checking the size of the raw data or computing a checksum of the raw data. For files, CAS can also check for system-level changes such as ownership, access permissions, and path. Because two different contents can have the same size, the checksum is the more reliable change indicator; size alone only catches edits that change the length of the data.

In a federated environment, where all units, both collectors and aggregators, are managed by one manager, all templates are shared by both collectors and aggregators, and CAS data can be used in reporting or vulnerability assessments. Sometimes the host where archived data is restored is not part of the same management cluster. When that happens, the templates are not shared, and therefore CAS data cannot be used by vulnerability assessments even when the data is present. To remedy this situation, use export/import of definitions to copy the templates to the restore target.

A monitored entity is the actual entity being monitored. It can be defined in any of these ways:
• A file or file pattern
• The value of an environment variable or Windows registry entry
• The output of an OS command or script, or of an SQL statement
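A baseline-and-compare pass over the kinds of items listed above, as an added example that is not the CAS agent: it snapshots a file's checksum, size, owner and permission bits, an environment variable, and a script's output, then reports which attributes changed. It works in a temporary directory with constructed content; the file and variable names are made up, and the "script" is the Python interpreter itself so the example runs anywhere. The edit it makes keeps the file the same length, which is why the checksum matters.

```python
"""Baseline-and-compare over monitored items, in the spirit of a CAS
template item. Example only, not the CAS agent."""
import hashlib
import os
import stat
import subprocess
import sys
import tempfile


def snapshot_file(path: str) -> dict:
    """Content checksum and size plus the system-level attributes CAS
    also watches: owner and permission bits."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def snapshot_env(name: str) -> dict:
    return {"value": os.environ.get(name)}


def snapshot_script(argv: list) -> dict:
    """Checksum of a script's output (the item kind 'output of a script')."""
    out = subprocess.run(argv, capture_output=True, text=True, check=False)
    return {"sha256": hashlib.sha256(out.stdout.encode()).hexdigest()}


def take_snapshot(items: dict) -> dict:
    """items maps a name to (kind, target); returns name -> attributes."""
    handlers = {"file": snapshot_file, "env": snapshot_env, "script": snapshot_script}
    return {name: handlers[kind](target) for name, (kind, target) in items.items()}


def diff_snapshots(baseline: dict, current: dict) -> list:
    """(item, attribute, old, new) for every attribute that differs."""
    changes = []
    for name, attrs in baseline.items():
        for key, old in attrs.items():
            new = current.get(name, {}).get(key)
            if new != old:
                changes.append((name, key, old, new))
    return changes


def demo() -> list:
    """Baseline a constructed config file, then change its content and mode
    and the environment variable; the size stays the same on purpose."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "listener.ora")          # hypothetical file name
        with open(cfg, "w") as f:
            f.write("PORT=1521\n")
        os.chmod(cfg, 0o640)
        os.environ["DEMO_DB_HOME"] = "/u01/app/db"    # hypothetical variable
        items = {
            "listener.ora": ("file", cfg),
            "DEMO_DB_HOME": ("env", "DEMO_DB_HOME"),
            "version-script": ("script", [sys.executable, "-c", "print('v1')"]),
        }
        baseline = take_snapshot(items)

        with open(cfg, "w") as f:
            f.write("PORT=1522\n")                      # same length, new content
        os.chmod(cfg, 0o666)                            # now world-writable
        os.environ["DEMO_DB_HOME"] = "/tmp/db"
        return diff_snapshots(baseline, take_snapshot(items))


if __name__ == "__main__":
    for name, key, old, new in demo():
        print(f"{name}: {key} changed {old!r} -> {new!r}")
```

Three attributes change (the file's checksum and mode, and the variable's value); size, owner, and the script output do not, so a size-only rule would have missed the edited port.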


CAS hosts and instances

• Define what should be monitored where
• Link a specific host with a set of one or more templates

After you have defined one or more CAS template sets and have installed CAS on a database server, you are ready to configure CAS on that host. A CAS host configuration defines one or more CAS instances.

Each CAS instance specifies a CAS template set and a datasource. A datasource defines any parameters needed to connect to the database. For each database server where CAS is installed, there is a single CAS host configuration, which typically contains multiple CAS instances. As an example, there might be one CAS instance to monitor operating system items and additional CAS instances to monitor individual database instances.

CAS reporting and status

• Default reports
• Use the report building tools (query builders) to create custom reports

The admin user has access to all query builders and default reports. The admin role allows access to the default CAS reports, but not to the CAS query builders. The CAS role allows access to both the default CAS reports and the query builders.

You can find the CAS status window at Harden > Reports > CAS Status.

For each database server where CAS is installed and running, and where this Guardium appliance is configured as the active Guardium host, this panel displays the CAS status. The panel also displays the status of each CAS instance configured for that database server.

Exercise introduction

Complete the following exercise in the Course Exercises book:
• Configuring CAS

Perform the exercise for this lesson.
Lesson 2 Performing vulnerability assessment

You can use the Guardium Vulnerability Assessment application to evaluate the health of your database environment. In this lesson, you learn how to use the Security Assessment Builder to create configurations that determine what to test and which datasources are used to perform the tests. You also learn how vulnerability assessment tests are integrated with CAS.

Vulnerability Assessments

• Testing process
  – Runs a series of tests
  – Gives you a rating of the percentage of tests that were passed
• Essential security testing methods
  – Agent-based
  – Passive
  – Scanning

The Guardium Vulnerability Assessment application enables organizations to identify and address database vulnerabilities in a consistent and automated fashion. The assessment process in Guardium evaluates the health of your database environment and recommends improvements using these methods:
• Assessing system configuration against best practices and finding vulnerabilities or potential threats to database resources, including configuration and behavioral risks. Some examples include identifying all default accounts that have not been disabled, and checking public privileges and the authentication methods chosen.
• Finding any inherent vulnerabilities present in the IT environment, such as missing security patches.
• Recommending and prioritizing an action plan based on the discovered areas of most critical risk and vulnerability.
• Generating reports and recommendations that provide guidelines on:
  – How to meet compliance changes
  – How to improve the security of the database environment

The Guardium vulnerability assessment combines three essential testing methods to provide depth and breadth of coverage. It uses multiple sources of information to compile a full picture of the security health of the database and data environment.
1. Agent-based: Uses software installed on each endpoint, such as a database server. The agent can determine aspects of the endpoint that cannot be determined remotely, such as an administrator's access to sensitive data directly from the database console.
2. Passive detection: Discovers vulnerabilities by observing network traffic.
3. Scanning: Interrogates an endpoint over the network through credentialed access. The credentials are defined by a Guardium resource called a datasource.
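An added example, not the Guardium application, of the scoring and prioritization described above: a small data-driven assessment in which each test carries a category and a severity, runs against a constructed snapshot of one target (configuration facts of the kind a credentialed scan returns, plus a few observed logins for the behavioral checks), and yields the percentage of tests passed together with an action plan ordered by severity. The account names, grants, patch strings, timestamps, and the severity scale are made up for the demonstration.

```python
"""Data-driven assessment runner with a pass-percentage score and a
severity-ordered action plan. Example only, not the Guardium application."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

SEVERITY_RANK = {"Critical": 0, "Major": 1, "Minor": 2, "Caution": 3}


@dataclass(frozen=True)
class AssessmentTest:
    name: str
    category: str                      # "Configuration" or "Behavioral"
    severity: str
    check: Callable[[dict], bool]      # True when the target passes
    recommendation: str


# Constructed snapshot of one target database
SNAPSHOT = {
    "accounts": [   # as a credentialed scan would report them
        {"name": "SYS", "default": True, "locked": False},
        {"name": "SCOTT", "default": True, "locked": False},
        {"name": "APP_RO", "default": False, "locked": False},
    ],
    "public_grants": ["EXECUTE ON UTL_FILE"],
    "patch_level": "12.1.0.2.160719",
    "required_patch_level": "12.1.0.2.160719",
    "logins": [     # (user, timestamp, succeeded) from observed traffic
        ("APP_RO", "2016-10-03T09:10:00", True),
        ("SCOTT", "2016-10-03T02:14:00", False),
        ("SCOTT", "2016-10-03T02:14:20", False),
        ("SCOTT", "2016-10-03T02:14:40", False),
        ("SCOTT", "2016-10-03T02:15:00", True),
    ],
}


def patch_tuple(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))


def failed_logins_in_window(logins, threshold=3, window_s=300) -> bool:
    """True if any user accumulates `threshold` failures within `window_s`."""
    by_user = {}
    for user, ts, ok in logins:
        if not ok:
            by_user.setdefault(user, []).append(datetime.fromisoformat(ts))
    for times in by_user.values():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                return True
    return False


def after_hours_login(logins, start_h=22, end_h=6) -> bool:
    """True if any successful login falls between start_h and end_h."""
    for _, ts, ok in logins:
        h = datetime.fromisoformat(ts).hour
        if ok and (h >= start_h or h < end_h):
            return True
    return False


TESTS = [
    AssessmentTest("Default accounts not disabled", "Configuration", "Major",
                   lambda s: not any(a["default"] and not a["locked"]
                                     and a["name"] not in ("SYS", "SYSTEM")
                                     for a in s["accounts"]),
                   "Lock or drop unused default accounts"),
    AssessmentTest("PUBLIC has no extra privileges", "Configuration", "Critical",
                   lambda s: not s["public_grants"],
                   "Revoke grants made to PUBLIC"),
    AssessmentTest("Security patch level current", "Configuration", "Critical",
                   lambda s: patch_tuple(s["patch_level"]) >= patch_tuple(s["required_patch_level"]),
                   "Apply the missing patch set"),
    AssessmentTest("No excessive login failures", "Behavioral", "Minor",
                   lambda s: not failed_logins_in_window(s["logins"]),
                   "Investigate the source of repeated failures"),
    AssessmentTest("No after-hours logins", "Behavioral", "Caution",
                   lambda s: not after_hours_login(s["logins"]),
                   "Review after-hours access"),
]


def run_assessment(tests, snapshot) -> dict:
    """Score = percentage of tests passed; plan = failures by severity."""
    results = [(t, bool(t.check(snapshot))) for t in tests]
    passed = sum(ok for _, ok in results)
    failed = sorted((t for t, ok in results if not ok),
                    key=lambda t: (SEVERITY_RANK[t.severity], t.name))
    return {"score": round(100 * passed / len(results)),
            "passed": passed, "total": len(results),
            "action_plan": [(t.severity, t.name, t.recommendation) for t in failed]}


if __name__ == "__main__":
    r = run_assessment(TESTS, SNAPSHOT)
    print(f"{r['passed']}/{r['total']} passed ({r['score']}%)")
    for sev, name, rec in r["action_plan"]:
        print(f"  [{sev}] {name}: {rec}")
```

On this snapshot only the patch-level test passes (1 of 5, 20%), and the plan lists the Critical PUBLIC grant first, ahead of the unlocked default account and the two behavioral findings, which is the ordering a reviewer wants when deciding what to fix first.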


Security Assessment Builder

• Links datasources to a set of tests
• Creates a configuration that can be run to determine security issues
• Uses an iterative process

The Security Assessment Builder is used to create configurations that determine what is to be tested and which datasources should be used to perform the tests.

The Guardium Vulnerability Assessment application requires access to the databases it evaluates. For this purpose, Guardium provides a set of SQL scripts (one script for each database type) that create the users and roles in the database to be used by Guardium. Because the assessment connects with these credentials, protect the datasource definition that stores them as you would any other database account.

Vulnerability assessment tests


• Predefined tests
ƒ Behavioral tests
Failed logins, after-hours logins, administrative commands
ƒ Configuration tests

e
Privileges, authentication, database and system level parameters, patch and versions

ut
• Query based
Missing patches, weak passwords, misconfigured privileges, and so on

ib
• CAS based
Configuration database- and system-level parameters

tr
• CVE tests
• APAR tests

is
• Rated by Severity

D
IBM Guardium: Auditing, vulnerability assessment, and discovery

Vulnerability assessment tests


or © Copyright IBM Corporation 2016
e
The Vulnerability Assessment tool uses several types of tests to evaluate the security of your
database.

• Predefined Assessment Tests: Predefined tests illustrate common vulnerability issues that
  might be encountered in database environments. Because of the highly variable nature of
  database applications and the differences in what is deemed acceptable in various companies
  or situations, some of these tests might be suitable for certain databases but totally
  inappropriate for others, even within the same company. Most of the predefined tests can be
  customized to meet the requirements of your organization. Additionally, to keep your
  assessments current with industry best practices and protect against newly discovered
  vulnerabilities, Guardium distributes new assessment tests and updates on a quarterly basis as
  part of its Database Protection Subscription Service. The following predefined tests are
  included:
  – Behavioral Tests: This set of tests assesses the security health of the database environment
    by observing database traffic in real time and discovering vulnerabilities in the way
    information is being accessed and manipulated. The behavioral vulnerability tests include
    these examples:
    · Default users access
    · Access rule violations
    · Execution of Admin, DDL, and DBCC commands directly from the database clients
    · Excessive login failures
    · Excessive SQL errors

    · After hours logins
    · Excessive administrator logins
    · Checks for calls to extended stored procedures
    · Checks that user IDs are not accessed from multiple IP addresses
  – Configuration Vulnerability Tests: This set of assessments checks the security-related
    configuration settings of target databases, looking for common mistakes or flaws in
    configuration that create vulnerabilities. The current categories for configuration
    vulnerabilities, with some high-level tests, are shown in the following list:
    · Privilege - Object creation / usage rights, Privilege grants to DBA and individual users,
      System level rights
    · Authentication - User account usage, Remote login usage, Password regulations
    · Configuration - Database-specific and system-level parameter settings
    · Version - Database versions, Database patch levels
    · Object - Installed sample databases, Recommended database layouts, Database
      ownership
• Query Based Tests: Query-based tests are user-defined tests that can be quickly and easily
  created by defining or modifying an SQL query, which is run against a database datasource
  and its results compared to a predefined test value. This allows the user to define custom
  tests to check items such as database internals, structures, parameters, or application data.
• CAS-based tests: These tests work with data returned by the CAS agent. CAS-based tests are
  listed in italics in the security assessment test selection window. These tests are discussed in
  more detail in an upcoming slide.
• CVE Tests: Guardium constantly monitors the common vulnerabilities and exposures (CVE)
  list from the MITRE Corporation and adds tests for the relevant database-related
  vulnerabilities.
• APAR Tests: An Authorized Program Analysis Report, or APAR, is a formal report from IBM
  development to customers that have notified IBM of a problem or suspected defect. Guardium
  can test against these APARs and adds tests for the relevant database-related
  vulnerabilities.

When the tests have completed, Guardium presents an overall report card along with details about
each result, including recommendations for resolving any issues.
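As an added illustration of the query-based tests and the report card described above (example code, not Guardium's own), each test pairs an SQL query with a comparison, an expected value and a severity, the tests run against a datasource, and failures are rolled up by severity with their recommendations. The datasource is an in-memory SQLite database with constructed tables (db_users, db_privileges, db_parameters); those tables, the test names and the severities are assumptions for the example.

```python
"""Added example (not Guardium code): a minimal query-based assessment runner.

Each test pairs an SQL query that returns one number with a comparison, an
expected value and a severity, as Guardium's query-based tests do, and the
results are rolled up into a report card.  The datasource is an in-memory
SQLite database with constructed tables; real tests target the monitored DBMS.
"""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List

# Comparisons a test may apply to the single value its query returns.
OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    "=": lambda observed, expected: observed == expected,
    "<=": lambda observed, expected: observed <= expected,
    ">=": lambda observed, expected: observed >= expected,
}


@dataclass(frozen=True)
class QueryTest:
    name: str
    sql: str             # must return exactly one numeric column
    operator: str        # key into OPERATORS
    expected: int
    severity: str        # Critical / Major / Minor
    recommendation: str  # reported with a failed result


@dataclass(frozen=True)
class TestResult:
    test: QueryTest
    observed: int
    passed: bool


# Constructed datasource: a toy catalogue standing in for a real database's
# account, privilege and parameter views.
SAMPLE_SCHEMA = """
CREATE TABLE db_users (name TEXT, password_hash TEXT, is_dba INTEGER);
CREATE TABLE db_privileges (grantee TEXT, privilege TEXT, object_name TEXT);
CREATE TABLE db_parameters (name TEXT, value TEXT);
INSERT INTO db_users VALUES ('sa', '', 1), ('app', 'h1', 0), ('guest', '', 0), ('dba2', 'h2', 1);
INSERT INTO db_privileges VALUES ('PUBLIC', 'SELECT', 'employees'),
                                 ('app', 'SELECT', 'orders'),
                                 ('PUBLIC', 'UPDATE', 'payroll');
INSERT INTO db_parameters VALUES ('remote_login', 'on'), ('audit_trail', 'db');
"""

# Constructed tests in the shape of query-based assessment tests.
SAMPLE_TESTS: List[QueryTest] = [
    QueryTest("Accounts with blank passwords",
              "SELECT COUNT(*) FROM db_users WHERE password_hash = ''",
              "=", 0, "Critical", "Set a password for every account"),
    QueryTest("Object privileges granted to PUBLIC",
              "SELECT COUNT(*) FROM db_privileges WHERE grantee = 'PUBLIC'",
              "=", 0, "Major", "Revoke PUBLIC grants and grant to roles instead"),
    QueryTest("Number of DBA accounts",
              "SELECT COUNT(*) FROM db_users WHERE is_dba = 1",
              "<=", 2, "Minor", "Keep administrative accounts to a minimum"),
    QueryTest("Remote login disabled",
              "SELECT COUNT(*) FROM db_parameters WHERE name = 'remote_login' AND value = 'on'",
              "=", 0, "Major", "Disable remote login unless required"),
    QueryTest("Audit trail enabled",
              "SELECT COUNT(*) FROM db_parameters WHERE name = 'audit_trail' AND value <> 'none'",
              ">=", 1, "Major", "Enable the database audit trail"),
]


def build_sample_datasource() -> sqlite3.Connection:
    """Create the constructed in-memory database the sample tests run against."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def run_tests(conn: sqlite3.Connection, tests: List[QueryTest]) -> List[TestResult]:
    """Run each test's query against the datasource and compare with its expected value."""
    results = []
    for test in tests:
        row = conn.execute(test.sql).fetchone()
        observed = int(row[0]) if row and row[0] is not None else 0
        passed = OPERATORS[test.operator](observed, test.expected)
        results.append(TestResult(test, observed, passed))
    return results


def report_card(results: List[TestResult]) -> Dict[str, object]:
    """Summarise results as a report card: pass/fail totals, failures by
    severity, and the recommendation attached to each failed test."""
    failed = [r for r in results if not r.passed]
    by_severity: Dict[str, int] = {}
    for r in failed:
        by_severity[r.test.severity] = by_severity.get(r.test.severity, 0) + 1
    return {
        "passed": len(results) - len(failed),
        "failed": len(failed),
        "failed_by_severity": by_severity,
        "recommendations": [f"{r.test.name}: {r.test.recommendation} (observed {r.observed})"
                            for r in failed],
    }


def assess() -> Dict[str, object]:
    """Run the sample tests against the constructed datasource and return the card."""
    conn = build_sample_datasource()
    try:
        return report_card(run_tests(conn, SAMPLE_TESTS))
    finally:
        conn.close()
```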

Vulnerability Assessment integration with CAS

• Preconfigured and user-defined CAS templates play an important role in the identification of
  vulnerabilities and threats
• With CAS, Guardium can identify vulnerabilities to the database at the OS level, such as file
  permissions, ownership, and environment variables
• These tests can be seen through the CAS Template Set Definition panel and have the word
  Assessment in their name
A CAS-based test is either a predefined or user-defined test that is based on a CAS template item
of type OS Script command. These tests use CAS-collected data.

Users can specify the template item and test against the content of the CAS results.

Guardium also comes preconfigured with some CAS template items of type OS Script that can be
used for creating a CAS-based test. These tests can be seen through the CAS Template Set
Definition panel. Additionally, any template that is added that involves file permissions will also be
used for permission and ownership checking.

Whether using a Guardium preconfigured test or defining your own, once defined, these tests will
appear for selection during the creation or modification of CAS-based tests.

Exercise introduction
Complete the following exercise in the Course Exercises book
• Running a Vulnerability Assessment

Perform the exercise for this lesson.
Lesson 3 Using database discovery

You can use scan jobs and probe jobs to automatically discover and report on the databases in
your environment. In this lesson, you learn about configuring the Auto-discovery Process Builder to
scan for databases.
Database discovery
• The Guardium autodiscovery application can be configured to probe the network, searching for and
  reporting on all databases discovered
• After an autodiscovery process is defined, it can be run on demand or scheduled to be run on a
  periodic basis
• Two job types can be scheduled for each process

Scan jobs
• Scans each specified host or hosts in a specified subnet
• Compiles a list of open ports from the list of ports specified for that host
Note: A scan job must be run before running the second type of job

Probe jobs
• Uses the list of open ports compiled during the latest completed scan only
• Determines if database services are running on those ports
• View job results on the predefined Databases Discovered report
Sometimes a new database is introduced into a production environment outside the normal control
mechanisms. For example, the new database might be part of an application package from a
software vendor. In older installations, some databases might have been left unmonitored and
“forgotten,” because the data was not seen as a risk when the database was implemented. Another
example is that a rogue DBA might create a new instance of the database to avoid being
monitored.

The two jobs can be scheduled individually, or the autodiscovery process can be defined to run the
probe job as soon as the scan job completes. Because the processes of scanning and probing
ports can take time, the progress of an autodiscovery process can be displayed at any time by
clicking the Progress/Summary button.

After the jobs have been completed, the results can be viewed using predefined reports.
Database discovery configuration

Due to the complexity of some environments and other factors, such as mergers and acquisitions,
some companies do not have a full inventory of their database servers and do not understand
where all of their sensitive data resides. Database Discovery probes a network to identify servers
running database services. Data Classification scans databases to find and classify any objects or
fields containing sensitive data.

With the auto-discovery process builder, you specify which hosts and ports to scan. Scanning is a
two-step process. In the first step, Guardium scans the specified port range on the hosts. The
second step probes the ports discovered in the first step to determine if database services are
running on those ports.

The scan can be run once or scheduled. You can monitor the process. After the process has
completed, the Databases Discovered report will list the results.
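The two-step process described here and on the Database discovery slide, as an added model (not Guardium code): the scan job compiles open ports per host from the configured port list, and the probe job, which can only run after a completed scan and always uses the latest completed scan, checks those ports for database services and yields the rows of a Databases Discovered report. Network access is replaced by the constructed lookup tables FAKE_OPEN_PORTS and FAKE_DB_SERVICES so the example runs offline; those tables, the hosts and the service names are assumptions.

```python
"""Added example (not Guardium code): the scan-then-probe structure of an
autodiscovery process.  Network access is replaced by constructed lookup
tables so the example runs offline."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed network: ports that accept a connection on each host.
FAKE_OPEN_PORTS: Dict[str, set] = {
    "10.0.1.20": {22, 1521, 3306},
    "10.0.1.21": {22, 80},
    "10.0.1.22": {1433, 5432},
}
# Constructed probe answers: database service listening on (host, port), if any.
FAKE_DB_SERVICES: Dict[Tuple[str, int], str] = {
    ("10.0.1.20", 1521): "Oracle",
    ("10.0.1.20", 3306): "MySQL",
    ("10.0.1.22", 1433): "MS SQL Server",
    ("10.0.1.22", 5432): "PostgreSQL",
}


def fake_is_open(host: str, port: int) -> bool:
    """Stand-in for a connection attempt during the scan job."""
    return port in FAKE_OPEN_PORTS.get(host, set())


def fake_identify(host: str, port: int) -> Optional[str]:
    """Stand-in for the protocol probe that names the database service."""
    return FAKE_DB_SERVICES.get((host, port))


@dataclass
class ScanResult:
    sequence: int
    open_ports: Dict[str, List[int]]   # host -> open ports found
    completed: bool = False


@dataclass
class AutodiscoveryProcess:
    hosts: List[str]
    ports: List[int]                   # the port list specified for the process
    is_open: Callable[[str, int], bool] = fake_is_open
    identify: Callable[[str, int], Optional[str]] = fake_identify
    scans: List[ScanResult] = field(default_factory=list)

    def run_scan_job(self) -> ScanResult:
        """Scan job: for each host, compile the open ports from the configured port list."""
        scan = ScanResult(sequence=len(self.scans) + 1, open_ports={})
        self.scans.append(scan)   # recorded first, so an interrupted scan stays incomplete
        for host in self.hosts:
            found = [p for p in self.ports if self.is_open(host, p)]
            if found:
                scan.open_ports[host] = found
        scan.completed = True
        return scan

    def latest_completed_scan(self) -> Optional[ScanResult]:
        """Only the most recent *completed* scan feeds the probe job."""
        for scan in reversed(self.scans):
            if scan.completed:
                return scan
        return None

    def run_probe_job(self) -> List[Tuple[str, int, str]]:
        """Probe job: test every open port of the latest completed scan for a
        database service.  Returns Databases Discovered rows as (host, port, service)."""
        scan = self.latest_completed_scan()
        if scan is None:
            raise RuntimeError("a scan job must complete before a probe job can run")
        discovered = []
        for host, ports in scan.open_ports.items():
            for port in ports:
                service = self.identify(host, port)
                if service is not None:
                    discovered.append((host, port, service))
        return sorted(discovered)

    def run_scan_then_probe(self) -> List[Tuple[str, int, str]]:
        """The 'run the probe job as soon as the scan job completes' option."""
        self.run_scan_job()
        return self.run_probe_job()
```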


Unit summary
• List the major components of the Guardium configuration auditing system (CAS)
• Perform a vulnerability assessment
• Describe why Database Discovery is needed

Unit 9 IBM Guardium: Custom queries and reports

The ability to generate reports that reflect the data collected in Guardium is necessary to examine
trends and gather data for management. Guardium receives and processes a great deal of data.
Policies specify which data the collector receives from endpoints. Queries specify which data is
displayed. Reports specify how and where the data is displayed. In this unit, you learn how to
create these queries and reports.

Reference: POSIX 1003.2 specification: http://www.unix.org/version3/ieee_std.html


Unit objectives
• Use domains, entities, and attributes to create queries
• Create, display, and share reports

Query and reporting overview

Effective data security requires monitoring data and file activity. IBM Guardium gathers a large
amount of data about an environment. Reports are an important tool for understanding your data
security environment.

IBM Guardium provides sophisticated reporting tools that include these examples:
• Over six hundred predefined reports
• Query and report building tools to create and customize reports to meet unique company
  requirements
• Abilities to display, share, and configure reports


Predefined reports
• 600 predefined Guardium reports are available
• Clone and customize predefined reports to meet your business requirements

Over 600 predefined reports are already available from the Guardium application. These
predefined reports can be cloned and customized to the needs of the user.

Using the Guardium predefined reports is a best practice recommendation, enabling organizations
to quickly and easily identify security risks, such as inappropriately exposed objects, users with
excessive rights, and unauthorized administrative actions. The following list shows some examples
of the many predefined reports:

• Accounts with system privileges
• All system and administrator privileges, which are shown by user and role
• Object privileges by user
• All objects with PUBLIC access


Query Builder
• Before creating a report, build a query that retrieves the report data from the Guardium database
• Query Builder defines fields to display in a report and any conditions used to select the data
Before you create a report, you must build the query that retrieves the data to be displayed by the
report. The data is retrieved from the Guardium database. The query defines the fields that will be
displayed in the report and the conditions that will be used to select the data.

As an example, you might want to have a report that lists sessions by trusted users. You would
want to display the name of the user in the fields, as well as the IP addresses of the client and
server. You are also interested in setting up the criteria for selecting which records are displayed.
Specifically, you want the query to retrieve only the records for trusted users.

Your first decision when building a query is to determine which domain to use.
Domain
A domain is a view of the data
• Standard domains, for example
  – Access (all monitored SQL requests)
  – Exceptions (from database servers or appliance components)
  – Alerts and policy violations
• Administrator domains, for example
  – Aggregation/archive (examples are archive, backup, restore)
  – Logins and activity
• Optional product domains, for example
  – Classifier results
  – CAS changes (database server configuration file changes, for example)
A domain provides a view of the stored data and has the following characteristics:

• Each domain contains a set of data related to a specific purpose or function, including the
  following examples:
  – Data access
  – Exceptions
  – Policy violations
• Each domain contains one or more entities. An entity is a set of related attributes. An attribute
  specifies which fields will be included in the report, and also sets conditions for which data will
  be returned.
• A query returns data from one domain only. When the query is defined, one entity within that
  domain is designated as the main entity of the query. Each row of data returned by a query
  contains a count of occurrences of the main entity matching the values returned for the selected
  attributes, for the requested time period. This allows for the creation of two-dimensional reports
  from entities that do not have a one-to-one relationship.
Query Builder: New query

• Select a Domain
• Click New
• Use Search to locate an existing query

New and Search icons
After selecting a domain, the Query Builder for that domain opens. This example shows the
Access domain. To create a new query, press the New icon.

Alternatively, choose to search for an existing query by using the Search icon. An existing custom
query can be modified directly or cloned and saved as a new query. Existing built-in queries cannot
be modified directly. To change a built-in query, you must clone it.
Choosing the query name and main entity

To create a query, type a Query Name and select the Main Entity

Note: Use a naming convention to differentiate custom queries from the built-in Guardium queries
Follow these steps to create a new query:

1. Enter a query name.
2. Choose a main entity, which will be explained in the next few pages.

Note: You should use a naming convention to differentiate your custom queries from the built-in
queries. Conventionally, you do this by prefixing the name with a dash (-). Using this type of
prefix also causes the query to appear at the top of the list.
Entity overview
• Domains contain one or more entities
• Entity: Set of related attributes
• Attribute: Field value

Figure labels: SQL entity attributes; Command entity attributes; Session entity attributes;
Client/Server entity attributes
Each domain contains one or more entities. An entity is a set of related attributes. An attribute is
basically a field value.

Below are the entities within the Access domain. The Access domain is where all SQL requests
are logged.

Access entity | Definition
Client/Server | Client and database server connection info (for example, IPs and operating systems)
Session | Database name, session start and end times
Server IP/Server Port | Describes a server IP-server port entity
Access Period | When the event took place
App User Name | Displays the user name from the App Event or Construct Instance
Full SQL Values | Values logged separately for faster search
Full SQL | The full SQL string (with values)
Application Events | Events from the Guardium API
SQL | The SQL request (no values)
Changed Data Value | Used with the IBM InfoSphere Change Data Capture (InfoSphere CDC) replication solution
Command | SQL command
Object/Command | Command detected in object
Object | SQL object
Join | Used to join tables in a SELECT SQL statement
Field SQL Value | Field value logged separately for faster search
Object/Field | Field detected in object
Field | Field
Qualified Object | The fields Server IP, Service name, DB name, DB user, and Object are combined

Logging and parsing

Figure labels: Network connections; Sessions; SQL commands; SQL command components
This slide visualizes the entity structure. Data is parsed by the collector. The parsed data is
associated with various entities. This influences how the query for the report should be structured
and which attributes should be selected.
Entity hierarchy

Level | Entity | Description
1 | Client/Server, Session | Each client/server connection has one or more sessions; each session has one or more requests
2 | Application Events | Each request has some combination of this entity
3 | Full SQL Values, Full SQL, SQL, Access Period | Each request has some combination of these entities
4 | Command | Each request can contain commands
5 | Object | Each command can contain objects
6 | Object-Command, Field, Field SQL Value, Object-Field | Each object can contain these entities
The data within the Guardium database is logged in a hierarchical manner. Entities higher in the
entity structure can contain multiple instances of entities lower in the hierarchy. These examples
describe an entity structure:

• One Client/Server connection can contain multiple sessions.
• One SQL request (complete SQL statement) can contain many commands.
• One command can reference multiple objects.
• A single object contains multiple fields.

This is important because when creating a query, you must choose one entity as the main entity,
and what you choose as the main entity affects how the data is presented.
The main entity

• Selected at time of query creation
• Determines these aspects of the report
  – The level of detail
  – The total count
  – The time fields against which the Period From and Period To run-time parameters are compared
The main entity controls the level of detail that is available for the query. It is chosen when the query
is first created, and it cannot be changed. Basically, each row of data returned by the query
represents a unique instance of the main entity, and a count of occurrences for that instance.

The main entity determines the following aspects of the report:

• The level of detail. The report includes one row of data for each occurrence of the main entity.
  The location of the main entity within the hierarchy of entities is important in terms of what
  values can be displayed. The attributes for any entities below the main entity can be counted,
  but not displayed, because there might be many occurrences for each row.
• The total count, which is added as the last column of the report and is a count of instances of
  the main entity included on that row of the report.
• The time fields against which the Period From and Period To run-time parameters are
  compared to select the rows of the report. When defining a query in the query builder, the
  system uses the main entity among other parameters to determine which time fields are to be
  used when defining the Period From and Period To of the report or alert using this query.
  When applicable, the Period Start/Period End from the Access Period entity is usually used,
  but in other cases it will choose period values according to the main entity.
New query steps summary

Figure: Query Builder screen with callouts 1, 3, 4, and 5 marking the steps
This is a summary of the steps you have taken so far to create a new query:

1. Go to Reports > Report Configuration Tools > Query Builder.
2. Select a domain.
3. Click the New icon to create a new report.
4. Enter a name and choose a main entity.
5. Click Next.
Query Builder: Customizing a query

• Use the Entity List to add fields and conditions to the query
• Query fields are included in the report
• Query conditions define what data is selected
Query Builder has three sections:

1. Entity List allows you to select attributes to add to the query, either as fields in the report or
   query conditions.
2. Query Fields are the fields that will appear in the report. This section defines these elements:
   – The order in which the attributes appear
   – How the results are sorted
   – Whether to display each instance of identical results, or just display the result once, with a
     count of how many instances occurred
3. Query Conditions define which data is to be selected. This section uses entities, linked by AND
   or OR, to define the WHERE clause of the query. Parentheses and HAVING provide options for
   building more complex statements.
Adding fields and conditions to a query

To add a field or condition to a query
• Click the item in the Entity List and select Add Field or Add Condition
• Drag the field to Query Fields or Query Conditions and drop it
There are two ways to add a field to the query fields section:

1. Pop-up menu method:
   a. Click the field to be added.
   b. From the pop-up menu, select Add Field.
2. Drag-and-drop method:
   a. Click the field.
   b. Drag the field to the query fields list and release it.

Regardless of the method used, the field is added to the end of the list.

You can move a field in the query fields pane:
1. Mark the check box in the left-most column for the field.
2. Use the arrow icons to move the field to the desired location.

You can remove a field from the query fields pane:
1. Mark the check box in the left-most column for the field.
2. Click the Remove icon to remove the field.
Changing query fields

The following options modify query field settings
• Field Mode: What to print for the field: options include Value, Count, Max, Average (AVG), or Sum
• Order-by: By default, query data is sorted in ascending order by attribute value, with the sort keys
  ordered as the attributes appear in the query
• Sort Rank: When the Order-by option is selected, enter a number to indicate the rank by which the
  field will be sorted relative to the other sorted fields
The following list shows some of the other Query Field options:

• Field Mode: Indicates what to print for the field, such as its value, or the count (count is a count
  of distinct values), Min, Max, Average (AVG) or Sum for the row. The value option is not
  available for attributes from entities lower than the main entity in the entity hierarchy for the
  domain. This is one reason you must choose the main entity wisely.
• Order-by: Select the corresponding check box to sort by a specific field. By default, query data
  is sorted in ascending order by attribute value, with the sort keys ordered as the attributes
  appear in the query. If aliases are being used, they are ignored for sorting purposes; the actual
  data values are always used for sorting. Some attributes have values that are computed by the
  query, such as count, minimum, maximum, and average. These attributes cannot be sorted.
• Sort Rank: When the order-by box is selected, enter a number here to indicate the rank by
  which the field will be sorted, relative to the other sorted fields.
• Descend: Optional. Controls whether the field sorts in ascending or descending order.
• Add Count: Adds a count of distinct instances as the last column of the report.
• Add Distinct: Adds or drops the ability to display one-row-per-value in the report.
• Sort by count: Causes the report to sort by the count field.
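As an added model (not Guardium code) of the rules from "The main entity" and the Field Mode option above: a constructed Access-domain log is flattened to object-level rows, and run_query() returns one row per distinct combination of the Value fields, a trailing Count of distinct main-entity instances, and Count/Min/Max for lower-level attributes, refusing to display a Value from an entity below the main entity. The entity levels, attribute names and the SAMPLE_LOG traffic are assumptions for the example.

```python
"""Added example (not Guardium code): how the main entity and field mode shape
a query's rows.  A constructed Access-domain log is flattened to one row per
object occurrence; run_query() then returns one row per distinct combination of
the Value fields, with the trailing Count column counting distinct instances of
the chosen main entity.  Attributes below the main entity may only be counted
or aggregated, never shown as values."""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Position of each entity in the Access domain hierarchy (1 = highest).
ENTITY_LEVEL = {"Client/Server": 1, "Session": 2, "SQL": 3, "Command": 4, "Object": 5}

# The entity that owns each attribute (assumed names for the example).
ATTRIBUTE_ENTITY = {
    "Client IP": "Client/Server",
    "Server IP": "Client/Server",
    "DB User Name": "Session",
    "SQL": "SQL",
    "Command": "Command",
    "Object Name": "Object",
}

# Constructed sample traffic, not real captured data:
# (client ip, server ip, db user, session id, full SQL, [(command, [objects])])
SAMPLE_LOG = [
    ("10.0.0.5", "10.0.1.20", "appuser", "S1",
     "SELECT name FROM employees WHERE id = 1", [("SELECT", ["employees"])]),
    ("10.0.0.5", "10.0.1.20", "appuser", "S1",
     "UPDATE payroll SET amount = 1 WHERE id = 2", [("UPDATE", ["payroll"])]),
    ("10.0.0.5", "10.0.1.20", "appuser", "S2",
     "SELECT * FROM employees e JOIN payroll p ON e.id = p.id",
     [("SELECT", ["employees", "payroll"])]),
    ("10.0.0.9", "10.0.1.20", "dba", "S3",
     "DROP TABLE audit_log", [("DROP TABLE", ["audit_log"])]),
]


def flatten(log) -> List[dict]:
    """Expand the hierarchical log into object-level rows, keeping the instance
    id of every entity level so that any of them can serve as the main entity."""
    rows = []
    object_seq = 0
    for req_no, (cip, sip, user, sess, sql, commands) in enumerate(log, start=1):
        for cmd_no, (command, objects) in enumerate(commands, start=1):
            for obj in objects:
                object_seq += 1
                rows.append({
                    "Client IP": cip, "Server IP": sip, "DB User Name": user,
                    "SQL": sql, "Command": command, "Object Name": obj,
                    "_id": {"Client/Server": (cip, sip), "Session": sess,
                            "SQL": req_no, "Command": (req_no, cmd_no),
                            "Object": object_seq},
                })
    return rows


def run_query(log, main_entity: str, fields: Sequence[Tuple[str, str]],
              conditions: Sequence[Tuple[str, str]] = ()) -> List[dict]:
    """fields: (attribute, mode) pairs, mode in Value / Count / Min / Max.
    conditions: (attribute, value) pairs ANDed together as the WHERE clause."""
    main_level = ENTITY_LEVEL[main_entity]
    for attr, mode in fields:
        if mode == "Value" and ENTITY_LEVEL[ATTRIBUTE_ENTITY[attr]] > main_level:
            raise ValueError(f"{attr!r} is below main entity {main_entity!r}: "
                             "it can be counted or aggregated but not displayed")
    rows = [r for r in flatten(log) if all(r[a] == v for a, v in conditions)]
    value_attrs = [a for a, m in fields if m == "Value"]
    groups: Dict[tuple, List[dict]] = defaultdict(list)
    for r in rows:
        groups[tuple(r[a] for a in value_attrs)].append(r)
    result = []
    for key in sorted(groups):            # default Order-by: ascending by attribute value
        group = groups[key]
        out = dict(zip(value_attrs, key))
        for attr, mode in fields:
            distinct = {r[attr] for r in group}
            if mode == "Count":           # count of distinct values, as in Guardium
                out[f"{attr} (Count)"] = len(distinct)
            elif mode == "Min":
                out[f"{attr} (Min)"] = min(distinct)
            elif mode == "Max":
                out[f"{attr} (Max)"] = max(distinct)
        # Total count: distinct instances of the main entity on this row.
        out["Count"] = len({r["_id"][main_entity] for r in group})
        result.append(out)
    return result
```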

Saving queries and generating reports

• Save queries early and often
• One-step process to generate reports
• Reports can be added to special dashboard My Custom Reports
• Regenerate the report after changing a query
To avoid losing work, save your queries often. After saving the query, you can create a report that
uses the query. The report will be given the same name as the query.

You can also use the query builder to clone an existing report. This is useful if you want a new
report that is slightly different from an existing custom report, or if you want to use a pre-existing
report as a guideline for a new report.

You can add a report to a special dashboard called My Custom Reports. You can also create a
dashboard to group reports.

After creating a report, if you change the query, you have to regenerate the report.
Creating a dashboard and adding a report

You can use dashboards to group reports. As an example, you might create a dashboard that
contains reports pertinent to a role.
at

After creating the dashboard, you can access it through the GUI. You can also make a given report
ic

the home page for your portal, so that when you log in, it is the first thing you see.
l
up
D
ot
N
o
D

© Copyright IBM Corp. 2016 281


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Report toolbar icons

• Edit query
• Data mart builder
• Email a report
• Open report in new window
• Configure report
• Configure report columns
• Edit runtime parameters
• Add to favorites
• Refresh

Report toolbar functions include a number of icons. Most are self-explanatory.

• Edit query: Opens the query builder for the query associated with the report.
• Data mart builder: A data mart is a subset of a data warehouse. A data warehouse aggregates
  and organizes the data in a generic fashion that can be used later for analysis and reports. This
  icon allows you to specify the parameters for a data mart.
• Configure report: Allows you to configure the look and feel of the report.
• Configure report columns: Selects which columns to display. This does not change the
  underlying query or the underlying report; it only allows you to hide one or more columns.
• Edit runtime parameters: Allows you to edit report configurations that are displayed at
  runtime.
Runtime parameter configuration

• Runtime parameters provide a value used in a query condition.
• Standard runtime parameters include the following fields:
  – Enter Period From
  – Enter Period To
  – Remote Data Source
  – Refresh Rate

Use the runtime parameter configuration window to change runtime parameters. Access this
window by clicking the Edit runtime parameters icon in the report toolbar.

A runtime parameter provides a value to be used in a query condition. There is a default set of
runtime parameters for all queries, and any number of custom runtime parameters can be defined in
the query used by the report. Custom runtime parameters are covered later in this unit.

Standard runtime parameters include those shown in the following list:

• Enter Period From: The starting date and time for the report.
• Enter Period To: The ending date for the report.
• Remote Data Source: In a Central Manager environment, you can run a report on a managed
  unit by selecting that Guardium appliance from the Remote Data Source list.
• Refresh Rate: The number of seconds after which the data is to be refreshed. Zero means that
  the data will not be refreshed.
Report customization

Use the Configure report icon to modify the report look and feel.

You can customize the look and feel of the report by clicking the Configure report icon. A series of
four windows is displayed:

1. Report Columns: Allows you to change the report name and the column descriptions.
2. Report Attributes: Allows you to choose whether to use a tabular or chart view of the data.
   Some types of data make better sense when presented as a chart. As an example, a report that
   provides a count of sessions by source program might be better presented as a chart. If the
   chart option is chosen, an additional window that allows you to choose the type of chart is
   displayed.
3. Report Color Mapping: Allows you to conditionally add color to a chart. This allows users to
   quickly identify records that meet certain criteria. As an example, you might add green, yellow,
   and red colors when the session count falls within certain parameters.
4. Submit Report: Allows you to add comments, assign roles, change the title, and save.
Customizing charts

If the report is presented in chart form, you can use the Customize Chart window to change the
look of the chart, including the labels, type, style, and color scheme.
Exporting a report

• Multiple formats exist for exporting and printing reports
• Save the results or select an application to view them in

You can export or print report data in a number of different formats, including an HTML file, a
portable document format (PDF) file, or a file of comma-separated values (CSV).

If the report has a lot of data to export, it will generate a large PDF file, which can cause the UI to
time out. If you plan to generate large PDF files, consider doing so as part of an audit process, or
increase the UI timeout value to avoid this problem.

You can also export the contents of a report to a CSV file. You can export either all the records in
the report (the entire report) or only the display records (the data currently displayed).

In the report toolbar, click Export > Download all records or Export > Download display
records. You can save the results or select an application to view them in.

If you edit a report and remove a column, the report will still show the original columns when it is
exported as a PDF file.
Query conditions

• Use query conditions to narrow the scope of the query
• One or more entity attributes can be used to filter which results are returned

Besides specifying which entity attributes will be considered, a set of parameters must be specified
to define the bounds that the attribute must fall between. As an example, if filtering on DB User
Name, you might want to retrieve only those records that correspond to a set of database users
that are specified by a Guardium group, such as Privileged Users.

The following table shows the definitions of the available query conditions.

Query condition               Definition
<                             Less than
<=                            Less than or equal to
<>                            Not equal to
=                             Equal to
>                             Greater than
>=                            Greater than or equal to
CATEGORIZED AS                Member of a group belonging to the category selected from the
                              drop-down list to the right, which appears when a group operator is
                              selected
CLASSIFIED AS                 Member of a group belonging to the classification selected from the
                              drop-down list to the right, which appears when a group operator is
                              selected
IN DYNAMIC GROUP              Member of a group that will be selected from the drop-down list in the
                              runtime parameter column to the right, which appears when a group
                              operator is selected
IN DYNAMIC ALIASES GROUP      Works on a group of the same type as IN DYNAMIC GROUP, but
                              assumes that the members of that group are aliases
IN GROUP                      Member of the group selected from the drop-down list in the runtime
                              parameter column to the right, which appears when a group operator is
                              selected. Cannot be used with IN ALIASES GROUP
IN ALIASES GROUP              Works on a group of the same type as IN GROUP, but assumes that the
                              members of that group are aliases. Note that the IN GROUP and
                              IN ALIASES GROUP operators expect the group to contain actual values
                              or aliases respectively. An alias provides a synonym that substitutes for
                              a stored value of a specific attribute type. It is commonly used to
                              display a meaningful or user-friendly name for a data value. For
                              example, Financial Server might be defined as an alias for IP address
                              192.168.2.18.
IS NULL                       Empty attribute
IN PERIOD                     For a timestamp only, within the selected time period
LIKE                          Matches a like value specified in the boxes to the right. A like value
                              uses the percent sign as a wildcard character, and matches all or part
                              of the value. Alphabetic characters are not case sensitive. For example,
                              %tea% would match tea, TeA, tEam, and steam. If no percent signs are
                              included, the comparison operation will be an equality operation (=).
LIKE GROUP                    Matches any member of a group that can contain wildcard member
                              names. For example, if the group contained a member named %tea%,
                              it would match tea, TeA, tEam, and steam.
NOT IN DYNAMIC GROUP          Not equal to any member of a group; selected from the drop-down list
                              in the runtime parameter column to the right, which appears when a
                              group operator is selected
NOT IN DYNAMIC ALIASES GROUP  Works on a group of the same type as NOT IN DYNAMIC GROUP, but
                              assumes that the members of that group are aliases
NOT IN GROUP                  Not equal to any member of the specified group; selected from the
                              drop-down list in the runtime parameter column to the right, which
                              appears when a group operator is selected
NOT IN ALIASES GROUP          Works on a group of the same type as NOT IN GROUP, but assumes
                              that the members of that group are aliases
NOT IN PERIOD                 For a timestamp only, not within the selected time period
NOT LIKE                      Not like the specified value (see the description of LIKE, above)
NOT REGEXP                    Not matched by the specified regular expression
REGEXP                        Matched by the specified regular expression, conforming with the
                              POSIX 1003.2 specification
Addition mode: AND/OR

The AND and OR options control how conditions are added to the query.
Having: Querying aggregate values

• Use HAVING to query against aggregate values
• In this example, only records in which the count of attribute Client IP is greater than 1 are
  selected
Parenthesis

To create complex queries, use the parenthesis buttons.

The parenthesis buttons let you add parentheses to the query, allowing for complex queries. In
the above example, the query selects one of the following types of records:

• The object name contains the letters cc AND the SQL verb is select AND the DB user name is
  in the Lab Privileged Users group.
• The DB user name is not in the Lab Trusted User group AND the command is in the DDL
  Commands group.
Runtime Parameters / Dynamic groups

• Runtime parameters and dynamic groups supply query conditions each time you run the report
• Choose a parameter in the Runtime Parameter column to create a parameter based on a single
  value

Use runtime parameters and dynamic groups to supply query conditions each time you run the
report. Choose a parameter in the runtime parameter column to create a parameter based on a
single value. Generally, you should use LIKE as your operator when creating runtime parameters.
Instead of entering a value in the query field, you enter the name of the parameter. In the example
above, DBUser is the name of the parameter.

To create a runtime parameter based on group membership, choose IN DYNAMIC GROUP as the
operator and enter the name of the parameter. In this example, Command is the name of the
parameter.
Runtime Parameters / Dynamic groups: Results

This query returns any DB user whose name includes an s or S, and who executed an SQL
command that is in the data modification language (DML) commands group.

The example above demonstrates how runtime parameters work. You enter the values you are
interested in and the report returns only data related to those values. Alternatively, you can enter a
wildcard (%) to return all data. For dynamic groups, you must choose a value from the pull-down
list.

In the example above, %s% matches any DB user name that has an s or S in it. The dynamic group
has been chosen to be DML commands.
Drill-down reports

Adding runtime parameters to reports also makes them available as drill-down reports.

The example above shows runtime parameters for a database user name and client IP. Therefore,
any report containing these two fields will have this report available as a drill-down report, as shown
on the following page.
Drill-down report example

• Double-click a report row to invoke a drill-down report
• When you drill down, Guardium feeds data from the selected row to the runtime parameters and
  displays the result

The built-in Details Sessions List report contains DB User Name and Client IP as fields, so the new
report you created on the previous page is now available as a drill-down. Drill-down reports are
invoked by double-clicking a row on a report. When you choose a drill-down, it feeds data from the
row that you click to the runtime parameters and displays the result.
Searching for a report

• Use the Query, Report Title, or Chart Type fields to search for a report
• For a list of all reports, leave the fields blank and click Search

To find a specific report, you can select its name from the Query, Report Title, or Chart Type
pull-down menus and press the search icon. You can also run a search with no parameters to
return all reports.
Report builder buttons

• The Report Search Results page displays all of the reports found based on search criteria
• New, Modify, Clone, and Delete a report
• Note: Deleting a report does not delete the query

The Report Search Results page displays all of the reports found based on your search criteria.
Because you left the criteria blank on the previous window, all reports are presented. The following
table shows the options that are available from this window.

Option                    Description
New                       Create a new report based on a previously created query.
Clone                     Copy an existing report and save it with a new name.
Modify                    Make changes to an existing report.
Delete                    Delete a report. This does not delete the associated query, but you must
                          delete the report before you can delete any associated queries.
Roles                     Grant access to the report to other users based on their roles. To grant
                          access to a report, you must grant the roles to the underlying query first.
Comment                   Make notes on a report for reference.
Add to My Custom Reports  Publish the report to the My New Reports tab.
API Assignment            Link additional API functions to predefined Guardium reports or custom
                          reports.
Drilldown Control         Remove drill-down entries for this report.
Exercise introduction

Complete the following exercises in the Course Exercises book:
• Creating a simple query and report
• Creating a query and report with drill-down capabilities
• Creating multiple queries and assigning them to roles

Perform the exercises for this unit.
Unit summary

• Use domains, entities, and attributes to create queries
• Create, display, and share reports
Unit 10 IBM Guardium: Compliance workflow automation

You can use Guardium compliance workflow automation tools to consolidate database activity
monitoring tasks and streamline your compliance process. In this unit, you learn how to automate
the processes involved with preparing compliance information for distribution and review. This
process includes creating a compliance workflow, distributing the workflow to designated reviewers,
and creating a report.
Unit objectives

• Consolidate and automate audit activities into a compliance workflow
• Manage the audit results
Lesson 1 Creating a compliance workflow

Guardium compliance workflow automation tools can transform database security management
from a time-consuming manual process to an automated process that supports company privacy
and governance requirements. In this lesson, you learn how to create a compliance workflow that
includes name/archive, tasks, receivers, and schedule.
Compliance Workflow Automation

Provides facilities to automate and integrate audit activities into a compliance workflow:
• Group multiple audit tasks, such as reports and vulnerability assessments, into a single process
• Schedule the process to run on a regular basis, in background mode
• Assign the process to its originator for viewing
• Assign the process to other users, or to a group of users or a role
• Create the requirement that the assignees sign off on the result
• Allow users to add comments and notations
• Allow escalation of the results

The compliance workflow automation tools in Guardium provide the ability to transform the
management of database security from time-consuming manual activities performed periodically to
a continuous, automated process that supports company privacy and governance requirements,
such as PCI-DSS, SOX, Data Privacy, and HIPAA. These tools include the following capabilities:

• Streamline the compliance workflow process by consolidating, in one spot, the following types
  of database activity monitoring tasks:
  – Asset discovery
  – Vulnerability assessment and hardening reports
  – Database audit reports
• Distribute reports to a specific list of recipients in a specific order, and optionally require sign-off
  by key stakeholders.
• Allow recipients to escalate delivery of reports following specified criteria.
• Export audit results to external repositories for additional forensic analysis, such as those shown
  in the following list:
  – Syslog
  – CSV/CEF files
  – External feeds
Compliance Workflow Automation elements

• Distribution plan
  – Defines receivers, which can be individual users, user groups, or roles
  – Defines the review/sign responsibility for each receiver
  – Defines the distribution sequence
• Set of tasks
  – Reports
  – Security assessments
  – Entity audit trails
  – Privacy sets
  – Classification processes
  – External feeds
• Schedule
  – The audit process can be run immediately, or a schedule can be defined to run the process on
    a regular basis

A compliance workflow automation process answers the following questions:

• What type of report, assessment, audit trail, or classification is needed?
• Who should receive this information and how are sign-offs handled?
• What is the schedule for delivery?

A workflow process can contain any number of audit tasks, including the tasks shown here:

• Reports, custom or predefined: Guardium provides hundreds of predefined reports, with
  more than 100 regulation-specific reports.
• Security assessment report: The security database assessment scans the database
  infrastructure for vulnerabilities, and provides an evaluation of database and data security
  health, with both real-time and historical measurements. It compares the current environment
  against preconfigured vulnerability tests based on known flaws and vulnerabilities. These tests
  are grouped using common database security best practices such as STIG and CIG1, and they
  incorporate custom tests. The application generates a Security Health Report Card, with
  weighted metrics based on best practices, and recommends action plans to help strengthen
  database security.
• An entity audit trail: This detailed report of activity relates to a specific entity, such as a client
  IP address or a group of addresses.
• A privacy set: This report details access to a group of object-field pairs, such as a Social
  Security number and a date of birth, during a specified time period.
• A classification process: The existing database metadata and data are scanned, reporting on
  information that might be sensitive, such as Social Security numbers or credit card numbers.
• An external feed: Data can be exported to an external specialized application for further
  forensic analysis.
Compliance Workflow Automation log

• Compliance Workflow Automation includes a detailed activity log for all tasks, which includes
  task start and end times
• A report of the information in the activity log, called the Audit Process Log, is available to view
  or clone
Compliance automation process components

• A new compliance automation process consists of four parts
  – Name and archive
  – Tasks
  – Receivers
  – Schedule
• Use a fifth section, Run audit process, to run the process manually

The audit process has four parts:

1. Name: Name and advanced information about the process
2. Tasks: Which reports or other information will be processed for review
3. Receivers: Those roles or users who need to see and review the information
4. Schedule: When the process will be run

Each section is discussed on the upcoming pages. A fifth section in the builder allows you to run the
process manually.
Audit process name and archive

• Name
• Archiving results and retention
• File label and compression options
• Email subject line
• Roles

The Audit Process Definition menu includes the following general options for the process:

• Name: Enter a name for the audit process.
• Archive: Select this check box to include this audit process's results in the Results Archive
  process.
• Allow results to be purged prior to review: Select this check box to allow process results to
  be purged before the review by the receivers is complete.
• Keep for a minimum of x days x runs: Enter a number in either of these fields to control the
  purge schedule for this process's results.
• CSV/CEF File name: If one or more tasks create CSV or CEF files, you can optionally enter a
  label to be included in all file names, in the CSV/CEF file name field.
• Zip CSV for email: Select this check box to compress, or zip, the named CSV file.
• Email Subject: Enter a subject to be used in the emails for all receivers for that audit process.
  The subject can contain one or more of the following variables, which are replaced at run time:
  – %%ProcessName includes the audit process description.
  – %%ExecutionStart includes the start date and time of the first task.
  – %%ExecutionEnd includes the end date and time of the last task.
• Roles: Set the roles that have access to the audit process. This selection does not define which
  roles can receive the process. That is defined in the Receivers section.
V7.0
Unit 10 IBM Guardium: Compliance workflow automation
Lesson 1 Creating a compliance workflow

Uempty

Audit tasks
Audit tasks control what is delivered to the receivers

Task types
• Report
• Security Assessment
• Entity Audit Trail
• Privacy Set
• Classification Process

The audit tasks section controls what is delivered to the receivers:
• Task Type: Contains Report, Security Assessment, Entity Audit Trail, Privacy Set, and Classification Process choices. In this example, you choose a report.
• Name: Shows the user-defined description of the task.
• Report: Select the report that you would like to send from the pull-down list. You can choose either predefined reports or custom reports that you have created.
• CSV/CEF File Label: Shows the optional label for the file in the CSV/CEF file name field.
• Export as:
– CSV: Exports the report results to a CSV file. The CSV export process must also be configured from Administration Console.
– CEF: Exports the report results to an ArcSight Common Event Format (CEF) file.
– PDF: Exports a PDF file. A PDF file with a similar name as a CSV Export file for this Audit Task is created and exported with the CSV/CEF files.
• PDF Content:
– Report: Includes the current results in the PDF.
– Diff: Includes the difference between one earlier report and a new report in the PDF.
– Reports and Diff: Includes both types of information in the PDF.


Note: Selecting PDF Content applies to both PDF attachments and PDF export files. The Diff result applies only after the first time this task is run. There is no Diff with a previous result if there is no previous result. The maximum number of rows that can be compared at one time is 5000. If the number of result rows exceeds the maximum, the message “(compare first 5000 rows only)” appears in the diff result.

• Write to Syslog: If Export as CEF was selected, writes the CEF records to syslog, if the remote syslog facility is enabled.
• Named Template To Use: Allows selection of a custom message template, if any are defined.
• Compress: If selected, the CSV/CEF files to be exported will be compressed.


Audit receivers
• Receiver types
ƒ Role
ƒ Email
ƒ User Group
ƒ User
• Receivers review or sign the reports
• Distribution of the results can be simultaneous or sequential

Slide callouts: “The to-do list of the receiver is updated to display the report” (Add to to-do list) and “Controls how the distribution of the results occurs when the results are empty” (Approve if empty).

The audit receiver section determines who gets the audit workflow results, when they get the workflow results, and what they must do with the workflow results.

A receiver can be of several different types:
• Role: A set of users that have a certain role. If a role is specified, any one of the users assigned to that role can sign off the workflow. All of the users assigned to the role can view the workflow.
• Email: An email address. This type is useful for sending the workflow results to someone who is not defined as an IBM Guardium user.
• User group: A set of users defined in a Guardium group.
• User: An individual user.

You can define the order in which receivers are distributed the workflow results. This could be done simultaneously, where a set of receivers all receive workflow results at the same time, or sequentially, where one receiver receives workflow results only after another receiver has signed off on the workflow results.

The audit receiver section controls who receives the workflow, the order in which users receive it, and the user’s required action upon receipt. Complete the following options for a new receiver:
• Receiver Type: Select the Role, Email, User Group, or User type.
• Role: Select from a drop-down list of Guardium individual users or roles. If a role is selected, all users with that role will receive the results. However, if signing is required, only one user will need to sign the results.

• Action: Select actions the receiver is required to take.
– Review: Indicates that the receiver does not need to sign the results.
– Sign off: Indicates that the receiver must sign the results electronically, by clicking the Sign Results button when viewing the results online.
• Approve if empty: Controls how the distribution of results takes place when the results are empty.
– Selected: If all the reports of the task are empty, the system automatically signs the result (and/or marks it as viewed) and continues, if relevant. The system does not notify the recipient via either the To Do list or email. It does not generate any PDF/CSV/CEF files.
– Cleared: When this check box is not selected, all normal processing takes place even when the results are empty.
• Add to to-do list: Select to notify the receiver of the report’s delivery via the user’s To Do List.
• Email format: Specifies what information is sent in an email.
– None: Sends no email.
– Links Only: Sends a link to the report.
– Full results: Includes the report in the email.
• Distribution sequence: Controls whether distribution of results continues to the next receiver or stops until this receiver has taken the appropriate action.
– Simultaneous: The results will immediately be released to the next receiver on the list.
– Sequential: If the receiver is an individual user, that user must take the indicated action before the results continue to the next receiver in the list. If the receiver is a group or a role, one member of that group or role must take the indicated action before the results continue to the next receiver in the list.
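As an added illustration, not part of the course materials or the Guardium product, the following Python model walks through the receiver options above: it releases results in receiver order, holds at a Sequential receiver until one qualifying user acts, auto-approves empty results where Approve if empty is set, and records which To Do and email notifications would be sent. The Receiver and AuditDistribution classes, the member lookup for roles and groups, and the treatment of Email receivers as unable to act are assumptions.

```python
# Added example: a small model of the receiver distribution rules described
# above (Role/User Group/User/Email receivers, Review vs Sign off, Approve if
# empty, To Do and email notifications, Simultaneous vs Sequential release).
# This is not Guardium code; the classes, the member lookup and the handling
# of Email receivers (notified once, no sign-off possible) are assumptions.
from dataclasses import dataclass


@dataclass
class Receiver:
    name: str                            # role, group or user name, or address
    rtype: str                           # "Role", "User Group", "User", "Email"
    action: str = "Review"               # "Review" or "Sign off"
    approve_if_empty: bool = False
    add_to_todo: bool = True
    email_format: str = "Links Only"     # "None", "Links Only", "Full results"
    distribution: str = "Simultaneous"   # "Simultaneous" or "Sequential"
    members: tuple = ()                  # users behind a Role / User Group
    done: bool = False                   # required action has been taken


class AuditDistribution:
    """Releases results to receivers in list order, stopping at a Sequential
    receiver until it acts, auto-approving empty results where configured,
    and accepting one member's action for a Role or User Group."""

    def __init__(self, receivers, results_empty):
        self.receivers = list(receivers)
        self.results_empty = results_empty
        self.log = []            # notifications the system would have sent
        self.released = 0        # index of the first receiver not yet released
        self._release()

    def _notify(self, r):
        if self.results_empty and r.approve_if_empty:
            # Auto-signed / marked viewed: no To Do entry, no email, no files.
            r.done = True
            self.log.append(f"{r.name}: auto-approved (empty results)")
            return
        if r.add_to_todo and r.rtype != "Email":
            self.log.append(f"{r.name}: To Do list entry")
        if r.email_format != "None":
            self.log.append(f"{r.name}: email ({r.email_format})")
        if r.rtype == "Email":
            r.done = True        # assumption: an external address cannot act

    def _release(self):
        """Notify receivers from the current position until a Sequential
        receiver that still has to act is reached."""
        while self.released < len(self.receivers):
            r = self.receivers[self.released]
            self._notify(r)
            self.released += 1
            if r.distribution == "Sequential" and not r.done:
                break            # hold the remaining receivers

    def pending(self):
        """Released receivers that have not yet taken their action."""
        return [r.name for r in self.receivers[:self.released] if not r.done]

    def waiting(self):
        """Receivers not yet released because of a Sequential stop."""
        return [r.name for r in self.receivers[self.released:]]

    def act(self, user, what):
        """A user performs 'Review' or 'Sign off'.  One member suffices for a
        Role or User Group.  Returns True when a receiver was satisfied."""
        for r in self.receivers[:self.released]:
            if r.done or (user != r.name and user not in r.members):
                continue
            if r.action == "Sign off" and what != "Sign off":
                continue         # a review does not satisfy a sign-off step
            r.done = True
            self.log.append(f"{r.name}: {what} by {user}")
            self._release()      # may lift a Sequential hold
            return True
        return False


def demo_receivers():
    """Constructed receiver list: a role that must sign first, then a
    reviewer and an external address released together."""
    return [
        Receiver("dba-admin", "Role", action="Sign off",
                 distribution="Sequential", members=("alice", "bob")),
        Receiver("auditor1", "User", action="Review"),
        Receiver("ciso@example.com", "Email", add_to_todo=False,
                 email_format="Full results", approve_if_empty=True),
    ]
```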


Exercise introduction
Complete the following exercise in the Course Exercises book
• Creating an audit process definition

Perform the exercise for this lesson.

Lesson 2 Managing audit results

After a compliance workflow is established, schedule an audit process that involves engaging the information receivers. In this lesson, you learn how to distribute the workflow to designated receivers and create a report that contains configured tasks, workflow status, distribution status, and receiver comments.


Activating and running an audit process
The audit process can be scheduled or run manually

After the process receivers and tasks are complete, you can schedule the audit process. You can also click Run Once Now to execute the audit process immediately.


To-do lists
If a role is the receiver, the task shows for all users who are members of that role

After an audit process is run, receivers are notified of new results by email or through a link after logging into the appliance. To view an audit process, click the link and then click the View button.


Report delivery
Workflow results contain each of the tasks configured and the status of the workflow, including the distribution status and any comments made by other receivers


Workflow results
Workflow results include the following information
• Distribution Status
• Comments

This is an example of a completed audit process. All of the receivers have completed their task, whether that requires review or a signature.


Exercise introduction
Complete the following exercise in the Course Exercises book
• Managing audit results

Perform the exercise for this lesson.


Unit summary
• Consolidate and automate audit activities into a compliance workflow
• Manage the audit results

Unit 11 IBM Guardium: File activity monitoring

You can use Guardium file activity monitoring (FAM) to keep track of the files on your servers. FAM capabilities include finding files, which is known as discovery, classifying the files, and monitoring the activity of files. You can use security policy rules to monitor and collect file-related information.

In this unit, you learn how to locate file entitlements and classification data. You also create policies that log file activity and block access to a file.

Reference: FAM configuration with GIM Parameters: http://ibm.co/2dugQro


Unit objectives
• Describe the components of file access monitoring (FAM)
• Discover and classify files
• Implement policies that monitor and control access to files

Lesson 1 File activity monitoring components

File activity monitoring (FAM) helps manage unstructured data that might contain sensitive data and can help identify abnormal behavior. In this lesson, you learn about components and agents used to monitor file activity.


File activity monitoring overview
• Understand your sensitive data exposure
• Get a full picture of ownership and access for your files
• Control access to critical files through blocking and alerting
• Gain visibility into entitlements and activity through custom reports and advanced search

[Figure: a Collector fed by host-based probes (FS-TAP) and host-based probes (S-TAP)]

Guardium has added the market-leading capability of activity monitoring to unstructured data.

File activity monitoring (FAM) helps you manage access to your unstructured data containing critical and sensitive information. FAM provides complete visibility into activity by providing extensive compliance and audit capabilities. With these capabilities, you can identify normal and abnormal behavior and drill into the details.

Guardium FAM includes tools that help you perform these tasks:
• Find and classify your sensitive data
• Understand the ownership and entitlements of the files
• Control access, report, alert, and block access to critical files

FAM helps you gain enterprise visibility into file activity and couple it with your structured data activity to build a robust solution and real-time data protection strategy.


FAM components

[Figure: FAM components. Discover: File Crawler. Classification: ICM Analysis Engine (Classification Server). Activity Monitoring: Guardium Universal Feed]

FAM components:
• Discovery: Locates folders and files, then extracts the following types of metadata to a secure central repository:
– File name
– Path
– Size
– Last modified date
– Owner
– Privileges
• Classification: Categorizes files according to their content, by searching for the following types of personal identity information:
– Credit card numbers
– Social Security numbers and other national identification numbers
– Other sensitive data that can be characterized by a pattern of numbers, letters, and symbols
• Activity Monitoring: Audits file activity according to policy, alerts on improper access, or selectively blocks access to files to prevent data leakage.


FAM architecture

Note: Guardium uses two special agents, FS-TAP and FAM Crawler, that work with S-TAP

FAM policies are pushed to the monitoring agent in the file server. FAM Discovery on the file server performs file discovery and classification. The basic scan includes owner, size, last change, and access privileges to user or group. For classification, use sets of classifier rules known as decision plans. You can create your own customized decision plans using IBM Content Classification Workbench.

Note: File monitoring is supported on Linux, AIX, and Windows.


FAM agents
Two agents on the file server implement FAM functionality
• FS-TAP implements policy and sends results of policy actions to the collector
• FAM Crawler inventories files on each server and identifies sensitive data within the files

The file system monitoring agent is included in the same bundle as the regular database S-TAP. It is distinguished in the Guardium UI with a :FAM suffix appended to the S-TAP Host name. It implements policy and sends results of policy actions back to the collector.

FAM uses a discovery agent called a file crawler to inventory the files on each server and identify sensitive data within the files. The file crawler gathers the list of folders and files, their owner, access permissions, size, and the date and time of the last update. The discovery agent is distinguished with the FAM_Agent suffix.


FAM agent parameters

Notes:
• FS-TAP and FAM Crawler agent parameters are configured in the same window
• For detailed information on configuring each of the parameters, see the Guardium Knowledge Center

The example on the slide shows the FAM agent configuration parameters. Parameters for both the FS-TAP and FAM Crawler agent are configured in the same window. The Guardium Knowledge Center provides detailed information about configuration, but the following list provides a summary:
• FAM_ICM_CLASS_DECISION_PLANS determine how the file information is classified. In the example above, HIPAA, PCI, source code, and SOX decision plans are used in evaluating file information.
• FAM_SOURCE_DIRECTORIES tell the FAM Agent where to search for files to classify and monitor. You can also specify directories, extensions, and specific files to exclude.
• FAM_SCHEDULER parameters specify how often the FAM crawler will run. In the example above, the time interval is 0 hours and 5 minutes. While this is satisfactory for a laboratory environment, a production environment will have the FAM crawler run much less frequently.

For more information, refer to the FAM configuration with GIM Parameters documentation at http://ibm.co/2dugQro.
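As an added example (not Guardium code), the following Python crawler mirrors the Discovery and Classification components described in the FAM components slide and the FAM_SOURCE_DIRECTORIES exclusions summarised above: it walks the configured directories, skips excluded directories, extensions and files, records the metadata that Discovery extracts, and matches content against pattern-based decision plans. The configuration layout, the three decision plans and the sample file tree are assumptions built for illustration.

```python
# Added example (not Guardium code): a miniature crawler mirroring the FAM
# discovery and classification steps above and the FAM_SOURCE_DIRECTORIES
# exclusions from the agent parameters.  The configuration layout, the
# decision plans and the sample tree are assumptions built for illustration.
import os
import re
import stat
import tempfile
from datetime import datetime, timezone


def _luhn_ok(digits):
    """Luhn checksum so that random 16-digit runs are not flagged as cards."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch) * 2 if double else int(ch)
        total += n - 9 if n > 9 else n
        double = not double
    return total % 10 == 0


# Constructed decision plans: name -> (content pattern, validator of the match).
DECISION_PLANS = {
    "PCI": (re.compile(r"\b(?:\d[ -]?){13,16}\b"),
            lambda m: _luhn_ok(re.sub(r"\D", "", m))),
    "HIPAA": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),  # SSN shape
    "SOURCE_CODE": (re.compile(r"^\s*(?:#include|import |def |public class)",
                               re.M), lambda m: True),
}


def source_directories(root):
    """Assumed shape of FAM_SOURCE_DIRECTORIES: where to scan, what to skip."""
    return {"include": [root], "exclude_dirs": ["tmp", ".git"],
            "exclude_extensions": [".log", ".bak"],
            "exclude_files": ["notes-private.txt"]}


def classify(text, plans=DECISION_PLANS):
    """Names of the decision plans whose pattern and validator both match."""
    return sorted(name for name, (pat, ok) in plans.items()
                  if any(ok(m.group(0)) for m in pat.finditer(text)))


def crawl(config, plans=DECISION_PLANS):
    """Discovery pass: metadata plus classification for every included file."""
    records = []
    for top in config["include"]:
        for dirpath, dirnames, filenames in os.walk(top):
            # Prune excluded directories in place so os.walk never enters them.
            dirnames[:] = [d for d in dirnames if d not in config["exclude_dirs"]]
            for fname in filenames:
                if (fname in config["exclude_files"] or
                        os.path.splitext(fname)[1] in config["exclude_extensions"]):
                    continue
                path = os.path.join(dirpath, fname)
                st = os.stat(path)
                with open(path, "r", errors="ignore") as fh:
                    content = fh.read()
                records.append({
                    "file_name": fname,
                    "path": path,
                    "size": st.st_size,
                    "last_modified": datetime.fromtimestamp(
                        st.st_mtime, tz=timezone.utc).isoformat(),
                    "owner": str(st.st_uid),          # uid; name lookup omitted
                    "privileges": stat.filemode(st.st_mode),
                    "classification": classify(content, plans),
                })
    return records


def run_demo():
    """Build a constructed tree in a temp dir; return {file name: plans hit}."""
    files = {
        "cards.csv": "customer,card\nAda,4111 1111 1111 1111\n",  # Luhn-valid test number
        "patients.txt": "Patient record, SSN 123-45-6789\n",
        "app.py": "import os\nprint(os.getcwd())\n",
        "readme.txt": "Team lunch on Friday.\n",
        "debug.log": "card 4111 1111 1111 1111\n",                # excluded extension
        "notes-private.txt": "SSN 123-45-6789\n",                 # excluded file
        os.path.join("tmp", "scratch.txt"): "4111111111111111\n", # excluded directory
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        for rel, text in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return {r["file_name"]: r["classification"]
                for r in crawl(source_directories(root))}
```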

Lesson 2 Organizing files

Discovery includes finding files, their associated permissions, and additional metadata. Classification rules can be used to identify any files that contain sensitive data. You can use classification to look through files for potentially sensitive data, such as credit card information or personally identifiable information (PII). In this lesson, you learn how to use Search to locate file entitlements and classification data. You also learn how to filter search results and create customized FAM queries and reports.


Discovery and classification
• Use provided decision plans or create custom ones
ƒ SOX
ƒ PCI
ƒ HIPAA
ƒ Source code
• Supports common file types
• Results available through search and reports
• Ability to build policies from results

FAM uses decision plans to identify sensitive data within files. Each decision plan contains rules for recognizing a certain type of data. By default, FAM uses decision plans that identify data for SOX, PCI, HIPAA, and source code. You can create your own decision plans, and you can activate and deactivate decision plans to focus on the types of sensitive data you are concerned about. Think of this as analogous to the classification process used with databases. Decision plans are analogous to classification policies.

Most common data file types, including PDF, Text, Word, PowerPoint, Excel, XML, CSV, logs, source code, and configuration files, are supported. You can create custom decision plans in a standalone Windows application called ICM Workbench that is available for IBM customers. Entitlements and classification are available via the Search feature using the files option. The FAM Discovery Agent must be configured to scan and send data to Search.

You can even automatically add discovered files to a security policy rule to set up monitoring, alerting, and blocking.


Using Search
• Search enables quick access to some Guardium functions
• To view entitlements and classification data for files in Search, select File in the search list in the banner; this action opens the Search function and displays file data

Note: You configure the FAM discovery agent to scan and send data to Search by running the following command on the Guardium collector: grdapi enable_fam_crawler

The file crawler sends file metadata and data from its classification process to the Guardium system. You can view that data in reports or in the file version of the enterprise search function.

To view entitlements and classification data for files in the Search function, choose File in the search drop-down list in the banner. This action opens the Search function and displays file data. The FAM discovery agent must be configured to scan and send data to Search. You do that by running the following command on the Guardium collector:

grdapi enable_fam_crawler


Filtering search results
You can filter search results on several criteria
• Appliance
• Server
• Owner
• Classification
• Entity
• Date

Results can be filtered on a number of different criteria:
• Guardium Appliance: Which collector collected the data
• Server: Which file server contains the file
• Owner: File owner
• Classification: Which discovery plan pertains to the file
• Entity: Which entity within the classification pertains to the file
• Date: Date files were available

You can create a new rule from the list of enterprise search results, or from the FAM policy builder, and use values from the results to populate rule values.


Discovery and classification reports
• Guardium includes several predefined FAM reports
• Use Query Builder and Report Builder to create customized reports

This is one of the FAM reports that shows the results of the discovery and classification process. It scans a directory, drive, USB, or any mounted drive and provides a list of all files it contains, with the entitlements; that is, it shows which users are authorized to do what on that file.

The classification tells you if the content of that file matches one of FAM’s decision plans, such as these examples:
• Source code
• HIPAA
• SOX
• PCI
• A custom decision plan


Custom FAM queries and reports
FAM queries use two entities
• FAM_File: Information about the file, including owner, privileges, and time stamp
• FAM_Classification: Information about how Guardium classifies the file


Exercise introduction
Complete the following exercises in the Course Exercises book
• Verifying settings for file access monitoring
• Creating a file access monitoring dashboard and report
• Running discovery and classification

Perform the exercises for this lesson.

Lesson 3 Creating policies that manage files

File activity monitoring includes using security policy rules to monitor and collect information. In this lesson, you learn how to use the Build Rule wizard to create a policy that logs file activity. You also learn how to configure the policy to block access to a file.


Monitoring file activity
• Independent of discovery and classification
• Uses a separate subagent FAM or FS-TAP (as opposed to FAM_Crawler)
• Uses policies to determine what to monitor

File monitoring can be used with or without discovery and classification to monitor access to files and, based on policy rules, audit and alert on inappropriate access, or even block access to the files to prevent data leakage.


Creating policies for files
• In file monitoring, rules are pushed to and evaluated at the data source
• FAM performance is affected by the number of rules because every file operation on the system is matched against every rule

You can create policies for files, just as you create policies for database activity. In file monitoring, the rules are pushed to the data source and are evaluated there.

Having more than one rule for a file is very inefficient. The performance of FAM is critical. After FAM is enabled, every single file operation on the entire system has to be matched against every rule, regardless of whether the operation is to a monitored file. Therefore, having three rules has three times the performance hit as one.

You choose which operations to apply the policy to. You can choose such operations as read, write, execute, delete, and fileop.


FAM policy rule builder
1. To create a rule, right-click an entry and select Add Policy Rule
2. In the Build Rule wizard, fields such as Rule name and Choose datasources are populated based on the selected entry values
3. Select a Rule action
4. Select a Notification Type

Rule actions include the following options
• Alert and Audit
• Audit only
• Ignore
• Log as Violation and Audit
• Block, Log as Violation and Audit

The table below describes the rule actions.

Action                              Description
Alert and Audit                     • Send an alert to a designated receiver
                                    • Log the event
Audit only                          Log the event
Ignore                              Ignore the event
                                    Note: This action is useful for trusted traffic or applications to reduce the amount of traffic sent to Guardium.
Log as Violation and Audit          • Log as a policy violation
                                    • Log the event
Block, Log as Violation, and Audit  • Block access to the file
                                    • Log as a policy violation
                                    • Log the event
                                    • Send an alert to a designated receiver
                                    Note: This action is only available with the Advanced offering.


FAM policy rule builder (continued)
6. Specify the File path for the rule
7. Specify the User for the rule
8. Select an Access command for the rule
9. Click Save

Rule criteria
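As an added example (not Guardium code), the following Python evaluator models the rule criteria from the wizard (File path, User, Access command) together with the rule actions in the table above, and checks every rule for every file operation to show the cost the earlier notes warn about. Glob syntax for File path, first-match precedence and the outcome when no rule matches are assumptions.

```python
# Added example: a rule evaluator that models the FAM policy actions listed in
# the table above and the rule criteria (File path, User, Access command)
# from the wizard.  Not Guardium code: glob syntax for paths, first-match
# precedence and the "no rule matched" outcome are assumptions, and every
# rule is evaluated for every operation to mirror the performance note.
import fnmatch
from dataclasses import dataclass

# Effects of each rule action, transcribed from the table.
ACTIONS = {
    "Alert and Audit":
        {"alert": True, "audit": True, "violation": False, "block": False},
    "Audit only":
        {"alert": False, "audit": True, "violation": False, "block": False},
    "Ignore":
        {"alert": False, "audit": False, "violation": False, "block": False},
    "Log as Violation and Audit":
        {"alert": False, "audit": True, "violation": True, "block": False},
    "Block, Log as Violation and Audit":
        {"alert": True, "audit": True, "violation": True, "block": True},
}
NO_MATCH = {"rule": None, "alert": False, "audit": False,
            "violation": False, "block": False}


@dataclass(frozen=True)
class Rule:
    name: str
    file_path: str          # glob pattern; "*" matches any path
    user: str               # exact user name, or "*" for any user
    access_command: str     # read, write, execute, delete, fileop, or "*"
    action: str             # a key of ACTIONS


@dataclass(frozen=True)
class FileOp:
    path: str
    user: str
    command: str


class FamPolicy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.evaluations = 0    # rule comparisons performed so far

    def _matches(self, rule, op):
        self.evaluations += 1
        return (fnmatch.fnmatchcase(op.path, rule.file_path)
                and rule.user in ("*", op.user)
                and rule.access_command in ("*", op.command))

    def evaluate(self, op):
        """Every rule is checked for every operation (as the notes warn);
        the first matching rule in list order decides the outcome."""
        matched = [r for r in self.rules if self._matches(r, op)]
        if not matched:
            return dict(NO_MATCH)
        rule = matched[0]
        return {"rule": rule.name, **ACTIONS[rule.action]}


def demo_policy():
    """Constructed rules: trusted backup service ignored, payroll writes
    blocked, other HR reads audited."""
    return FamPolicy([
        Rule("trusted-backup", "/data/*", "backupsvc", "*", "Ignore"),
        Rule("protect-payroll", "/data/hr/payroll.xlsx", "*", "write",
             "Block, Log as Violation and Audit"),
        Rule("audit-hr-reads", "/data/hr/*", "*", "read", "Audit only"),
    ])


def run_demo():
    """Evaluate constructed file operations; returns (outcomes, evaluations)."""
    policy = demo_policy()
    ops = [
        FileOp("/data/hr/payroll.xlsx", "backupsvc", "read"),
        FileOp("/data/hr/payroll.xlsx", "contractor1", "write"),
        FileOp("/data/hr/payroll.xlsx", "alice", "read"),
        FileOp("/var/log/syslog", "alice", "read"),   # unmonitored file
    ]
    outcomes = [policy.evaluate(op) for op in ops]
    return outcomes, policy.evaluations
```

The final counter shows four operations costing twelve rule comparisons, including three for the file no rule covers.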


Exercise introduction
Complete the following exercises in the Course Exercises book
• Creating a policy from the file access monitoring discovery and classification results
• Creating a policy to log file activity
• Blocking access to a file

Perform the exercises for this lesson.


Unit summary
• Describe the components of file access monitoring (FAM)
• Discover and classify files
• Implement policies that monitor and control access to files

IBM Training

© Copyright IBM Corporation 2016. All Rights Reserved.
