
Checkpoint (2 of 2)


Contents

1. Figure 9-38: Ignore S-TAP session rule (Trusted connections). [Rule builder screen: condition fields including DB User and/or Group, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object, Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event fields, Replacement Character, Time Period, Minimum Count 0, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0, Cont. to next rule; action IGNORE S-TAP SESSION. Copyright IBM Corporation 2011, 2013.]
   Notes: The Client IP/Src App/DB User/Server IP/Svc Name group allows you to specify the exact sessions that you would like to ignore. For example, activity from a service account on an application server using a specific
2. Figure 9-33: Allow. [Rule builder screen: DB Type, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object, Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event fields, Replacement Character, Time Period, Minimum Count 0, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0; action ALLOW.]
   Notes: With multiple rules in a policy, the rules are processed from top to bottom. When a rule is triggered, the default behavior is to stop processing subsequent rules unless the Cont. to next rule box is checked. The Allow action serves to help control this flow. The A
3. Figure 6-27: Exercise.
   [6-32 InfoSphere Guardium V9 Technical Training. Copyright IBM Corp. 2011, 2013. Course materials may not be reproduced in whole or in part without the prior written permission of IBM. Instructor Guide.]
   Checkpoint solution (1 of 2), Figure 6-28:
   1. A data archive backs up the data that has been captured by an appliance during a given time period.
   2. A data purge deletes the data that has been captured by an appliance during a given time period.
   3. A data export sends the data that has been captured by an appliance during a given time period to an aggregator.
   4. The Guardium catalog tracks every archive file and where it is stored so that the file can be easily retrieved and restored.
   5. True or false: Only an aggregator can perform a data import operation.
   6. Once a system has been added to a central management environment, the status of the appliance will change from "standalone unit" to "managed by".
   Notes: Write your answers here. [Unit 6: System View and Administration Console II, p. 6-33]
   Checkpoint solution (2 of 2):
   7. True or false: The current day's data cannot be archived.
   8. The opposite of an archive is a(n) restore.
   9. The maximum number of Central Managers i
4. Figure 9-76: Policy logic. [Policy rule table; the highlighted row is rule No. 4, an Access Rule named "DML on Sens Obj - alert and log masked details": the command is in the DML Commands group and the object is in the Sensitive Objects group; every other condition (Client IP, Server IP, Src App, DB Name, DB User, App User, OS User, Svc Name, Net Protocol, Field, Pattern, XML Pattern, DB Type, Client MAC, App Event fields) is ANY; Minimum Count 0, Reset Interval 0, Quarantine 0, Records Affected Threshold 0, Message Template Default; actions LOG MASKED DETAILS and ALERT PER MATCH; traffic matching no rule is logged normally ("Log Traffic Normally").]
   Notes: In the example above, the incoming database traffic will be evaluated as follows. Have there been 3 failed logins within 5 minutes from a single user? If yes, alert. If not, go to the next rule. Note: because this rule is an exception rule and the remaining rules are access rules, this rule could have been placed anywhere. Does the session information match the Trusted Connection group? If
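The rule-processing model described in items 2 and 4 above (top-to-bottom evaluation, stop on first match unless "Cont. to next rule" is set, a threshold rule with Minimum Count and Reset Interval, and a trusted-connections rule that short-circuits the rest), as an added Python example. This is my own illustration, not Guardium's policy engine or any IBM code. Everything in it is assumed for the purpose of the demo: the event fields, the group contents (a Trusted Connections tuple of client IP, DB user and server IP; a DML Commands group; a Sensitive Objects group), the rule names, and the sliding-window bookkeeping that stands in for Minimum Count and Reset Interval.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added illustration, not Guardium code. Event fields, group contents and the
# threshold bookkeeping below are assumptions chosen to mirror the rule-builder
# fields on this page (Minimum Count, Reset Interval, Cont. to next rule).

@dataclass
class Event:
    kind: str          # "access" (client->server), "exception" (error / failed login) or "extrusion"
    client_ip: str
    db_user: str
    server_ip: str
    sql: str = ""
    error: str = ""
    minute: int = 0    # constructed timestamp, in minutes

@dataclass
class Rule:
    name: str
    kind: str                        # the rule type this rule can match
    match: Callable[[Event], bool]   # the rule's conditions
    action: str
    continue_to_next: bool = False   # the "Cont. to next rule" box
    min_count: int = 0               # Minimum Count: fire only after this many matches ...
    reset_interval: int = 0          # ... within this many minutes, counted per DB user
    history: Dict[str, List[int]] = field(default_factory=dict)

    def matches(self, ev: Event) -> bool:
        if ev.kind != self.kind or not self.match(ev):
            return False
        if self.min_count == 0:
            return True
        seen = self.history.setdefault(ev.db_user, [])
        seen.append(ev.minute)
        # Assumption: a sliding window; matches older than reset_interval are forgotten.
        seen[:] = [t for t in seen if ev.minute - t < self.reset_interval]
        return len(seen) >= self.min_count

# Constructed group contents standing in for the Trusted Connections group
# (Client IP / DB User / Server IP), the DML Commands group and the Sensitive Objects group.
TRUSTED_CONNECTIONS = {("192.168.169.88", "appsvc", "192.168.169.130")}
DML_COMMANDS = {"INSERT", "UPDATE", "DELETE"}
SENSITIVE_OBJECTS = {"SCOTT.CC_NUMBERS"}

def is_trusted(ev: Event) -> bool:
    return (ev.client_ip, ev.db_user, ev.server_ip) in TRUSTED_CONNECTIONS

def dml_on_sensitive(ev: Event) -> bool:
    words = ev.sql.upper().split()
    return bool(words) and words[0] in DML_COMMANDS and any(o in ev.sql.upper() for o in SENSITIVE_OBJECTS)

def build_policy() -> List[Rule]:
    return [
        # Exception rule: 3 failed logins within 5 minutes from one user -> alert, and keep
        # evaluating (it is independent of the access rules that follow it).
        Rule("Failed logins", "exception", lambda ev: ev.error == "LOGIN_FAILED",
             "ALERT PER MATCH", continue_to_next=True, min_count=3, reset_interval=5),
        # Trusted connections: matching sessions are ignored and evaluation stops here,
        # so the DML rule below never sees them.
        Rule("Trusted connections", "access", is_trusted, "IGNORE S-TAP SESSION"),
        # DML on sensitive objects: log masked details and alert.
        Rule("DML on Sens Obj", "access", dml_on_sensitive, "LOG MASKED DETAILS; ALERT PER MATCH"),
    ]

DEFAULT = "LOG TRAFFIC NORMALLY"   # no rule fired: the request reaches the server and is logged

def evaluate(policy: List[Rule], ev: Event) -> List[str]:
    """Top-to-bottom evaluation: the first rule whose conditions all hold triggers its
    action and ends evaluation, unless that rule continues to the next one."""
    fired = []
    for rule in policy:
        if rule.matches(ev):
            fired.append(rule.action)
            if not rule.continue_to_next:
                break
    return fired or [DEFAULT]

if __name__ == "__main__":
    policy = build_policy()
    for m in (0, 1, 2):   # third failed login inside the window raises the alert
        print(evaluate(policy, Event("exception", "10.0.0.5", "scott", "192.168.169.130",
                                     error="LOGIN_FAILED", minute=m)))
    dml = "UPDATE SCOTT.CC_NUMBERS SET cc_num = '0'"
    print(evaluate(policy, Event("access", "192.168.169.88", "appsvc", "192.168.169.130", sql=dml)))
    print(evaluate(policy, Event("access", "10.0.0.5", "scott", "192.168.169.130", sql=dml)))
```

The order matters: move the trusted-connections rule below the DML rule and the service account's DML on the sensitive table would be alerted on before it could be ignored, which is exactly the flow-control point the Allow action and the "Cont. to next rule" box exist to manage.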
5. Figure 10-13: Database Discovery and classification (2 of 2). [Classification process run log: 2010-08-17 09:46:22 Process Start, "Started processing of Classification Process XE"; 09:46:22 Info, "Connecting to Datasource ORACLE XE 169"; 09:46:23 Info, "Successfully connected to Datasource ORACLE XE 169 at ORACLE 192.168.169.130:1521/xe in 499.00 milliseconds"; 09:47:17 Datasource Statistics, "Statistics for Datasource ORACLE XE 169 at ORACLE 192.168.169.130:1521/xe"; 09:47:19 Process Complete, "Completed processing of Classification Process XE". Report details (Tuesday, August 17, 2010 9:46:44 AM EDT): datasource ORACLE 192.168.169.130:1521/xe, object SCOTT.CC_NUMBERS, column CC_NUM VARCHAR2(25), Category Prod, Classification Prod, description "CC numbers", rule "Search For Data: CC numbers" (TABLE TYPE: TABLE, VIEW; TABLE NAME LIKE a pattern containing "cc"; DATA TYPE: TEXT; SEARCH VALUE PATTERN: a regular expression, illegible in the extraction), Action: Log Result. Records 1 to 1 of 1.]
   Notes: Due to the complexity of some environments and other factor
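A "Search For Data" classification pass of the kind shown in Figure 10-13 (item 5 above), as an added Python example; it is my own illustration, not Guardium's classifier or any IBM code. It keeps the shape of the rule on the page (table-type filter, TABLE NAME LIKE, DATA TYPE TEXT, a value pattern, log the result) and goes one step further by adding a Luhn checksum to cut false positives. The card regex, the Luhn check, the SQLite stand-in for the datasource and its sample rows are all assumptions; the page's own SEARCH VALUE PATTERN is not legible in the extraction and is not reproduced here.

```python
import re
import sqlite3
from typing import Dict, List

# Added illustration, not Guardium's classifier. Pattern, Luhn check and
# sample tables are constructed for the demo.

CARD_PATTERN = re.compile(r"^(?:\d[ -]?){13,16}$")   # 13-16 digits, optional separators

def luhn_ok(value: str) -> bool:
    """Mod-10 checksum (assumption: not part of the page's rule) to reject random digit runs."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def text_columns(conn: sqlite3.Connection, table: str) -> List[str]:
    """DATA TYPE = TEXT filter: keep columns whose declared type is a character type."""
    # PRAGMA table_info rows: (cid, name, declared_type, notnull, default, pk)
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')
            if (row[2] or "").upper().startswith(("TEXT", "VARCHAR", "CHAR", "NVARCHAR"))]

def classify(conn: sqlite3.Connection, table_like: str = "%cc%",
             sample_rows: int = 100, min_hits: int = 1) -> List[Dict]:
    """Scan the text columns of tables/views whose name matches table_like and
    report each column in which at least min_hits sampled values look like card numbers."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type IN ('table', 'view') AND name LIKE ?",
        (table_like,))]
    for table in tables:
        for col in text_columns(conn, table):
            rows = conn.execute(f'SELECT "{col}" FROM "{table}" LIMIT ?', (sample_rows,)).fetchall()
            hits = sum(1 for (v,) in rows
                       if isinstance(v, str) and CARD_PATTERN.match(v) and luhn_ok(v))
            if hits >= min_hits:
                findings.append({"object": f"{table}.{col}", "category": "PCI",
                                 "classification": "Credit card number",
                                 "hits": hits, "sampled": len(rows)})
    return findings

def demo_datasource() -> sqlite3.Connection:
    """Constructed stand-in for the ORACLE XE datasource (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cc_numbers (cc_num VARCHAR2(25), note TEXT);
        INSERT INTO cc_numbers VALUES ('4111 1111 1111 1111', 'primary'),
                                      ('5500000000000004', 'backup'),
                                      ('not a card', 'test');
        CREATE TABLE accounts (holder TEXT, balance REAL);      -- name matches %cc%, holds no card data
        INSERT INTO accounts VALUES ('Smith', 10.0);
        CREATE TABLE emp_notes (emp TEXT, note TEXT);           -- card data hiding outside the name filter
        INSERT INTO emp_notes VALUES ('alice', '4111111111111111'), ('bob', 'n/a');
    """)
    return conn

if __name__ == "__main__":
    conn = demo_datasource()
    for f in classify(conn):
        print(f)                                  # only cc_numbers.cc_num
    print([f["object"] for f in classify(conn, table_like="%")])   # also finds emp_notes.note
```

The two runs at the bottom make the caveat concrete: a TABLE NAME LIKE filter keeps the scan cheap, but card data stored in a table whose name gives nothing away (emp_notes here) is only found when the name filter is widened, which is why sampled-value matching rather than naming is the part of the rule to trust.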
6. [Shared Secret] Caution: When used, be sure to save the shared secret value in a safe location. If you lose the value, you will not be able to access archived data.
   License Key: This value is not displayed. It is inserted in the configuration during installation. Do not modify this field unless you are instructed to do so by Technical Support. You may need to paste a new product key here if optional components are being added.
   The remaining fields allow you to change the basic network settings (IP address, default route, etc.). [p. 5-32]
   Figure 5-22: Configuration - Upload Key File. [System View > Administration Console > Configuration menu: Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP-to-Hostname Aliasing, Policy Installation, Portal, Query Hint, Session Inference, System, Upload Key File; the Upload Key File form has Key File, Pass Phrase and Retype Phrase fields.]
   Notes: Under rare conditions a Microsoft SQL Server key fil
7. Figure 12-14: Report delivery. [Report details for a DB2 session on 2010-12-20, 13:56:22 to 14:10:06: client IP 192.168.169.8 port 37956, server IP 192.168.169.8 port 50001, network protocol TCP, DB protocol DRDA, DB user DB2INST1, source program DB2BP, count of sessions 1.]
   Notes: The workflow results contain each of the tasks configured and the status of the workflow, including the distribution status and any comments made by other receivers. [Unit 12: Compliance Workflow Automation, p. 12-19]
   Workflow results. Workflow results include: Distribution Status; Comments. [Screen: "Audit process execution began 2010-12-21 11:44:09 on grd01"; Escalate, Comment, Download PDF; Distribution Status table: role infosec, user User01 Henry Xavier, Viewed not Signed, action required Review and Sign; role infosec, user User02 Tracy Yuen, Viewed not Signed, Review and Sign; role dba, user User03 Dan Charles; role audit, user User04 Pat Deacy.]
8. Figure 8-23: Populate from Query (1 of 4). [Group Builder screen: group list (DBAs, PI Objects, test, Account Management Commands, Account Management Procedures, Active Users, Admin Users, Administration Objects, ...); "Flatten All Hierarchical Groups Scheduling: Flattening All Hierarchical Groups is currently not scheduled for execution", Modify Schedule; buttons Populate from Query, LDAP, Group Filter, Roles, Clone, Modify, Delete.]
   Notes: The fourth method of populating a group is Populate from Query. The Populate from Query option allows you to add members to a group using data from Guardium's database. This data may originate from monitored database traffic or from an external source using External Data Correlation. To use Populate from Query: create a new group or use a previously created group; under Modify Existing Groups, highlight the group that you are interested in and press Populate from Query. [p. 8-28]
   Populate from Query (2 of 4). [Group Builder - Populate Group from Query: Group Name "Privileged Users", Group Type USERS, Classification; Set up Query to Run: Query, Fetch Member From Column, From Date, To Date, Remote
9. Figure 4-11: User Browser - deleting a user.
   Notes: All objects (queries, policies, etc.) owned by a user will be reassigned to the admin user whenever the owning user is deleted. [p. 4-14]
   User Role Browser. A role is a group of Guardium users, all of whom have the same access privileges. There are several pre-defined, out-of-the-box roles. Users can be members of roles. Roles can be assigned to items, for example a query; only members of that role can access that item. Custom, site-specific roles can be added or deleted by name.
   Figure 4-12: User Role Browser. [Access Management > Data Security > User Role Browser: role list with Delete and Add Role actions: accessmgr, appdev, audit, cas, cli, datasec-exempt, dba, diag, infosec, inv, netadm, review-only, user; related tabs: User Browser, User Role Form, User Role Permissions, User LDAP Import, User & Role Reports.]
   Notes: A role is a group of Guardium users, all of whom have the same access privileges. Default Roles: There are several pre-defined, out-of-the-box roles, which should never be d
10. Figure 9-3: Policies defined.
   Notes: Each rule can apply to a request from a client or to a response from a server. Rule types include:
   • Access: requests from the client to the server.
   • Exception: SQL errors and failed login messages from the server to the client.
   • Extrusion: result sets from the server to the client.
   Each rule contains conditions and one or more actions. When all of the rule's conditions have been met, the action(s) are triggered. The rules are applied sequentially. A policy must be installed to be in effect. After any change to a policy, including group member updates, the policy must be reinstalled. [Unit 9: Policies, p. 9-5]
   Default behavior. [Diagram: Database Client and Database Server, with S-TAP forwarding the traffic to the sniffer.] The sniffer receives all of the database traffic from S-TAP, then analyzes, parses and logs the data. Activity from the database server to the database client: failed login messages, SQL errors. Activity from the database client to the database server: sessions (log in/log out), SQL requests (commands). Result sets are sent by S-TAP but are discarded by the sniffer.
11. Figure 9-50: Log only. [Rule builder screen: Category, Classification, Severity INFO; Server IP and Client IP conditions set (192.168.169.x addresses, partly illegible); Client MAC, Net Protocol, DB Type, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object; Command group "Public DDL Commands"; Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event fields, Replacement Character, Time Period, Minimum Count 0, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0, Cont. to next rule; action LOG ONLY.]
   Notes: The Log Only rule can be thought of as
12. [Table of contents fragment]
   (entry, title cut off) ........ 12-7
   Compliance Automation screen ........ 12-8
   Audit Process Definition ........ 12-9
   Receiver Table ........ 12-11
   (illegible) ........ 12-13
   Roles / Process Management ........ 12-15
   Activating and running an audit process ........ 12-16
   To Do notification ........ 12-17
   Viewing an audit process ........ 12-18
   Report delivery ........ 12-19
   Workflow results ........ 12-20
   (illegible) ........ 12-21
   Unit summary ........ 12-23
   (illegible) ........ 12-24
   Checkpoint solutions ........ 12-25
   Appendix A. Monitoring Overview ........ A-1
   A.1 (illegible) ........ A-1
   A.2 Intended Audience ........ A-1
   A.3 Gathering Requirements ........ A-1
   A.4 Building Groups ........ A-2
   A.5 Defining Policy ........ A-4
   A.6 Creating (rest illegible)
13. Figure 5-7: Configuration - Application User Translation. [System View > Administration Console > Configuration > Application User Translation: "Add App User Translation" form with Application Code, Application Version (10), Database Type (ORACLE), Server IP (192.168.20.9), Port, Instance Name, DB Name, Active, User Name, Password, Responsibility; Scheduling: "Application User Translation is currently not scheduled for execution".]
   Notes: Some applications manage a pool of database connections. In such three-tier architectures, the pooled connections all log into a database using a single functional ID and then manage all application users internally. When a user session needs access to the database, it acquires a connection from the pool, uses it, and then releases it back to the pool. When this happens, Guardium can see how the application interacts with the data
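The pooled-connection problem described in item 13 above, as an added Python example; this is my own illustration, not Guardium's Application User Translation mechanism or any IBM code. It simulates a pool that authenticates to the database once as a functional ID, shows that a database-side monitor then records every statement under that ID, and performs the correlation that recovers the application user once the application's own checkout/release records are available. The pool, the functional ID "APP_SVC", the sequence-number clock and the SQL are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added illustration, not Guardium code. A constructed pool and a constructed
# correlation step; names and data are assumptions for the demo.

@dataclass
class DbStatement:
    conn_id: int          # which pooled connection carried the statement
    db_user: str          # what the database (and a sniffer) sees: the functional ID
    seq: int              # constructed clock (monotonic sequence number)
    sql: str
    app_user: Optional[str] = None   # unknown until translated

@dataclass
class Checkout:
    conn_id: int
    app_user: str
    start: int
    end: Optional[int] = None        # None while the connection is still held

class ConnectionPool:
    def __init__(self, size: int, functional_id: str = "APP_SVC"):
        self.functional_id = functional_id
        self.free = list(range(size))
        self.held: Dict[int, Checkout] = {}
        self.seq = 0
        self.db_log: List[DbStatement] = []   # what a database-side monitor records
        self.app_log: List[Checkout] = []     # what only the application knows

    def tick(self) -> int:
        self.seq += 1
        return self.seq

    def acquire(self, app_user: str) -> int:
        conn = self.free.pop(0)
        checkout = Checkout(conn, app_user, self.tick())
        self.held[conn] = checkout
        self.app_log.append(checkout)
        return conn

    def execute(self, conn: int, sql: str) -> None:
        # The database authenticated the pool once; every statement is logged as the functional ID.
        self.db_log.append(DbStatement(conn, self.functional_id, self.tick(), sql))

    def release(self, conn: int) -> None:
        self.held.pop(conn).end = self.tick()
        self.free.append(conn)

def translate(db_log: List[DbStatement], app_log: List[Checkout]) -> List[DbStatement]:
    """Attribute each statement to whoever held that connection when it ran.
    Statements with no matching checkout (pool warm-up, leaked connections) stay unattributed."""
    out = []
    for st in db_log:
        owner = next((c for c in app_log
                      if c.conn_id == st.conn_id and c.start <= st.seq
                      and (c.end is None or st.seq <= c.end)), None)
        out.append(DbStatement(st.conn_id, st.db_user, st.seq, st.sql,
                               owner.app_user if owner else None))
    return out

def demo() -> List[DbStatement]:
    pool = ConnectionPool(size=1)             # one connection, reused by two application users
    pool.execute(0, "SELECT 1")               # pool warm-up: no application user behind it
    c = pool.acquire("alice")
    pool.execute(c, "SELECT balance FROM accounts WHERE id = 42")
    pool.release(c)
    c = pool.acquire("bob")
    pool.execute(c, "UPDATE salaries SET amount = amount * 2 WHERE emp = 'bob'")
    pool.release(c)
    return translate(pool.db_log, pool.app_log)

if __name__ == "__main__":
    for st in demo():
        print(st.seq, st.db_user, st.app_user, st.sql)
```

The first statement in the output is the caveat worth remembering: anything the application runs outside a recorded checkout (warm-up queries, background jobs, a connection that is never released) has no application user to translate to and will still show up as the functional ID.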
14. Enter the appropriate connection information to connect to the database server. Press Apply and Test Connection. [p. 8-22]
   Figure 8-18: Auto-Generated Calling Prox example (4 of 6).
   Notes: Highlight the new datasource and press Add. [Unit 8: Group Builder, p. 8-23]
   Figure 8-19: Auto-Generated Calling Prox example (5 of 6). [Group Builder - Analyze Stored Procedures: Datasources table (Name Training_DB2, Type Database Analyzer, Host DB2 192.168.169.8, User Name as rendered); Query Parameters: Schema owner (optional), Object name (optional); Source Detail Configuration; New group name / Existing group name "PI Store Procedures"; Flatten namespace; Analyze Database; browser dialog from https://9.32.29.104:8443: "Selected group: PI Objects. New member(s) have been successfully added to the group PI Store Procedures".]
15. Figure 8-15: Auto-Generated Calling Prox example (1 of 6). [Group Builder: filtered group list (Account Management Commands, Account Management Procedures, Active Users, Admin Users, Administration Objects, Administrative Commands, Administrative Programs, ...); "Flatten All Hierarchical Groups Scheduling: Flattening All Hierarchical Groups is currently not scheduled for execution", Modify Schedule; Auto-Generated Calling Prox options: Using Database Dependencies, Using Reverse Dependencies, Using Observed Procedures, Generate Selected Object ("This button will only be available when choosing an object or a command group from the list above").]
   Notes: To use Auto-Generated Calling Prox using DB Sources: highlight an existing object or command group; press Auto-Generated Calling Prox and choose Using DB Sources. [p. 8-20]
   Auto-Generated Calling Prox example (2 of 6). [Group Builder - Analyze Stored Procedures: Datasources (Name, Type, Host, User Name): "No datasource has been added to this item"; Add Datasource / Datasource Finder; Query Parameters: Schema owner (optional), Object name (optional); Source Detail Configuration.]
16. Figure 1-15: Database Discovery. [Discovered Instances report: an Oracle listener on port 1521 (host address illegible in the extraction); Dropped Requests panel.]
   Notes: Due to the complexity of some environments and other factors, such as mergers and acquisitions, some companies do not have a full inventory of their database servers. Database Discovery probes a network to identify servers running database services. In the example shown above, Database Discovery located a previously unregistered Oracle database server. [p. 1-16]
   Data Classification. Data Classification: scans databases; locates objects matching certain patterns; reports on its findings. [Results for Classification Process "Xe", from 8/17/10 9:46 AM to 8/17/10 9:47 AM, Datasources: ORACLE XE 169; Process Run Log: 2010-08-17 09:46:22 Process Start, "Started processing of Classification Process Xe"; 09:46:22 Info, "Connecting to Datasource ORACLE XE 169"; 09:46:23 Info, "Successfully connected to Datasource ORACLE XE 169 at ORACLE 192.16
17. Figure 3-2: CLI overview (1 of 2). [Slide: Command Line Interface.]
   Notes: The Guardium appliance runs a hardened version of Red Hat Enterprise Linux. This means that no one, except perhaps a system administrator, has direct access to the operating system. Instead, all access to the appliance is through a tool called the Guardium Command Line Interface, or CLI. The CLI is an administrative tool that allows for configuration, troubleshooting and management of the Guardium system. It is implemented using a Perl script and includes a series of many commands that an administrator can use to view and configure settings in the Guardium appliance. The Perl script accepts only those commands; no operating system commands are allowed. [Unit 3: Command Line Interface, p. 3-3]
   CLI overview (2 of 2). The CLI commands are arranged in 10 different categories: Network Configuration Commands; Aggregator Commands; Alerter Configuration Commands; Configuration and Control Commands; File Handling Commands; Diagnostic Commands; Inspection Engine Commands; User Acc
18. Figure 9-85: S-GATE Terminate. [Rule builder screen: Event Type, Event User Name, App Event Values (Text, Numeric), Min. Ct. 0, Reset Interval 0 minutes, Rec. Vals.; action S-GATE TERMINATE.]
   Notes: The S-GATE terminate action will block the SQL command from reaching the database server and drop the user's session. [Unit 9: Policies, p. 9-119]
   Redact. Cross-DBMS policies; Mask sensitive data; No database changes; No application changes. [Diagram: an application, unauthorized users and an outsourced DBA issue SQL to SQL Server, Sybase, etc.; "Actual data stored in the database" (LastName and SSN_Number columns with rows for Smith, Jones Joe and Craven Joe) versus "User view of the data in the database", in which the SSN values are masked by the "Redact and Mask Sensitive Data" step.]
   Figure 9-86: Redact.
   Notes: For extrusion rules only, redact masks sensitive data returned to the user from the database server. [p. 9-120]
   Quarantine.
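The effect of a redact action as described in item 18 above (an extrusion rule with a Data Pattern, a Replacement Character and an Object/Field group, applied to the result set on its way from the server to the client), as an added Python example. This is my own illustration of the technique, not Guardium's redaction code or any IBM code. The SSN regex, the replacement character "X", the column names and the sample rows are constructed; the rows are modelled on the LastName / SSN_Number table in Figure 9-86 with an extra free-text column added to show the pattern catching an SSN outside its home column.

```python
import re
from typing import List, Sequence, Tuple

# Added illustration, not Guardium code. Pattern, column names and rows are constructed.

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def mask_pattern(value, pattern=SSN_PATTERN, replacement: str = "X"):
    """Data Pattern match: replace every digit of each match, keeping separators so the
    client still sees a well-formed field. Non-string values pass through untouched."""
    if not isinstance(value, str):
        return value
    return pattern.sub(lambda m: re.sub(r"\d", replacement, m.group(0)), value)

def mask_field(value, replacement: str = "X") -> str:
    """Object/Field group match: mask the whole field, one replacement character per
    non-space character, regardless of what it contains."""
    return re.sub(r"\S", replacement, str(value))

def redact_result_set(columns: Sequence[str], rows: Sequence[Tuple],
                      sensitive_fields: Sequence[str] = ("SSN_NUMBER",),
                      pattern=SSN_PATTERN, replacement: str = "X") -> List[Tuple]:
    index = {c.upper(): i for i, c in enumerate(columns)}
    sensitive = {index[f.upper()] for f in sensitive_fields if f.upper() in index}
    out = []
    for row in rows:
        out.append(tuple(mask_field(v, replacement) if i in sensitive
                         else mask_pattern(v, pattern, replacement)
                         for i, v in enumerate(row)))
    return out

def apply_rule(direction: str, columns: Sequence[str], rows: Sequence[Tuple], **kw) -> List[Tuple]:
    """Redact is an extrusion action: it applies only to result sets flowing server -> client.
    Client -> server traffic (access rules) is returned unchanged."""
    if direction != "server_to_client":
        return list(rows)
    return redact_result_set(columns, rows, **kw)

# Constructed sample (not the page's data).
COLUMNS = ("LASTNAME", "SSN_NUMBER", "NOTES")
ROWS = [
    ("Smith", "123-45-6789", "spouse SSN 987-65-4321 on file"),
    ("Jones", "234-56-7890", "ok"),
    ("Craven", "345-67-8901", "phone 555-1234"),
]

if __name__ == "__main__":
    for row in apply_rule("server_to_client", COLUMNS, ROWS):
        print(row)
```

Two details matter in practice: a field-group rule masks the named column even when its content does not look like an SSN (a malformed or test value still leaks nothing), and the pattern rule is what catches sensitive values that were copied into an unrelated column such as NOTES, which a column-only rule would miss.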
19. Vulnerability Assessment (3 of 4).
   • How does Guardium Vulnerability Assessment work?
   • What are the Essential Security Testing methods?
   • What are Predefined Assessment Tests?
   • What are Behavioral Tests?
   • What are Configuration Vulnerability Tests?
   • What are Query-based Tests?
   Figure 10-10: Vulnerability Assessment (3 of 4).
   Notes: How do Guardium Vulnerability Assessments work? The Guardium Vulnerability Assessment application enables organizations to identify and address database vulnerabilities in a consistent and automated fashion. Guardium's assessment process evaluates the health of your database environment and recommends improvements by:
   • Assessing system configuration against best practices and finding vulnerabilities or potential threats to database resources, including configuration and behavioral risks; for example, identifying all default accounts that haven't been disabled, and checking public privileges and the authentication methods chosen.
   • Finding any inherent vulnerabilities present in the IT environment, like missing security patches.
   • Recommending and prioritizing an action plan based on the discovered areas of most critical risks and vulnerabilities.
   [Unit 10: CAS, VA and Discovery, p. 10-15]
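A query-based assessment of the kind item 19 above refers to (configuration tests such as "default accounts not disabled" and "privileges granted to PUBLIC", plus a prioritized action plan), as an added Python example. It is my own illustration, not Guardium's test library or any IBM code. DBA_USERS, DBA_TAB_PRIVS and DBA_ROLE_PRIVS and the columns used are Oracle catalog views; the in-memory SQLite tables below are constructed stand-ins carrying the same names and columns, and the list of default accounts, the severities and the remediation text are assumptions for the demo.

```python
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration, not Guardium's assessment tests. The SQLite tables are
# constructed stand-ins for the Oracle catalog views of the same names.

@dataclass(frozen=True)
class QueryTest:
    name: str
    severity: str       # "Critical", "Major" or "Minor" (assumed scale)
    query: str          # every row returned is a finding; no rows means the test passes
    remediation: str

TESTS = [
    QueryTest("Default accounts not disabled", "Critical",
              "SELECT username FROM dba_users WHERE account_status = 'OPEN' "
              "AND username IN ('SCOTT', 'OUTLN', 'DBSNMP')",        # assumed default-account list
              "Lock or drop unused default accounts"),
    QueryTest("Object privileges granted to PUBLIC", "Major",
              "SELECT owner || '.' || table_name || ':' || privilege FROM dba_tab_privs "
              "WHERE grantee = 'PUBLIC' AND owner NOT IN ('SYS', 'SYSTEM')",
              "Revoke PUBLIC grants on application objects"),
    QueryTest("Non-default users holding DBA", "Major",
              "SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA' "
              "AND grantee NOT IN ('SYS', 'SYSTEM')",
              "Review and revoke unnecessary DBA grants"),
]

SEVERITY_ORDER = {"Critical": 0, "Major": 1, "Minor": 2}

def run_assessment(conn: sqlite3.Connection, tests=TESTS) -> List[Dict]:
    """Run each query-based test; a test fails if its query returns any rows."""
    results = []
    for t in tests:
        findings = [row[0] for row in conn.execute(t.query)]
        results.append({"test": t.name, "severity": t.severity,
                        "status": "Fail" if findings else "Pass",
                        "findings": findings, "remediation": t.remediation})
    return results

def action_plan(results: List[Dict]) -> Tuple[int, List[Dict]]:
    """Score (percentage of tests passed) and the failures ordered most critical first."""
    failed = sorted((r for r in results if r["status"] == "Fail"),
                    key=lambda r: SEVERITY_ORDER[r["severity"]])
    score = round(100 * (len(results) - len(failed)) / len(results))
    return score, failed

def demo_database() -> sqlite3.Connection:
    """Constructed target with one enabled default account and one PUBLIC grant on app data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dba_users (username TEXT, account_status TEXT);
        INSERT INTO dba_users VALUES ('SYS', 'OPEN'), ('SCOTT', 'OPEN'),
            ('OUTLN', 'LOCKED'), ('DBSNMP', 'EXPIRED & LOCKED'), ('APP', 'OPEN');
        CREATE TABLE dba_tab_privs (grantee TEXT, owner TEXT, table_name TEXT, privilege TEXT);
        INSERT INTO dba_tab_privs VALUES ('PUBLIC', 'SYS', 'DUAL', 'SELECT'),
            ('PUBLIC', 'APP', 'CUSTOMERS', 'SELECT'), ('APP_RO', 'APP', 'CUSTOMERS', 'SELECT');
        CREATE TABLE dba_role_privs (grantee TEXT, granted_role TEXT);
        INSERT INTO dba_role_privs VALUES ('SYS', 'DBA'), ('SYSTEM', 'DBA');
    """)
    return conn

if __name__ == "__main__":
    score, failed = action_plan(run_assessment(demo_database()))
    print(f"score {score}%")
    for f in failed:
        print(f["severity"], f["test"], f["findings"], "->", f["remediation"])
```

Against a real database the same harness would run over a read-only catalog connection; the point of expressing tests as queries is that the pass/fail condition is data the database already holds, so adding a test is adding a row to TESTS rather than code.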
20. Instructor notes. Purpose: Details: Answers: 1. Explain what a selective audit trail policy is. A selective audit trail policy is a method of filtering which SQL requests will be monitored. Additional information: Transition statement: [p. 9-98]
   Topic summary. Having completed this topic, you should be able to: Understand the Selective Audit Trail policy; Create an Audit Only policy rule. Figure 9-72: Topic summary. [Unit 9: Policies, p. 9-99]
   Checkpoint solution. 1. Explain what a selective audit trail policy is. A selective audit trail policy is a method of filtering which SQL requests will be monitored. Figure 9-73: Checkpoint solution. Notes: Write your answers here. 1. [p. 9-100]
   9.6 Rule Order and Logic. Instructor topic introduction: What
21. Figure 6-16: Central Management screen. [Administration Console > Central Management: managed units table (Unit, Inspection Engines, Installed Policy, Model, Ver., Last Patch, Last Ping) with a G2000 unit listed, last ping 7/10 7:16 PM (as rendered); buttons: Reboot, Restart Portal, Restart Inspection Engines, Refresh, Patch Distribution, Distribute Uploaded Jar Files, Distribute Patch Backup Settings, Distribute Authentication Config, Distribute Configurations, Register New, Patch Installation Status, Show Distributed Map, Distributed Monitor, Guardium Definitions, Portal User Sync.]
   Notes: From the Central Manager, an administrator can:
   • Register Guardium units for management
   • Monitor managed units (unit availability, inspection engine status, etc.)
   • View system log files (syslogs) of managed units
   • View reports using data on managed units
   • View main statistics for managed units
   • Install Guardium security policies on managed units
   • Restart managed units
   • Manage Guardium inspection engines on managed units
   • Maintain the complete set of Users, Security Roles, Groups and Application Role Permissions used on all managed systems
   • Distribute patch
22. Transition statement. Unit summary. Having completed this unit, you should be able to: Understand domains, entities and attributes; Create custom queries and reports. Figure 11-55: Unit summary. [p. 11-74]
   Exercise. At this point you should complete Exercise 12 in the Exercise Guide. Alternately, if you waited, you can do Exercises 10, 11 and 12 now. Figure 11-56: Exercise. [Unit 11: Custom Query and Report Building, p. 11-75]
   Checkpoint solutions.
   1. True or false: A query needs a report and a report needs a query.
   2. What format(s) are available for Guardium reports? a. Tabular b. Chart c. Both a and b d. Neither a nor b
   Figure 11-57: Checkpoint solutions. [p. 11-76]
23. [Table of contents fragment]
   (entry, title cut off) ........ 11-55
   Exercise ........ 11-57
   Checkpoint solutions (1 of 2) ........ 11-58
   Checkpoint solutions (2 of 2) ........ 11-59
   11.3 Report Builder ........ 11-61
   (illegible) ........ 11-62
   Report builder ........ 11-63
   Searching for a report ........ 11-64
   Report builder buttons ........ 11-65
   Modify report - Tabular (1 of 2) ........ 11-67
   Modify report - Tabular (2 of 2) ........ 11-68
   Modify report - Chart (1 of 2) ........ 11-69
   Modify report - Chart (2 of 2) ........ 11-70
   Topic summary ........ 11-71
   Checkpoint ........ 11-72
   Unit summary ........ 11-74
   Exercise ........ 11-75
   Checkpoint solutions ........ 11-76
   Unit 12. Compliance Workflow Automation ........ 12-1
   Unit objectives ........ 12-2
   Compliance Workflow Automation ........ 12-3
   Compliance Workflow Automation elements ........ 12-4
   Compliance Workflow Automation log ........ 12-6
   Define an Audit Process
24. After completing this topic, you should be able to: Use the interactive installation method to set up S-TAP on a Windows database server; Manually configure a Microsoft SQL Server inspection engine; Verify the installation of an inspection engine. Figure 7-6: Interactive installation - Windows. [p. 7-8]
   Windows S-TAP interactive installation. [Screens: Windows Explorer at C:\Documents and Settings\Administrator\Desktop\stap showing the installer files (setup.exe, 0x0409.ini at 14 KB, and folders dated 11/24/2010); the IBM InfoSphere Guardium S-TAP InstallShield Wizard license step: "GUARDIUM, INC., AN IBM COMPANY. SQL GUARD(TM) LOCAL TAP LICENSE AGREEMENT. NOTICE: CAREFULLY READ THESE TERMS AND CONDITIONS BEFORE DOWNLOADING, INSTALLING, COPYING, ACCESSING, CLICKING ON AN 'ACCEPT' BUTTON, OR OTHERWISE USING THE SQL GUARD(TM) LOCAL TAP SOFTWARE ..."]
25. Figure 6-23: Module Installation. [Client Search Criteria panel.]
   Notes: Module installation allows you to apply modules to Guardium agents. See the GIM/S-TAP unit for further details. [p. 6-26]
   Checkpoint (1 of 2).
   1. A data ______ backs up the data that has been captured by an appliance during a given time period.
   2. A data ______ deletes the data that has been captured by an appliance during a given time period.
   3. A data ______ sends the data that has been captured by an appliance during a given time period to an aggregator.
   4. The Guardium ______ tracks every archive file and where it is stored so that the file can be easily retrieved and restored.
   5. True or false: Only an aggregator can perform a data import operation.
   6. Once a system has been added to a central management environment, the status of the appliance will change from ______ to ______.
   Figure 6-24: Checkpoint (1 of 2). Notes: Write your answers here. 1. 2. 3. 4. 5. 6. [Unit 6: System View and Administration Console II, p. 6-27]
   Instructor notes. Purpose: Details: Answers: 1. A data archive backs up the data
26. Checkpoint solutions:
1. True or false: The order in which rules are recorded in a policy is not important.
2. Which option box must be checked to force evaluation of the next rule when the current rule is evaluated as true? a. NEXT b. CONT c. MORE d. GOTO
3. Explain what happens if none of the rules in a policy are evaluated as true. The incoming message is passed to the database server as usual for evaluation and execution.
Copyright IBM Corporation 2011, 2013. Figure 9-79 Checkpoint solutions. GU2022.0 Notes. (9-110)
Exercise: At this point you should complete Exercise 7 in the Exercise Guide. Alternately, you can wait and do Exercises 6 and 7 at the end of this unit. Figure 9-80 Exercise. GU2022.0 Notes. (Unit 9 Policies, 9-111 to 9-112)
27. Unit objectives. After completing this unit, you should be able to:
- Identify the main functionality of InfoSphere Guardium
- Describe the key components of the InfoSphere Guardium solution
Copyright IBM Corporation 2011, 2013. Figure 1-1 Unit objectives. GU2022.0 Notes. (1-2)
Main features: Real-time Database Security & Monitoring. [Diagram with five areas: Monitor, Enforce, Assess, Harden, Find & classify sensitive data.]
- Prevent cyberattacks
- Automated & centralized controls
- Monitor & block privileged users
- Cross-DBMS audit repository
- Detect application-layer fraud
- Preconfigured policies/reports
- Enforce change controls
- Sign-off management
- Real-time alerts
- Entitlement reporting
- Control firecall IDs
- Minimal performance impact
- SIEM integration
- No database changes
- Assess static and behavioral database vulnerabilities
- Continuously update security policies
- Configuration auditing
- Discover embedded malware & logic bombs
- Preconfigured tests based on best practices standards (STIG, CIS, CVE)
- Find & classify sensitive data
Copyright IBM Corporation 2011, 2013. Figur
28. [Query Builder screenshot] WHERE Object: Object Name IN GROUP Sensitive Objects AND Command: SQL Verb IN GROUP DML Commands OR Command: SQL Verb Value select. Start Date 2010-12-10 08:03:12, End Date 2010-12-10 11:03:12. Aliases: OFF.
Query results:
Server IP | Client IP | DB User Name | Service Name | Source Program | SQL Verb | Object Name | Total access
192.168.169.8 | 192.168.169.8 | A2840 | DB2INST1 | DB2BP | DELETE | db2inst1.G_PRODUCTS | 15
192.168.169.8 | 192.168.169.8 | A2840 | DB2INST1 | DB2BP | SELECT | db2inst1.cc_numbers | 15
192.168.169.8 | 192.168.169.8 | A2840 | DB2INST1 | DB2BP | SELECT | ga_customers | T
192.168.169.8 | 192.168.169.8 | A2840 | DB2INST1 | DB2BP | SELECT | sysibm.sysdummy1 | 30
192.168.169.8 | 192.168.169.8 | A2840 | DB2INST1 | DB2BP | SELECT | SYSIBM.SYSTABLES | 14
192.168.169.8 | 192.168.169.8 | A2840 | DB2INST1 | DB2BP | SELECT | v_cc | 15
192.168.169.8 | 192.168.169.8 | A8000 | DB2INST1 | DB2BP | INSERT | db2inst1.G_EMPLOYEES | 15
192.168.169.8 | 192.168.169.8 | A8000 | DB2INST1 | DB2BP | INSERT | db2inst1.G_PRODUCTS | 15
192.168.169.8 | 192.168.169.8 | A8000 | DB2INST1 | DB2BP | SELECT | db2inst1.g_employees | 15
192.168.169.8 | 192.168.169.8 | A9404 | DB2INST1 | DB2BP | SELECT | abc | 7
192.168.169.8 | 192.168.169.8 | APPUSER | DB2INST1 | DB2BP | DELETE | db2inst1.G_PRODUCTS | 8
192.168.169.8 | 192.168.169.8 | APPUSER | DB2INST1 | DB2BP | INSERT | db2inst1.G_PRODUCTS | 800
192.168.169.8 | 192.168.169.8 | APPUSER | DB2INST1 | DB2BP | SELECT | db2inst1.G_PRODUCTS | 742
192.168.169.8 | 192.168.169.8 | DB2INST1 | DB2INST1 | DB2BP | INSERT | ccn | 420
192.168.169.8 | 192.168.169.8 | DB2INST1 | DB2INST1 | DB2BP | INSERT | G_PROD
29. Figure 4-20 Exercise. GU2022.0 Notes. (4-26)
Checkpoint solution (1 of 2):
1. True or false: You can delete the accessmgr user if you do not want to use it.
2. True or false: By default, new users are automatically enabled.
3. User01 is currently in the USER role and is logged into the Guardium web interface. You add User01 to the DBA role. When will the user have access to the DBA functions? a. Immediately b. Only after logging out and logging back in c. Only after you run change layout d. Only after you run change layout and the user logs out and logs back in again
Copyright IBM Corporation 2011, 2013. Figure 4-21 Checkpoint solution (1 of 2). GU2022.0 Notes: Write your answers here: 1. (Unit 4 Access Management, 4-27)
Checkpoint solution (2 of 2):
4. True or false: A Guardium user can belong to multiple roles.
5. True or false: Once set, the user name (that is, the user id) cannot be changed.
6. What feature can be implemented using the Data Security tab? a. Assigning a user to a role b. Assigning an application to a role c. Filtering result
30. Common modules. [Screenshot: Administration Console > Module Installation, Step 2: Select a module to Config/Install/Update/Uninstall on selected client(s) and click Next. Selected Clients: dbserver01, 192.168.169.8, Linux 2.6.16.21-0.8-default. Modules (Display Latest Versions): ATAP 8.0_r20992-1 (This module has not been set for any of the selected clients), BUNDLE-STAP 8.0_r20992, COMPONENTS 8.0_r20992-1, KTAP 8.0_r20992-1, STAP 8.0_r20992-1, STAP-UTILS 8.0_r20992-1, TEE 8.0_r20992-1. Upload.]
Copyright IBM Corporation 2011, 2013. Figure 7-35 Select clients. GU2022.0 Notes: Step 1: Check the box(es) for the database server(s) to which you would like to apply the module and press Next. If you have multiple servers, you may choose more than one from this screen. (Unit 7 S-TAP and GIM, 7-43)
Module Parameters. [Screenshot: Step 3: Config/Install/Update/Uninstall BUNDLE-STAP Commo
31. Notes: If you have multiple systems with identical or similar requirements and are not using Central Management, you can define the components you need on one system and export those definitions to other systems, provided those systems are on the same software release level. You can export one type of definition (reports, for example) at a time. Each element exported can cause other referenced definitions to be exported as well. For example, a report is always based on a query, and it can also reference other items such as IP address groups or time periods. All referenced definitions except for security roles are exported along with the report definition. However, only one copy of a definition is exported if that definition is referenced in multiple exported items. An export of policies or queries exports only the groups referenced by the exported policies or queries. Previously, an export of policies or queries would export all groups. (6-22)
Import definitions. [Screenshot: Administration Console > Definitions > Import: Upload Exported Definitions; Import Uploaded Defini
32. [Access rule criteria screenshot, lower part of the form: XML Pattern, App Event Exists, Event Type, Event User Name, App Event Values Text and/or Group, Numeric, Date, Data Pattern, Replacement Character, Time Period, Minimum Count 0, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0, Rec. Vals., Cont. to next rule.]
Figure 9-26 Access Rule Criteria. GU2022.0 Notes: All of the fields from Server IP through Records Affected Threshold make up the criteria of the rule.
- AND conditions: If you choose fields in separate rows, both conditions must be satisfied for the rule to trigger. In the example above, the user must be in the Privileged Users group and the object must be in the Sensitive Objects group for the rule to fire.
- OR condition: If you choose two fields within the same row, a match for either will satisfy that criterion: Object = cc_numbers OR Object IN GROUP Sensitive Objects.
(Unit 9 Policies, 9-41)
Access Rule Action and Back/Save. [Screenshot: Actions: ALERT ONCE PER SESSION, LOG FULL DETAILS; Add New Action; Add Action; Back; Save.] Figure 9-27 Access Rule Action and Back/Save. GU2022.0 Notes: Actions. The
33. Policy builder: The remainder of the slides show how to manage policies as an admin user. (9-24)
Create a new policy. [Screenshot: Policy Builder > Policy Finder listing Allow All, Basel II, Data Privacy, Data Privacy PII, HIPAA, PCI, PCI Oracle EBS, PCI SAP, Privileged Users Monitoring (black list), Privileged Users Monitoring (white list), SOX, SOX Oracle EBS, Vulnerability & Threats Management; Edit Rules.]
Copyright IBM Corporation 2011, 2013. Figure 9-15 Create a new policy. GU2022.0 Notes: Under the Policy Builder screen you will find:
- Policy Finder: Lists the existing policies accessible by the user who is currently logged in. For access to an existing policy, you must either be the creator of the policy or belong to a role that has been granted access to it. In this example, these are the policies owned by the admin user and built in to the system.
- The Allow All policy contains no rules. If you need to go back to the collector's default behavior as described earlier in this unit, installing the Allow All policy will bring you there.
- The remaining built-in policies (Basel II, Data Privacy, SOX, etc.) provide example rules to help users build their own policies. If you choose to use one of the
34. (Contents, continued)
- (illegible entry) 7-63
- S-TAP installation: Non-interactive methods 7-64
- UNIX non-interactive installer 7-65
- Windows non-interactive installer 7-67
- GrdApi inspection engine creation 7-69
- (illegible entry) 7-71
- Checkpoint 7-72
- Unit summary 7-74
- (illegible entry) 7-75
(Contents vii)
- Checkpoint solution 7-76
- Checkpoint solution (continued) 7-77
- Unit 8 Group Builder 8-1
- Unit objectives 8-2
- Group Definition 8-3
- Methods to build groups 8-5
- Accessing Group Builder 8-6
- Group Builder screen overview 8-7
- Modify existing groups (1 of 2) 8-8
- Modify existing groups (2 of 2) 8-9
- Create New Group 8-10
- Manual entry (1 of 2)
35. Copyright IBM Corporation 2011, 2013. Figure 7-7 Windows S-TAP interactive installation: setup.exe. GU2022.0 Notes: This section demonstrates how to install S-TAP using the standard Windows installer (InstallShield). Windows S-TAP can also be installed using the Guardium Installation Manager (GIM) or from the command line using a non-interactive installer. Follow these steps to install S-TAP on Windows:
- Download the Windows S-TAP installer from IBM.
- Run setup.exe.
- Accept the license and press Next.
- Enter your User Name and Company Name. Press Next.
(Unit 7 S-TAP and GIM, 7-9)
Setup type: Custom. [Screenshot: IBM InfoSphere Guardium S-TAP InstallShield Wizard, Setup Type: Select the setup type to install. Click the type of setup you prefer, then click Next. Typical: Program will be installed with the most common options. Recommended for most users. Compact: Program will be installed with minimum required options. Custom: You may select the options you want to install. Recommended for advanced users. Back / Next / Cancel.]
Copyright IBM Corporation 2011, 2013. Figure 7-8 Setup type: Custom. GU2022.0 Notes: Under Select Type, choose Custom and press Next. Always choose a custom installation to avoid installing unnecessary drivers. (7-10)
36. CAS Reporting: CAS Status Panel (3 of 3). Configuration Auditing System (CAS) Hosts.
- CAS Status (top row of the panel only): displays the CAS status on the Guardium appliance. Red: CAS is not running on this Guardium appliance. Green: CAS is active on this Guardium appliance.
- CAS Hosts: For each CAS host where this Guardium appliance is the active Guardium host, the status lights indicate whether CAS is connected. Red: Host and/or the CAS agent is offline or unreachable. Green: Host and CAS agent are online. Yellow: The Guardium appliance is a secondary for the CAS host.
- Reset: Reset the CAS agent on this monitored system. This stops and restarts the CAS agent on the database server.
- Delete: Remove this monitored system from CAS, also deleting the data on the appliance that was associated with the CAS client. This button is disabled if the CAS agent is running on this system. You must stop the CAS agent to use this button. See Stopping and Starting the CAS Agent below.
- CAS instances: Each set of lights indicates the status of a CAS instance on the monitored system. If the owning monitored system status is red (indicating that the CAS agent is offline), ignore this set of status lights. Red: The instance is disabled. Green: The instance is enabled and online, and its configuration is synchronized with the Guardium appliance configuration. Yellow: The instance is enabled but the instance con
37. [Report screenshot: rows showing the Full SQL string for DB user SCOTT, for example inserts into SCOTT.G_PRODUCTS.]
Log Full Details with Values: In a policy rule you will see options for Log Full Details and Log Full Details with Values. Log Full Details provides the full SQL string and exact timestamp, as shown above. Log Full Details with Values will do the same and will also parse and log the values into a separate table in the database. This creates a great deal of additional overhead, and it is recommended that you discuss this with Guardium Services if you think you need this option. Log Full Details is generally sufficient for most reporting needs. (Appendix A Monitoring Overview, A-17)
9.2 Timestamps. The illustration below describes the different timestamp options available in the Query Builder:
- Client/Server Timestamp: will generally appear as the first time that the specific client/server connection was recorded. This timestamp can be very old and is
- Session Start: records when a session began. Recommended especially when using the Session construct
- Access Period Timestamp: Within the logging granularity (usually 1 hour), this is the most recent time that the unique
- Application Events Timestamp: records the start of an Application Event. This will only be populated
38. Ignore session criteria. [Screenshot: the rule definition form with its criteria fields (Server IP, Client IP, Client MAC, Net Prtcl, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, Trusted Connections, App User, OS User, and the remaining fields down to Records Affected Threshold and Cont. to next rule). A callout beside the session-level fields reads: Only session criteria should be used in ignore session rules.] Copyright IBM Corporation 2011, 2013. Figure 9-40 Ignore session criteria. N
39. [Report screenshot residue: an exception row ending "A8000.TABLC" is an undefined name. SQLSTATE=42704.] (9-80)
Failed login alert. [Screenshot: Exception Rule Definition, Rule 1 of policy Training01. Description, Category, Classification, Severity INFO. Criteria: Server IP, Client IP, Client MAC, Net Prtcl, DB Type, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Error Code, Excpt Type: LOGIN_FAILED, Data Pattern, Replacement Character, Time Period, Message Template Default, Quarantine for 0 minutes, Rec. Vals., Cont. to next rule. Actions: ALERT PER MATCH; Add Action; Add Comments.] Copyright IBM Corporation 2011, 2013. Figure 9-59 Failed login alert. GU2022.0 Notes: The
40. [Group Builder screenshot: group list including ALTER Commands and Application Privileged Commands; Flatten All Hierarchical Groups Scheduling: Flattening All Hierarchical Groups is currently not scheduled for execution; Schedule button. Create New Group form: Application Type: Public; Group Description: -Privileged Users; Group Type Description: USERS; Group Sub Type Description; Category; Classification; Hierarchical.]
Copyright IBM Corporation 2011, 2013. Figure 8-8 Create New Group. GU2022.0 Notes: The following fields are required to create a new group:
- Application Type: This indicates which applications will be able to access this group, with Public indicating all applications.
- Group Description: This is the name of the group. It is recommended to start the group name with a character or characters that distinguish the custom groups from the built-in groups. In this example a dash is used, which also causes the group to appear at the top of the list of groups.
- Group Type Description: This is the data element on which you are basing your group (users, objects, client IPs, server IPs, etc.).
The remaining fields are optional:
- Group Sub Type Description: A sub type is used to collect multiple groups of the same group type where the membership of each group is exclusive. For example, assume that you have database servers located in three data centers and that you
(8-10)
41. Copyright IBM Corporation 2011, 2013. Figure 10-3 CAS Components. GU2022.0 Notes: Configuration Auditing System (CAS). Databases can be affected by changes to the server environment, for example by changing configuration files, environment or registry variables, or other database or operating system components, including executables or scripts used by the database management system or the operating system. CAS tracks such changes and reports on them. The data is available on the Guardium appliance and can be used for reports and alerts.
CAS Agent: CAS is an agent installed on the database server that reports to the Guardium appliance whenever a monitored entity is changed, either in content, ownership or permissions. You install a CAS client on the database server system using the same utility that is used to install S-TAP. CAS shares configuration information with S-TAP, though each component runs independently of the other. Once the CAS client has been installed on the host, you configure the actual change auditing functions from the Guardium portal. (10-4)
Template Set: A CAS template set contains a list of item templates bundled together that share a common purpose, such as monitoring a particular type of database (Oracle on Unix, fo
42. (Contents, continued)
- Customer Uploads 5-14
- Configuration: Flat Log Process 5-16
- Configuration: Global Profile 5-18
- Configuration: Guardium for z/OS 5-20
- Configuration: Incident Generation Process 5-21
- Configuration: Inspection Engines (1 of 2) 5-22
- Configuration: Inspection Engines (2 of 2) 5-24
- Configuration: IP-to-Hostname Aliasing 5-25
- Configuration: Policy Installation 5-27
- Configuration: Portal 5-28
- Configuration: Query (rest of title illegible) 5-29
- Configuration: Session Inference 5-30
- Configuration: System 5-31
- Configuration: Upload Key File 5-33
- (illegible entry) 5-34
- Unit summary 5-36
- Checkpoint solutions 5-37
(Contents v)
- Unit 6 System View and Administration Console II 6-1
- Unit objectives 6-2
- Administra
43. Database Activity Monitor Content Subscription (previously known as Database Protection Subscription Service) supports the maintenance of predefined assessment tests, SQL-based tests, CVEs, and groups such as database versions and patches. DPS is provided as a service to keep information current and within industry best practices, to protect against newly discovered vulnerabilities. Distribution of updates will be done on a quarterly basis. Uploading Jar files is also done through this menu screen. Note: If a custom group exists with the same name as a predefined Guardium group, the upload process will add Guardium in front of the name for the predefined group.
- Select Administration Console > Customer Uploads.
- For DPS Upload: Enter the name of the file to be uploaded, or click the Browse button to locate and select that file. Import DPS identifies what files have been uploaded.
- For Upload DB2 z/OS License jar: Enter the name of the file to be uploaded, or click the Browse button to locate and select that file.
(5-14)
- For Upload Oracle JDBC driver or Upload MS SQL Server JDBC driver: Use this function to upload open source drivers for Oracle and MS SQL. Oracle Data Direct and MS SQL Data Direct drivers are pre-loaded i
44. Each user has a username, password, first name, last name and email address. Users can be enabled or disabled; be sure to uncheck the DISABLED box if you want the user to become immediately active. All users are automatically added to the user role by default. (4-10)
User Browser: editing a user. The Edit link is used to update an existing user. Any attribute can be changed except user name. [Screenshot: Access Management > User Browser: Filter string (case sensitive), User Name, Add User, User Role Permissions, User LDAP Import, User & Role Reports; columns Username, First Name, Last Name, Email, Actions (Edit, Roles, Change Layout, Delete); rows accessmgr, admin, and tjones (Ted Jones). Data Security > User Form for tjones: Username tjones, Password, Password confirm, First Name Ted, Last Name Jones, Email, Disabled, Last Login 2010-10-07 14:55:44.0, Password Last Changed.] In an effort to provide the highest level of security, new passwords must be 8 or more characters in length and must include at least one uppercase letter, lowercase letter, digit and special character. A special character is considered any of the follo
45. Configuration: Flat Log Process (continued).
- The Flat Log checkbox option listed in the Policy Definition screen of Policy Builder is checked.
- Data will not be parsed in real time.
(5-16)
- The flat logs can be seen on a designated Flat Log List report.
- The offline process to parse the data and merge it to the standard access domains is configured through the Administration Console.
(Unit 5 System View and Administration Console, 5-17)
Configuration: Global Profile. [Screenshot: Administration Console > Configuration > Global Profile: Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS; PDF footer text (copyright Guardium Inc.); Message template (Alert based on rule: rule description, Category, Classification, Severity, User Name, Source Program, Authorization Code, ...).]
46. [Flowchart: Access Rule "DML on Sensitive Objects - Log Full Details". Criteria Cat/Classif/Sev, Client IP, Server IP, Src App, DB Name, DB User, App User, Net Protocol, Pattern, XML Pattern, DB Type, Client MAC, App Event Num/Val/Date, Event User Name: all ANY. Is Object in Sensitive Objects group? No: Continue to next rule. Yes: Is Command in DML Commands group? No: Continue to next rule. Yes: Log Full Details. Otherwise: Log traffic normally.] (A-6)
A.6 Creating Reports. Now that the groups and policies have been defined, we are ready to create our queries and reports. These are the required elements in creating your queries/reports:
1. Main Entity: The main entity defines the data type that will be the main focus of the report. Generally you will choose one of the following four main entities:
- Session: Used when reporting on successful logins to the database server. This main entity provides one line per login, with no detail on the activity performed by the user.
- Command: Used when user actions are the main focus of the repo
47. [Screenshot: Administration Console > Inspection Engines: Log Exception Sql String, Log Records Affected, Log timestamp per second, Compute Avg Response Time, Inspect Returned Data, Record Empty Sessions, Parse XML, Logging Granularity 60, Max Hits per Returned Data 64, Ignored Ports List, Buffer Free 100, Restart Inspection Engines, Add Comments, Apply; Add Extrusion Rule button.]
Copyright IBM Corporation 2011, 2013. Figure 9-60 Extrusion Rules. GU2022.0 Notes: An extrusion rule evaluates data returned by the server in response to requests; for example, it might test the returned data for numeric patterns that could be social security or credit card numbers. Before using extrusion rules, they must be enabled as follows:
- Go to Administration Console > Inspection Engines.
- Check the Inspect Returned Data checkbox.
- Press Apply.
After making this change, you will see that the Add Extrusion Rule button is no longer grayed out. (9-82)
Extrusion Rule example. [Screenshot: Extrusion Rule Definition
48. (Contents, continued)
- (illegible entry) 9-16
- Checkpoint solutions 9-17
- 9.2 Installing and creating policies 9-19
- Installing and creating policies 9-20
- Install (rest of title illegible) 9-21
- Currently Installed Policies 9-23
- Accessing the Policy Builder 9-24
- Create a new policy 9-25
- Policy Definition (1 of 2) 9-27
- Policy Definition (2 of 2) 9-29
- Policy Rule 9-30
- (illegible entry) 9-31
- (illegible entry) 9-33
- Checkpoint solutions 9-34
- (illegible entry) 9-35
- 9.3 Access Rules 9-37
- Access rules 9-38
- Access Rule Overview 9-39
- Access Rule Description 9-40
- Access Rule Criteria 9-41
- Access Rule Action and Back/Save 9-42
- Access Rule Actions 9-43
- Access Rule Example
49. The only limitation is that policies defined as selective audit policies cannot be mixed with policies not defined as selective audit policies. If you try to mix them, an error message will result when installing these mixed policies. (Unit 9 Policies, 9-21)
The order of appearance can be controlled during the policy installation (first, last, or somewhere in between), but the order of appearance cannot be edited at a later date. Remember, in all of the following examples the policy must be installed after any modifications for the changes to take effect. (9-22)
Currently Installed Policies. [Screenshot: Installed Policy 1: Training01; Date Installed 10/18/10 1:48 PM; This is not a selective audit policy; Not logging to flat; Rules don't fire on flat; Installed Rules: 2; Baseline records: 0; Edit Installed Policy; View Details; Report. Policy Installer list: Training01, Allow All, Basel II, Data Privacy, Data Privacy PII, HIPAA, PCI, PCI Oracle EBS, PCI SAP, Privileged Users Monitoring (black list), Pri
50. accessmgr
- accessmgr is a built-in user
- Is automatically in the access management role
- Cannot be deleted
- Can create and maintain user accounts and roles
- Provides for separation of duties
Figure 4-2. accessmgr (GU2022.0)
Notes: One of the two major built-in users in Guardium is the user named accessmgr (pronounced "Access Manager"). The Access Manager's primary functions are to create and maintain user accounts and roles. Access management functions (create users, change passwords, etc.) are performed by users in the access management role. Access Manager (the user) is automatically part of the access management role. Admin (the user) is not automatically part of the access management role. This allows for the separation of system duties between the administrator (admin) and the access manager (accessmgr). Unit 4. Access Management 4-8
Access Management GUI panes: The access management GUI screen layout includes two panes.
[Screenshot: tabs Access Management, Data Security. Access Management pane: User Browser, User Role Browser, User Role Permissions, User LDAP Import. User Browser: Filter string (case sensitive), User Name, Filter, Add User, Search Users. Columns: Username, First Name, Last Name, Email, Action]
51. (GU2022.0) Notes: After pressing Install/Update, a scheduling window will appear. Enter the time that you would like the install to run and press Apply. In this example we will enter "Now" to run the installation immediately. 7-48
Discovery Setup By Module
[Screenshot: System View, Administration Console, Tools, Daily Monitor, Guardium Monitor, Tap Monitor. Administration Console: Configuration, Data Management, Central Management, Local Taps, Guardium Definitions, Custom Alerting, Module Installation (Process Monitoring, Setup By Module, Upload). Modules Search Criteria: Module Name, Module Version, Clear]
Figure 7-41. GIM Events List (GU2022.0)
Notes: It will take a few minutes for the process to complete. You can check the GIM Events List, found on the Guardium Monitor tab, to check the status. Hint: The GIM Installed Modules option will also come in handy to verify which modules were installed by GIM. Unit 7. S-TAP and GIM 7-49
Bundle discovery [Screenshot: System View, Administration Console]
52. Monitoring at the network level
SQL statement data, content and context. [Diagram: Guardium Data Access Security captures all commands, objects, DDL, DML, source programs, DB user, DB version, protocol version, origin, etc. Who, what, when and how.]
Figure 1-6. Monitoring at the network level (GU2022.0)
Notes: Guardium collects traffic at the network level and off-loads the processing to a network appliance. This greatly reduces the resource utilization at the database level and minimizes any impact on normal database operations. Guardium's agent, S-TAP, simply forwards network packets to a network appliance for processing. Unit 1. InfoSphere Guardium 1-7
Logging example [terminal capture]:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>sqlplus scott/tiger@xenet
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Aug 3 13:24:28 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
SQL> insert into custom
53. Figure 7-55. UNIX non-interactive installer (GU2022.0)
Notes: Below is the syntax to configure the UNIX non-interactive installer.
- <guard-stap-setup> is the name of the script file.
- modules: the .tgz file with all the compiled kernel modules.
- ni: indicates that the shell is being run in non-interactive mode.
- tls: specifies that S-TAP and collector communication uses the TLS protocol, with failover mode 0 or 1. 0 = do not fail over: if S-TAP fails to connect to the collector, keep trying using TLS. 1 = fail over to the non-TLS protocol: if S-TAP fails to connect to the collector, fall back to the non-secure protocol.
- k: indicates that K-TAP should be installed; or t: indicates that the Tee should be installed.
- dir <s-tap_dir>: identifies the S-TAP installation directory.
Unit 7. S-TAP and GIM 7-65
- tapip <ip address>: specifies the IP address of the database server. Omit if tapfile is used.
- sqlguardip <guardium_ip>: specifies the IP address of the Guardium appliance. Omit if tapfile is used.
- tapfile <file>: identifies a text file listing one or more servers on which the S-TAP agent is to be installed. Each row of the text file must have the following format, with each of the following three variables separated from the next by a tab ch
54. Audit Process Definition
The Audit Process Definition includes general options for the process: Description, Activation, Archiving results, Minimum retention period, File label, Zipping results, Email subject.
[Screenshot: Compliance Automation > Audit Process Definition. Description: Training01. Active: (unchecked) "There is no schedule associated with this process". Archive Results. Keep for a minimum of 0 days or 5 runs. CSV/CEF File Label: Training. Zip CSV for mail. Email Subject: "Guardium Workflow, please review"]
Figure 12-7. Audit Process Definition (GU2022.0)
Notes: The Audit Process Definition menu includes general options for the process:
- Description: Enter a name for the audit process.
- Active: Check this box to enable a schedule for the audit process.
- Archive Results: Checking this box will include this audit process's results in the Results Archive process.
- Keep for a minimum of x days / x runs: Enter a number in either of these fields to control the purge schedule for this process's results.
- CSV/CEF Label: If one or more tasks create CSV or CEF files, you can optionally enter a label to be included in all file names in the CSV/CEF File Label box.
- Zip CSV for mail: The CSV file can be compressed (zipped) by clicking on t
55. Unit 12. Compliance Workflow Automation 12-3
Compliance Workflow Automation elements
Elements of the compliance workflow automation process include:
- A distribution plan: defines receivers, which can be individual users, user groups or roles; defines the review/sign responsibility for each receiver; defines the distribution sequence.
- A set of tasks: reports, security assessments, entity audit trails, privacy sets, classification processes, external feeds.
- A schedule: the audit process can be run immediately, or a schedule can be defined to run the process on a regular basis.
Figure 12-3. Compliance Workflow Automation elements (GU2022.0)
Notes: A compliance workflow automation process answers the following questions: What type of report, assessment, audit trail or classification is needed? Who should receive this information, and how are sign-offs handled? What is the schedule for delivery? A workflow process may contain any number of audit tasks, including:
- Reports (custom or pre-defined): Guardium provides hundreds of predefined reports, with more than 100 regulation-specific reports.
- Security assessment report: The security database assessment scans the database infrastructure for vulnerabilities and provides an ev
56. [Table of contents, Unit 7 (continued)]
... 7-17
Complete Installation ... 7-18
Confirm services ... 7-19
S-TAP Control status ... 7-20
S-TAP Configuration Details (1 of 2) ... 7-21
S-TAP Configuration Details (2 of 2) ... 7-23
S-TAP Configuration: CAS and Application Server User ID ... 7-25
S-TAP Configuration: Guardium Hosts ... 7-26
Add Inspection Engines ... 7-28
Confirm Inspection Engine ... 7-30
Verify traffic ... 7-31
Topic summary ... 7-32
7.2 GIM installation (UNIX/LINUX) ... 7-33
GIM installation (UNIX/LINUX) ... 7-34
GIM overview ... 7-35
Download and extract GIM installer ... 7-36
GIM installers directory ... 7-37
... 7-38
Confirm installation from the UI ... 7-40
Module Upload ...
57. [Screenshot: Report Search Results list: Active S-TAPs Changed, Activity By Client IP, Activity Summary By Client IP, Admin Users Login, Admin Users Login Graphical, Admin Users Sessions, Administration Objects Usage, Administrative Commands Usage, Aggregation Errors, ALTER Commands Execution, AME Files, Application Objects Summary, Archive number, Archive results attempted, Archive results number, ...]
Figure 11-48. Report builder buttons (GU2022.0)
Notes: The Report Search Results page will display all of the reports found based on your search criteria. Because we left the criteria blank on the previous screen, all reports are presented. Below are the options available from this screen:
- New: Create a new report based on a previously created query.
- Clone: Copy an existing report and save it with a new name.
- Modify: Make changes to an existing report (see the following slides).
- Delete: Delete a report. This does not delete the associated query, but you must delete the report before you can delete any associated queries.
- Roles: Grant access to the report to other users based on their roles. To grant access to a report, you must grant the roles to the underlying query first.
- Comment: Make notes on a report for reference.
- Add to My New Reports: Publish the report to the My New Reports tab.
- Add to Pane: Publish the report to any menu pane.
Unit 11. Custom Query and Report
58. [Screenshot: Policy Installation. Policy list: Basel II, Data Privacy, Data Privacy PII, HIPAA, PCI, PCI Oracle EBS, PCI SAP, Privileged Users Monitoring black list, Privileged Users Monitoring white list, SOX, SOX Oracle EBS, Vulnerability & Threats Management. Confirmation: "Are you sure you want to install this policy and apply it to all Inspection Engines?" Buttons: Install, Add Comments. Scheduling: "Policy installation is currently not scheduled for execution." Modify Schedule, Run Once Now. Side menu: Custom Alerting, Module Installation]
Figure 9-12. Install policy (GU2022.0)
Notes: The remainder of this unit will focus on creating policies and configuring policy rules. However, for a policy, or any changes to a policy, to take effect, it must be installed. To install a policy, go to Administration Console > Policy Installation, highlight the policy that you would like to install, and choose Install from the drop-down list. If the groups contained within the policy are updated regularly, the installation should be scheduled by clicking Modify Schedule to open the general-purpose scheduling utility. For example, if you are using Populate from Query to update a group of privileged users nightly, the policy should be scheduled to be reinstalled after the group update. More than one installed policy is permitted at the same time. All installed policies are available for action and are run sequentially.
59. [Screenshots: S-TAP installation folder listing (IBM InfoSphere Guardium S-TAP.pdf, 1KB, PDF File, 8/23/2010 11:52 AM; instmsiw.exe, 1,780KB, Application; ISSetup.dll, 1,635KB, Application Extension, 8/23/2010 11:53 AM; setup executable, 596KB, Application; Setup.ini, 3KB, Configuration Settings, 11/24/2010 2:19 PM; setup.isn, 293KB, ISN File; setup_skip_java.bat, 1KB, Windows Batch File, 8/23/2010 11:53 AM; plus a Bitmap Image and a Text Document). License Agreement dialog: "BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, CLICKING ON AN ACCEPT BUTTON, OR OTHERWISE USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY TO THESE ..." with options "I do not accept the terms of the license agreement", Print, Cancel. IBM InfoSphere Guardium S-TAP InstallShield Wizard, Customer Information: "Please enter your information", User Name, Company Name: Guardium, Install this application for: "Anyone who uses this computer (all users)" / "Only for me (Guardium)", < Back]
60. Figure 9-64. Topic summary (GU2022.0)
Notes: 9-88
Checkpoint solutions
1. Explain why you might need to put a period in the DB User field when setting up a failed login exception rule. Without the period, Guardium will check the number of failed logins in a given time period for all users. With the period, Guardium will check the number of failed logins in a given time period for each user.
2. True or false: An exclusion rule can be created to detect and log information on SQL error messages that are generated.
3. Explain what a regular expression is. A regular expression is a set of data pattern characters.
Figure 9-65. Checkpoint solutions (GU2022.0)
Notes: Write your answers here: 1. Unit 9. Policies 9-89
Checkpoint solutions (continued)
4. To have Guardium examine an actual result set value during an extrusion rule's evaluation, the Inspect Returned Data option box must be selected.
5. Which character is used by default when masking a value with an ext
61. Figure 5-14. Configuration: Inspection Engines (1 of 2) (GU2022.0)
Notes: Inspection Engine Configuration controls settings that apply to all inspection engines.
- Log Request Sql String: If marked, each SQL request statement is logged in its sanitized format. Otherwise, no statements are logged.
- Log Sequencing: If marked, a record is made of the immediately previous SQL statement as well as the current SQL statement, provided that the previous construct occurs within a short enough time period.
- Log Exception Sql String: If marked, when exceptions are logged the entire SQL statement is logged.
- Log Records Affected: If marked, the number of records affected is recorded for each SQL statement, when applicable, as well as the ingress and egress counts. Note: When using JDBC, this must be marked to properly log Oracle bind variable traffic.
- Log timestamp per second: If marked, allows you to display the distribution of requests down to the second, regardless of the default logging granularity (see below).
5-22
- Logging Granularity: The number of minutes (1, 2, 5, 10, 15, 30 or 60) in a logging unit. If requested in a report, Guardium summarizes request data at this granularity. For example
62. Unit 5. System View and Administration Console 5-27
Configuration: Portal
[Screenshot: tabs System View, Administration Console, Tools, Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management, Reports. Administration Console > Configuration: Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP-to-Hostname Aliasing, Policy Installation, Query Hint, Session Inference, System, Upload Key File; Data Management; Central Management; Local Taps. Guardium Portal: Active on startup; HTTPS Port (1025-65535): 8443. Authentication: Local / RADIUS / LDAP. LDAP Server: ldap.ibm.com, Port: 636, User RDN Type: uid, User Base DN: dc=ibm,dc=com, Use SSL, Trusted Certificates: Add Trusted Certificate. Apply]
Figure 5-18. Configuration: Portal (GU2022.0)
Notes: Guardium Portal: You can keep the Guardium appliance Web server on its default port (8443) or reset the portal as described below. We strongly recommend that you use the default port. Authentication Configuration: By default, Guardium user logins are authenticated by Guardium, independent of any other applicat
63. Unit 2. Guardium Architecture 2-17
Aggregation, central management and integration
After completing this topic you should understand:
- Data aggregation
- Central management
- Hardware and software configuration options
- Integration options
Figure 2-10. Aggregation, central management and integration (GU2022.0)
Notes: 2-18
Hardware and software
Collectors and Aggregators: G2000 Collector, G5000 Aggregator. Dell R610, 1U rack-mountable, 12 GB RAM, 600 GB hard drive with RAID 0 drive mirroring. Software: Hardened Red Hat Enterprise Linux 5, MySQL database.
Figure 2-11. Hardware and software (GU2022.0)
Notes: Guardium appliances can be configured as collectors or as aggregators. The collectors are known as G2000s and the aggregators are known as G5000s. The Guardium appliances are implemented on Dell R610 computers with 12 GB RAM and a 600 GB hard disk. The appliances run a hardened version of Red Hat Enterprise Linux 5 and implement an internal MySQL rela
64. [Screenshot: Addition mode: AND / OR; HAVING. Query Conditions columns: Entity, Agg., Attribute, Operator, Runtime Param.]
Figure 11-15. Adding fields (GU2022.0)
Notes: Add Fields to the Query Fields Pane. There are two ways to add a field to the Query Fields pane:
- Pop-Up Menu Method: Click on the field to be added. Select Add Field from the pop-up menu.
- Drag and Drop Method: Click on the icon to the left of the field (not on the field name). Drag the icon to the Query Fields list and release it.
Regardless of the method used, the field will be added to the end of the list.
Move or Remove Fields in the Query Fields Pane. To move a field in the Query Fields pane:
- Mark the checkbox in the left-most column for the field.
11-18
- Use the arrow buttons to move the field to the desired location.
To remove a field from the Query Fields pane:
- Mark the checkbox in the left-most column for the field.
- Click the x button to remove the field.
Unit 11. Custom Query and Report Building 11-19
Changing query settings [Screenshot: Trainin]
65. [Screenshot: tabs Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management, Reports. Administration Console > Configuration, Data Management, Central Management, Local Taps > S-TAP Control. S-TAP Host: 192.168.169.8, Status: green, Last Response: 2010-12-01 02:10:39.0. Sections: CAS Status, Details, SSH Public Key Management, Change Auditing, Application Server User Identification, Guardium Hosts, KTAP. Inspection engine: DB2, Real Port 50001, DB2 Shared Memory, Mask 0.0.0.0 / 0.0.0.0, DB Install Dir: /home/db2inst1, Process Name: /home/db2inst1/sqllib/adm/db2sysc, DB2 Shared Memory Adjustment / Client Position / Size: 20 / 61440 / 131072. Side menu: Guardium Definitions, Custom Alerting, Module Installation]
Figure 7-50. Complete process (GU2022.0)
Notes: Press Close after the process completes. 7-58
Verify traffic [terminal capture]:
db2 => connect to localtcp user a8000 using a8000abc
Database Connection Information
Database server = DB2/LINUX 9.7.1
SQL authorization ID = A8000
Local database alias = LOCALTCP
db2 => create table training01 (col1 int, col2 int)
DB20000I The SQL command completed successfully.
db2 => insert int
66. [Screenshot: Description, Back]
Figure 4-10. User Browser: changing layouts (GU2022.0)
Notes: The Access Management tab is used to modify a user's GUI layout. The user's initial GUI layout is determined by the roles to which he or she belongs when first logging into the system. For example, if a user account is assigned to the accessmgr role when logging in to the appliance for the first time, that user will only have the Access Management and Data Security tabs. If the admin role is later added to that user, the GUI tabs for admin will not appear until the Change Layout option is selected. Unit 4. Access Management 4-13
User Browser: deleting a user
The Delete link is used to delete a Guardium user account. Accessmgr and admin are required users and cannot be deleted.
[Screenshot: Access Management > Data Security > User Browser. User Browser, User Role Browser, User Role Permissions, User LDAP Import, User & Role Reports. Filter string (case sensitive). Columns: Username, First Name, Last Name, Email, Actions. Rows: accessmgr (accessmgr accessmgr), admin (admin admin), tjones (Ted Jones). Actions per row: Edit, Roles, Change Layout]
67. Drill-down report example
[Screenshot: Detailed Sessions List. Start Date: 2010-12-14 18:34:29, End Date: ..., Aliases: OFF, ServerIPLike: LIKE. Columns: Timestamp, Session Start, Server Type, Client IP, Server IP, Client Port. Rows: DB2 sessions with timestamps from 2010-12-14 18:45:45.0 to 2010-12-14 18:54:22.0 and session starts from 2010-12-14 18:15:31.0 to 2010-12-14 18:50:18.0, client IP 192.168.169.8, server IP 192.168.169.8, client ports 55930 through 55937 and onward. Footer: IBM InfoSphere Guardium]
68. [Screenshot: query result rows, each with client IP 192.168.169.8, server IP 192.168.169.8, DB user DB2INST1, OS user DB2INST1, source program DB2BP, count 20. SQL shown: DROP TABLE db2inst1.G_EMPLOYEES, G_CUSTOMERS, G_PRODUCTS, G_REGION, G_TICKETS, G_FUNDS, EMP_DEPT_SYN, ..., CCN; CREATE TABLE USERS, G_EMPLOYEES, G_CUSTOMERS, CC_NUMBERS, SSN_NUMBERS]
Figure 11-32. Parenthesis (GU2022.0)
Notes: The parenthesis buttons provide the ability to add parentheses to the query, allowing for complex queries. 11-44
69. [Screenshot: rule action list: FULL DETAILS, FULL DETAILS PER SESSION, ..., DETAILS, QUARANTINE, QUICK PARSE, S-GATE ATTACH, S-GATE DETACH, S-GATE TERMINATE, S-TAP TERMINATE. Fields: Replacement Character, Time Period, Minimum Count 0, Message Template Default, Quarantine for 0, Rec. Vals., Cont. to next rule, Actions]
Figure 9-34. Ignore session rules (GU2022.0)
Notes: Ignore Session rules provide the most effective method of filtering traffic. An ignore session rule will cause activity from individual sessions to be dropped by the S-TAP or completely ignored by the sniffer. Note: connection (login/logout) information is always logged, even if the session is ignored. 9-52
Ignore S-TAP session
[Diagram: The sniffer instructs S-TAP to ignore traffic from specific sessions. For a session marked as Ignored S-TAP, the sniffer receives the following traffic from S-TAP and logs it: sessions (log in, log out). Activity from the database client to the database server (commands) and activity from the database server to the database client (result sets) are shown between Database Server and Database Client. The following types of traffic are discarded by S-TAP and never]
70. - NOT IN DYNAMIC GROUP: Not equal to any member of a group selected from the drop-down list in the Runtime Param column to the right, which appears when a group operator is selected.
- NOT IN DYNAMIC ALIASES GROUP: The operator works on a group of the same type as NOT IN DYNAMIC GROUP; however, it assumes the members of that group are aliases.
- NOT IN GROUP: Not equal to any member of the specified group, selected from the drop-down list in the Runtime Param column to the right, which appears when a group operator is selected.
- NOT IN ALIASES GROUP: The operator works on a group of the same type as NOT IN GROUP; however, it assumes the members of that group are aliases.
- NOT IN PERIOD: For a timestamp only; not within the selected time period.
- NOT LIKE: Not like the specified value (see the description of LIKE above).
- NOT REGEXP: Not matched by the specified regular expression.
- REGEXP: Matched by the specified regular expression. The Guardium implementation of regular expressions conforms with POSIX 1003.2. The specification can be viewed from http://www.unix.org/version3/ieee_std.html.
Unit 11. Custom Query and Report Building 11-41
[Screenshot: Addition mode: AND / OR; HAVING. Query Conditions columns: Entity, Agg., Attribute, Operator, Runtime Param.]
71. In this situation, even if Kerberos authentication is also used, it is of no consequence, because S-TAP obtains all of the information it needs before the message is encrypted and before Kerberos replaces the real database user name.
Kerberos Cred Map: When Kerberos authentication is used, controls how S-TAP obtains the database user names. If either Sync option below is selected, S-TAP will not forward messages to the Guardium appliance until it resolves the real database user name. When the Async option is used, all messages will be forwarded to the Guardium appliance, but initial sessions for users with new Kerberos tickets will have strings of hexadecimal characters in the database user name field until S-TAP resolves the actual database user name. Unit 7. S-TAP and GIM 7-23
- At Startup Sync: During startup processing, S-TAP obtains all authenticated users from the domain controller. This can be time-consuming. After all users have been obtained and tabulated, S-TAP starts sending data to the Guardium appliance. When it encounters a message from a user it does not recognize, it obtains that database user name as described for On Demand Sync below.
- On Demand Sync: When S-TAP encounters a Kerberos message for an unrecognized user, S-TAP fetches the user name from the d
72. [Screenshot: Local Taps > S-TAP Control. S-TAP Host 192.168.169.104, Status: green, Last Response: 2010-11-30 10:08:00.0. Sections: CAS Status, SSH Public Key Management, Details, Change Auditing, Application Server User Identification, Guardium Hosts, Inspection Engines. Inspection engine: Protocol MSSQL, Port Range 1433-1433, IP Mask 0.0.0.0 / 0.0.0.0, Process Names SQLSERVR.EXE, Named Pipe SQL\QUERY, PIPE\SQLLOCAL, Instance Name GTEST. Side menu: Guardium Definitions, Custom Alerting]
Figure 7-24. Confirm Inspection Engine (GU2022.0)
Notes: After you have made any changes to an inspection engine, always confirm that the changes are reflected in S-TAP Control. Go to Administration Console > Local Taps > S-TAP Control. Expand Inspection Engines; your inspection engine should be listed. Hint: Also check the System View pane. If the inspection engine is running, the S-TAP will be displayed in green and you will see numbers incrementing for the appropriate database server type. 7-30
Topic summary
Having completed this topic, you should be able to:
- Use the interactive installation method to set up S-TAP on a Windows database server
- Manually configure a Microsoft SQL Server inspection engine
Cop
73. S-TAP Control status (GU2022.0)
Notes: Next, log into the Guardium Console as admin or a user in the admin role. Go to Administration Console > Local Taps > S-TAP Control. You should see the newly installed S-TAP with a green light under Status. Click the Edit icon to configure S-TAP. Note: S-TAP is running but is not doing anything yet, because there is no inspection engine configured. 7-20
S-TAP Configuration Details (1 of 2)
[Screenshot: S-TAP Configuration. Host: 192.168.169.104, Last response: 2010-11-30 09:43:15.0, Version: 8 21066 7. Details: Load balancing 0; Messages: Remote, syslog; Alternate IPs; Shared Memory: Disable, Alert; Shared Mem Monitor: MSSQL, DB2; Named Pipes Monitor: On For Network; Local TCP Monitor: On For Network; App server user id: 0; Oracle Encryption; Sybase Encryption; SQL Server Decrypt: None / Kerberos and SSL / SSL Only; Kerberos Cred Map: At Startup Sync / On Demand Sync / On Demand Async; TLS: use; Failover. Sections: Change Auditing, Application Server User Identification, Guardium Hosts, Inspection Engines (Add Inspection Engine)]
Figure 7-19. S-TAP Configuration Details (1 of 2) (GU2022)
74. Figure 10-9. Vulnerability Assessment (2 of 4). [Screenshot: Security Assessment Builder with Description "Oracle Security Assessment"; Observed Test Parameters: Period From NOW -4 DAY To NOW, Client IP or IP subnet (optional), Server IP or IP subnet (optional); a Datasources table (Name, Type, Host, UserName) with one ORACLE datasource on host 192.168.4.222 using the user system; Add Datasource; Roles: no roles have been assigned to this Security Assessment; Add Comments, Configure Tests, CAS Support.]
Notes: The Guardium Vulnerability Assessment solution is a licensed product that has an expiration date and is limited by a maximum number of datasources that can be defined and by a number of datasource scans (metered scans). The "License valid until" date and "Metered scans left" can be seen on the System Configuration panel of the Administrator Console. A Vulnerability or Classification process with N datasources is counted as N scans every time it runs. Guardium Vulnerability Assessment requires access to the databases it evaluates. To provide this, Guardium ships a set of SQL scripts, one for each database type, that create the users and roles in the target database that Guardium will use.
75. Figure 8-16. Auto-Generated Calling Prox example (2 of 6). [Screenshot: Selected group (Objects) with the options Append, New group name, Existing group name and Flatten namespace, and the Analyze Database button.]
Notes: Next you will configure a datasource to allow Guardium to log in to the database to analyze the stored procedures. On the Analyze Stored Procedures screen, press Add Datasource. Press New on the Datasource Finder screen.
Figure 8-17. Auto-Generated Calling Prox example (3 of 6). [Screenshot: Datasource Definition with Name "Training", Database Type DB2, Severity classification NONE, Description, Share Datasource; Authentication (Save Password, Login Name a8000, Password); Location (Host Name/IP 192.168.169.8, Port 50001, Database Name sample, Informix Server, Schema, Connection Property, Custom Url); CAS (Database Instance Account, Database Instance Directory); Roles (no roles assigned); Add Comments, Test Connection, Apply, Back.]
Notes: In the Datasource Definition screen
76. [Screenshot residue: query fields Session: Database Name (Value); Command: SQL Verb (Value); Object: Object Name (Value); FULL SQL: Full Sql (Value). Query Conditions (Entity, Aggregate, Attribute, Operator, Runtime Param): WHERE Object.Object Name IN GROUP "Monitoring Sensitive Objects" AND Command.SQL Verb IN GROUP "DML Commands" AND Client/Server.Server Type LIKE Parameter "DB Server Type".]
A.7 Adding Guardium Users and Roles. Now that you have created all of your required reports, Guardium's workflow functionality allows you to deliver them to end users automatically. To enable your users to receive workflow automation results, however, they must first be added within Guardium. Workflow results can be delivered to users or to roles (a group of one or more users). As a best practice, workflow results should be delivered to roles: this allows more than one user to sign off on a result set and makes employee turnover easier to manage. Below are the required steps to create users and roles within Guardium:
1. Define your roles by answering the following questions:
a. Who should receive reports, and what are the job functions of each receiver (Audit, Information Security, DBA, Manager, and so on)?
b. What users have the same job functio
77. [Slide residue: "... Solution Kit", "SOX Database Activity Monitor", "SOX Solution Kit".]
User Role Permissions. Access to each application within Guardium (that is, each Guardium function) is determined by privileges based on roles. The roles assigned to an application can be modified: the application is accessible to each checked role and is not accessible to any unchecked role.
Figure 4-13. User Role Permissions. [Screenshot: Access Management > User Role Permissions, showing the User Role Browser, "Assign Roles to Applications", and the Edit Application Role Permissions / Assign Security Roles dialog for Access Map Builder/Viewer (owner admin) with checkboxes for roles such as accessmgr, admin, appdev, cas, cli, datasec-exempt, diag, inv, review-only and user. Applications listed include Access Map Builder/Viewer, Access Tracking, Administration Console, Agg/Archive Activity Tracking, Alert Builder and Alert Tracking.]
Notes: Access to each application (that is, each Guardium function) is determined by privileges ba
78. Figure 8-24. Populate from Query (2 of 4). [Screenshot: Populate Group from Query setup with Source, "Enter Value for Server IP", Clear existing group members before importing, query Detailed Sessions List, column DB User Name, From Date "now -1 week", To Date "now", Remote Source none; Scheduling: "This Import from Query is currently not scheduled for execution"; Save.]
Notes: Enter the following information on the Populate Group from Query Set Up screen:
Query: Choose the query that contains the records in which you are interested. This query can be based on observed traffic or on a custom query originating from an external source.
Fetch Member From Column: Choose the field from the report that will be used to populate the group.
From Date: Enter the starting date and time for the query. In this example, "now -1 week" means that the starting time of the query is one week before the present moment.
To Date: The ending point in time for this query. In the example, "now" means the present time.
Remote Source: If running this from a Central Manager, you can choose to run the query against data on a managed collector or aggregator.
Run-time parameters: If you have any run-ti
79. Figure 7-42. Discovery Setup By Module. [Screenshot: Administration Console > Module Installation (Process Monitoring, Setup By Client, Setup By Module, Upload Modules). Step 1: Select a module and continue; Display Latest Versions. The list shows the 8.0 bundles and modules (BUNDLE-GIM, BUNDLE-STAP, CAS, COMPONENTS, DISCOVERY, GIM, INIT, KTAP, STAP, STAP_UTILS, SUPERVISOR, TEE, UTILS, WINSTAP) at builds r20992, r21066 and r21068.]
Notes: Next we will install the Discovery module, which, once installed, will search for database instances on your server and allow you to quickly create inspection engines based on the discovered instances. In this example we will use Setup By Module, as follows: Go to Administration Console > Module Installation and click Setup By Module. Press the Search button.
Select client. [Screenshot: Step 2: Select client(s) on which you want to conf
80. Topic summary. Notes:
Checkpoint.
1. Guardium ______ are also known as G2000s and Guardium ______ are also known as G5000s.
2. True or False: The span port method and the network tap method monitor both local and network traffic.
3. Which operating system is used on the Guardium appliances? 1. SUSE Linux 2. Windows 8 3. RedHat Enterprise Linux 5 4. AIX
4. True or False: One collector can monitor and gather data from multiple database servers.
5. True or False: Guardium includes a built-in email server.
Figure 2-21. Checkpoint. Notes: Write your answers here: 1. 2. 3. 4. 5.
Instructor notes. Purpose: Details:
1. Guardium collectors are also known as G2000s and Guardium aggregators are also known as G5000s.
2. True or False: The span port method and the network tap method monitor both local and network traffic.
3. Which operating system is used on the Guardium appliances? a. SUSE Linux b. Windows 8 c. RedHat Enterprise Linux 5 d. AIX
4. True or
81. Figure 12-9. Audit Tasks. [Screenshot: Add Audit Task form with Task Type options (Report, Security Assessment, Entity Audit Trail, Privacy Set, Classification Process), Report set to Detailed Sessions List, the period executed, Event and Additional Columns, Apply.]
Notes: The audit tasks section controls what is delivered to the receivers.
Description: Enter a user-defined description of the task.
Task Type: Report, Security Assessment, Entity Audit Trail, Privacy Set or Classification Process. In this example we will choose a report.
Report: Select the report that you would like to send from the pull-down list.
CSV/CEF File Label: Enter an optional label for the file in the CSV/CEF File Label box. The default is taken from the Description for the task. This label will be one component of the generated file name; another will be the label defined for the workflow automation process.
Export CSV file: Check this box to export the report results to a CSV file. The CSV export process must also be configured from the Administration Console.
Export CEF file: Check this box to export the report results to a CEF file.
Export PDF file: Check to export a PDF file. A PDF file with a similar name
82. Figure 12-15. Workflow results. [Screenshot: results window with columns Viewed, Review Only, Comments, Timestamp and User; an entry of 2010-12-22 10:06:23 by User03 and an entry of 2010-12-21 11:47:32 signed by User01 with the comment "Change control 829482"; Review and Sign, Comment for Result "OK"; report Training02 with overall value 0 and report DBServer01 Sessions (Detailed Sessions List) with overall value 463; Close this window.]
Notes: This is an example of a completed audit process.
Checkpoint.
1. The three elements of a Compliance Automation Workflow process are a ______, a ______ and a ______.
2. True or false: A user can optionally be notified of pending work in the Compliance Automation Workflow through a To-Do list link.
3. The ______ table controls who receives the reports and what action(s) they must take.
4. True or false: A Workflow can be either activated and scheduled to run, or it can be run once now, but not both.
5. Which button takes you to a particular item in your To-Do list? 1. GOTO 2. VIEW 3. OPEN 4. SAVE
Figure 12-16. Checkpoint. Notes: Write your answers here: 1. 2. 3. 4. 5.
83. (Table of contents, continued)
(title illegible) ... 10-26
Checkpoint solutions (1 of 2) ... 10-27
Checkpoint solutions (2 of 2) ... 10-28
Unit 11. Custom Query and Report Building ... 11-1
Unit objectives ... 11-2
11.1 Query overview and creating a simple query ... 11-3
Query overview and creating a simple query ... 11-4
Creating a custom query ... 11-5
Track data access ... 11-6
Domain ... 11-7
Query finder: New query ... 11-8
New query: Name and main entity ... 11-9
Main entity: About entities ... 11-10
Access domain entities ... 11-11
Logging and parsing ... 11-13
Entity Hierarchy ... 11-14
(title illegible) ... 11-15
New query steps summary ... 11-16
Custom query builder ... 11-17
Adding fields ... 11-18
Changing query settings ... 11-20
Adding a condition, saving and publishing report ... 11-22
Viewing a report ... 11-23
Customize screen ... 11-24
Pan
84. ... a and b   d. Neither a nor b
2. True or false: You can modify one or more of the CAS default templates.
3. CAS has been configured with a period of 2 hours. The last set of tests ran at 10:30 am. When will the next set of tests run? a. At 11:30 am b. At 12:30 pm c. Between 11:30 am and 12:30 pm d. Between 10:30 am and 12:30 pm
Figure 10-18. Checkpoint solutions (1 of 2). Notes: Write your answers here: 4. 5. 6.
Checkpoint solutions (2 of 2).
4. What are the three categories of VA tests? Query-based, Behavioral, CAS-based.
5. How often are the Guardium assessment tests updated by IBM? a. Annually b. Quarterly c. Monthly d. Weekly
6. True or false: You need only CAS or only VA, not both.
Figure 10-19. Checkpoint solutions (2 of 2). Notes:
Unit 11. Custom Query and Report Building. Estimated time: 01:45. What this unit is about: This unit describes how to create custom queries and reports. What y
85. ... actions section allows you to specify the resulting activity when the rule's criteria have been met. One rule may contain multiple actions. To add an action, choose its name from the pull-down list and press Apply. When you have added all of the actions that you require, press the Add Action button.
Back / Save: The Back and Save buttons allow you to discard or save any changes made to the rule.
Figure 9-28. Access Rule Actions. The available actions are: ALERT DAILY, ALERT ONCE PER SESSION, ALERT PER MATCH, ALERT PER TIME GRANULARITY, ALLOW, IGNORE RESPONSES PER SESSION, IGNORE S-TAP SESSION, IGNORE SESSION, IGNORE SQL PER SESSION, LOG FULL DETAILS, LOG FULL DETAILS PER SESSION, LOG MASKED DETAILS, LOG ONLY, QUARANTINE, QUICK PARSE, S-GATE ATTACH, S-GATE DETACH, S-GATE TERMINATE, S-TAP TERMINATE, SKIP LOGGING.
Notes: Access rules fall into these categories:
Alerts (Policy Violations): ALERT DAILY, ALERT ONCE PER SESSION, ALERT PER MATCH, ALERT PER TIME GRANULARITY, LOG ONLY.
Filters: IGNORE RESPONSES PER SESSION, IGNORE S-TAP SESSION, IGNORE SESSION, IGNORE SQL PER SESSION.
86. ... application can be ignored, but if the connection does not meet all three criteria the activity should be logged.
Figure 9-39. Trusted connections group. [Screenshot: Manage Members for Selected Group, Group Name "Trusted Connections", Group Type Client IP/Src App/DB User/Server IP/Svc Name (Modify Group Type, Category, Modify Category). Group Members contains the member 192.168.169.8 / DB2BP / APPUSER / 192.168.169.8 / DB2INST1; "Create & add a new Member named" offers Attribute 1 through Attribute 5 (filled with 10.10.9.1, Backup, serviceaccount, 192.16.169.8, svs4); Rename selected Member, Delete selected Member, Add Comments, Aliases, LDAP, Back, Close this window.]
Notes: The Client IP/Src App/DB User/Server IP/Svc Name group contains five attributes that should be added in this order: Attribute 1: Client IP; Attribute 2: Src App; Attribute 3: DB User; Attribute 4: Server IP; Attribute 5: Svc Name. A wildcard can be added if a specific attribute is not relevant.
87. ... applications (Audit Processes, Queries, Portlets, etc.), which can be run on both the Managed Units and the Central Manager. In both cases the definitions come from the Central Manager and the data comes from the local machine (which could also be the Central Manager). Once a Central Management system is set up, customers can use either the Central Manager or a Managed Unit to create or modify most definitions. Keep in mind that most of the definitions reside on the Central Manager regardless of which machine the actual editing is done from. To configure an aggregator as a Central Manager, from the CLI type: store unit type manager. You will then see in the upper right-hand corner of the GUI that the system is a Central Manager.
Figure 6-13. Registering to a CM from a collector. [Screenshot: Administration Console > Central Management > Registration, with Host IP 192.168.169.200 and Port 8443, the Register button, and the browser dialog "The page at https://192.168.169.200:8443 says: Registration Succeeded".]
Notes:
88. ... as true? a. NEXT b. CONT c. MORE d. GOTO
3. Explain what happens if none of the rules in a policy are evaluated as true.
Figure 9-77. Checkpoint. Notes: Write your answers here: 1.
Instructor notes. Purpose: Details: Answers:
1. True or false: The order in which rules are recorded in a policy is not important.
2. Which option box must be checked to force evaluation of the next rule when the current rule is evaluated as true? a. NEXT b. CONT c. MORE d. GOTO
3. Explain what happens if none of the rules in a policy are evaluated as true. The incoming message is passed to the database server as usual for evaluation and execution.
Additional information: Transition statement:
Topic summary. After completing this topic you should be able to: order policy rules so that actions are triggered properly.
Figure 9-78. Topic summary. Notes:
89. ... attributes. Add a query to a pane. View a report and change a report's run-time parameters.
Figure 11-2. Query overview and creating a simple query. Notes:
Creating a custom query: Choose the domain; Name the query; Select the main entity; Identify fields to be listed; Add a query condition; Generate the report; View the results.
Figure 11-3. Creating a custom query. Notes: This topic covers the seven steps required to create a new query: 1. Choose the domain. 2. Name the query. 3. Select the main entity. 4. Identify the fields to be listed. 5. Add a query condition. 6. Generate the report. 7. View the results.
Track data access. [Screenshot: the View, Quick Start, Monitor/Audit, Discover, Assess/Harden, Comply and Protect tabs; Build Audit Policies, Build Reports, My New Reports, Privacy Sets, Custom Reporting; Track data access, Track exceptions, Track policy
90. ... audit tasks, mark the audit process as active, and press Modify Schedule to schedule delivery of the audit process.
A.9 Appendix
9.1 Policy Definitions
Ignore STAP Session: Ignore STAP Session causes the collector to send a signal to STAP instructing it to stop sending all traffic, except for the logout notification, for specific sessions. For example, if you have a rule that says "where DBUserName = scott, Ignore STAP Session":
- When Scott logs into the database server, STAP sends the connection information to the collector. The collector logs the connection (session information, that is, logins and logouts, is always logged). The collector then sends a signal to STAP to stop sending any more traffic from this specific session. This means that any commands run by Scott against the database server, and any responses (result sets, SQL errors, and so on) sent by the database server to Scott, will be discarded by STAP and will never reach the collector.
- When Scott logs out of the database server, STAP sends this information to the collector (login and logout information is always tracked, even if the session is ignored).
- When Scott logs in again, the steps above are repeated.
The logic on which sessions should be ignored is maintained by the colle
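The Trusted Connections group (five attributes in order, wildcard allowed) and the Ignore STAP Session sequence above, modelled together as an added example; this is my own illustration, not code from the IBM course or the Guardium product, and the class names, the STap/Collector split and the sample sessions are constructed for it.

```python
"""Added example, not part of the IBM course material: a small model of the
IGNORE S-TAP SESSION behaviour driven by a Trusted Connections group of the
Client IP / Src App / DB User / Server IP / Svc Name type.  Group members are
five attributes in that order and "*" stands for the wildcard used when an
attribute is not relevant.  Login and logout events are always logged; once
a session is marked ignored, its SQL and result traffic is dropped on the
S-TAP side and never reaches the collector.  All names are my own and the
sample sessions are constructed."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

WILDCARD = "*"
# Attribute 1 .. Attribute 5: Client IP, Src App, DB User, Server IP, Svc Name
Member = Tuple[str, str, str, str, str]


@dataclass(frozen=True)
class Session:
    session_id: int
    client_ip: str
    src_app: str
    db_user: str
    server_ip: str
    svc_name: str

    def attributes(self) -> Member:
        # Same order as the group's Attribute 1 .. Attribute 5.
        return (self.client_ip, self.src_app, self.db_user,
                self.server_ip, self.svc_name)


def member_matches(member: Member, session: Session) -> bool:
    """All five attributes must match; '*' in the member matches anything."""
    return all(m == WILDCARD or m == s
               for m, s in zip(member, session.attributes()))


def is_trusted(session: Session, group: List[Member]) -> bool:
    return any(member_matches(m, session) for m in group)


@dataclass
class Collector:
    """Collector side: decides per session and records what it logs."""
    trusted: List[Member]
    ignored: Set[int] = field(default_factory=set)
    log: List[Tuple] = field(default_factory=list)

    def on_login(self, s: Session) -> str:
        # Session information is always logged, even for ignored sessions.
        self.log.append(("login", s.session_id, s.db_user, s.client_ip))
        if is_trusted(s, self.trusted):
            # Rule hit: tell S-TAP to stop sending this session's traffic.
            self.ignored.add(s.session_id)
            return "IGNORE S-TAP SESSION"
        return "logged"

    def on_logout(self, s: Session) -> str:
        # Logout is still reported and logged; state is cleared so the next
        # login by the same user is evaluated afresh.
        self.log.append(("logout", s.session_id, s.db_user))
        self.ignored.discard(s.session_id)
        return "logged"


@dataclass
class STap:
    """S-TAP side: forwards traffic unless told to drop the session."""
    collector: Collector

    def send(self, event: str, s: Session, payload: str = "") -> str:
        if event == "login":
            return self.collector.on_login(s)
        if event == "logout":
            return self.collector.on_logout(s)
        # SQL or result traffic for an ignored session is discarded locally
        # and never reaches the collector.
        if s.session_id in self.collector.ignored:
            return "discarded"
        self.collector.log.append((event, s.session_id, payload))
        return "logged"


def run_demo() -> Collector:
    """Two sessions from the same application server: one trusted, one not."""
    # First member as shown in the course screenshot; second is a constructed
    # member that uses wildcards for Server IP and Svc Name.
    group = [("192.168.169.8", "DB2BP", "APPUSER", "192.168.169.8", "DB2INST1"),
             ("10.10.9.1", "Backup", "serviceaccount", "*", "*")]
    collector = Collector(trusted=group)
    stap = STap(collector)
    app = Session(1, "192.168.169.8", "DB2BP", "APPUSER", "192.168.169.8", "DB2INST1")
    dba = Session(2, "192.168.169.8", "DB2BP", "DB2INST1", "192.168.169.8", "DB2INST1")
    for s in (app, dba):
        stap.send("login", s)
        stap.send("sql", s, "select * from employees")
        stap.send("result", s, "1 record(s) selected")
        stap.send("logout", s)
    return collector
```

After run_demo(), the collector log holds only login and logout for the trusted APPUSER session but the full SQL and result traffic for the DB2INST1 session, which fails the DB User attribute.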
91. ... by the appliance.
Message Template: customizes the message format used to generate alerts. Note: this is often changed to enable SIEM integration.
The No wrap checkbox below allows you to see where the line breaks appear in the message.
No accordion menus: Check this box to display the Tools tab with Config and Control and Report Building in one column and their associated functions in another column.
Named template: This feature defines multiple message templates and facilitates the use of different templates on different rules. In the past only a single message template was available for all rules, all receiver types, and so on.
CSV Separator: defines a separator to be used in audit processes.
HTML left/right: allows you to change the text displayed at the top of the page.
Login message: Show login message displays a pop-up message to users upon login.
Concurrent login from different IP not allowed: when enabled, each Guardium user is allowed to log in from only one IP address at a time.
Data level security filtering: when enabled, the system filters results system-wide so that each user can only see the information from those databases that the user is responsible
92. ... configurations. What you should be able to do: After completing this unit you should be able to configure an IBM InfoSphere Guardium appliance from the Administration Console.
Unit 6. System View and Administration Console II.
Unit objectives: After completing this unit you should be able to configure an IBM InfoSphere Guardium appliance from the Administration Console.
Figure 6-1. Unit objectives. Notes:
Administration Console: Data Management. Data Management includes: Data Archive, Data Export, Data Restore, Catalog Archive, Catalog Export, Catalog Import, Patch Backup, Results Archive (audit), Results Export (files), System Backup.
Figure 6-2. Administration Console: Data Management. [Screenshot: the Data Management menu listing the same items.]
Notes: Data Management includes Data
93. ... console or through a terminal connected through the serial port. The user can also log on through a secure connection using an ssh (secure shell) client. Common ssh tools include PuTTY and SecureCRT.
Figure 3-7. CLI user login (2 of 2). [Screenshot: PuTTY session configuration (Host Name or IP address, Port, Connection type SSH, Saved Sessions with Load/Save/Delete, "Close window on exit" options) alongside a terminal session in which the cli user connects with ssh cli@10.60.185.13, sees the "Unauthorized access is prohibited" banner and the first-login welcome, and is told that the password has expired and must enter the current password and then a new password twice.]
Notes: Three
94. ... contain sensitive credit card data.
Checkpoint (1 of 2).
1. List three drawbacks to doing native auditing rather than using a product like Guardium.
2. What is a rule, and what is a policy?
Figure 1-17. Checkpoint (1 of 2). Notes: Write your answers here: 1. 2.
Instructor notes. Purpose: Details:
1. List three drawbacks to doing native auditing rather than using a product like Guardium: high resource utilization (significant impact on the database environment); no separation of duties (super users are able to bypass native auditing); inconsistent auditing features (difficulty of integrating the auditing features of multiple database systems).
2. What is a rule and what is a policy? A rule is a set of filtering criteria and actions. A policy is a set of rules to be enforced.
Additional information: Transition statement:
95. Figure 9-32. Policy violation. [Screenshot: a query result from the employees table (ID 1001, FIRSTNAME Henry, LASTNAME Xavier; 1 record selected), followed by the Incident Management tab (Reports > Policy Violations > Incident Management) for 2010-10-11 14:04:24 to 2010-10-19 14:04:24 with Aliases OFF, showing one INFO-severity violation logged 2010-10-18 18:58:27 from client 192.168.169.8 to server 192.168.169.8 by DB user A8000 (db2inst) for "select from employees", incident number 0, log id 1.]
Notes: When an alert rule is triggered, the appliance also logs a Policy Violation. The Incident Management tab is an easily accessible location to view all policy violations.
Allow. [Screenshot: Access Rule Definition, Rule 5 of policy Training01, Description "guardium empty Allow", Category, Classification, Severity INFO, with Server IP and/or Group, Client IP and/or Group, Client MAC, Net Prtcl and/or Group
96. [Slide residue: a table of monitoring requirements and the groups that implement them. Log full details by privileged users: group "Monitoring Privileged Users", type Users, members sa, sys, system, a4920, a2840, a9404, a8000, a4939. Alert on three or more failed logins within five minutes: n/a. Log full details and alert on DML against sensitive objects: group "DML Commands", type Commands (a built-in group with 8 members), and group "Monitoring Sensitive Objects", type Objects, members scott.cc_numbers, scott.ssn_numbers, customers, employees, addresses.]
A.5 Defining Policy. A policy is a set of rules and actions that are applied against SQL traffic as it is captured by the Guardium appliance in real time. Each rule within the policy contains a set of criteria and one action, for example: send an alert via e-mail any time DML is executed against a sensitive object. Each rule is applied in sequence as the data is collected in real time. This is where we ensure that activity is logged according to your monitoring requirements, as defined by the logging and real-time alerting questions from step one. Policies define what traffic should be ignored, what activities require more detail, and which actions should prompt real-time alerts. The order and logic of the policy are very important. Also, there are options
97. ... g_customers, which could be used to insert values into the g_customers table:

    CREATE PROCEDURE sp_g_customers (IN c_id_in INT,
                                     IN c_firstname_in VARCHAR(25),
                                     IN c_lastname_in VARCHAR(25))
    LANGUAGE SQL
    BEGIN
      INSERT INTO g_customers (c_id, c_firstname, c_lastname)
        VALUES (c_id_in, c_firstname_in, c_lastname_in);
    END

When the stored procedure is executed, all Guardium normally sees is the CALL statement, so it captures "call sp_g_customers". The individual code contained within the stored procedure is not captured by Guardium when the procedure is called. Therefore, in this example, Guardium does not capture the INSERT statement that is inside the stored procedure.
Auto-Generated Calling Prox (2 of 2). If your monitoring is based on activity against specific tables (that is, sensitive tables), you may need to include other objects, such as views, stored procedures, synonyms and so on, that provide alternate access to the data within the sensitive tables. The Auto-Generated Calling feature facilitates the categorization
98. (continued) guardium://CREDIT_CARD and there is a valid credit card number pattern in the Data Pattern field, the policy will use the Luhn algorithm (a widely used algorithm for validating identification numbers such as credit card numbers) in addition to standard pattern matching. The Luhn algorithm is an additional check and does not replace the pattern check. A valid credit card number is a string of 16 digits, or four sets of four digits with each set separated by a blank. Both the guardium://CREDIT_CARD rule name and a valid [0-9]{16} expression in the Search Expression box are required for the Luhn algorithm to be involved in this pattern matching.

Example rule fields:
DB User: IN GROUP Privileged Users
Data Pattern: ([0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?)[0-9]{4}

This is a regular expression that will search for any string of 16 digits, or four sets of four digits with each set separated by a blank or a dash. The parentheses surround the portion of the string that will be masked when logged by Guardium; in this case only the last 4 digits of the credit card number will be logged. To receive help in building a regular expression, press the RE button, which brings up the Build Regular Expression box where you can test your regular
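To make the two-stage check concrete, here is an added example (not IBM's code) that applies the Data Pattern above, runs the Luhn algorithm on each match, and masks everything but the last four digits; the replacement character "*" is an assumption standing in for the rule's Replacement Character field.

```python
import re
from typing import Tuple

# The Data Pattern from the course notes: 16 digits, or four groups of four
# separated by a blank or a dash. Group 1 is the part that gets masked,
# group 2 (the last four digits) is what survives in the log.
CC_PATTERN = re.compile(r"([0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?)([0-9]{4})")

# Assumed replacement character (the rule's Replacement Character field sets this).
REPLACEMENT_CHAR = "*"


def luhn_valid(number: str) -> bool:
    """Luhn check over the digits of `number`; blanks and dashes are ignored."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) != 16:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for idx, digit in enumerate(reversed(digits)):
        if idx % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_credit_cards(text: str, luhn_check: bool = True) -> Tuple[str, int]:
    """Return (masked_text, hits).

    With luhn_check=True this behaves like a rule named guardium://CREDIT_CARD:
    a string that matches the pattern but fails Luhn is not a hit and is left
    unmasked, so arbitrary 16-digit values (order numbers, IDs) do not fire.
    With luhn_check=False only the regular expression decides.
    """
    hits = 0

    def _replace(match: "re.Match[str]") -> str:
        nonlocal hits
        candidate = match.group(0)
        if luhn_check and not luhn_valid(candidate):
            return candidate
        hits += 1
        # Keep the separators so the masked value still looks like the original.
        masked_prefix = "".join(
            REPLACEMENT_CHAR if ch.isdigit() else ch for ch in match.group(1)
        )
        return masked_prefix + match.group(2)

    return CC_PATTERN.sub(_replace, text), hits


if __name__ == "__main__":
    # Constructed sample: one Luhn-valid test number and one arbitrary 16-digit value.
    sample = "returned 4111 1111 1111 1111 and 1234567890123456"
    print(mask_credit_cards(sample))               # only the valid card is masked
    print(mask_credit_cards(sample, luhn_check=False))  # both are masked
```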
99. (continued) if the logging granularity is 60, a certain request occurred n times in a given hour. If the above check box is not marked, exactly when the command occurred within the hour is not recorded; but if a rule in a policy is triggered by a request, a real-time alert can indicate the exact time. When you define exception rules for a policy, those rules can also apply to the logging unit. For example, you might want to ignore 5 login failures per hour but send an alert on the sixth login failure.
- Inspect Returned Data: Mark to inspect data returned by SQL requests. If extrusion rules will be used in the security policy, this checkbox must be marked.
- Max Hits per Returned Data: When returned data is being inspected, indicate how many hits (policy rule violations) are to be recorded.
- Compute Avg Response Time: When marked, the average response time will be computed for each SQL construct logged.
- Record Empty Sessions: When marked, sessions containing no SQL statements will be logged. When cleared, these sessions will be ignored.
- Buffer Free n (display only): n is the percentage of free buffer space available for the inspection engine process. This value is updated each time the window is refreshed. There is a single inspection engine process that drives all inspection engines; this is the buffer used by that process.
- Ignored Ports List: A list of ports to be ignored. Add values to this list if you know your database servers are proc
100. Figure 6 9 Data Management: Catalog Import (screenshot: the Catalog Import page listing exported Data and Results catalogs from grd01.guard.swg.usma.ibm.com, dated 2010-11-01 and 2010-11-03, version v8.0)

Notes: Catalog import allows you to import a previously exported data or results catalog.

Data Management: Results Archive (audit)
Figure 6 10 Data Management: Results Archive (audit) (screenshot of the Administration Console > Data Management > Results Archive (audit) configuration: Archive results older than 1 Day(s); Ignore results older than 30 Day(s) (optional); Protocols SCP/FTP; Host 192.163.169.128; Directory root/archive/results; Password and Re-enter password; Scheduling: Results Archive is currently not scheduled for execution)
101. Figure 3 10 Navigating the CLI (3 of 4) (screenshot: CLI listing of available arguments, including info, iptables, large_files, netstat, passkey, slow log, top)

Notes: To display command syntax and usage options, enter a question mark as an argument following the command word or words. For example: agg ?, list ?, supp ?, show ?

Navigating the CLI (4 of 4)
Another way of getting all possible arguments for a command is to enter the first word or words of the command. Examples from the slide:
- system: where arg is clock, conntrack, cpu, custom db max size, fullname, hostname, issue, key, netfilter buffer size, ntp, patch, root login, scheduler, snif buffers reclaim, snmp, ...
- stop <arg>: where arg is alerter, gui, inspection core, inspection engines, system

Figure 3 11 Navigating the CLI (4 of 4)

Notes: An alternate method of getting all possible arguments for a command is to enter the first word or words of the command at the command prompt. For example: agg, list, supp, show.

Unit 3 Command Line Interface
102. (continued)
- ip or hostname: The address or host name of the Guardium appliance to which this S-TAP will report.
- install dir: Identifies the program directory into which the S-TAP agent will be installed.
- install table file: Full network path name of the install table file, which must be accessible from all database server machines on which S-TAP will be installed from the command line. This must be a text file with fields separated by spaces, and it must have Unix-format line separator characters.

Unit 7 S-TAP and GIM

Options described below:
- MSSQLSharedMemory: Install the MS SQL Server shared memory driver to monitor MS SQL Server traffic via shared memory.
- DB2SharedMemory: Install the DB2 shared memory driver to monitor DB2 traffic via shared memory.
- TLS: Use a secure (encrypted) connection for all communication with the Guardium appliance.
- failoverTLS: Applies only if TLS (above) is true. If no TLS connection can be made, attempt to connect over a non-secure connection.
- CAS: Install the CAS agent. It can be installed later without having to uninstall or re-install S-TAP.
- NamedPipes: Install the Named Pipes driver to monitor local traffic over named pipes.
- Lhmon: Install the LHmon driver to monitor local TCP traffic.
- LhmonForNetwork: Use L
103. (continued) it; What students will learn; How this will help students on their job.

Unit 9 Policies

Installing and creating policies
After completing this topic, you should be able to:
- Install a policy
- Access the policy builder
- Create a new policy

Figure 9 11 Installing and creating policies

Notes:

Install policy
Figure: Administration Console > Configuration > Policy Installer (screenshot: the Currently Installed Policies panel reads "No Policy Currently Installed"; the Configuration menu lists Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP to Hostname Aliasing, Portal, Query Hint, Session Inference, System, Upload Key File; a browser dialog from https://9.70.145.185:8443 is open)
104. Figure 5 10 Configuration: Flat Log Process (screenshot of Administration Console > Configuration > Flat Log Process: Process / Purge Only options, Apply and Restore Default buttons; Scheduling: Flat Log Processing is currently not scheduled for execution)

Notes: The Flat Log option is a process that allows the Guardium appliance to log information without immediately parsing it in real time. This saves processing resources so that a heavier traffic volume can be handled. The parsing and amalgamation of that data into Guardium's internal database can be done later, either on a collector or on an aggregator unit.

Note: Rules on flat files do not work with policy rules involving a field, an object, an SQL verb (command), an Object/Command Group, or an Object/Field Group. In the Flat Log process, "flat" means that a syntax tree is not built. If there is no syntax tree, then the fields, objects, and SQL verbs cannot be determined. The following actions do not work with rules on flat policies: LOG FULL DETAILS, LOG FULL DETAILS PER SESSION, LOG FULL DETAILS VALUES, LOG FULL DETAILS VALUES PER SESSION, LOG MASKED DETAILS. When Log Flat
105. Drill-down reports
Figure 11 35 Drill-down reports (screenshot of the query DrillDownExample; Main Entity: Object; Sort by count)

Query Fields:
Seq | Entity | Attribute | Field Mode
1 | Client/Server | Server IP | Value
2 | Client/Server | Client IP | Value
3 | Client/Server | DB User Name | Value
4 | Client/Server | Service Name | Value
5 | Client/Server | Source Program | Value
6 | Command | SQL Verb | Value
7 | Object | Object Name | Value

Query Conditions (addition mode AND):
WHERE Client/Server DB User Name LIKE Parameter DBUser
AND Client/Server Client IP LIKE Parameter ClientIP

Notes: Adding runtime parameters to reports also makes them available as drill-down reports. In the example above there are runtime parameters for database user name and client IP. This means that any report containing these two fields will have this report available as a drill-down report, as shown on the following page.

Unit 11 Custom Query and Report Building
106. Instructor notes: If time allows, have the students follow along from their virtual machines. (Purpose, Details, Additional information, Transition statement)

Unit 4 Access Management

User Browser: adding a user (2 of 2)
User information includes: Username, Password, Password confirm, First Name, Last Name, Email, Disabled (unchecked). All fields are required except email address. The new user is added to the user role by default.

Figure 4 7 User Browser: adding a user (2 of 2) (screenshot of Access Management > User Browser > User Form with Username tjones, First Name Ted, Last Name Jones, Email tjones@ibm.com, Disabled unchecked; the menu also lists User Role Browser, User Role Permissions, User LDAP Import, User & Role Reports, Data Security)

The form displays this password policy: In an effort to provide the highest level of security, new passwords must be 8 or more characters in length and must include at least one uppercase letter, lowercase letter, digit, and special character. A special character is considered any of the following:

Notes:
107. (continued) The most common type of exception rule created is to alert on x number of failed login attempts within x minutes, for example, 3 failed login attempts within 5 minutes. To create this alert, create a new exception rule as follows:
- Action: Alert Per Match
- Minimum Count: 3
- Reset Interval: 5
- Excpt Type: LOGIN_FAILED
- DB User: . (period)

Placing a period in DB User causes the system to place a counter on DB User, so that you will only receive an alert when the same user attempts to log in three times within five minutes. Otherwise it will alert whenever there are three failed logins from any three users within five minutes, which could result in a great deal of false positives.

Unit 9 Policies

Extrusion Rules
Figure: Policy Rules & Training (screenshot of the policy rule list: Access Rule "DDL activity in production", Log Only; Access Rule "Privileged users accessing ...", Log Request SQL String; Access Rule "Trusted connections", Ignore STAP Session)
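The difference the period makes can be seen by running the same constructed failed-login events through a per-user counter and through a single shared counter. This is an added simulation, not IBM's implementation; the window semantics (the counter resets once the first event in the window is older than the reset interval, and every match at or above the minimum count alerts) are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample LOGIN_FAILED events: (timestamp, DB user, client IP).
FAILED_LOGINS = [
    ("2013-05-01 09:00:05", "scott", "192.0.2.10"),
    ("2013-05-01 09:00:40", "appuser", "192.0.2.11"),
    ("2013-05-01 09:01:10", "hr_ro", "192.0.2.12"),   # third failure overall, three different users
    ("2013-05-01 09:02:00", "scott", "192.0.2.10"),
    ("2013-05-01 09:03:30", "scott", "192.0.2.10"),   # third failure for scott within five minutes
    ("2013-05-01 09:20:00", "scott", "192.0.2.10"),   # window expired, counter starts over
]


def evaluate_exception_rule(
    events: List[Tuple[str, str, str]],
    minimum_count: int = 3,
    reset_interval_minutes: int = 5,
    count_per_db_user: bool = True,
) -> List[Tuple[str, str]]:
    """Simulate Alert Per Match with Minimum Count and Reset Interval.

    count_per_db_user=True models the period in the DB User field: one counter
    per user. False models the rule without it: one counter shared by all users.
    Returns the (timestamp, DB user) pairs that would raise an alert.
    """
    reset = timedelta(minutes=reset_interval_minutes)
    counters: Dict[str, Tuple[datetime, int]] = {}  # key -> (window start, count)
    alerts: List[Tuple[str, str]] = []

    for ts_text, db_user, _client_ip in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        key = db_user if count_per_db_user else "*"
        start, count = counters.get(key, (ts, 0))
        if ts - start > reset:
            start, count = ts, 0  # reset interval elapsed: start a new window
        count += 1
        counters[key] = (start, count)
        if count >= minimum_count:
            alerts.append((ts_text, db_user))
    return alerts


if __name__ == "__main__":
    print("per user  :", evaluate_exception_rule(FAILED_LOGINS))
    print("any user  :", evaluate_exception_rule(FAILED_LOGINS, count_per_db_user=False))
```

With the per-user counter only scott's third failure alerts; with the shared counter the third failure from hr_ro already fires, and the subsequent failures in the window fire again.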
108. (continued) of such objects.

Figure 8 12 Auto Generated Calling Prox (2 of 2)

Notes: Auto Generated Calling Prox allows a group to capture the internal contents of database objects such as stored procedures, synonyms, views, and so on.

Auto Generated Calling Prox Options
Auto Generated Calling Prox allows Guardium to:
- Populate a Group Using Database Sources (all databases)
- Populate a Group Using Database Dependencies (Oracle and MS SQL Server only)
- Populate a Group Using Reverse Dependencies and Generate Selected Object (Oracle only)
- Populate a Group Using Observed Procedures (all databases)

Figure 8 13 Auto Generated Calling Prox Options

Notes: Auto Generated Calling Prox has several options. Not all of the options are available with every database type. The four options are:
- Populate a Group Using Database Sources: Guardium will analyze the stored procedure source code on one or more database servers.
- Populate a Group Using Database Dependencies: Guardium will populate groups based on database dependencies such as functi
109. Figure 9 30 Alert rules (screenshot of an Access Rule Definition: Object and/or Group set to the Public Sensitive Objects group; Action ALERT PER MATCH; Notification Type SYSLOG; Alert Receiver SYSLOG; the remaining criteria fields, Minimum Count 0, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0, are at their defaults)

Notes: Alert rules will send a notification to designated receivers at a defined frequency, depending on the action chosen. Actions:
- Alert Daily sends notifications only the first time the rule is matched each day.
- Alert Once Per Session sends notifications only once for each session in which the rule is matched.
- Alert Per Match sends notifications each time the rule is satisfied.
- Alert Per Time Granularity sends notifications once per logging granularity
110. LDAP (1 of 2)
Groups can be populated from an LDAP server by clicking the LDAP button, which is accessible when building a new group or when modifying an existing group.

Figure 8 21 LDAP (1 of 2) (screenshot of Group Builder > Modify Existing Groups, with the Manage Members dialog offering: Create & add a new Member named; Add an existing Member to Group; Rename selected Member to; Delete selected Member; and the group list showing Privileged Users, Account Management Commands, Account Management Procedures, Active Users, Admin Users, Administration Objects; Scheduling: Flattening All Hierarchical Groups is currently not scheduled for execution; buttons Populate from Query, Group Filter, Roles, Clone, Modify, Delete)

Notes: A third method of populating a group is through an interaction with LDAP.
111. (continued) reach the collector.

Figure 9 35 Ignore STAP session (diagram: Database Client, SQL, Errors, Commands, Collector)

Notes: The Ignore STAP session action follows this process:
1. The user logs into the database server.
2. STAP sends the connection information, along with the first few commands, to the sniffer.
3. The sniffer determines, based on the policy rule, that the session should be ignored.
4. The sniffer sends a signal to STAP to stop sending traffic from that session.
5. STAP discontinues sending traffic from the session.
6. The user logs out of the database.
7. STAP sends the logout packet to the sniffer.

If STAP continues to send traffic from a session that should be ignored, the sniffer will continue to send the signal to STAP to ignore the session.

Unit 9 Policies

- The process described above is repeated for every connection; this keeps resource utilization as low as possible on the database server. All policy logic is maintained by the collector, while STAP only maintains the list of sessions to be ignored.
- If you have an STAP-only environment, use the Ignore STAP Session rule, not Ignore Session, to completely ignore a session. Ignore Session only sends the ignore signal to STAP once and is not as robu
112. Figure 7 47 GIM Events List (screenshot of Guardium Monitor > Discovered Instances, Start Date 2010-11-30 04:57:45, End Date 2010-12-02 01:57:45, Aliases OFF; one row dated 2010-12-01 01:57:17 for host 192.168.169.8, DB2, ports 15000/50001, instance db2inst1, with the invoke action create_stap_inspection_engine)

Notes: To confirm that the Discover module has installed successfully, go to the Guardium Monitor tab and click the GIM Events List.

Unit 7 S-TAP and GIM

Invoke now
Figure: Discovered Instances report at https://192.168.169.9:8443 showing the API function create_stap_inspection_engine with these parameters: stapHost 192.168.169.8; protocol DB2; portMin 50001; portMax 50001; teeListenPort (empty); teeRealPort (empty); connectToIp 127.0.0.1; client 0.0.0.0/0.0.0.0; excludeClient (empty); procNames (empty); namedPipe (empty); ktapDbPort 50001; dbInstallDir /home/db2inst1; procName /home/db2inst1/sqllib/adm...; db2SharedMemAdjustment 20; db2SharedMemClientPosition 81440; db2SharedMemSize 131072; instanceName db2ins
113. (continued) secure logons are demonstrated on this slide. The secure logon can be done physically from the Guardium appliance's console, through a secure PuTTY connection, or through a secure ssh connection from a Unix terminal window.

Unit 3 Command Line Interface

Navigating the CLI (1 of 4)
Figure 3 8 Navigating the CLI (1 of 4)

Notes: CLI commands follow some standard usage conventions:
- Commands and keywords can be abbreviated by entering enough characters so that the commands are unambiguous.
- Most Guardium CLI commands consist of a command word followed by one or more arguments. The argument may be a keyword, or a keyword followed by a variable value.
- Commands and keywords are not case sensitive, but element names are.
- Quotation marks are used around words or phrases to precisely define
114. Figure 9 62 Extrusion rule results example (screenshot of a report row: Full SQL "select * from db2inst1.cc_numbers"; Extrusion Values masked; timestamp 2010-10-28; rule guardium://CREDIT_CARD "Privileged users accessing credit cards"; client 192.168.169.8, server 192.168.169.8; DB user SCOTT; severity INFO)

Notes: This example shows how Guardium logs and displays the data resulting from an extrusion rule firing. The Full SQL string contains the SQL string that was issued and the masked values that the database server returned.

Unit 9 Policies

Checkpoint
1. Explain why you might need to put a period in the DB User field when setting up a failed-login exception rule.
2. True or false: An exclusion rule can be created to detect and log information on SQL error messages that are generated.
3. Explain what a regular expression is.
4. To have Guardium examine an actual result set value during an extrusion rule's evaluation, the ______ option box must be selected.
5. Which character is used by default when masking a value with an extrusion rule? a. b. c. <blank> d.

Figure 9 63 Checkpoint

Notes: Write your answers here.
115. (continued) students will do; How students will do it; What students will learn; How this will help students on their job.

Unit 9 Policies

Rule order and logic
After completing this topic, you should be able to:
- Order policy rules so that actions are triggered properly

Figure 9 74 Rule order and logic

Notes:

Rule order and policy logic
Rule order can affect whether policy rules fire correctly or not. Actions and settings that can affect the policy logic include:
- Multiple actions
- Continue to next rule
- Ignore session rules
- Exception versus access rules

Figure 9 75 Rule order and policy logic

Notes: This slide describes the default behavior if you were to install a selective audit policy with no rules.
- Multiple actions: if you require two actions for the same criteria, use multiple actions. Example: Alert Per Match AND Log Masked Details for DML on Sensitive Objects.
- Continue to Next Rule: if you have two re
116. (continued) the Continuous box is checked and the receiver is a group or a role, one member of that group or role must take the indicated action before the results will continue on to the next receiver in the list. Unchecked: If the Continuous box is cleared, the results will immediately be released to the next receiver on the list.
- Approve if Empty: The Approve if Empty flag controls how the distribution of results takes place when the results are empty. Checked: When this checkbox is checked, if all the reports of the task are empty, the system will automatically sign the result and/or mark it as viewed, and continue if relevant. It will NOT notify the recipient via either the To Do list or email, and it will not generate any PDF/CSV/CEF files. Unchecked: When this checkbox is unchecked, all normal processing takes place even when the results are empty.

Audit Tasks
Audit Tasks controls what is delivered to the receivers: Reports, Security Assessments, Entity Audit Trails, Classification Processes.

Figure: Audit Tasks (screenshot: Report Training02a, period "now -1 day" to "now"; Report DBServer01 Sessions, Detailed Sessions List, Description "DBServer01 Sessions"; Task Type options Report, Security Assessment, Entity Audit ...)
117. (continued) the built-in policies. In the example above, the dash helps to show that it is not a built-in policy and causes the policy to appear at the top of the list. The remaining fields are optional:
- Policy category: an arbitrary label that can be used to group policy violations for reporting purposes. The category specified here will be used as the default category for each rule, and it can be overridden in the rule definition.
- Policy baseline: if you have created a baseline, you can create a policy based on it. This is outside the scope of this training.
- Log flat (not covered in this training): This option can be used in extremely high-volume environments. When this box is checked:
  - Data will not be parsed in real time.
  - The flat logs can be seen on a designated Flat Log List report.
  - The offline process to parse the data and merge it into the standard access domains can be configured through the Administration Console > Configuration > Flat Log Process.
- Rules on flat (not covered in this training): This is only applicable when Rules on flat is checked, and it results in the following behavior:
  - Session-level rules will be examined in real time.
  - No rules will be evaluated when the offline processing takes place.
  - When Rules on fl

Unit 9 Policies
118. (continued) the user is not in the group of privileged users. Other implementations are defined as comprehensive, in which all or almost all sessions are logged. Most implementations fall somewhere in between: more than just privileged users will be logged, but many trusted sessions (applications, backups, scheduled processes, etc.) can be ignored. The ignore session rules have a great impact on the performance of the collector and on data retention. If you log privileged user activity only, you would require fewer collectors than a comprehensive implementation in which all traffic is logged.

Ignore STAP session rule: Trusted connections
Figure: Access Rule Definition (screenshot: Rule 1 of policy Training01; Description "Trusted connections Ignore STAP Session"; Category, Classification; Severity INFO; criteria fields Server IP and/or Group, Client IP and/or Group, Client MAC, Net Prtcl and/or Group, DB Type, Svc Name and/or Group, DB Name and/or Group, with the Manage Members for Selected Group dialog open)
119. (continued) time.

Unit 5 System View and Administration Console

- Logins to Guardium: The Logins to Guardium area shows a report of recent logins to the Guardium appliance.
- Scheduled Job Exceptions: The Scheduled Job Exceptions area includes a report listing any recent issues with scheduled jobs.

Administration Console
The Administration Console includes: Configuration, Data Management, Central Management, Local Taps, Guardium Definitions, Custom Classes, Module Installation.

Figure: Administration Console (screenshot: the Configuration section lists Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP to Hostname Aliasing, Policy Installation, Portal, Support Maintenance, Session Inference, System, Upload Key File, Unit Utilization Levels; followed by Data Management, Central Management, Local Ta...)
120. (continued) traffic, while STAP would be used for monitoring local traffic only. However, STAP always included the ability to forward network traffic as well, eliminating the need for a hardware solution.

Unit 2 Guardium Architecture

STAP: Local and network monitoring
Figure 2 7 STAP: Local and network monitoring (diagram: Database Server with STAP forwarding traffic to the Guardium Collector)

Notes: Because of the ease of using a software solution as compared to hardware solutions, and the great increases in STAP's efficiency and sophistication, STAP has become the primary method of data capture for Guardium customers. Only a small percentage of customers still use span ports or network taps. However, it is still important to understand the hardware options, because STAP is basically a software implementation of the span port and/or network tap solution. STAP forwards network packets to the collector for logging.

STAP features:
- Lightweight agent running on the data server that forwards traffic, in the form of network packets, to a Guardium collector
- Minimal resource utilization: 3 to 5% CPU, 10 MB memory-mapped file
- Encrypted database traffic: handles most forms of database encryption (SSL, ASO, Kerberos, etc.)
- Redundancy: sends traffic to mo
121. Installation resources
Resource materials include:
- stap help book.pdf
- Guardium Installation Manager.pdf
- IBM InfoSphere Guardium 8 STAP Installation and Configuration yyyy-mm-dd.doc

Figure 7 5 Installation resources

Notes: When installing S-TAP, these documents will help ensure that you have covered all the installation prerequisites and have completed all of the required steps:
- stap help book.pdf: available from the online help
- Guardium Installation Manager.pdf: available from the online help
- IBM InfoSphere Guardium 9 STAP Installation and Configuration yyyy-mm-dd.doc: provided by your professional services consultant or Guardium technical support

Unit 7 S-TAP and GIM

7.1 Interactive installation (Windows)
Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job.

Interactive installation (Windows)
122. written permission of IBM. Instructor Guide.
Modify report: Chart (1 of 2). Figure 11-51 (screenshots: Custom Reporting, Report Attributes for query Training01, report title Training01, refresh rate 0 seconds, graph types Tabular or Chart; then the Report Chart Type window with Chart Type set to Area).
Notes: When choosing Chart instead of Tabular on the Report Attributes window, the next window will prompt you to select a Report Chart Type. On the Chart Type pull-down menu, choose from standard chart types such as Area, Line, Pie, etc. (Unit 11: Custom Query and Report Building.)
Modify report: Chart (2 of 2). Figure 11-52 (screenshot of the chart formatting fields: plotAreaLeft, plotAreaColor (click on the Color field to change), yAxisTitle, labelAngle, labels; Back, Cancel, Preview and Next buttons).
Notes: The final screen allows you to change the chart formatting.
123. yes, Ignore STAP Session; if no, go to the next rule. This should be the first access rule, because all of the trusted connections should be ignored; if placed lower in the rule order, some rules may fire inappropriately.
Is the user in the Privileged User group? If yes, Log Full Details and continue to the next rule. (Unit 9: Policies.) If the Cont. box is not checked, the policy would stop at this rule for all privileged user activity, so in order to ensure that rule number 4 is processed for privileged users you must check the Cont. box.
Is the object in the Sensitive Objects group and is the command in the DML Commands group? If yes, Log Masked Details and Alert Per Match. If the user is a privileged user, the Log Full Details action from rule number 3 will take precedence.
If none of the above are matched, then log traffic normally.
Checkpoint: 1. True or false: the order in which rules are recorded in a policy is not important. 2. Which option box must be checked to force evaluation of the next rule when the current rule is evaluated
124. Notes: The Details pane of the S-TAP Control panel applies to basic configuration settings for the S-TAP agent. The following describes the Windows S-TAP controls.
Load balancing: controls how S-TAP reports traffic to Guardium appliances, as follows. 0 = report all traffic to a single appliance (the default); 1 = load balancing, distribute sessions evenly to all appliances by client port number (all traffic for a single session must go to the same appliance); 2 = full redundancy, report all traffic to all appliances.
Messages: controls where S-TAP processing messages (not database traffic) will be written. Remote writes to the active Guardium host; Syslog writes to the syslog file on the database server.
Shared Memory: controls the action to be taken when a shared memory connection is detected. Disable disconnects the session; Alert sends an alert. Note: these settings are rarely changed. (Unit 7: S-TAP and GIM.)
Shared Mem Monitor: enable monitoring of shared memory. Named Pipes Monitor: enable monitoring of named pipes traffic, both local and network. Local TCP Monitor: enable monitoring of TCP traffic, local and network. App Server user id: used to monitor application user names. Oracle Encryption: monitor encrypted Oracle traffi
125. Figure 3-27. Unit summary. (Unit 3: Command Line Interface.)
Exercise: At this point you should complete Exercise 1 in the Exercise Guide. Figure 3-28. Exercise.
Checkpoint solutions: 1. How does the CLI user differ from the GUARDCLI1 user? The CLI user signs on with a password; the guardcli1 user signs on with a password and then issues the set guiuser command to complete the logon. 2. True or False: CLI users can be authenticated through LDAP. 3. List three ways a CLI user can make a logon connection with the Guardium appliance: console, ssh, an ssh tool like PuTTY. 4. What CLI command could you use to list all of the commands that fall into the Aggregator category? comm agg. 5. The show command is used to display the value of a Guardium configuration option; the store command is used to set the value of a Guardium configuration option. 6. Which Guardium CLI command is normally used only under the guidance of Technical Support? diag. 7. The commands needed for repetit
126. Figure 3-15. Aggregator commands.
Notes: Aggregation is the process by which export files are sent from each collector to an aggregator, where the data from all of the collectors is merged and stored in a single database. This provides a single reporting source for all of the monitored data.
Alerter configuration commands. Use the alerter configuration CLI commands to: stop or restart the alerter; specify that the alerter will be started automatically whenever the system is rebooted; set the polling interval for the alerter; set the alerter's SMTP authentication password; set the alerter's SMTP email authentication username; and so on. Figure 3-16. Alerter configuration commands.
Notes: The Alerter subsystem transmits messages that have been queued by other components, for example correlation alerts that have been queued by the Anomaly Detection subsystem, or run-time alerts that have been generated by security policies. The Alerter subsystem can be configured to send messages to both SMTP and SNMP servers. Alerts can also be sent to syslog or custom alerting classes, but no special configuration is required for those tw
127. Notes: In this example, Guardium will block anyone in the developer group from accessing cardholder objects on production servers. It will also terminate the user's connection and send an alert to the Guardium administrators via SNMP. As a result of the rule being triggered: the command does not reach the database server; the user's session is terminated; an alert is sent via SNMP. (Unit 1: InfoSphere Guardium.)
Built-in and custom reporting. (Screenshot residue only: the Guardium GUI with the View, Quick Start, Monitor/Audit, Discover, Assess/Harden, Comply, Build Audit Policies and Build Reports tabs; a report overview with exceptions and schema-change counts; the Custom Reporting and Built-in Reports menus; and a query builder for "Activity on Sensitive Objects" with main entity Object, Add Count, Add Distinct, Sort by count, and query fields beginning with Server IP and Server Port.)
128. Figure 3-20. Inspection engine commands.
Notes: An inspection engine monitors the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol (Oracle or Sybase, for example). The inspection engine extracts SQL from network packets, compiles parse trees that identify sentences, requests, commands, objects and fields, and logs detailed information about that traffic to an internal database. (Unit 3: Command Line Interface.)
User account, password and authentication commands. Use the user account, password and authentication CLI commands to: define when an inactive user account will be disabled; define when a password must be changed; lock out users after failed login attempts; enable and disable password validation; and so on. Figure 3-21. User account, password and authentication commands.
Notes: The user account, password and authentication commands work with user account information.
Generate new layout c
129. (Unit 8: Group Builder.)
Auto-Generated Calling Proc (1 of 2). Guardium operates at the network level, capturing interactive SQL requests. The STAP agent does not reside within the database. For example, this DB2 stored procedure inserts values into the g_customers table:
    CREATE PROCEDURE sp_g_customers (IN c_id_in INT, IN c_firstname_in varchar(25), IN c_lastname_in varchar(25))
    LANGUAGE SQL
    BEGIN
        insert into g_customers (c_id, c_firstname, c_lastname)
            values (c_id_in, c_firstname_in, c_lastname_in);
    END
When the stored procedure is executed, Guardium captures "call sp_g_customers". The individual code contained within the stored procedure is not captured when the procedure is called. Figure 8-11. Auto-Generated Calling Proc (1 of 2).
Notes: The second method of populating a group is called Auto-Generated Calling Proc. This method of data capture allows the STAP agent to utilize minimal resources on the database server. Guardium operates at the network level, capturing interactive SQL requests; the STAP agent does not reside in the database itself. Stored procedures are created inside the database. For example, the following SQL CREATE statement creates a DB2 stored procedure named sp
130. (Unit 8: Group Builder.)
Accessing Group Builder. Figure 8-4 (screenshot: the Tools tab of the Administration Console, with the Config & Control menu listing Access Map Builder, Alert Builder, Alias Builder, Audit Process Builder, Audit Process To-do List, Auto-discovery Configuration, Baseline Builder, CAS Host Config, CAS Template Set Config, Classification Policy Builder, Classification Process Builder, Datasource Definitions, Group Builder and Policy Builder; the Group Filter screen with Group Type, Group Description and Category fields).
Groups are accessed from Tools > Config & Control > Group Builder as a user with the Admin role, or Monitor/Audit > Build Reports > Group Builder as a user with the User role. From the Group Filter screen, press Next to reach the Group Builder. Optionally, you can choose to filter the list of groups displayed in the Group Builder by choosing filter options. For example, if you only want to see user groups, you would choose Users under Group Type.
131. Figure 9-41. Ignore STAP session example (report excerpt; the server and client IP, DB user, source program and service name columns are not legible).
To confirm that an Ignore STAP Session works properly, create a report with the Session Ignored flag. This report is included on the training machines.
Ignore responses per session. Figure 9-42 (diagram: the sniffer instructs STAP to discontinue server-to-client traffic from specific sessions. For a session marked as Ignored Responses, the sniffer receives the following traffic from STAP and logs it into the database: activity from the database client to the database server, that is sessions (log in, log out) and SQL requests (commands). Activity from the database server to the database client is discarded by STAP and never reaches the collector).
Notes: The Ignore Responses Per Session action will cause the collector to continue logging SQL requests, but the sniffer will instruct STAP to discont
132. Figure 7-23. Add Inspection Engines (screenshot of the S-TAP Control panel, S-TAP version 3.21066, last response 2010-11-30 10:04:30; the Details tree lists Change Auditing, DB2, Application Server User Identification, Informix, Guardium Hosts, KERBEROS, MSSQL, Inspection Engines, MySQL, Named Pipes, Oracle, Sybase, Windows File Share; the Add Inspection Engine form shows Protocol MSSQL, Port Range 1433 to 1433, Client Ip/Mask 0.0.0.0/0.0.0.0, Exclude Client Ip/Mask, Process Names SQLSERVR.EXE, Named Pipe, and Instance Name).
Notes: Inspection engines define what traffic on the database server will be forwarded to the collector. Fields for MS SQL on Windows include:
Protocol: the type of database server being monitored (DB2, FTP, Informix, KERBEROS, MySQL, Netezza, Oracle, PostgreSQL, Sybase, Teradata, Windows File Share, etc.).
Port Range: the range of ports monitored for this database server. There is usually only a single port in the range. If a range is used, do not include extra ports in the range, as this may result in excessive resource consumption while the S-TAP attempts to analyze unwanted traffic.
Client IP/Mask: a list of client IP addresses and corresponding masks to specify which clients to monitor. If the IP address is the same as the IP address for the database server and a mask of 255.255.255.255 is used, only local traffic will be monitored. An a
133. (Unit 7: S-TAP and GIM.)
Unit 8: Group Builder. Estimated time: 1:00. What this unit is about: this unit describes how to create and use groups. What you should be able to do: after completing this unit, you should be able to understand all of the options to create groups, and create groups using the manual entry and populate-from-query methods.
Unit objectives. After completing this unit, you should be able to: understand all of the options to create groups; create groups using the manual entry and populate-from-query methods. Figure 8-1. Unit objectives.
Group Definition. A group
134. Figure 9-49. Log masked details (report excerpt: repeated rows dated 2010-10-20 of "insert into db2inst1.g_employees (e_id, e_firstname, e_lastname) values ..." with distinct Full SQL timestamps; callouts: the Full SQL timestamp is logged; the actual SQL command is masked, and a separate line will be logged for each occurrence of the command).
Notes: Log Masked Details logs the Full SQL Timestamp but continues to mask the SQL string. This is used in instances where the exact time of the SQL request is important but the values should not be exposed.
Log only. (Screenshot residue: Access Rule Definition, Rule 1 of policy Training01, with a report window showing a start date of 2010-10-21 11:17:50 and an end date of 2010-10-21 13:17:50.)
135. Figure 9-7. Constructs (2 of 2) (report excerpt: several rows with the same construct hash and the SQL "insert into grd_construct (col1, col2) values ..." with different counts and Access Period timestamps on 2010-08-20; callouts: a new line is also added when a new session begins; the SQL request was made 202 times within the same session but was made in three different Access Periods, and a new entry is made for each Access Period; two lines occur during the same Access Period but were run in different sessions).
Notes: If the sniffer receives the same construct multiple times within the defined Access Period (usually one hour) and within the same session, it counts the number of times it receives the construct and updates the Access Period Timestamp to the time of the last request. So, in reporting, the finest level of detail you will see is that the construct was run x number of times within an hour, with a timestamp repr
136. Figure 4-14. User LDAP Import.
Notes: User definitions can be imported from an LDAP or Active Directory server. To import from an LDAP server, press the User LDAP Import link. Enter the required fields to access the LDAP server. Press Apply and Run Once Now. Choose the users to be imported. Optionally, the import process can be scheduled to run periodically or at a later date and time.
User & Role Reports. User & Role Reports includes access to two pre-defined reports. User/Role: lists all users with the number of roles to which each belongs; drill-down lists the actual roles. All Roles/User: lists all roles with the number of users belonging to each role; drill-down lists the actual users. Figure 4-15. User & Role Reports (screenshot: Access Management report with a users-and-roles table listing users such as diag, infosec and netadm).
Notes: The User & Role Reports link contains two reports. User/Role: lists all users with the number of roles to which each belongs; drill-down lists the actual roles. To access the drill-down, double-click
137. Notes: Guardium's Vulnerability Assessment tool evaluates the security of your database environment. It uses three different kinds of tests: query-based tests, behavioral tests and CAS-based tests. Query-based tests check for vulnerabilities such as missing patches, weak passwords, poorly configured privileges and default accounts. Behavioral tests are based on data gathered by Data Access Monitoring and look for items like excessive failed logins, clients executing administrative commands, and after-hours logins. CAS-based tests look for OS-level configuration vulnerabilities. After running the selected tests, Guardium presents an overall report card along with details on each result, including recommendations on resolving any issues it identifies as problem areas. (Unit 1: InfoSphere Guardium.)
Database Discovery. Database Discovery probes the network, locates servers running database services, and reports on its findings. (Screenshot residue: the Discovered Instances report with Database Discovery, Databases Discovered, Timestamp, Host, DB Port, DataSources and DB Users columns.)
138. Figure 9-4. Default behavior: Traffic.
Notes: To understand what a policy does, you must first understand how the system works with no policy installed (the default behavior). Once STAP has been installed and the inspection engines configured, STAP will start forwarding all database traffic to the collector. This traffic is analyzed, parsed and logged by the sniffer process on the collector, as follows.
Traffic sent by STAP. Database Client -> Database Server: client/server network connections; sessions (logins, logouts); SQL requests (commands). Database Server -> Database Client: failed login messages; SQL errors; result sets.
Traffic analyzed, parsed and logged by the sniffer. Database Client -> Database Server: client/server network connections; sessions (logins, logouts); SQL requests (commands). Database Server -> Database Client: failed login messages; SQL errors.
Traffic ignored and discarded by the sniffer: result sets. (Unit 9: Policies.)
Default behavior: Parsing and logging
139. (Unit 9: Policies.)
Access rules. After completing this topic, you should be able to create access rules within a policy. Figure 9-23. Access rules.
Access Rule Overview. Figure (screenshot: Policy Builder, Access Rule Definition, Rule 1 of policy Training01, with Description, Category, Classification and Severity (INFO) fields, and the criteria Server IP, Client IP, Client MAC, Net Prtcl, DB Type, Svc Name, DB Name, DB User, App User, OS User, Src App, Field, Object, Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event Exists, App Event Values, Data Pattern, Time Period, Event Type, Text, Numeric, Minimum Count 0, Quarantine for 0, and Actions; each criterion offers an "and/or Group" selector, and the Client IP/Src App/DB User/Server IP/Svc Name trusted-connections group).
140. Exception and Extrusion rules.
Exception Rule overview. Figure 9-57 (screenshot: Policy Rules for Training01, listing 1. Access Rule "DDL activity in production" (Log Only), 2. Access Rule "Privileged users accessing sensitive objects" (Alert Per Match), 3. Access Rule "Trusted connections" (Ignore STAP Session); buttons Expand All, Collapse All, Select All, Unselect All, Delete Selected, Copy Rules, Add Access Rule, Add Exception Rule, and Rule Suggestion with Suggest from DB, Rule min ct and Object Group min ct).
Notes: Exception rules evaluate exceptions returned by the database server to the client, generally failed logins and SQL errors. (Unit 9: Policies.)
Exception Rule Definition. (Screenshot residue: Exception Rule Definition, Rule 1 of policy Training01, with Description, Category, Classification, Severity (INFO), Server IP and Client IP fields, each with an "and/or Group" selector.)
141. Figure 7-29. Download and extract GIM installer (terminal listing on dbserver01 of the /tmp/stap/STAP_Suse directory: guard-bundle-GIM-guard-8.0.xx_r20992-1 installer files, both the bundle and the .sh installer, for SUSE 9, 10 and 11 on i686 and x86_64; "STAP Suse Discovery and GIM Agents").
Notes: In this example we will install GIM and Discovery on a SUSE Linux database server running DB2. We will use GIM to do the installation. We will also use the Instance Discovery module to automatically configure inspection engines. Please note that, like Windows, you may also run the S-TAP installer and add inspection engines manually. First, download the installer from IBM and extract it on the database server. In the example above, the directory STAP_Suse was extracted from the file CZMSTEN.tgz using the command tar xzvf CZM3TEN.tgz.
142. Figure 9-52. Skip logging (screenshot: an access rule definition whose criteria include Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event Exists, Event Type, Event User Name, App Event Values, Text, Numeric, Date, Data Pattern, Replacement Character, Minimum Count 0, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0, Rec. Vals., Cont. to next rule, and the action SKIP LOGGING).
Notes: Skip Logging: when matched, do not log a policy violation and stop logging constructs. This action is used to eliminate the logging of constructs for requests that are known to be of no interest. For example, this is commonly used with temp tables (objects beginning with a pound sign) in MS SQL Server. This feature also applies to exception rules concerning database error codes only, allowing users to not log errors when an application generates large amounts of errors and there is nothing that the user can do to stop the application errors. These SQL requests or SQL errors are still sent by STAP and are still processed by the sniffer. It helps in data retention and eases reporting, but does not provide the same performan
143. Viewing a report.
Notes: After adding the report to a pane, go to that pane to view the results. By default, the report will show the results for the previous three hours. To modify the time frame, click the Customize icon. (Unit 11: Custom Query and Report Building.)
Customize screen. Figure 11-19 (screenshot: Customize Portlet for report Training01, based on query Training01, title Training01. Run Time Parameters: QUERY_FROM_DATE > NOW -3 HOUR (Enter Period From); QUERY_TO_DATE < NOW (Enter Period To); REMOTE_SOURCE none (Remote Data Source); SHOW_ALIASES On/Off/default (Show Aliases). Presentation Parameters: fetchSize 20 (Max records per page); refreshRate 0 (Refresh rate, seconds)).
Notes: The Customize Portlet screen allows you to change both the data returned by the report and how it is presented. There are two types of report parameters. A run-time parameter provides a value to be used in a query condition. There is a default set of run-time parameters for all queries, and any number of custom run-time parameters can be defined in the query used by the report. Custom run-time parameters will be covered later i
144. Figure 1-16. Data Classification (screenshot: a classification process "XE" completed on 2010-08-17 against datasource ORACLE 192.168.169.130:1521/xe in 499.00 milliseconds; the result details show object SCOTT.CC_NUMBERS, column CC_NUM (VARCHAR2(25)), category Prod, classification Prod, rule "Search For Data: CC numbers" with TABLE_TYPE TABLE/VIEW, TABLE_NAME_LIKE cc, DATA_TYPE TEXT and a search value pattern; actions Log Result, Log CC; records 1 to 1 of 1).
Notes: Additionally, also due to the complexity of some environments and other factors such as mergers and acquisitions, some companies do not know where all of their sensitive data resides. Data Classification scans databases to find and classify any objects or fields containing sensitive data. In the example shown above, Data Classification has located a column in a table which might
145. Figure 11-20. Pane buttons (report excerpt: three rows for server 192.168.169.8 from client 192.168.169.8, DB users A2840, A8000 and DB2INST1, source program DB2BP; records 1 to 3 of 3; portlet buttons shown above the report).
Notes: Other portlet buttons include, from left to right above: Print Friendly Format, displays the panel contents in a printer-friendly format which minimizes the use of curved lines; Information, displays information about the portlet; Minimize, minimizes the portlet (when minimized, the Minimize and Maximize buttons are replaced by a Restore button); Maximize, maximizes the report window; Close, removes the portlet from the current pane.
Report buttons. Figure 11-21 (report excerpt: Training01, start date 2010-12-08 13:18:12, end date 2010-12-08 16:18:12, Aliases OFF; columns Server IP, Client IP, DB User Name, Source Program, Count of Sessions; the same three rows with session counts 1, 1 and 2; records 1 to 3 of 3; report buttons shown below the report).
Notes: Other report buttons, available at the bottom of all reports, include fro
146. [Screenshot residue: DB2 session list for server 192.168.169.8 (client ports 48513 to 55942, server port 50001, TCP, DRDA 3.0, DB users DB2INST1 and A8000, source program DB2BP) with a drilldown menu: Commands Execution Summary, Commands List, Objects Access Summary, Objects List, Sessions By Client IP, Sessions By Server IP, Sessions By Source Program, Sessions By User, Sessions Details By Server, User Activity Summary; detail table with columns Server IP, Client IP, DB User Name, Service Name, Source Program, SQL Verb, rows INSERT, INSERT, SELECT; Records 1 to 3 of 3.]
147. [Screenshot residue: session report with columns Server IP, Client IP, DB User Name, Source Program, Service Name and a Session Ignored flag; rows for 192.168.169.8 with DB users HR, APPUSER, A2840, A8000, DB2INST1, A4939 and A9404, source program DB2BP, service name SAMPLE; a drop down listing the action types ALERT PER MATCH, ALERT PER TIME GRANULARITY, ALLOW, IGNORE RESPONSES PER SESSION, IGNORE S-TAP SESSION, IGNORE SESSION, IGNORE SQL PER SESSION, LOG FULL DETAILS, LOG FULL DETAILS PER SESSION, LOG MASKED DETAILS, LOG ONLY, QUARANTINE.] Figure 9-45. Session ignored values. GU2022.0. Notes: Each Ignore Session rule type has its own flag in the Session Ignored field. 9-64 InfoSphere Guardium V9 Technical Training.
148. [Screenshot residue: report rows of captured full SQL with values from DB user SCOTT via source program SQLPLUS@CENTOS4, each inserting PRODUCT NAME values into a PRODUCT table; timestamps 2008-11-04.]
149. Unit 4 Access Management 4-23. Instructor Guide. Instructor notes: Purpose. Details. Answers. 4. True or false: A Guardium user can belong to multiple roles. 5. True or false: Once set, the user name (that is, user id) cannot be changed. 6. What feature can be implemented using the Data Security tab? a. Assigning a user to a role. b. Assigning an application to a role. c. Filtering results so specific users will only be able to see information from specific databases. d. Filtering results so specific panes will only be visible to specific users. Additional information. Transition statement. 4-24 InfoSphere Guardium V9 Technical Training. Instructor Guide. Unit summary: Having completed this unit, you should be able to: Create new users; Assign roles to new users. Figure 4-19. Unit summary. GU2022.0. Notes. Unit 4 Access Management 4-25. Instructor Guide. Exercise: At this point you should complete Exercise 2 in the Exercise Guide.
150. Activity, and so on. Optional Product Domains (for example Classifier Results; CAS Changes: database server configuration file changes, for example). Figure 11-5. Domain. GU2022.0. Notes: A domain provides a view of the stored data and has the following characteristics: Each domain contains a set of data related to a specific purpose or function (data access, exceptions, policy violations, and so forth). Each domain contains one or more entities. An entity is a set of related attributes (basically, a field value). A query returns data from one domain only. When the query is defined, one entity within that domain is designated as the main entity of the query. Each row of data returned by a query will contain a count of occurrences of the main entity matching the values returned for the selected attributes for the requested time period. This allows for the creation of two dimensional reports from entities that do not have a one to one relationship. Unit 11 Custom Query and Report Building 11-7. Instructor Guide. Query finder: New query. [Screenshot residue: GUI tabs View, Quick Start, Monitor, Audit, Discover, Assess/Harden, Comply, Protect; Build Audit Policies, Build Reports, My New Reports, Privacy Sets, Custom Reporting, Query Finder.] Query Name S
151. [Screenshot residue: Administration Console with menus Tools, Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management; Configuration items: Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP to Hostname Aliasing, Policy Installation, Portal, Query Hint, Session Inference, System, Upload Key File; Data Management, Central Management, Local Taps, Guardium Definitions, Custom Alerting, Module Installation. Currently Installed Policies: Installed Policy 1: Training01; Date Installed 10/21/10 12:16 PM; Not logging to flat; Rules don't fire on flat; Installed Rules 3; Baseline records 0; This is not a selective audit policy; buttons Edit Installed Policy, View Details, Report. Policy Installer list: Training01, Allow All, Basel II, Data Privacy, Data Privacy PII, HIPAA, PCI, PCI Oracle EBS, PCI SAP, Privileged Users Monitoring black list, Privileged Users Monitoring white list, SOX, SOX Oracle EBS, Vulnerability & Threats Management; Add Comments, Run Once Now.] Figure 5-17. Configuration: Policy Installation. Notes. GU2022.0. Policies must be installed to take effect. This will be covered in the Policy unit.
152. [Screenshot residue: Data Management menu: Data Archive, Data Export, Data Restore, Catalog Archive, Catalog Export, Catalog Import, Patch Backup, Results Archive (audit), Results Export (files), System Backup.] GU2022.0. These features will be discussed in the upcoming pages. Unit 6 System View and Administration Console II 6-3. Instructor Guide. Data Management: Data archive and purge. [Screenshot residue: System View > Administration Console > Data Management > Data Archive. Configuration: Archive data older than 1 Day(s); Ignore data older than 2 Day(s) (optional); Active Values; Protocols SCP / FTP; Host 192.168.169.8; Directory /opt/backup/archive; Username a8000; Password; Re-enter password. Purge: Purge data older than 14 Day(s); Allow purge without exporting or archiving. Scheduling: Data Archive is actively scheduled; Modify Schedule.] Figure 6-3. Data Management: Data archive and purge. Notes. GU2022.0. Archive and purge operations should be run on a scheduled basis. Data Archive backs up
153. Instructor Guide. Checkpoint solution (1 of 2). 1. True or False: A Guardium group always defines a group of users. 2. List the six methods used to build and populate Guardium groups: Manual Entry; Auto Generate Calling Prox; LDAP; Populate from Query; Classifier; GuardAPI. 3. Which of the following is not a built in Guardium group? a. Sensitive Objects. b. DML. c. DDL. d. DCL. Figure 8-38. Checkpoint solution (1 of 2). GU2022.0. Notes. 8-46 InfoSphere Guardium V9 Technical Training. Instructor Guide. Checkpoint solution (1 of 2, continued). 4. True or False: Manual entry of lists always includes a drop down list of items. 5. True or False: The Auto Generated Calling Prox option (Populate a Group Using Database Sources) is available on all database types. Figure 8-39. Checkpoint solution (1 of 2, continued). GU2022.0. Notes. Unit 8 Group Builder 8-47. Instructor Guide. Checkpoint solution (2 of 2). 6. True or False: GuardAPI can be used to script the populating of g
154. Unit 11 Custom Query and Report Building 11-65. Instructor Guide. Regenerate Portlet: click this button after changing the runtime parameters for the query on which the report is based. API Assignment: link additional API functions to predefined Guardium reports or custom reports. Drilldown Control: remove drilldown entries for this report. Back: exit the window without making any changes. 11-66 InfoSphere Guardium V9 Technical Training. Instructor Guide. Modify report: Tabular (1 of 2). [Screenshot residue: Custom Reporting windows. Report Columns: Query Training01, Report Title Training01. Report Parameter Description: Query Training01, Report Title Training01; Parameter Descriptions: Server IP, Client IP, DB User Name, Source Program, Count of Sessions, Enter Period From, Enter Period To, Show Aliases, Remote Data Source; buttons Archive results attempted, Archive results number, API Assignment, Drilldown Control, Back.] Figure 11-49. Modify report: Tabular (1 of 2). GU2022.0. Notes: To make changes to a report, click the Modify button, which will present a series of windows to change all of the report's settings: Report Col
155. [Screenshot residue: Module Installation menu: Setup By Client, Setup By Module, Upload.] Figure 7-32. Confirm installation from the GUI. GU2022.0. Notes: After successfully completing the GIM installation, go to the Guardium GUI and click the Process Monitoring link under Administration Console > Process Monitoring. You should have a GIM process and a SUPERVISOR process running on your database server. In this example GIM is pointed to a collector; GIM can also be managed by a Central Manager. 7-40 InfoSphere Guardium V9 Technical Training. Instructor Guide. Setup By Client. [Screenshot residue: System View > Administration Console; menus Tools, Daily Monitor, Guardium Monitor, Tap Monitor; sections Configuration, Data Management, Central Management, Local Taps, Guardium Definitions, Custom Alerting, Module Installation (Process Monitoring, Setup By Client, Setup By Module, Upload); Client Search Criteria: Client Name, Client IP 192.168.169.8, Client OS; Clear, Search.] Figure 7-33. Module Upload. GU2022.0. Notes: GIM is now available to aid in the installation of additional modules. To apply modules such as S-TAP, they must first be uploaded to the collector or Central Manager. To upload a module: Go to the Upload link under Administration Console g
156. [Screenshot residue: Group Builder. Groups list: Commands, Account Management Procedures, Active Users, Admin Users. Flatten All Hierarchical Groups: Scheduling: Flattening All Hierarchical Groups is currently not scheduled for execution; Modify Schedule; Run Once Now. Buttons: Populate from Query, LDAP, Group Filter, Roles, Clone, Modify, Delete. Create New Group: Application Type Public; Group Description Monitored Commands; Group Type Description COMMANDS; Group Sub Type Description; Category; Classification.] Figure 8-30. Hierarchical groups (1 of 3). GU2022.0. Notes: The Hierarchical checkbox allows a group to be defined as a group of groups. For example, if you have three groups of users (DBAs, SAs and Developers) who are also considered to be privileged users, you could create a group called Privileged Users that would contain the members of all three groups. This allows you to be specific when necessary (all DBA activity, for instance) while allowing for fewer steps when you have broader requirements (all Privileged user activity). To create a Hierarchical group: Create a new group. In this example we will create a group of Monitored Commands that will contain the DML and DDL groups. Check the Hierarchical checkbox. Press Add. 8-36 InfoSphere Guardium V9 Technical Training. Course m
157. Appendix A Monitoring Overview A-13. Instructor Guide. A.8 Developing Workflow: Now that we have defined our reports, users and roles, we must create an Audit Process to deliver the reports to the appropriate users based on our requirements. The Audit Process Builder is used to define: Who receives the reports; Which reports are delivered; The frequency of delivery; The workflow, which includes: the order of delivery; whether sign off is required; whether the delivery should stop at any user or role until they have reviewed or signed off on the audit process. Based on our requirements, below is an example of how to configure an audit process. Example requirements: Reports should be delivered to the Information Security (IS) group and signed by the IS manager. After the IS Manager has signed the reports, the reports should be delivered to the Audit and Database Manager groups for review. Delivery of reports should be broken down by database type (MS SQL Server or Oracle). A-14 InfoSphere Guardium V9 Technical Training. Instructor Guide. Example Audit Process. [Screenshot residue: Audit Process Builder: Description, View, Active.] There is no sche
158. Figure 11-17. Adding a condition, saving and publishing report. GU2022.0. Notes: This unit will cover query conditions in great detail, but in this example we will show how to add a simple condition and save the report. Adding a condition: To add a condition, click on the attribute in which you are interested and choose Add Condition (alternatively, drag and drop the attribute). In this example we will choose DB User Name. Choose an operator: choose IN GROUP and choose Trusted Users. To save the report: Press the Save button. Press the Add to Pane button and, in the pop up window, select the Pane on which you would like to add the report. You may add the report to any pane defined as a menu pane. 11-22 InfoSphere Guardium V9 Technical Training. Instructor Guide. Viewing a report. [Screenshot residue: G2000 Standalone Unit; tabs View, Quick Start, Monitor, Audit, Discover, Assess/Harden, Comply, Protect; Reports > Training01; columns Server IP, Client IP, DB User Name, Source Program, Count of Sessions; rows 192.168.169.8 / 192.168.169.8 / A2840 / DB2BP / 2; 192.168.169.8 / 192.168.169.8 / A8000 / DB2BP; 192.168.169.8 / 192.168.169.8 / DB2INST1 / DB2BP.] Figure 11-1
159. [Screenshot residue: Client Module Parameters (input required): STAP_PART_OF_BUNDLE, STAP_SQLGUARD_IP, STAP_SYMVERSION, STAP_TAP_IP, STAP_USE_TLS, STAP_VERSION, TEE_DEBUG, TEE_ENABLED; values 192.168.169.9 and 192.168.169.8; Apply to Selected; buttons Install/Update, Uninstall, Cancel install/update, Cancel uninstall.] Figure 7-38. Client Module Parameters (1 of 2). GU2022.0. Notes: Step 3 (continued). For Unix, the first setting we will apply is changing KTAP_LIVE_UPDATE to Y. In Unix and Linux this will later allow you to upgrade S-TAP without rebooting the database server. 7-46 InfoSphere Guardium V9 Technical Training. Instructor Guide. Schedule installation. [Screenshot residue: IBM InfoSphere Guardium Schedule dialog in Mozilla Firefox: Schedule Date now; browser message "The page at https://192.168.169.9:8443 says: A Module has been successfully scheduled for installation on all selected clients".] Figure 7-39. Client Module Parameters (2 of 2). GU2022.0. Notes: Step 3 (continued). Continue to scroll to the right and make the following entries: STAP_SQLGUARD_IP: the IP address of the collector. If you are running this process from a Central Manager, this
160. Details. Answers. 1. True or False: You can delete the accessmgr user if you do not want to use it. 2. True or False: By default, new users are automatically enabled. 3. User01 is currently in the USER role and is logged into the Guardium web interface. You add User01 to the DBA role. When will the user have access to the DBA functions? a. Immediately. b. Only after logging out and logging back in. c. Only after you run change layout. d. Only after you run change layout and the user logs out and logs back in again. Additional information. Transition statement. 4-22 InfoSphere Guardium V9 Technical Training. Instructor Guide. Checkpoint (2 of 2). 4. True or false: A Guardium user can belong to multiple roles. 5. True or false: Once set, the user name (that is, user id) cannot be changed. 6. What feature can be implemented using the Data Security tab? a. Assigning a user to a role. b. Assigning an application to a role. c. Filtering results so specific users will only be able to see information from specific databases. d. Filtering results so specific panes will only be visible to specific users. Figure 4-18. Checkpoint (2 of 2). GU2022.0. Notes: Write your answers here: 1. Unit 4
161. [Screenshot residue: Data Restore: Don't purge restored data for at least __ days; Restore. Results: Select, Host Name, From Date: grd01 2010-10-25 00:00:00.0; grd01 2010-10-26 00:00:00.0; Records 1 to 2 of 2; Select All, Unselect All.] Figure 6-6. Data Management: Data Restore. GU2022.0. Notes: Data restore is the opposite of a data archive. To restore data from an archive file: Enter a date range and host name (or a wildcard for all hosts) for the archive file that you would like to restore and press Search. Check the boxes next to the files you would like to restore. Enter the number of days you would like to retain the newly restored data in the "Don't purge restored data for at least" field; this will prevent the data from being purged before you have had a chance to review it. Press Restore. 6-8 InfoSphere Guardium V9 Technical Training. Instructor Guide. Data Management: Catalog Archive. [Screenshot residue: System View > Administration Console; menus Tools, Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management; Configuration; Data Management: Data Archive, Data Export, Data Restore, Catalog Archive, Catalog Export; Catalog Archive Search Criteria: From now -1 month, To now, Host Name; Catalog Archive Entry Locations: Host Name, From Date, File Na
162. Hierarchical groups (3 of 3) ... 8-37. Group reports ... 8-38. Checkpoint (1 of 2) ... 8-40. Checkpoint (2 of 2) ... 8-42. Unit summary ... 8-44. [illegible entry] ... 8-45. Checkpoint solution (1 of 2) ... 8-46. Checkpoint solution (1 of 2, continued) ... 8-47. Checkpoint solution (2 of 2) ... 8-48. Unit 9. Policies ... 9-1. Unit objectives ... 9-2. 9.1 Policy overview ... 9-3. viii InfoSphere Guardium V9 Technical Training. Instructor Guide. Policy overview ... 9-4. Policies defined ... 9-5. Default behavior: Traffic ... 9-6. Default behavior: Parsing and logging ... 9-8. Constructs (1 of 2) ... 9-10. Constructs (2 of 2) ... 9-12. [illegible entry] ... 9-14.
163. [Screenshot residue: rule action list: ETAILS, LOG ONLY, QUARANTINE, S-GATE TERMINATE, S-TAP TERMINATE.] Figure 9-84. S-GATE ATTACH/DETACH. Notes. GU2022.0. Before a user can be terminated, the user must be in firewall mode. If the firewall default state is set to 0, to put the user in firewall mode you must apply the rule S-GATE ATTACH; this should be for privileged users only. If the firewall default state is 1, then all users will be attached by default. This can cause some latency, so applications should never be left in firewall mode. In this case, use S-GATE DETACH to take applications out of firewall mode. 9-118 InfoSphere Guardium V9 Technical Training. Instructor Guide. S-GATE Terminate. [Screenshot residue: Policy Violations Details report, Start Date 2010-08-20 06:11:59, End Date 2010-08-23 06:31:59; a SQL*Plus window (Copyright (c) 1982, 2005, Oracle) showing "ERROR at line 1: ORA-03113: end-of-file on communication channel"; columns Access Rule Description, Client IP, Server IP, DB User, Full SQL String; row "Block Drop commands", client 10.10.9.56, 10.10.9.56; rule fields Not DB Name and/or Group, Not DB User and/or Group (Public, Authorized, LDAP Imported Users), Pattern, XML Pattern, Time Period, App Event Exists.
164. [Screenshot residue: Groups Usage Report rows: Monitored Commands / COMMANDS / 2010-09-30 14:30:43.0 / CREATE FUNCTION / 1, and likewise for DROP TYPE MAPPING, CREATE TABLE, ALTER MATERIALIZED VIEW, DROP OPERATOR, CREATE MATERIALIZED VIEW, TRUNCATE, CREATE TYPE MAPPING, ALTER PROCEDURE, BULK INSERT, DROP SYNONYM, CREATE PACKAGE BODY, WRITETEXT, DROP CLUSTER; Records ... to 20 of 80. Guardium Monitor menu: GIM Clients Status, Groups Usage Report, Guardium API Exceptions, Guardium Applications, Guardium Roles, Logins to Guardium, Number of Active Audit Processes, Outstanding Audit Process Reviews, Query Entities & Attributes.] Figure 8-33. Group reports. GU2022.0. Notes: Under Guardium Monitor there are two reports that provide details on all of the gr
165. False: One collector can monitor and gather data from multiple database servers. 5. True or False: Guardium includes a built in email server. Unit 2 Guardium Architecture 2-31. Instructor Guide. Unit summary: Having completed this unit, you should be able to: Identify the methods that Guardium uses to capture database traffic; Describe aggregation and central management; Understand the options to integrate Guardium with other tools. Figure 2-22. Unit summary. GU2022.0. Notes. 2-32 InfoSphere Guardium V9 Technical Training. Instructor Guide. Checkpoint solutions. 1. Guardium collectors are also known as G2000s and Guardium aggregators are also known as G5000s. 2. True or False: The span port method and the network tap method monitor both local and network traffic. 3. Which operating system is used on the Guardium appliances? 1. SUSE Linux. 2. Windows 8. 3. RedHat Enterprise Linux 5. 4. AIX. 4. True or False: One collector can monitor and gather data from multiple database servers. 5. True or False: Guardium includes a built in email server. Figure 2-23. Checkpoint solutions. GU2022.0. Notes. Co
166. Guardium goes about capturing database traffic. What you should be able to do: After completing this unit, you should be able to: Identify the methods that Guardium uses to capture database traffic; Describe aggregation and central management; Understand the options to integrate Guardium with other tools; Identify Guardium's hardware and software configuration. Unit 2 Guardium Architecture 2-1. Instructor Guide. Unit objectives: After completing this unit, you should be able to: Identify the methods that Guardium uses to capture database traffic; Describe aggregation and central management; Understand the options to integrate Guardium with other tools. Figure 2-1. Unit objectives. GU2022.0. Notes. 2-2 InfoSphere Guardium V9 Technical Training. Instructor Guide. 2.1 Data collection methods. Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job. Unit 2 Guardium Architecture 2-3. Course materials may not be reproduced in whole or in pa
167. Hmon: to monitor network TCP traffic. START: Start the S-TAP and/or CAS service after installation. 7-68 InfoSphere Guardium V9 Technical Training. Instructor Guide. Topic summary: After completing this topic, you should be able to: Understand the non interactive installation methods for UNIX and Linux; Understand how to use GuardAPI to configure inspection engines. Figure 7-57. GrdApi inspection engine creation. GU2022.0. Notes: The syntax to create an inspection engine using GrdApi includes the following (see the S-TAP help book for additional optional commands): grdapi create_stap_inspection_engine: the GuardAPI command. Protocol: the database protocol (DB2, Informix, Oracle, Sybase, MySQL, FTP, Windows file share, Kerberos, MSSQL Named Pipes). portMin: starting port number of the range of listening ports configured for the database. portMax: ending port number of the range of listening ports for the database (see the note above). Client: a list of Client IP addresses and corresponding masks to specify which clients to monitor; a client address/mask value of 1.1.1.1/0.0.0.0 will monitor all clients. procNames: for a Windows Server; for Oracle or MS SQL Server, only when named pipes are used. For Oracle the list usually has t
168. IBM Training. Instructor Guide. InfoSphere Guardium V9 Technical Training. Course code GU202, ERC 2.0. Instructor Guide. Trademarks: IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. The following are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide: AIX, AS/400, DB2, Guardium, Informix, InfoSphere, S-TAP, System z, Tivoli, z/OS. Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States and/or other countries. Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the Marks) of VMware, Inc. in the United States and/or other jurisdictions. Netezza is a trademark or registered trademark of IBM Interna
169. IN DYNAMIC GROUP as the operator and enter the name of the parameter. In this example, Command is the name of the parameter. Unit 11 Custom Query and Report Building 11-45. Instructor Guide. Run Time Parameters: Dynamic groups: Results. [Screenshot residue: Run Time Parameters: Command IN DYNAMIC GROUP DDL Commands (Choose Group For SQL Verb); DBUser LIKE (Enter Value for DB User Name); QUERY FROM DATE > NOW -3 HOUR; Start Date 2010-12-14 15:13:32, End Date 2010-12-14 18:13:32; Aliases; Command IN DYNAMIC GROUP DDL Commands, DBUser LIKE scott; columns Server IP, Client IP, DB User Name, Service Name, Source Program, Object Name, Total access; rows 192.168.169.8 / 192.168.169.8 / SCOTT / DB2INST1 / DB2BP / training01 / 2; 192.168.169.8 / 192.168.169.8 / SCOTT / DB2INST1 / DB2BP / ora v1 / 1.] Figure 11-34. Run Time Parameters: Dynamic groups: Results. GU2022.0. Notes: The example above demonstrates how runtime parameters work. You simply enter the values in which you are interested and the report will return only data related to those values. Alternatively, you may enter a wildcard (%) to return all data. For dynamic groups you must choose a value from the pull down list. 11-46 InfoSphere Guardium V9 Technical Training. Course materials
170. If a report is created on one collector, it is immediately available on all of the other appliances, including the Central Manager itself.

Central management (2 of 2): The central manager also defines users, roles and other values and pushes them down to the collectors.

Figure 2-15: Central management (2 of 2) (diagram: an Aggregator/Central Manager holding Users, Roles, Group Members, etc., pushing them down to three Collectors).

Notes: The Central Manager also provides a central location for the creation of users, roles and other values. Users and roles can be managed on the Central Manager and pushed out to the managed units on a scheduled basis.

Small environments: In a small environment, one appliance might act as both an aggregator and a central manager for the entire system.

Figure 2-16: Small environments (diagram: a single Aggregator/Central Manager with Users, Roles, Group Members, etc., above three Collectors).

Notes: A small environment might incl
171. Log policy violation only: It is similar to an alert in that any time the rule is triggered, a policy violation will be created. This is useful when you need to report on specific policy violations but do not require an alert.

Quick parse

(Screenshot of the access rule definition: Description "Users using Authorized Source Programs Quick Parse"; Category, Classification, Severity INFO; the criteria fields Server IP, Client IP, Client MAC, Net Prtcl, DB Type, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object, Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event Exists, Event Type, Event User Name, App Event Values Text/Numeric/Date, Data Pattern, Replacement Character, Time Period; Minimum Count 0; Reset Interval 0 minutes; Message Template Default; Quarantine for 0 minutes.)
172. SNMP traps or alert-related Syslog messages will be sent until the Alerter is configured and activated. Other components create and queue messages for the Alerter. The Alerter checks for and sends messages based on the polling interval that has been configured for it.

Active on startup: If marked, the Alerter will be activated automatically each time the appliance restarts.

Polling: Sets the frequency at which the Alerter checks for and sends messages. The polling interval is measured in seconds. This should usually be left at the default frequency, which is every 60 seconds.

SMTP: The SMTP section is used to configure the Alerter to send SMTP email messages. You can configure the SMTP connection as follows:

IP Address/Host Name: Enter the IP address or hostname for the SMTP gateway.

Port: Enter the SMTP port number. It is usually set to port 25.

Test Connection (optional): Click the Test Connection button to verify the SMTP address and port. This only tests that there is access to the specified host and port; it does not verify that this is a working SMTP server. A dialog box is displayed informing you of the success or failure of the operation.

User Name: If your SMTP server uses authentication, enter a valid user name for your
173. (Screenshot residue: the policy's rule list. Rule 2, Ignore Session: Source Program in the Monitoring Scheduled Processes group, all other criteria ANY, action Ignore STAP Session. Rule 3, Access Rule "Privileged Users Log Full Details": DB User in the Monitoring Privileged Users group, all other criteria ANY, action Log Full Details, Continue to next rule. Rule 4, Access Rule "DML on Sensitive Objects Alert": Object in the Monitoring Sensitive Objects group AND Command in the DML group, action Alert and Record Values.)
174. LOG MASKED DETAILS

Figure 9-46: Log full details

Notes: To meet some customer requirements, logging just the construct would not be sufficient. For these cases, Guardium has the ability to log more than the construct, using the Log Full Details policy action. With some variation, the Log Full Details actions:
- Log the exact timestamp for each occurrence matching the rule criteria
- Log the unmasked, full SQL string executed by the user

Examples of when Log Full Details rules are appropriate:
- The exact timestamp is required
- The values entered in a SQL request are of interest

Log full details: Example

(Screenshot of the rule as it appears in the policy table: DB User in the Privileged Users group, all other criteria ANY; Min Ct 0, Reset Int 0, Records Affected Threshold 0, Message Template Default; Action LOG FULL DETAILS; App Event Exists, App Event
175. DROP TABLE (screenshot residue: a report's drill-down menu with Object Details, DROP TABLE, INSERT, Sensitive Objects List, Throughput Chart, Alias Definition, Show SQL and Show SQL with Values; the Alias Quick Definition window for the selected row, with Server IP 192.168.169.8 aliased as Finance Server, Client IP 192.168.169.8, user SCOTT, Service Name DB2INST1, command INSERT, object dd01; and the Show SQL result (the masked string insert into dd01 values with the values replaced) beside the Show SQL with Values result insert into dd01 values (1, 2093).)

Figure 11-37: Special drill down options

Notes: In addition to the drilldown reports described on the previous pages, most reports will also display three drill-downs with special characteristics:
- Alias Definition: When aliases are enabled, this drilldown will bring up a window to apply aliases to the values displayed on the given row.
- Show SQL: Clicking this option will provide the underlying masked SQL string for the row selected.
- Show SQL with Values: This option will display the full, unmasked SQL string if the request was logged with Full Details.
176. S-TAP is currently connected. If you want to modify the S-TAP configuration from the Guardium administrator console, you must be logged into the active host. Usually the active host will be the primary host.
- Primary Host: the preferred Guardium appliance to receive data from and control this S-TAP. This is the host that the S-TAP attempts to connect to each time the S-TAP restarts, or following a re-established connection to the primary host.
- Secondary Host: If multiple Guardium appliances are defined as hosts for the S-TAP, any appliance not designated as the primary host is a secondary host. If the S-TAP loses its connection to the active host and it cannot reconnect to the primary host, it will attempt to connect to a secondary host, in the order listed. When you are logged into the administrator console of a secondary host, you can view the S-TAP configuration, but you cannot edit it unless that host is also the active host at that moment.

Add Inspection Engines (screenshot: S-TAP Configuration, Host 192.168.169
177. Raw network traffic

Notes: The Guardium collector receives the traffic from the span ports and network taps as raw network traffic. A Linux process on the collector, the sniffer, parses this traffic, analyzes it and logs it into an internal relational database on the Guardium appliance. The current database is a MySQL server.

Topic summary: Having completed this topic, you should understand Guardium's data collection methods, including:
- SPAN ports
- Network taps
- S-TAP

Figure 2-9: Topic summary

2.2 Aggregation, Central Management and Integration

Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job.
178. (Screenshot residue, the bottom of the rule definition dialog: Records Affected Threshold 0; Rec Vals; Cont to next rule; Actions: QUICK PARSE.)

Figure 9-51: Quick parse

Notes: When a Quick Parse rule is triggered, WHERE clauses will not be parsed for the remainder of the session. This reduces parsing time. In this mode, all objects accessed can still be determined, since objects appear before the WHERE clause, but the exact object instances affected will be unknown, since that is determined by the WHERE clause.

Skip logging

(Screenshot of the access rule definition: Description "Temp Tables Skip Logging"; Category, Classification, Severity INFO; the criteria fields Server IP, Client IP, Client MAC, Net Prtcl, DB Type, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object
179. (Screenshot: Reports > My New Reports > Privacy Sets > New Query Overall Details; the Custom Reporting "New Query Overall Details" form with Query Name Training01, Main Entity Session, and Back/Next buttons.)

Figure 11-13: New query steps summary

Notes: This is a summary of the steps we have taken so far to create a new query:
1. Go to Monitor/Audit > Build Reports and press the Track data access button.
2. Click New.
3. Enter a Query Name and choose a Main Entity.
4. Press Next.

Custom query builder

(Screenshot of the Custom Reporting query builder for Training01, Main Entity Session, with Add Count, Add Distinct and Sort by count options; the Entity List on the left (Client/Server, Session, Application Events, Full SQL Values, Full SQL, Access Period, Field, SQL Value, Object Field, Qualified Object); Query Fields (Seq, Entity, Attribute, Field Mode, Order by, Sort Rank, Descend); Addition mode AND/OR and HAVING; Query Conditions (Entity, Agg, Attribute, Operator, Runtime Param). Callouts: Query Fields contains the attributes/fields that will appear in the report; to expand an entity, which will display the available attributes beneath it, click on the appropriate entity.)
180. (Diagram residue, the object types GuardAPI manages: Catalog Entry, Datasource, Datasource Reference, Group, Role, S-TAP, Process control.)

Figure 3-24: GuardAPI (1 of 2)

Notes: GuardAPI provides access to Guardium functionality from the command line or from scripted files. This allows for the automation of repetitive tasks, which is especially valuable in larger implementations. Calling these GuardAPI functions enables a user to quickly perform operations such as creating datasources, maintaining user hierarchies, or maintaining Guardium features such as S-TAP. GuardAPI includes a set of CLI commands, all of which begin with the keyword grdapi.

GuardAPI (2 of 2)
- Use grdapi commands to list all of the GuardAPI commands.

Figure 3-25: GuardAPI (2 of 2) (screenshot of the CLI output of grdapi commands: a table of ID and API Function, starting at ID 0 and including functions such as add_receiver_to_rule_action, add_time_period and change_rule_order).

Notes:
- To list all GuardAPI commands available, enter the grdapi command with no arguments, or use the grdapi commands command with no search argumen
181. InfoSphere Guardium S-TAP InstallShield Wizard: InstallShield Wizard Complete. Setup has finished installing IBM InfoSphere Guardium S-TAP on your computer.

Figure 7-16: Complete installation

Notes: The next page will inform you whether S-TAP started successfully or not. Confirm that the services have started and press Next. Finally, press Finish to complete the installation.

Confirm services

(Screenshot of the Windows Services list, Name and Description columns: .NET Runtime Optimization Service v2.0, Alerter, Application Experience Lookup Service, Application Layer Gateway Service, Application Management, ASP.NET State Service, Automatic Updates, Background Intelligent Transfer Servi
182. InfoSphere Guardium logs traffic
- Create a policy or set of policies to meet your requirements
- Install and manage policies
Note: The following topics will not be covered during this training: Baselines; Flat logging.

Figure 9-90: Unit summary

Exercise: If you waited to do exercises, you should complete Exercises 6 and 7 in the Exercise Guide at this point.

Figure 9-91: Exercise

Checkpoint solutions
1. Explain the purpose of S-GATE. S-GATE acts proactively as a firewall, examining incoming messages before they reach the database server.
2. Which S-GATE option is utilized to put a user in firewall mode? a. S-GATE ATTACH; b. S-GATE FIREWALL; c. S-GATE JOIN; d. S-GATE BEGIN.
3. Explain what REDACTion does. Redaction marks out or masks all or part of a result set value.
4. What happens to a user's session when it is S-GATE TERMinated? The user's session is dropped or disconnected from the databa
183. S-TAP

The Sniffer process on the collector accepts the database traffic forwarded from the S-TAP agent. It performs three main functions:
1. Analyzes the traffic and passes the relevant traffic to the parser
2. Parses the connection information and SQL strings
3. Logs the parsed data

From the diagram (Database Client 192.168.20.143 to Database Server 10.10.9.8):
- A session is established over port 1521 at 9:02 AM. The client issues the command insert into emp_salary (id, salary) values (2049, 185000). The client logs out at 9:14 AM.
- The Session entity is joined to the Client/Server entity. The following is parsed and logged to the Session entity: Session Start 9:02 AM, Session End 9:14 AM, Server Port 1521.
- The SQL entity is joined to the Session entity. The SQL statement is logged into the SQL entity with the values changed to question marks: insert into emp_salary (id, salary) values (?, ?).
- The contents of the SQL statement are parsed further to allow for more flexible and detailed reporting. These are logged to their own entities, which are joined to the SQL entity: Command entity, SQL Verb = Insert; Object entity, Object Name = emp_salary.
Note: the joins listed here are simplified for demonstration purposes and do not reflect the exact ERD.

Figure 9-5: Default behavior: Parsing and logging

Notes: When the sniffer receive
184. Taps: Inspection Engine Configuration

(Screenshot of the Inspection Engine Configuration panel: Log Request Sql String (checked), Log Sequencing, Log Exception Sql String (checked), Log Records Affected, Log timestamp per second, Compute Avg Response Time, Inspect Returned Data, Record Empty Sessions, Parse XML; Logging Granularity 60; Max Hits per Returned Data 64; Ignored Ports List; Buffer Free 100%; Restart Inspection Engines, Add Comments, Apply. Add Inspection Engine: Name, Protocol, DB Client IP/Mask, Port, DB Server IP/Mask, Exclude DB Client IP; one Oracle engine with DB Client IP/Mask 0.0.0.0/0.0.0.0, Port 1521, DB Server IP/Mask 192.168.169.8/255.255.255.255. Callout: these inspection engines are only used when a hardware solution (span port or network tap) collects the traffic; if using S-TAP only, inspection engines are configured in the Local Taps section.)

Figure 5-15: Configuration: Inspection Engines (2 of 2)

Notes: Inspection Engine Configuration: Add Inspection Engine (for SPAN port or network taps only). An inspection engine monitors the traffic between a set of one or more servers and a set of one or more clients, using a specific database protocol (Oracle or Sybase, for example). The inspection engine extracts SQL from network packets, compiles parse trees that identify sentences, requests, commands, objects and fields, and logs detailed information about that traffic to an int
185. (Screenshot residue, the tail of a policy rule table: App Event Text Val, Event Type, App Event Num Val, App Event Date, Event User Name, all ANY.)

Full SQL

(Report screenshot: Start Date 2010-10-20 13:52:51, End Date 2010-10-20 15:22:51, Aliases OFF, condition DBUser LIKE A4939; columns DB User, Full SQL Timestamp, Full SQL, Timestamp, SQL. Four rows for DB User A4939, each with its own Full SQL Timestamp (14:28:06, 14:29:22, 14:29:58, 14:30:18) and its own unmasked Full SQL, for example insert into db2inst1.g_employees (e_id, e_firstname, e_lastname) values (2001, 'Fed', 'Jackson'); all four rows share the construct timestamp 2010-10-20 14:22:36 and the masked SQL insert into db2inst1.G_EMPLOYEES (E_ID, E_FIRSTNAME, E_LASTNAME) values (?, ?, ?).)

Callouts: Full SQL is the unmasked SQL string. The construct and Access Period Timestamp will still be logged. Full SQL Timestamp: this will reflect the exact time that the command was issued, and a separate record will be logged for ea
186. To register to a Central Manager from a collector, click the Registration link. Enter the IP address and port of the Central Manager and press Register. The shared secret on the Central Manager and on the unit to be managed must match to enable registration.

Registering a unit from the Central Manager

(Screenshot: System View / Administration Console, Central Management panel, with the unit list (Unit, Insp. Engines, Installed Policy, Model, Ver, Last Patch, Last Ping) and the buttons Selected Units, Portal User Sync, Reboot, Restart Portal, Restart Inspection Engines, Refresh, Install Policy, Patch Distribution, Distribute Uploaded Jar Files, Distribute Patch Backup Settings, Distribute Authentication Config, Distribute Configurations, Register New, Patch Installation Status, Show Distributed Map, Distributed Monitor; status message "Registration Succeeded".)

Figure 6-14: Registering a unit from the Central Manager

Notes: You can also register units from the Central Manager. Press the Central Management link, press the Register New
187. (Report screenshot residue: rows with Server IP 192.168.169.8, Client IP 192.168.169.8, DB User DB2INST1, HR or SCOTT, Service Name DB2INST1, Source Program DB2BP, SQL Verb SELECT, and objects such as cc_numbers, SYSIBM.SYSTABLES, db2inst1.G_PRODUCTS, db2inst1.ccn and db2inst1.cc_numbers, each with a Total.)

Figure 11-30: Addition mode AND/OR

Notes: The AND and OR radio buttons allow you to control how the conditions are added to the query.

Having

(Screenshot of the query builder: Main Entity Session, Add Count, Add Distinct, Sort by count; Query Fields: 1 Client/Server, Server IP, Value; 2 Client/Server, Client IP, Count; Addition mode AND/OR; Query Conditions: HAVING Client/Server Client IP > Value 1. Result: Start Date 2010-12-10 11:31:22, End Date 2010-12-10 14:31, Aliases OFF; Server IP 192.168.169.8, Count of Client IP 2.)

Figure 11-31: Havin
188. (Screenshot residue: the policy's rule list, annotated with its decision flow. Rule 1: 3 Failed Logins within 5 minutes? Yes: Alert, action ALERT PER MATCH, Message Template Default. Rule 2, Access Rule "Trusted connections Ignore STAP Session": does the session information match the Trusted Connections group? Yes: IGNORE STAP SESSION. Rule 3, Access Rule "Privileged users log full details": is the DB User in the Privileged Users group? Yes: LOG FULL DETAILS. All other criteria ANY, Min Ct 0, Reset Int 0, Message Template Default; App Event Exists, App Event Text Val, Event Type, App Event Num Val, App Event Date, Event User Name all ANY.)
189. (Screenshot residue, the bottom of the access rule definition dialog: Event User Name and/or Group, Replacement Character, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0, Rec Vals, Cont to next rule, Action, Back, Save.)

Figure 9-24: Access Rule Overview

Notes: A policy rule is made up of four sections:
- Rule Description: Explains the purpose of the policy rule
- Criteria: Defines the fields and options that will trigger the rule
- Action: The activity that the appliance will perform when a rule is triggered
- Back/Save: Allows you to save or discard the policy rule

Access Rule Description

(Screenshot: Access Rule Definition, Rule 1 of policy Training01; Description "Privileged users accessing sensitive objects Log Full Deta"; Category, Classification, Severity INFO.)

Figure 9-25: Access Rule Description

Notes:
- Rule Description: Use this to describe what the rule does. This will be displayed in any policy rule violation.
- Category: The category will be logged with violations and is used for grouping and reporting purposes. I
190. (Table of contents, Unit 8 continued)
(illegible entry) 8-12
Manual entry (2 of 2) 8-13
Auto Generated Calling Prox (1 of 2) 8-14
Auto Generated Calling Prox (2 of 2) 8-16
Auto Generated Calling Prox: Options 8-17
Auto Generated Calling Prox: Using DB sources 8-19
Auto Generated Calling Prox example (1 of 6) 8-20
Auto Generated Calling Prox example (2 of 6) 8-21
Auto Generated Calling Prox example (3 of 6) 8-22
Auto Generated Calling Prox example (4 of 6) 8-23
Auto Generated Calling Prox example (5 of 6) 8-24
Auto Generated Calling Prox example (6 of 6) 8-25
LDAP (1 of 2) 8-26
LDAP (2 of 2) 8-27
Populate from Query (1 of 4) 8-28
Populate from Query (2 of 4) 8-29
Populate from Query (3 of 4) 8-31
Populate from Query (4 of 4) 8-32
(illegible entry) 8-33
GuardAPI (1 of 2) 8-34
GuardAPI (2 of 2) 8-35
Hierarchical groups (1 of 3) 8-36
Hierarchical groups (2 of 3)
191. add new members to a group is to manually type them in. To add new members using this method, type the member name in the "Create & add a new Member named" field and press Add.

Manual entry (2 of 2)

(Screenshot of the Group Builder, Manage Members for Selected Group: Group Name Privileged Users; Group Type USERS (Modify Group Type); Category (Modify Category); Group Members filter and list: A8000, APPUSER, DB2INST1, HR, LDAP, SCOTT; options: Create & add a new Member named; Add an existing Member to Group; Rename selected Member to; Delete selected Member; Back.)

Figure 8-10: Manual entry (2 of 2)

Notes: Some groups will also allow you to manually choose from a pull-down list by using the "Add an existing Member to Group" field. This list is based on data logged by Guardium and will be available for groups where the size of the list will be limited. For example, the number of users logged will be in the hundreds or thousands, and thus will have the pull-down available. However, there will likely be millions of fields logged, making a pull-down list impossible.
192. Netezza is a trademark or registered trademark of IBM International Group B.V., an IBM Company. Other product and service names might be trademarks of IBM or other companies.

Instructor course overview: This course enables the students to acquire the skills necessary to create reports, audits, alerts, metrics, compliance oversight processes, and database access policies and controls. This course also teaches the students how to archive, purge and backup.

Course stra
193. evaluation of database and data security health with both real-time and historical measurements. It compares the current environment against preconfigured vulnerability tests based on known flaws and vulnerabilities, grouped using common database security best practices like STIG and CIS, as well as incorporating custom tests. The application generates a Security Health Report Card with weighted metrics based on best practices and recommends action plans to help strengthen database security.
- An entity audit trail: A detailed report of activity relating to a specific entity is produced, for example a client IP address or a group of addresses.
- A privacy set: A report detailing access to a group of object/field pairs (a Social Security number and a date of birth, for example) is produced for a specified time period.
- A classification process: The existing database metadata and data is scanned, reporting on information that may be sensitive, such as Social Security numbers or credit card numbers.
- An external feed: Data can be exported to an external specialized application for further forensic analysis.
194. and actions. A policy is a set of rules to be enforced.

Figure 1-20: Checkpoint solutions (1 of 2)

Checkpoint solutions (2 of 2)
3. Match the following Guardium components with their correct usage: a. Real-time monitoring; b. Reporting; c. Compliance Workflow Automation; d. Configuration Auditing System; e. Vulnerability Assessment; f. Database Discovery; g. Data Classification.
- d: Tracks changes to database setup files and security objects
- Locates operating databases
- Performs database access filtering, alerting and prevention
- Locates sensitive data
- Generates built-in or custom documents
- Tests to evaluate the overall security of the database environment
- Routes reports to users for comments and sign-off
(The answer letters for the remaining items are illegible in the scan.)

Figure 1-21: Checkpoint solutions (2 of 2)

Unit 2: Guardium Architecture
Estimated time: 00:30
What this unit is about: This unit describes how IBM InfoSphere
195. antages: No database downtime required. Zero impact on the database server. Disadvantages: Local traffic is not captured. (Unit 2, Guardium Architecture, 2-7) Most switch vendors provide a limited number of SPAN ports. Network administrators do not want to give up their available SPAN ports. If spanning several servers, extraneous traffic may be captured. Contingency is difficult, if not impossible, to configure. Encrypted traffic requires key management to be logged. (2-8)
Network tap collection method
Figure 2-5: Network tap collection method (Database Clients, Database Server, Network TAP). Notes: Another common hardware solution is a network tap. The database server's network cable is connected to the network tap, not directly into the switch. The tap is then connected to the switch and to one (or possibly two) of the promiscuous ports on the Guardium collector. The network tap acts as a Y connector: all traffic going to and from the database server also goes to the collector. Adv
196. antages: No network reconfiguration needed. Zero impact on the database server. Disadvantages: Server downtime is required. Local activity is not captured. Additional hardware cost. Contingency is difficult, if not impossible, to configure. (Unit 2, Guardium Architecture, 2-9) Encrypted traffic requires key management to be logged. (2-10)
STAP Local monitoring
Figure 2-6: STAP Local monitoring (Guardium Collector, Database Server, Span port, AKA mirroring port). Notes: Of all the disadvantages with span ports and network taps, the lack of local host monitoring is the most critical. To close this hole, Guardium developed a software agent called an S-TAP (software tap) to forward local database activity to the collector. Local activity includes users directly accessing the system from a physically attached device as well as those connecting via SSH (secure shell) or remote desktop. Initially, S-TAP was meant to complement the hardware solutions: a span port or network tap would be used for network
197. any user and choose Record Details. All Roles/User: Lists all roles with the number of users belonging to each role. The drill-down lists the actual users. To access the drill-down, double-click on any role and choose Record Details. (Unit 4, Access Management, 4-19)
Data Security tab
Data Security enables data-level security at the observed data level and includes: Datasources Associated; Datasources Not Associated; Servers Associated; Servers Not Associated; User Hierarchy; User DB Association.
Figure 4-16: Data Security tab (the Datasources Associated list, Aliases OFF, with filters DataSourceNameLike and LoginName and columns Datasource Name, Host, Service Name, Login Name, Assoc Type; no data found). Notes: Data Security is designed to enable data-level security at the observed data level. In the case where specific Guardium users are responsible for specific databases, this mechanism will filter results system-wide so that the specific users will only be able to see the information from the spec
198. apabilities of the database management systems they work with. There are many drawbacks to native monitoring, including the impact on the database system, the ability of super users to bypass native monitoring, and the difficulties of integrating the native monitoring features of multiple database environments. (Unit 1, InfoSphere Guardium, 1-5)
Guardium's database access monitoring
IBM InfoSphere Guardium provides a complete monitoring solution that in most cases provides greater detail than native auditing methods while addressing their deficiencies. Minimal resource utilization (3 to 5% CPU utilization). DBAs have no access to Guardium unless provided by a Guardium administrator. Guardium collects database traffic from heterogeneous environments and standardizes it, allowing one system to monitor multiple database types.
Figure 1-5: Guardium's database access monitoring. Notes: IBM InfoSphere Guardium provides a complete solution to a company's monitoring needs. It has minimum impact on the database system operations, is implemented outside the database environment, and works consistently in heterogeneous database environments. (1-6)
199. aracter <hostname> <tap_ip> <sqlguard_ip>, where hostname is the name of the database server, tap_ip is the IP address of the database server, and sqlguard_ip is the IP address of the Guardium appliance. presets may be a file that contains a subset of global guard_tap.ini options, or an option list. (7-66)
GrdApi inspection engine creation
The GuardAPIs can be used to create and configure inspection engines:
grdapi create_stap_inspection_engine stapHost=192.168.2.118 protocol=Oracle portMin=1521 portMax=1521 dbInstallDir=/data/oracle10 procName=/data/oracle10/oracle/product/10.2.0/db_1/bin/oracle client=192.168.0.0/255.255.0.0 ktapDbPort=1521
Figure 7-56: Windows non-interactive installer. Notes: Below is the syntax to configure the Windows non-interactive installer:
setup s z <key> <install_dir> <install_table_file> <options>
key: A string value used to identify a line in the install table file. There will be one line for each S-TAP. In addition to the key, the install table file must contain the following: server ip or hostname (the IP address or host name of the database server on which S-TAP will be installed); guard
200. ardium V9 Technical Training
Choose Destination Location
Figure 7-9: Choose Destination Location (IBM InfoSphere Guardium S-TAP InstallShield Wizard: Select folder where setup will install files. Setup will install IBM InfoSphere Guardium S-TAP in the following folder. To install to this folder, click Next. To install to a different folder, click Browse and select another folder. Destination Folder: C:\Program Files\Guardium\GUARDIUM STAP). Notes: On the Choose Destination Location screen, press Next to install in the default location, or press Browse to select an alternate location. (Unit 7, S-TAP and GIM, 7-11)
Select Features
(IBM InfoSphere Guardium S-TAP InstallShield Wizard, Select Features: Select the features setup will install. Select the features you want to install and deselect the features you do not want to install. Features listed: ORACLE Encryption plugin; MSSQL Encryption plugin; CAS; Local Host Monitor; Na
201. as CSV Export file for this Audit Task is created and exported together with the CSV/CEF files. Note: The Export PDF file will not be compressed even if the Compress box in the previous step is checked.
Write to Syslog: If Export CEF file was selected, optionally mark the Write CEF to Syslog box to write the CEF records to syslog. If the remote syslog facility is enabled, the CEF file records will thus be written to the remote syslog.
Compress: If this box is checked, then the CSV/CEF files to be exported will be compressed.
PDF Content: The selections for PDF Content are Report (the current results), Diff (the difference between one earlier report and a new report), and Reports and Diff (both). Note: The selection of PDF Content applies to both PDF attachments and PDF export files. The Diff result only applies AFTER the first time this task is run; there is no Diff with a previous result if there is no previous result. The maximum number of rows that can be compared at one time is 5000. If the number of result rows exceeds the maximum, the message "compare first 5000 rows only" will show up in the diff result. (12-14)
Roles, Process Management
Roles can be Deleted, Cloned, Refreshed. Roles: No roles have been assigned t
202. as recorded. Callouts on the slide: Recommended Main Entity if not logging full details; not for general reporting; if the GuardAppEvent functionality is in use.
[Figure residue: a report screen (Start Date 2009-04-10 10:05:31, End Date 2009-04-10 11:05, Aliases OFF) with columns Client/Server Timestamp, Session Start Timestamp, Session Timestamp, Full SQL Timestamp, Access Period Timestamp, Period Start, App Event Timestamp, Full SQL, showing four "insert into timestampdemo ... values" rows; Records 1 to 4 of 4.]
Full SQL Time Stamp: when logging Full or Masked details, this is the exact time. The Session Timestamp is the time that Guardium records a SQL
203. ase client: Failed Login Messages; Sessions (log in/log out); SQL Errors; SQL Requests (commands); Result sets. SQL Requests and Result sets are sent by STAP but are discarded by the sniffer unless a policy rule is in effect to log the specific requests.
Figure 9-69: Selective Audit Trail default behavior (Database Client, Database Server, SQL Requests/commands). Notes: This slide describes the default behavior if you were to install a selective audit policy with no rules.
Traffic sent by STAP. Database Client -> Database Server: client/server network connections; sessions (logins, logouts); SQL requests (commands). Database Server -> Database Client: failed login messages; SQL errors; result sets.
Traffic analyzed, parsed and logged by the sniffer. (9-94) Database Client -> Database Server: client/server network connections; sessions (logins, logouts). Database Server -> Database Client: failed login messages; SQL errors.
Traffic ignored and discarded by the sniffer: SQL Requests; Result sets. The policy must contain a rule to log specific SQL requests, otherwise t
204. asically a field value. (11-10)
Access domain entities
Figure 11-9: Access domain entities (Client/Server, Session, Application Events, Full SQL Values, Full SQL, SQL, Access Period, Command, Object, Object Command, Field, Field SQL Value, Object Field). Notes: Below are the entities within the Access domain. The Access domain is where all SQL requests are logged.
Client/Server: client and database server connection info (IPs, OS, etc.). Session: database name, session start and end times. Application Events: events from the Guardium API. Full SQL Values: values logged separately for faster search. Full SQL: the full SQL string with values. SQL: the SQL request, no values. Access Period: when (logging granularity). Command: SQL command. Object: SQL object. Object Command: command detected in object. (Unit 11, Custom Query and Report Building, 11-11) Field: field. Field SQL Value: field value logged separately for faster search. Object Field: field detect
205. at is NOT checked, policy rules will fire at processing time using the policy installed at processing time.
Selective audit trail: This will cause a special type of policy to be created that will cause all SQL requests to be dropped by the sniffer. Only SQL requests defined in the Audit Pattern or in individual rules will be logged. Failed logins, SQL errors and session-level information will be logged. Creating and installing a policy with this box checked will change the default behavior even with no rules defined. This will be covered as a separate topic within this unit.
Audit pattern: used in conjunction with the Selective audit trail checkbox, as described above. (9-28)
Policy Definition (2 of 2)
Figure 9-17: Policy Definition (2 of 2) (Policy Builder, Policy Definition: Policy description; Policy category: Training; Policy baseline; Log flat; Rules on flat; Selective audit trail; Audit pattern; Roles: No roles have been assigned to this policy; buttons Back, Edit Rules, Apply). Notes: The Roles button allows you to grant access to other users. Back will bring you back to the previous screen. Edit Rules will tak
206. aterials may not be reproduced in whole or in part without the prior written permission of IBM. Instructor Guide.
Hierarchical groups (2 of 3)
Figure 8-31: Hierarchical groups (2 of 3) (Group Builder, Manage Members for Selected Hierarchical Group: Group Name: Monitored Commands; Group Type: COMMANDS; Category; Group Members: DDL Commands; options: Add existing Group to Group, Delete selected Member; the pull-down lists Account Management Commands, Administrative Commands, ALTER Commands, Application Privileged Commands, CREATE Commands, Data Transfer Commands, DBCC Commands, DML Commands, DROP Commands, GRANT Commands, Java Commands, KILL Commands, Peer Association Commands, Performance Commands, Procedural Commands, PROCEDURE DDL, RESTORE Commands; buttons Add, Comments, Back). Notes: For Hierarchical groups there is no option to type in group members. Instead, you must use the pull-down containing all of the groups matching the group type of the Hierarchical group. From Add existing Group to Group, choose DDL Commands and press Add. Repeat for DML Commands. Press Back when you are done. (Unit 8, Group Builder, 8-37) Hiera
207. ating system type, for example UNIX Oracle or Windows Oracle. Many of the preconfigured default template sets are used within Guardium's Vulnerability Assessments, where, for example, known parameters, file locations and file permissions can be checked. (10-6)
The Guardium default template sets all begin with the word Guardium. You cannot modify a Guardium default template set, but you can clone it and modify the cloned version. Each of the Guardium default template sets defines a set of items to be monitored. Make sure that you understand the function and use of each of the items monitored by that default template set, and use the ones that are relevant to your environment. After defining a template set of your own, you can designate that template set as the default template set for that template set type. After that, any new template sets defined for that operating system and database type will be defined using your new default template set as a starting point. The Guardium default template set for that type will not be removed; it will remain defined but will not be marked as the default.
Database Templates: Each database has a set of defined CAS templates. (Unit 10, CAS, VA and Discovery, 10-7)
208. base, but it cannot attribute specific database actions to specific application users. For some widely used applications such as SAP and PeopleSoft, Guardium has built-in support for identifying the end-user information from the application and can therefore relate database activity to the application end users. Applications supported by Application User Translation include: BO WI (Business Objects Web Intelligence); EBS (Oracle E-Business Suite); PeopleSoft; SAP Observed; (Unit 5, System View and Administration Console, 5-11) SAP DB; SIEBEL Observed; SIEBEL DB.
If you need to log the application user for an application not included in the above list, the following options provide alternate methods of achieving the same results: Identify Users via API (see the on-line help); Identify Users via Stored Procedures (see the next page). (5-12)
Configuration: Custom ID Procedures
[Figure residue: System View, Administration Console, Tools, Daily Monitor, Guardium Monitor, Tap Monitor; Administration Console > Configuration > Custom Identification Procedures; Alerte
209. bject Name: db2inst1 G_EMPLOYEES 10; db2inst1 G_PRODUCTS 10; db2inst1 g_employees 10.
[Figure residue: the drill-down report with columns Total access, Client Port, Server Port, Network Protocol, DB Protocol, DB Protocol Version, DB User Name, Source Program, Count of Sessions.]
Figure 11-36: Drill-down report example. Notes: The built-in Detailed Sessions List report contains DB User Name and Client IP as fields, so the new report we created on the previous page is now available as a drill-down. Drill-down reports are invoked by double-clicking a row on a report. When you choose a drill-down, it simply feeds data from the row that you click to the runtime parameters and displays the result. (11-48)
Special drill-down options
[Figure residue: a command report listing CREATE TABLE, INSERT, DROP TABLE, CALL, DROP PROCEDURE, DELETE, SELECT, GRANT, REVOKE, alongside the drill-down menu: Admin Users Sessions, Client IP Activity Summary, Command Details, DB Predefined Users Sessions, DB Server Throughput Chart, Detailed Sessions List, Exceptions Type Distribution, Full SQL By Client IP, Full SQL By DB User, Object Activity Summary, DR
210. button, enter the IP address of the unit to be managed, and press Enter. (6-16)
Standalone versus Managed By
Figure 6-15: Standalone versus Managed By (the IBM InfoSphere Guardium GUI with the System View, Administration Console, Tools, Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management and Reports tabs, and the S-TAP Status Monitor, Aliases OFF, with columns S-TAP Host, S-TAP Version, Server Status, Response, Primary Host, Local pipes, Encrypted, Firewall; Start Date 2010-11). Notes: Once a system has been added to a central management environment, the status of the appliance will change from Standalone Unit to Managed by. (Unit 6, System View and Administration Console II, 6-17)
Central Management screen
System View, Administration Console <
211. c. Sybase Encryption: monitor encrypted Sybase traffic. (7-22)
S-TAP Configuration Details (2 of 2)
Figure 7-20: S-TAP Configuration Details (2 of 2) (S-TAP Configuration: Host 192.168.169.104; Last response 2010-11-30 09:43:15.0; Version 8 21066; Details: Load balancing 0; Messages; Remote Syslog; Alternate ips; Shared Memory; Disable; Alert Shared Mem Monitor; MSSQL/DB2 Named Pipes Monitor: On For Network; Local TCP Monitor: On For Network; App server user id 0; Oracle Encryption; Sybase Encryption; Change Auditing; sections Application Server User Identification, Guardium Hosts, Inspection Engines, Add Inspection Engine). Notes:
SQL Server Decrypt: Controls the type of automatic decryption applied to the traffic seen by S-TAP. None: No automatic decryption. All SQL in SSL traffic will be ignored. All SQL in Kerberos traffic will be seen, but the database user name will be replaced by a string of hexadecimal characters by Kerberos. Kerberos and SSL: Automatically decrypts SSL and maps Kerberos names. SSL Only: Automatically decrypts SSL traffic. Use this option if all traffic of interest is SSL traffic
212. ccessmgr (accessmgr, accessmgr): Edit Roles, Change Layout. admin (admin, admin): Edit Roles, Change Layout. tjones (Ted Jones): Edit Roles, Change Layout, Delete. Roles listed: appdev, audit, cas, cli, datasec exempt, dba, diag, infosec, inv, netadm, review only.
Figure 4-9: User Browser, modifying roles. Notes: The Access Management tab is also used to assign users to roles. A user must belong to at least one of the following roles: accessmgr, admin or user. By default, every new user is added to the user role. (4-12)
User Browser
The Change Layout link is used to update the user's GUI to reflect modified roles (changing layouts). A user's GUI layout is determined by the roles to which the account belongs when logging into the system.
[Figure residue: Access Management > User Browser, with tabs Data Security, User Browser, User Role Browser, User Role Permissions, User LDAP Import, User & Role Reports; Filter string (case sensitive); columns Username, First Name, Last Name, Email, Actions (Edit Roles, Change Layout, Delete); rows accessmgr, admin, tjones Ted Jones; Layout: Username tjones.]
213. ce: Transfers files in the background using idle network bandwidth.
[Figure residue: a Windows Services list, each with its standard description, including Change Audit System; ClipBook; COM+ Event System; COM+ System Application; Computer Browser; Cryptographic Services; DCOM Server Process Launcher; DHCP Client; Distributed File System; Distributed Link Tracking Client; Distributed Link Tracking Server; Distributed Transaction Coordinator; DNS Client; DNS Server; Error Reporting Service (collects, stores and reports unexpected applica
214. ce benefit as Ignore STAP Session. It is only meant to be used when ignoring a small number of SQL requests. If you cannot use Ignore STAP Session but would like to ignore many types of requests (for example, log DDL and DML but ignore everything else), a Selective Audit Trail policy would be more effective. (Unit 9, Policies, 9-71)
Checkpoint
1. True or false: The Action portion of a rule is executed whenever the conditions in the rule are met.
2. True or false: You can only have one action per rule.
3. True or false: Access rules are ANDed left to right and ORed row to row.
4. True or false: An ALERT logs information as well as sending out an email or some other kind of notification.
5. What is the effect of an Ignore Session action on an SQL statement?
6. What is the effect of a Log Full Details action on an SQL statement?
Figure 9-53: Checkpoint. Notes: Write your answers here. (9-72)
Instructor notes. Purpose. Details. Answers: 1. True or false: The Action portion of a rul
215. cending order. (11-20)
Add Count adds a count of distinct instances as the last column of the report. Add Distinct adds or drops the ability to display one row per value in the report. Sort by count will cause the report to sort by the count field. (Unit 11, Custom Query and Report Building, 11-21)
Adding a condition, saving and publishing a report
[Figure residue: the Custom Reporting query builder: Addition mode (AND / OR); Query Conditions with columns Entity, Agg, Attribute, Operator; Entity List for Client/Server: Timestamp, Timestamp Date, Timestamp Time, Timestamp WeekDay, Timestamp Year, Server Type, Client IP, Server IP, Network Protocol, DB Protocol, DB Protocol Version, Source ...; buttons Delete, Clone, Roles, Generate Tabular, Regenerate, Add to Pane, Add to My New Reports, Expand All, Collapse All, Add Field, Add Condition; IBM InfoSphere Guardium navigation: View, Monitor/Audit, Discover, Assess/Harden.]
216. cess Name, Date Last Executed, Close this window.
Figure 12-13: Viewing an audit process. Notes: After an audit process has been run, receivers will be notified of new results via e-mail or through a link when logging into the appliance. To view an audit process, click on the link, then press the View button. (12-18)
Report delivery
[Figure residue: IBM InfoSphere Guardium, Training01; Audit process execution began 2010-12-21 11:44:09. Distribution Status: User 1 (Hengy Xarder, Role infosec), User 2 (racy Yuen, Role dba), User 3 (Dan Charles, Role audit); statuses shown: Viewed not Signed, Action Required: Review and Sign, Not Viewed, Not Distributed, Review Only; buttons Other Results For This Process, Sign Results, Escalate, Comment, Download PDF. Comments: 2010-12-21 11:47:32.0, User01, "change control ..." (garbled). Report: DBServer01 Sessions, Detailed Sessions List; Overall value this execution: 463; Overall Value History; Report Parameters used: QUERY_FROM_DATE 12/../2010 12:00 AM, QUERY_TO_DATE 12/../2010 11:59 PM.]
217. ch occurrence normally. The Full SQL information will be logged in addition to the standard logged data.
Figure 9-47: Log full details, Example. Notes: When the Log Full Details action is triggered, each individual SQL request will be logged into the Full SQL entity with the exact time the command was issued and the full, unmasked SQL string. The constructs and Access Period timestamps will also still be logged normally. Because each SQL request will now be logged, rather than just updating the construct counter, Log Full Details rules can potentially fill Guardium's internal database very quickly. (9-66)
Log full details per session
[Figure residue: a policy rule row with columns Cat, Classif, Sev, Client IP, Server IP, Src App, DB Name, DB User, App User, Client IP/Src App/DB User/Server IP/Svc Name, OS User, Svc Name, Net Protocol, Field, Pattern, XML Pattern, DB Type, Client MAC, Object, Command, Object/Command Group, Object/Field Group, Data Pattern, Replacement Character, Min Ct, Reset Int, Quarantine Min, Message Template, Rec Vals Threshold; the rule "Sensitive DML" matches ANY for all criteria, with Min Ct 0, Reset Int 0, Quarantine 0, Message Template Default, and action LOG FULL DETAILS PER SESSION (Objects, Command
218. could include any of the managed units. In this case we are running it from a collector, so the IP address will be the same as the collector we are using, which is 192.168.169.9. STAP_TAP_IP: the IP address of the database server, which is 192.168.169.8. After making these entries, press Apply to Clients and Install/Update to complete the configuration. (Unit 7, S-TAP and GIM, 7-47)
GIM Events List
[Figure residue: Administration Console > Guardium Monitor > GIM Events List; Start Date 2010-12-01 00:46:05, End Date 2010-12-01 00:46:06; Aliases OFF; columns Event Generator, Event Description; events: BUNDLE-STAP 8.0_r20992_1 INSTALLED; STAP-UTILS 8.0_r20992_1 INSTALLED; COMPONENTS 8.0_r20992_1 INSTALLED (2010-12-01 00:46:05.0); STAP ... 1 INSTALLED (garbled); TEE 8.0_r20992_1 INSTALLED; the left-hand report list includes Aggregation/Archive Log, Application Objects Summary, Audit Process Log, Available Patches, Buffer Usage Monitor, Cis Asmt Job Queue, Current Status Monitor, Definitions Export/Import Log, Enterprise Buffer Usage Monitor, GIM Clients Status, GIM Events List, GIM Installed Modules.]
Figure 7-40: Schedule installation. GU2022
219. ctivity_by_Privileged (CSV/CEF file label, truncated). Write to Syslog. [Screenshot: audit process task definitions] delivered as displayed here. Since the requirement is that Oracle and MS SQL traffic should be in separate reports, create each task twice, using the DB Server Type runtime parameter to break out each database type. Repeat this step for each report. [Screenshot: runtime parameters QUERY_FROM_DATE = start of last week, QUERY_TO_DATE = end of last week, DB Server Type = Enter Value for Server Type, GROUPING_SUB_TYPE = Choose A Group Type Or Sub Type to Group By, SHOW_ALIASES, REMOTE_SOURCE (Remote Data Source); task list: Report All Activity by Privileged users (Monitoring: All Activity by Privileged users), Report DDL Activity in Production Oracle and MSSQL (Monitoring: DDL Activity in Production), Report DML on Sensitive Objects Oracle and MSSQL (Monitoring: DML on Sensitive Objects), each from start of last week to end of last week; No roles have been assigned to this Process; buttons Roles, Back, Remove, Clone, Refresh, Save, Done] After entering all the receivers and
220. ctor, not S-TAP. Log Full Details: By default the Guardium collector will mask all values when logging a SQL string. For example, insert into tableA (name, ssn, ccn) values ('Bob Jones', '429-29-2921', '29249449494949494') will be logged as insert into tableA (name, ssn, ccn) values, with the values removed. This is the default behavior for two reasons: 1. Values should not be logged by default, because they might contain sensitive information. 2. Logging without values can provide for increased system performance and longer data retention within the appliance. Very often, database traffic consists of many SQL requests identical in everything except for their values, repeated hundreds, thousands or even millions of times per hour. By masking the values, Guardium is able to aggregate these repeated SQL requests into a single request called a construct. When constructs are logged, instead of each individual SQL request being logged separately, the construct is only logged once per hour per session, with a counter of how many times the construct was executed. This can save a tremendous amount of disk space, because instead of creating hundreds or millions of lines in the database, only one new line is added. (Page A-16.) [Screenshot: report header, truncated]
221. d a Client Module Parameter. Common: used when there are multiple database servers being configured at once; parameters apply to all of them. Client: used when there is just one database server being configured; parameters apply to just that server. 5. True or false: GuardAPIs are designed to run in an executable script and provide a method of performing non-interactive installs. Additional information. Transition statement. (Unit 7: S-TAP and GIM, page 7-73.) Unit summary: Having completed this unit, you should be able to: understand S-TAP; install S-TAP on Windows interactively; install S-TAP on Linux using GIM; understand the non-interactive installation methods. Figure 7-60: Unit summary (GU2022.0). Notes. (Page 7-74.) Exercise: At this point you should complete Exercise 4 in the Exercise Guide. Figure 7-61: Exercise (GU2022.0). Notes. (Unit 7: S-TAP and GIM, page 7-75.)
222. Compliance Workflow Automation log: Compliance Workflow Automation includes a detailed activity log. [Screenshot: Audit Process Log, Start Date 2009-12-08 10:57:50, End Date 2009-12-08 11:57:50, listing events for the audit process "Weekly database changes" run by admin: start of the manual audit process run, Start audit task and Finish processing audit task for the "failed logins" and "outstanding events" tasks, event status transitions (task start and stop), result distribution processed, and Finished manual run] Figure 12-4: Compliance Workflow Automation log (GU2022.0). Notes: Compliance Workflow Automation maintains a detailed activity log for all tasks, which includes ta
223. Query conditions (2 of 2): [Screenshot: operator drop-down listing CATEGORIZED AS, CLASSIFIED AS, IN ALIASES GROUP, IN DYNAMIC ALIASES GROUP, IN DYNAMIC GROUP, IN GROUP, IS NOT NULL, IS NULL, LIKE, LIKE GROUP, NOT IN ALIASES GROUP, NOT IN DYNAMIC ALIASES GROUP, NOT IN DYNAMIC GROUP, NOT IN GROUP, NOT LIKE, NOT REGEXP, REGEXP] Figure 11-29: Query conditions 2 of 2 (GU2022.0). Notes: Query conditions, continued. IS NOT NULL: the attribute value exists, but may be blank or unprintable. IS NULL: empty attribute. IN PERIOD: for a timestamp only; the timestamp is within the selected time period. LIKE: matches a like value specified in the boxes to the right. A like value uses the percent sign (%) as a wildcard character and matches all or part of the value. Alphabetic characters are not case sensitive. For example, %tea% would match tea, TeA, tEam, steam. If no percent signs are included, the comparison operation will be an equality operation. LIKE GROUP: matches any member of a group that may contain wildcard member names. For example, if the group contained a member named %tea%, it would match tea, TeA, tEam, steam, etc. (Unit 11, page 11-40.)
224. data files. And so on. Figure 3-18: File handling commands (GU2022.0). Notes: The file handling commands are used to work with the Guardium files, including the configuration files, the database files, the profiles, auditing files, and so on. (Unit 3: Command Line Interface, page 3-25.) Diagnostic commands: The diag command will bring up a menu-driven window that will allow you to perform a number of diagnostic functions. There are no functions that you would perform with the diag command on a regular basis; generally you would use this command only as directed by Technical Support. Figure 3-19: Diagnostic commands (GU2022.0). Notes: The diagnostic commands are used only under the direction of Technical Support. (Page 3-26.) Inspection engine commands: Use the inspection engine CLI commands to add an inspection engine, delete an inspection engine, list inspection engines, stop and restart an inspection engine, and so on.
225. ddress mask value of 1.1.1.1/0.0.0.0 or 0.0.0.0/0.0.0.0 will monitor all clients. (Page 7-28.) Exclude Client IP/Mask: a list of client IP addresses and corresponding masks to specify which clients to exclude. This option allows you to configure the S-TAP to monitor all clients except for a certain client or subnet, or a collection of these. Process Name: for MS SQL Server, use sqlservr.exe. Named Pipes: specifies the name of the named pipe used by MS SQL Server for local access. If a named pipe is used but nothing is specified here, S-TAP will attempt to retrieve the named pipe name from the registry. Instance Name: the database instance name is required for MS SQL Server 2005/2008 using encryption, or for MS SQL Server using Kerberos authentication. MSSQLSERVER is the default. (Unit 7: S-TAP and GIM, page 7-29.) Confirm Inspection Engine: [Screenshot: Administration Console, Configuration, S-TAP Control, S-TAP Host status]
226. der than 1 Day(s). Ignore data older than 2 Day(s) (optional). Export Values. Host: 192.168.169.200. Purge data older than 14 Day(s). Allow purge without exporting or archiving. Scheduling: Data Export is currently not scheduled for execution. IMPORTANT: This Purge configuration is used by both Data Export and Data Archive. Changes made here will apply to any executions of Data Archive, and vice versa. In the event that purging is activated and both Data Export and Data Archive run on the same day, the first operation that runs will likely purge any old data before the second operation's execution. For this reason, any time that Data Export and Data Archive are both configured, the purge age must be GREATER than BOTH the age at which to export AND the age at which to archive. Figure 6-4: Data Management, Data Export (GU2022.0). Notes: Data Export configures the export of data from a collector to an aggregator and, like Data Archive, should be set to Export data older than 7 days and Ignore data older than 2 days. Note: if you change the purge parameters here, they will also be changed in the Data Archive screen. (Page 6-6.) Data Management: Data Import (Aggregator)
227. [illegible entry] 1-2; Main features 1-3; The need for database access monitoring 1-4; Native auditing 1-5; Guardium's database access monitoring 1-6; Monitoring at the network level 1-7; Logging example 1-8; Guardium components 1-9; Real time monitoring (1 of 2) 1-10; Real time monitoring (2 of 2) 1-11; Built-in and custom reporting 1-12; Compliance Workflow Automation 1-13; Configuration Auditing System 1-14; Vulnerability Assessment 1-15; Database Discovery 1-16; Data Classification 1-17; Checkpoint (1 of 2) 1-18; Checkpoint (2 of 2) 1-20; Unit summary 1-22; Checkpoint solutions (1 of 2) 1-23; Checkpoint solutions (2 of 2) 1-24; Unit 2. Guardium Architecture 2-1; Unit objectives 2-2; 2.1 Data collec
228. distinguishing the colors on your monitor: for all status light sets, the left-most light is always red, the right-most light is green, and on sets of three lights the middle light is yellow. The TAP_IP entry in the guard_tap.ini file is required. If TAP_IP is missing, CAS will not start and an error message will be logged in the log file on the CAS client. (Unit 10: CAS, VA and Discovery, page 10-11.) VA (Vulnerability Assessment): runs a series of tests and gives you a rating of the percentage of tests that were passed. [Screenshot: IBM InfoSphere Guardium security assessment results] Figure 10-7: VA (GU2022.0). Notes: With Guardium's Vulnerability Assessment tool you choose from a series of tests. The results of the tests are displayed along with a rating, which represents the percentage of the tests that were passed. A rating of 75 means that 25 percent of the tests that were run detected at least one area of vulnerability in your system. (Page 10-12.) Vulnerability Assessment (1 of 4): Three types of VA tes
229. dule associated with this process. [Screenshot: audit process definition with Modify Schedule, Archive Results (keep for a minimum of a number of days or runs), Receivers table, Run Once Now] Notes: Under Receivers, enter each role based on the order in the requirements. Because the Audit and Database Manager roles should not receive the audit process until the Information Security Manager has signed it, the Information Security Manager role's Action Required is marked as Sign. Also, the Cont checkbox is unchecked, so that it will not reach subsequent users until it has been signed. [Receivers shown: role Information Security (Review), role Information Security Manager (Sign), role Database Manager (Review); task: Report All Activity by Privileged users, Oracle; Description: All Activity by Privileged users, Oracle; Task Type: Report; Report: Monitoring, All Activity by Privileged users; export CSV file; export CEF file; CSV/CEF File Label: All_A
230. e 2009-11-04 07:41:32, End Date 2009-11-04 14:41:32. [Screenshot: report with columns Session Id, Timestamp, Server IP, Client IP, DB User Name, Source Program, Sql, Total access; four rows of insert into SCOTT.G_PRODUCTS (P_ID, PRODUCT_NAME) values, Server IP 10.10.9.8, Client IP 10.10.8.8, DB user SCOTT, source program SQLPLUS@CENTOS4; Records 1 to 4 of 4] When logging constructs without values, the constructs are logged once per hour per session. Instead of adding additional lines per SQL request, the Total Access is incremented and the timestamp is updated. So in this example the system logged four additional lines instead of 111. When logging with Full Details, in addition to logging the data as shown above, Guardium logs the data with the values unmasked and each separate request, as shown below. Logging Full Details also provides the exact timestamp, whereas logging without details provides the most recent timestamp of a construct within the logging granularity time period, usually 1 hour. Full SQL with Parameters: [Screenshot: Start Date 2009-11-04 07:41:32, End Date 2009-11-04 14:41:32; columns Timestamp, Client IP, Source Program, Sql, Full Sql]
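The value masking and construct aggregation described in the Log Full Details notes above, as an added teaching illustration (not Guardium's own code): literals are replaced by a placeholder, identical masked statements within one session and hour collapse into a single construct row with a Total Access counter, and Log Full Details adds an unmasked row per request with its exact timestamp. The placeholder character, the literal syntax handled and the sample traffic are constructed assumptions.

```python
"""Added illustration (not Guardium code) of masking SQL values so that
repeated requests collapse into one 'construct' per session per hour, and
of what 'Log Full Details' adds on top. Sample traffic is constructed."""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed assumption: literals are single-quoted strings ('' escapes a
# quote) or bare numbers; each is replaced by a '?' placeholder.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def mask_values(sql):
    """Return the SQL with every literal value replaced by '?'."""
    return _LITERAL.sub("?", sql)


class ConstructLog:
    """Model of the collector's logging: one construct row per
    (session, hour, masked SQL) with a Total Access counter, plus an
    unmasked per-request Full SQL row only when full_details is on."""

    def __init__(self, full_details=False):
        self.full_details = full_details
        self.constructs = OrderedDict()  # (session, hour, masked) -> row
        self.full_sql = []               # (session, timestamp, raw sql)

    def log(self, session_id, timestamp, sql):
        masked = mask_values(sql)
        hour = timestamp.replace(minute=0, second=0, microsecond=0)
        key = (session_id, hour, masked)
        row = self.constructs.get(key)
        if row is None:
            # first occurrence in this hour/session: a new construct line
            self.constructs[key] = {"sql": masked, "total_access": 1,
                                    "last_seen": timestamp}
        else:
            # repeat: bump the counter and move the timestamp forward
            row["total_access"] += 1
            row["last_seen"] = timestamp
        if self.full_details:
            # exact time and unmasked values, one row per request
            self.full_sql.append((session_id, timestamp, sql))


def build_sample_traffic():
    """Constructed sample: 30 inserts spread over three sessions within one
    hour, plus one insert after the hour boundary (a new construct row)."""
    base = datetime(2009, 11, 4, 7, 45, 0)
    stmt = ("insert into SCOTT.G_PRODUCTS (P_ID, PRODUCT_NAME) "
            "values ({pid}, 'Product {n}')")
    reqs = [(f"session-{i % 3}", base + timedelta(seconds=i),
             stmt.format(pid=100 + i, n=i)) for i in range(30)]
    reqs.append(("session-0", base + timedelta(hours=1),
                 stmt.format(pid=999, n=999)))
    return reqs


def run_demo(full_details):
    """Log the sample traffic and report how many rows each mode produces."""
    log = ConstructLog(full_details)
    traffic = build_sample_traffic()
    for session_id, ts, sql in traffic:
        log.log(session_id, ts, sql)
    return {"requests": len(traffic),
            "construct_rows": len(log.constructs),
            "full_sql_rows": len(log.full_sql)}


if __name__ == "__main__":
    print(mask_values("insert into tableA (name, ssn, ccn) values "
                      "('Bob Jones', '429-29-2921', '29249449494949494')"))
    print("constructs only:", run_demo(False))
    print("log full details:", run_demo(True))
```

Thirty-one requests become four construct rows either way; only with full details does the Full SQL entity grow by one row per request, which is why the notes warn that such rules fill the internal database quickly.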
231. [Screenshot: User Browser rows for admin (admin@guardium.com), bmanty (Bill Manty, bill.manty@guardium.com), accessmgr (accessmgr@guardium.com) and cas, each with Edit Roles and Remove links] After adding a user, click the Roles link. On the next screen, check the appropriate role(s) for the user, then press Update. Note: all users must have either the User role or the Admin role, or both. Add User: From the Access Management tab, User Browser link, press Add User. On the next screen, enter the Username, Password, First Name, Last Name and E-mail address. Uncheck the Disabled box. Press Add User. Based on our example requirement, below are the necessary groups and users. Example Roles and Users. Requirement: Reports should be delivered to the Information Security (IS) group and signed by the IS manager. After the IS Manager has signed the reports, the reports should be delivered to the Audit and Database Manager groups for review. ROLE Information Security: USERS Russell Bell (rbell), Jim McNulty (jmcnulty), Jay Landsman (jlandsman), Lester Freamon (lfreamon). ROLE Information Security Manager: Russell Bell (rbell). ROLE Audit: Thomas Hauk (thauk), Joe Stewart (jstewart), Ellis Carver (ecarver). ROLE Database Manager: Bill Rawls (brawls), Omar Little (olittle)
232. e and can work with user ids. There are options to find users, add users, edit users, delete users (except for accessmgr and admin), and to change a user's GUI layout. (Page 4-6.) Instructor notes: If time allows, have the students follow along from their virtual machines. Purpose. Details. Additional information. Transition statement. (Unit 4: Access Management, page 4-7.) User Browser, adding a user (1 of 2): The Add User button is used to create, modify and delete Guardium user accounts. [Screenshot: Access Management, User Browser, with Filter string (case sensitive), Add User, User Search; users accessmgr and admin, each with Edit Roles and Change Layout links] Figure 4-6: User Browser, adding a user (1 of 2). Notes. (Page 4-8.)
233. e 1-2: Main features (GU2022.0). Notes: IBM InfoSphere Guardium is a database security and monitoring solution that addresses all aspects of database protection, including: Database Access Monitoring (real-time monitoring, alerting, filtering and prevention through policies and rules); Reporting (built-in and custom); Compliance Workflow Automation; Configuration Auditing; Vulnerability Assessment; Database Discovery and Data Classification. (Unit 1: InfoSphere Guardium, page 1-3.) The need for database access monitoring: Regulations and industry standards: SOX (Sarbanes-Oxley), PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act), and so on. Many corporations are required to monitor activity performed against their databases: PCI requires that all access to credit card information is logged; SOX requires that all privileged user activity is monitored. Other corporations choose to monitor database activity to meet their own internal security requirements and to protect sensitive and valuable data. Figure 1-3: The need for database access monitoring (GU2022.0). Notes: Every company has its own reasons for monitoring database access. In some cases monitoring is
234. (Page 2-5.) Additional detail on the hardware options will be supplied later in this module. (Page 2-6.) Span port collection method: [Diagram: database clients, appliance ports eth0, eth1, eth2, eth3, span port (AKA mirroring port), database server] Figure 2-4: Span port collection method (GU2022.0). Notes: When the Guardium solution was first developed, the goal was to provide a completely passive (i.e., zero impact on the database server) method to monitor database activity by capturing the database activity from the network. The two most widely used methods for capturing network traffic are span ports and network taps. Most modern network switches contain one or two ports, called span ports or mirroring ports, designated to monitor traffic on the switch. For the Guardium solution, these ports are configured to forward a copy of all traffic to and from a database server to one of the promiscuous ports on the Guardium appliance. Guardium receives an exact copy of all database traffic, which it can digest and log in its own internal database. Adv
235. [illegible entry] 11-26; [illegible entry] 11-27; [illegible entry] 11-29; Topic summary 11-31; (Contents, page xi.) Checkpoint solutions 11-32; Exercise 11-33; [illegible entry] 11-35; Query conditions 11-36; New query, Object main entity 11-37; Query conditions (1 of 2) 11-38; Query conditions (2 of 2) 11-40; Addition mode AND/OR 11-42; [illegible entry] 11-43; Parenthesis 11-44; Run Time Parameters, Dynamic groups 11-45; Run Time Parameters, Dynamic groups Results 11-46; Drill-down reports 11-47; Drill-down report example 11-48; Special drill-down options 11-49; [illegible entry] 11-50; Topic summary 11-52; Checkpoint (1 of 2) 11-53; Checkpoint (2 of 2) 2
236. e allows access to the default CAS reports but not to the CAS query builders. The cas role allows access to both the default CAS reports and the query builders. (Page 10-10.) CAS Status: By default, the functions described in this topic are available to the admin user and to users with the admin role. Open the Administrator portal and locate the Local Taps section of the Administration Console. If there is no Local Taps section, the unit type setting for this Guardium appliance needs to be changed; see the description of the store unit type command in the Configuration and Control CLI Commands topic for instructions on how to enable the Local Taps menu. To monitor CAS status, select CAS Status in the Local Taps section of the Administration Console to open the Configuration Auditing System Status panel. For each database server where CAS is installed and running, and where this Guardium appliance is configured as the active Guardium host, this panel displays the CAS status and the status of each CAS instance configured for that database server. Regarding the sets of status lights on the Configuration Auditing System Status panel: when you hover the mouse over a set of status lights, a pop-up text box displays the current status. If you have trouble
237. e database user is, a query might check: WHERE DB User Name = scott OR DB User Name = a8000 OR DB User Name = a4902 OR DB User Name = a4949 OR DB User Name = a5710 OR DB User Name = a9449 OR DB User Name = sa. (Unit 8: Group Builder, page 8-3.) If a group named Privileged Users is created and the user ids scott, a8000, a4902, a4949, a5710, a9449 and sa are added to that group, the query needs only to check: WHERE DB User Name IN GROUP Privileged Users. (Page 8-4.) Methods to build groups: There are six methods to build groups: Manual Entry; Auto-Generated Calling Prox; LDAP; Populate From Query; Classifier; GrdAPI. Figure 8-3: Methods to build groups (GU2022.0). Notes: There are six different ways groups can be built and populated in Guardium. These methods include: Manual Entry; Auto-Generated Calling Prox; LDAP; Populate From Query; Classifier; GrdAPI. Each of these methods will be described in the upcoming pages.
238. e is executed whenever the conditions in the rule are met. 2. True or false: You can only have one action per rule. 3. True or false: Access rules are ANDed left to right and ORed row to row. 4. True or false: An ALERT logs information as well as sending out an email or some other kind of notification. 5. What is the effect of an Ignore Session action on an SQL statement? The SQL is NOT sent on to the database server. 6. What is the effect of a Log Full Details action on an SQL statement? The entire SQL statement, including any values it contains, is logged. (Unit 9: Policies, page 9-73.) Topic summary: Having completed this topic, you should be able to create and understand access rules. Figure 9-54: Topic summary (GU2022.0). Notes. (Page 9-74.) Checkpoint solutions: 1. True or false: The Action portion of a rule is executed whenever the conditions in the rule are met. 2. True or false: You can only have one action per rule. 3. True or false: Access rules are ANDed left to right and ORed row to row. 4. True or false: An ALERT log
239. Configuration Auditing System (2 of 3): [Screenshot: CAS Template Item definition, OS Type UNIX, DB Type DB2, with fields Type, File name, Permissions, File Owner, File Group, Period in hours (Period will vary as a random interval between 1 second and whatever duration you provide here), Keep data, Use MD5, Enabled; buttons Add Comments, Apply, Back] Figure 10-5: Configuration Auditing System 2 of 3 (GU2022.0). Notes: CAS Template Item: the definition, or set of attributes, of a monitoring task over a single Monitored Entity. Users can define new CAS tests to construct new CAS templates, or use the predefined templates for each OS and each database type, optionally modifying them to meet specific database monitoring requirements. A template item is a specific file or file pattern, an environment or registry variable, the output of an OS or SQL script, or the list of logged-in users. The state of any of these items is reflected by raw data, i.e., the contents of a file or the value of a registry variable. CAS detects changes by checking the size of the raw data or by computing a checksum of the raw data. For files, CAS can also check for system-level cha
240. e must be uploaded to the Guardium appliance in order for the appliance to monitor encrypted SQL Server traffic. No key file is needed if an S-TAP has been installed on the SQL Server and configured to handle encryption; this is the recommended and most common way of configuring an S-TAP agent for MS SQL Server. To determine if an S-TAP is configured to handle encrypted MS SQL Server traffic: (Unit 5: System View and Administration Console, page 5-33.) Checkpoint: 1. A(n) ______ monitors the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol. 2. Using the S-TAP Status Monitor on the System View pane, how can you tell if an inspection engine has been configured or not? 3. Which of the following is NOT a function of the Configuration option on the Administration Console? a. Create and configure Guardium users. b. Create and configure inspection engines. c. Configure local taps. d. Upload and install software modules. 4. Applying license keys is a function of the configuration option. Figure 5-23: Checkpoint (GU2022.0). Notes: Write your answers here: 1. 2. 3. 4. (Page 5-34.)
241. e reports, and includes: Receiver name; To Do list notification; Continuation flag. Receiver Table: [Screenshot: receivers role infosec, role dba and role audit with Review/Sign action, To Do List, Email Notification (Link, Full Results, No) and Cont columns; Add Receiver fields: Receiver name (search users), Action Required (Review, Sign), To Do List, Email Notification (None, Link Only, Full Results), Continuous, Approve if Empty, Add] Figure 12-8: Receiver Table (GU2022.0). Notes: The receiver table controls who receives the workflow, the order in which users receive it, and the user's required action upon receipt. Options include: Receiver name: the receiver is selected from a drop-down list of Guardium individual users or roles. If a role is selected, all users with that role will receive the results; however, if signing is required, only one user will need to sign the results. Action Required: any actions the receiver is required to take are detailed here. The receiver may be required to: Review: indicates that the receiver does not need to sign the results. Sign: indicates that the receiver m
242. e right, which appears when a group operator is selected. (Page 11-38.) IN DYNAMIC GROUP: member of a group that will be selected from the drop-down list in the runtime parameter column to the right, which appears when a group operator is selected. IN DYNAMIC ALIASES GROUP: the operator works on a group of the same type as IN DYNAMIC GROUP; however, it assumes the members of that group are aliases. IN GROUP: member of the group selected from the drop-down list in the runtime parameter column to the right, which appears when a group operator is selected. IN GROUP and IN ALIASES GROUP cannot both be used at the same time. IN ALIASES GROUP: the operator works on a group of the same type as IN GROUP; however, it assumes the members of that group are aliases. Note that the IN GROUP and IN ALIASES GROUP operators expect the group to contain actual values or aliases, respectively. An alias provides a synonym that substitutes for a stored value of a specific attribute type. It is commonly used to display a meaningful or user-friendly name for a data value. For example, Financial Server might be defined as an alias for IP address 192.168.2.18. (Unit 11: Custom Query and Report Building, page 11-39.)
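The query-condition operators described on this page (LIKE and LIKE GROUP in the Query conditions notes, IN GROUP in the Group Builder example, and IN GROUP versus IN ALIASES GROUP just above), as an added teaching illustration rather than Guardium's own query engine: LIKE treats % as the only wildcard, ignores case and falls back to equality when no % is present; group operators look members up in a group table; the aliases operator resolves alias names to stored values before comparing. The group, alias and row data are constructed, and the choice to resolve aliases to their stored values is an assumption.

```python
"""Added illustration (not Guardium code) of the query-condition operators
described on this page, evaluated against constructed sample rows."""
import re


def like_to_regex(pattern):
    """'%' is the only wildcard; everything else is matched literally."""
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def op_like(value, pattern):
    """LIKE: case-insensitive; with no '%' it is a plain equality test."""
    if "%" not in pattern:
        return value.lower() == pattern.lower()
    return like_to_regex(pattern).match(value) is not None


def op_like_group(value, members):
    """LIKE GROUP: members of the group may themselves contain wildcards."""
    return any(op_like(value, m) for m in members)


def op_in_group(value, members):
    """IN GROUP: the group holds actual attribute values."""
    return value in members


def op_in_aliases_group(value, members, aliases):
    """IN ALIASES GROUP: members are alias names; `aliases` maps each alias
    to the stored value it stands for (assumption made for this example)."""
    return any(aliases.get(m) == value for m in members)


def op_regexp(value, pattern):
    return re.search(pattern, value) is not None


OPERATORS = {
    "LIKE": op_like, "NOT LIKE": lambda v, p: not op_like(v, p),
    "LIKE GROUP": op_like_group,
    "IN GROUP": op_in_group, "NOT IN GROUP": lambda v, g: not op_in_group(v, g),
    "REGEXP": op_regexp, "NOT REGEXP": lambda v, p: not op_regexp(v, p),
}


def evaluate(row, conditions, groups, aliases=None):
    """AND together (attribute, operator, operand) conditions for one row.
    Group operators take a group name and look its members up in `groups`."""
    aliases = aliases or {}
    for attribute, operator, operand in conditions:
        value = row.get(attribute, "")
        if operator in ("IN ALIASES GROUP", "NOT IN ALIASES GROUP"):
            hit = op_in_aliases_group(value, groups[operand], aliases)
            if operator.startswith("NOT"):
                hit = not hit
        elif operator.endswith("GROUP"):
            hit = OPERATORS[operator](value, groups[operand])
        else:
            hit = OPERATORS[operator](value, operand)
        if not hit:
            return False
    return True


# Constructed sample data, modelled on the page's own examples.
GROUPS = {
    "Privileged Users": {"scott", "a8000", "a4902", "a4949", "a5710", "a9449", "sa"},
    "Tea Programs": {"%tea%"},
    "Financial Servers": {"Financial Server"},
}
ALIASES = {"Financial Server": "192.168.2.18"}
ROWS = [
    {"DB User Name": "scott", "Server IP": "192.168.2.18", "Source Program": "steam"},
    {"DB User Name": "appuser", "Server IP": "192.168.2.19", "Source Program": "coffee"},
]


def privileged_on_financial(rows=ROWS):
    """DB user names of rows where a Privileged Users member reached the
    server known by the Financial Server alias."""
    conds = [("DB User Name", "IN GROUP", "Privileged Users"),
             ("Server IP", "IN ALIASES GROUP", "Financial Servers")]
    return [r["DB User Name"] for r in rows if evaluate(r, conds, GROUPS, ALIASES)]
```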
243. e you to the next step in creating your policy. Apply saves the policy definition. Policy Rules. [Figure 9-18: Policy Rules (Policy Builder screenshot for policy SOX01: Expand all, Collapse all, Select All, Unselect All, Delete selected, Copy Rules, Add Access Rule, Add Exception Rule, Rule Suggestion, Suggest from DB, Rule min ct, Object Group min ct, Back)] Notes: Next you start adding your rules to the policy. There are three types of rules to choose from: Access Rule, SQL requests made by a client against a database server; Exception Rule, SQL errors and failed login messages returned by the database server to the client; Extrusion, result sets returned by the database server to the client. We will start with Access Rules, followed by Exception and Extrusion rules. Pressing Add Access Rule will allow you to create a new Access Rule, as shown in the next topic. Checkpoint 1 Wh
244. eate_member_to_group_by_desc desc="Privileged Users" member=a7564; grdapi create_member_to_group_by_desc desc="Privileged Users" member=a4567; grdapi create_member_to_group_by_desc desc="Privileged Users" member=a2233; grdapi create_member_to_group_by_desc desc="Privileged Users" member=a5678; grdapi create_member_to_group_by_desc desc="Privileged Users" member=a4544. From a Linux or UNIX server, run the following command: ssh cli@<collector or central manager IP> < <file name created above>. For example: dbserver01$ ssh cli@192.168.169.9 < group_upload.txt; Pseudo-terminal will not be allocated because stdin is not a terminal. cli@192.168.169.9's password: Welcome cli, your last login was Tue Sep 28 08:45:29 2010. grd01.guard.swg.usma.ibm.com> ok ID=1000008; grd01.guard.swg.usma.ibm.com> ok ID=1000009. [Figure 8-29: GuardAPI (2 of 2)] Notes: GuardAPI commands, including those to create and populate groups, can be scripted and run in batch files. Hierarchical groups (1 of 3). [Screenshot: Group Builder, Modify Existing Groups, Not Filtered: Privileged Users, credit card objects, DBAs, PI Objects, test, Account Management
245. ectors. [Figure 2-18: Larger sized environments (diagram showing a Central Manager and multiple Aggregator and Collectors groups)] Notes: In an enterprise-sized deployment (usually more than 10 to 15 collectors), the Central Manager will not function as an aggregator. Instead, it will be dedicated to central management functions only. Integration: the Guardium appliances interact with other servers in the network environment: database servers, file servers (FTP server, File Server Windows, File Server Unix/Linux), backup servers (SCP, FTP, TSM or Centera; CSV files), email servers, LDAP/Active Directory, SNMP server, and other servers. [Figure 2-19: Integration] Notes: Guardium interacts with many other software servers i
246. ed. The two jobs can be scheduled individually, or the auto-discovery process can be defined to run the probe job as soon as the scan job completes. Because the processes of scanning and probing ports can take time, the progress of an auto-discovery process can be displayed at any time by clicking the Progress Summary button. Once the jobs have been completed, the results can be viewed using predefined reports. Database Discovery and classification (2 of 2). [Screenshot: report list (Admin User Logins, Connections Quarantined, Databases by Type, Databases Discovered, DataSources, DB Users Mapping List, Discovered Instances, Dropped Requests, Exception Count) and the Discovered Instances report (columns: Timestamp, Host, Protocol, Port Min, Port Max, DB Port, KTAP Instance, Client, Exclude, Results), plus the Results for Classification Process Policy window (Datasources: ORACLE XE 169; Process Run Log)]
247. ed in object. Logging and parsing. Database Server: session established over port 1521 at 9:02 AM; client issues the command insert into emp_salary (id, salary) values (2049, 185000); client logs out at 9:14 AM. Database Client. The Sniffer process on the collector accepts the database traffic forwarded from the S-TAP agent. It performs three main functions: 1. Analyzes the traffic and passes the relevant traffic to the parser. 2. Parses the connection information and SQL strings. 3. Logs the parsed data. The Session entity is joined to the Client/Server entity. The following is parsed and logged to the Session entity: Session Start 9:02 AM, Session End 9:14 AM, Server Port 1521. The SQL entity is joined to the Session entity. The SQL statement is logged into the SQL entity with the values changed to question marks: SQL insert into emp_salary (id, salary) values (?, ?). The contents of the SQL statement are parsed further to allow for more flexible and detailed reporting: the command and object are logged to their own entities and are joined to the construct entity (Command: Verb Insert; Object: Name emp_salary). Note: the joins listed here are simplified for demonstration purposes and do not r
248. eflect the exact ERD. [Figure 11-10: Logging and parsing] Notes: We viewed this slide in the policy unit; it is repeated here to help visualize the entity structure. Entity Hierarchy (entities and description): 1. Client/Server: each client/server connection has one or more sessions. 2. Session: each session has one or more requests. 3. SQL: each request has some combination of these entities: Application Events, Full SQL, Full SQL Values, Access Period. 4. Command: each request may contain commands. 5. Object: each command may contain objects (Object Command). 6. Field: each object may contain these entities: Field, SQL Value, Object Field. [Figure 11-11: Entity Hierarchy] Notes: The data within the Guardium database is logged in a hierarchical manner. Entities higher in the entity structure may contain multiple instances of entities lower in the hierarchy. For example: one Client/Server connection can contain multiple sessions; one SQL request (complete SQL statement) can contain many commands; one command may reference m
249. elect a Query: Report Title, Select a Report; Main Entity, Select an Entity. [Figure 11-6: Query finder, New query] Notes: After selecting a domain (in this example we chose the Access domain by choosing Track Access Data on the Build Reports pane), you will be brought to the Query Finder for that domain. To create a new query, press the New button. Alternatively, choose to Search for an existing query. Existing custom queries can be modified directly or cloned and saved as a new query. Existing built-in queries cannot be modified directly; if you would like to change a built-in query, you must clone it. In our example we will create a New query. New query: Name and main entity. [Screenshot: Build Reports, My New Reports, New Query, Overall Details: Query Name Training01; Main Entity drop-down: Select an Entity, Client/Server By Session, Client/Server, Session, Application Events, FULL SQL Values, Object Command, Object, Join Field, SQL Value, Object Field, Qualified Object, Server IP, Server Po
250. eleted. These default roles include: 1. user: provides the default layout and access for all common users. 2. admin: provides the default layout and access for Guardium administrators. 3. accessmgr: provides the default layout and access for the access manager. 4. cli: provides access to the CLI. The admin user has default access to the CLI. 5. diag: see the topic diag CLI Command in the online help on how to manage the diag role. 6. inv: provides the default layout and access for investigation users. 7. datasec-exempt: this role is activated when Data level security is enabled. If the user has this role, a Show all check box will appear in all reports. 8. review-only: a user specified by this role can only view results (Audit, Assessment, Classifier, Audit Results) and the To Do List. Note: a user must belong to at least one of these roles: user, admin or accessmgr. Sample roles: there are several sample roles that are provided out of the box. They can be deleted if not needed, and include dba, infosec, netadm, appdev and audit. Module-based roles: these roles will be available if the system license includes the associated software function: cas, Configuration Auditing System (CAS); pci, Database Activity Monitor PCI
251. ement: Results Archive (audit). Notes: Results Archive backs up audit task results (reports, assessment tests, entity audit trail, privacy sets and classification processes) as well as the view and sign-off trails and the accumulated comments from workflow processes. Result sets are purged from the system according to the workflow process definition. Data Management: Results Export (files). [Figure 6-11: Data Management, Results Export (files) (Administration Console screenshot: Configuration with Username, SCP/FTP password and Re-enter password fields; Host 192.168.169.128; Directory; Scheduling: Results Export is currently not scheduled for execution)] Notes: CSV, CEF and PDF files can be created by workflow processes. The Results Export (files) function exports all such files that are on the appliance.
252. ems ... A-7. A-7 Adding Guardium Users and Roles ... A-12. A-8 Developing Workflow ... A-14. [entry title unreadable] ... A-16. Contents xiii. xiv Instructor Guide. Trademarks: The reader should recognize that the following terms, which appear in the content of this training document, are official trademarks of IBM or other companies. IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. The following are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide: AIX, AS/400, DB2, Guardium, Informix, InfoSphere, S-TAP, System z, Tivoli, z/OS. Adobe is either a registered trademark or a trademark of Adobe Systems Incorporated in the United States and/or other countries. Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered tr
253. epresents the correct hierarchy? a. Attribute > Entity > Domain; b. Entity > Domain > Attribute; c. Domain > Attribute > Entity; d. Domain > Entity > Attribute. 4. You have set SQL as your Access Domain. Can you still ask for a count of something in the Session entity? Yes, since Session is above SQL. 5. In terms of an SQL select statement, Query Fields go on the SELECT clause and Query Conditions go on the WHERE clause. 6. True or false: On the customization screen you can change the date range for the main entity. [Figure 11-24: Checkpoint solutions] Notes. Exercise: At this point you should complete Exercise 10 in the Exercise Guide. Alternatively, you can wait and do Exercises 10, 11 and 12 at the end of this unit. [Figure 11-25: Exercise] Notes.
254. SKIP LOGGING. Log Full Details Rules: LOG FULL DETAILS; LOG FULL DETAILS PER SESSION; LOG MASKED DETAILS. Firewall Blocking: QUARANTINE; S-GATE ATTACH; S-GATE DETACH; S-GATE TERMINATE; S-TAP TERMINATE. Other Logging Rules: ALLOW; QUICK PARSE. Access Rule Example. [Screenshot: Policy Builder, Rule 1 of policy Training01; Description: Privileged users accessing sensitive objects; Category, Classification, Severity INFO; criteria rows: Server IP and/or Group, Client IP and/or Group, Client MAC, Net Prtcl and/or Group, DB Type, Svc Name and/or Group, DB Name and/or Group, Client IP/Src App/DB User/Server IP/Svc Name, App User and/or Group, OS User and/or Group, Src App and/or Group, Field and/or Group, Object and/or Group, Command and/or Group, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event Exists, Event Type, Event User Name, App Event Values Text and/or Gro
255. Topic summary: Having completed this topic, you should be able to: understand the default logging behavior; understand the concept of constructs. [Figure 9-9: Topic summary] Notes. Checkpoint solutions: 1. A policy is a set of rules applied by the sniffer (collector) against every request received. 2. The three types of rules are access, exception and extrusion. 3. A construct with a primary key is created for each new SQL request that the collector encounters. [Figure 9-10: Checkpoint solutions] Notes. 9.2 Installing and creating policies. Instructor topic introduction: What students will do; How students will do
256. er_data (id1, name1, ssn) values (161, 'Ted Simmons', 19 2948); 1 row created. [Figure 1-7: Logging example (report row: Timestamp; Server IP 192.168.20.127; Client IP 10.10.9.1; DB User SCOTT; Source Program C:\ORACLEXE\APP\ORACLE\PRODUCT\10.2.0\SERVER\BIN\SQLPLUS.EXE; Service Name XE; SQL insert into customer_data (id1, name1, ssn) values (?, ?, ?); Verb INSERT; Object Name customer_data)] Notes: All defined and monitored database activity is logged into Guardium's database in real time. When a user issues a command or statement against a monitored database, it is immediately logged into Guardium's database and is immediately available for alerting or reporting. Additionally, the strings are parsed into smaller data elements so that data is easier to categorize and build reports on. In the example above, the connection sqlplus scott/tiger@xenet is broken down into the database user name, source program and service name. The client IP and server IP are automatically logged along with this connection information. In addition to the entire SQL request being logged, it is also broken down into its constituent parts: the SQL Verb (INSERT) and object name (customer_data).
257. ernal database. Configuration: IP-to-Hostname Aliasing. [Figure 5-16: Configuration, IP-to-Hostname Aliasing (Administration Console screenshot: check boxes Generate Hostname Aliases for Client and Server IPs when available, and Update existing Hostname Aliases if rediscovered; Revert, Apply; Scheduling: IP-to-Hostname Aliasing is currently not scheduled for execution)] Notes: The IP-to-Hostname Aliasing function accesses the Domain Name System (DNS) server to define hostname aliases for client and server IP addresses. Note that there are two separate sets of IP addresses, one for clients and one for servers. When IP-to-Hostname Aliasing is enabled, alias names will replace IPs within Guardium where appropriate. Mark the Generate Hostname Aliases for Client and Server IPs when availab
258. ers. 1. A CAS template set is tailored to: a. An operating system, such as Unix; b. An operating system and database, such as Unix and DB2; c. Both a and b; d. Neither a nor b. 2. True or false: You can modify one or more of the CAS default templates. 3. CAS has been configured with a period of 2 hours. The last set of tests ran at 10:30 am. When will the next set of tests run? a. At 11:30 am; b. At 12:30 pm; c. Between 11:30 am and 12:30 pm; d. Between 10:30 am and 12:30 pm. Checkpoint (2 of 2): 4. What are the three categories of VA tests? 5. How often are the Guardium assessment tests updated by IBM? a. Annually; b. Quarterly; c. Monthly; d. Weekly. 6. True or false: You need only CAS or only VA, not both. [Figure 10-15: Checkpoint (2 of 2)] Notes: Write your answers here: 4. 5. 6. Instructor notes: Purpose, Details. Answers: 4. What are the three categories of VA tests? Query-based, Behavioral, CAS-based. 5. How often are the Guardium assess
259. es. Distribute Uploaded Jar Files; Distribute Patch Backup Settings; Distribute Authentication Config; Distribute Configurations. Portal User Sync. [Figure 6-17: Portal User Sync (Administration Console screenshot: Central Management, Portal User Synchronization: Synchronize Guardium portal users across all managed units using Secure File Copy (SCP/FTP); No configuration necessary; Scheduling: User Synchronization is actively scheduled; Modify Schedule; Run Once Now)] Notes: The Central Manager controls the definition of Users, Security Roles and Groups for all managed units. It does this by making an encrypted and signed copy of its complete set of definitions and transmitting that information to all managed units, in addition to some other definitions that are required f
260. es rules and policies to perform real-time filtering, alerting and prevention. Rule: a set of filtering criteria and actions. Policy: a set of rules to be enforced. Filtering: criteria specifying what is to be monitored. Alerting: notification when specific actions occur. Prevention: blocking actions before they are processed. [Figure 1-9: Real time monitoring (1 of 2)] Notes: Guardium does not simply log database activity; using policies and rules defined by the Guardium administrators, it can automatically perform specific actions (blocking, alerting, etc.) in real time. A policy is a set of rules applied against the database traffic as it is being monitored and logged into the Guardium appliance database. Each rule contains a set of criteria and one or more actions. Real time monitoring (2 of 2). [Screenshots: a Windows cmd.exe session running sqlplus scott/tiger@xenet (SQL*Plus Release 10.2.0.1.0 Production), and an Access Rule Definition dialog, Rule 1 of policy]
261. esenting the latest occurrence. When the sniffer receives the same construct multiple times over an extended time period, it will make new entries in the database in two cases: 1. The user starts a new session. When a new session starts, a new record is entered with its own Access Period timestamp and counter. All further occurrences of this construct within this session will update this record's Access Period timestamp and counter until a new Access Period begins, as described below. 2. When a new Access Period begins within the same session. The default access period is one hour (9:00 to 9:59, 10:00 to 10:59, etc.). When a new access period begins, the next occurrence will be entered as a new line with its own Access Period timestamp and counter. This method of logging saves a tremendous amount of space. As shown in the examples above, thousands of requests can be collapsed into just a few lines. If each line were written separately, the disk would fill up very quickly. In a production environment, millions of lines per hour can be saved in this manner. From a user perspective, the most important things to remember about constructs are: 1. You will see a masked SQL string (question marks instead of values). 2. If the collector log
262. essing non-database protocols and you want Guardium to not waste cycles analyzing non-database traffic. For example, if you know the host on which your database resides also runs an HTTP server on port 80, you can add 80 to the ignored ports list, ensuring that Guardium will not process these streams. Separate multiple values with commas, and use a hyphen to specify an inclusive range of ports, for example: 101, 105, 110-223. Restart Inspection Engines: click the Restart Inspection Engines button to stop and restart all inspection engines. Comment: click the Comment button to add comments to the Inspection Engine Configuration. Apply: click the Apply button to save the configuration. Configuration: Inspection Engines (2 of 2). [Screenshot: Administration Console, Configuration menu: Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, IP-to-Hostname Aliasing, Policy Installation, Portal, Query Hint, Session Inference, System, Upload Key File; Data Management; Central Management; Local
263. ettings include: Archive Values box, to include values from SQL strings in the archived data. If this box is cleared, values will be replaced with question mark characters in the archive, and hence the values will not be available following a restore operation. Storage method radio button, provides a value chosen from the list below. Depending on how the appliance has been configured, one or more of these buttons may not be available. For a description of how to configure the archive and backup storage methods, see the description of the show and store storage-system commands in the CLI Appendix. Available options include EMC CENTERA, TSM, SCP and FTP. Host, Directory, Username, Password: enter the credentials required for the destination server. Data Management: Data Export. [Screenshot: Administration Console, Data Management menu (Data Archive, Data Export, Data Restore, Catalog Archive, Catalog Export, Catalog Import, Results Archive (audit), Results Export (files), System Backup); Central Management; Export: Export data ol
264. etwork: store network interface ip <ip_address>; store network interface mask <subnet_mask>; store network routes def <default_router_ip>; store network resolver 1 <resolver_1_ip>; store network resolver 2 <resolver_2_ip>; store network resolver 3 <resolver_3_ip>; store system hostname <host_name>; store system domain <domain_name>. After the configuration has been completed, a restart system must be performed. After the system has rebooted, connectivity can be confirmed with the following commands: ping <default_router_ip>; ping <resolver_1_ip>. Aggregator commands: Use the aggregator CLI commands to: back up the shared secret keys file to a specified location; define the amount of collector data that the aggregator UI will work with; set the system shared secret key to null; start or stop writing debug information related to aggregator activities; move or rename failed import files; and so on.
265. [entry title unreadable] ... 9-45. [entry title unreadable] ... 9-46. Alert example ... 9-48. Policy ... 9-49. [entry title unreadable] ... 9-50. Ignore session rules ... 9-52. Ignore STAP session ... 9-53. Ignore STAP Session rule ... 9-55. Ignore sessions and sizing ... 9-56. Ignore STAP session rule: Trusted connections ... 9-57. Trusted connections group ... 9-58. Ignore SESSION criteria ... 9-59. Ignore STAP session example ... 9-60. Ignore responses per session ... 9-61. Ignore SQL per session ... 9-62. Ignore SESSION ... 9-63. Session ignored values ... 9-64. [entry title unreadable] ... 9-65. Log full details Example ... 9-66. Contents ix. Log full details per ses
266. Query buttons. [Figure 11-38: Query buttons (screenshot: Delete, Clone, Roles, Generate Tabular, Regenerate, Add to Pane, Add to My New Reports)] Notes: After adding your required query fields and defining the query conditions, you will need to save the query and configure it as a report. As described earlier, the simplest method to do this is to press Save and Add to Pane, which will save the query, create a tabular report and add it to a pane. Other options include: Delete, deletes the query (if you have created a report based on the query, you will need to delete the report first); Clone, saves the query with a new name; Roles, share the query with other roles; Back, exit the query builder without saving your changes; Generate Tabular, generates a tabular report without adding it to a pane; Regenerate, regenerates the report pane (you should press this button any time that you add, remove or alter runtime parameters on existing reports); Add to My New Reports, generates a tabular report and adds it to the My New Reports pane.
267. If nothing is entered, the default for the policy will be used.
- Classification: Optionally enter a classification in the Classification box. Like the category above, these are logged with exceptions and can be used for grouping and reporting purposes.
- Severity: Select a severity code (Info, Low, Med or High); the default is Info.
The Rule Description is the only required field.
Access Rule Criteria (figure): Server IP and/or Group; Client IP and/or Group; Client MAC; Net Prtcl and/or Group; DB Type; Svc Name and/or Group; DB Name and/or Group; DB User and/or Group (shown set to the Public group Privileged Users); Client IP/Src App/DB User/Server IP/Svc Name; App User and/or Group; OS User and/or Group; Src App and/or Group; Field and/or Group; Object and/or Group (shown set to the Public group Sensitive Objects); Command and/or Group; Object/Cmd Group; Object/Field Group; Pattern; Re
268. Certificate commands
Use the certificate CLI commands to:
- Create a certificate signing request (CSR)
- Store a CA (Certificate Authority) or intermediate trusted-path certificate on the Guardium appliance
- Store a server certificate on the Guardium appliance
- Create a Certificate Signing Request in PEM format
Figure 3-23. Certificate commands
Notes: The certificate commands are used to create a certificate signing request (CSR) and to install server, CA or trusted-path certificates on the Guardium appliance.
Note: Guardium does not provide Certificate Authority (CA) services and will not ship systems with certificates that differ from the one installed by default. A customer who wants their own certificate will need to obtain it from a third-party CA such as VeriSign or Entrust. Because the default certificate is the same on every shipped appliance, it does not identify your appliance to anyone; replacing it with one issued for the appliance's own host name is the expected production step.
GuardAPI (1 of 2)
- GuardAPI is a set of CLI commands that provide access to Guardium functionality from the command line.
- It allows for the automation or scripting of repetitive tasks.
- GuardAPI covers the following functions: CA
269. configuration on the Guardium appliance does not match the instance configuration on the monitored system: it has been updated on the Guardium appliance, but that update has not been applied on the monitored system.
Refresh: Click the Refresh button to re-check the status of all servers in the list. This button does not stop or restart CAS on a database server; it only checks the connection between CAS on the Guardium appliance and CAS on each database server.
Note: The TAP_IP entry in the guard_tap.ini file is required. If TAP_IP is missing, CAS will not start and an error message will be logged in the log file on the CAS client.
Figure 10-6. Configuration Auditing System (3 of 3)
Notes: CAS Hosts. Once you have defined one or more CAS template sets and have installed CAS on a database server, you are ready to configure CAS on that host. A CAS host configuration defines one or more CAS instances. Each CAS instance specifies a CAS template set and defines any parameters needed to connect to the database. For each database server on which CAS is installed there is a single CAS host configuration, which typically contains multiple CAS instances: for example, one CAS instance to monitor operating system items and additional CAS instances to monitor individual database instances.
CAS Reporting: The admin user has access to all query builders and default reports. The admin rol
270. Instructor notes. Purpose: Details: Answers:
1. Explain why you might need to put a period in the DB User field when setting up a failed login exception rule. Without the period, Guardium checks the number of failed logins in a given time period for all users combined. With the period, Guardium checks the number of failed logins in a given time period for each user separately.
2. True or false: An exclusion rule can be created to detect and log information on SQL error messages that are generated.
3. Explain what a regular expression is. A regular expression is a set of data pattern characters.
4. To have Guardium examine an actual result set value during an extrusion rule's evaluation, the Inspect Returned Data option box must be selected.
5. Which character is used by default when masking a value with an extrusion rule? a. b. c. blank d.
Topic summary: Having completed this topic, you should be able to:
- Create exception rules within a policy
- Create a failed logins alert
- Enable extrusion rules
- Create an extrusion rule
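To make the per-user versus all-users distinction in answer 1 concrete, here is an added example (not Guardium code) that evaluates a failed-login threshold over a constructed list of LOGIN_FAILED records, once per DB user (the period in the DB User field) and once across all users (the field left blank). The sliding window and the restart of the count after an alert are a simplification of the rule's Time Period, Minimum Count and Reset Interval fields, not a description of how the sniffer implements them.

```python
"""Failed-login threshold evaluation (added example, not Guardium's implementation).

Per-user evaluation models a period in the DB User field; all-users evaluation
models a blank DB User field. Records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed LOGIN_FAILED exceptions: (timestamp, server IP, DB user)
SAMPLE_EVENTS = [
    ("2010-08-04 10:50:00", "192.168.159.128", "scott"),
    ("2010-08-04 10:51:10", "192.168.159.128", "scott"),
    ("2010-08-04 10:52:00", "192.168.159.128", "hr_app"),
    ("2010-08-04 10:52:30", "192.168.159.128", "batch"),
    ("2010-08-04 10:53:30", "192.168.159.128", "scott"),
    ("2010-08-04 11:30:00", "192.168.159.128", "batch"),
]


def parse_events(rows):
    """Turn the constructed rows into (datetime, server, user) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), server, user)
            for ts, server, user in rows]


def failed_login_alerts(events, minimum_count=3, period=timedelta(minutes=5), per_user=True):
    """Return [(server, user_or_'*', alert_time)] for every point at which
    minimum_count failures fell inside one sliding window of length period.

    per_user=True  -> count separately per (server, DB user): the "." in DB User
    per_user=False -> count all failures against the server together: blank DB User
    After an alert the window is cleared, a simplified Reset Interval."""
    by_key = defaultdict(list)
    for ts, server, user in sorted(events):
        key = (server, user if per_user else "*")
        by_key[key].append(ts)

    alerts = []
    for (server, who), stamps in by_key.items():
        window = []
        for ts in stamps:
            window.append(ts)
            # drop failures older than the period (ts itself always stays)
            while ts - window[0] > period:
                window.pop(0)
            if len(window) >= minimum_count:
                alerts.append((server, who, ts))
                window.clear()
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("per user :", failed_login_alerts(events, per_user=True))
    print("all users:", failed_login_alerts(events, per_user=False))
```

With the constructed data the per-user evaluation alerts only for scott, whose third failure at 10:53:30 falls within five minutes of the first; the all-users evaluation already fires at 10:52:00 on three failures from three different accounts, which is the noisy behaviour the period in the DB User field is there to avoid.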
271. Default filtering: Permits the logged-in viewer to see all the rows in the result, regardless of who these rows belong to. When used with the Datasec exempt role, permits an override of the data-level security filtering.
- Include indirect records: Permits the logged-in viewer to see the rows that belong to the logged-in user, and also all rows that belong to users below the logged-in user in the user hierarchy.
- Escalate result to all users: A check mark in this check box escalates audit process results and PDF versions to all users, even if data-level security at the observed data level is enabled.
- Upload logo image: Adds a company logo graphic to the upper right portion of the Guardium window.
Unit 5. System View and Administration Console
Configuration: Guardium for z/OS (figure). Tabs: System View, Administration Console, Tools, Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management, Reports. Administration Console > Configuration entries: Guardium for z/OS, Interface Definition Finder, Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Incident Generation, Inspection Engines, IP-to-Hostname Aliasing, Policy Installation, Portal, Query Hint, Session Inference, Syste
272. This Import from Query is currently not scheduled for execution.
Figure 8-26. Populate from Query (4 of 4)
Notes: You can also choose to import members on a scheduled basis by pressing the Modify Schedule button. If you choose this option, it imports all returned results; because it is unattended, there is no option to pick specific values to import.
Classifier (figure): Classification Policy Builder, Classification Rule 1 for Classification Policy "Credit Card search". Rule Name: Credit Card; Category: credit card; Classification: credit card; Description; Continue on Match; Rule Type: Search For Unstructured Data; Search Like; Search Expression: a regular expression of four groups of four digits ([0-9]{4} repeated four times); Classification Rule Actions: 1. Add to credit card objects (Add to Group of Objects).
Figure 8-27. Classifier
Notes: The classifier will search a database and automatically add group members matching user-supplied criteria. Classification will be covered in a separate module.
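The rule above is a regular-expression search over table data whose matches add the containing object to a group. The following added example (not Guardium's classifier) runs that idea over constructed in-memory tables: the four-digit-group expression is applied to every value, and each column that matches adds its table to the group. A plain shape match also hits ticket numbers and other sixteen-digit strings, so the example adds a Luhn check-digit test, which goes beyond the page's expression and is an assumption about what a practitioner would want, not a documented classifier option.

```python
"""Classifier-style scan for card-number-shaped data (added example, not Guardium code).

Tables are constructed in memory as object name -> {column: [values]}."""
import re

# Four groups of four digits, optionally separated by a space or hyphen
CARD_SHAPE = re.compile(r"\b[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\b")

# Constructed sample tables
SAMPLE_TABLES = {
    "db2inst1.CC_NUMBERS": {"CC_NUMBER": ["4111 1111 1111 1111", "5500-0000-0000-0004"]},
    "db2inst1.USERS": {"USER_ID": ["1000", "1001"],
                       "NOTE": ["ticket 1234 5678 9012 3456 opened"]},
    "db2inst1.SSN_NUMBERS": {"SSN": ["123-45-6789"]},
}


def luhn_ok(candidate):
    """Luhn check digit over the digits in candidate; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(tables, pattern=CARD_SHAPE, require_luhn=True):
    """Return {object: [columns]} for every column holding at least one match,
    i.e. the members an "Add to Group of Objects" action would produce."""
    hits = {}
    for obj, columns in tables.items():
        for col, values in columns.items():
            for value in values:
                match = pattern.search(str(value))
                if match and (not require_luhn or luhn_ok(match.group(0))):
                    hits.setdefault(obj, []).append(col)
                    break           # one matching value is enough for this column
    return {obj: sorted(cols) for obj, cols in hits.items()}


if __name__ == "__main__":
    print("shape + Luhn:", classify(SAMPLE_TABLES))
    print("shape only  :", classify(SAMPLE_TABLES, require_luhn=False))
```

With the constructed tables the shape-only scan adds both db2inst1.CC_NUMBERS and db2inst1.USERS (because of the ticket number in NOTE) to the group; with the Luhn test only db2inst1.CC_NUMBERS remains. A sensitive-objects group built from a loose pattern feeds every access rule that references it, so the false positives cost alert noise and, with a blocking rule, availability.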
273. STAP_FIREWALL_TIMEOUT, STAP_SQLGUARD_IP, STAP_USE_TLS, TEE_DEBUG, TEE_ENABLED; Apply to Selected. Client Module Parameters (Input required): ...COMPONENTS_VERSION, KTAP_DEBUG, KTAP_DISKSPACE, KTAP_ENABLED, KTAP_LIVE_UPDATE, KTAP_NO_ROLLBACK, KTAP_PACKAGE, ... Buttons: Select All, Unselect All, Back, Revert, Apply to Clients, Install/Update, Cancel Install/Update, Uninstall, Cancel Uninstall.
Figure 7-37. Module Parameters
Notes: Step 2: The Module Parameters page allows you to apply the S-TAP settings. The Common Module Parameters pane applies to all of the GIM clients chosen in Step 1 if you selected multiple database servers. In this example we chose only one database server, so we change only the settings under Client Module Parameters. Scroll to the right to select the appropriate settings.
Unit 7. S-TAP and GIM
Client Module Parameters (2 of 2). Module Parameters, Step 3: Config/Install/Update/Uninstall, BUNDLE-STAP. Common Module Parameters: ATAP_ENABLED, KTAP_DEBUG, KTAP_ENABLED, KTAP_LIVE_UPDATE, STAP_DEBUG, STAP_ENABLED, STAP_FAILOVER_TLS, STAP_FIREWALL_DEFAULT_STATE, STAP_FIREWALL_FAIL_CLOSE, STAP_FIREWALL_INSTALLED, STAP_FIREWALL_TIMEOUT, STAP_SQLGUAR
274. DETAILS rule (table): Objects: Sensitive Objects; Command Group: DML Commands; logs the full SQL string (Log Full Details).
The appendix at the end of this document provides additional definitions of the Ignore STAP Session and Log Full Details rules. The flow chart on the next page demonstrates how commands are processed by the policy rules.
Appendix A. Monitoring Overview
Flow chart (figure). Exception Rule "Alert on Failed Logins": Category, Classification, Severity; Client IP ANY, Server IP ANY, Src App ANY, DB Name ANY, App User ANY, OS User ANY, Service Name ANY, Net Protocol ANY; Exception Type: LOGIN_FAILED; condition: 3 failed logins within 5 minutes from one user; Yes: Alert; Rec Vals: Yes; Cont: No. Access Rule "Scheduled Processes: Ignore Session": Client IP ANY, Server IP ANY, DB Name ANY, DB User: Monitoring Scheduled Processes group, App User ANY, OS User ANY, Service Name ANY, Net Protocol ANY, Field Name ANY, Pattern ANY, XML Pattern ANY, DB Type ANY, Client MAC ANY, ...
275. Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production; the session runs "select cc_number from cc_numbers" and receives "end-of-file on communication channel", the client-side symptom of the session being terminated.
Alert as received (figure): 2010-08-04 10:54:54 from 192.168.159.9 via UDP, SNMP TRAP (SNMPv2, community not shown), enterprise SNMPv2-SMI::enterprises.18708.1.1, Enterprise Specific; STRING: "Alert ... Rule 20000 Alert and Block on Developers Accessing Cardholder Data ... Request Info: Session start 2010-08-04 10:53:24; Server Type ORACLE; Client IP 10.10.9.1 (WORKGROUP\IBM-59799CA7DEF); Server IP 192.168.159.128 (10.10.9.99); Client Port 43536; Server Port 1521; Service Name XE; Net Protocol TCP; DB Protocol TNS; DB Protocol Version 3.13; DB User SCOTT; Application User Name (blank); Source Program C:\ORACLEXE\APP\ORACLE\PRODUCT\10.2.0\SERVER\BIN\SQLPLUS.EXE; Authorization Code 0; Request Type SQL ..."
Figure 1-10. Real-time monitoring (2 of 2)
276. Notes: Having provides the ability to query against aggregate values.
Unit 11. Custom Query and Report Building
Query Conditions (figure): Parenthesis; Addition mode AND/OR; HAVING; Entity, Agg, Attribute, Operator, Runtime Param, Value. Conditions shown: HAVING Object count; WHERE Object LIKE cc; AND Command SQL Verb LIKE select; AND Client/Server DB User LIKE scott; OR Client/Server DB User; AND Command SQL Verb IN GROUP DDL Commands. Start Date 2010-12-14 14:45:31; End Date 2010-12-14 17:45:31; Aliases OFF.
Result (figure):
Server IP | Client IP | DB User Name | Service Name | Source Program | SQL Verb | Object Name | Total access count
192.168.169.8 | 192.168.169.8 | SCOTT | DB2INST1 | DB2BP | SELECT | db2inst1.cc_numbers | 21
192.168.169.8 | 192.168.169.8 | SCOTT | DB2INST1 | DB2BP | SELECT | db2inst1.ccn | 21
192.168.169.8 | 192.168.169.8 | DB2INST1 | DB2INST1 | DB2BP | DROP TABLE | db2inst1.USERS | 20
192.168.169.8 | 192.168.169.8 | DB2INST1 | DB2INST1 | DB2BP | DROP TABLE | db2inst1.ADDRESSES | 20
192.168.169.8 | 192.168.169.8 | DB2INST1 | DB2INST1 | DB2BP | DROP TABLE | db2inst1.CC_NUMBERS | 20
192.168.169.8 | 192.168.169.8 | DB2INST1 | DB2INST1 | DB2BP | DROP TABLE | db2inst1.SSN_NUMBERS | 20
192.168.169.8 | 192.168.169.8 | DB2INST1 | DB2INST1 | DB2BP | DROP TABLE | db2inst1.G
277. Auto-Generated Calling Procs example (5 of 6)
Notes: Enter a new group name, or click Append and choose an existing group name, and press Analyze Database. The Guardium appliance will now log in to the database server and search all stored procedures for any that access any objects in the source group PI Objects. If it finds any, you will receive a message saying that new member(s) have been successfully added to the group PI Stored Procedures. The new group will be an Object group.
Other options: The Flatten namespace checkbox will apply wildcards around each of the stored procedures added to the new group.
Auto-Generated Calling Procs example (6 of 6). Group Builder: Manage Members for Selected Group. Group Name: PI Stored Procedures; Group Type: OBJECTS; Modify Group Type; Modify Category; Category; Group Members (Filter): sp_g_customers, test01, test02.
Figure 8-20. Auto-Generated Calling Procs example (6 of 6)
Notes: Finally, you can view the new group to review the newly imported members.
278. Manage policies
Note: The following topics will not be covered during this training: Baselines; Flat logging.
Figure 9-1. Unit objectives
9.1 Policy overview
Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job.
Policy overview: After completing this topic, you should be able to: Understand the default logging behavior; Understand the concept of constructs.
Figure 9-2. Policy overview
Policies defined: A policy is an ordered set of rules applied by the sniffer against each request received. Rule types include: Access; Exception; Extrusion.
279. Changing query settings (figure): Main Entity: Session; Add Count; Add Distinct; Sort by count. Query Fields (Seq, Entity, Attribute, Field Mode): 1 Client/Server, Server IP, Value; 2 Client/Server, Client IP, Value; 3 Client/Server, DB User Name, Value; 4 Client/Server, Source Program. Query Conditions: Addition mode AND/OR; HAVING; Entity, Agg, Attribute, Operator, Runtime Param.
Figure 11-16. Changing query settings
Notes: Other Query Field options include:
- Field Mode: indicates what to print for the field: its Value, or the Count (a count of distinct values), Min, Max, Average (AVG) or Sum for the row. The Value option is not available for attributes from entities lower than the main entity in the entity hierarchy for the domain.
- Order by: check the corresponding box to sort by a specific field. By default, query data is sorted in ascending order by attribute value, with the sort keys ordered as the attributes appear in the query. If aliases are being used, they are ignored for sorting purposes; the actual data values are always used for sorting. Attributes for which values are computed by the query (Count, Min, Max or Avg) cannot be sorted.
- Sort Rank: when the Order by box is checked, enter a number here to indicate the rank by which the field will be sorted relative to the other sorted fields.
- Descend: optional; controls whether the field will sort in ascending or des
280. Figure 7-58. Topic summary
Unit 7. S-TAP and GIM
Checkpoint
1. An S-TAP is installed on, and monitors traffic on, a ______ server. a. Guardium b. Network c. DNS d. Database
2. List three ways an S-TAP can be installed.
3. There are two ways GIM can install additional modules: by ______ and by ______.
4. What is the difference between a Common Module Parameter and a Client Module Parameter?
5. True or false: GuardAPIs are designed to run in an executable script and provide a method of performing non-interactive installs.
Figure 7-59. Checkpoint
Notes: Write your answers here: 1. 2. 3. 4. 5.
Instructor notes. Purpose: Details: Answers:
1. An S-TAP is installed on, and monitors traffic on, a database server (d).
2. Interactive S-TAP installer; Guardium Installation Manager; GuardAPI non-interactive installation.
3. By client and by module.
4. What is the difference between a Common Module Parameter an
281. Why should you use a dash or other special character as part of your query's name?
Which of the following represents the correct hierarchy? a. Attribute > Entity > Domain b. Entity > Domain > Attribute c. Domain > Attribute > Entity d. Domain > Entity > Attribute
You have set SQL as your Access Domain. Can you still ask for a count of something in the Session entity?
In terms of an SQL select statement, Query Fields go on the ______ clause and Query Conditions go on the ______ clause.
True or false: On the customization screen you can change the date range for the main entity.
Figure 11-22. Checkpoint
Notes: Write your answers here.
Unit 11. Custom Query and Report Building
Instructor notes. Purpose: Details: Answers:
- True or false: A query can access the data in only one domain.
- Why should you use a dash or other special character as part of your query's name? To differentiate them from built-in queries and to move them to the top of the sorted list.
- Which of the following represents the correct hierarchy? a. Attribute > Entity > Domain b. Entity > Domain > Attribute c. Domain > Attribute > Entity d. Domain > Entity > Attribute (d is correct)
282. the Zip for mail box to add a checkmark.
Unit 12. Compliance Workflow Automation
- Email Subject: This is used in the emails for all receivers for that audit process. The subject may contain one or more of the following variables, which are replaced at run time: ProcessName is replaced with the audit process description; ExecutionStart is replaced with the start date and time of the first task; ExecutionEnd is replaced with the end date and time of the last task.
It also includes buttons to:
- View: After the audit process has been run at least once, this button allows you to view the results.
- Run Once Now: Run the audit process on an ad hoc basis. The Receiver Table and Task Definition sections must be completed for this to execute.
- Modify Schedule: Create or modify a schedule for the audit process. The Receiver Table and Task Definition sections must be completed and the Active checkbox must be checked to enable scheduled processes.
Receiver Table: The receiver table controls who receives th
283. they will be discarded. Alternately, you may enter a regular expression in the Audit Pattern field; however, this is not commonly used.
Unit 9. Policies
Audit Only rule (figure): Policy Builder, Rule 1 of policy SAT. Description: DML Activity Audit Only; Category; Classification; Severity: INFO. Criteria: Server IP and/or Group; Client IP and/or Group; Client MAC; Net Prtcl and/or Group; DB Type; Svc Name and/or Group; DB Name and/or Group; DB User and/or Group; Client IP/Src App/DB User/Server IP/Svc Name; App User and/or Group; OS User and/or Group; Src App and/or Group; Field and/or Group; Object and/or Group; Command and/or Group: Public group DML Commands; Object/Cmd Group; Object/Field Group; Pattern; XML Pattern; App Event Exists; Event Type; Event User Na
284. Unit 6. System View and Administration Console II
Administration Console: Central Management (figure). CLI session: cm.guard.swg.usma.ibm.com> store unit type manager; output: All inspection engines stopped; Restarting gui; Changing to port 8443; Stopping ...; ok. Administration Console > Central Management: Managed Unit Portal User Synchronization (synchronize Guardium portal users across all managed units using Secure File Copy (SCP/FTP); no configuration necessary); Portal User Sync Scheduling: User Synchronization is actively scheduled; Modify Schedule; Pause; Run Once Now.
Figure 6-12. Administration Console: Central Management
Notes: In a central management configuration, one Guardium unit is designated as the Central Manager. That unit can be used to monitor and control other Guardium units, which are referred to as managed units. Unmanaged units are referred to as standalone units. The concept of a local machine can refer to any machine in the Central Management system. There are some
285. Exception rule (figure): Client MAC; Net Prtcl and/or Group; DB Type; Svc Name and/or Group; DB Name and/or Group; DB User and/or Group; Client IP/Src App/DB User/Server IP/Svc Name; App User and/or Group; OS User and/or Group; Src App and/or Group; Error Code; Excpt Type (shown: SQL_ERROR); Data Pattern; Replacement Character; Time Period; Minimum Count; Reset Interval 0 minutes; Message Template: Default; Quarantine for 0 minutes; Rec Vals; Cont to next rule; Actions.
Figure 9-58. Exception Rule Definition
Notes: Exception rules contain session-level criteria like access rules, but do not have criteria for the SQL request (command, object, etc.). Instead, exception rules contain a field for Exception Type, which includes:
- LOGIN_FAILED: failed login messages from the database server to the database client
- SESSION_ERROR: errors related to connection information
- SQL_ERROR: error messages returned from the database server to the database client. For example, executing a SELECT against a table that does not exist in DB2 returns error SQL0204N
286. Contents (continued)
- ... 2-29
- ... 2-30
- Unit summary 2-32
- Checkpoint solutions 2-33
Unit 3. Command Line Interface 3-1
- Unit objectives 3-2
- CLI overview (1 of 2) 3-3
- CLI overview (2 of 2) 3-4
- CLI users 3-6
- CLI password requirements 3-8
- CLI user login (1 of 2) 3-10
- CLI user login (2 of 2) 3-11
- Navigating the CLI (1 of 4) 3-12
- Navigating the CLI (2 of 4) 3-14
- Navigating the CLI (3 of 4) 3-16
- Navigating the CLI (4 of 4) 3-17
- Show and store 3-18
- Reminder: CLI command categories 3-19
- Network configuration commands 3-20
- Aggregator commands 3-22
- Alerter configuration commands 3-23
- Configuration and control commands 3-24
- File handling commands 3-25
- Diagnostic commands 3-26
- Inspection engine commands 3-27
- User account
287. Appendix A. Monitoring Overview
A.1 Introduction: This document describes the steps required to successfully implement database monitoring using the Guardium solution. In this context, we define monitoring as the review of database activity that can pose compliance or security violations. The end result of these steps is a process that automatically delivers your required reports to the appropriate staff members on a scheduled basis using Guardium's workflow automation. The required steps are:
1. Gathering requirements
2. Building groups
3. Defining policy
4. Creating reports
5. Adding Guardium users and roles
6. Creating a workflow
The following sections explain these steps in detail.
A.2 Intended Audience: This document is intended to be used with customers who have some familiarity with the Guardium solution and preferably are currently working on an implementation with a Professional Services consultant.
A.3 Gathering Requirements: The first step is to define your requirements. Requirements are often determined by an organization's auditors, especially in SOX or PCI implementations, but can also be determined by internal security rules. If you do not have a clear definition of your requirements, try to answer the following questions. Logging and real-time alerting: Who needs to be monitored? Privi
288. Which of the following is NOT a built-in policy in Guardium? 1. HIPAA 2. BASEL II 3. PCI 4. SOX 5. ACCT IV
2. Result sets would be part of an ______ rule.
3. Failed logins would be part of an ______ rule.
4. SELECTs would be part of an ______ rule.
Figure 9-19. Checkpoint
Notes: Write your answers here: 1. 2. 3. 4.
Unit 9. Policies
Instructor notes. Purpose: Details: Answers:
1. Which of the following is NOT a built-in policy in Guardium? a. HIPAA b. BASEL II c. PCI d. SOX e. ACCT IV
2. Result sets would be part of an extrusion rule.
3. Failed logins would be part of an exception rule.
4. SELECTs would be part of an access rule.
Topic summary: Having completed this topic, you should be able to: Install a policy; Access the policy builder; Create a new policy.
Figure 9-20. Topic summary
289. Checkpoint solutions
1. Which of the following is NOT a built-in policy in Guardium? 1. HIPAA 2. BASEL II 3. PCI 4. SOX 5. ACCT IV
2. Result sets would be part of an extrusion rule.
3. Failed logins would be part of an exception rule.
4. SELECTs would be part of an access rule.
Figure 9-21. Checkpoint solutions
Exercise: You can complete Exercise 6 in the Exercise Guide. Alternately, you can wait and do Exercises 6 and 7 at the end of this unit.
Figure 9-22. Exercise
9.3 Access Rules
Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job.
290. specific databases for which they are responsible. This would commonly be used when you have multiple business units sharing the same Guardium infrastructure but require data to be segregated between each unit. This is advanced functionality and will not be covered in this training. For more information, see the Access Management help book, which is accessible from the online help.
Unit 4. Access Management
Checkpoint (1 of 2)
1. True or False: You can delete the accessmgr user if you do not want to use it.
2. True or False: By default, new users are automatically enabled.
3. User01 is currently in the USER role and is logged into the Guardium web interface. You add User01 to the DBA role. When will the user have access to the DBA functions? a. Immediately b. Only after logging out and logging back in c. Only after you run change layout d. Only after you run change layout and the user logs out and logs back in again
Figure 4-17. Checkpoint (1 of 2)
Notes: Write your answers here: 1.
Instructor notes. Purpose:
291. Config/Install/Update/Uninstall: BUNDLE-DISCOVERY. Client list (Client Name, Client IP, Client OS, Client OS Version): centos5, 192.168.169.128, Linux, 2.6.18-128.el5; dbserver01, 192.168.169.8, Linux, 2.6.16.21-0.8-default. Records 1 to 2 of 2. Unselect All; Reset Clients.
Figure 7-43. Bundle discovery
Notes: Highlight the BUNDLE-DISCOVERY module from the list and press Next.
Unit 7. S-TAP and GIM
Java installation directory. Module Parameters, Step 3: Config/Install/Update/Uninstall, BUNDLE-DISCOVERY. Common Module Parameters: DISCOVERY_ADDITIONAL_ENV, DISCOVERY_DBS, DISCOVERY_DEBUG, DISCOVERY_ENABLED, DISCOVERY_IGNORE_DIRS, DISCOVERY_JAVA_DIR, DISCOVERY_ORA_ALT_LOCATIONS, DISCOVERY_SCAN_INTERVAL; Apply to Selected. Client Module Parameters (Input required): ...DISCOVERY_IGNORE_DIRS, DISCOVERY_JAVA_DIR, DISCOVERY_ORA_ALT_LOCATIONS, DISCOVERY_PACKAGE, DISCOVERY_P... Buttons: Select All, Unselect All, Back, Apply to Clients, Install/Update, Cancel Install/Update, Cancel Uninstall.
Figure 7-44. Select client
Notes: Select the database server(s) on which you would like to in
292. Figure 9-82. S-GATE overview
Notes: In addition to monitoring, S-TAP can also be configured to work in firewall mode.
Unit 9: Policies
S-GATE S-TAP settings (screenshot: on dbserver01, cat of the guard_tap.ini file in the S-TAP 8.1.0.0 (r24276) module directory, piped through grep firewall, shows: firewall_default_state=0, firewall_fail_close=0, firewall_installed=1, firewall_timeout=10).
Figure 9-83. S-GATE S-TAP settings
Notes: S-GATE must be enabled from S-TAP before using S-GATE rules.
firewall_installed: should the firewall feature be enabled at all? 0 = No, 1 = Yes. Default: 0.
firewall_fail_close: what is the default action when a verdict cannot be set by the policy rules (e.g. timeout reached)? 0 = let connection through, 1 = block connection. Default: 0.
firewall_default_state: what triggers the start of the firewall mode? 0 = an event triggering a rule in the installed policy happens, 1 = start in firewall mode enabled regardless of a triggering event. Default: 0.
firewall_timeout: time in sec
293. Guardium components. Guardium components include: Real-time monitoring; Built-in and custom reporting; Compliance Workflow Automation; Configuration Auditing System; Vulnerability Assessment; Database Discovery and Data Classification.
Figure 1-8. Guardium components
Notes: Guardium consists of several components, some of them built in to the product and some of them add-on. The base product includes components for doing real-time database access monitoring (including options to filter what is being monitored, to generate an alert whenever specific access is attempted, and to terminate access when needed), reporting (both built-in and customized), and compliance workflow, which automatically routes reports to the appropriate users. Additional add-on components provide configuration auditing (to monitor access and changes to supporting database objects), vulnerability assessment (to locate and classify potential areas of risk), and database discovery and data classification (to automatically detect database existence and locate data artifacts).
Unit 1: InfoSphere Guardium
Real-time monitoring (1 of 2). Guardium us
294. into further detail on query conditions, and we will use an object-based query as a demonstration. To start a new query: Go to Monitor/Audit > Build Reports. Press the Track data access button. Enter a Query Name and choose Object as the Main Entity. Press Next.
Unit 11: Custom Query and Report Building
Query conditions (1 of 2) (screenshot: query builder for Training01 with Main Entity Object; the condition operator drop-down lists CATEGORIZED AS, CLASSIFIED AS, IN ALIASES GROUP, IN DYNAMIC ALIASES GROUP, IN DYNAMIC GROUP, IN GROUP, IS NOT NULL, IS NULL, LIKE, LIKE GROUP, NOT IN ALIASES GROUP, NOT IN DYNAMIC ALIASES GROUP, NOT IN DYNAMIC GROUP, NOT IN GROUP).
Figure 11-28. Query conditions (1 of 2)
Notes: Below are definitions of the available query conditions.
<  Less than
<=  Less than or equal to
<>  Not equal to
=  Equal to
>  Greater than
>=  Greater than or equal to
CATEGORIZED AS: Member of a group belonging to the category selected from the drop-down list to the right (which appears when a group operator is selected).
CLASSIFIED AS: Member of a group belonging to the classification selected from the drop-down list to th
295. inue forwarding responses from the DB Server to the client. Responses include SQL Errors and Result Sets.
Unit 9: Policies
Ignore SQL per session (diagram: the sniffer instructs STAP to discontinue Client-to-Server traffic from specific sessions. For a session marked as Ignored, the sniffer receives the following traffic from STAP and logs it into the database: from the database client to the database server (10.10.9.8), Sessions (log in/log out); from the database server to the database client, Sessions (log in/log out), SQL Errors and Result sets. The following types of traffic are discarded by STAP and never reach the collector: SQL Requests (commands).)
Figure 9-43. Ignore SQL per session
Notes: The Ignore SQL Per Session action will cause the collector to continue logging SQL Errors and Result Sets, but the sniffer will instruct STAP to discontinue forwarding SQL requests from the client to the database server.
296. ion. For the Guardium admin user account, login is always authenticated by Guardium alone. For all other Guardium user accounts, authentication can be configured to use either RADIUS or LDAP. In the latter cases, additional configuration information for connecting with the authentication server is required.
Configuration: Query Hint (screenshot: Administration Console > Configuration > Query Hint, prompting "Please provide password to access query hint" with a Password field; the Configuration menu also lists Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP-to-Hostname Aliasing, Policy Installation, Portal).
Figure 5-19. Configuration: Query Hint
Notes: This feature is password protected and can be used only as directed by Technical Support. Contact Technical Support if you require more information. The Query Hint screen is also used to activate two policy log actions: Log full details with values, and Log full details with values per session. After filling in the Query Hint passwo
297. is
Track users who have viewed the reports, signed off on the processes, or added comments.
Figure 1-12. Compliance Workflow Automation
Notes: The Guardium solution also includes Compliance Workflow Automation. This feature can be configured to deliver reports, vulnerability assessments, and classification results to the appropriate end users on a periodic basis. This process also tracks who has viewed or signed any process and also maintains a trail of any comments made by reviewers.
Unit 1: InfoSphere Guardium
Configuration Auditing System. CAS tracks changes to: Security and access control objects; Database structures; Critical data values; Database configuration files; And so on.
Figure 1-13. Configuration Auditing System
Notes: Not all database-related activity can be tracked using Database Access Monitoring. For example, changes to database configuration files, like the listener.ora file in Oracle, are made at the operating system level. Guardium's Configuration Auditing System (CAS) monitors changes to these OS database files as well as changes to environmental variables and actual values
298. is a list of data elements. Groups are used to facilitate the creation of queries and policy rules. A query without groups would require many OR conditions (screenshot: Query Conditions with seven Client/Server DB User Name conditions joined by OR, with values such as scott, a8000, 34902, 34949, a5710 and 39449). The same query using a group only requires one condition (screenshot: Query Conditions with a single Client/Server DB User Name IN GROUP condition whose value is the group Privileged Users).
Figure 8-2. Group Definition
Notes: A group is a list of data elements. For example, a group might be a list of users, a list of commands, or a list of objects. Groups are used to facilitate the creation of queries and policy rules. Without groups, queries and policy rules might require the use of many OR conditions. For example, when checking to see who th
299. ist of all available commands for a given category, type command or comm plus a keyword or part of a keyword at the command prompt. For example, comm agg will return all aggregation-related commands, comm net will return all network-related commands, comm file will return all file-handling commands, and so on.
Instructor notes: Purpose. Details. Additional information: If time permits, have the students log in as the cli user and run some of the commands on this and the following slides. Make sure that they do not run restart system, as this will reboot their virtual machines. Transition statement.
Unit 3: Command Line Interface
Navigating the CLI (3 of 4). To display command syntax and usage options, enter a question mark as an argument following the command word. For example, supp show ? will display all of the options for the support show command (screenshot: at the collector CLI prompt, supp show ? returns "support show <arg>, where <arg> is:" followed by audit_tasks, db_processlist, db_status, db_struct_check, db_top_tables, hardware
300. Unit 8: Group Builder
GuardAPI (1 of 2). GuardAPI can be used to create and populate groups. You can add a member from the CLI manually:
grd01.guard.swg.usma.ibm.com> grdapi create_member_to_group_by_desc desc="Privileged Users" member=a9940
However, it is most effective used in a batch file, as shown in the next page.
Figure 8-28. GuardAPI (1 of 2)
Notes: The final method of populating a group is by using GuardAPI. GuardAPI provides access to Guardium functionality from the command line or from a batch file. This allows for the automation of repetitive tasks, which is especially valuable in larger implementations.
GuardAPI (2 of 2). Create a file with the individual commands repeated for each group member. On dbserver01, cat group_upload.txt shows:
grdapi create_member_to_group_by_desc desc="Privileged Users" member=a2342
grdapi create_member_to_group_by_desc desc="Privileged Users" member=a6732
grdapi create_member_to_group_by_desc desc="Privileged Users" member=a4345
grdapi cr
301. Unit objectives
Notes:
Unit 7: S-TAP and GIM
S-TAP overview. S-TAP: Lightweight agent installed on the database server. Monitors: Local traffic; Network traffic. Handles encrypted logins. Supports Windows, UNIX.
Figure 7-2. S-TAP overview
Notes: Guardium's S-TAP is an optional, lightweight software agent installed on a database server system. It monitors database traffic and forwards information about that traffic to a Guardium appliance. S-TAP can monitor database traffic that is local to that system. This is important because local connections can provide back-door access to the database, and all such access needs to be monitored and audited. S-TAP can be used to monitor any network traffic that is visible from the database server on which it is installed. S-TAP can also handle encrypted logins more effectively than traffic originating from a SPAN port or network tap.
S-TAP installation methods. Three ways to install S-TAP: 1. Interactive S-TAP Installer 2. Guard
302. Additional collector for failover (screenshot: IBM InfoSphere Guardium S-TAP InstallShield, Setup Status: IBM InfoSphere Guardium S-TAP is configuring your new software installation).
Figure 7-14. Additional collector for failover
Notes: If you would like to configure a secondary collector for failover or load balancing, press the Yes button. This can be completed from the Guardium GUI also. In most cases you would press No here.
Unit 7: S-TAP and GIM
Start S-TAP service (screenshot: InstallShield Setup Status question dialog).
Figure 7-15. Start S-TAP service
Notes: Press Yes to start the S-TAP services.
Complete installation (screenshot: IBM InfoSphere Guardium S-TAP InstallShield Wizard, Guardium STAP Diagnostics Information: SUCCESS, Guardium STAP registered with 192.168.169.9; INFO, Guardium_STAP Started; IBM Info
303. ium Installation Manager (GIM) 3. Silent (non-interactive) installation using GuardAPI.
Figure 7-3. S-TAP installation methods
Notes: S-TAP can be installed remotely from the command line on both Windows and Unix servers. It can also be installed through the Guardium Installation Manager. For enterprise deployments, the S-TAP installation can be scripted and installed non-interactively.
Unit 7: S-TAP and GIM
S-TAP ports:
8081 TCP: GIM-to-Appliance traffic, for both UNIX and Windows
16016 TCP: Unencrypted STAP Unix traffic
16017 TLS: Encrypted STAP Unix traffic
9500 TCP: Unencrypted STAP Windows traffic
9501 TCP: Encrypted STAP Windows traffic
8075 UDP: STAP heartbeat (Windows only)
Figure 7-4. S-TAP ports
Notes: If the database server and collector are on opposite sides of a firewall, you must make sure that the appropriate ports are open for the components to communicate correctly. A closed firewall port is the most common configuration error when deploying S-TAP.
304. ive tasks can be automated using GuardAPI.
Figure 3-29. Checkpoint solutions
Notes:
Unit 3: Command Line Interface
Unit 4: Access Management. Estimated time: 00:30.
What this unit is about: This unit describes how to define new Guardium users and assign those users to roles.
What you should be able to do: After completing this unit, you should be able to: Create new users; Assign roles to new users.
Unit objectives. After completing this unit, you should be able to: Create new users; Assign roles to new users.
Figure 4-1. Unit objectives
Notes:
305. ix DB2 Template Set v8.0 (screenshot: CAS template sets including Default Windows DB2 Template Set v8.0 (WIN DB2), Default Windows Informix Template Set (WIN INFORMIX), Default Windows Informix Template Set v8.0 (WIN INFORMIX) and Default Windows MSSQL Template Set (WIN MS SQL SERVER); the item table has columns Item, Type, Period, Use MD5 and Keep Data, listing $DB2_HOME/.login, $DB2_HOME/.bash_profile, $DB2_HOME/.bashrc, $DB2_HOME/.cshrc and $DB2_HOME/.profile as File items and $DB2_HOME/sqllib/bin, $DB2_HOME/sqllib/cfg and $DB2_HOME/sqllib/security as File Pattern items, each with a 1h period).
Figure 10-4. Configuration Auditing System (1 of 3)
Notes: CAS Configuration. A CAS configuration defines one or more CAS instances, each of which identifies a template set to be used to monitor a set of items on that host.
Default Template Sets. For each operating system and database type supported, Guardium provides preconfigured default template sets for monitoring a variety of databases on either Unix or Windows platforms. A default template set is one that will be used as a starting point for any new template set defined for that template set type. A template set type is either an operating system alone (Unix or Windows) or a database management system (DB2, Informix, Oracle, etc.), which is always qualified by an oper
306. l SQL if logging full details. Some customers do choose to include the SQL statement in the report, which works well if only small SQL statements are issued. However, many SQL statements can be hundreds of lines and can cause the report to become very difficult to read.
3. Query conditions. The query conditions filter the data that will appear on your reports (the where clause of your query). Because we have defined our groups in Step 2, creating the Where clause is very simple. As a best practice, try to use Groups or Run-time Parameters instead of hard-coding values whenever possible. This allows for much more flexibility later if you need to change your reports. Run-time parameters also allow you to produce multiple result sets from a single query. Below are the fields and conditions for the first report in the requirements list: Report on DDL activity in production.
(screenshot: query "Monitoring DDL Activity in Production" with fields listed by Entity and Attribute: Access Period, Timestamp; Client/Server, Server IP; Client/Server, Client IP; Client/Server, DB User Name; Client/Server, Source Program; Client/Server, Service Name; Session, Database Name; Command, SQL Verb; Entity Aggrega
307. le checkbox to enable hostname aliasing. A second checkbox displays when the first is marked: Update existing Hostname Aliases if rediscovered. Mark the Update existing checkbox to update a previously defined alias that does not match the current DNS hostname (usually indicating that the hostname for that IP address has changed). You may not want to do this if you have assigned some aliases manually. For example, assume that the DNS hostname for a given IP address is dbserver204.guardium.com, but that server is commonly known as the QA Sybase Server. If QA Sybase Server has been defined manually as an alias for that IP address and the Update checkbox is marked, that alias will be overwritten by the DNS hostname.
Unit 5: System View and Administration Console
Click the Apply button to save the IP-to-Hostname Aliasing configuration. Do one of the following: Click the Run Once Now button to generate the aliases immediately. Click the Define Schedule button to define a schedule for running this task.
Configuration: Policy Installation. System View
308. leged users, DBAs, everyone? What types of actions must be monitored (DDL, DML, selects on specific tables)? What type of information can safely be ignored? What type of activity should prompt alerts? What type of activity should prompt more verbose logging, that is, logging the full SQL string including values? What are your sensitive objects?
Appendix A: Monitoring Overview
Reporting: What reports do I need? What fields do I need in my reports? What should prompt an action to appear on my reports (query conditions)?
Audit Review: Who needs to receive monitoring reports? How frequently should reports be delivered? Should users be required to sign reports, or is reviewing reports sufficient? (Sign-off of reports can be configured on a per-user basis.) Should the delivery of reports stop at any receivers until they have reviewed or signed off on them, or should they be delivered to all users at once?
Requirements Example. Below are examples of some common monitoring requirements. We will use these examples throughout the document to show how your requirements can be met using Guardium's toolset. Report on DDL activity in production. Report on all activity by privileged users, including the Full SQL string. Report on DML on Sensitive Objects i
309. llow rule informs the sniffer to log the traffic normally (log the construct and Access Period timestamp) and to not continue to the next rule (note that the Continue to next rule checkbox is grayed out and unavailable). This is commonly used when you would like to prevent certain activity from reaching specific rules further down in the policy. A real-world example of when this rule is used is when a customer requirement is to log activity by privileged users only for MS SQL Server 2005 or 2008 database servers. To meet such a requirement, you would normally create a rule specifying: if the user is NOT in the Privileged User group, ignore session. With most database types this rule would be sufficient. However, with MS SQL Server 2005/2008, many login packets are encrypted and it takes Guardium a few seconds to resolve the encrypted login to the actual user name. While the resolution is taking place, the user name appears as an empty string and, being empty, it would not be in the Privileged User group and would thus be ignored. To prevent privileged user sessions from being ignored incorrectly, you would add an Allow rule with a special guardium empty flag in the DB User field before the Ignore Session rule. While the user name is empt
310. lnerability Assessment. b. Generates built-in or custom documents. e. Tests to evaluate the overall security of the database environment. c. Routes reports to users for comments and sign-off. g. Data Classification. f. Database Discovery. Additional information. Transition statement.
Unit 1: InfoSphere Guardium
Unit summary. Having completed this unit, you should be able to: Identify the main functionality of InfoSphere Guardium; Describe the key components of the InfoSphere Guardium solution.
Figure 1-19. Unit summary
Notes:
Checkpoint solutions (1 of 2)
1. List three drawbacks to doing native auditing rather than using a product like Guardium. 1. High resource utilization (significant impact on the database environment). 2. No separation of duties (ability of super users to bypass native auditing). 3. Inconsistent auditing features (difficulty of integrating auditing features of multiple database systems).
2. What is a rule and what is a policy? A rule is a set of filtering criteria
311. m Upload Key File. Data Management.
Figure 5-12. Configuration: Guardium for z/OS
Notes: This screen is used to configure Guardium to monitor traffic from DB2 on z/OS.
Unit 5: System View and Administration Console
Configuration: Incident Generation Process (screenshot: Incident Generation Processes list and the Edit Incident Generation Process form: Query: Policy Violation Count; Severity: INFO; Category; Threshold: 1; Assign To User: tjones (Ted Jones); Set Up Runtime Parameter: From Date: now -1 day, To Date: now; Scheduling: Incident Generation Process is currently not scheduled for execution).
Figure 5-13. Configuration: Incident Generation Process
Notes: The Integrated Incident Management (IIM) application provides a business user interface with workflow automation for tracking and resolving database security incidents. It simplifies incident management by allowing administrators to group a series of related policy violations into a single incident and assign them to specific individuals. This reduces the
312. m left to right:
Navigation buttons (arrows) allowing you to move from page to page within the displayed report. You can also enter a number in the box next to Records to go directly to a specific page.
Stop: The red X button will stop the report generation.
Refresh: The yellow arrows refresh the current report.
The first disk icon (with the white corner) will download the data currently displayed on the portal in CSV format. The second disk icon downloads the entire report in CSV format.
The printer icon will open a printer-friendly window.
The PDF icon will save the report as a PDF file.
The paper-and-pencil icon will open the query builder for this report's underlying query.
Unit 11: Custom Query and Report Building
The second button from the end will create an ad hoc audit process, allowing long-running queries to be processed in the background as an audit process.
The last button will open the report in a new window.
Checkpoint. True or false: A query can access the data in only one domain. Why should you use a das
313. mail server.
Password: Enter the password for the above user if your SMTP server uses authentication. Re-enter it in the Re-enter Password box.
Return E-mail Address: Enter the return address for e-mail sent by the system. This address is usually an administrative account that is checked often.
Authentication Method: Select AUTH if your SMTP server uses authentication. Otherwise, select None. When Auth is selected, you must specify the user name and password to be used for authentication.
Click the Apply button to save the configuration. Click Restart to restart the Alerter with the new configuration. Note: The Alerter will not begin using a new configuration until it is restarted.
The SNMP section of the Configuration pane is used to configure the Alerter to send SNMP traps. You can configure the SNMP connections as follows:
IP Address: Enter the IP address/hostname to which the SNMP trap will be sent.
Test Connection (Optional): Click the Test Connection button to verify the SNMP address and port 22. This only tests that there is access to the specified host and port. It does not verify that this is a working SNMP server. A dialog box is displayed informing you of the success or failure of the operation.
Trap Community: Enter the community name for the trap. Retype the community in the Retype Community box.
Click the Apply button to save the configuration. Click Restart to restart the Alerter with the new configuration. N
314. Instructor notes: Purpose. Details:
1. An inspection engine monitors the traffic between a set of one or more servers and a set of one or more clients, using a specific database protocol.
2. Using the S-TAP Status Monitor on the System View pane, how can you tell if an inspection engine has been configured or not? If it is green, an inspection engine is configured and running.
3. Which of the following is NOT a function of the Configuration option on the Administration Console? a. Create and configure Guardium users b. Create and configure Inspection engines c. Configure local taps d. Upload and install software modules
4. Applying license keys is a function of the system configuration option.
Unit 5: System View and Administration Console
Unit summary. Having completed this unit, you should be able to: Configure an IBM InfoSphere Guardium appliance from the Administration Console.
Figure 5-24. Unit summary
Notes:
315. mbinations of commands, objects, and fields included in a construct can be very complex, but each construct basically represents a very specific type of access request. Constructs are logged with the values replaced by question marks, which makes most SQL requests less unique. For example, the following statements appear to be unique to each other:
select * from employee_table where employee_id = 48 and hire_date = 8/2/09
select * from employee_table where employee_id = 4940 and hire_date = 10/29/01
However, if you replace the values with question marks, you will see that they are the same basic request:
select * from employee_table where employee_id = ? and hire_date = ?
select * from employee_table where employee_id = ? and hire_date = ?
The string select * from employee_table where employee_id = ? and hire_date = ? is an example of a construct. When the sniffer first encounters this SQL request, it will log it with an associated construct ID. When the sniffer encounters it again, it will not log it a second time. Instead, it will refer back to the construct it had logged earlier.
Unit 9: Policies
316. … [Figure 9-70. Audit Only rule (GU2022.0): screenshot of the policy rule builder showing the rule fields (App Event Values Text, Numeric and Date; Data Pattern; Replacement Character; Time Period; Minimum Count 0; Reset Interval 0 minutes; Message Template Default; Quarantine for 0 minutes; Records Affected Threshold 0; Rec. Vals.; Cont. to next rule) and the action AUDIT ONLY]
Notes: When an Audit Only rule fires in a selective audit trail policy, the appliance logs the traffic normally: constructs with masked SQL and the Access Period timestamp. If you need to log the full SQL string, Log Full Details rules work the same as in a non-selective audit trail policy. Also, ignore session rules can be used in a selective audit trail policy and still provide tremendous performance benefits.
Checkpoint
1. Explain what a selective audit trail policy is.
Figure 9-71. Checkpoint (GU2022.0)
Notes: Write your answers here: 1.
Instructor notes
317. … [Figure 6-7. Data Management: Catalog Archive (GU2022.0): screenshot of the archive catalog listing five records (Records 1 to 5 of 5) for the host grd01.guard.swg.usma.ibm.com, each giving the destination IP 192.168.169.128, the data date (2010-10-25, 2010-10-26, 2010-11-01, 2010-11-03, 2010-11-04), an archive file name combining the record ID, the host name, the archive date (w20101107.181624 and so on) and the data date (d2010-10-25 and so on) with the suffix dbdump.enc, and the transfer method SCP]
Notes: Guardium's catalog tracks where every archive file is sent so that it can be retrieved and restored on the system with minimal effort at any point in the future. A separate catalog is maintained on each appliance, and a new record is added to the catalog whenever the appliance archives data or results. If archive files are moved to another location after the Guardium archive operation, Guardium has no way of knowing what happened to those files. For these situations the archive catalog can be maintained manually, using the Catalog Archive command to add or remove archive entries.
318. … parameters, enter the appropriate values, or enter a percent sign (%) as a wildcard to return everything. In the example above, Enter Value for Server IP is a run-time parameter. Clear existing group members before importing: check this box if you want to purge all group members before importing from the query.
Populate from Query (3 of 4)
[Figure 8-25. Populate from Query (3 of 4) (GU2022.0): Group Builder screenshot listing the query results A2840, A4939, A8000 and A9404 as candidate members]
Notes: Choose the members you would like to import and press the Import button.
Populate from Query (4 of 4)
[Screenshot: Group Builder, Populate Group from Query. Set Up: Group Name Privileged Users, Group Type USERS, Classification. Query to Run: Query Detailed Sessions List, Fetch Member From Column DB User Name, From Date now -1 week, To Date now, Remote Source none, Enter Value for Server IP %, Clear existing group members before importing (unchecked). Scheduling …]
319. … [Figure 7-10. Select Features (GU2022.0): InstallShield screenshot listing the S-TAP features to install (including Named Pipes Sniffer, MS SQL Shared Memory Sniffer and IBM DB2 Shared Memory Monitor), the space required on the C drive (84.80 MB) and the space available (12828.61 MB), with the feature description "driver DLL and service for picking up encrypted Oracle traffic"]
Notes: Confirm that the options that you would like to install are checked and uncheck those that are not needed. If a specific database type is not hosted on the database server, be sure to uncheck those boxes so that the drivers are not installed. In this example we are installing S-TAP on a Microsoft SQL Server, so the options to pick are:
• MSSQL encryption plugin
• CAS (optional)
• Local Host Monitor
• Named Pipes Sniffer
• MS SQL Shared Memory Sniffer
Copy Files
[Figure 7-11. Copy Files (GU2022.0): IBM InfoSphere Guardium S-TAP InstallShield Wizard, Start Copying Files: review settings before copying files]
Notes: Confirm that the Current Settings are correct and press Next.
320. … ment tests updated by IBM?
   a. Annually
   b. Quarterly
   c. Monthly
   d. Weekly
6. True or false: You need only CAS or only VA, not both.
Unit summary. Having completed this unit, you should be able to:
• Understand the major components of the Configuration Auditing System (CAS)
• Understand the value of Vulnerability Assessment
• Understand why Database Discovery is needed
Figure 10-16. Unit summary (GU2022.0)
Exercise. At this point you should complete Exercises 8 and 9 in the Exercise Guide.
Figure 10-17. Exercise (GU2022.0)
Checkpoint solutions (1 of 2)
1. A CAS template set is tailored to:
   a. An operating system, such as Unix
   b. An operating system and database, such as Unix and DB2
   c. Both …
321. … [Figure 7-36. Common modules (GU2022.0): GIM screenshot of the Module Parameters step, listing the common module parameters (ATAP_ENABLED, KTAP_DEBUG, KTAP_ENABLED, KTAP_LIVE_UPDATE, STAP_DEBUG, STAP_ENABLED, STAP_FAILOVER_TLS, STAP_FIREWALL_DEFAULT_STATE, STAP_FIREWALL_FAIL_CLOSE, STAP_FIREWALL_INSTALLED, STAP_FIREWALL_TIMEOUT, STAP_SQLGUARD_IP, STAP_USE_TLS, TEE_DEBUG, TEE_ENABLED) and the client module parameters marked "Input required" (ATAP_DISKSPACE, ATAP_ENABLED, ATAP_PACKAGE, ATAP_PART_OF_BUNDLE, ATAP_SYMVERSION) for the client dbserver01, with the buttons Select All, Unselect All, Back, Apply to Clients, Install/Update, Cancel Install/Update, Uninstall and Cancel Uninstall]
Notes: Step 2: Highlight the module that you would like to install and press Next. In general you should choose to install bundles rather than individual components such as STAP and KTAP.
Client Module Parameters (1 of 2)
[Screenshot: Module Parameters, Step 3: Config/Install/Update/Uninstall for BUNDLE-STAP, listing the same common module parameters (ATAP_ENABLED, KTAP_DEBUG, KTAP_ENABLED, KTAP_LIVE_UPDATE, STAP_DEBUG, STAP_ENABLED, STAP_FAILOVER_TLS, STAP_FIREWALL_DEFAULT_STATE, STAP_FIREWALL_FAIL_CLOSE, STAP_FIREWALL_INSTALLED …]
322. … in a Guardium environment is one.
10. There could be a time lag of up to one hour between the time users, roles or permissions are added to the Central Manager and the time they are applied to the managed units.
Figure 6-29. Checkpoint solution (2 of 2) (GU2022.0)
Notes: Write your answers here: 7. 8. 9. 10.
Unit 7. S-TAP and GIM
Estimated time: 01:30
What this unit is about: This unit describes S-TAP and how to install it on either a Windows or a Linux system.
What you should be able to do: After completing this unit, you should be able to:
• Understand S-TAP
• Install S-TAP on Windows interactively
• Install S-TAP on Linux using GIM
• Understand the non-interactive installation methods
Figure 7-1. Unit objectives (GU2022.0): repeats the four objectives listed above.
323. … in a corporate environment, including:
• Database servers: Data Access Monitoring via S-TAP, SPAN port or Network TAP; Configuration Auditing System (CAS); Enterprise Data Correlation (Guardium can upload data from external databases and integrate it into its internal database)
• File Servers: CSV exports (Unix only); Enterprise Data Correlation (Guardium can upload data from flat files and integrate it into its internal database)
• FTP Servers: CSV exports
• Backup Servers (SCP, FTP, TSM and Centera): Daily Archives and System Backup
• Email Servers: Alerts and Audit Processes
• SIEM Servers: Alerts and reports sent via Syslog forwarding
• LDAP/Active Directory Servers: Pass-through authentication; Group member import
• SNMP servers: SNMP polling; SNMP traps
Topic summary. Having completed this topic, you should understand:
• Data aggregation
• Central management
• Hardware and software configuration options
• Integration options
Figure 2-20.
324. … on the Guardium appliance. Use this function to upload open source drivers for Oracle and MS SQL; after upload they appear in the Database Type drop-down menu of the Datasources Definition menu. Upload one driver at a time. Click the Upload button. You are notified when the operation completes, and the uploaded file is displayed. This action brings the uploaded file to the Central Manager. For the Oracle JDBC and SQL Server JDBC driver files, go to the Central Management choice within the Admin Console to manage distribution of these jar files to the managed units. Click the import icon to import, or the remove icon to remove the uploaded file without importing; you will be prompted to confirm either action. Click the Done button when finished.
Note: If you will be exporting and importing definitions from one appliance to another, be aware that subscribed groups are not exported. When exporting definitions that reference subscribed groups, you must ensure that all referenced subscribed groups are installed on the importing appliance (or central manager, in a federated environment).
Note: When uploading DB2 z/OS license jar files, the license takes effect after a restart of the GUI.
Configuration: Flat Log Process (System View, Administration Console) …
325. … in this unit. A presentation parameter describes a physical characteristic of the report, for example whether a graphical report includes a legend or labels, or what colors to use for an element. All presentation parameters are provided with initial settings when you define a report.
Standard run-time parameters:
• QUERY_FROM_DATE: the starting date and time for the report
• QUERY_TO_DATE: the ending date for the report
• REMOTE_SOURCE: in a Central Manager environment you can run a report on a managed unit by selecting that Guardium appliance from the Remote Data Source list
Standard presentation parameters:
• fetchSize: the number of rows to display in the report portal panel
• refreshRate: the number of seconds after which the data is to be refreshed; zero means that the data is not refreshed
Pane buttons
[Screenshot: the Training01 report pane, Start Date 2010-12-08 13:18:12, End Date 2010-12-08 16:18:12, Aliases OFF, with the columns Server IP, Client IP, DB User Name, Source Program and Count of Sessions …]
326. 11.2 Query conditions
Query conditions. After completing this topic, you should be able to:
• Add conditions to queries
• Use AND and OR clauses
• Use parentheses in queries
• Add a query to a pane
• Create custom run-time parameters
Figure 11-26. Query conditions (GU2022.0)
New query: Object main entity
[Figure 11-27. New query: Object main entity (GU2022.0): screenshot of the Custom Reporting, New Query page (Overall Details: Query Name Training01, Objects Main Entity), reached through the Build Reports / My New Reports / Privacy Sets navigation under the Quick Start, Monitor/Audit, Discover, Assess/Harden, Comply and Protect tabs]
Notes: The next pages will go …
327. System View: default tab for admin users; includes the S-TAP Status Monitor.
[Figure 5-2. System View (GU2022.0): screenshot of the System View dashboard with the S-TAP Status Monitor, Current Status Monitor, Request Rate, CPU Usage, Logins to Guardium, Scheduled Jobs and Exceptions panes]
Notes: System View is the default tab that is displayed whenever the admin user, or any user in the admin role, logs into the Guardium Console web interface. System View provides a dashboard of the appliance's current state and includes the following:
• S-TAP Status Monitor: shows a report listing each of the S-TAPs directed to this appliance along with its current status. Green indicates that an inspection engine has been configured and is running for the S-TAP.
• Current Status Monitor: includes a graphic that displays key system information, such as the number of requests logged and free disk space. Notice the numbers indicating that a DB2 instance is being monitored.
• Request Rate: a chart highlighting the number of SQL requests logged over a period of time.
• CPU Usage: a chart displaying CPU utilization over a period of …
328. … name. To … server IP … To collapse the entity, click it again. Attributes: fields that will be part of the where clause.
[Figure 11-14. Custom query builder (GU2022.0): screenshot showing the Entity List and Query Conditions panes and the buttons Delete, Clone, Roles, Save, Back, Generate Tabular, Regenerate, Add to Pane and Add to My New Reports]
Notes: The custom query builder is composed of three panes:
• Entity List allows you to select attributes to add to the query, either as fields in the report or as query conditions.
• Query Fields are the fields that will appear in the report.
• Query Conditions contains the where clause of the query.
Adding fields
[Screenshot: query Training01, Main Entity Session, with the Add Count, Add Distinct and Sort by count controls. The Query Fields table (Seq, Entity, Attribute, Field Mode, Order by, Sort Rank, Descend) lists 1 Client/Server Server IP Value, 2 Client/Server Client IP Value and 3 Client/Server DB User Name Value; the Entity List shows the Timestamp attributes (Date, Time, WeekDay, Year) and the Client/Server attributes (Server Type, Client IP, Server IP, Network Protocol, DB Protocol, DB Protocol Version) …]
329. … [Screenshot residue: S-TAP configuration fields Session pattern, Session prefix, Session postfix, Session ID pattern, Session ID prefix and Session ID postfix (all 0), followed by the Guardium Hosts and Inspection Engines sections and the Add Inspection Engine button]
Figure 7-21. S-TAP Configuration: CAS and Application Server User ID (GU2022.0)
Notes: Change Auditing: these settings affect how CAS sends data to the collector. Generally these should not be changed. Application Server User Identification: this is used only when S-TAP is installed on the application server.
S-TAP Configuration: Guardium Hosts
[Figure 7-22. S-TAP Configuration: Guardium Hosts (GU2022.0): S-TAP Control screenshot listing the S-TAP host 192.168.169.8, port 9060, its status and last response 2010-12-04 00:53:07, with the Details, Change Auditing, Application Server User Identification, Guardium Hosts (Active Guardium Host 192.168.169.9) and Inspection Engines sections]
Notes: This pane lists all Guardium appliances defined as hosts for the S-TAP. Additional hosts can be defined to provide a failover and load-balancing capability. Guardium S-TAP hosts are referred to using three terms: Active Host: the host to which this S-TA…
330. … including the Full SQL string.
• Alert on three or more failed logins by the same user within five minutes.
• Alert on DML against Sensitive Objects.
• Ignore activity by applications, backup jobs and other scheduled processes.
• Reports should be delivered to the Information Security (IS) group and signed by the IS manager. After the IS manager has signed the reports, the reports should be delivered to the Audit and Database Manager groups for review. Delivery of reports should be broken down by database type (MS SQL Server or Oracle).
A.4 Building Groups
Groups simplify policy and query creation by allowing users to organize Guardium data elements based on their reporting requirements. It is much easier to create your reports and policy after you have defined your groups. For example, assume that your company has 25 separate data objects containing sensitive employee information and you need to report on all access to these items. You could formulate a very long query testing for each of the 25 items. Alternatively, you could define a single group called "sensitive objects" containing those 25 objects. That way, in queries or policy rule definitions you only need to include the group in the where clause instead of each separate object. There are six ways to populate groups. Generally manual entry is sufficient, but if you need to load a large number of members or want to update a group on a scheduled basis, one of the other methods might be more app…
331. … network configuration on an appliance
• Understand S-TAP and how to install it
• Create a policy or set of policies to meet your requirements
• Install and manage policies
• Understand the major components of the Configuration Auditing System (CAS)
• Explain how to create custom queries and reports
• Understand how to consolidate and automate audit activities into a compliance workflow
Agenda
Day 1
00:30 Welcome
00:30 Unit 1. InfoSphere Guardium
00:30 Unit 2. Guardium Architecture
00:30 Unit 3. CLI (Command Line Interface)
00:15 Exercise 1. Using the Guardium CLI
00:30 Unit 4. Access Management
00:15 Exercise 2. Creating Guardium Users
00:45 Unit 5. System View and Administration Console
00:45 Unit 6. System View and Administration Console II
00:30 Exercise 3. Archiving Collected Data
01:30 Unit 7. S-TAP and GIM
00:45 Exercise 4. Installing GIM and S-TAP
Day 2
01:15 Unit 8. Group Builder
00:30 Exercise 5. Creating Guardium Gro…
332. … changes such as ownership, access permission and path for a file. In a federated environment, where all units (collectors and aggregators) are managed by one manager, all templates are shared by both collectors and aggregators, and CAS data can be used in reporting or vulnerability assessments. When the collector and aggregator (or the host where archived data is restored) are not part of the same management cluster, the templates are not shared, and therefore CAS data cannot be used by vulnerability assessments even when the data is present. To remedy this, use export/import of definitions to copy the templates from the collector to the aggregator or restore target.
Monitored Entity: the actual entity being monitored. It can be a file (its content and properties), the value of an environment variable or Windows registry entry, the output of an OS command or script, or an SQL statement.
CAS Instance: application of a CAS Template Set on a specific host, creating an instance of that template set and applying it on that host.
Configuration Auditing System …
333. Unit 12. Compliance Workflow Automation
Estimated time: 00:30
What this unit is about: This unit describes how to automate audit activities into a compliance workflow.
What you should be able to do: After completing this unit, you should be able to:
• Understand how to consolidate and automate audit activities into a compliance workflow
• Determine who needs to review the audit results and manage the sign-offs
• Establish a schedule for delivery
Figure 12-1. Unit objectives (GU2022.0): repeats the three objectives listed above.
Compliance Workflow Automation
Compliance Workflow Automation provides facilities to automate and integrate audit activities into a compliance workflow. Group multiple audit tasks (reports, vulne…
334. … Unit 6. System View and Administration Console II
Instructor notes (answers):
7. True or false: The current day's data cannot be archived.
8. The opposite of an archive is a restore.
9. The maximum number of Central Managers in a Guardium environment is one.
10. There could be a time lag of up to one hour between the time users, roles or permissions are added to the Central Manager and the time they are applied to the managed units.
Unit summary. Having completed this unit, you should be able to:
• Configure an IBM InfoSphere Guardium appliance from the Administration Console
Figure 6-26. Unit summary (GU2022.0)
Exercise. At this point you should complete Exercise 3 in the Exercise Guide.
335. … updated by backend automated [process] … This is recommended if you are … granularity … usually processed … is not recommended … logging full details …
336. Instructor notes (answers):
4. How can you supply runtime values to a query?
   a. By using Run Time Parameters
   b. By using Dynamic Groups
   c. Both a and b
   d. Neither a nor b
5. The character used as a wildcard in Guardium queries is ______ (answer in the source: "& … escape backslash").
6. True or false: Adding runtime parameters to reports enables drill-down reports as well.
Exercise. At this point you should complete Exercise 11 in the Exercise Guide. Alternately, you can wait and do Exercises 10, 11 and 12 at the end of this unit.
Figure 11-42. Exercise (GU2022.0)
Checkpoint solutions (1 of 2)
1. Which of the following is NOT a valid conditional operator in Guardium?
   a. REGEXP
   b. IN GROUP
   c. NOT IN GROUP
   d. All of these are valid operators
2. True or false: To add a second condition to a query, you would first select the entity and drop it in the condition f…
337. … ns and can provide an equivalent sign-off. That is, Bob and Jane are both Information Security Officers: Bob will primarily sign off on Guardium reports, but Jane should be able to do so as well in Bob's absence. Each job function should be added as a role and each receiver as a Guardium user. The users should be added to the appropriate role based on their job function.
2. Create your roles as shown below. This must be performed by a user with the accessmgr role.
[Screenshot: Guardium Access Management, Security Role Browser (with the Role Permissions and LDAP Import links) listing the roles admin, accessmgr, dba, infosec, netadm, appdev, …, cas and inv, each with a Remove action, and the Add Role button]
From the Access Manager tab, Security Role Browser link, click Add Role. On the next screen, enter the role name and press Add Role. Repeat for each required role.
3. Create your users and assign the appropriate role. This must be performed by a user with the accessmgr role.
[Screenshot: Guardium Access Management, User Browser (Edit Account, Customize, Security Role Browser, Role Permissions, LDAP Import) with a case-sensitive filter string on User Name and the columns Username, First Name, Last Name …]
338. [Screenshot residue: the Guardium Monitor report list (Aggregation/Archive Log, AME Files, Application Objects Summary, Audit Process Log, Available Patches, Buffer Usage Monitor, Cls Asmt Job Queue, Current Status Monitor, Definitions Export/Import Log, Enterprise Buffer Usage Monitor) beside a list of policy rules such as Privileged Users Log Full Details, Admin Users Sessions, Vulnerability & Threats Management Admin Object by non-DBA Alert, Execution of DML Command, Use of Administrative Objects, Vulnerability & Threats Management Admin Commands Log Full Details, Administrative Commands Usage Assessment and Use of Administrative Commands on Administrative Objects, and the Guardium Group Details report (Start Date 2002-05-30 14:43:51, End Date 2010-09-30 14:43:51, Group Description LIKE monitored, Aliases OFF) listing the Monitored Commands group of type COMMANDS, timestamp 2010-09-30 14:30:43, with members CREATE ALIAS, DROP TABLE, CREATE PROCEDURE, ALTER CLUSTER, DROP DEFAULT and DROP INDEX …]
339. … number of separate policy violations that oversight teams need to review.
Configuration: Inspection Engines (1 of 2)
[Screenshot: Administration Console, Configuration, Inspection Engine Configuration. Options: Log Request SQL String, Log Sequencing, Anomaly Detection, Log Exception SQL String, Log Records Affected, Application User Translation, Log timestamp per second, Compute Avg Response Time, Custom ID Procedures, Inspect Returned Data, Record Empty Sessions, Parse XML, Logging Granularity 60, Max Hits per Returned Data 64, Ignored Ports List and Incident Generation; buttons Restart Inspection Engines, Add Comments, Apply and Add Inspection Engine. The inspection engine shown is Name Oracle, Protocol Oracle, DB Client IP/Mask 0.0.0.0/0.0.0.0, Port 1521, DB Server IP/Mask 192.168.169.8/255.255.255.255, Active on startup checked, with Exclude DB Client IP, Upload Key File and Add fields. The left navigation lists Alerter, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP-to-Hostname Aliasing, Policy Installation, Portal, Query Hint, Session Inference, Data Management, Central Management and Local Taps …]
340. … no options beyond starting the Alerter. The Alerter can be configured in the GUI under Administration Console > Configuration > Alerter.
Configuration and control commands. Use the configuration and control CLI commands to:
• Check the installed licenses
• Ping remote systems
• Restart the GUI interface
• Reboot the Guardium appliance
• Set the user timeout value
• And so on
Figure 3-17. Configuration and control commands (GU2022.0)
Notes: The configuration and control CLI commands cover a large number of configuration settings within the Guardium appliance. Remember that the STORE command is used to set a configuration setting and the SHOW command is used to display a current configuration setting.
File handling commands. Use the file handling CLI commands to:
• Back up and restore configuration information
• Back up and restore the Guardium database
• Back up and restore profile information
• Export and import audit data
• Display exported audit …
341. o this Process. Figure 12-10 Roles, Process Management (GU2022.0). Notes: Press the Roles button to allow access to the audit process definition to other users. The remaining buttons are used to manage the audit process: Delete deletes the audit process; Clone copies the audit process with a new name; Add Comments adds notes for reference; Refresh updates the contents; Apply saves changes to the audit process; Back exits the audit process without saving changes. (Unit 12, Compliance Workflow Automation, 12-15.) Slide: Activating and running an audit process. The audit process can now be activated and either run or scheduled. [Screenshot: Compliance Automation > Audit Process Definition: Description Training01, Active checked, "There is no schedule associated with this process", Archive Results, Keep for a minimum of 0 days or 5 runs, CSV/CEF File Label Training, Zip CSV for mail, Email Subject "Guardium Workflow please review", Modify Schedule.] Figure 12-11 Activating and running an audit process (GU2022.0). Notes: Once the process receivers and tasks are complete, the Audit Process can now be marked as Active and scheduled. Also, you could press Run Once Now to execute
342. o training01 coll col2 values 12929 484. DB20000I The SQL command completed successfully. [Screenshot: SQL report, Start Date 2010-11-30 23:30:59, End Date 2010-12-02 02:30:59, Aliases OFF, filters Server IP, Client IP, DB User Name, SQL LIKE and SQL NOT REGEXP; columns Timestamp, Server IP, Client IP, DB User Name, Event Value Str, Sql, Successful Sqls, Total access; rows from 192.168.169.8 dated 2010-12-01, records 3 to 20 of 120.] Figure 7-51 Confirm Inspection Engine creation (GU2022.0). Notes: Next, go to Administration Console > Local Taps > S-TAP Control and click the Inspection Engines button to confirm that the inspection engine was created correctly. (Unit 7, S-TAP and GIM, 7-59.) Slide: Topic summary. Having completed this topic, you should be able to: install the Guardium Installation Manager (GIM); use GIM to install S-TAP on a Linux database server; install the Discovery module; use the Discovery module to automatically configure an inspection engine. Figure 7-52 Verify t
343. ods used to build and populate Guardium groups: Manual Entry; Auto Generate Calling Prox; LDAP; Populate from Query; Classifier; GuardAPI. 3. Which of the following is not a built-in Guardium group? a) Sensitive Objects b) DML c) DDL d) DCL. 4. True or False: Manual entry of lists always includes a drop-down list of items. 5. True or False: The Auto Generated Calling Prox option (Populate a Group Using Database Sources) is available on all database types. Additional information. Transition statement. (Unit 8, Group Builder, 8-41.) Slide: Checkpoint (2 of 2). 6. True or False: GuardAPI can be used to script the populating of groups. 7. A(n) ___ is a group of groups. 8. ___ consolidates sub-groups in a hierarchy into a single group. 9. List the two types of group reports available under the Guardium Monitor tab. Figure 8-35 Checkpoint (2 of 2) (GU2022.0). Notes: Write your answers here: 6, 7, 8, 9. (8-42.) Instructor notes: Purpose. Details. Answers: 6. True
344. of Guardium processes are running at all times and restarting them if they fail. The GIM and GIM Supervisor processes can communicate with a collector or a Central Manager. (Unit 7, S-TAP and GIM, 7-35.) Slide: GIM installers directory. [Terminal listing on dbserver01: cd into the "STAP Suse Discovery and GIM Agents" directory under /tmp/stap and ls shows the Discovery bundles (guard-bundle-DISCOVERY-guard-8.xx_r20992_1 for suse 9, 10 and 11 on i686, ppc64 and x86_64) as .gim files, and the GIM bundles (guard-bundle-GIM-guard-8.0.xx_r20992_1 for the same platforms) as .gim files with matching .gim.sh installers.]
345. of the report. When defining a Query in the Query Builder, the system uses the main entity, among other parameters, to determine which time fields will be used when defining the Period From and Period To of the report or alert using this query. When applicable, the Period Start and Period End from the Access Period entity are usually used; in other cases it will choose period values according to the main entity. (Unit 11, Custom Query and Report Building, 11-15.) Slide: New query steps summary. [Screenshot: numbered navigation views through Monitor/Audit > Build Reports > Custom Reporting, including the Query Finder (Query Name: Select a Query; Report Title: Select a Report; Main Entity: Select an Entity), the Monitor/Audit task list (Track data access, Track exceptions, Track policy violations, Track sent alerts, Track rogue connections), "Define how information should be presented" and "Place report on portal page".]
346. ok like this. Using BO-WI (Business Objects Web Intelligence): set application property user name JohnDoe. In a custom procedure mapping (described later) you can tell Guardium to: watch for a stored procedure named set application property with a first parameter value of user name; set the application user to the value of the second parameter in the call (JohnDoe in the example above). (Unit 5, System View and Administration Console, 5-13.) Slide: Configuration: Customer Uploads. [Screenshot: Administration Console > Configuration > Customer Uploads: DPS Upload; Upload DB2 z/OS License jar; Upload Oracle JDBC driver; Upload MS SQL Server JDBC driver; Import DPS (File Name, Size: None currently uploaded, Browse).] Figure 5-9 Configuration: Customer Uploads (GU2022.0). Notes:
347. Instructor Guide. No formal tests are administered in the class. Course materials: Student Notebook; Instructor Guide; PowerPoint visuals in PDF form; Student Exercises; Instructor Exercises Guide. Summary of changes in this edition: The updates in this version of the course are designed to introduce Guardium v9 and to improve the readability of the materials and the instructions for the exercises. (xviii, InfoSphere Guardium V9 Technical Training.) Course description: InfoSphere Guardium V9 Technical Training. Duration: 3 days. Purpose: This three-day course offers a balanced mix of lectures, hands-on lab work, case studies and testing. Students will learn how to create reports, audits, alerts, metrics, compliance oversight processes and database access policies and controls. Students will also learn about system administration, archiving, purging and back-ups. Audience: This course is for Information Security professionals, Database Administrators, Auditors. Prerequisites: There are no prerequisites for this course. Objectives: After completing this course you should be able to: identify the methods that Guardium uses to capture database traffic; navigate the CLI; update the
348. omain controller. It does not forward any traffic from that user to the Guardium appliance until it has the actual database user name. On Demand Async: Like the above option, except that messages are not held while waiting to obtain the database user name. TLS Use: Mark to use a TLS-encrypted connection. This applies to both the S-TAP and CAS agents. Before changing this setting, verify that the ports used for this purpose are not being blocked by a firewall between the server and the Guardium appliance. See the Guardium Port Requirements table in the S-TAP Overview. Failover: Mark to indicate that if no TLS connection can be established, a non-TLS connection can be used. (7-24.) Slide: S-TAP Configuration: CAS and Application Server User ID. [Screenshot: S-TAP Configuration for Host 192.168.169.104, Last response 2010-11-30 09:43:15.0, Version 8 21066, Details; Change Auditing section: Task checkpoint TASK_CHECKPOINT, Client checkpoint CLIENT_CHECKPOINT, Checkpoint period 60, Fail over file FAIL_OVER_FILE, Fail over file size limit 50000, Max rec attempts 5000, Reconnect interval 80, Raw data limit 1000, Md5 size limit 1000; Application Server User Identification section: Session timeout 0, Ports 0, Login pattern 0, Username prefix 0, User
349. ommand. The generate new layout command generates a new web GUI layout for an existing role. [Screenshot: IBM InfoSphere Guardium portal for User01 (tabs View, Quick Start, Monitor/Audit, Discover, Assess/Harden, Comply, Protect, Capture/Replay), Reports Overview pane: View Installed Policy (Currently Installed Policies, Start Date 2013-08-11 09:26:30, End Date 2013-08-12 09:26:30; Installed Policy 1: Exercise 6, Date Installed 7/31/13 5:07 PM, "This is not a selective audit policy", "Rules don't fire on flat DB2", Installed Rules 4, Baseline records 0); Number of db per type, Count of Servers, Count of Client Sources and Request Rate charts; address 192.168.169.9:8443.] Figure 3-22 Generate new layout command (GU2022.0). Notes: The Guardium portal window (web interface, GUI) contains one or more panes or tabs. Each pane defines the layout of some portion of the window. Each pane may contain one or more other panes. The Guardium administrator or access manager can generate, via the CLI, a default layout for a role. After that, any new user who is assigned that role will have that layout after logging in for the first time. (Unit 3, Command Line Inter
350. ommands; Generate New Layout Command; Certificate Commands. Figure 3-13 Reminder: CLI command categories (GU2022.0). Notes: The CLI commands are grouped into 10 different categories. We will now take a very high-level look at each of these categories. (Unit 3, Command Line Interface, 3-19.) Slide: Network configuration commands. Use the network configuration CLI commands to: identify a connector on the back of the appliance; reset networking after installing or moving a network card; set IP addresses; enable or disable high availability; configure the network card if the switch it attaches to will not auto-negotiate the settings; and so on. Figure 3-14 Network configuration commands (GU2022.0). Notes: When an InfoSphere Guardium appliance is first received, it must be racked, powered and connected to the network. Once the appliance is physically connected, it must be initially configured to make it accessible over the network. This configuration will need to be completed with physical access to the appliance, or remotely through a KVM solution or an optional DRAC card installed in the appliance. The following commands are used to configure the n
351. onds to wait on a verdict from the appliance; if timed out, look at the firewall fail close value to know whether to block or allow the connection (10 seconds). (Unit 9, Policies, 9-117.) Slide: S-GATE ATTACH / DETACH. [Screenshot: policy rule definition form with criteria fields (DB Name and/or Group; DB User and/or Group, with choices Public, Authorized, LDAP Imported Users; Client IP/Src App/DB User/Server IP/Svc Name; App User; OS User; Src App; Field; Object; Command; Object/Cmd Group; Object/Field Group; Pattern; XML Pattern; App Event Exists; Event Type; Event User Name; App Event Values Text, Numeric, Date; Data Pattern; Replacement Character; Time Period 0; Minimum Count 0; Reset Interval 0 minutes; Quarantine for 0 minutes; Records Affected Threshold 0; Rec Vals; Cont to next rule) and the Add New Action list: ALERT DAILY, ALERT ONCE PER SESSION, ALERT PER MATCH, ALERT PER TIME GRANULARITY, ALLOW, IGNORE RESPONSES PER SESSION, IGNORE S-TAP SESSION, IGNORE SESSION, IGNORE SQL PER SESSION, LOG FULL DETAILS, LOG FULL DETAILS PER SESSION, LOG MASKED D
352. only. [Screenshot: Administration Console > Data Management > Data Import: Import data from Source Directory /var/importdir; Scheduling: "Data Import is currently not scheduled for execution", Modify Schedule; side menu Data Archive, Data Export, Catalog Archive, Catalog Export, Catalog Import, Results Archive (audit), Results Export (files).] Figure 6-5 Data Management: Data Import (Aggregator only) (GU2022.0). Notes: On the aggregator side, to import data from a collector you simply need to press Apply and Modify Schedule to complete the import process. (Unit 6, System View and Administration Console II, 6-7.) Slide: Data Management: Data Restore. [Screenshot: Data Restore Search Criteria: From 2010-10-25 00:00:00, To 2010-10-27 00:00:00, Host Name; Data Restore Search Results; Configuration
353. ons, Java classes, Packages, Procedures, Synonyms, Tables, Triggers and/or Views (Oracle and MS SQL Server only). Populate a Group Using Reverse Dependencies, and Generate Selected Object: These options from the Group auto-populate menu compute a set of objects used when starting from a set of objects. For example, starting from a set of (Unit 8, Group Builder, 8-17) stored procedures, compute all the tables that these procedures use (Oracle only). Populate a Group Using Observed Procedures: Guardium will populate the group by inspecting all changes or additions to stored procedures. This keeps the mapping information up to date through continuous analysis of changes to stored procedures. Therefore, this function can be used to augment the Database Sources option described above. (8-18.) Slide: Auto Generated Calling Prox: Using DB sources. Source Group: This group will contain objects or commands in which you are interested. For example, you might be interested in stored procedures that access a group of sensitive tables. A group of objects should be created that con
354. opyright IBM Corporation 2011, 2013. Figure 11-46 Report builder (GU2022.0). Notes: The previous sections focused on the queries that underlie the reports that you view. To modify the actual reports, go to Monitor/Audit > Build Report and click on Report builder ("Define how information should be presented"). (Unit 11, Custom Query and Report Building, 11-63.) Slide: Searching for a report. [Screenshot: Monitor/Audit > Build Reports > Custom Reporting > Report Finder, with Query, Report Title and Monitor Chart Type (none) pull-downs.] Figure 11-47 Searching for a report (GU2022.0). Notes: To find a specific report, you can select its name from the Query or Report Title pull-down menus and press Search, or simply press Search with no parameters to return all reports. (11-64.) Slide: Report builder buttons. [Screenshot: Custom Reporting > Report Search Results: 1, Training02, Access policy violations, Access to Sensitive Objects
355. or False: GuardAPI can be used to script the populating of groups. 7. A hierarchy is a group of groups. 8. Flattening consolidates sub-groups in a hierarchy into a single group. 9. List the two types of group reports available under the Guardium Monitor tab: 1) Group Usage Report; 2) Guardium Group Details. Additional information. Transition statement. (Unit 8, Group Builder, 8-43.) Slide: Unit summary. Having completed this unit, you should be able to: understand all of the options to create groups; create groups using the manual entry and populate from query methods. Figure 8-36 Unit summary (GU2022.0). Notes. (8-44.) Slide: Exercise. At this point you should complete Exercise 5 in the Exercise Guide. Figure 8-37 Exercise (GU2022.0). Notes. (Unit 8, Group Builder, 8-45.)
356. or Guide. Slide: CLI password requirements. All CLI accounts have the following password requirements. Password Expiration: enforced expiration periods (default 90 days); required password change at next login. Password Validation: minimum of eight characters in length; contain at least one character from three of the following four classes: any upper case letter; any lower case letter; any numeric (0, 1, 2, ...); any non-alphanumeric (special) character. LDAP: CLI users cannot be authenticated through LDAP. Figure 3-5 CLI password requirements (GU2022.0). Notes: Guardium enforces password hardening on each of the CLI accounts (cli and guardcli1 through guardcli5). When installing or rebuilding a Guardium system from an installation DVD, the Guardium system will have a Guardium cli user with a default password of guardium. This password should be changed immediately to ensure the security of the system. All CLI accounts must abide by the following regulations: An expiration period for CLI passwords is enforced by the system; the default expiration period is 90 days. When a password expires, a required change of password will be invoked during the next login process. Passwords must be a minimum of eight characters in length and must contain at least one character from three of the following four classes: any upper case letter; any lower case letter; any nume
357. Instructor Guide. Instructor notes: Purpose. Details. Answers: 1. The three elements of a Compliance Automation Workflow process are a distribution plan, a set of tasks and a schedule. 2. True or false: A user can optionally be notified of pending work in the Compliance Automation Workflow through a To Do list link. 3. The receiver table controls who receives the reports and what action(s) they must take. 4. True or false: A Workflow can be either activated and scheduled to run, or it can be run once now, but not both. 5. Which button takes you to a particular item in your To Do list? i) GOTO ii) VIEW iii) OPEN iv) SAVE. Additional information. (12-22.) Slide: Unit summary. Having completed this unit, you should be able to: understand how to consolidate and automate audit activities into a compliance workflow; determine who needs to review the audit results and manage the signoffs; establish a schedule for delivery. Figure 12-17 Unit summary (GU2022.0). Notes. (Unit 12, Compliance Workflow Automation, 12-23.)
358. or local processing. Groups and Group members, Audit processes, Aliases and more are also copied. The managed units then update their internal databases on an hourly basis, which means that there may be a delay of up to an hour between the time users, roles or permissions are added or modified on the Central Manager and the time that the managed unit applies those updates. (6-20.) Slide: Local Taps. [Screenshot: Administration Console > Local Taps > S-TAP Control: S-TAP Host 192.168.169.8, Status, Last Response 2010-11-15 12:38:22.0, CAS Status, Details; menu entries SSH Public Key Management, Change Auditing, Application Server User Identification, Guardium Hosts, Inspection Engines.] Figure 6-18 Local Taps (GU2022.0). Notes: See the S-TAP and CAS units for detail on configuring Local Taps. (Unit 6, System View and Administration Console II, 6-21.)
359. oration 2011, 2013. Figure 5-4 Administration Console: Configuration (GU2022.0). Notes: The Administration Console pane includes a link to the Configuration options. We will look at each of the options on the upcoming pages. (5-6.) Slide: Configuration: Alerter. [Screenshot: Administration Console > Configuration > Alerter: Active on startup; Polling Interval (seconds) 60; SMTP: IP Address/Host Name smtp.ibm.com, Port 25, password and re-enter password fields, Return Email Address guardium@ibm.com, Authentication method None; SNMP: IP Address/Host Name 192.168.169.8, Trap Community, Retype Community.] Figure 5-5 Configuration: Alerter (GU2022.0). Notes: The Alerter enables the use of email messages, SNMP traps and alert-related Syslog messages. No e-mail messages, SN
360. Slide: Group Builder screen overview. [Screenshot: Group Builder with Modify Existing Groups (Not Filtered) listing Account Management Commands, Account Management Procedures, Active Users, Admin Users, Administration Objects, Administrative Commands, Administrative Programs, ALTER Commands, Application Privileged Commands; Flatten All Hierarchical Groups (Scheduling: "Flattening All Hierarchical Groups is currently not scheduled for execution"); Create New Group with Application Type Public, Group Description Privileged Users, Group Type Description USERS, Group Sub Type Description, Category, Classification, Hierarchical, Add.] Figure 8-5 Group Builder screen overview (GU2022.0). Notes: The group builder is comprised of two panes: Modify Existing Groups and Create New Group. Modify Existing Groups allows you to update a preexisting group. Create New Group allows you to define a new group to Guardium. (Unit 8, Group Builder, 8-7.) Slide: Modify existing groups (1 of 2). [Screenshot: Modify Existing Groups (Not Filtered): Credentials Related Entities, Data Transfer Command
361. ote: The Alerter will not begin using a new SNMP configuration until it is restarted. (5-8.) Slide: Configuration: Anomaly Detection. [Screenshot: Administration Console > Configuration > Anomaly Detection: Active on startup; Polling Interval (minutes) 30; Active Alerts; Locally Disabled Alerts (Inactive S-TAPs Since, Aggregation/Archive Errors).] Figure 5-6 Configuration: Anomaly Detection (GU2022.0). Notes: The Anomaly Detection process executes correlation alerts according to the schedule defined for each alert. A correlation alert looks back over a specified period of time to determine if a condition has been satisfied, for example an excessive number of failed logins for a single user. In a Central Manager environment, the Anomaly Detection panel is used to turn off correlation ale
362. otes (GU2022.0): All Ignore Session actions should only have session-based fields as criteria; otherwise you will experience unexpected results. (Unit 9, Policies, 9-59.) Slide: Ignore STAP session example. [Terminal: db2 => connect to localtcp user appuser using appuserabc; Database Connection Information: Database server DB2/LINUX 9.7.1, SQL authorization ID APPUSER, Local database alias LOCALTCP; => select * from abc; record(s) selected. Sessions report: Start Date 2010-10-20 05:22:54, End Date 2010-10-20 08:22:54, Aliases OFF, filters Server IP, Client IP, DB User Name, Source Program, Service Name, Database Name; columns Timestamp, Session Start, Server IP, Client IP, DB User Name, Source Program, Service Name, Database Name, Session Ignored; rows dated 2010-10-20 08:17 to 08:22 for DB users A2840, A8000, HR, APPUSER and DB2INST1, all from 192.168.169.8 via DB2BP on service DB2INST1, database SAMPLE; the HR and APPUSER sessions show Session Ignored "Yes (STAP)" and the others "No".]
363. ou should be able to do. After completing this unit, you should be able to: understand domains, entities and attributes; create custom queries and reports. (Unit 11, Custom Query and Report Building, 11-1.) Slide: Unit objectives. After completing this unit, you should be able to: understand domains, entities and attributes; create custom queries and reports. Figure 11-1 Unit objectives (GU2022.0). Notes. (11-2.) 11.1 Query overview and creating a simple query. Instructor topic introduction: What students will do. How students will do it. What students will learn. How this will help students on their job. (11-3.) Slide: Query overview and creating a simple query. After completing this topic, you should be able to: create a simple query; add fields and conditions to a query; understand the domains, entities and
364. ount, Password and Authentication Commands; Generate New Layout Command; Certificate Commands. Figure 3-3 CLI overview (2 of 2) (GU2022.0). Notes: The CLI commands are grouped into 10 different categories. CLI Command Categories: 1. Network Configuration; 2. Aggregator; 3. Alerter Configuration; 4. Configuration and Control; 5. File Handling; 6. Diagnostics; 7. Inspection Engine; 8. User Account, Password and Authentication; 9. New Layout; 10. Certificate. (3-4.) Each of these categories will be summarized later in this unit. (Unit 3, Command Line Interface, 3-5.) Slide: CLI users. Default user accounts: cli, guardcli1 through guardcli5. cli logs on directly; guardclix requires a second Guardium user id entered via the set guiuser command. [Terminal: set guiuser example, from dbserver01: ssh guardcli1@10.60.185.13.] Figure 3-4 CLI users (GU2022.0). Notes: Access to the CLI and its commands is limited to a small group of Guardium u
365. ...[gr]oups in the system. Group Usage Report: details where each group is used within the solution. Guardium Group Details: provides a list of all groups, which can be filtered by description and/or group type. (Unit 8. Group Builder, 8-39)
Checkpoint (1 of 2): 1. True or False: A Guardium group always defines a group of users. 2. List the six methods used to build and populate Guardium groups. 3. Which of the following is not a built-in Guardium group? a. Sensitive Objects; b. [not captured]; c. [not captured]; d. DML/DDL/DCL. 4. True or False: Manual entry of lists always includes a drop-down list of items. 5. True or False: The Auto Generated Calling Prox option (Populate a Group Using Database Sources) is available on all database types. Figure 8-34. Checkpoint (1 of 2) (GU2022.0). Notes: Write your answers here: 1. 2. 3. 4. 5. (8-40)
Instructor notes. Purpose: Details: Answers: 1. True or False: A Guardium group always defines a group of users. 2. List the six meth...
366. Confirm installation from the GUI: System View > Administration Console > Module Installation > Process Monitoring. The Process Monitoring table lists Status, Module Name and Client IP; in the example the GIM and SUPERVISOR modules are both shown for client 192.168.169.8. (Administration Console menu: Configuration, Data Management, Central Management, Local Taps, Guardium Definitions, Custom Alerting, Module Installation: Process Monitoring, Setup By Client, Setup By Module, Upload.) Figure 7-31. Installing GIM (GU2022.0). Notes: To install GIM, run the following command on the database server:
./guard-bundle-GIM-<guard OS version>.sh --dir <install directory> --sqlguardip <collector or Central Manager IP address> --tapip <database server IP address>
Note: the command is case and space sensitive. In our example we use the GIM installer for SUSE 10 i686, installing into the directory /usr/gim. The collector IP is 192.168.169.9 and the database server IP is 192.168.169.8, so the command is:
./guard-bundle-GIM-guard-8.0.xx_r20992_1-suse-10-linux-i686-gim.sh --dir /usr/gim --sqlguardip 192.168.169.9 --tapip 192.168.169.8
Check the values before running: --sqlguardip must be the appliance the agents will report to and --tapip the address of the server you are installing on, since the S-TAP configuration is derived from them. After running this command, scroll through the licensing agreement; if the installation was successful you will see the following messages: Ins...
367. Compliance Automation screen. A new compliance automation process consists of four parts: Audit Process Definition; Receiver Table; Audit Tasks; Archive Results. [Figure 12-6. Compliance Automation screen (GU2022.0): Audit Process Definition (keep for a minimum of 0 days or 5 runs; CSV export; Roles/Process Management); Receiver Table (Receiver name; Action Required: Review, Sign, To-Do List; Email Notification: None, Link Only, Full Results; Continuous; Approve if Empty; Add Receiver); Audit Tasks (Add New Task; Task Type: Report, Security Assessment, Entity Audit Trail, Privacy Set, Classification Process); Roles (no roles have been assigned to this process); Refresh, Apply, Back.] Notes: Create a new compliance automation process by selecting New from the Define an Audit Process screen. The Compliance Automation screen is composed of four sections: Audit Process Definition; Receiver Table; Audit Tasks; Roles/Process Management. Each section will be discussed on the upcoming pages. (12-8)
368. ...p Builder, Viewer, Alert Builder, Alias Builder, Audit Process Builder, Audit Process To-do List, Auto-discovery Configuration, Baseline Builder, CAS Host Config, CAS Template Set Config, Classification Policy Builder, Classification Process Builder, Datasource Definitions, Group Builder, Policy Builder, Portlet Editor, Privacy Set Builder, Security Assessment Builder (Tools menu). [Figure 9-68. Creating a Selective Audit Trail policy (GU2022.0): Policy Definition with Policy category, Policy baseline, Log flat, Selective audit trail (checked), Audit pattern; Roles: no roles have been assigned to this policy; Edit Rules; Apply.] Notes: Some implementations require that only a small subset of SQL requests be monitored, for example sensitive object access only, or DML and DDL activity only. In these situations a Selective Audit Trail policy can provide tremendous benefits, both in collector performance and in data retention. (Unit 9. Policies, 9-93)
Selective Audit Trail default behavior. [Diagram: Database Server 10.10.98; activity from the client to the database server; activity from the database server to the...] The sniffer receives all of the database traffic from S-TAP, then analyzes, parses and logs the data. ...
369. (Table of contents, Units 6 and 7) [unreadable] 6-26; Checkpoint (1 of 2) 6-27; Checkpoint (2 of 2) 6-29; [unreadable] 6-31; [unreadable] 6-32; Checkpoint solution (1 of 2) 6-33; Checkpoint solution (2 of 2) 6-34; Unit 7. S-TAP and GIM 7-1; Unit objectives 7-2; [unreadable] 7-3; S-TAP installation methods 7-4; [unreadable] 7-5; Installation resources 7-6; 7.1 Interactive installation (Windows) 7-7; Interactive installation (Windows) 7-8; Windows S-TAP interactive installation (setup.exe) 7-9; Setup type (Custom) 7-10; Choose Destination Location 7-11; Select Features 7-12; Copy files 7-13; S-TAP [unreadable] 7-14; Collector IP address 7-15; Additional collector for failover 7-16; Start S-TAP service 7-...
370. (Table of contents, Units 3 and 4) ...password and authentication commands 3-28; Generate new layout command 3-29; Certificate commands 3-30; GuardAPI (1 of 2) 3-31; GuardAPI (2 of 2) 3-32; [unreadable] 3-33; Unit summary 3-35; [unreadable] 3-36; Checkpoint solutions 3-37; Unit 4. Access Management 4-1; Unit objectives 4-2; [unreadable] 4-3; Access Management GUI panes 4-4; Access Management tab 4-5; User Browser 4-6; User Browser: adding a user (1 of 2) 4-8; User Browser: adding a user (2 of 2) 4-10; User Browser: editing a user 4-11; User Browser: modifying roles 4-12; User Browse...
371. ...period. For example, if the logging granularity is set to one hour, notifications will be sent for only the first match for the rule during each hour. Receivers: Email messages, which must be addressed to Guardium users and are sent via the SMTP server configured for Guardium; SNMP traps, which are sent to the trap community configured for the Guardium appliance; Syslog messages, which are written to syslog (commonly used to forward alerts to a SIEM such as Tivoli Security Operations Manager); Custom notifications, which are user-written notification handlers implemented as Java classes. Rec. Values: The Record Values check box indicates whether the full, unmasked SQL string will be included with the alert. Because that string can contain the data the statement touched, enable it only when every receiver (mailbox, trap community, syslog/SIEM) is trusted to handle it. (Unit 9. Policies, 9-46 to 9-47)
Alert example (a DB2 command line session that triggers the alert):
db2 => connect to localtcp user a8000 using a8000abc
Database Connection Information
Database server = DB2/LINUX 9.7.1
SQL authorization ID = A8000
Local database alias = LOCALTCP
db2 => select * from db2inst1.employees
E_ID E_FIRSTNAME E_LASTNAME
1001 Henry Xavier
1 record(s) selected.
372. ...[Explain the pur]pose of S-GATE. 2. Which S-GATE option is used to put a user in firewall mode? a. S-GATE ATTACH; b. S-GATE FIREWALL; c. S-GATE JOIN; d. S-GATE BEGIN. 3. Explain what REDACTion does. 4. What happens to a user's session when it is S-GATE TERMinated? Figure 9-89. Checkpoint (GU2022.0). Notes: Write your answers here: 1. 2. 3. 4. (Unit 9. Policies, 9-123)
Instructor notes. Purpose: Details: Answers: 1. Explain the purpose of S-GATE: S-GATE acts proactively as a firewall, examining incoming messages before they reach the database server. 2. Which S-GATE option is used to put a user in firewall mode? a. S-GATE ATTACH. 3. Explain what REDACTion does: Redaction marks out or masks all or part of a result set value. 4. What happens to a user's session when it is S-GATE TERMinated? The user's session is dropped, that is, disconnected from the database server. (9-124)
Unit summary: Having completed this unit you should be able to: understand how Info...
373. ...ps. Figure 5-3. Administration Console (GU2022.0). Notes: The Administration Console tab is the starting point for many activities performed by admin, or by users in the admin role. It includes: Configuration; Data Management; Central Management; Local Taps; Guardium Definitions; Custom Classes; Module Installation. In this module we will look at the Configuration options. (Unit 5. System View and Administration Console, 5-5)
Administration Console: Configuration. Configuration options: Alerter; Anomaly Detection; Application User Translation; Custom ID Procedures; Customer Uploads; Flat Log Process; Global Profile; Guardium for z/OS; Incident Generation; Inspection Engines; IP to Hostname Aliasing; Policy Installation; Portal; Support Maintenance; Session Inference; System; Upload Key File; Unit Utilization Levels.
374. (Unit 2. Guardium Architecture, 2-33 to 2-34.) Unit 3. Command Line Interface. Estimated time: 00:30. What this unit is about: This unit gives an introduction to the command line interface for IBM InfoSphere Guardium. What you should be able to do: After completing this unit you should be able to: understand how to find the correct CLI commands appropriate to your needs; navigate the CLI; update the network configuration on an appliance; understand the GuardAPI. (3-1) Figure 3-1. Unit objectives (GU2022.0). Notes: none. (3-2)
375. [Figure 1-11. Built-in and custom reporting (GU2022.0): Query Builder. Query Fields (Seq., Entity, Attribute, Field Mode, Order by, Sort Rank, Descend): 1. Client/Server: DB User Name (Value); 2. Object: Object Name (Value); 3. SQL: SQL Value (Value); 4. FULL SQL: Full SQL Value (Value); 5. FULL SQL: Timestamp (Value). Entities shown: Access Period, Client/Server, Application Events, Job Info, Command, Object, Object/Command, Field. Addition mode: AND, OR, HAVING. Query Conditions (Entity, Agg., Attribute, Operator, Runtime Param.): WHERE Object: Object Name IN GROUP Sensitive Objects.] Notes: Once the database traffic has been logged into the Guardium appliance database, users can access over 80 pre-built reports for an overview of the database activity. The Guardium solution also includes a flexible query builder, allowing users to create custom reports that meet their specific needs. (1-12)
Compliance Workflow Automation. Compliance Workflow Automation provides options to: deliver reports, vulnerability assessments and classification results to the appropriate users on a periodic bas...
376. ...[For re]quirements which do not have the same criteria but do have some overlap, use the Cont. to next rule checkbox. Ignore session rules: In general, ignore session rules should be the first access rules. An exception to this rule of thumb is a catch-all rule at the end of your policy that ignores all sessions that did not match the previous rules. Also, as described on the Allow slide, sometimes you may need to temporarily prevent an ignore session rule from firing by placing it after an allow rule. (Unit 9. Policies, 9-103) Remember: once a session is ignored, no activity within that session will be processed. Exception and Access rules: Exception rules and access rules are generally mutually exclusive, because they examine different sides of the traffic flow; usually these rule types do not have much effect on each other. (9-104)
Policy logic. [Figure: Exception Rule: Alert on 3 failed logins in 5 minutes. Rule criteria columns: Cat., Classif., Sev., Client IP, Server IP, Src App, DB Name, App User, Client IP/Src App/DB User/Server IP/Svc Name; all set to ANY...]
377. [Figure 5-21. Configuration: System (GU2022.0). Tabs: System View, Administration Console, Tools, Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management, Reports. Administration Console > Configuration: Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Flat Log Process, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP to Hostname Aliasing, Policy Installation, Portal, Query Hint, Session Inference, Upload Key File; Data Management; Central Management; Local Taps; Guardium Definitions; Custom Alerting; Module Installation. System Configuration: Unique global identifier 690501318; System Shared Secret, Retype Secret; License Key; Number of datasources: 1; Metered scans left: 1; License valid until 2099-01-01 00:00:00. Network Address: System Hostname; Domain; System IP Address 192.168.169.9; Subnet Mask 255.255.255.0; Hardware MAC Address 00:0C:29:28:36:C6; Secondary Management Interface: System IP Address, Subnet Mask. Routing: Default Route 192.168.169.2; Secondary Route. DNS: Primary Resolver 9.32.193.141 (Test Connection); Secondary Resolver (Test Connection); Tertiary Resolver (Test Connection).] Notes: System Configuration. Unique global identifier: This value is used for collation and aggregation of data. The default value is a unique value derived from the MAC address of the machine. It is strongly recommended that you do not change this value after the system begins monitoring opera...
378. (Table of contents, Units 4 and 5) User Browser: changing layouts 4-13; User Browser: deleting a user 4-14; User Role Browser 4-15; User Role Permissions 4-17; User LDAP Import 4-18; User & Role Reports 4-19; Data Security tab 4-20; Checkpoint (1 of 2) 4-21; Checkpoint (2 of 2) 4-23; Unit summary 4-25; [unreadable] 4-26; Checkpoint solution (1 of 2) 4-27; Checkpoint solution (2 of 2) 4-28; Unit 5. System View and Administration Console 5-1; Unit objectives 5-2; System View 5-3; Administration Console 5-5; Administration Console: Configuration 5-6; Configuration: Alerter 5-7; Configuration: Anomaly Detection 5-9; Configuration: Application User Translation 5-11; Configuration: Custom ID Procedures 5-13; Configuration: ...
379. [Figure 5-8. Configuration: Custom ID Procedures (GU2022.0). Add Mapping form: Procedure Name; Action: Set; Condition1 Location (0), Condition1 Value; Condition2 Location (0), Condition2 Value; Application Username Position; Event String Value Position (0); Event Number Value Position (0); Event Type Position (0); Event Date Position (0); Server Information: Server type, DB Username, Server IP, Server IP Mask, Server IP Group; Add.] Notes: In many existing applications, all of the information needed to identify an application user can be obtained from existing database traffic using stored procedure calls. Once Guardium knows which calls to watch for, and which parameters contain the user name or other information of interest, users can be identified automatically. In the simplest case, an application might have a single stored procedure that sets a number of property values, one of which is the user name. A call to set the user name might lo...
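The mapping in Figure 5-8 names the procedure to watch, the parameter position that carries the application user name, and optional Condition Location/Value pairs that must match before a call counts. The following Python is an added example written for this page, not IBM code and not the appliance's parser: it applies such a mapping to a constructed stream of captured statements so that later statements in the same database session are attributed to the application user. The procedure name set_app_context, the session records and the SQL are constructed for the example, and the parsing is deliberately limited to simple CALL/EXEC statements with literal arguments.

```python
"""Added example (not IBM Guardium code): apply a Custom ID Procedure style
mapping to captured SQL so that statements in a database session are tagged
with the application user set by a stored procedure call. The procedure
name, sessions and statements below are constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcedureMapping:
    procedure_name: str
    username_position: int                       # 1-based "Application Username Position"
    conditions: List[Tuple[int, str]] = field(default_factory=list)  # (location, value) pairs


# CALL proc(arg, ...), CALL proc arg, ..., or EXEC/EXECUTE proc ..., optional trailing ';'
CALL_RE = re.compile(r"^\s*(?:call|exec(?:ute)?)\s+([\w.]+)\s*\(?(.*?)\)?\s*;?\s*$",
                     re.IGNORECASE | re.DOTALL)
# one quoted literal (with '' as an escaped quote) or one bare token
ARG_RE = re.compile(r"'((?:[^']|'')*)'|([^,\s()]+)")


def parse_call(sql: str) -> Optional[Tuple[str, List[str]]]:
    """Return (procedure name, argument list) for a procedure call, else None."""
    m = CALL_RE.match(sql)
    if m is None:
        return None
    args: List[str] = []
    for arg in ARG_RE.finditer(m.group(2)):
        quoted, bare = arg.group(1), arg.group(2)
        args.append(quoted.replace("''", "'") if quoted is not None else bare)
    return m.group(1), args


def extract_app_user(sql: str, mappings: List[ProcedureMapping]) -> Optional[str]:
    """Return the application user carried by `sql` if some mapping matches it."""
    parsed = parse_call(sql)
    if parsed is None:
        return None
    name, args = parsed
    for mp in mappings:
        if name.lower() != mp.procedure_name.lower():
            continue
        # every Condition Location/Value pair must match the argument at that position
        if any(loc > len(args) or args[loc - 1] != value for loc, value in mp.conditions):
            continue
        if mp.username_position <= len(args):
            return args[mp.username_position - 1]
    return None


def attribute_traffic(events: List[Tuple[str, str, str]],
                      mappings: List[ProcedureMapping]) -> List[Tuple[str, Optional[str], str]]:
    """events are (session id, DB user, SQL) in arrival order. Each statement comes
    back as (DB user, application user or None, SQL); the application user persists
    for the session until another matching call replaces it."""
    current: Dict[str, str] = {}
    tagged: List[Tuple[str, Optional[str], str]] = []
    for session_id, db_user, sql in events:
        app_user = extract_app_user(sql, mappings)
        if app_user is not None:
            current[session_id] = app_user
        tagged.append((db_user, current.get(session_id), sql))
    return tagged


# Constructed sample: the application's pooled account APPSVC sets the user name
# through set_app_context('USERNAME', <user>), so the mapping is procedure
# set_app_context, Condition1 Location 1 / Value USERNAME, username position 2.
SAMPLE_MAPPINGS = [ProcedureMapping("set_app_context", 2, [(1, "USERNAME")])]
SAMPLE_TRAFFIC = [
    ("sess-1", "APPSVC", "CALL set_app_context('USERNAME', 'jsmith')"),
    ("sess-1", "APPSVC", "SELECT * FROM employees WHERE e_id = 1001"),
    ("sess-2", "APPSVC", "CALL set_app_context('LOCALE', 'en_US')"),   # condition fails: not a user
    ("sess-2", "APPSVC", "UPDATE employees SET salary = 1 WHERE e_id = 1001"),
    ("sess-1", "APPSVC", "exec set_app_context 'USERNAME', 'mjones';"),
    ("sess-1", "APPSVC", "DELETE FROM employees WHERE e_id = 1001"),
]


def run_sample() -> List[Tuple[str, Optional[str], str]]:
    return attribute_traffic(SAMPLE_TRAFFIC, SAMPLE_MAPPINGS)


if __name__ == "__main__":
    for db_user, app_user, sql in run_sample():
        print(f"{db_user:8} {app_user or '-':8} {sql}")
```

The UPDATE in sess-2 stays unattributed because the only call in that session set a property other than the user name, which is exactly what the Condition Value filter is for: without it, 'en_US' would have been recorded as the application user.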
380. ...[Text and/o]r Group; Numeric; Date; Data Pattern; Replacement Character; Time Period; Minimum Count 0; Reset Interval 0 minutes; Message Template: Default; Quarantine for 0 minutes; Records Affected Threshold 0; Rec. Vals.; Cont. to next rule; Actions (Add New Action): ALERT DAILY, ALERT ONCE PER SESSION, ALERT PER MATCH, ALERT PER TIME GRANULARITY, ALLOW, IGNORE RESPONSES PER SESSION, IGNORE S-TAP SESSION, IGNORE SESSION, IGNORE SQL PER SESSION. Figure 9-36. Ignore S-TAP Session rule (GU2022.0). Notes: In the example above, all sessions are ignored except those in the Privileged Users group. (Unit 9. Policies, 9-55)
Ignore sessions and sizing. Ignore session rules can positively affect: the number of collectors required; the performance of each collector; data retention. Figure 9-37. Ignore sessions and sizing (GU2022.0). Notes: Choosing which sessions to ignore depends on how the Guardium solution was sized in the sales process. For example, some implementations are defined as "privileged user only". In this situation the customer will define a group of privileged users and create a rule to Ignore S-TAP Session when...
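The ordering behaviour described in the policy notes (ignore-session rules first, an ALLOW rule used to shield a later ignore rule, Cont. to next rule, and ALERT PER TIME GRANULARITY sending only the first match per logging-granularity period, as the alert receivers notes say) is easy to get wrong when rules are reordered. The following Python is an added example written for this page, not IBM code and not how the sniffer is implemented: it simulates top-to-bottom evaluation of a small "privileged user only" policy. Only the DB User group criterion (with its Not flag) is modelled; the rule descriptions, group names and sessions are constructed for the example.

```python
"""Added example (not IBM Guardium code): simulate top-to-bottom evaluation of
access-rule actions to show the ordering effects described in the notes. Only
one rule criterion (DB User in group, with an optional Not flag) is modelled;
the group names and sessions below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    description: str
    action: str                              # one of the actions offered on the rule form
    db_user_group: Optional[str] = None      # None means "any DB user"
    not_in_group: bool = False               # the rule's Not flag on the group criterion
    cont_to_next: bool = False               # the "Cont. to next rule" checkbox


@dataclass
class Session:
    session_id: str
    db_user: str


@dataclass
class Policy:
    rules: List[Rule]
    groups: Dict[str, Set[str]]
    granularity_minutes: int = 60            # logging granularity for ALERT PER TIME GRANULARITY
    ignored_sessions: Set[str] = field(default_factory=set)
    alerted: Set[Tuple[str, int]] = field(default_factory=set)

    def _matches(self, rule: Rule, session: Session) -> bool:
        if rule.db_user_group is None:
            return True
        in_group = session.db_user in self.groups.get(rule.db_user_group, set())
        return in_group != rule.not_in_group

    def evaluate(self, session: Session, ts: datetime) -> List[str]:
        """Evaluate one request from `session` at time `ts`; return the effects applied."""
        if session.session_id in self.ignored_sessions:
            return ["skipped: session already ignored"]   # nothing in an ignored session is processed
        effects: List[str] = []
        for rule in self.rules:
            if not self._matches(rule, session):
                continue
            if rule.action == "IGNORE S-TAP SESSION":
                self.ignored_sessions.add(session.session_id)
                effects.append(f"IGNORE S-TAP SESSION by '{rule.description}'")
                break
            if rule.action == "ALERT PER TIME GRANULARITY":
                # one notification per rule per granularity period (timezone-independent bucket)
                bucket = (ts - datetime.min) // timedelta(minutes=self.granularity_minutes)
                key = (rule.description, bucket)
                if key in self.alerted:
                    effects.append(f"suppressed repeat alert for '{rule.description}'")
                else:
                    self.alerted.add(key)
                    effects.append(f"ALERT by '{rule.description}'")
            else:
                effects.append(f"{rule.action} by '{rule.description}'")   # ALLOW, LOG ONLY, ...
            if not rule.cont_to_next:
                break                        # default: stop at the first rule that fires
        return effects


def build_sample_policy() -> Policy:
    """Privileged-user-only monitoring: alert on privileged activity, keep those
    sessions with ALLOW, and ignore every other session with a catch-all rule.
    The ALLOW rule is what shields privileged sessions from the ignore rule."""
    groups = {"Privileged Users": {"SCOTT", "SYS"}, "Service Accounts": {"APPSVC"}}
    rules = [
        Rule("Privileged user activity", "ALERT PER TIME GRANULARITY",
             db_user_group="Privileged Users", cont_to_next=True),
        Rule("Keep privileged sessions", "ALLOW", db_user_group="Privileged Users"),
        Rule("Ignore all other sessions", "IGNORE S-TAP SESSION"),
    ]
    return Policy(rules=rules, groups=groups)


def run_sample() -> Dict[str, List[List[str]]]:
    policy = build_sample_policy()
    scott, appsvc = Session("sess-1", "SCOTT"), Session("sess-2", "APPSVC")
    t0 = datetime(2013, 5, 1, 9, 5)
    return {
        "scott": [policy.evaluate(scott, t0),
                  policy.evaluate(scott, t0 + timedelta(minutes=35)),   # same hour: suppressed
                  policy.evaluate(scott, t0 + timedelta(minutes=56))],  # next hour: alert again
        "appsvc": [policy.evaluate(appsvc, t0), policy.evaluate(appsvc, t0 + timedelta(seconds=1))],
    }


def run_without_allow() -> List[str]:
    """Same policy with the ALLOW rule removed: the alert still fires, but the
    catch-all ignore rule now swallows the privileged session as well."""
    policy = build_sample_policy()
    policy.rules = [r for r in policy.rules if r.action != "ALLOW"]
    return policy.evaluate(Session("sess-3", "SCOTT"), datetime(2013, 5, 1, 11, 0))


if __name__ == "__main__":
    for user, results in run_sample().items():
        for effects in results:
            print(user, effects)
    print("without ALLOW:", run_without_allow())
```

run_without_allow shows the failure mode the notes warn about: with Cont. to next rule set on the alert rule and no ALLOW in between, the catch-all ignore rule fires for the privileged session too, and the rest of that session is never logged.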
381. [Figure: query fields for the second reporting requirement, "Monitoring Privileged Users". Attributes: Server Type, DB User Name, Source Program, Service Name, Database Name, SQL Verb, Full SQL (all Field Mode: Value). Query Conditions: operators LIKE and IN GROUP; Runtime Param. Main Entity: Command; sorted by occurrences; Parameter: DB Server Type.] The final reporting requirement, "Report on DML on Sensitive Objects, including the Full SQL string", is similar to the second, but must be created with Object as the main entity because the user is interested in Sensitive Objects. (A-10)
8. Monitoring DML on Sensitive Objects. Main Entity: Object; sorted by occurrences. Query fields (Seq., Entity, Attribute, Field Mode, Order by, Sort Rank, Descend): 1. FULL SQL: Timestamp (Value); 2. Client/Server: Server IP (Value); 3. Client/Server: Client IP (Value); 4. Client/Server: DB User Name (Value); 5. Client/Server: Source Program (Value); 6. Client/Server: Service Name (Value); 7. ...
382. ...r example, and is one of two types: Operating System Only (Unix or Windows); Database (Unix/Oracle, Windows/Oracle, Unix/DB2, Windows/DB2, etc.). A database template set is always specific to both the database type and the operating system type. (Unit 10. CAS, VA and Discovery, 10-5)
Configuration Auditing System (1 of 3). [Figure: CAS Configuration > Default Template Sets, Database Templates, CAS Application, CAS Configuration Navigator; Monitored Item Template Definitions (OS Type: UNX, DB Type: DB2).] Default template sets (name; OS type; DB type): Default Unix Template Set (UNX; N/A); Default Unix Informix Template Set (UNX; INFORMIX); Default Unix Informix Template Set v8.0 (UNX; INFORMIX); Default Unix MySQL Template Set (UNX; MYSQL); Default Unix MySQL Template Set v8.0 (UNX; MYSQL); Default Unix Netezza Template Set (UNX; NETEZZA); Default Unix Oracle Template Set (UNX; ORACLE); Default Unix Oracle Template Set v8.0 (UNX; ORACLE); Default Unix PostgreSQL Template Set (UNX; POSTGRESQL); Default Unix Sybase Template Set (UNX; SYBASE); Default Unix Sybase Template Set v8.0 (UNX; SYBASE); Default Unix Teradata Template Set (UNX; TERADATA); Default Windows Template Set (WIN; N/A); Default Windows DB2 Template Set (WIN; DB2); ...
383. ...[regula]r expression. Pressing the question mark button brings up a help page with example regular expressions covering many types of data: dates, credit card numbers, social security numbers, etc. Replacement Character: if you would like to use something other than an asterisk to mask the string, enter it here. Action: extrusion rules can write to the policy violations domain, through Alert or Log Only rules, or to the access domain, through Log Full Details rules. In the example above the rule writes to the policy violations domain, which is visible on the Incident Management tab. (Unit 9. Policies, 9-84)
Extrusion rule results example. [Figure: Incident Management > Policy Violations report. Start Date 2010-10-28 09:00:28, End Date 2010-10-28 12:00:28, Aliases OFF. Columns: Timestamp, Access Rule Description, Client IP, Server IP, DB User Name, Full SQL String, Extrusion Values. Row: rule "Privileged users accessing credit cards", client 192.168.169.8, server 192.168.169.8, DB user A2840, SQL "select * from cc", extrusion value CREDIT_CARD ...]
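An extrusion rule works on the result set rather than the request: each returned value is matched against the rule's pattern, the match is masked with the replacement character, and a violation is recorded. The following Python is an added example written for this page, not IBM code, that performs those steps over a constructed result set. The rule description, the rows and the card-number pattern are constructed for the example; the Luhn check is an addition the page does not mention, used here to drop regex hits that are not real card numbers. The Rec. Values flag follows the alert notes earlier in the unit: the unmasked string is only recorded when it is explicitly requested.

```python
"""Added example (not IBM Guardium code): scan result-set values with an
extrusion-style rule, mask matches with the rule's replacement character, and
record a policy violation per hit. Rows are constructed for the example; the
Luhn check is an addition used to suppress false positives of the regex."""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# 13 to 16 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
CREDIT_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


@dataclass
class ExtrusionRule:
    description: str
    pattern: "re.Pattern"
    replacement: str = "*"      # "Replacement Character" on the rule form
    action: str = "ALERT"       # ALERT or LOG ONLY both record to the policy violations domain


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_value(rule: ExtrusionRule, value: str, validate=luhn_ok) -> Tuple[str, List[str]]:
    """Return the value with every validated match masked, plus the raw matches."""
    hits: List[str] = []

    def repl(m) -> str:
        raw = m.group(0)
        if validate is not None and not validate(re.sub(r"\D", "", raw)):
            return raw                                   # regex hit but not a card number
        hits.append(raw)
        return re.sub(r"\d", rule.replacement, raw)      # keep separators, mask every digit

    return rule.pattern.sub(repl, value), hits


def scan_result_set(rule: ExtrusionRule, rows: Sequence[Sequence[object]],
                    record_values: bool = False) -> Tuple[List[List[str]], List[Dict[str, str]]]:
    """Mask a result set row by row. Each violation carries the masked value unless
    record_values (the Rec. Vals. box) is set, so the unmasked string only leaves
    the scan when that was explicitly requested."""
    masked_rows: List[List[str]] = []
    violations: List[Dict[str, str]] = []
    for row in rows:
        out_row: List[str] = []
        for cell in row:
            masked, hits = mask_value(rule, str(cell))
            out_row.append(masked)
            for raw in hits:
                violations.append({
                    "rule": rule.description,
                    "action": rule.action,
                    "value": raw if record_values else re.sub(r"\d", rule.replacement, raw),
                })
        masked_rows.append(out_row)
    return masked_rows, violations


SAMPLE_RULE = ExtrusionRule("Privileged users accessing credit cards", CREDIT_CARD_RE)
# constructed rows: a valid test card number, a 16-digit run that fails Luhn, an order number
SAMPLE_ROWS = [
    (1001, "Henry", "Xavier", "4111 1111 1111 1111"),
    (1002, "Jane", "Doe", "1234567812345678"),
    (1003, "Ann", "Lee", "order 20101028"),
]


def run_sample(record_values: bool = False):
    return scan_result_set(SAMPLE_RULE, SAMPLE_ROWS, record_values=record_values)


if __name__ == "__main__":
    rows, violations = run_sample()
    for row in rows:
        print(row)
    print(violations)
```

The second row is the case the help-page regexes alone would misclassify: sixteen digits that look like a card number but do not check out. Whether to keep such a validator depends on whether false positives (masking legitimate numbers) or false negatives (leaking a card number with a typo-free but invalid-looking format) are the bigger risk for the data in question.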
384. ...[consolidate reports, vulne]rability assessments and so on into a single process; schedule the process to run on a regular basis in background mode; assign the process to its originator for viewing; assign the process to other users, to a group of users, or to a role; create the requirement that the assignees sign off on the result; allow users to add comments and notations; allow escalation of the results. Figure 12-2. Compliance Workflow Automation (GU2022.0). Notes: Guardium's compliance workflow automation provides the ability to transform the management of database security from time-consuming manual activities performed periodically into a continuous, automated process that supports company privacy and governance requirements such as PCI DSS, SOX, data privacy and HIPAA. It includes the capabilities to: streamline the compliance workflow process by consolidating in one spot the database activity monitoring tasks, including asset discovery, vulnerability assessment and hardening reports, and database audit reports; distribute reports to a specific list of recipients in a specific order, and optionally require sign-off by key stakeholders; allow recipients to escalate delivery of reports following specified criteria; export audit results to external repositories for additional forensic analysis (syslog, CSV/CEF files and/or external feeds).
385. ...[t]raffic (GU2022.0). Notes: Finally, confirm that the collector is capturing traffic. The System View pane can be used for this verification, as can various reports. (Unit 7. S-TAP and GIM, 7-60)
S-TAP installation: Non-interactive methods. After completing this topic you should be able to: understand the non-interactive installation methods for UNIX and Linux; understand how to use GuardAPI to configure inspection engines. Figure 7-53. Topic summary (GU2022.0). Notes: none. (7-61 to 7-62)
7.3 S-TAP installation: Non-interactive methods. Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job. (7-63)
386. ...[If you] want to group the servers by location, you would define a separate group of database servers for each location and define all three groups with the same sub-type. Category: an optional label used to group items such as policy violations and groups for reporting. Classification: another optional label used for policy violations and groups. Hierarchical: the Hierarchical check box causes the group to be defined as a group of groups; this will be discussed later in this unit. (Unit 8. Group Builder, 8-11)
Manual entry (1 of 2). [Figure 8-9. Manual entry (1 of 2) (GU2022.0): Group Builder > Manage Members for Selected Group. Group Name: Privileged Users; Group Type: USERS (Modify Group Type); Category (Modify Category); Group Members (Filter): scott. Options: Create & add a new Member named a8000; Add an existing Member to Group; Rename selected Member to; Delete selected Member.] Notes: One way to ...
387. ...rame and then select either AND or OR. 3. True or false: The HAVING option is only available when the SELECT clause includes one or more aggregate values such as COUNT, AVG, and so on. Figure 11-43. Checkpoint solutions (1 of 2) (GU2022.0). Notes: Write your answers here: 1. 2. 3. (11-58)
Checkpoint solutions (2 of 2). 4. How can you supply runtime values to a query? a. By using Run-Time Parameters; b. By using Dynamic Groups; c. Both a and b; d. Neither a nor b. 5. The character used as a wildcard in Guardium queries is: a. [not captured]; b. [not captured]; c. [not captured]; d. [not captured]. 6. True or false: Adding runtime parameters to reports enables drill-down reports as well. Figure 11-44. Checkpoint solutions (2 of 2) (GU2022.0). Notes: none. (11-59 to 11-60)
11.3 Report Builder. Ins...
388. (Figure 10-1. Unit objectives (GU2022.0). Notes: none. 10-2)
CAS, the Configuration Auditing System: defines and runs tests at the operating system level on the database server; compares results against predefined and expected values; checks items including database configurations, file permissions, directory existence, etc. Figure 10-2. CAS (GU2022.0). Notes: Databases can be affected by changes to the server environment, for example by changing configuration files, environment or registry variables, or other database or operating system components, including executables or scripts used by the database management system or the operating system. CAS tracks such changes and reports on them. The data is available on the Guardium appliance and can be used for reports and alerts. (Unit 10. CAS, VA and Discovery, 10-3)
CAS Components. CAS includes: CAS Agent; CAS Server; Authentication; Template Sets ...
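The three kinds of check named above (configuration file content, file permissions, directory existence) all reduce to recording a baseline for each monitored item and reporting what differs on the next collection. The following Python is an added example written for this page, not IBM code and not the CAS agent: it fingerprints a handful of monitored paths, then re-collects after constructed changes and lists the drift. The file names, their contents and the changes are constructed in a temporary directory by the example itself; the sqlnet.ora and listener.ora names are illustrative only.

```python
"""Added example (not IBM CAS code): a minimal configuration-auditing check in
the spirit of CAS. It records a baseline of monitored items (file content hash,
permission bits, directory existence), re-collects them and reports every
difference. The monitored files are created in a temporary directory by the
example itself; real CAS templates and agents are not involved."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Fingerpr = Dict[str, object]
Change = Tuple[str, str, object, object]


def fingerprint(path: str) -> Fingerpr:
    """Collect what a monitored-item test compares for one path."""
    if not os.path.lexists(path):
        return {"exists": False}
    st = os.stat(path)
    fp: Fingerpr = {
        "exists": True,
        "mode": oct(stat.S_IMODE(st.st_mode)),          # permission bits only
        "type": "dir" if stat.S_ISDIR(st.st_mode) else "file",
    }
    if fp["type"] == "file":
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        fp["sha256"] = h.hexdigest()
    return fp


def snapshot(paths: List[str]) -> Dict[str, Fingerpr]:
    return {p: fingerprint(p) for p in paths}


def compare(baseline: Dict[str, Fingerpr], current: Dict[str, Fingerpr]) -> List[Change]:
    """Return (path, attribute, expected, observed) for every attribute that drifted."""
    changes: List[Change] = []
    for path, expected in baseline.items():
        observed = current.get(path, {"exists": False})
        for key in sorted(set(expected) | set(observed)):
            if expected.get(key) != observed.get(key):
                changes.append((path, key, expected.get(key), observed.get(key)))
    return changes


def run_sample() -> List[Change]:
    """Constructed scenario: a DB config file has its content and permissions
    loosened, an audit directory disappears, an unchanged file yields nothing."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "sqlnet.ora")
        listener = os.path.join(root, "listener.ora")
        audit_dir = os.path.join(root, "audit")
        with open(cfg, "w") as f:
            f.write("SQLNET.ENCRYPTION_SERVER = REQUIRED\n")
        with open(listener, "w") as f:
            f.write("LISTENER = (ADDRESS = (PROTOCOL = TCP)(PORT = 1521))\n")
        os.mkdir(audit_dir)
        os.chmod(cfg, 0o600)
        monitored = [cfg, listener, audit_dir]
        baseline = snapshot(monitored)

        # drift that a CAS-style check should surface
        with open(cfg, "w") as f:
            f.write("SQLNET.ENCRYPTION_SERVER = REJECTED\n")
        os.chmod(cfg, 0o644)
        os.rmdir(audit_dir)

        return [(os.path.basename(p), k, e, o) for p, k, e, o in compare(baseline, snapshot(monitored))]


if __name__ == "__main__":
    for change in run_sample():
        print(change)
```

Each drifted attribute is reported separately, so a single edit to sqlnet.ora that also loosens its mode shows up as two findings, which is what lets a report or alert distinguish a content change from a permission change.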
389. rchical groups (3 of 3). (Screenshot, Figure 8-32 Hierarchical groups (3 of 3): Group Builder, Modify Existing Groups (Not Filtered): Privileged Users, credit card objects, DBAs, Monitored Commands, PI Objects, test, Account Management Commands, Account Management Procedures, Active Users; Flatten All Hierarchical Groups Scheduling: Flattening All Hierarchical Groups is currently not scheduled for execution; Modify Schedule, Run Once Now; browser dialog: The page at https://9.32.29.104:8443 says: Flattening Hierarchical Groups Is Successful.) Notes: To consolidate all of the sub-groups under the group of groups, the groups must be flattened. From the Group Builder, press Run Once Now under the Flatten All Hierarchical Groups Scheduling. The group of groups will now encompass all of the members of the DDL Commands group and the DML Commands group. This process should also be scheduled, by pressing the Modify Schedule button, so that any changes made to either sub-group will be reflected in the hierarchical group. To see the list of individual members in the hierarchical group, go to the Guardium Monitor tab and click the Guardium Group Details link, as shown on the next page. 8-38. Course material
390. rd an additional button will appear: Add value logging option to policies. Unit 5 System View and Administration Console, 5-29. Configuration: Session Inference. (Screenshot, Figure 5-20 Configuration Session Inference: Administration Console > Configuration menu: Alerter, Anomaly Detection, Application User Translation, Custom ID Procedures, Customer Uploads, Global Profile, Guardium for z/OS, Incident Generation, Inspection Engines, IP-to-Hostname Aliasing, Policy Installation, Portal, Query Hint, Session Inference, System; Session Inference settings: Active on startup, Polling Interval (minutes) 120, Max Inactive Period (minutes) 720.) Notes: Session Inference checks for open sessions that have not been active for a specified period of time and marks them as closed. These settings should not be changed. 5-30. Configuration: System. (Screenshot: System View, Administration Console, Tools, Daily Monitor, Guardium Monitor, Tap Monito
391. re than one collector. 2-12. Failover: provides failover to one or more collectors. Load Balancing: sends traffic across multiple collectors. Prevention: blocks activity or terminates the connection. Clusters: supports migrating (floating) unavailable databases. Encryption: communicates over an encrypted channel (TLS) to the collector. Unit 2 Guardium Architecture, 2-13. Raw network traffic: The Guardium collector receives network and local traffic as raw data, parses and analyzes the data, and logs the data in a MySQL database based on configured rules. (Screenshot, Figure 2-8: a Windows cmd.exe session running sqlplus as scott against Oracle Database 10g Express Edition Release 10.2.0.1.0; the session runs "create table tcpdumpexample (col1 int, col2 int)", receives "Table created", inserts a row into tcpdumpexample (col1, col2) values (2, 9494), receives "1 row created", and exits.)
392. red data. 6-24. Custom Alerting. (Screenshot, Figure 6-22 Custom Alerting: Administration Console > Configuration > Custom Alerting; Configure Permission To Socket Connection: Host, Port, Description; Add Permission To Socket Connection; Communication Permissions; Save, Delete, Update, Upload.) Notes: Custom alerting allows users to upload custom Java classes to be used in policy and correlation alerts. Unit 6 System View and Administration Console II, 6-25. Module Installation. (Screenshot: Administration Console > Configuration > Module Installation: Client Name, Client IP, Client OS; Process Monitoring; Setup By Client, Setup By Module; Upload.)
393. required by industry standards or regulations. In other cases, monitoring is needed to conform to local business rules. 1-4. Native auditing: Without a solution like Guardium, companies must rely on built-in auditing methods, also known as native auditing, within each of their database platforms to meet monitoring requirements. Native database auditing is not appropriate in many organizations for a number of reasons, including: High resource utilization: native auditing often consumes 10 to 12% of a server's CPU. No separation of duties: because native auditing must be configured from within the database, DBAs have the ability to turn it off and manipulate the log files; these same DBAs and other privileged users often require the highest levels of monitoring because they have open access to the database. Inconsistent auditing features: each DBMS has a different method of logging and reporting on database activity, making unified reporting difficult if not impossible. Figure 1-4 Native auditing, GU2022.0. Notes: Guardium is the ideal solution to the database monitoring needs of companies. However, many companies try to do the monitoring using the native auditing c
394. ric digit 0 1 2 3. 3-8. Any non-alphanumeric special character. CLI users cannot be authenticated through LDAP, as these are considered administrative accounts and should be able to log in regardless of connectivity to an LDAP server. As mentioned earlier, the special CLI accounts guardcli1 through guardcli5 require use of an additional user ID. The CLI audit trail will show the CLI account (CLI USER) and the additional account (GUI USER) in all entries generated for the user. Unit 3 Command Line Interface, 3-9. CLI user login (1 of 2): The CLI user login is always a secure login. It can be done one of three ways: through the console on the Guardium appliance; through an ssh (secure shell) connection; through an ssh tool such as PuTTY or SecureCRT. Figure 3-6 CLI user login (1 of 2), GU2022.0. Notes: Logging on with one of the CLI accounts is always done through a secure connection. If the user has physical access to the Guardium appliance, the logon can be through the system
395. rior written permission of IBM. Installing GIM. (Terminal session, Figure 7-30 GIM installers directory: on dbserver01, in /tmp/stap/STAP_Suse/Discovery and GIM Agents, mkdir /usr/gim; the installer prints its license text ("Each party waives any right to a jury trial in any proceeding arising out of or related to this Agreement"), then "Installing modules" and "Installation completed successfully"; ps -ef | grep guard shows the gim_client.pl process and the guard_supervisor process running from the GIM 8.0 r20992 and SUPERVISOR 8.0 r20992 module directories under /usr/guardium/modules; the end of /etc/inittab shows respawn entries for fmc (db2fmcd, the DB2 Fault Monitor Coordinator), gim (gim_client.pl) and gsvr (guard_supervisor).) Notes: Next, move to the Discovery and GIM Agents directory, which will show you all of the GIM installers available for Suse Linux. Unit 7 S-TAP and GIM, 7-37. C
396. rior written permission of IBM. Topic summary: Having completed this topic, you should be able to: Understand the report builder; Modify reports. Figure 11-53 Topic summary, GU2022.0. Notes. Unit 11 Custom Query and Report Building, 11-71. Checkpoint: 1. True or false: A query needs a report and a report needs a query. 2. What format(s) are available for Guardium reports? 1. Tabular; 2. Chart; 3. Both a and b; 4. Neither a nor b. Figure 11-54 Checkpoint. Notes: Write your answers here: 1, 2. 11-72. Instructor notes: Purpose, Details. Answers: 1. True or false: A query needs a report and a report needs a query. 2. What format(s) are available for Guardium reports? a. Tabular; b. Chart; c. Both a and b; d. Neither a nor b. Unit 11 Custom Query and Report Building, 11-73.
397. rivilege: Object creation usage rights; Privilege grants to DBA and individual users; System-level rights. Authentication: User account usage; Remote login usage; Password regulations. Configuration: Database-specific parameter settings; System-level parameter settings. Version: Database versions; Database patch levels. Object: Installed sample databases; Recommended database layouts; Database ownership. What are Query Based Tests? Query based tests are important, as they allow a user to define tests that will be run against a database datasource and compare the results against a predefined and expected value, allowing the user to check items such as database internals, structures, parameters and even application data. Query based tests are user-defined tests that can be quickly and easily created by defining or modifying a SQL query, which will be run against a database datasource with the results compared to a predefined test value. Unit 10 CAS, VA and Discovery, 10-17. Vulnerability Assessment (4 of 4): Integration with CAS. Pre-configured and user-defined CAS templates play an important role in the identification of vulnerabilities and threats. With CAS, Guardium can identify vulnerabilities to the database at the OS level, such as file permissions, ownership and en
398. ropriate. A-2. Methods to Populate Groups: Manual Entry. LDAP: imports group members from your LDAP or Active Directory servers. Populate from Query: adds group members based on data in Guardium's database; this data can be imported from an external data source. Auto Generated Calling Prox: analyzes stored procedures and updates an object group based on what the procedure does or the data it accesses. Classification: analyzes databases and updates groups based on patterns in the data; for example, it can search for text patterns in tables that could contain credit card numbers and then add the tables to a sensitive object group. Guard: allows you to import a large number of group members from a flat file via SSH. Example Groups: Below are the necessary groups based on the example requirements from Step 1. Requirement: All DDL activity in production. Groups: Name DDL Commands, Type Commands, Members: built-in group with over 70 members; Name Monitoring Productions Servers, Type Server IP, Members: 10.10.9.1, 10.10.9.80, 10.10.9.173. Requirement: Ignore activity by backup and other scheduled processes. Group: Name Monitoring Scheduled Processes, Type Source Programs, Members: RMAN, MSBackup, SQSH. Users Log
399. roup Name DDL Commands, Group Type COMMANDS, Category, Modify Category; Group Members (Filter): ALTER CLUSTER, ALTER DIMENSION, ALTER FUNCTION, ALTER INDEX, ALTER INDEXTYPE, ALTER MATERIALIZED VIEW, ALTER MATERIALIZED VIEW LOG, ALTER NICKNAME, ALTER OPERATOR, ALTER PACKAGE, ALTER PROCEDURE, ALTER SEQUENCE, ...; Please select one of the following options: Create & add a new Member named [TRUNCATE] (Add); Rename selected Member to (Update); Delete selected Member (Delete).) Figure 8-7 Modify existing groups (2 of 2), GU2022.0. Notes: Type in the new group member name in the "Create & add a new Member named" field and press Add. Other options: you can choose to rename existing members by highlighting the member, typing the new name in the "Rename selected Member to" field and pressing Update. To delete members, highlight the member and press the Delete button. Press Back when complete. Unit 8 Group Builder, 8-9. Create New Group. (Screenshot: Group Builder, Modify Existing Groups (Not Filtered): Account Management Commands, Account Management Procedures, Active Users, Admin Users, Administration Objects, Administrative Commands, Administrative Programs
400. roups. T. A hierarchy is a group of groups. 8. Flattening consolidates sub-groups in a hierarchy into a single group. 9. List the two types of group reports available under the Guardium Monitor tab: 1. Group Usage Report; 2. Guardium Group Details. Figure 8-40 Checkpoint solution (2 of 2), GU2022.0. Notes. 8-48. Unit 9 Policies. Estimated time: 02:30. What this unit is about: This unit describes how to define and administer policies. What you should be able to do: After completing this unit, you should be able to: Understand how InfoSphere Guardium logs traffic; Create a policy or set of policies to meet your requirements; Install and manage policies. Note: The following topics will not be covered during this training: Baselines; Flat logging. Unit 9 Policies, 9-1. Unit objectives: After completing this unit, you should be able to: Understand how InfoSphere Guardium logs traffic; Create a policy or set of policies to meet your requirements; Install and mana
401. rowser, User Role Permissions, User LDAP Import, User & Role Reports; rows: accessmgr accessmgr accessmgr, Edit Roles, Change Layout; admin admin admin, Edit Roles, Change Layout.) Figure 4-4 Access Management tab, GU2022.0. Notes: The Access Management pane menu contains all of the links required to manage users, roles and access to applications, and will be covered in detail in this unit. Access Management contains the following menu items: User Browser, User Role Browser, User Role Permissions, User LDAP Import, User & Role Reports. Unit 4 Access Management, 4-5. User Browser: The User Browser link is used to create, modify and delete Guardium user accounts. (Screenshot, Figure 4-5 User Browser: Access Management and Data Security panes; User Browser: Filter string (case sensitive), User Name, Filter, Add User, Search Users; columns Username, FirstName, LastName, Email, Actions; rows: accessmgr accessmgr accessmgr, Edit Roles, Change Layout; admin admin admin, Edit Roles, Change Layout.) Notes: The User Browser link is used to create, modify and delete Guardium user accounts. Anyone in the access management role has access to this pan
402. rt. Each individual command that a user issues will have its own line on the report. Object: used if the actual object name accessed is required. Each object accessed will appear on a separate line. Generally this will result in multiple lines per SQL request, one for each object referenced in the SQL request. SQL (or Full SQL, if logging full details): used to provide one line per unique SQL statement. This is appropriate if you require the SQL statement in your report. Note: A complete SQL statement can be hundreds of lines long and can make reports very difficult to read. Appendix A Monitoring Overview, A-7. 2. Query Attributes: Query Attributes are the fields that will appear in the report. The most commonly used attributes include: Time Stamp (from Access Period if using a Command or Object main entity and you are not logging full details; from Full SQL if you are logging full details); Session Start; Client/Server Server IP; Client/Server Client IP; Client/Server DB User Name; Client/Server Source Program; Session Database Name; Client/Server Service Name (if Oracle); Command SQL Verb (if using a Main Entity of Command or lower); Object Object Name (if using a Main Entity of Object or lower); SQL SQL or Ful
403. rt Field, Session Start, Session End. Figure 11-7 New query: Name and main entity, GU2022.0. Notes: To create a new query you must: Enter a Query Name. Note: you should use a naming convention to differentiate your custom queries from the built-in queries. In this example we will simply add a dash. This will also cause the query to appear at the top of the list. Choose a Main Entity, which will be explained in the next few pages. Unit 11 Custom Query and Report Building, 11-9. Main entity: About entities. (Screenshot, Figure 11-8 Main entity, About entities: Entity List: Session, Application Events, Full SQL Values, Full SQL, SQL, Access Period, Command, Object/Command, Object, Join Field, SQL Value, Object/Field, Qualified Object, Field, Client/Server, ...; attributes such as Server IP, Server Port, Timestamp Date, Timestamp Time, Client IP, Server IP DB User, Server IP Svc Name DB User, Client IP Src App DB User Server IP Svc Name, Client IP Src App User.) Notes: Each domain contains one or more entities. An entity is a set of related attributes; an attribute is b
404. rt without the prior written permission of IBM. Data collection methods: After completing this topic, you should understand Guardium's data collection methods: SPAN ports; Network taps; S-TAP. Figure 2-2 Data collection methods, GU2022.0. Notes. 2-4. Collector. (Screenshot, Figure 2-3 Collector: Guardium Collector with ports eth0, eth1, eth2, eth3.) Notes: The basic component of the InfoSphere Guardium solution is a network appliance called a collector. The Collector, also called a G2000, is a hardened Linux server running on a Dell R610 computer with 12 GB of RAM and a 300 GB hard drive, and contains four network ports. The management port, eth0, acts as a standard network card: it has an IP address and is used to access the server over the network. eth1 through eth3 are configured as promiscuous by default; they do not have IP addresses and are designed to capture network traffic. However, one of these additional ports can be configured as a secondary network interface with an IP address, or can be used in network teaming. Unit 2 Guardium Architectur
405. rt without the prior written permission of IBM. Ignore session. (Diagram, Figure 9-44 Ignore session: Database Client, Database Server and Sniffer; activity from the database client to the database server: Sessions (log in, log out), commands; traffic from the database server to the Sniffer.) For a session marked as Ignored, the sniffer receives the following traffic from S-TAP and logs it into the database: Activity from the database client; SQL Errors; Sessions (log in, log out); Result sets. The sniffer continues to receive the following types of traffic from the SPAN port or network tap; however, it is discarded: SQL Errors; Result sets. Notes, GU2022.0: The Ignore Session rule should only be used when a hardware solution (SPAN ports or network taps) is used to capture traffic. In this instance, all traffic reaches the sniffer, which then discards it. Unit 9 Policies, 9-63. Session ignored values. (Table: Server IP, Client IP, DB User Name, Source Program, Service Name, Database Name, Session Ignore; rows: 192.168.169.8, 192.168.169.8, A2840, DB2BP, DB2INST1, SAMPLE, N, ALERT DAILY; 192.168.169.8, 192.168.169.8, A8000, DB2BP, DB2INST1, SAMPLE, ALERT ONCE PER SESSION; 192.168.169
406. rts that are not appropriate for a particular appliance. Under Central Management, all correlation alerts are defined on the Central Manager and, when activated, will be activated on all appliances by default. Anomaly Detection options include: Active on startup checkbox: automatically starts Anomaly Detection on startup. Polling Interval: sets the frequency at which Anomaly Detection checks for appliance issues. This should not be changed without consulting with Guardium support, because increasing the frequency can cause performance issues. Unit 5 System View and Administration Console, 5-9. The Active Alerts allows you to enable or disable Active Alerts. To disable an alert globally in a Central Manager environment, it will be easier to clear the Active checkbox from the alert itself. To enable or disable an alert on a single appliance in a Central Management environment, follow the procedure outlined below: To disable an alert, select it from the Active Alerts box and click Disable. To enable an alert, select it from the Locally Disabled Alerts box and click Enable. 5-10.
407. rusion rule: a, b, c (blank), d. Figure 9-66 Checkpoint solutions (continued), GU2022.0. Notes: Write your answers here: 1 a. 9-90. 9.5 Selective Audit Trail policy. Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job. Unit 9 Policies, 9-91. Selective Audit Trail policy: After completing this topic, you should be able to: Understand the Selective Audit Trail policy; Create an Audit Only policy rule. Figure 9-67 Selective Audit Trail policy. Notes. 9-92. Creating a Selective Audit Trail policy. (Screenshot: System View, Administration Console, Daily Monitor, Guardium Monitor, Tap Monitor, Incident Management; Config & Control, Policy Builder, Access Ma
408. s: Data Transfer Procedures, DB Predefined Users, DB2 Allowed Grants to Public, DB2 Database Version Patches, DML Commands, DROP Commands; Flatten All Hierarchical Groups Scheduling: Flattening All Hierarchical Groups is currently not scheduled for execution; Modify Schedule; buttons: Auto Generated Calling Prox, Populate from Query, LDAP, Group Filter, Roles, Clone, Delete.) Figure 8-6 Modify existing groups (1 of 2), GU2022.0. Notes: There are a large number of built-in groups. These are provided for user convenience and are the basis for some of the built-in reports. Some groups are based on industry standards, such as the DDL and DML groups. Others are placeholders, such as the Sensitive Objects group, that allow you to enable built-in reports by simply populating the appropriate groups. In both cases, these groups can be modified. Example: Some companies consider the Truncate command to be DDL, which is not included in the built-in group. To add the command to the DDL Group, highlight the group name and press the Modify button. Continued on next page. 8-8. Modify existing groups (2 of 2). (Screenshot: Group Builder, Manage Members for Selected Group: G
409. s: User & Role Reports; rows: accessmgr accessmgr accessmgr, Edit Roles, Change Layout; admin admin admin, Edit Roles, Change Layout. Data Security pane: Datasources Associated, Datasources Not Associated, Servers Associated, Servers Not Associated, User Hierarchy, User DB Association; filter: Aliases OFF, DataSourceName LIKE, LoginName LIKE; columns: Datasource Name, Host, Service Name, Login Name, Assoc Type; No data found; Records.) Figure 4-3 Access Management GUI panes, GU2022.0. Notes: The GUI layout for users in the access management role includes two panes: Access Management and Data Security. The functions on these two panes will be discussed on the next few pages. 4-4. Access Management tab: The Access Management pane contains all of the links required to manage users, roles and access to applications, including User Browser, User Role Browser, User Role Permissions, User LDAP Import, User & Role Reports. (Screenshot: Access Management and Data Security panes; User Browser: Filter string (case sensitive), User Name; columns Username, FirstName, LastName, Email, Actions; menu: User Browser, User Role B
410. s: App Event Exists, App Event Text Val, Event Type, App Event Num Val, App Event Date, Event User Name: ANY, ANY, ANY, ANY.) This command triggers the policy rules. (Screenshot: report of SQL logged for user A9404 on 2010-10-20, with Timestamp and Full SQL Timestamp columns: insert into db2inst1.g_employees (e_id, e_firstname, e_lastname) values (2009, 'Peggy', 'Olsen'); select * from db2inst1.g_employees; create table a9404 (col1 int, col2 int); select * from db2inst1.g_customers.) Once the rule is triggered by the first DML command against a sensitive object by a privileged user, all subsequent commands within the session will be logged with full details. Figure 9-48 Log full details per session, GU2022.0. Notes: Log Full Details will log the Full SQL string and Full SQL Timestamp for only those SQL requests matching the rule criteria. Log Full Details Per Session will log the Full SQL string and Timestamp for the request that triggers the action AND all subsequent SQL requests made during the remainder of the session. Course material
411. s such as mergers and acquisitions, some companies do not have a full inventory of their database servers and do not understand where all of their sensitive data resides. Database Discovery probes a network to identify servers running database services. Data Classification scans databases to find and classify any objects or fields containing sensitive data. 10-20. Checkpoint (1 of 2): 1. A CAS template set is tailored to: a. An Operating System, such as Unix; b. An Operating System and Database, such as Unix and DB2; c. Both a and b; d. Neither a nor b. 2. True or false: You can modify one or more of the CAS default templates. 3. CAS has been configured with a period of 2 hours. The last set of tests ran at 10:30 am. When will the next set of tests run? a. At 11:30 am; b. At 12:30 pm; c. Between 11:30 am and 12:30 pm; d. Between 10:30 am and 12:30 pm. Figure 10-14 Checkpoint (1 of 2), GU2022.0. Notes: Write your answers here: 1, 2, 3. Unit 10 CAS, VA and Discovery, 10-21. Instructor notes: Purpose, Details, Answ
412. s information, as well as sending out an email or some other kind of notification. 5. What is the effect of an Ignore Session action on an SQL statement? The SQL is NOT sent on to the database server. 6. What is the effect of a Log Full Details action on an SQL statement? The entire SQL statement, including any values it contains, is logged. Figure 9-55 Checkpoint solutions, GU2022.0. Notes. Unit 9 Policies, 9-75, 9-76. 9.4 Exception and Extrusion Rules. Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job. Unit 9 Policies, 9-77. Exception and Extrusion rules: After completing this topic, you should be able to: Create exception rules within a policy; Create a failed logins alert; Enable extrusion rules; Create an extrusion rule. Figure 9-5
413. Data Management: Catalog Export. [Screenshot: System View > Administration Console > Configuration / Data Management, with links Data Archive, Catalog Export, Data Export, Data Restore, Catalog Import, Results Archive (audit), Results Export (files), System Backup, and the Central Management, Local Taps, Guardium Definitions, Custom Alerting and Module Installation sections.] Figure 6-8 Data Management Catalog Export, GU2022.0. Notes: Catalog export allows you to export either the data or results catalog. Data Management: Catalog Import. [Screenshot: System View > Administration Console (G2000 Standalone) > Data Management > Catalog Import: Upload Exported Definitions, with an exported file (exp 2010 11 07 18h47m06s csv) selected and an Upload button; Data Export and Data Restore links alongside.]
414. Group reports. [Screenshot: System View > Guardium Monitor > Groups Usage Report, Aliases OFF, filtered by Group Description LIKE "credit card objects". Columns Used By Entity Type and Entity Description list where each group is used, for example: Credit Card search (Rule), Credit Card Action: Add to credit card objects, Active Users (Query), Admin Users (Access Rule), Admin Users (Query), Administration Objects (Access Rule), Administration Objects (Query), Administrative Commands (Query), Active Users Last Login, Active Users with no Activity, Privileged Users Monitoring (ignore non-admin users), Vulnerability & Threats Management: Admin Commands by non-DBA (Alert), Admin Object by non-DBA (Alert). The Guardium Monitor tab also lists Aggregation/Archive Log, AME Files, Application Objects Summary, Audit Process Log, Available Patches, Buffer Usage Monitor, Classifier/Assessment Job Queue, Current Status Monitor, Definitions Export/Import Log, Logins to Guardium and Number of Active Audit Processes.] Vulnerability & Threats Manageme
415. Unit 9 Policies. Log masked details. [Screenshot: a policy rule whose criteria (Category, Classification, Severity, Client IP, Server IP, Src App, DB Name, App User, OS User, Svc Name, Net Protocol, Field, Pattern, XML Pattern, DB Type, Client MAC, Object, Command, Object/Command Group, Object/Field Group and the App Event fields) are all ANY except DB User, which is set to the Privileged Users group; Replacement Character, Min. Count, Reset Interval, Quarantine and Records Affected Threshold are 0, Message Template is Default and the Action is LOG MASKED DETAILS. Below it, a FULL SQLs report for DB User scott with Timestamp, Full SQL and masked SQL columns: each row pairs the full statement "insert into db2inst1.g_employees (e_id, e_firstname, e_lastname) values ..." logged on 2010-10-20 at 15:23:35, 15:23:59 and 15:24:17 with its masked form "INSERT INTO DB2INST1.G_EMPLOYEES (E_ID, E_FIRSTNAME, E_LASTNAME) VALUES ..." (construct timestamp 15:17:25).]
416. ...s same construct within an hour from the same session: a. It will count the number of times the construct occurred; b. It will update the Access Period Timestamp with the time of the most recent occurrence (this will be the most precise timestamp under these circumstances). Unit 9 Policies. Checkpoint: 1. A ____ is a set of rules applied by the sniffer (collector) against every request received. 2. The three types of rules are ____. 3. A ____ and ____ with a primary key is created for each new SQL request that the collector encounters. Figure 9-8 Checkpoint, GU2022.0. Notes: Write your answers here. Instructor notes: Purpose, Details, Answers: 1. A policy is a set of rules applied by the sniffer (collector) against every request received. 2. The three types of rules are access, exception and extrusion. 3. A construct with a primary key is created for each new SQL request that the collector encounters.
417. ...s so specific users will only be able to see information from specific databases; d. Filtering results so specific panes will only be visible to specific users. Figure 4-22 Checkpoint solution (2 of 2), GU2022.0. Notes: Write your answers here. Unit 5 System View and Administration Console. Estimated time: 00:45. What this unit is about: This unit describes how to use the administration console to configure a Guardium appliance. What you should be able to do: After completing this unit, you should be able to configure an IBM InfoSphere Guardium appliance from the Administration Console. Unit objectives: After completing this unit, you should be able to configure an IBM InfoSphere Guardium appliance from the Administration Console. Figure 5-1 Unit objectives, GU2022.0.
418. ...s the traffic from the S-TAP, it performs three functions against the data: 1. It analyzes the data to verify that it is valid SQL traffic. 2. It parses the data for easy reporting. For example, the SQL string insert into emp_salary (id, salary) values (2049, 185000) would be parsed as follows: i. Sentence (SQL): insert into emp_salary (id, salary) values (?, ?); ii. SQL Verb: insert; iii. Object: emp_salary; iv. Fields: id, salary; v. Values: 2049, 185000 (not logged by default). 3. It logs the parsed data into Guardium's internal database. The sniffer logs the sentence with question marks instead of the actual values entered by the user. This is done for two reasons: 1. These values can be highly sensitive, and Guardium should not log this information automatically and risk exposing it to unauthorized users. 2. Masking the values allows Guardium to greatly increase the data retention on the collectors and aggregators. The next few slides will explain the concept of constructs and how masking values increases data retention. Unit 9 Policies. Constr
419. ...se policies in your environment, make sure that you understand what each rule does. Unit 9 Policies. New will create a new policy. Clone copies the highlighted policy, allowing you to save it with a new name. Modify allows you to change the policy definition. Delete removes the policy from the appliance. Edit Rules takes you directly to the rules screen. Comment allows you to leave notes for yourself or other users. The next slides will demonstrate the steps taken after pressing the New button to create a new policy. Policy Definition (1 of 2). [Screenshot: Policy Builder > Policy Definition, with fields Policy description, Policy category (Training), Policy baseline, Log flat, Rules on flat, Selective audit trail, Audit pattern, and Roles: "No roles have been assigned to this policy".] Figure 9-16 Policy Definition (1 of 2), GU2022.0. Notes: To create a new policy you must enter a Policy description. You should name the policy something that differentiates it from
420. S-TAP host. [Screenshot: IBM InfoSphere Guardium S-TAP InstallShield Wizard, S-Tap Configuration: "Enter the IP address or host name of the S-Tap host", IP/Host 192.168.169.104, with Back, Next and Cancel buttons.] Figure 7-12 S-TAP host, GU2022.0. Notes: For the IP address or host name of the S-Tap host, enter the IP address or fully qualified domain name of the database server on which you are installing S-TAP in the IP/Host field. Collector IP address. [Screenshot: IBM InfoSphere Guardium S-TAP InstallShield Wizard, SQL Guard Configuration: "Enter the IP address or host name of the SQL Guard", with Back, Next and Cancel buttons.] Figure 7-13 Collector IP address, GU2022.0. Notes: For the IP address or host name of the SQL Guard, enter the IP address or fully qualified domain name of the collector to which you would like to forward database traffic. Unit 7 S-TAP and GIM.
421. ...se server. Figure 9-92 Checkpoint solutions, GU2022.0. Unit 9 Policies. Unit 10 CAS, VA and Discovery. Estimated time: 00:30. What this unit is about: This unit describes the components of the Configuration Auditing System and explains the value of Vulnerability Assessment. What you should be able to do: After completing this unit, you should be able to: Understand the major components of the Configuration Auditing System (CAS); Understand the value of Vulnerability Assessment; Understand why Database Discovery is needed. Unit objectives: After completing this unit, you should be able to: Understand the major components of the Configuration Auditing System (CAS); Understand the value of Vulnerability Assessment; Understand why Database Discovery is needed. Copyright IBM Corpo
422. search terms. Unit 3 Command Line Interface. Instructor notes: Purpose, Details. Additional information: If time permits, have the students log in as the cli user and run some of the commands on this and the following slides. Make sure that they do not run restart system, as this will reboot their virtual machines. Transition statement. Navigating the CLI (2 of 4): To generate a list of all available commands for a given topic, type command (or comm) plus a keyword or part of a keyword. For example, comm file will return all file handling commands. [Screenshot of the CLI session: v9collector01.ibm.com> comm file, listing aggregator backup keys file, aggregator restore keys file, export file, fileserver, import file, show backup profile, show system cpu profile, show timeout fileserver session, store backup profile, store system cpu profile, store timeout fileserver session, support show large files, and further support commands.] Figure 3-9 Navigating the CLI (2 of 4). Notes: To generate a l
423. ...sed on roles. Roles can be assigned to an application by checking the box; roles can be unassigned from an application by removing the check mark. Some applications have All Roles assigned. You may find that you need to uncheck the All Roles box and apply the individual roles as appropriate. Unit 4 Access Management. User LDAP Import: User definitions can be imported from LDAP/Active Directory. [Screenshot: LDAP User Import with LDAP host name 192.168.169.8, Port 389, Server type Open LDAP, Use SSL connection, Base DN dc=my-domain,dc=com, Import mode (Keep existing attributes / Override existing attributes), Disable user if not on the import list, Enable new Imported Users; User Import Configuration / Advanced: Login as cn=Manager,dc=my-domain,dc=com, Password, Search filter scope (One Level / Sub Tree), Limit, Attribute To Import as User Login = uid (configurable through Portal), Search filter, Object Class for User, Import roles, Attribute To Import As Role, Role Search Base DN, Role filter, Object Class for Role, Attribute In User To Associate Role, Attribute In Role To Associate User; Scheduling: "This LDAP import configuration is currently not scheduled for execution", with Modify Schedule and Run Once Now buttons.] Copyright IBM Corporation
424. selected. Alert example (syslog):
Oct 20 14:00:56 grd01 guard_sender[3326]: Alert based on rule ID Privileged users accessing sensitive objects - Alert Per Match
Category: Classification: Severity: INFO
Rule # 20001 [Privileged users accessing sensitive objects - Alert Per Match]
Request Info: [ Session start: 2010-10-20 ... Server Type: DB2 Client: 192.168.169.8 (DBSERVER01) Server: 192.168.169.8 Client PORT: 39442 Server Port: 50001 Service Name: DB2INST1 Net Protocol: TCP DB Protocol: DRDA DB Protocol Version: 3.0 DB User: A8000
Application User Name: Source Program: DB2BP Authorization Code: 0 Request Type: SQL_LANG Last Error: ]
SQL: select ...
Figure 9-31 Alert example, GU2022.0. Notes: This is an example of a triggered alert going to syslog. Note that the alert contains the policy rule name and it includes the full SQL statement because the Rec. Vals box was checked. Unit 9 Policies. Policy violation (DB2 session):
db2 => connect to localtcp user a8000 using a8000abc
Database Connection Information: Database server = DB2/LINUX 9.7.1; SQL authorization ID = A8000; Local database alias = LOCALTCP
db2 => select * from db2inst1.g
425. ...sers. The main administrator for the Guardium appliance would utilize the user ID cli. Additionally, Guardium includes five other user accounts, guardcli1 through guardcli5, which can be assigned to different users. These additional accounts provide for separate administration and better accountability. Logging on to the CLI as the main administrative user cli requires only the appropriate password. Logging on to the CLI as one of the additional CLI accounts requires the appropriate password AND an additional user ID and password. The additional user ID and password are entered using the set guiuser command. For example, to use one of the additional CLI user IDs: Log in via ssh as guardcli1. Issue the set guiuser command, passing in a second Guardium user ID and password. Unit 3 Command Line Interface. The second Guardium user ID must have either admin or cli as one of its roles to be able to utilize the CLI. All activity performed by this login will be tracked as CLI_USER/GUI_USER (for example, guardcli/shirley) within Guardium's internal audit trail.
426. (Contents, Unit 9 Policies, continued) ...sion 9-67; Log masked details 9-68; ... 9-69; ... 9-70; Skip logging 9-71; ... 9-72; Topic summary 9-74; Checkpoint solutions 9-75; 9.4 Exception and Extrusion Rules 9-77; Exception and Extrusion rules 9-78; Exception Rule overview 9-79; Exception Rule Definition 9-80; Failed login alert 9-81; ... 9-82; Extrusion Rule example 9-83; Extrusion rule results example 9-85; ... 9-86; Topic summary 9-88; Checkpoint solutions 9-89; Checkpoint solutions (continued) 9-90; 9.5 Selective Audit Trail policy 9-91; Selective Audit Trail policy 9-92; Creating a Selective Audit Trail policy 9-93; Selective Audit Trail default behavior 9-94; Audit Only r
427. ...sk start and end times. A report of the information in the activity log, called the Audit Process Log, is available from the Guardium Monitor tab. Unit 12 Compliance Workflow Automation. Define an Audit Process: Defined and maintained by members of the infosec role. Available on the Comply pane under Define an Audit Process. [Screenshot: Comply > Compliance Automation: "Use an existing Report, Assessment or Privacy Set to Define an Audit Process", with Track data access, Track exceptions, Assess data access and Track privacy options, and the Audit Process builder, Access tracking builder, Report builder and Exceptions tracking builder links.] Figure 12-5 Define an Audit Process, GU2022.0. Notes: Workflow processes are created and maintained by members of the infosec role. To create a new workflow (audit process), go to the Comply pane and select Define an Audit Process.
428. ...st as Ignore S-TAP Session. However, if you use a SPAN port or network TAP, you would need to use Ignore Session rules for network traffic. Unit 9 Policies. Ignore S-TAP Session rule. [Screenshot: Policy Builder rule with Description "Not Privileged User Ignore STAP Session", Category, Classification, Severity INFO, and the criteria fields Server IP, Client IP, Client MAC, Net Prtcl, DB Type, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object, Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event Exists, Event Type, Event User Name, App Event Values Text and o
429. ...stall the module and press Next. Unit 7 S-TAP and GIM. Schedule installation. [Screenshot: IBM InfoSphere Guardium Schedule dialog in Firefox at https://192.168.169.9:8443/gm/gmInstall.jsp?targetSche..., Schedule Date "now", Apply button.] Figure 7-45 Java installation directory, GU2022.0. Notes: Again, there will be Common Module Parameters and Client Module Parameters. Scroll over to the DISCOVERY_JAVA_DIR field and enter the location of the Java installation directory on the database server, for example /usr/java/jre1.6.0_22. Java is required to run this module. After entering the Java installation directory, press Apply to Clients and Install/Update. GIM Events List. [Screenshot: System View > Guardium Monitor > GIM Events List, Start Date 2010-12-01 01:54:26, End Date 2010-12-01 01:54:30, Aliases OFF, with columns Event Generator, Event Description, Even
430. Generating reports and recommendations provides guidelines on how to meet compliance changes and elevate the security of the evaluated database environment. What are the Essential Security Testing Methods? Guardium's Database Vulnerability Assessment combines three essential testing methods to guarantee full depth and breadth of coverage. It leverages multiple sources of information to compile a full picture of the security health of the database and data environment. 1. Agent-based: Using software installed on each endpoint (e.g., database server). Agents can determine aspects of the endpoint that cannot be determined remotely, such as an administrator's access to sensitive data directly from the database console. 2. Passive detection: Discovering vulnerabilities by observing network traffic. 3. Scanning: Interrogating an endpoint over the network through credentialed access. What are Predefined Assessment Tests? Predefined tests are designed to illustrate common vulnerability issues that may be encountered in database environments. Because of the highly variable nature of database applications and the differences in what is deemed acceptable in various companies or situations, some of these tests may be suitable for certain databases but totally inappropriate for others, even within the same company. Most of the predefined tests are customizable to meet the requirements of your organization. Additionally, to keep your assessments current wi
431. ...t. To display the parameters for a particular command, enter the command followed by help=yes. To search for GuardAPI commands given a search string, use the grdapi commands <search string> command structure. To display a values list for a parameter, enter the command followed by get_param_values=parameter. Unit 3 Command Line Interface. Checkpoint: 1. How does the CLI user differ from the GUARDCLI1 user? 2. True or False: CLI users can be authenticated through LDAP. 3. List three ways a CLI user can make a logon connection with the Guardium appliance. 4. What CLI command could you use to list all of the commands that fall into the Aggregator category? 5. The ____ command is used to display the value of a Guardium configuration option. The ____ command is used to set the value of a Guardium configuration option. 6. Which Guardium CLI command is normally used only under the guidance of Technical Support? 7. The commands needed for repetitive tasks can be automated using ____. Figure 3-26 Checkpoint, GU2022.0. Notes: Write your answers here.
432. [Screenshot: Policy Builder rule with the criteria fields Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event Exists, App Event Values, Data Pattern, Time Period, Minimum Count, Quarantine for, Replacement Character, Records Affected Threshold 0, Message Template, and the Actions drop-down listing ALERT DAILY, ALERT ONCE PER SESSION, ALERT PER MATCH, ALERT PER TIME GRANULARITY, ALLOW, IGNORE RESPONSES PER SESSION, IGNORE S-TAP SESSION, IGNORE SESSION, IGNORE SQL PER SESSION, LOG FULL DETAILS, LOG FULL DETAILS PER SESSION, LOG MASKED DETAILS, ... PARSE, S-GATE ATTACH, S-GATE DETACH, S-GATE TERMINATE, S-TAP TERMINATE, SKIP LOGGING.] Figure 9-87 Quarantine, GU2022.0. Notes: The QUARANTINE action will quarantine a user's access until a specified date. Unit 9 Policies. Topic summary: After completing this topic you should be able to: Describe the use of S-GATE. Figure 9-88 Topic summary, GU2022.0. Checkpoint: 1. Explain the pur
433. ...t Attribute. You have set SQL as your Access Domain. Can you still ask for a count of something in the Session entity? Yes, since Session is above SQL. In terms of an SQL select statement, Query Fields go on the SELECT clause and Query Conditions go on the WHERE clause. True or false: On the customization screen you can change the date range for the main entity. Unit 11 Custom Query and Report Building. Topic summary: Having completed this topic, you should be able to: Create a simple query; Add fields and conditions to a query; Understand the domains, entities and attributes; Add a query to a pane; View a report and change the report's run-time parameters. Copyright IBM Corporation 2011, 2013. Figure 11-23 Topic summary, GU2022.0. Checkpoint solutions: 1. True or false: A query can access the data in only one domain. 2. Why should you use a dash or other special character as part of your query's name? To differentiate them from built-in queries and to move them to the top of the sorted list. 3. Which of the following r
434. ...t Module Installation. Press Browse and locate the file. Press Upload. Repeat the above steps for all of the files which you would like to upload. Press the check icon for each of the uploaded files. Unit 7 S-TAP and GIM. Select clients. [Screenshot: System View > Administration Console > Module Installation > Setup By Client (alongside Process Monitoring, Setup By Module and Upload Modules), Step 1: "Select client(s) and click on Next"; one client listed: Client Name dbserver01, Client IP 192.168.169.8, Client OS Linux, Client OS Version 2.6.16.21-0.8-default; Records 1 to 1 of 1; Select All / Unselect All.] Figure 7-34 Setup By Client, GU2022.0. Notes: The next step is to apply the S-TAP Bundle to the client. Click the Setup By Client link and press Search. Optionally, you may filter the search by Client Name, Client IP or Client OS.
435. Unit 11 Custom Query and Report Building. Topic summary: Having completed this topic, you should be able to: Add conditions to queries; Use AND and OR clauses; Use parentheses in queries; Add a query to a pane; Create custom run-time parameters. Figure 11-39 Topic summary, GU2022.0. Checkpoint (1 of 2): 1. Which of the following is NOT a valid conditional operator in Guardium? a. REGEXP; b. IN GROUP; c. NOT IN GROUP; d. All of these are valid operators. 2. True or false: To add a second condition to a query, you would first select the entity and drop it in the condition frame and then select either AND or OR. 3. True or false: The HAVING option is only available when the SELECT clause includes one or more aggregate values, such as COUNT, AVG and so on. Figure 11-40 Checkpoint (1 of 2), GU2022.0. Notes: Write your answers here.
436. [Screenshot: GIM Events List showing client 192.168.169.8, module DISCOVERY 8.0, status INSTALLED, 2010-12-01 01:54:26; the Guardium Monitor tab also lists Available Patches, Classifier/Assessment Job Queue, Current Status Monitor, Definitions Export/Import Log, Enterprise Buffer Usage Monitor, GIM Clients Status, GIM Events List and GIM Installed Modules.] Figure 7-46 Schedule installation, GU2022.0. Notes: In Schedule Date, enter now and press the Apply button. Unit 7 S-TAP and GIM. Create S-TAP inspection engine. [Screenshot: System View > Daily Monitor > Discovered Instances (alongside Admin User Logins, Connections Quarantined, Databases by Type, Databases Discovered, DB Users Mapping, Dropped Requests), Start Date 2010-11-30 01:57:45, End Date 2010-12-02 01:57:45, Aliases OFF, on the G2000 Standalone Unit; columns include Timestamp, Host, DB type (DB2), Port, Instance, Home, Version, Exclude, Named Pipe, Shared Memory, Client, Min/Max and Exception Count; one row dated 2010-12-01 01:57:17 for a DB2 instance at /home/db2inst1 on 192.168.169.8.]
437. UNIX non-interactive installer: guard-stap-setup --modules <module bundles> --ni --tls <0|1> -k -t --dir <dir> --tapip <tapip> --sqlguardip <sqlguardip> --tapfile <file> --presets <presets file> <preset option list>. Figure 7-54 S-TAP installation: Non-interactive methods, GU2022.0. Unit 7 S-TAP and GIM. Windows non-interactive installer: setup -s -z <key> <install_dir> <install_table_file> <options>. Example: Assume that the following configuration table file, \\192.168.1.201\shareFolder\stap_configuration, contains the following two entries (hostname, IP, Guardium Appliance): raven 192.168.2.20 192.168.3.113; seagull 192.168.2.22 192.168.3.113. The following command can be used to install S-TAP on the raven server (192.168.2.20). Please note that the actual command contains no line breaks: setup -s -z raven c:\program files\guardium\guardium_stap \\192.168.1.201\shareFolder\stap_configuration MSSQLSharedMemory=1 DB2SharedMemory=1 CAS=1 NamedPipes=1 Lhmon=1 LhmonForNetwork=1 TLS=1 START=1. Copyright IBM Corporation 2011
438. t1 [Figure: create_stap_inspection_engine parameters, including informixVersion 9, encryption 0, api target host (required parameter) and log level 0; parameter note "Encryption not enabled, shared secret not set"] Figure 7-48 Create S-TAP inspection engine. Notes: To view any instances found by the Discovery module, go to Daily Monitor and click the Discovered Instances link. From here you can also quickly create an S-TAP inspection engine based on any newly discovered instance. To create a new inspection engine: in the report, double-click the line of the instance on which you would like to create an inspection engine and choose Invoke; then choose create_stap_inspection_engine. Complete process: [Figure: API Call Output for create_stap_inspection_engine, returning ID 4] Figure 7-49 Invoke now. Notes: On the next screen, confirm that the settings appear correct and press Invoke now. Confirm Inspection Engine creation.
439. tain these sensitive tables, which will serve as your source group. The Auto Generated Calling Prox will create a new object group, or append to an existing object group, that will contain all the stored procedures that access these tables. This will be the target. (Continued on next page.) Figure 8-14 Auto Generated Calling Prox: Using DB sources. Notes: We'll now examine the Using DB Sources option within Auto Generated Calling Prox. Refer to the online Help Guide for details of the other options that were listed on the previous page. To begin the process you must have a source group, that is, a group containing the objects or commands in which you are interested (for example, a group of sensitive tables whose calling stored procedures you want to find); the Auto Generated Calling Prox then creates, or appends to, the target object group of stored procedures that access them, as described above. Auto Generated Calling Prox example (1 of 6): Group Builder, Modify Existing Groups
440. talling modules. Installation completed successfully. The database server will now have two new running processes, gim_client.pl and guard_supervisor, which can be viewed using the following Unix/Linux command: ps -ef | grep guard. To prevent any gaps in the audit data, GIM is maintained by the Unix/Linux init process, so there will be two new entries in the /etc/inittab file. These entries can be viewed using the following Unix/Linux command: tail -5 /etc/inittab. Module Upload: [Figure: Administration Console > Module Upload screen listing uploaded modules, such as the STAP bundle (guard 8.0 r20992-1, suse-10-linux-i686 .gim, 7007238 bytes) and the DISCOVERY bundle (guard 8.0 r20992-1, suse-11-linux-i686 .gim, 2644011 bytes)] Setup By
441. te [Figure: query builder with main entity Command and WHERE conditions Command SQL Verb IN GROUP DDL Commands AND Client/Server Server IP IN GROUP Monitoring Production Servers AND Client/Server Server Type LIKE runtime parameter DB Server Type; sorted by occurrences, ordered by sort rank descending] Appendix A Monitoring Overview. The second reporting requirement, "Report on all activity by privileged users including the Full SQL string", will have slightly different attributes because the Full SQL String is requested. Also, logging full details allows us to use the Full SQL Timestamp, which is more precise than the Access Period Timestamp. [Figure: query "Monitoring All Activity by Privileged Users" with main entity FULL SQL, fields Timestamp, Server IP, Client IP, DB User and further Client/Server, Session and Command attributes, and WHERE conditions on Client/Server attributes]
442. te [illegible] 9-126; Checkpoint solutions 9-127; Unit 10 CAS, VA and Discovery 10-1; Unit objectives 10-2; [illegible] 10-3; CAS components 10-4; Configuration Auditing System (1 of 3) 10-6; Configuration Auditing System (2 of 3) 10-8; Configuration Auditing System (3 of 3) 10-10; VA [illegible] 10-12; Vulnerability Assessment (1 of 4) 10-13; Vulnerability Assessment (2 of 4) 10-14; Vulnerability Assessment (3 of 4) 10-15; Vulnerability Assessment (4 of 4) 10-18; Database Discovery and classification (1 of 2) 10-19; Database Discovery and classification (2 of 2) 10-20; Checkpoint (1 of 2) 10-21; Checkpoint (2 of 2) 10-23; Unit summary 10-25
443. te [illegible] 7-41; Setup By Client 7-42; Select clients 7-43; Common modules 7-44; Module Parameters 7-45; Client Module Parameters (1 of 2) 7-46; Client Module Parameters (2 of 2) 7-47; Schedule installation 7-48; GIM Events List 7-49; Discovery Setup By Module 7-50; Bundle discovery 7-51; Select [illegible] 7-52; Java installation directory 7-53; Schedule installation 7-54; GIM Events List 7-55; Create S-TAP inspection engine 7-56; Invoke now 7-57; Complete process 7-58; Confirm Inspection Engine creation 7-59; Verify [illegible] 7-60; Topic summary 7-61; 7.3 S-TAP installation: Non-interactive methods
444. tegy. Teaching strategy: Each classroom session uses a combination of facilitated lecture, discussions, group exercises and demonstrations to convey the material. Introduce the material: Inform the students of the objectives of the unit and topic. Give them a brief scenario that helps them understand how the presented material helps them do their jobs. Facilitate the learning experience: Involve the students in the learning process. Ask them questions and present classroom scenarios in which students use the available resources to solve situations that involve process, procedure or content on the job. Review the material: Review objectives at the conclusion of each unit to ensure that the students have a thorough understanding of the material. Group exercises and labs are used to reinforce knowledge and skills that the students learned in the previous classroom topics. The instructor serves as a mentor in checking results, answering questions and providing constructive feedback and evaluation. Course evaluation: Evaluation measures the quality, effectiveness and impact of the course. It enables students to answer the question "Does the course meet its requirements and objectives?" For all classes, students will provide feedback on course quality by completing an end-of-course questionnaire. Measurement plan
445. ten permission of IBM. Instructor Guide. Checkpoint solutions: 1. An inspection engine monitors the traffic between a set of one or more servers and a set of one or more clients using a specific database protocol. 2. Using the S-TAP Status Monitor on the System View pane, how can you tell if an inspection engine has been configured or not? If it is green, an inspection engine is configured and running. 3. Which of the following is NOT a function of the Configuration option on the Administration Console? a. Create and configure Guardium users; b. Create and configure Inspection engines; c. Configure local taps; d. Upload and install software modules. 4. Applying license keys is a function of the system configuration option. Figure 5-25 Checkpoint solutions. Unit 6 System View and Administration Console II. Estimated time: 00:45. What this unit is about: This unit describes how to use the administration console for additional Guardium appliance
446. terials may not be reproduced in whole or in part without the prior written permission of IBM. Instructor Guide. Show and store: The SHOW command displays the value of the indicated argument. The STORE command changes the value of the indicated argument. Examples: SHOW PASSWORD EXPIRATION GUI: v9collector01.ibm.com> show password expiration gui / Password expires after 90 days. STORE PASSWORD EXPIRATION GUI 100: v9collector01.ibm.com> store password expiration gui 100 / ok. SHOW PASSWORD EXPIRATION GUI: v9collector01.ibm.com> show password expiration gui / Password expires after 100 days / ok. Figure 3-12 Show and store. Notes: The SHOW command displays the value of the indicated argument, and the STORE command changes the value of the indicated argument. Reminder: CLI command categories. The CLI commands are arranged in 10 different categories: Network Configuration Commands; Aggregator Commands; Alerter Configuration Commands; Configuration and Control Commands; File Handling Commands; Diagnostic Commands; Inspection Engine Commands; User Account, Password and Authentication C
447. th industry best practices and protect against newly discovered vulnerabilities. Guardium distributes new assessment tests and updates on a quarterly basis as part of its Database Protection Subscription Service. Please refer to the Guardium Administration Guide for more details. What are Behavioral Tests? This set of tests assesses the security health of the database environment by observing database traffic in real time and discovering vulnerabilities in the way information is being accessed and manipulated. As an example, some of the behavioral vulnerability tests included are: Default users access; Access rule violations; Execution of Admin, DDL and DBCC commands directly from the database clients; Excessive login failures; Excessive SQL errors; After-hours logins; Excessive administrator logins; Checks for calls to extended stored procedures; Checks that user IDs are not accessed from multiple IP addresses. What are Configuration Vulnerability Tests? This set of assessments checks security-related configuration settings of target databases, looking for common mistakes or flaws in configuration that create vulnerabilities. As an example, the current categories, with some high-level tests for configuration vulnerabilities, include: P
448. that can completely change the methods used to log data. These methods include Selective Audit Trail, Flat Logging and Baselines. Please refer to the user manual or ask your Professional Services Consultant for further details on these options. Example Policy based on the example requirements from Step 1. If a requirement is not listed here, it means that no special policy action is required. By default all data is logged without values.
    Rule | Rule Type | Requirement | Rule Description | Rule Criteria | Action | Continue to next Rule
    1 | Exception | Alert on three or more failed logins within five minutes | Failed Logins: Alert on 3 Failed Logins in 5 minutes | Exception Type = LOGIN_FAILED; Min Ct = 3; Reset Interval = 5 | ALERT PER MATCH | No
    2 | Access | Ignore activity by applications, backup jobs and other scheduled processes | Scheduled Processes: Ignore Session | Source Program Group = Monitoring Scheduled Processes | IGNORE STAP SESSION | No
    3 | Access | Report on all activity by privileged users, including the Full SQL string | Privileged Users: Log Full Details | DB User Group = Monitoring Privileged Users | LOG FULL DETAILS | Yes
    4 | Access | Alert on DML against Sensitive Objects | DML on Sensitive Objects: Alert | Object Group = Monitoring Sensitive Objects; Command Group = DML Commands | ALERT PER MATCH | Yes
    5 | Access | Report on DML against Sensitive ... | DML on Sensitive ... | Object Group = Monitorin... | LOG FULL | No
449. that has been captured by an appliance during a given time period. 2. A data purge deletes the data that has been captured by an appliance during a given time period. 3. A data export sends the data that has been captured by an appliance during a given time period to an aggregator. 4. The Guardium catalog tracks every archive file and where it is stored, so that the file can be easily retrieved and restored. 5. True or false: Only an aggregator can perform a data import operation. 6. Once a system has been added to a central management environment, the status of the appliance will change from "standalone unit" to "managed by". Additional information: Transition statement: Checkpoint (2 of 2): 7. True or false: The current day's data cannot be archived. 8. The opposite of an archive is a(n) ____. 9. The maximum number of Central Managers in a Guardium environment is ____. 10. There could be a time lag of up to one ____ between the time users, roles or permissions are added to the Central Manager and the time they are applied to the managed units. Figure 6-25 Checkpoint (2 of 2). Notes: Write your answers here: 7. 8. 9. 10.
450. the Audit Process immediately. To Do notification: A user's To Do list includes the number of work items waiting and a clickable link to those items. [Figure: IBM InfoSphere Guardium portal banner "You have 1 item on your To-do list" with a View link, above the View / Quick Start / Monitor / Audit / Discover / Assess/Harden tabs and the Installed Policy overview] Figure 12-12 To Do notification. Notes: After an audit process has been run, receivers will be notified of new results via e-mail or through a link when logging into the appliance. To view an audit process, click on the link, then press the View button. Viewing an audit process: The To Do list may contain multiple items; View allows you to go to a particular item. [Figure: Audit Process To Do List with columns Process Name, Date Executed and Action, showing one entry "Trainingdt" executed 12/21/10 11:44 AM with action Review and Sign, View and Download PDF buttons, Records 1 to 1 of 1, and a "Processes With No Pending Results" section]
451. the data that has been captured by the appliance within a given time period. When configuring Data Archive, a purge operation can also be configured. Typically, data is archived at the end of the day on which it is captured, which ensures that in the event of a catastrophe only the data of that day is lost. The purging of data depends on the application and is highly variable, depending on business and auditing requirements. Typically, "Archive data older than" should be set to 1 day and "Ignore data older than" set to 2 days. This will always create an archive of the previous day's data. In an environment with collectors and aggregators, it is recommended to archive from the collectors and, if backup space allows, the aggregator. It is very important to configure the purge process. If data is not purged from the system, the database will eventually become full and logging will stop. The "Purge data older than" setting indicates the maximum number of days the data will be kept on the appliance. "Allow purge without exporting or archiving" controls whether the system will allow data to be purged before it is archived or exported. This may be necessary if, for example, you are archiving data from your collectors but not your aggregators. Other s
452. the prior written permission of IBM. Instructor Guide. 9.7 S-GATE. Instructor topic introduction: What students will do; How students will do it; What students will learn; How this will help students on their job. S-GATE: After completing this topic you should be able to: Describe the use of S-GATE. Figure 9-81 S-GATE. Notes: S-GATE overview: Cross-DBMS policies; Block privileged user actions; No database changes; No application changes; Without risk of inline appliances that can interfere with application traffic. [Figure: application servers and privileged users connect to the database server, whose S-TAP checks policy on the appliance; a privileged user's sqlplus session (SQL*Plus Release 10.2.0.1.0 connected to Oracle Database 10g Express Edition Release 10.2.0.1.0) ends with an ORA-03113 error and "Session Terminated"]
453. the prior written permission of IBM. Instructor Guide. Exercise: At this point you should complete Exercise 13 in the Exercise Guide. Figure 12-18 Exercise. Checkpoint solutions: 1. The three elements of a Compliance Automation Workflow process are a distribution plan, a set of tasks and a schedule. 2. True or false: A user can optionally be notified of pending work in the Compliance Automation Workflow through a To Do list link. 3. The receiver table controls who receives the reports and what action(s) they must take. 4. True or false: A Workflow can be either activated and scheduled to run, or it can be run once now, but not both. 5. Which button takes you to a particular item in your To Do list? 1. GOTO 2. VIEW 3. OPEN 4. SAVE. Figure 12-19 Checkpoint solutions.
454. thout the prior written permission of IBM. Instructor Guide. GIM overview: GIM, Guardium Installation Manager; GIM Supervisor, supervises Guardium processes. Figure 7-27 GIM installation UNIX/Linux. Download and extract GIM installer: [Figure: terminal session on dbserver01 in /tmp/stap, listing the downloaded SUSE S-TAP/GIM installer .tgz and extracting it] Figure 7-28 GIM overview. Notes: In the previous example we used the interactive installation method to install S-TAP on Windows. A similar process is available for Unix and is well documented in the S-TAP help book and the S-TAP checklist. The Guardium Installation Method (GIM) is a newer method, available since version 8.0, that will allow you to more easily install and maintain S-TAP. GIM is available for both Unix and Windows. GIM is made of two components: GIM, responsible for such duties as registering to the GIM server, initiating a request to check for software updates, installing the new software, updating module parameters and uninstalling modules; and GIM Supervisor, responsible for starting, stopping and making sure all
455. thout the prior written permission of IBM. Instructor Guide. Instructor notes: Purpose; Details. Answers: 1. How does the CLI user differ from the GUARDCLI1 user? The CLI user signs on with a password; the guardcli1 user signs on with a password and then issues the set guiuser command to complete the logon. 2. True or False: CLI users can be authenticated through LDAP. 3. List three ways a CLI user can make a logon connection with the Guardium appliance: Console, ssh, ssh tool like PuTTY. 4. What CLI command could you use to list all of the commands that fall into the Aggregator category? comm agg. 5. The show command is used to display the value of a Guardium configuration option. The store command is used to set the value of a Guardium configuration option. 6. Which Guardium CLI command is normally used only under the guidance of Technical Support? Diag. 7. The commands needed for repetitive tasks can be automated using GuardAPI. Unit summary: Having completed this unit, you should be able to: Understand how to find the correct CLI commands appropriate to your needs; Navigate the CLI; Update the network configuration on an appliance; Understand the GuardAPI.
456. tion Console: Data Management 6-3; Data Management: Data archive and purge 6-4; Data Management: Data Export 6-6; Data Management: Data Import (Aggregator only) 6-7; Data Management: Data Restore 6-8; Data Management: Catalog Archive 6-9; Data Management: Catalog Export 6-10; Data Management: Catalog Import 6-11; Data Management: Results Archive (audit) 6-12; Data Management: Results Export (files) 6-13; Administration Console: Central Management 6-14; Registering to a CM from a collector 6-15; Registering a unit from the Central Manager 6-16; Standalone versus Managed By 6-17; Central Management screen 6-18; Portal User Sync 6-20; Local Taps 6-21; Export definitions 6-22; Import definitions 6-23; Distributed Interface 6-24; Custom Alerting 6-25; Module Installation
457. tion crashes to Microsoft Event Log; enables event log messages issued by Windows-based programs and com... [Figure: Windows Services list showing File Replication Service ("Allows files to be automatically copied and maintained simultaneously on ..."), GUARDIUM Database Monitor Service ("For monitoring DataBase Server instances activity") and GUARDIUM_STAP ("Tap DataBase activity and sends it to the Guard machine")] Figure 7-17 Confirm services. Notes: After completing the installation, confirm that the GUARDIUM_STAP and the GUARDIUM Database Monitor services are running. Also, if you installed CAS, confirm that the Change Audit System is running. S-TAP Control status: [Figure: Administration Console > Local Taps > S-TAP Control, showing S-TAP host 192.168.169.104 with its status, Last Response 2010-11-30 09:41:50 and CAS Status/Details; the Local Taps menu also lists Change Auditing, SSH Public Key Management, S-TAP Control, Application Server User Identification, Guardium Hosts and Inspection Engines] Figure 7-18
458. tion methods 2-3; Data collection methods 2-4; [illegible] 2-5; Span port collection method 2-7; Network tap collection method 2-9; S-TAP local monitor 2-11; S-TAP Local and network monitoring 2-12; [illegible] network traffic 2-14; Topic summary 2-15; 2.2 Aggregation, Central Management and Integration 2-17; Aggregation, central management and integration 2-18; Hardware and Software 2-19; Collection 2-20; Aggregation 2-21; Central management (1 of 2) 2-22; Central management (2 of 2) 2-23; Small environments 2-24; Medium-sized environments 2-25; Larger-sized environments 2-26; [illegible] 2-27; Topic summary
459. tional Group B.V., an IBM Company. Other product and service names might be trademarks of IBM or other companies. September 2013 edition. The information contained in this document has not been submitted to any formal IBM test and is distributed on an "as is" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will result elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk. Copyright International Business Machines Corporation 2011, 2013. This document may not be reproduced in whole or in part without the prior written permission of IBM. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Instructor Guide. Contents: Trademarks xv; Instructor course overview xvii; Course description xix; [illegible] xxi; Unit 1 InfoSphere Guardium 1-1; Unit objectives
460. tional database. On the upcoming pages various Guardium configurations will be discussed. Collection: A collector monitors and gathers data from multiple database servers on multiple physical devices. [Figure: one collector connected to four database servers] Figure 2-12 Collection. Notes: A collector, also called a G2000, is one type of Guardium appliance. It collects traffic directly from database servers. One collector might monitor and gather data from one database server, or it might monitor and gather data from several database servers. Aggregation: An aggregator merges the data from multiple collectors into a single database. [Figure: an aggregator fed by several collectors] Figure 2-13 Aggregation. Notes: There are limits on the amount of traffic that a single collector can log effectively. After this limit has been reached, the internal buffers become full and the process that handles the traffic (that is, the sniffer) will restart, resulting in a loss of data. So in man
461. tions: [Figure: Guardium Definitions import screen listing an exported set of type Report (members Full SQL, Sessions, SQL) from grd01.guard.swg.usma.ibm.com v8.0] Figure 6-20 Import definitions. Notes: The Import link allows you to import definitions exported from another appliance. Distributed Interface: [Figure: Administration Console > Configuration > Distributed Interface screen with a Finder pane] Figure 6-21 Distributed Interface. Notes: Use this configuration screen to define the Distributed Interface and upload the Protocol Buffer (.proto) file to the DIST_INT database. From this database, Query Domain metadata is built automatically. After the metadata is built, the user can go to Custom Domain Builder to modify or clone the data and build custom reports. The distributed interface data uses protocol buffers. Protocol buffers are a flexible, efficient and automated mechanism for serializing structu
462. tions

- System Shared Secret: Any value you enter here does not display; each character you type displays as an asterisk. The system shared secret is used for archive/restore operations and for Central Management and Aggregation operations. When used, its value must be the same for all units that will communicate. This value is null at installation time and can change over time. The system shared secret is used:
  - when secure connections are being established between a Central Manager and a managed unit;
  - when an aggregated unit signs and encrypts data for export to the aggregator;
  - when any unit signs and encrypts data for archiving;
  - when an aggregator imports data from an aggregated unit;
  - when any unit restores archived data.

Depending on your company's security practices, you may be required to change the system shared secret from time to time. Because the shared secret can change, each system maintains a shared secret keys file containing a historical record of all shared secrets defined on that system. This allows an exported or archived file from a system with an older shared secret to be imported or restored by a system on which that same shared secret has been replaced with a newer one.
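The behaviour of the shared secret keys file can be illustrated with a small key ring. The following is an added example written for this page, not Guardium code: the key-id derivation, the HMAC-SHA256 signature and the envelope layout are assumptions made for illustration, and the encryption Guardium applies to exports is left out so the history lookup stays visible.

```python
"""Added example (not Guardium code): a ring of historical shared secrets.

A unit signs exports/archives with its current secret but keeps every secret
it has ever been given, so an archive produced under an older secret can
still be verified after rotation. The key-id scheme, HMAC-SHA256 and the
envelope layout are assumptions for this illustration.
"""
import hashlib
import hmac


class SharedSecretRing:
    def __init__(self):
        # Oldest first; the last entry is the current system shared secret.
        self._history = []

    @staticmethod
    def key_id(secret):
        # A short fingerprint travels with the archive instead of the secret itself.
        return hashlib.sha256(b"shared-secret-id:" + secret).hexdigest()[:16]

    def set_secret(self, secret):
        """Rotate to a new secret; earlier secrets stay in the keys file."""
        raw = secret.encode("utf-8")
        kid = self.key_id(raw)
        if all(k != kid for k, _ in self._history):
            self._history.append((kid, raw))
        return kid

    def current(self):
        if not self._history:
            raise RuntimeError("system shared secret is null; set it before exporting or archiving")
        return self._history[-1]

    def sign_export(self, payload):
        """Envelope for an export/archive: payload, key id and HMAC tag."""
        kid, secret = self.current()
        tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
        return {"key_id": kid, "payload": payload, "hmac": tag}

    def verify_import(self, envelope):
        """Look the key id up in the history; any secret ever set on this unit qualifies."""
        for kid, secret in reversed(self._history):
            if kid != envelope["key_id"]:
                continue
            expected = hmac.new(secret, envelope["payload"], hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, envelope["hmac"]):
                raise ValueError("HMAC mismatch: archive altered or produced under a different secret")
            return envelope["payload"]
        raise KeyError("key id %s unknown on this unit: the units never shared that secret"
                       % envelope["key_id"])


def rotation_scenario():
    """Exporter rotates its secret; the importer only ever had the new one."""
    exporter = SharedSecretRing()
    exporter.set_secret("first-secret")
    old_archive = exporter.sign_export(b"archive from 2011")
    exporter.set_secret("second-secret")       # rotation; old secret kept in history
    new_archive = exporter.sign_export(b"archive from 2013")

    importer = SharedSecretRing()
    importer.set_secret("second-secret")       # never had first-secret
    result = {
        "exporter_restores_old": exporter.verify_import(old_archive),
        "importer_restores_new": importer.verify_import(new_archive),
    }
    try:
        importer.verify_import(old_archive)
        result["importer_restores_old"] = "unexpectedly succeeded"
    except KeyError:
        result["importer_restores_old"] = "refused: secret not in history"
    return result
```

The point of the history is the third case: a unit that was built after the rotation and only ever received the newer secret cannot restore the older archive, so when you rotate, carry the keys file (or re-enter the old secret) on every unit that may have to restore old data.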
463. tructor topic introduction: What students will do / How students will do it / What students will learn / How this will help students on their job.

Report builder
After completing this topic you should be able to:
- Understand the report builder
- Modify reports
[Figure 11-45. Report builder]

Report builder
[Figure: Monitor/Audit > Build Reports page. Left column: Track data access, Track exceptions, Track policy violations, Track sent alerts, Track rogue connections, Access tracking builder, Report builder, Group builder, Exceptions tracking builder, Alias builder, Policy violations tracking builder, Time period builder, Flat Log tracking builder. Centre: My New Reports, Privacy Sets, Custom Reporting ("Define how information should be presented", "Place report on portal page")]
C
464. ts

- Query-based: missing patches, weak passwords, misconfigured privileges, etc.
- Behavioral: failed logins, after-hours logins, administrative commands, etc.
- Configuration and OS level.
[Figure 10-8. Vulnerability Assessment (1 of 4)]

Notes: Guardium's Vulnerability Assessment tool uses three types of tests to evaluate the security of your database. Query-based tests check for vulnerabilities such as missing patches, weak passwords, misconfigured privileges and default accounts. Behavioral tests are based on data gathered by Data Access Monitoring and look for items like excessive failed logins, clients executing administrative commands and after-hours logins. CAS-based tests look for OS-level configuration vulnerabilities. When the tests have completed, Guardium presents an overall report card along with details on each result, including recommendations on resolving any issues.

Vulnerability Assessment (2 of 4)
Security assessments help organizations identify and address database vulnerabilities in an automated fashion, which proactively improves configurations and hardens infrastructures.
[Figure: Security Assessment Builder]
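The three behavioral checks named above (excessive failed logins, after-hours logins, clients issuing administrative commands) can be shown as detection logic over monitored activity. The following is an added example for this page, not Guardium code: the record layout, the thresholds, the business-hours window and the sample records are all constructed for illustration.

```python
"""Added example (not Guardium code): behavioural-style vulnerability checks
run over constructed sample activity records of the sort Data Access
Monitoring would have collected. Thresholds, the business-hours window and
the record layout are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, db_user, client_ip, verb, succeeded)
SAMPLE = [
    ("2013-03-04 09:11:50", "appuser", "10.0.0.5", "LOGIN",  False),
    ("2013-03-04 09:12:00", "appuser", "10.0.0.5", "LOGIN",  True),
    ("2013-03-04 09:12:05", "appuser", "10.0.0.5", "SELECT", True),
    ("2013-03-04 23:39:00", "scott",   "10.0.0.9", "LOGIN",  True),
    ("2013-03-04 23:41:00", "scott",   "10.0.0.9", "GRANT",  True),
    ("2013-03-04 02:05:00", "joe",     "10.0.0.7", "LOGIN",  False),
    ("2013-03-04 02:05:30", "joe",     "10.0.0.7", "LOGIN",  False),
    ("2013-03-04 02:06:00", "joe",     "10.0.0.7", "LOGIN",  False),
]
ADMIN_VERBS = {"GRANT", "REVOKE", "CREATE USER", "ALTER USER", "DROP USER", "ALTER SYSTEM"}
BUSINESS_HOURS = (8, 18)      # assumed: 08:00 <= hour < 18:00 counts as "in hours"
FAILED_LOGIN_THRESHOLD = 3    # assumed threshold per (user, client) pair


def _parsed(records):
    for ts, user, ip, verb, ok in records:
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, verb, ok


def excessive_failed_logins(records, threshold=FAILED_LOGIN_THRESHOLD):
    """(db_user, client_ip) pairs whose failed LOGIN count reaches the threshold."""
    counts = Counter((user, ip) for _, user, ip, verb, ok in _parsed(records)
                     if verb == "LOGIN" and not ok)
    return {key: n for key, n in counts.items() if n >= threshold}


def after_hours_logins(records, window=BUSINESS_HOURS):
    """Users with a successful LOGIN outside the business-hours window."""
    start, end = window
    return sorted({user for ts, user, _, verb, ok in _parsed(records)
                   if verb == "LOGIN" and ok and not (start <= ts.hour < end)})


def admin_commands_by_client(records, admin_verbs=ADMIN_VERBS):
    """Client IPs that issued administrative commands, with the verbs seen."""
    seen = defaultdict(set)
    for _, _, ip, verb, _ in _parsed(records):
        if verb in admin_verbs:
            seen[ip].add(verb)
    return {ip: sorted(verbs) for ip, verbs in seen.items()}


def report_card(records):
    """Per-test PASS/FAIL with the evidence, in the spirit of the VA report card."""
    results = {
        "excessive_failed_logins": excessive_failed_logins(records),
        "after_hours_logins": after_hours_logins(records),
        "admin_commands_by_client": admin_commands_by_client(records),
    }
    return {name: ("FAIL" if evidence else "PASS", evidence)
            for name, evidence in results.items()}
```

Each test returns its evidence rather than a bare verdict, which is what makes the result actionable: the report card can say which client and user tripped the check, not just that something did.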
465. uced in whole or in part without the prior written permission of IBM.

Instructor notes: Purpose / Details / Answers
1. Which of the following is NOT a valid conditional operator in Guardium?
   a. REGEXP
   b. IN GROUP
   c. NOT IN GROUP
   d. All of these are valid operators
2. True or false: To add a second condition to a query, you would first select the entity and drop it in the condition frame, and then select either AND or OR.
3. True or false: The HAVING option is only available when the SELECT clause includes one or more aggregate values such as COUNT, AVG, and so on.
Additional information: / Transition statement:

Checkpoint (2 of 2)
4. How can you supply runtime values to a query?
   a. By using Run Time Parameters
   b. By using Dynamic Groups
   c. Both a and b
   d. Neither a nor b
5. The character used as a wildcard in Guardium queries is:
   a. (illegible in the capture)
   b. %
   c. (illegible in the capture)
   d. (illegible in the capture)
6. True or false: Adding runtime parameters to reports enables drill-down reports as well.
[Figure 11-41. Checkpoint (2 of 2)]

Notes: Write your answers here: 4. 5. 6.
466. uctor Guide

Export definitions
[Figure 6-19. Export definitions: System View > Administration Console > Configuration (Data Management, Central Management, Local Taps, Guardium Definitions: Import, Distributed Interface). The Definitions Export form: Type = Report; "Definitions to Export (select multiple items using Shift or Ctrl-click)" listing predefined reports such as Full SQL, Access to Sensitive Objects, Active S-TAPs Changed, Activity By Client IP, Activity Summary By Client IP, Admin Users Login, Admin Users Login Graphical, Admin Users Sessions, Administration Objects Usage, Administrative Commands Usage, Aggregation Errors, Aggregation/Archive Log, All Guardium Applications (Role), All Roles Application Access, All Roles User, ALTER Commands Execution, AME Files, Application Objects Summary, Archive number, Archive results attempted, Archive results number, Custom Alerting, Module Installation. Overlaid is a Firefox download dialog for the exported file exp_2010-11-15_12h42m54s.sql, served from the appliance over https on port 8443, which Firefox identifies as a "Microsoft SQL Server Query File" and offers to open with SQL Server Management Studio or save.]
467. uctor Guide

LDAP (2 of 2)
[Figure 8-22. LDAP (2 of 2): Group Builder > Set Up LDAP Import for group "DBAs" (group type USERS). Configuration tab: LDAP hostname 192.168.169.8, port 389, server type Active Directory, "Use SSL connection" checkbox, Base DN ou=people,dc=my-domain,dc=com, attribute to import uid, "Clear existing group members before importing" checkbox. Group Member Import Configuration (Advanced): login as cn=Manager,dc=my-domain,dc=com with password, search filter scope (One Level / Sub Tree) and limit, a search filter on memberof for the dba group under ou=people,dc=my-domain,dc=com. Scheduling: this LDAP import configuration is currently not scheduled for execution.]

Notes:
- Enter the appropriate information to connect to the LDAP server.
- Press Run Once Now to immediately generate a list of users to import. You can pick and choose which users you would like to import from the list.
- Or you can choose to schedule the process. If you choose to schedule the process, it will import all of the users found.

Populate from Query (1 of 4)
[Figure: Group Builder > Modify Existing Groups, filter "Not Filtered"]
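The import that Figure 8-22 configures, as an added example for this page (not Guardium code): it models a directory as a dictionary, applies the base DN, the scope and a single equality filter the way the screen's settings would, and shows what the "Clear existing group members before importing" choice changes. The directory entries, the group name and the filter-escaping helper are assumptions.

```python
"""Added example (not Guardium code): what an LDAP group import does with the
settings on the Set Up LDAP Import screen. The directory below is constructed;
a real import gets these attributes back from the LDAP server."""

# Constructed directory: DN -> attributes, as an LDAP search would return them
DIRECTORY = {
    "uid=alice,ou=people,dc=my-domain,dc=com": {
        "uid": ["alice"], "memberof": ["cn=dba,ou=people,dc=my-domain,dc=com"]},
    "uid=bob,ou=people,dc=my-domain,dc=com": {
        "uid": ["bob"], "memberof": ["cn=dba,ou=people,dc=my-domain,dc=com"]},
    "uid=carol,ou=people,dc=my-domain,dc=com": {
        "uid": ["carol"], "memberof": ["cn=dev,ou=people,dc=my-domain,dc=com"]},
    "uid=dave,ou=contractors,ou=people,dc=my-domain,dc=com": {
        "uid": ["dave"], "memberof": ["cn=dba,ou=people,dc=my-domain,dc=com"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping: a value such as 'x)(uid=*' must not widen the search."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_filter(attr, value):
    return "(%s=%s)" % (attr, escape_filter_value(value))


def in_scope(dn, base_dn, scope):
    """'one_level': direct children of the base; 'sub_tree': the whole subtree.
    Assumes no escaped commas inside RDN values, which is enough here."""
    if not dn.lower().endswith("," + base_dn.lower()):
        return False
    relative = dn[: -len(base_dn) - 1]
    if scope == "sub_tree":
        return True
    if scope == "one_level":
        return "," not in relative
    raise ValueError("unknown scope %r" % scope)


def ldap_search(directory, base_dn, scope, attr, value):
    """Entries in scope whose attribute holds the value (one equality filter)."""
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope) and value in attrs.get(attr, [])]


def import_group(directory, existing_members, base_dn, scope,
                 filter_attr, filter_value, attribute, clear_existing):
    """Return the group membership after the import.

    clear_existing=False keeps members the directory no longer returns, so a
    user removed from the LDAP group stays in the Guardium group until an
    import with clear_existing=True (or a manual edit) removes them."""
    matched = ldap_search(directory, base_dn, scope, filter_attr, filter_value)
    imported = {directory[dn][attribute][0] for dn in matched}
    if clear_existing:
        return sorted(imported)
    return sorted(set(existing_members) | imported)
```

Two things worth noticing when a scheduled import feeds a group that a policy treats as privileged: the scope decides whether users in sub-OUs are included at all, and leaving "Clear existing group members" off means removals in the directory never propagate, so the group can only grow.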
468. ucts (1 of 2)
[Figure 9-6. Constructs (1 of 2): two views of the grd_construct report filtered on Construct ID 2841adb675d1d6b2adb19e9ba1935e4957f005e9 (aliases off). The first view (start 2010-08-20 04:58:34, end 07:58:34) shows the construct logged once, at 07:54:46, with the SQL "insert into grd construct col1 col2 values 1" (punctuation lost in the capture); 1 record. The second view (start 05:06:01, end 08:06:01) shows the same Construct ID with two accesses, at 07:54:46 and 08:05:58, and the SQL text stored only once; 2 records. Callouts: "This is the first time that this SQL request has been encountered by the collector. It is logged as a construct with an associated Construct ID." and "When the collector receives this SQL request again it does not log the SQL string again. Instead it refers back to the original Construct ID."]

Notes: When the sniffer encounters a SQL request that it has not previously seen, it logs the request as a construct with an associated primary key. Constructs are basically prototypes of requests that Guardium detects in the traffic. The co
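The log-once-then-reference behaviour in Figure 9-6 can be shown in a few lines. This is an added example for this page, not Guardium code: the normalisation rules (literals replaced by "?", whitespace collapsed) and the use of SHA-1 over the normalised text are assumptions; the 40-hex Construct IDs in the figure only show that the key is a fixed-length, digest-like value.

```python
"""Added example (not Guardium code): logging a repeated SQL request once as
a construct and counting later occurrences by construct ID. Normalisation
and the SHA-1 key are assumptions for this illustration."""
import hashlib
import re

# Quoted strings (with '' escapes) and standalone numbers are treated as literals.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize(sql):
    """Prototype text: trailing ';' and extra whitespace dropped, literals -> '?'."""
    text = " ".join(sql.strip().rstrip(";").split())
    return _LITERAL.sub("?", text)


def construct_id(sql):
    return hashlib.sha1(normalize(sql).encode("utf-8")).hexdigest()


class ConstructStore:
    """Sniffer-side bookkeeping: text stored once, accesses stored by ID."""

    def __init__(self):
        self.constructs = {}   # construct id -> prototype text (logged once)
        self.accesses = []     # (timestamp, construct id) for every request seen

    def record(self, timestamp, sql):
        """Return (construct id, True if this is the first time it was seen)."""
        cid = construct_id(sql)
        first_time = cid not in self.constructs
        if first_time:
            self.constructs[cid] = normalize(sql)
        self.accesses.append((timestamp, cid))
        return cid, first_time

    def total_access(self, cid):
        return sum(1 for _, seen in self.accesses if seen == cid)
```

Because the ID is computed from the normalised prototype, two inserts that differ only in their literal values share one construct and one stored text; the values themselves are not in the construct, which is why full-value logging is a separate (and heavier) policy action.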
469. ude just one Aggregator, which also acts as a Central Manager that would handle all aggregation definitions and user management.

Medium-sized environments
In a medium-sized environment the Central Manager might act as an aggregator in conjunction with other aggregators in the environment.
[Figure 2-17. Medium-sized environments: a Central Manager/Aggregator distributing users, roles and group members, with collectors reporting to it and to a second aggregator]

Notes: In a medium-sized environment (usually 10 to 15 collectors), a Central Manager will continue to function as an aggregator for a subset of collectors and perform central management functions for all of the managed units (collectors and aggregators).

Larger-sized environments
- In a larger enterprise environment there may be a dedicated Central Manager that does not perform aggregation functions.
[Figure: a dedicated Central Manager pushing users, roles, groups and definitions to the managed units; Aggregator and Coll
470. ule 9-96
Checkpoint 9-97
Topic summary 9-99
Checkpoint solution 9-100
9.6 Rule Order and Logic 9-101
Rule order and logic 9-102
Rule order and policy logic 9-103
(title illegible) 9-105
Checkpoint 9-107
Topic summary 9-109
Checkpoint solutions 9-110
(title illegible) 9-111
(title illegible) 9-113
S-GATE 9-114
S-GATE overview 9-115
S-GATE S-TAP settings 9-116
S-GATE Attach/Detach 9-118
S-GATE Terminate 9-119
Redact 9-120
Quarantine 9-121
Topic summary 9-122
(title illegible) 9-123
(title illegible) 9-125
(title illegible)
471. ultiple objects. A single object contains multiple fields. This is important because when creating a query you must choose one entity as the main entity, and what you choose as the main entity will affect how the data is presented.

Main entity: Effects
The main entity that you select for a query determines:
- The level of detail for the report
- The total count
- The time fields against which the Period From and Period To run-time parameters will be compared
[Figure 11-12. Main entity: Effects]

Notes: The main entity determines:
- The level of detail for the report. There will be one row of data for each occurrence of the main entity included in the report. The location of the main entity within the hierarchy of entities is important in terms of what values can be displayed: the attributes of any entities below the main entity can be counted but not displayed, since there may be many occurrences for each row.
- The total count, added as the last column of the report, which is a count of instances of the main entity included on that row of the report.
- The time fields against which the Period From and Period To run-time parameters will be compared to select the rows.
472. umns: Changes the column names.
- Report Parameter Description: Changes the description of the run-time parameters.

Modify report: Tabular (2 of 2)
[Figure 11-50. Modify report: Tabular (2 of 2): three Custom Reporting screens for query Training01, report title Training01. Report Attributes: refresh rate 0 seconds, graph type Tabular or Chart. Report Color Mapping: background color per row by column / operator / value, for example DB User Name IN GROUP AdminUsers, Source Program = sqlplus ("select a column"); Back / Cancel / Next. Submit Report.]

Notes:
- Report Attributes: changes the report title and default refresh rate. This screen also allows you to change the report from a tabular report to a chart.
- Report Color Mapping: allows you to color-code report rows based on a field value or group membership.
- Submit Report: saves any changes made.
473. up
[Access Rule Definition form, continued: Numeric / Date; Data Pattern; Replacement Character; Time Period; Minimum Count 0; Reset Interval 0 minutes; Message Template Default; Quarantine for 0 minutes; Records Affected Threshold 0; Rec. Vals.; Cont. to next rule. Actions: ALERT ONCE PER SESSION, LOG FULL DETAILS.]
[Figure 9-29. Access Rule Example: a complete Access rule. Description: "Privileged users accessing sensitive objects Log Full Details". Criteria: DB User IN GROUP Privileged Users AND Object IN GROUP Sensitive. Actions: Alert Once Per Session AND Log Full Details.]

Alert rules
[Figure: Access Rule Definition, Rule 2 of policy Training01. Description: "Privileged users accessing sensitive objects Alert Per Match". Category, Classification, Severity INFO. Criteria fields: Server IP and/or Group, Client IP and/or Group, Client MAC, Net. Prtcl. and/or Group, DB Type, Svc. Name and/or Group, DB Name and/or Group, DB User and
474. ups 01:15
Unit 9: Policies 00:45
Exercise 6: Creating a Policy 01:15
Unit 9: Policies 00:30
Exercise 7: Updating a Policy 00:30
Unit 10: CAS, VA and Discovery 00:30
Exercise 8: Installing and Configuring CAS 00:30
Exercise 9: Running a Vulnerability Assessment
Day 3 (durations as captured: 01:45, 00:45, 00:45)
Unit 11: Custom Query and Report Building 00:45
Exercise 10: Creating a Simple Query and Report
Exercise 11: Creating a Query with Drill-down
Exercise 12: Creating Multiple Queries
Unit 12: Compliance Workflow Automation
Exercise 13: Creating a Compliance Workflow (durations as captured: 01:00, 01:00)

Unit 1. InfoSphere Guardium
Estimated time: 00:30
What this unit is about: This unit gives an introduction to IBM InfoSphere Guardium.
What you should be able to do: After completing this unit you should be able to:
- Identify the main functionality of InfoSphere Guardium
- Describe the key components of the InfoSphere Guardium solution
475. ust sign the results electronically by clicking the Sign Results button when viewing the results online.

- To-Do List: A receiver can be notified of the report's delivery via the user's audit process To-Do List.
  - Checked: indicates the receiver should be notified through the To-Do list.
  - Unchecked: indicates the receiver should not be notified through the To-Do list.
- Email Notification: A receiver can be notified of the report's delivery via email.
  - None: e-mail will not be sent to the receiver.
  - Link Only: e-mail will contain a hypertext link to the results, which can be accessed from the Guardium appliance.
  - Full Results: e-mail will contain a copy of the results in PDF or CSV format. Be aware that the results from Classification or Assessment tasks may return sensitive information.
- Continuous: The Continuous flag controls whether distribution of results continues to the next receiver (the default) or stops until this receiver has taken the appropriate action (Review, or Review and Sign).
  - Checked: If the Continuous box is checked and the receiver is an individual user, that user must take the indicated action before the results will continue on to the next receiver in the list. If
476. ut the prior written permission of IBM.

Checkpoint solution
1. An S-TAP is installed on and monitors traffic on a ______ server.
   a. Guardium   b. Network   c. DNS   d. Database
2. List three ways an S-TAP can be installed:
   1. Interactive S-TAP installer
   2. Guardium Installation Manager
   3. GuardAPI (non-interactive installation)
3. There are two ways GIM can install additional modules: by client and by module.
[Figure 7-62. Checkpoint solution]

Notes: Write your answers here: 1. 2. 3. 4. 5.

Checkpoint solution (continued)
4. What is the difference between a Common Module Parameter and a Client Module Parameter?
   Common: used when there are multiple database servers being configured at once; the parameters apply to all of them.
   Client: used when there is just one database server being configured; the parameters apply to just that server.
5. True or false: GuardAPIs are designed to run in an executable script and provide a method of performing non-interactive installs.
[Figure 7-63. Checkpoint solution (continued)]

Notes: Write your answers here: 1. 2. 3. 4. 5.
477. ut the prior written permission of IBM.

Run Time Parameters: Dynamic groups
[Figure 11-33. Run Time Parameters: Dynamic groups. Query Conditions (addition mode AND / OR, WHERE / HAVING): Client/Server . DB User Name LIKE, Runtime Param = Parameter, value DBUser; AND Command . SQL Verb IN DYNAMIC GROUP, Runtime Param = Parameter, value Command. Run Time Parameters panel: Command IN DYNAMIC GROUP ("Choose Group For SQL Verb"); DBUser LIKE ("Enter Value for DB User Name"); QUERY_FROM_DATE > NOW -3 HOUR (Enter Period From); QUERY_TO_DATE < NOW (Enter Period To); REMOTE_SOURCE none (Remote Data Source); SHOW_ALIASES On / Off / default (Show Aliases). Presentation Parameters: fetchSize 20 (max records per page), refreshRate 0 (refresh rate in seconds).]

Notes: Runtime parameters and dynamic groups allow you to supply query conditions each time you run the report. Choose "Parameter" in the Runtime Param column to create a parameter based on a single value. Generally you should use LIKE as your operator when creating runtime parameters. Instead of entering a value in the query field, you will be entering the name of the parameter; in the example above, DBUser is the name of the parameter. To create a runtime parameter based on group membership, choose
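The two ideas from the query-building pages, the main-entity choice (Figure 11-12) and run-time parameters with a dynamic group (Figure 11-33), can be shown together on a miniature access domain. The following is an added example for this page, not Guardium's query engine or schema: the three tables, the sample rows and the column names are constructed for illustration, and the "dynamic group" is just a tuple of SQL verbs bound at run time.

```python
"""Added example (not Guardium code): a miniature access domain in SQLite
showing what the main-entity choice does to a report and how a run-time
parameter is bound when the report runs instead of being hard-coded into
the query. Tables and sample rows are constructed for illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE session   (session_id INTEGER PRIMARY KEY, db_user TEXT, client_ip TEXT, login_time TEXT);
CREATE TABLE sql_stmt  (sql_id INTEGER PRIMARY KEY, session_id INTEGER, verb TEXT, ts TEXT);
CREATE TABLE object_ref(obj_id INTEGER PRIMARY KEY, sql_id INTEGER, name TEXT);
"""
SESSIONS = [(1, "scott", "10.0.0.9", "2013-03-04 09:00:00"),
            (2, "appuser", "10.0.0.5", "2013-03-04 09:30:00")]
STATEMENTS = [(1, 1, "SELECT", "2013-03-04 09:01:00"),
              (2, 1, "UPDATE", "2013-03-04 09:02:00"),
              (3, 2, "SELECT", "2013-03-04 09:31:00")]
OBJECTS = [(1, 1, "EMPLOYEES"), (2, 1, "SALARIES"), (3, 2, "SALARIES"), (4, 3, "ORDERS")]


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO session VALUES (?,?,?,?)", SESSIONS)
    con.executemany("INSERT INTO sql_stmt VALUES (?,?,?,?)", STATEMENTS)
    con.executemany("INSERT INTO object_ref VALUES (?,?,?)", OBJECTS)
    return con


def report_by_session(con, db_user_like="%"):
    """Main entity = Session: one row per session. Objects sit below the main
    entity, so they can only be counted; the last column is the 'total count'."""
    return con.execute("""
        SELECT s.db_user, s.client_ip,
               COUNT(DISTINCT o.name)   AS objects_touched,
               COUNT(DISTINCT q.sql_id) AS total_count
        FROM session s
        LEFT JOIN sql_stmt q   ON q.session_id = s.session_id
        LEFT JOIN object_ref o ON o.sql_id = q.sql_id
        WHERE s.db_user LIKE ?
        GROUP BY s.session_id
        ORDER BY s.session_id""", (db_user_like,)).fetchall()


def report_by_object(con, db_user_like="%", verb_group=("SELECT",)):
    """Main entity = Object: one row per object reference, and the session
    attributes above it are displayable. verb_group plays the dynamic-group
    role; only '?' placeholders are spliced into the SQL text, never values."""
    placeholders = ",".join("?" * len(verb_group))
    sql = """
        SELECT s.db_user, q.verb, o.name
        FROM object_ref o
        JOIN sql_stmt q ON q.sql_id = o.sql_id
        JOIN session s  ON s.session_id = q.session_id
        WHERE s.db_user LIKE ? AND q.verb IN (%s)
        ORDER BY o.obj_id""" % placeholders
    return con.execute(sql, (db_user_like, *verb_group)).fetchall()
```

Same data, two main entities: by session you get one row per session and can only count the objects beneath it; by object you get one row per object reference with the user and verb displayable. The run-time values travel as bound parameters, so a DBUser value containing quote characters narrows the report to nothing rather than altering the query.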
478. uthorizationCode
[Figure 5-11. Configuration: Global Profile. Administration Console > Configuration, with neighbouring items Incident Generation, Inspection Engines, IP-to-Hostname Aliasing, Policy Installation, Portal, Session Inference, System, Upload Key File, and Data Management, Central Management, Local Taps, Guardium Definitions, Custom Alerting, Module Installation. Global Profile fields: "To add to baseline" (addBaselineConstruct), disable accordion menus, CSV separator (Comma / Semicolon / Tab / Other), HTML left / HTML right, login message and "Show login message", "Concurrent login from different IP not allowed", data-level security filtering (default filtering: Show all; include indirect records), online viewer default setting and audit process results distribution ("Escalate result to all users"), upload logo image (file name), Apply.]

Notes: The Global Profile panel defines defaults that apply to all users. Below are details on each of the options contained within this screen.
Note: "Use Aliases in Reports unless otherwise specified" and "Message template" are the most commonly accessed settings.
- Use Aliases in Reports unless otherwise specified: allows you to display aliases by default on all reports. This is especially helpful for displaying hostnames instead of IP addresses.
- PDF Footer Text: changes the text displayed at the bottom of each page of each PDF document generated
479. uto-discovery application can be configured to probe the network, searching for and reporting on all databases discovered. Once an auto-discovery process has been defined, it can be run on demand or scheduled to run on a periodic basis. There are two types of jobs that can be scheduled for each process:
- A scan job scans each specified host (or the hosts in a specified subnet) and compiles a list of open ports from the list of ports specified for that host. A scan job must be run before running the second type of job.
- A probe job uses the list of open ports compiled during the latest completed scan only. The probe job determines whether there are database services running on those ports. You can view the results of this job on the Databases Discovered predefined report.
[Figure 10-12. Database Discovery and classification (1 of 2)]

Notes: Database Auto-discovery. Sometimes a new database is introduced into a production environment outside of the normal control mechanisms. For example, the new database might be part of an application package from a software vendor. In older installations some databases may have been left unmonitored and forgotten because the data and/or the activities performed on it were not seen as a risk when the database was implemented. Or, in another case, a rogue DBA might create a new instance of the database and do with it as he or she pleases without being monitor
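The scan-then-probe sequence described above, as an added example for this page (not Guardium's discovery code): the scan job reports which candidate ports accept a connection, and the probe job examines only those ports for a database service. To stay offline the example starts its own stand-in "database" listener on 127.0.0.1; the banner signatures are an assumption, and many real database services send nothing until the client speaks the protocol, so a production probe sends protocol-specific handshakes rather than waiting for a banner.

```python
"""Added example (not Guardium code): the scan-then-probe flow, run against a
listener the example itself starts on 127.0.0.1 so it works offline. The
banner signatures are an assumption."""
import socket
import threading

# Assumed: byte pattern expected in the first bytes a service sends -> service name
SIGNATURES = {b"MySQL": "MySQL", b"PostgreSQL": "PostgreSQL", b"ORACLE-TNS": "Oracle"}


def start_fake_db_listener(banner=b"5.5.31-MySQL Community Server\n"):
    """Constructed stand-in for a database service; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                conn.sendall(banner)      # the scan may hang up first; keep serving
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan_job(host, ports, timeout=0.5):
    """Stage 1: which of the candidate ports accept a TCP connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def probe_job(host, open_ports, timeout=0.5):
    """Stage 2: only ports the latest scan reported open are checked for a database."""
    discovered = {}
    for port in open_ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                greeting = s.recv(256)
        except OSError:
            continue
        for signature, service in SIGNATURES.items():
            if signature in greeting:
                discovered[port] = service
                break
    return discovered


def pick_closed_port():
    """Helper for the demonstration: a port nothing is listening on right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def discovery_run():
    db_port = start_fake_db_listener()
    closed = pick_closed_port()
    open_ports = scan_job("127.0.0.1", [closed, db_port])
    return {"open_ports": open_ports,
            "databases": probe_job("127.0.0.1", open_ports),
            "db_port": db_port}
```

The separation matters operationally: a probe run reflects the latest completed scan, so a database started after that scan on a port the scan did not see open will not appear in Databases Discovered until the scan job runs again.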
480. vileged Users Monitoring (white list), SOX, SOX Oracle EBS, Vulnerability & Threats Management
[Figure 9-13. Currently Installed Policies: the policy list above, "Select an installation action", Add Comments, Scheduling ("Policy installation is currently not scheduled for execution"), Modify Schedule, Run Once Now.]

Notes: After the policy has been installed, you can view the basic attributes (date installed, number of rules, etc.) of the policy from the Currently Installed Policies screen. You can also directly access the policy by pressing Edit Installed Policy.

Accessing the Policy Builder
[Figure 9-14. Accessing the Policy Builder: two entry paths, for a user with the admin role and for a user with the user role, leading to: Create a new Policy, Install Policy, Create a new Baseline, Create a new Policy based on a Baseline, Create a new Policy with no Baseline, Modify/clone a Baseline, Time Period builder]

Notes: To access the Policy Builder: as a user with the admin role, go to Tools > Policy Builder; as a user with the user role, go to Protect > Security Policies.
481. violations
[Figure 11-4. Track data access: the Build Reports page. Left column buttons: Track data access, Track exceptions, Track policy violations, Track sent alerts, Track rogue connections, Access tracking builder, Report builder, Group builder, Exceptions tracking builder, Alias builder, Policy violations tracking builder, Time period builder, Flat Log tracking builder, Alert tracking builder. Centre: "Define how information should be presented", "Place report on portal page".]

Notes: To build a new custom query, go to Monitor/Audit > Build Reports. In the left-hand column there are a number of buttons that begin with "Track" or contain the phrase "tracking builder". These buttons open the query builder for a specific domain. For example, Track data access will open the query builder for the Access domain. Domains will be discussed on the next page.

Domain
A domain is a view of the data. There are 3 domains:
- Standard domains, for example: Access (all monitored SQL requests), Exceptions (from database servers or appliance components), Alerts, Policy Violations, and so on.
- Administrator domains, for example: Aggregation/Archive (archive, backup, restore, and so on), Logins
482. vironment variables. These tests can be seen through the CAS Template Set Definition panel and have the word "Assessment" in their name.
[Figure 10-11. Vulnerability Assessment (4 of 4)]

Notes: CAS-based tests. A CAS-based test is either a pre-defined or user-defined test that is based on a CAS template item of type OS Script (command) and uses CAS-collected data. Users can specify which template item to use and test against the content of the CAS results. Guardium also comes pre-configured with some CAS template items of type OS Script that can be used for creating a CAS-based test. These tests can be seen through the CAS Template Set Definition panel and have a name that contains the word "Assessment"; for instance, the Unix Oracle set for assessments is named "Guardium Unix Oracle Assessment". Additionally, any template that is added that involves file permissions will also be used for permission and ownership checking. Whether you use a Guardium pre-configured template or define your own, once defined these tests will appear for selection during the creation or modification of CAS-based tests.

Database Discovery and classification (1 of 2)
Database Auto-discovery: Guardium's A
483.
[Figure 9-61. Extrusion Rule example: Access Rule Definition, Rule 4 of policy Training01, with the Build Regular Expression dialog open (Test / Accept). Description: "guardium CREDIT CARD Privileged users accessing credit cards". Category, Classification. Criteria fields: Server IP, Client IP, Client MAC, Net. Prtcl., DB Type, Svc. Name, DB Name, DB User (each "and/or Group"); Client IP / Src App / DB User / Server IP / Svc Name; App User, OS User, Src App (each "and/or Group"); Replacement Character; SQL Pattern; Time Period; Minimum Count 0; Reset Interval 0 minutes; Message Template Default; Quarantine for 0 minutes; Matched Returned Data Threshold 0; Rec. Vals.; Revoke. Actions: LOG ONLY; Add Action. The regular expression being built consists of [0-9]{4} groups; the full expression is not legible in the capture.]

Notes: Extrusion rules examine data being returned from the database server to the client, based on patterns in the data matching a regular expression. To create an extrusion rule that searches for credit card numbers being returned to privileged users, populate the fields as follows. Description: "guardium CREDIT CARD Privileged users accessing credit cards". When a rule name begins with
484. wing
[Figure 4-8. User Browser: editing a user; Update User / Back buttons]

Notes: All of the settings on an existing user can be modified except for the username. To modify an existing user, select User Browser and then click EDIT next to the user to be modified. If the list of users is too long, you can narrow it down by using a FILTER, which consists of a filter string and the field to which it applies (username, email address, etc.).

User Browser: modifying roles
The Roles link is used to modify a user's role membership. The user becomes a member of any role that is checked; the user does not become a member of any role that is unchecked.
[Figure: Access Management > Data Security: User Browser, User Role Form, User Role Browser, User LDAP Import, User Role Permissions, User & Role Reports. The User Browser with a case-sensitive filter string on User Name, Filter, Add User, Search Users; columns Username, First Name, Last Name, Email, Actions; Role Name / Assign]
485. within the database itself. With Guardium's CAS, organizations can track all changes to:
- Security and access control objects, such as users, roles and permissions.
- Database structures, such as tables, triggers and stored procedures. CAS can also detect accidental deletions or insertions of critical tables that can impact data governance.
- Critical data values, such as data that affects the integrity of financial transactions.
- Database configuration objects that can affect security posture, such as OS and database configuration files (e.g. sqlnet.ora), environment and registry variables, and executables such as shell scripts, Java and XML programs.

Vulnerability Assessment
VA evaluates the security of the database environment:
- Query-based tests: patches, passwords, privileges, defaults
- Behavioral tests: exceeding thresholds, executing administrative commands
- CAS-based tests: operating system configuration vulnerabilities
[Figure 1-14. Vulnerability Assessment: a Firefox window at https://192.168.169.5:8441 showing an IBM InfoSphere Guardium Security Assessment Results page]
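What a CAS-style check on a configuration file amounts to, covering both the change tracking described in this CAS overview and the permission and ownership checking mentioned under CAS-based tests (Vulnerability Assessment 4 of 4). This is an added example for this page, not the CAS agent's code: it baselines a file's content hash, mode and owner, then reports changes and unsafe permissions on a later run. The sqlnet.ora stand-in is created in a temporary directory so the example runs offline, and the "not group/world writable, not world readable" rule is an assumed policy.

```python
"""Added example (not Guardium code): a CAS-style file check that baselines a
configuration file (content digest, mode, owner) and reports changes and
unsafe permissions. The sqlnet.ora stand-in and the permission rule are
constructed for this illustration."""
import hashlib
import os
import stat
import tempfile


def snapshot(path):
    """What the agent records for one file: content digest, mode bits, owner."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}


def permission_findings(snap, path):
    """Ownership/permission test against the assumed rule for DB config files."""
    findings = []
    if snap["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s: writable by group or others (mode %s)" % (path, oct(snap["mode"])))
    if snap["mode"] & stat.S_IROTH:
        findings.append("%s: readable by everyone (mode %s)" % (path, oct(snap["mode"])))
    return findings


def compare(baseline, current, path):
    """Change test: which recorded properties differ from the baseline."""
    return ["%s: %s changed from %s to %s" % (path, key, baseline[key], current[key])
            for key in ("sha256", "mode", "uid", "gid") if baseline[key] != current[key]]


def demo():
    """Baseline a sqlnet.ora stand-in, then simulate an edit plus loosened permissions."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sqlnet.ora")
    with open(path, "w") as fh:
        fh.write("SQLNET.AUTHENTICATION_SERVICES = (NTS)\n")
    os.chmod(path, 0o640)
    baseline = snapshot(path)
    initial = permission_findings(baseline, path)

    with open(path, "a") as fh:                       # unauthorised edit
        fh.write("SQLNET.ENCRYPTION_SERVER = rejected\n")
    os.chmod(path, 0o666)                             # permissions loosened
    current = snapshot(path)
    return {"initial_findings": initial,
            "changes": compare(baseline, current, path),
            "findings": permission_findings(current, path)}
```

The digest catches the content change even when size and timestamp are untouched, and the mode/owner comparison catches the kind of change (a world-writable sqlnet.ora) that does not alter content at all but lets anyone on the host alter it later.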
486. without the prior written permission of IBM.

Checkpoint (2 of 2)
3. Match the following Guardium components with their correct usage:
   a. Real-time monitoring
   b. Reporting
   c. Compliance Workflow Automation
   d. Configuration Auditing System
   e. Vulnerability Assessment
   f. Database Discovery
   g. Data Classification
   - Tracks changes to database setup files and security objects
   - Locates operating databases
   - Performs database access filtering, alerting and prevention
   - Locates sensitive data
   - Generates built-in or custom documents
   - Tests to evaluate the overall security of the database environment
   - Routes reports to users for comments and sign-off
[Figure 1-18. Checkpoint (2 of 2)]

Notes: Write your answers here: 3.

Instructor notes: Purpose / Details. Match the following Guardium components with their correct usage (answers):
   d. Tracks changes to database setup files and security objects
   f. Locates operating databases
   a. Performs database access filtering, alerting and prevention
   g. Locates sensitive data
   e. Vu
487. without the prior written permission of IBM. Instructor Guide.

Log full details

[Figure: Access Rule Definition screen for Rule 7 of policy Training01. Description: "Priv Users performing DML on Sens Objs - Log Full Details"; Category and Classification empty; Severity: INFO. The criteria fields (Server IP, Client IP, Client MAC, Net Prtcl, DB Type, Svc Name, DB Name, DB User, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object, Command, Object/Cmd Group, Object/Field Group, Pattern, XML Pattern, App Event Exists, Event Type, Event User Name, App Event Values Text, Numeric, Date, Data Pattern, Replacement Character, Time Period) are shown; Minimum Count 0, Reset Interval 0 minutes, Message Template Default, Quarantine for 0 minutes, Records Affected Threshold 0, "Cont. to next rule" checkbox. The Actions drop-down lists ALERT ONCE PER SESSION, ALERT PER MATCH, ALERT PER TIME GRANULARITY, ALLOW, IGNORE RESPONSES PER SESSION, IGNORE S-TAP SESSION, IGNORE SESSION, IGNORE SQL PER SESSION, LOG FULL DETAILS, LOG FULL DETAILS PER SESSION, L... (list cut off).]
488. two entries: oracle.exe, tnslsnr.exe. For MS SQL Server the list is usually just one entry: sqlservr.exe.

(Unit 7: S-TAP and GIM, page 7-69)

  - namedPipe (Windows only): Specifies the name of a named pipe. If a named pipe is used but nothing is specified here, S-TAP retrieves the named pipe name from the registry.
  - ktapDbPort: Under Unix, used only when the K-TAP monitoring mechanism is used. Identifies the database port to be monitored by the K-TAP mechanism.
  - dbinstallDir (Unix only): Enter the full path name for the database installation directory, for example /home/oracle10.
  - procName (Unix server): For a DB2, Oracle or Informix database, enter the full path name for the database executable.
  - instanceName: Used only for MSSQL or Oracle encrypted traffic. Either the MSSQL or ORACLE encryption flag must be turned on before this parameter can be used.

(Page 7-70)

[Slide: "InfoSphere Guardium ... software" (title not recoverable from the page).]
489. written permission of IBM. Instructor Guide.

Constructs (2 of 2)

The default method of logging saves a tremendous amount of disk space. In the example below, the sniffer logged three entries. If each occurrence was separately logged, 7992 lines would be logged.

If the sniffer receives the same construct multiple times within the same session and the same Access Period (usually 1 hour), it will count the number of times that the SQL request was made and update the Access Period time stamp with the latest request. It will not write a separate line for each time the SQL request is issued.

A new entry (reference to the construct) will be made in the database under two conditions:
  1. A new session is started.
  2. A new Access Period begins.

[Figure: two grd_construct report screenshots. First report: Start Date 2010-08-20 05:32:34, End Date 2010-08-20 08:32:34, Aliases OFF, filter "Construct LIKE 2841adb675d1d6b2adb19e9ba1935e4957f005e9"; columns Timestamp, Construct Id, Sql, Total access; the rows (from 2010-08-20 07:54:46) show insert statements into grd_construct. Second report: Start Date 2010-08-20 07:06:33, End Date 2010-08-20 09:06:33, same filter; columns Period Start Time, Construct Id, Sql, Total access; the row shows the same construct id with an insert into grd_construct and a total access count of 1.]
490. y implementations, multiple collectors are required. The number of required collectors is usually a factor of the number of CPUs on each database server and the type and quantity of traffic to be monitored.

Whenever two or more collectors are utilized, one or more aggregators are included in the solution. An aggregator (also called a G5000) is a separate type of appliance. It does not collect traffic directly from database servers. Instead, each collector sends its data to an aggregator on a periodic basis, usually nightly. The aggregator then merges the data from all of the collectors into its own internal database. This allows users to view all of the data from multiple collectors in a central location.

(Unit 2: Guardium Architecture, page 2-21)

Central management (1 of 2)

One aggregator also functions as a Central Manager. The Central Manager stores most definitions, including queries, reports, policies and alerts.

[Figure 2-14: Central management (1 of 2). Diagram of an Aggregator acting as Central Manager distributing Definitions to three Collectors. GU2022.0]

Notes: One aggregator also functions as a Central Manager; the Central Manager stores most definitions, including queries, reports, policies and alerts.
491. y, the traffic will be logged normally. When the user name is resolved, this rule would not be triggered because it will no longer be empty, allowing the session to be evaluated by the Ignore Session rule.

(Unit 9: Policies, page 9-51)

Ignore session rules

[Figure: Access Rule Definition screen for Rule 4 of policy Training01. Description: "Not Privileged User - Ignore STAP Session"; Category and Classification empty; Severity: INFO. DB User and/or Group is set to the group "Public Privileged Users" with the "Not" box checked, so the rule matches sessions whose DB user is not in that group; the remaining criteria fields (Server IP, Client IP, Client MAC, Net Prtcl, DB Type, Svc Name, DB Name, Client IP/Src App/DB User/Server IP/Svc Name, App User, OS User, Src App, Field, Object, Command, Object/Field Group, Pattern, XML Pattern, App Event Exists, Event User Name, App Event Values, Data Pattern) are left empty. The Actions drop-down is open, showing ALERT DAILY, ALERT PER TIME GRANULARITY, ALLOW, IGNORE RESPONSES PER SESSION, IGNORE SQL PER SESSION, LOG FULL DETAILS, LOG ... (list cut off).]
492. [Figure 7-25: Verify traffic. GU2022.0]

Notes: Finally, confirm that the S-TAP is logging traffic successfully. You can use a report for this purpose. Note: the Reports tab and the reports it contains are not out of the box (OOTB); they were built separately in our Guardium environment.

(Unit 7: S-TAP and GIM, page 7-31)

GIM installation: UNIX/Linux

After completing this topic, you should be able to:
  - Install the Guardium Installation Manager (GIM).
  - Use GIM to install S-TAP on a Linux database server.
  - Install the Discovery module.
  - Use the Discovery module to automatically configure an inspection engine.

[Figure 7-26: Topic summary. GU2022.0]

Notes:

(Page 7-32)

7.2 GIM installation: UNIX/Linux

Instructor topic introduction
  - What students will do
  - How students will do it
  - What students will learn
  - How this will help students on their job

(Page 7-33)
