...

Tips and Tricks… Information Management Joe DiPietro

by user

on
Category: Documents
84

views

Report

Comments

Transcript

Tips and Tricks… Information Management Joe DiPietro
Tips and Tricks…
Joe DiPietro
[email protected]
Information Management
© 2011 IBM Corporation
Information Management
Agenda
Resources
GIM Details
 Red Book
 "Discovery Agent"
 Developer works
 "CAS"
 Tech talks
 How to Guides
Helping DBA's get more visibility:
 YouTube
 Long running queries
 GUI Layout
 Active user last login
 Dashboard
 Active User with No Activity
Operations
 What CLI commands are available?
 Failed User login attempts
 SQL Errors
– Comm <string>
 GRDAPI – Datasource
Reporting
 UID Chain
 Difference reports
 Review 9.x Release Highlights
 Customize change management
 Enterprise reports
 Customize and drill down report
 Silent Installs*
 Application User Identification
 LDAP/Active directory integration
 VA Tests
 SGATE vs STAP Terminate
– Text Exceptions
 Global Profile – SIEM integration
 Guardium Grid
 Change Management Reconciliation
 Dormant Accounts
 The GIM client can now be installed using Tivoli Provisioning
Manager (TPM) as of 8.2
 Linking Guardium Reporting Domain
2
– Oracle Dormant User Report
© 2011 IBM Corporation
Information Management
Guardium Red Book
 http://www.redbooks.ibm.com/abstracts/sg248129.html?Open
3
© 2011 IBM Corporation
Information Management
Resources
 DeveloperWorks
– http://www.ibm.com/developer
works/data/library/techarticle/d
m-1304pcidiss/
– Great resource for
white papers, tech
notes, best practices
 Guardium Tech Talks
–
https://www.ibm.com/developerworks/co
mmunity/wikis/home?lang=en#!/wiki/Wf3
2fc3a2c8cb_4b9c_83e4_09b3c6f60e46/
page/Guardium%20Tech%20Talks
 Guardium YouTube
Channel
– http://www.youtube.com/user/Inf
oSphereGuardium
– IBM InfoSphere Guardium 101
TechTalk
– Guardium demos
– Monitoring SAP with IBM
InfoSphere Guardium (5:53)
Product Enhancements
http://www.ibm.com/developerworks/rfe/
 Teradata Hardening
Guide
4
– http://www.teradata.com/whitepapers/hardening-a-teradatadatabase-best-practices-accessrights-management/?type=WP
© 2011 IBM Corporation
Information Management
Tech Talks – It’s Worth The Time!!!
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wf32fc3a2c8cb_4b9c_
83e4_09b3c6f60e46/page/Guardium%20Tech%20Talks
InfoSphere Guardium: What's new in V9.0
InfoSphere Guardium 101
Roadmap to a successful V9 upgrade
Take Control of Your InfoSphere Guardium Appliance
Implementing DAM for DB2 for z/OS
Guardium and QRadar Integration
Deploying Guardium Part 1: Planning the deployment
Deploying Guardium Part 2: Monitoring setup and guidelines
Database Discovery and Sensitive Data Finder (classifier)
Implementing a data security and compliance solution for IBM i
How to audit and protect SAP systems with InfoSphere Guardium Data Activity Monitor
What's new in InfoSphere Guardium for z/OS 9.1
Let's catch on what's new with InfoSphere Guardium (9.0GPU 50 and 9.1)
A Big Data Security Use case: A Holistic Approach to Data Protection
Reporting 101
Advanced Reporting
Using Guardium APIs to speed deployment and automate repetitive tasks
Taking a RESTful look at InfoSphere Guardium APIs
Tech Talk - Getting Started with InfoSphere Guardium Vulnerability Assessment
5
© 2011 IBM Corporation
Information Management
Recent YouTube Videos
 http://youtu.be/YttdsKErXCs
– Guardium Overview Presentation
 http://youtu.be/M0P12R2Kkjc
– Guardium / QRadar Integration
 http://youtu.be/uiiD2FTaL_s
– Securing SAP
 http://youtu.be/yRoRkAExVz0 (Connection Profiling Part 1 of 3)
– Demo of how Connection profiling works in Guardium V9 GPU 50
 http://youtu.be/bm6nnATDzeU (Connection Profiling Part 2 of 3)
– How to Guide on configuring connection profiling
 http://youtu.be/NwndWdCmAic (Connection Profiling Part 3 of 3)
– Shows audit process approval on how to authorize new connections to the database
 http://youtu.be/1gJIacBCaLM
– Guardium Ecosystem with other IBM products
 http://youtu.be/MB0Eeyry9SU
– Quick Search Demonstration - New in V9 GPU 50
 http://youtu.be/Zc43fTaoacU
– Create a server risk dashboard using InfoSphere Guardium
6
© 2011 IBM Corporation
Information Management
Recent YouTube Videos - RestAPI
– http://youtu.be/sQppCzTr2-M
– Auditor access to reports through InfoSphere Guardium through RestAPI
– http://youtu.be/Fsitbdg6H-8
– Allowing Application Owners insights into database information to help
resolve application issues
– http://youtu.be/ZH8l_sEZZ28
– Updating groups and managing security policies through RestAPI
– http://youtu.be/Zc43fTaoacU
– Create a server risk dashboard using InfoSphere Guardium
7
© 2011 IBM Corporation
Information Management
CLI Commands
Show me all the commands that have the following string
tlab> comm
policy
show installed security policy
Show me all the
commands with
“policy” for example…
store installed security policy
ok
tlab> sh
installed security policy
Z Policy
ok
You only need to type
in “enough” of the
command to be unique
“sh” vs “show”
tlab>
8
© 2011 IBM Corporation
Information Management
Useful Assets
 HowToGuides (in the product)
9
© 2011 IBM Corporation
[email protected]
Guardium Creating Dashboards in Five
Information Management
© 2011 IBM Corporation
Information Management
Dashboards…
 Dashboard Overview
 Collection architecture to gather data
 Method for creating reports
 Summary
3
Key Take Aways
• Data Activity Monitoring (DAM)
information needs to be
incorporated with other
“dashboard” information
• Flexibility of the audit repository
will allow for many different types
of dashboard reports
• Integrating dashboard information
with RestAPI and other
mechanisms is critical to
presenting DAM information with
other important infrastructure
© 2011 IBM Corporation
Information Management
Dashboard Report with Most Common Information
Database Types Monitored
SQL Accesses Per Server
Sessions Per Server
SQL Errors
Users Per Server
Type of Connections
Failed Logins
VA Tests Per Server
Client IP Per Server
© 2011 IBM Corporation
Information Management
Collection Architecture Allows for Flexibility in Reports
 Dashboards require summary
information
Analysis
engine
 Parsing the SQL statements
can allow for great risk reports
Parse SQL
Statements
Select name, cardid
from Creditcard
 Failed Logins
Read Only
Hardened Repository
(no direct access)
 SQL Errors
 SQL constructs
 Sessions
 Users
 Etc
Sessions
Commands
Joe
Select
SQL
Select name, cardid
from Creditcard
Columns/Fields
name
cardid
Objects
Creditcard
© 2011 IBM Corporation
Information Management
Dashboard Process
 Identity report criteria
 Create the query
 Produce the report
Add Count means – count the entity
Add Distinct – means
get rid of duplicates
Add additional
columns as needed





Sometimes less information is more information
Try creating some “counts” of information
How many Sessions per Server?
How many Users per Server?
“Read” access (selects) vs “Write access”
(insert, update, delete) to data
Count vs Value…
You can “count” any
attribute in a report
© 2011 IBM Corporation
Information Management
Summary: Integration With Other Dashboards
 Industry standard restAPI can be used to
integrate dashboard data
 Audit processes can automatically
distribute information to relevant
dashboard repositories
 Collection architecture can allow for
ultimate flexibility in creating dashboards
and reports
 Dashboard information is an easy process
with Guardium
© 2011 IBM Corporation
[email protected]
Guardium Connection Profiling in Five
Information Management
© 2011 IBM Corporation
Information Management
Agenda
 Understanding Database Risk
 The Ideal Solution Architecture
 Guardium Solution
 Summary
3
Key Take Aways
• Data Security is essential to
ensure regulatory compliance and
to prevent unauthorized access to
sensitive and confidential data.
• Visibility allows you insights to
who is accessing your data
• InfoSphere Guardium can help
proactively block unauthorized
connections to provide extra
security and eliminate
unnecessary risk
© 2011 IBM Corporation
Information Management
Ideal Solution Gives “Total” Visibility
Unauthorized
Connection
 Unauthorized database connections
have high risk
 Do you know how many people access
information within the database?
– Developers
– DBA’s
– Application Servers
– Others?
Authorized
Connection
 How do you classify the risk of these
connections?
 Visibility is the key to understanding risk
10.10.9.240
10.10.9.56
© 2011 IBM Corporation
Information Management
Guardium Solution – A Simple Policy To Eliminate
Unnecessary Risk
 Identify connections to the database
 Classify the connections as “authorized” vs “unauthorized”
Alert or Block
 Add new “authorized” connections for valid business reasons
 Drop connections NOT in the Authorized Group “Connection
Profiling List”
© 2011 IBM Corporation
Information Management
UnAuthorized Connections Report
 These connections do not appear in the (Connection Profiling
List) group
 Valid these connections with Security, and the business
owner to identify risk of each connection
© 2011 IBM Corporation
Information Management
Summary – Use Connection Profiling to Reduce Risk!
 Identify “all” connections to the database
 Monitor authorized connections
– Apps from the application server
– Add connections as required for appropriate business
reasons
 Block “unauthorized” connections
 Proactively eliminate risk!
© 2011 IBM Corporation
Information Management
GRDAPI Example – Get Entitlement Reports Automatically
 Create datasource
 Create entitlement report reference and link it to datasource
 Upload information from database
22
© 2011 IBM Corporation
Information Management
Alter System Privileges
23
© 2011 IBM Corporation
Information Management
GRDAPI Example – Get Entitlement Reports Automatically
create the datasource
G82.ibm.com> grdapi create_datasource type=ORACLE name=10.10.9.56-sqlguard
description=< > host=10.10.9.56 port=1521 serviceName=xe user=joe password=guardium
dbName=< > shared=true conProperty=< > dbInstanceDirectory=< > dbInstanceAccount=< >
application=Classifier owner=admin customURL=< > severity=< > api_target_host=< >
ID=20017
ok
G82.ibm.com>
Create the datasource bindings for Oracle Entitlement reports
G82.ibm.com> grdapi create_datasourceRef_by_name application=CustomTables
objName="ORA Accnts of ALTER SYSTEM" datasourceName="10.10.9.56-sqlguard"
ID=7
ok
G82.ibm.com>
Upload custom data into the entitlement reports
G82.ibm.com> grdapi upload_custom_data
tableName=ORA_ACCNTS_ALTER_SYSTEM_AND_SESSION
ID=7
ok
G82.ibm.com>
24
© 2011 IBM Corporation
Information Management
GRDAPI Example – Get Entitlement Reports Automatically
create the datasource (Only once)
grdapi create_datasource type=ORACLE name=10.10.9.56-sqlguard description=< > host=10.10.9.56 port=1521 serviceName=xe user=joe
password=guardium dbName=< > shared=true conProperty=< > dbInstanceDirectory=< > dbInstanceAccount=< > application=Classifier owner=admin
customURL=< > severity=< > api_target_host=< >
Create the datasource bindings for Oracle Entitlement reports
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
sqlguard"
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
grdapi create_datasourceRef_by_name application=CustomTables
sqlguard"
objName="ORA Accnts of ALTER SYSTEM" datasourceName="10.10.9.56-sqlguard"
objName="ORA Accnts with BECOME USER" datasourceName="10.10.9.56-sqlguard"
objName="ORA All Sys Priv and admin opt" datasourceName="10.10.9.56-sqlguard"
objName="ORA Obj And Columns Priv" datasourceName="10.10.9.56-sqlguard"
objName="ORA Object Access By PUBLIC" datasourceName="10.10.9.56-sqlguard"
objName="ORA Object privileges" datasourceName="10.10.9.56-sqlguard"
objName="ORA PUBLIC Exec Priv on SYS Proc" datasourceName="10.10.9.56objName="ORA Roles Granted" datasourceName="10.10.9.56-sqlguard"
objName="ORA Sys Priv Granted" datasourceName="10.10.9.56-sqlguard"
objName="ORA SYSDBA and SYSOPER Accnts" datasourceName="10.10.9.56-
Upload custom data into the entitlement reports
grdapi upload_custom_data tableName=ORA_OBJECT_PRIVELEGES_BY_DB
grdapi upload_custom_data tableName=ORA_HIERARCHICAL_SYS_PRIV_GRANTED debug=5
grdapi upload_custom_data tableName=ORA_ALL_SYSTEM_PRIVILEGE
grdapi upload_custom_data tableName=ORA_OBJECT_ACCESS_BY_PUBLIC
debug=5
grdapi upload_custom_data tableName=ORA_EXEC_PRIV_ON_SYS_PROC debug=4
grdapi upload_custom_data tableName=ORA_SYSDBA_SYSOPER_PRIV_ACCNT
grdapi upload_custom_data tableName=ORA_ACCNTS_ALTER_SYSTEM_AND_SESSION
grdapi upload_custom_data tableName=ORA_ACCOUNTS_WITH_BECOME_USER
grdapi upload_custom_data tableName=ORA_OBJECT_AND_COLUMNS_PRIVILEGES
grdapi upload_custom_data tableName=ORA_ROLES_TO_USERS_AND_ROLES
25
© 2011 IBM Corporation
Information Management
Heterogeneous Database Entitlement Reports – Oracle Sample Reports
© 2011 IBM Corporation
Information Management
Managing the information…
28
© 2011 IBM Corporation
Information Management
Schedule, Purge, Overwrite, etc…
29
© 2011 IBM Corporation
Information Management
UID Chaining to Identify Unique Individual with “Generic” Accounts
 Problem:
– Generic accounts like “System”, “SA”, “Sys” don’t have individual accountability
to identify who performed the database transacations
• Etc
 Solution
– Use Guardium UID Chain feature. Need (hunter_trace=1) in guard_tap.ini
 Use Case
– Uniquely identify “joe” as the user that logged into Oracle using the “system”
account, from the OS User of “Oracle”
30
© 2011 IBM Corporation
Information Management
Developers/SAs/Analysts - Access to Live Production Systems
hunter_trace=1
© 2011 IBM Corporation
Information Management
Customizing And Clone The GUI
 Do you have many users that you want to have the same look and feel?
 Do you want to simplify the GUI for some people?
 Try customizing it…
Steps:
32
1.
Create a role (SimpleView)
2.
add a new user (joe2)
3.
customize your layout
4.
run the CLI command: generate-role-layout joe2 SimpleView
5.
add another user (joe3)with the new role (SimpleView)
© 2011 IBM Corporation
Information Management
Cloning a GUI Layout For Other Users
Assign new role
33
© 2011 IBM Corporation
Information Management
New User Has The Same Portlet
34
© 2011 IBM Corporation
Information Management
Login as “joe2” and customize the GUI
generate-role-layout joe2 SimpleView
where joe2 is the user and SimpleView is the role
35
v9GA.ibm.com> generate-role-layout joe2 SimpleView
Stopping guiStopping.......
...
....
GUI stopped. Now copying the layout of user 'joe2' to a new layout
for the role 'SimpleView'.
...
Layout copied. New users with role 'SimpleView' will begin with this layout,
if logging in for the first time.
Please stand by for the Portal to be reset and restarted.
Assign new role to
all “desired” users
© 2011 IBM Corporation
Information Management
Creating A Dashboard – Using the Reporting Capability
 Sometimes less information is more information
 Try creating some “counts” of information
 How many Sessions per Server?
 How many Users per Server
 “Read” access vs “Write access”
36
© 2011 IBM Corporation
Information Management
Dashboard Process
 Identity what you want to report on
 Create the query
 Modify the report
Add Count means – what is the
entity, then I’ll add a column
with the count of “entity”
Add Distinct –
means get rid of
duplicates
Count vs Value…
You can “count” any
attribute in a report
37
© 2011 IBM Corporation
Information Management
Customize the Portlet Dashboard
 Add a New Pane
 Select Layout
 Add Portlets
38
© 2011 IBM Corporation
Information Management
From This…
39
© 2011 IBM Corporation
Information Management
To This…Your New Dashboard…
40
© 2011 IBM Corporation
Information Management
Historical Releases…
41
© 2011 IBM Corporation
Information Management
8.2 Release Highlights
42
© 2011 IBM Corporation
Information Management
Version 8.2 Release Highlights
43
© 2011 IBM Corporation
Information Management
Version 8.2 Release Highlights (continued)
44
© 2011 IBM Corporation
Information Management
Version 8.2 Release Highlights (continued)
45
© 2011 IBM Corporation
Information Management
Version 8.2 Release Highlights (continued)
46
© 2011 IBM Corporation
Information Management
Version 8.2 Release Highlights (continued)
47
© 2011 IBM Corporation
Information Management
9 Release Highlights
http://www-01.ibm.com/support/docview.wss?uid=swg27036227&aid=1
 InfoSphere Guardium V9.0 highlights


Introduces Hadoop Activity Monitoring to protect sensitive data
in Big Data environments (IBM BigInsights Hadoop, Cloudera
Hadoop).
Enhances data security for System z with improved
performance, resiliency and scalability.
 Further reduces TCO and provides simplified scalability with
Guardium grid/load balancing.
 Introduces Security Content Automation Protocol (SCAP)
reporting in Vulnerability Assessment.
 Extends in-depth data security with new security solutions
integrations, such as Security Intelligence with QRadar, and
IDS (intrusion detection system) insight with F5.
 Scalability enhancements:
– InfoSphere Guardium Grid enables transparent deployment of
servers
– New GuardAPIs allows sending reports via email on demand
– New Operational Dashboard provides real time statistics of
each of the collector
– (CPU utilization, disk space etc.)
 Platform Coverage: Support for additional platforms including
the native System i
– S-TAP, the latest versions of MSSQL, DB2, Netezza, and other
platforms
– DB2_EXIT will work with DB2 10.1.1 (also known as Fixpack 1).
 Enhancements to InfoSphere Guardium Vulnerability
Assessment (VA) module:
 Introducing SCAP reports and exports in SCAP format
 Operational dashboard (green/red light)/ Change Buffer Used
and Analysis Report
 Use the operational dashboard to evaluate collectors’ capacity
utilization and to identify of under- and over-utilized collectors.
This information comes from the Buffer Usage report and can
be used for real-time alerting, correlation alerting, and
periodical review for deployment evaluation, trending and
capacity planning for expansion.
 This function is a summary of utilization parameters on a
Central Manager by hour and managed unit. This utilization
data will not be available on systems other than Central
Managers.
 The data will be based on the Enterprise Central Manager
Sniffer buffer usage table. A process will summarize the data
from this table into the new utilization table. Summary will be
done always per hour.
48
© 2011 IBM Corporation
Information Management
V9 Integration
 SCAP - Security Content Automation Protocol
(set by NIST) is a protocol that allows
describing the security attributes of a system
in a machine readable xml format. The new
functionality is to allow export of Vulnerability
Assessment results in SCAP format to other
systems.
 XACML import-export for policies
 XACML is a declarative access control policy
language implemented in XML and a
processing model that describes how to
interpret the policies.
 Allow import and export of Guardium policies
in XACML format. This will allow importing
and exporting policies between Guardium
systems as well as between Optim and
Guardium.
 STAP statistics - New table, so user can
create alerts based on results. This table is
used to store the statistics sent by STAP to
sniffer. For V9.0, available only for UNIX STAP.
 Send alive messages both in response to
UDP heart beat and every 5 seconds if TCP
port 9500 connection is alive
– End dependency on the open UDP port that is
often blocked by the firewall.
– VA metrics enhancement
– Enhanced Vulnerability Assessment
(VA_SUMMARY) table, with additional report
values, added. Includes such information as:
When the test was first/last executed; Current
status; Cumulative failed / pass age; Last first
time pass / failed; In current status since.
– Must Gather commands
– CLI commands that can be
– HTTP Analyzer
– Include HTTP in list of supported protocols, so
Guardium can monitor and audit HTTP traffic.
49
© 2011 IBM Corporation
Information Management
General V9 Updated Content
 New Predefined Content in V9.0
 Predefined groups
 DB2 Default Users
 IBM iSeries Default Users
 Informix Default Users
 MS-SQL Server Default Users
 MYSQL Default Users
 Netezza Default Users
 Oracle Default Users
 PostgreSQL Default Users
 Sybase Default Users
 Teradata Default Users
 Hadoop Skip Commands
 Hadoop Skip Objects
 Not Hadoop User
 Replay - Exclude from Compare
 Replay - Include in Compare
50
© 2011 IBM Corporation
Information Management
CLI Commands

New CLI commands and GuardAPI commands for V9.0

show system public key tomcat

V9.0 CLI commands

show va_test_show_query

store aggregator static_data


restart network

store archive_table_by_date
show aggregator static_data

store gui xss_status

show archive_table_by_date

store last_used interval

show audit-data

store last_used logging

show full-bypass

store last_used size

show gui xss_status

store monitor custom_db_usage

show inspection-engines type HTTP

store monitor gdm_statistics

show last_used interval

store network interface remap

show last_used logging

store network interface reset

show last_used size

store pdf-config multilanguage_support

show monitor custom_db_usage

store record_password_value

show monitor gdm_statistics

store sender_encoding

show network verify

store system cpu profile

show pdf-config multilanguage_support

store system custom_db_max_size

show record_password_value

store va_test_show_query

show sender_encoding

support analyze sniffer

show system cpu profile

support analyze tap_property

show system custom_db_max_size

support logrotate agg

show system custom_db_usage

show system ntp diagnostics

show system public key cli

show system public key grdapi
51
© 2011 IBM Corporation
Information Management
Additional grdAPI commands V9.0

Related to F5 interface

add_receiver_to_rule_action

add_time_period

create_rule

create_rule_action

create_rule_set

f5_add_apps_config

f5_add_data_params

f5_delete_apps_config

f5_delete_data_params

f5_list_apps_config

f5_list_data_params

f5_update_data_params

get_istap_config

get_istap_status

list_compatibility_modes

list_utilization_thresholds

modify_va_summary_key

reset_unit_utilization_data

reset_va_summary_by_id

reset_va_summary_by_key

start_istap_monitor

stop_istap_monitor

update_istap_config

update_utilization_thresholds
52
© 2011 IBM Corporation
Information Management
Enterprise Views…
53
© 2011 IBM Corporation
Information Management
Enterprise Buffer Usage Monitor Report
54
© 2011 IBM Corporation
Information Management
GIM Client Status
55
© 2011 IBM Corporation
Information Management
GIM Client Status
56
© 2011 IBM Corporation
Information Management
Managed Unit Report
57
© 2011 IBM Corporation
Information Management
LDAP/Active Directory integration
58
© 2011 IBM Corporation
Information Management
Access Control Workflow
Group information
updated in policy
LDAP Server
(Active Directory)
Regularly scheduled
upload of users into group
definition on the
Guardium appliance
Guardium heterogeneous
DB access control policy
New user added or
deleted from LDAP
(Active Directory)
Validate group
information in
security policy
Oracle,
DB2,
MySQL,
Sybase,
etc.
S-GATE
User deleted
Access denied
Access permitted
User added
Session Terminated
© 2011 IBM Corporation
Information Management
LDAP Group Import
 Samaccountname import
60
© 2011 IBM Corporation
Information Management
Successful Import of Users
61
© 2011 IBM Corporation
Information Management
Regular Schedule of LDAP Upload
62
© 2011 IBM Corporation
Information Management
 Updated group content will
be installed into the policy
 If not in the group, they will
be prevented from executing
any transactions in the
database
63
© 2011 IBM Corporation
Information Management
Policy Installation
Schedule as often as you need to satisfy your time requirements
64
© 2011 IBM Corporation
Information Management
–test1 in LDAP
• Transaction OK
–test2 not in LDAP
• No transactions
65
© 2011 IBM Corporation
Information Management
Policy Configuration
Policy has 3 components
–Enforcement
Enforcement
–Audit/Logging Control
Audit/Logging
–Alerting
Alerting
• Network
• S-TAP
• Network
• S-TAP
• Network
• S-TAP
© 2011 IBM Corporation
Information Management
Enforcement Configuration Options
S-TAP Terminate – No Latency, limits risk
Check Policy
On Collector
Mostly used with quarantine
Policy Violation
Drop Connection
Critical business
Application servers
Database
Server
Connection
Terminated
Partial results set
No latency
SQL
S-TAP
SQL
Connection terminated
S-GATE Terminate– High security, some latency
Prevent DBA’s from accessing
sensitive data
Hold SQL
Database
Check Policy
On Collector
Policy Violation
Drop Connection
© 2011 IBM Corporation
Information Management
Enforcement Policy Configuration Options
S-GATE
Terminate
S-TAP
Terminate
Affects
Applications
No
No
Immediate
Enforcement
Yes
No
Minimal
None
No
Yes
Unix
Windows
Unix
Windows
Latency
Enforcement on
result set
Platform
Support
© 2011 IBM Corporation
Information Management
S-GATE Configuration: Two modes of operation
The firewall feature is per session so when enabled it will
only affect the specific user and not everyone connected
to the database.
 Default guard_tap.ini
 Initial State: Firewall everything 
– Detach authorized connections
– (Closed mode)
 Initial State: Allow everything 
– Attach un-authorized connections
– (Open mode)
Default Settings:
firewall_installed=0
firewall_fail_close=0
firewall_default_state=0
firewall_timeout=10
Firewall Everything:
firewall_installed=1
firewall_fail_close=1
firewall_default_state=1
firewall_timeout=10
Allow Everything:
firewall_installed=1
firewall_fail_close=0
firewall_default_state=0
firewall_timeout=10
*Detach IP Addresses new in V9
© 2011 IBM Corporation
Information Management
S-GATE Overview – Block DBA from accessing credit card information
 Prevent privileged user from accessing creditcard
Client Connection – “System” DB User
SQL
S-TAP
Drop Connection
Hold SQL
Check Policy
On Collector
Session Terminated
Policy Violation
Drop Connection
DBA tries to access sensitive data, session terminated
© 2011 IBM Corporation
Information Management
Sybase  S-GATE Terminate
© 2011 IBM Corporation
Information Management
Customizing Alerts
 Problem:
– You need to integrate the real-time alert with external SIEM systems (ArcSight,
Envision, QRadar, etc)
 Solution
– Guardium V8 has templates for ArcSight, Envision & QRadar
– You can customize the Global profile for custom applications
 Use Case
– Need to send an alert that is color coded to highlight certain issues
73
© 2011 IBM Corporation
Information Management
Rule Definition
 Default template
 ArcSight
 EnVision
 Qradar (LEEF)
74
© 2011 IBM Corporation
Information Management
Global Profile Default
75
© 2011 IBM Corporation
Information Management
Change Global Profile
Here's the Global Profile:
<table bgcolor=#FFFF00><tr><td><b>Alert based on rule ID %%ruleDescription </b></td></tr></table>
Category: %%category Classification: <b>%%classification </b> Severity <font color=FF0000><b> %%severity
</b></font>
Rule # %%ruleID [%%ruleDescription ]
Request Info: [ Session start: %%sessionStart Server Type: <b>%%serverType </b>Client: <b>%%clientIP
(%%clientHostname)</b> Server: <b>%%serverIP (%%serverHostname)</b> Client PORT: <b>%%clientPort
</b>Server Port: <b>%%serverPort </b>Service Name: <b>%%serviceName </b>Net Protocol: <b>%%netProtocol
</b>DB Protocol: <b>%%DBProtocol </b>DB Protocol Version: <b>%%DBProtocolVersion </b>DB User:
<b>%%DBUser </b>
Application User Name %%AppUserName
Source Program: <font color=FF0000><b>%%SourceProgram </b></font>Authorization Code:
%%AuthorizationCode Request Type: %%requestType Last Error: %%lastError
SQL: <font color=FF0000><b>%%SQLString </b></font>
76
© 2011 IBM Corporation
Information Management
Q1 Labs
© 2011 IBM Corporation
Information Management
© 2011 IBM Corporation
Information Management
Differences Report
 Problem:
– Manage by exception reporting. Only provide reports if there is a difference
•
•
•
•
Entitlement Reports
Classification (finding sensitive data)
Discovered Databases
etc
 Solution
– Audit Guard process definition allows for “differences only” or “differences and
full report”
 Use Case
– Only provide differences in entitlement report if there is a change to database
accounts on a weekly basis
79
© 2011 IBM Corporation
Information Management
Automating Sign-offs & Escalations for Compliance
80 80
© 2011 IBM Corporation
Information Management
Guardium Installation Manager (GIM)
 Problem:
– Security wants an automated way to discover and define inspection engines and
datasources when a new Oracle instances is enabled in production. On occasion,
operations enables a new instance without going through the approval process (I
know it doesn’t happen to anyone in this room…)
– Enterprise deployments / upgrades
 Solution
– Guardium Installation Manager (GIM) with Discovery
– GIM allows for “component” level (KTAP, STAP, Discovery, etc) upgrades
– Deployment of components and upgrades to large number (>10) of database
servers / Scheduled deployment
– Discovery will automatically run and discover new database instances
 Use Case
– Adding oracle instance for new custom application, but will take too long for DBA
operational group assistance to add inspection engine parameters for monitoring
new instance.
– Adding oracle instance for new custom application and new to run classification
process against database to ensure there is no PCI data inside the database.
Requires automatically adding a datasource for new instance
81
© 2011 IBM Corporation
Information Management
Installation
 Command line install, specify:
– Install directory
– Local host primary IP address
– Guardium primary Collector IP address
 Example:
– ./guard-bundle-GIM-v81_r24276_1-rhel-4-linux-i686.gim.sh ---dir /usr/local
--tapip 10.10.9.56
--sqlguardip 10.10.9.248
\
\
\
 Software will install and then establish communication with Collector.
82
© 2011 IBM Corporation
Information Management
GIM Status
83
© 2011 IBM Corporation
Information Management
Upload the desired module
 Modules will have a “.gim” extension
84
© 2011 IBM Corporation
Information Management
GIM / S-Tap Files Provided
 Discovery_and_GIM_Agents – contains the Discovery modules, and GIM
shell installers.
 There are also specific GIM agent files with .gim extensions. These are
used to update the GIM agent from a previous version.
85
© 2011 IBM Corporation
Information Management
S-Tap install using GIM
 GIM_Packages – contains the S-Tap modules to install using GIM.
86
© 2011 IBM Corporation
Information Management
Native Install of S-Tap
 Native_Installers – contains the native installer for installing S-Tap directly
(not using GIM) using the AIX native installer.
87
© 2011 IBM Corporation
Information Management
Native Install of S-Tap
 Shell_Installers – contains the shell installer for installing S-Tap directly
(not using GIM, and not using the AIX native installer).
88
© 2011 IBM Corporation
Information Management
Upload S-Tap Agent
 Go to Administration Console – Module Installation - Upload
89
© 2011 IBM Corporation
Information Management
Complete Upload with Import
 The file is uploaded, the next step is to import – click the green check
mark to complete the process.
90
© 2011 IBM Corporation
Information Management
Install the Module – Step 1
 Next go to Module Installation – Setup By Client, click Search on the first
screen.
 Select the host or hosts to manage – normally these will all be the same
OS and version.
91
© 2011 IBM Corporation
Information Management
Install the Module – Step 2
 Select the module to install, normally one of the bundles. In this case, the
S-Tap, build r33264.
92
© 2011 IBM Corporation
Information Management
Install the Module – Step 3
 Here you select the install parameters.
 Holding the mouse over a field will provide options, or click the help (“?”)
for more information.
93
© 2011 IBM Corporation
Information Management
Install the Module – Step 4
 Click “Apply to Selected” to apply these parameters to all selected
servers.
 Click “Apply to Clients” to apply these to the GIM client(s).
 Click “Install/Update” to install module.
 You can install immediately or at a later time.
94
© 2011 IBM Corporation
Information Management
Install Status
 Click the “i” button to view the status, the install will take a few minutes
95
© 2011 IBM Corporation
Information Management
Complete!
 Now just create the Inspection Engines as normal
96
© 2011 IBM Corporation
Information Management
GIM – Instance Discovery
 Install “GIM” module on DB Server
97
GIM client on database server
registers with the appliance
© 2011 IBM Corporation
Information Management
GIM – Instance Discovery
98
© 2011 IBM Corporation
Information Management
GIM – Instance Discovery
 Import “GIM” Discovery module on DB Server
99
© 2011 IBM Corporation
Information Management
GIM – Instance Discovery
 Now, Install “GIM” module on DB Server
100
© 2011 IBM Corporation
Information Management
GIM – Instance Discovery
 “Discovery module” available, now install on DB Server
101
© 2011 IBM Corporation
Information Management
/usr
102
© 2011 IBM Corporation
Information Management
Discovery Module Installed Successfully
103
© 2011 IBM Corporation
Information Management
New Report…Discovered Instances…
104
© 2011 IBM Corporation
Information Management
Discovered New “instances”…Now create inspection engines…
105
© 2011 IBM Corporation
Information Management
Linkage of Reports to GRDAPI…
106
© 2011 IBM Corporation
Information Management
Linked API’s
107
© 2011 IBM Corporation
Information Management
Create_stap_inspection_engine
# A template script for invoking Sqlguard API function create_stap_inspection_engine :
# Usage: ssh [email protected]<create_stap_inspection_engine_api_call.txt
# replace any < > with the required value
#
grdapi create_stap_inspection_engine stapHost=jumbo protocol=Oracle portMin=1521
portMax=1575 teeListenPort=< > teeRealPort=< > connectToIp=127.0.0.1 client=0.0.0.0/0.0.0.0
excludeClient=< > procNames=< > namedPipe=< > ktapDbPort=1521
dbInstallDir=/home/oracle11 procName=/home/oracle11/product/11.1/db_1/bin/oracle
db2SharedMemAdjustment=0 db2SharedMemClientPosition=0 db2SharedMemSize=0
instanceName=on1jumbo informixVersion=9 encryption=0 api_target_host=< >
108
© 2011 IBM Corporation
Information Management
No Inspection Engines Defined
109
© 2011 IBM Corporation
Information Management
Check the status and inventory…Upgrade just one component if needed
110
© 2011 IBM Corporation
Information Management
Change Audit System (CAS)
 Problem:
– Databases can be affected by changes to the server environment; for example,
• Configuration files
• Environment or registry variables
• Other database or operating system components, including executables or scripts used by
the database management system or the operating system.
• Any file you specify
 Solution
– Tracks all changes that can affect the security of database environments outside
the scope of the database engine
– Complements Guardium's Database Activity Monitoring module to provide
comprehensive database monitoring
– Tracks changes to database configuration files and other external objects that can
affect your database security posture
 Use Case
– Monitoring Database Configuration files (e.g., SQLNET.ORA, NAMES.ORA)
111
© 2011 IBM Corporation
Information Management
CAS Status
112
© 2011 IBM Corporation
Information Management
CAS Templates
113
© 2011 IBM Corporation
Information Management
CAS Templates
114
© 2011 IBM Corporation
Information Management
Unix / Oracle Template
115
© 2011 IBM Corporation
Information Management
CAS Hosts
116
© 2011 IBM Corporation
Information Management
CAS Hosts
117
© 2011 IBM Corporation
Information Management
Change Reports
118
© 2011 IBM Corporation
Information Management
Help your DBAs : Performance
119
© 2011 IBM Corporation
Information Management
Help your DBAs : DB user accounts recent activity
120
© 2011 IBM Corporation
Information Management
Breach possibilities – Failed Logins
121
© 2011 IBM Corporation
Information Management
Breach possibilities – SQL Errors
122
© 2011 IBM Corporation
Information Management
Guardium Grid
 Problem:
– Seamlessly add audit capacity when adding/changing your database
infrastructure
– Enterprise deployments / upgrades
– Environment constantly changes
– Need to lower the need for planning and of need to balance/monitor
– Focus is on STAP and collectors
 Solution
– Guardium Grid
– Simplify configuration management for STAP’s to a primary Virtual IP and a
secondary, etc Virtual IP
 Use Case
– Automate the relationship between STAP’s and the Collectors
– Add or remove collectors with no effect on the deployment.
– Simply and consistently configure STAPs.
– Provide a high degree of failover and load balancing.
– Reduce deployment planning to ensuring that the number of collectors is
sufficient, monitoring collector load, or both.
– From a capacity management perspective, add resources, monitor
infrastructure, adjust capacity as needed (or when something fails )
123
© 2011 IBM Corporation
Information Management
Pre – Guardium Grid Deployment
DB Server 1
Collector 1
...
STAP 1
...
DB Server 101
Collector 2
...
STAP 101
...
...
...
DB Server 901
Collector 10
...
STAP 901
...
IBM Confidential
124
© 2011 IBM Corporation
Information Management
Failover deployment example
 For example, to configure an STAP to report to primary, secondary, and tertiary collectors
(should the primary and secondary become unavailable), the guard_tap.ini is configured to:
[SQLGuard_0]
sqlguard_ip=guard01
sqlguard_port=16016
primary=1
[SQLGuard_1]
sqlguard_ip=guard02
sqlguard_port=16016
primary=2
[SQLGuard_2]
sqlguard_ip=guard03
sqlguard_port=16016
primary=3
 In this example, if the guard01 collector becomes unavailable, the STAP reports to guard02.
 If guard02 is also unavailable the STAP reports to guard03.
 If guard01 subsequently becomes available, the STAP moves back to it, making the overall
system self-correcting and simplifying capacity planning.
125
© 2011 IBM Corporation
Information Management
Pre – Guardium Grid deployment with failover
(most enterprise implementations)
DB Server 1
Collector 1
...
STAP 1
...
DB Server 101
Collector 2
...
STAP 101
...
...
...
DB Server 901
Collector 10
...
STAP 901
...
IBM Confidential
126
© 2011 IBM Corporation
Information Management
Load Balancing deployment example
 For example, to configure an STAP to report to primary, secondary, and tertiary collectors
(should the primary and secondary become unavailable), the guard_tap.ini is configured to:
 participate_in_load_balancing=1
[SQLGuard_0]
sqlguard_ip=guard01
sqlguard_port=16016
primary=1
[SQLGuard_1]
sqlguard_ip=guard02
sqlguard_port=16016
primary=2
[SQLGuard_2]
sqlguard_ip=guard03
sqlguard_port=16016
primary=3
 In this example, if the guard01 collector becomes unavailable, the STAP reports to guard02.
 If guard02 is also unavailable the STAP reports to guard03.
 If guard01 subsequently becomes available, the STAP moves back to it, making the overall
system self-correcting and simplifying capacity planning.
127
© 2011 IBM Corporation
Information Management
Pre – Guardium Grid with load balancing
DB Server 1
Collector 1
STAP 1
...
DB Server 101
Collector 2
STAP 101
...
...
...
DB Server 901
Collector 10
STAP 901
...
IBM Confidential
128
© 2011 IBM Corporation
Information Management
Guardium Grid
Collector 1
Collector 2
guard_tap.ini
…
[SQLGuard_0]
sqlguard_ip=guard01
sqlguard_port=16016
primary=1
[SQLGuard_1]
sqlguard_ip=guard02
sqlguard_port=16016
primary=2
[SQLGuard_2]
sqlguard_ip=guard03
sqlguard_port=16016
primary=3
guard01
guard02
guard03
Load Balancer
(VIP)
DB Server 1
STAP 1
...
DB Server 101
STAP 101
...
...
Collector 10
129
...
Load balancer algorithm
determines which collector
gets audit data
DB Server 901
STAP 901
...
© 2011 IBM Corporation
Information Management
Reporting
 UID Chaining
 Computed attribute
 Difference reports
 Customize change management
 Customize and drill down report
 Application User Identification
130
© 2011 IBM Corporation
Information Management
UID Chaining to Identify Unique Individual with “Generic” Accounts
 Problem:
– Generic accounts like “System”, “SA”, “Sys” don’t have individual accountability
to identify who performed the database transacations
• Etc
 Solution
– Use Guardium UID Chain feature. Need (hunter_trace=1) in guard_tap.ini
 Use Case
– Uniquely identify “joe” as the user that logged into Oracle using the “system”
account, from the OS User of “Oracle”
131
© 2011 IBM Corporation
Information Management
Developers/SAs/Analysts - Access to Live Production Systems
hunter_trace=1
© 2011 IBM Corporation
Information Management
Computed Attributed
 Problem:
– Captured information needs to be messaged for a different format for a variety
of reasons:
•
•
•
•
Auditor readability
SIEM Integration
Joining with external information
Etc
 Solution
– New GRDAPI allows for “subset” of captured information to create a “new”
attribute in the query for custom reporting
 Use Case
– Need Operating System User on AIX for Sybase to determine individual
credentails. Problem is that OS User is not sent during the login with isql, but
UID chain will capture this information
133
© 2011 IBM Corporation
Information Management
Computed Attributes
 New feature that allows for
easy “subset” of a column
information
 For example, with Sybase
on AIX there is no OS User
transmitted by default
134
© 2011 IBM Corporation
Information Management
Computed Attributes
 Guardium can capture this information with UID Chain, but you will not
see the "UID chain compressed" because no one "su" to a different user.
Auditor needs easy to read report…For some reason,
doesn’t like the user friendly UID Chain 
135
© 2011 IBM Corporation
Information Management
Computed Attributes continued…
Overview
1.
Create a new attribute with “GRDAPI” command
2.
Add the attribute to the query for the report
1.
Create a new attribute in the session layer via the grdapi
create_computed_attribute command
– Here's an example to capture just the "sybase12" OS user:
– Reverse the string, find “lqsi,”- get the index and only show that portion until the next
comma…
g1> grdapi create_computed_attribute attributeLabel="Sybase_OS_User"
entityLabel="Session" expression="SUBSTRING_INDEX(
SUBSTRING(REPLACE(UID_CHAIN,' ',''),1,LENGTH(REPLACE(UID_CHAIN,' ',''))
- LOCATE('lqsi,',REVERSE(REPLACE(UID_CHAIN,' ','')))-4),',',-1)"
ID=20001
Attribute for Expression SUBSTRING_INDEX( SUBSTRING(REPLACE(UID_CHAIN,'
',''),1,
LENGTH(REPLACE(UID_CHAIN,' ','')) LOCATE('lqsi,',REVERSE(REPLACE(UID_CHAIN,' '
,'')))-4),',',-1) Created
ok
g1>
136
© 2011 IBM Corporation
Information Management
Computed Attributes continued…
New attribute appears, add to columns
137
© 2011 IBM Corporation
Information Management
Computed Attributes continued…
 Notice the Sybase_OS_User field which extracts just the Sybase OS user
138
© 2011 IBM Corporation
Information Management
Change Management Reconciliation
 Problem:
– Changes to the database were required prior to obtaining a change
management ticket
– Need to reconcile the ticket after the changes occurred
 Solution
– Audit Guard process definition allows for extension of information in reports
through advanced workflow
 Use Case
– DBA’s had a break glass situation to resolve database issues. Now they must
provide change ticket through custom workflow to reconcile database changes
before moving to auditor verification
139
© 2011 IBM Corporation
Information Management
Change Management Reconciliation Definition
140
© 2011 IBM Corporation
Information Management
141
© 2011 IBM Corporation
Information Management
Application User Identification
 Problem:
– Identify the actual user that performed a transaction to the database through a
pooled user account
 Solution
– Depending on the application architecture, Guardium can help identify the
actual user through the pooled connection
 Use Case
– Need to identify the SAP user that performs that transactions and the SAP
transaction codes
– Out of the box, SAP, Siebel, Oracle EBS, etc
– Custom Applications
• Depends on the architecture, but there are different methods that we can use.
Stored Procedure Scraping, Custom API’s, etc
142
© 2011 IBM Corporation
Information Management
Identifying the End User of the Transaction Through a Pooled
Database User
Joe
143
Bob
DB User: “SAP”
© 2011 IBM Corporation
Information Management
SAP Transactions to G/L Account
• User activity is based on transactions
• G/L Account Posting = FB50 transaction
Pooled SAP
Database User
Unique SAP User that
executed the transaction
© 2011 IBM Corporation
Information Management
Application User Identification Example
145
© 2011 IBM Corporation
Information Management
Application User Identification
 http://www.ibm.com/developerworks/data/library/techarticle/dm1105fivemethods/index.html
 Different methods of application user identification
– Built-in application user translation
– Identifying user switching using the Guardium Application Event API
– Analyzing patterns in stored procedures
– Database and application server APIs
146
© 2011 IBM Corporation
Information Management
Credential Scanning
 Problem:
– Test a set of default database users (and potentially customer defined DB
users) and associated passwords to ensure:
• Default username/credentials have been changed
• Enterprise accounts have been changed
• etc
 Solution
– New VA feature “GRDAPI allows for credential scanning based on
• User/PWD Group – type="DB User/DB Password"
• DB Instances Group - type="Server IP/Instance Name/Port"
• grdapi non_credential_scan serversGroup="Servers-to-scan" usersGroup="defaultcredentials" databaseType=ORACLE
 Use Case
– Scan new database deployments prior to production activation to ensure DB
configuration conforms to Corporate Security Policy
• Include credential scan for security group…
147
© 2011 IBM Corporation
Information Management
Credential Scanning – Looking for default username/password
combination
 This report shows the scan findings, two users with credentials that were
in the default credentials group we defined in step 2 b): scott and hr.
 Use an entitlement to get the list of user ids and generate the credentials
population API to use the same password as the user ids for all users.
This will show users who are using the same userid as their password.
148
© 2011 IBM Corporation
Information Management
Vulnerability Assessment Test Justification
 Problem:
– Corporate security policy must run vulnerability assessment on a regular basis.
Some VA tests will fail, but you want to “justify” the risk for a temporary time
period so that your overall VA test score can meet requirements
 Solution
– New VA “GRDAPI” to allow justification on reports
• grdapi create_test_exception datasourceName="OracleProd2"
testDescription="CONNECT_TIME is limited" fromDate="2011-07-15 08:00:00"
toDate="2011-08-15 08:00:00" explanation="Required for Business Application until
new version is installed in 1 month" api_target_host=< >
 Use Case
– Justify the “CONNECT_TIME is limited” assessment test for a 1 month period
until the new version of the application is installed which is more flexible to the
remote access connection time window
149
© 2011 IBM Corporation
Information Management
Vulnerability Text Exception
 One test fails, but you want to justify this to the auditors/information
security team because it’s severity is not high and you can “justify” the risk
for one month
grdapi create_test_exception datasourceName="Oracle - TSELab - System" testDescription="CONNECT_TIME
is limited" fromDate="2011-07-15 08:00:00" toDate="2011-08-15 08:00:00" explanation="Required for Business
Application until new version is installed in 1 month" api_target_host=< >
151
© 2011 IBM Corporation
Information Management
How to Configure this?  GRDAPI - create_test_exception
 create_test_exception
– Use this command to add records to the Tests Exceptions. This effects the behavior for vulnerability
assessments, if a test on a specific datasource fails it will check the last record of the test exceptions
table for that test/datasource such that if the execution date is contained within the from and to dates
of the last record the test will be set to PASS, the recommendation will be set to the explanation (from
the exceptions record) and the result text will be set to: "Test passed, based on exception approved
by: .... effective from date to date"
• Note: The API only adds records to remove an exception a new record should be
created with new dates according to the needs.
 Example
 grdapi create_test_exception datasourceName="Oracle - TSELab - System"
testDescription="CONNECT_TIME is limited" fromDate="2011-07-15 08:00:00"
toDate="2011-08-15 08:00:00" explanation="Required for Business Application until new
version is installed in 1 month" api_target_host=< >
 Start with a Security Assessment Report
152
© 2011 IBM Corporation
Information Management
What’s new in Version 8 – Security Assessments Highlights
Separate Reporting
Domain
External
Reference
Any test that didn’t
pass or had an error
153
© 2011 IBM Corporation
Information Management
GRDAPI - create_test_exception continued…
 One test that we want to “justify” to pass…
154
© 2011 IBM Corporation
Information Management
Use Report Builder to Link the API to the Report
Create the linkage…
155
© 2011 IBM Corporation
Information Management
Create The Linkage for GRDAPI
API Assignement allows
you to take action and
pass parameters from
reports to GRDAPI
156
Drill Down Control allows you
to “nest” high level reports
and drill down into the weeds
© 2011 IBM Corporation
Information Management
Assign Appropriate API to the Report
Select and move to
“Functions Assigned to Report”
Notice parameters in the
report can be
automatically populated
157
© 2011 IBM Corporation
Information Management
Use the API Assignment Within a Report to Automate Actions
158
© 2011 IBM Corporation
Information Management
Linkage Created In The Report…
 Now you have an Invoke option which allows you to link to the GRDAPI
actions…
 The goal is to put an exception in the CONNECT_TIME is limited VA test
because a certain application needs this to have a large connection
window because of the remote access has a long latency to establish the
connection
Click Integration can
be defined and used
to connect ANY
report in the system
with any GRDAPI
159
© 2011 IBM Corporation
Information Management
Automation Available Now…
 Now we have linkage to the GRDAPI – “create_test_exception”
160
© 2011 IBM Corporation
Information Management
GRDAPI – Invoke Now or Generate Script for Non-GUI Automation
161
© 2011 IBM Corporation
Information Management
Invoke Now or Generate Script To Perform Action
# A template script for invoking Sqlguard API function create_test_exception :
# Usage: ssh [email protected]<create_test_exception_api_call.txt
# replace any < > with the required value
#
grdapi create_test_exception datasourceName="Oracle - TSELab
- System" testDescription="CONNECT_TIME is limited"
fromDate="2011-07-15 08:00:00" toDate="2011-08-15 08:00:00"
explanation="Required for Business Application until new version
is installed in 1 month" api_target_host=< >
Exception Created
162
© 2011 IBM Corporation
Information Management
Validate Results
 Run Security Assessment again…
163
© 2011 IBM Corporation
Information Management
Assessment Test Justification…
Previous Run
164
After Justification
© 2011 IBM Corporation
Information Management
Justification for Assessment Failure
Configurable for each database
(datasource) justification for
assessment test failure
165
© 2011 IBM Corporation
Information Management
Operations
 Silent Installs
 Upgrade STAP’s without reboot
 Instance discovery
 LDAP/Active Directory integration
 Global Profile – SIEM integration
 Change Management Reconciliation
 GRDAPI - Datasource
166
© 2011 IBM Corporation
Information Management
Thank You
167
© 2011 IBM Corporation
Information Management
Oracle Dormant User Report
 select username, created, user_id, account_status, lock_date,
expiry_date, profile from dba_users
168
© 2011 IBM Corporation
Information Management
Dormant Users
169
© 2011 IBM Corporation
Information Management
Custom Domain
170
© 2011 IBM Corporation
Information Management
171
© 2011 IBM Corporation
Information Management
Create a new upload
172
© 2011 IBM Corporation
Information Management
Tools  Report Building  Custom Table Builder
173
© 2011 IBM Corporation
Information Management
Retrieve the Table Definition
 After “Retrieve” table definition on the appliance is configured
174
© 2011 IBM Corporation
Information Management
Now get the data from the DataSource to be imported into the
appliance
New Custom Table is
built, now go get the data
175
© 2011 IBM Corporation
Information Management
Upload the data
176
© 2011 IBM Corporation
Information Management
Run Once now to get the data…
177
© 2011 IBM Corporation
Information Management
Create a Custom Domain to provide a “report” on the uploaded data
178
© 2011 IBM Corporation
Information Management
Tools  Report Building  Custom Domain Builder
179
© 2011 IBM Corporation
Information Management
Select the Domains of Interest - OracleDormantAccounts
180
© 2011 IBM Corporation
Information Management
181
© 2011 IBM Corporation
Information Management
Need to select a timestamp for the reports
Use the Guardium Timestamp
182
© 2011 IBM Corporation
Information Management
Make a Copy of the [Custom] Access domain so you can link the
oracle dormant account reports with activity Guardium captures
183
© 2011 IBM Corporation
Information Management
Link DB User Name from [Custom] Access Domain with
“USERNAME” from OracleDormantAccount
This creates a join with the Guardium Domain
184
© 2011 IBM Corporation
Information Management
Now Build a Report to put on your Portlet
185
© 2011 IBM Corporation
Information Management
Tools Report Building  Custom D
186
© 2011 IBM Corporation
Information Management
187
© 2011 IBM Corporation
Information Management
188
© 2011 IBM Corporation
Information Management
189
© 2011 IBM Corporation
Information Management
If a Dormant User accessed information…
 Joining information
from 2 domains
Information from Guardium Monitoring Domain
Information from System Catalog Table
190
© 2011 IBM Corporation
Information Management
191
© 2011 IBM Corporation
Fly UP