As with most patches, it has to be installed top-down within an existing Guardium domain:
- Central Manager
- Backup Central Manager (do synchronization)
GPU 200 requires that health check patch 9997 is installed first. The 10.1.2 update can be installed on top of any version of Guardium 10.
The GPU reboots the appliance. Existing VM Tools are automatically reassigned to the new Red Hat kernel.
Note: consider rebuilding the appliance if you want to use the EXT-4 filesystems introduced with the new ISO installer.
View/Edit Mode in Dashboards
Now each dashboard opened in the GUI session works in View mode.
Dashboard in View mode
View mode makes better use of GUI space for data, especially when a dashboard is informational only.
From my point of view, Guardium administrators will not be happy with that, because it is not ergonomic for data investigation. However, once a dashboard has been switched to Edit mode, this setting is kept for the current session.
It would be much more usable to store this setting permanently per dashboard.
Deployment Health Dashboard extensions
Each new GPU extends the Deployment Health view. Besides the existing views:
Deployment Health Table – a simple notification of the overall appliance status
Deployment Health Table
Deployment Health Topology – shows connectivity and topology
Deployment Health Topology
Enterprise S-TAP View – displays information about S-TAPs across the whole Guardium infrastructure
Enterprise S-TAP view
the new GPU provides:
System Resources – located in Manage->Central Management; collates information about key resources on appliances.
Deployment Health Dashboard – customizable dashboard focused on appliance resources and performance statistics
Deployment Health Dashboard
Using Managed Unit Groups, you can create dynamic views filtered by a group of appliances or focus on a selected one. The statistics cover the Analyzer and Logger queues, buffer space, memory and disk usage, and sniffer restarts.
Additionally, the Events timeline report presents discovered issues and can be enriched with alerts gathered from appliances. The alert definition contains additional fields to configure how the result appears on the dashboard:
Data Classification Engine – task parallelization
In a large environment with hundreds of databases, the classification engine's limitation of executing only one job from the queue at a time was very painful. The current version allows these tasks to run in parallel on the appliance. In most cases classification is managed on aggregators or the central manager, where CPU utilization is low, so with the new flag configured through GRDAPI we can review data content faster and more frequently:
grdapi set_classification_concurrency_limit limit=<your_limit>
The limit has to be lower than 100 and no higher than twice the number of CPU cores available on the appliance.
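The two constraints on the limit lend themselves to a quick pre-check before the GRDAPI command is issued. The following POSIX shell helper is an added example, not code from this post or from Guardium: it takes the requested limit and the appliance core count (both assumed to be supplied by the caller; `nproc` is only a fallback default), caps the value at 99 and at twice the core count, and prints the resulting grdapi line (syntax as given above) without executing it.

```shell
#!/bin/sh
# Added helper script; it is not part of Guardium or of the original post.
# It checks a requested classification concurrency limit against the two
# constraints stated in the text (below 100, and at most twice the appliance's
# CPU core count) and prints the grdapi command for the effective value.
# Assumption: the core count is supplied by the caller; `nproc` is only used
# as a convenience default when this file is run directly.

# effective_limit REQUESTED CORES
#   Prints the limit to use: REQUESTED, capped at min(99, CORES*2).
#   Returns 1 (prints nothing) if REQUESTED or CORES is not a positive integer.
effective_limit() {
  requested="$1"
  cores="$2"
  for v in "$requested" "$cores"; do
    case "$v" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" -ge 1 ] || return 1
  done
  max=$((cores * 2))
  if [ "$max" -gt 99 ]; then
    max=99
  fi
  if [ "$requested" -gt "$max" ]; then
    echo "$max"
  else
    echo "$requested"
  fi
}

# concurrency_cmd REQUESTED CORES
#   Prints the grdapi command line (syntax as given in the post) for the
#   effective limit; it does not execute anything.
concurrency_cmd() {
  eff=$(effective_limit "$1" "$2") || return 1
  echo "grdapi set_classification_concurrency_limit limit=$eff"
}

# Stand-alone usage: ./check_limit.sh 16   (core count defaults to nproc, or 4)
cores_default=$(nproc 2>/dev/null || echo 4)
concurrency_cmd "${1:-8}" "$cores_default"
```

Because the grdapi call is only printed, the helper can run anywhere; the resulting line is what you would then enter in the Guardium CLI.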
If you created a classification policy covering many databases, like this:
you should split it into a set of separate policies executed concurrently:
Separated datasources to different policies
Then, if you start a few classification processes together, they will execute in parallel:
Classification Job Queue
File Activity Monitoring update
The policy builder for files allows many actions per monitored resource. Now we can define different behavior for read, modify and delete operations on a file.
File policy rule
The UID chain field from the Session entity provides the context of the user and process responsible for the file operation.
File Activity Report
Finally, we have File Activity reports available out of the box
File Activity Reports
but I suggest cloning the File Activities report and sorting the values in descending order by timestamp and sqlid (the session timestamp alone does not ensure that events are displayed in the correct order).
File Activity query definition
New appliance installer
The new ISO installer simplifies the installation of new appliances (no need to apply GPU 100 and 200). It also removes the problem with support for the new GDP licenses on appliances below GPU 100.
The 10.1.2 installer creates EXT-4 Linux filesystems and extends the maximum supported storage size. If you would like to use larger disks on the appliance, a rebuild is needed (GPU 200 does not convert EXT-3 to EXT-4).
FSM driver deactivation on Linux/Unix
The new S-TAPs for Linux/Unix support a new TAP section parameter in guard_tap.ini:
where 0 means the FSM driver is not activated.
Only manual modification of guard_tap.ini is supported at the moment.
Outlier detection (behavioral analysis) – new capabilities
Outlier detection is now available for file activity. Only one of the two, DAM or FAM, can be activated on an appliance.
Behavioral analysis can be switched on on aggregators, which allows user behavior to be analyzed from a wider view.
Views, reports and new anomaly types have been introduced – a significant update.
This GPU introduces a completely new user authorization analysis engine. Besides the old Entitlement Reports, we can use the Entitlement Optimization tool, which retrieves user roles and privileges through a direct connection to the database and from identified DDL commands. The tool presents changes in database authorizations,
Entitlement Optimization – What’s New
reports all existing users and their authorizations,
Entitlement Optimizations – Users & Roles
recommends changes and identifies vulnerabilities,
Entitlement Optimizations – Recommendations
shows entitlements per user, object or DML operation, and makes it possible to analyze what-if scenarios.
A very promising extension that clarifies the view of authorizations. It supports MSSQL and Oracle (in the first release), and the analysis is performed from the collector's perspective.
The new GDPR accelerator simplifies configuring Guardium to comply with the new EU regulation, which focuses on EU citizens' rights to the protection of their personal data.
With respect to GDPR, Guardium helps with:
- personal data identification
- monitoring of the personal data processing
- vulnerabilities identification
- identification of breaches
- active protection against access by unauthorized users or suspicious sessions
- keeping the whole compliance policy updated and working as a process
New Data Nodes support
GPU 200 introduces S-TAP support for the HP Vertica Big Data platform, Cloudera Navigator monitoring using a Kafka cluster, and HortonWorks with Apache Ranger – another step toward Guardium's supremacy in Big Data platform monitoring.
MemSQL – a very fast in-memory DB – is also supported now.
A new type of audited data representation – Data In-Sight – is available in the Investigation Board (formerly QuickSearch). Data access in motion in a 3D view – a simple example:
Summary: an important step toward making data access monitoring easier to manage and more transparent for non-technical users. The GPU mainly focuses on extending existing functionality and making it more usable and stable.