Appliance patch installation

Guardium Patches

DAM must ensure continuous monitoring of the database environment, which precludes any interruption caused by the need to update the software.

Guardium includes a well-designed update mechanism for the monitored infrastructure that requires minimal administrator attention.

Infrastructure patches (appliance patches) can be categorized by their function (the category is reflected in the patch numbering):

  • px0, px00 – Guardium Patch Update (GPU): a cumulative roll-up of Ad-Hoc patches that can also contain new features introduced within the current major version. In most cases it has no prerequisites
  • p0x–pxxxx – Ad-Hoc patch: contains a fix for a particular function with an identified defect, usually related to a PMR (Problem Management Resolution). Strictly tied to a specific GPU. Very often published as a bundle of Ad-Hoc updates
  • p6xxx – Security Patch: updates vulnerable components of specific elements such as RedHat, MySQL and others. Can be bundled inside a GPU patch
  • p4xxx – Sniffer Patch: update for the collector sniffer

Important: Before installing a patch, review the documentation that came with it

Many patches require a specific GPU level or specific settings on the appliance. Patch installation can involve an appliance restart or temporary service unavailability.

The patching process is simple. After downloading the patch, the Guardium administrator uploads it to the Central Manager. Then, using the Central Manager console, they can schedule patch installation on all other appliances inside the management domain.
Patching the CM itself uses the standalone procedure (described later in this article).

Patch process

Patch process flow

Patch file workflow

Patch file flow

Patch acquisition

All patches are available on IBM Fix Central – http://www.ibm.com/support/fixcentral/
Access to patches and updates requires registering an IBM customer account

IBM Fix Central – account registration

The form is simple. You do not need to enter any Guardium contract information here.

Registration form

To download a patch, go to the “Select Product” tab on Fix Central and select Guardium using the content-related set of fields

Fix Central – Guardium patch selection

and Browse for fixes

Browse for fixes

The list of available patches is presented in functional categories.
The system lets you download patches using FTP, HTTP or the IBM Download Director tool (requires Java). The last method allows many files to be transferred in one session

Patch upload

Patches are distributed as ZIP archives (unzip the archive before uploading the patch to the collector or central manager). Here is an example of the content of the Guardium p01 archive

Patch content

Patch archive content

All appliance patches are encrypted and signed to prevent drive-by download infection. In most cases documentation in PDF format is also included, along with a file with MD5 hashes for the archive content.

The downloaded patch file (*.sig) should be moved to an FTP or SCP server, a DVD, or a directory accessible to a browser that has access to the Guardium portal.
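As an added example, not code from the original article, here is a check an administrator can run on the unzipped archive before moving the .sig file to the FTP or SCP server: it recomputes the MD5 of every file listed in the bundled hash file and reports mismatches, missing files and files the manifest does not cover (a corrupted download is caught this way; tampering is not, since the manifest travels with the archive and only the appliance checks the signature). The md5sum-style manifest format, the manifest file name and the patch file names are assumptions.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_md5_manifest(text: str) -> dict:
    """Parse md5sum-style lines '<md5>  <filename>' (manifest format assumed)
    into {filename: md5}. A leading '*' on the name marks binary mode."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 32 or set(digest) - HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected

def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_patch_dir(patch_dir: str, manifest_name: str) -> dict:
    """Check every file listed in the manifest; report what matched, what is
    corrupted (mismatch), what is listed but absent, and what is present but
    not covered by the manifest at all."""
    with open(os.path.join(patch_dir, manifest_name), encoding="utf-8") as fh:
        expected = parse_md5_manifest(fh.read())
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        path = os.path.join(patch_dir, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
        elif md5_of_file(path) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    covered = set(expected) | {manifest_name}
    result["unlisted"] = sorted(f for f in os.listdir(patch_dir) if f not in covered)
    return result

def sig_files_ready(result: dict) -> list:
    """Only .sig files that verified cleanly should be moved to the FTP/SCP
    server, DVD or fileserver directory for upload."""
    return [n for n in result["ok"] if n.endswith(".sig")]

def simulate_corrupted_download(patch_dir: str, name: str) -> None:
    """Append a byte to a file so the next verification reports a mismatch."""
    with open(os.path.join(patch_dir, name), "ab") as fh:
        fh.write(b"\x00")

def build_sample_patch_dir() -> str:
    """Constructed stand-in for an unzipped patch archive (file names invented):
    a .sig patch, a PDF and the MD5 manifest, plus one manifest entry with no file."""
    d = tempfile.mkdtemp(prefix="guardium_patch_")
    files = {"SqlGuard-10.0p01.sig": b"\x00constructed-encrypted-signed-body\x00" * 64,
             "p01_ReadMe.pdf": b"%PDF-1.4 constructed placeholder"}
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    manifest = "".join(f"{hashlib.md5(body).hexdigest()}  {name}\n"
                       for name, body in files.items())
    manifest += "d41d8cd98f00b204e9800998ecf8427e  missing_file.sig\n"
    with open(os.path.join(d, "md5sum.txt"), "w", encoding="utf-8") as fh:
        fh.write(manifest)
    return d

if __name__ == "__main__":
    sample = build_sample_patch_dir()
    print(verify_patch_dir(sample, "md5sum.txt"))
    simulate_corrupted_download(sample, "SqlGuard-10.0p01.sig")
    print(verify_patch_dir(sample, "md5sum.txt"))
```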

In Guardium 10, when the browser has internet access, a notification about newly available patches is displayed under the message icon on the status bar

New patch notification

The message also contains a direct link to the patch on Fix Central. The notification lists patches that are not installed on the appliance the user is currently logged in to.

Info: The new patch notification in the portal uses a browser snippet. It does not require internet access for the appliance

Patch backup configuration

Guardium provides a self-protection mechanism in case of patch installation failure. For patches that change critical system parts it creates an additional backup of crucial appliance resources, which allows the system to be restored to the state before the patch was applied.

The patch backup is stored remotely and transmitted over an SCP connection. Storage for the patch backup is configured under Setup->Tools and Views->Patch Backup

Patch backup configuration

The storage configuration is validated and a temporary file is left on the storage

Temporary file on patch backup storage

Patch installation methods

Guardium allows patch installation to be invoked from a patch file stored locally on the appliance or downloaded remotely over FTP or SCP.

Each method has two phases: patch upload with registration in the patch pool, and patch installation. All patches uploaded to a standalone appliance are stored locally and can be used later for reinstallation or scheduled installation.
When the installation is driven by the CM, the patch file is transmitted to the appliance from the CM and removed from the appliance after installation.

FTP or SCP patch upload

Installation can be invoked from the CLI:

store system patch install ftp
store system patch install scp

Both commands are interactive; you need to enter the account credentials and the location of the patch. In this case, two patches were uploaded from an FTP server

Patch upload over FTP

and the same for SCP; in addition, the patch installation sequence was ordered

Patch upload over SCP

Installation from CD

Only installation from the appliance DVD drive is allowed

Patch installation from DVD

Patch upload using Guardium fileserver

Start the fileserver from the CLI using the command

fileserver <your_browser_ip> <time>

and then go to http://your_appliance_ip_address. Use the Browse button to select the patch file and Upload it to the appliance

Patch upload by fileserver

After a while a message similar to the one below will be displayed

Patch upload message

When all patches have been uploaded, close the fileserver by pressing ENTER in the CLI session. Another message will inform you whether the patch was registered correctly on the appliance

fileserver session

Now we can review the list of patches available on the collector using the CLI

show system patch available

or in the portal under the Manage->Reports->Install Management->Available Patches report

Available patches

Now we can start the patch installation. From the CLI execute the interactive command

store system patch install sys

This syntax starts the patch installation immediately. To schedule it, use the syntax

store system patch install sys <YYYY-mm-dd> <hh:mm:ss>

The status of the patch installation can be monitored with the command

show system patch installed

Patch installation from CLI

A successful installation shows the status “DONE: Patch installation Succeeded”

Patch installation status

We can also invoke the installation from the Available Patches report. From the Action menu select patch_install

Patch installation from report

In the pop-up window select the patch for installation, schedule the execution time (NOW means immediate start) and press the Invoke now button

Patch installation

Status can be monitored in the report Manage->Reports->Install Management->Installed Patches

Installed patches report

You can also see that this patch installation triggered a patch backup: a new file appears in the archive

Patch backup archive

Patch installation in Enterprise environment

Guardium is an enterprise solution and provides central management for all appliances in the environment.

Info: You do not need to upload the patch manually to all appliances in a managed environment.

The patch installation rules in a managed environment:

  1. Upload and install the patch on the Central Manager. In an HA configuration, install the patch on the CM backup, promote it to primary, then install the patch on the CM master.
  2. Execute remote patch installation on the aggregation layer (if it exists)
  3. Move the S-TAPs from the collector being updated to the backup collector and execute remote patch installation
  4. Restore the standard S-TAP connections to the updated collector and update the backup collector remotely

Installing the patch on the CM before installing it on other appliances is not required, but best practice is to update from the top down.

Patch installation on the CM has to be executed manually (described earlier).
Remote patch installation on an aggregator or collector is managed from the Manage->Central Management->Central Management form. To order patch installation, select the appliances and press the Patch Distribution button

Central Management

Then select the patch and start the installation using the Install Patch Now button

Remote patch installation

Installation can also be scheduled (Schedule Patch). Task execution is notified by a separate message

Message about remote patch installation

The Patch Installation Status displays the current status of the task in a pop-up window

Remote patch installation status

A global patch installation review is available in a separate view for all appliances managed by the CM. From the Central Management form select Patch Installation Status

Central Management

Global patch status

Patch failure

Sometimes patching may fail. If the error occurs while the patch is being prepared for the system change, the patch task can simply be removed. Here is an example where the patch returned status ERROR and the command

delete scheduled-patch

removes it from the list, after which the patch installation can be repeated

delete scheduled-patch example

This command removes the patch copy from the appliance. You need to upload the patch again.

When patch installation fails (status FAIL) during the system modification phase, IBM support should be involved to restore the patch backup copy.

restore pre-patch-backup

This command should be executed in cooperation with IBM support.

Disk clean-up

The space occupied by patches may grow over time, so you may need to remove them from the appliance.

There is no direct command or portal function for removing patch files on a standalone appliance. However, the command

support clean log_files /

displays a list of all large files in the log directory (larger than 10 MB), including patch files. You can then point to the patch file path and confirm its deletion

Patch file removal

On the Central Manager the patch file can be removed from the portal. In the Patch Distribution form press the red X icon in the patch row

Patch file deletion

an additional pop-up window will ask for confirmation

Patch file removal confirmation

Then the patch will disappear from the Available Patches report

Available patches report

Info: Guardium does not provide a patch uninstallation procedure

Summary:

The Guardium appliance patch mechanism speeds up the update process in large monitoring environments. All tasks can be executed from the Central Manager.
The update process can also be managed from the CLI for standalone installations and the CM layer. Patches are encrypted and signed to prevent drive-by download attacks.

WINSTAP (S-TAP, FS-TAP) installation and configuration – Guardium 10

WINSTAP architecture

Guardium 10 introduced a new architecture and new functionality into the agent used to monitor data access (databases and files) on Windows platforms (well known as WINSTAP). The most interesting are:

  • Integrated installer for 32- and 64-bit platforms
  • Redesigned TCP and shared memory drivers
  • File Activity Monitoring with blocking capability
  • File Discovery – integrated view of files stored on the managed system
  • File Classification – sensitive data identification

The simplified view of the WINSTAP architecture

WINSTAP architecture

shows that there are many different elements, each responsible for one aspect of data monitoring:

  • GIM (Guardium Installation Manager) – Perl-based service responsible for installation, update and configuration of all other elements running on the monitored system (separate article here)
  • S-TAP service – communication with the collector and data proxy for the sniffer drivers (WFP, NPM) – DAM functionality
  • WFP – new sniffer driver for the TCP/IP stack
  • NPM – new sniffer driver for shared memory
  • CAS (Change Audit System) – Java-based service responsible for identifying changes in critical elements of the database and operating system
  • FS-TAP (or STAPat) – service responsible for communication with the collector and data proxy for the I/O sniffer (FSMonitor) driver – FAM functionality
  • FSMonitor – I/O sniffer driver responsible for auditing and blocking file operations
  • FAM – feed service to the collector from the ICM (IBM Content Classification) infrastructure
  • file crawler – ICM process responsible for scanning the file system and generating file metadata
  • analysis engine – rule-based classification tool for files
  • ICM server – ICM process responsible for classification task management and the configuration upload interface for the ICM workbench
  • ICM workbench – Windows application to create your own classification rules (decision plans)

This article focuses on two functions: database and file activity monitoring. The CAS and FAM (ICM) functions will be described in separate articles.

GIM packages import

The GIM packages are located in the Guardium_10.0_GIM_WIndows.zip package available on the IBM Fix Central page, the same place where the GIM installer can be found.

New: In G10 the CAS module is separated from WINSTAP and has to be installed separately. It is a separate archive.

Starting from version 10 there are 3 GIM modules:

  • STAP for Database and File Activity Monitoring (GIM-Kit-Windows archive)
  • FAM ICM analysis and classification tools (GIM-Kit-FAM archive)
  • CAS for Windows (CAS archive)

Extract the GIM modules and import them on the GIM manager appliance (Manage->Module Installation->Upload Modules). Use the Browse button to select the files and upload them:

Module upload

Then import the uploaded modules: click the small “Import this module” icon and confirm the operation. After a while you will be notified that the module has been imported.

Note: In this article I assume that GIM is installed on the monitored system – GIM installation is described here.

Now we can configure the modules (Manage->Module Installation->Setup by Client) on the managed system

GIM agents list

To see all available modules for the managed Windows system, uncheck the “Display Only Bundles” flag

Modules list

Now we are ready to install.

S-TAP and FS-TAP installation and configuration

WINSTAP installation

The module configuration screen has not changed in G10. The “Common Module Parameters” section contains the preselected parameters (those assumed to be most widely used). Compared to G9 there are 4 new fields for the Query/Rewrite feature (firewall parameters are still unavailable).
However, I prefer fewer options in this section to listing them all, which is what we see in the Linux S-TAP configuration.

The “Common Module Parameters” section is used to simplify module configuration. The “Apply to Selected” button copies data from this form to the marked systems in the “Client Modules Parameters” section. It is useful when you configure 2 or more managed systems together.

WINSTAP module configuration

Minimum information required to install the WINSTAP module:

  • WINSTAP_INSTALL_DIR – installation directory of this module in slash notation (i.e. C:/Guardium/WINSTAP)
  • WINSTAP_SQLGUARD_IP – IP of the collector assigned to this WINSTAP as primary
  • WINSTAP_TAP_IP – only if the managed system has many network interfaces (this option has to be set directly for the particular agent)

Note that most parameters have default values and you do not need to set them.

Now the parameters from “Client Module Parameters” should be assigned to the monitored system with the Apply to Clients button. Finally, the installation process can be started using Install/Update (define when the process will start, or enter “Now” for immediate execution)

Module installation setup

Check the installation status using the “i” icon

Status “INSTALLED” confirms successful installation of WINSTAP

Installation status

WHAT IF I NEED TO SET UP MORE ADVANCED FEATURES

This is done with the WINSTAP_CMD_LINE parameter. You can put here any values in the format <parameter>=<value> that correspond to the TAP section of guard_tap.ini. Below is an example of an installation with 3 additional parameters

Parameters in WINSTAP_CMD_LINE

and the guard_tap.ini content after installation

guard_tap.ini

New: WINSTAP 10 changed the location of guard_tap.ini from c:\Windows\System to <WINSTAP_INSTALL_DIR>\Bin

REMOTE WINSTAP RECONFIGURATION

The standard S-TAP modification form is available under Manage->Activity Monitoring->S-TAP Control and provides limited manageability

STAP configuration

but the Guardium API delivers an interface to manage most existing WINSTAP parameters

grdapi update_stap_config stapHost=<stap_ip> updateValue=SECTION.PARAMETER:VALUE waitForResponse=<0|1>

The updateValue parameter can carry many WINSTAP configuration changes at once

updateValue=SECTION.PARAMETER1:VALUE&SECTION.PARAMETER2:VALUE

This method works with 3 sections of guard_tap.ini

  1. TAP
  2. DB_<inspection_engine_number>
  3. SQLGUARD_<collector_ip>

And here is an example that sets the same three parameters that I used in the WINSTAP_CMD_LINE method

grdapi update_stap_config stapHost=192.168.0.20 updateValue=TAP.FIREWALL_INSTALLED:1&TAP.FIREWALL_DEFAULT_STATE:1&TAP.KRB_MSSQL_DRIVER_INSTALLED:1 waitForResponse=1

Do not forget to restart the S-TAP after the change

grdapi restart_stap stapHost=<stap_ip>
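The updateValue syntax above, worked through as an added example rather than code from the article or from IBM: it builds the SECTION.PARAMETER:VALUE&... string from a dictionary, rejects sections outside the three the API manages, renders the update and restart calls, and applies the same change to a guard_tap.ini fragment to show the resulting file. The guard_tap.ini fragment and its values are constructed, and the apply step is a model of the S-TAP behaviour, not IBM's implementation.

```python
import re
from configparser import ConfigParser
from io import StringIO

# The three guard_tap.ini sections the article says update_stap_config can modify:
# TAP, DB_<inspection_engine_number> and SQLGUARD_<collector_ip>
SECTION_RE = re.compile(r"^(TAP|DB_\d+|SQLGUARD_[\d.]+)$")
PARAM_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")

def build_update_value(changes: dict) -> str:
    """Turn {"TAP": {"FIREWALL_INSTALLED": "1"}, ...} into the grdapi syntax
    SECTION.PARAMETER:VALUE&SECTION.PARAMETER:VALUE, rejecting sections the API
    cannot manage and values that contain the ':' or '&' delimiters."""
    parts = []
    for section, params in changes.items():
        if not SECTION_RE.match(section):
            raise ValueError(f"section not manageable by update_stap_config: {section}")
        for name, value in params.items():
            if not PARAM_RE.match(name):
                raise ValueError(f"bad parameter name: {name}")
            if any(ch in str(value) for ch in ":&"):
                raise ValueError(f"value of {name} contains a delimiter")
            parts.append(f"{section}.{name}:{value}")
    if not parts:
        raise ValueError("no changes given")
    return "&".join(parts)

def build_grdapi_commands(stap_host: str, changes: dict, wait: bool = True) -> list:
    """Render the update call plus the restart the article reminds you about."""
    return [
        f"grdapi update_stap_config stapHost={stap_host} "
        f"updateValue={build_update_value(changes)} waitForResponse={1 if wait else 0}",
        f"grdapi restart_stap stapHost={stap_host}",
    ]

def _load_ini(ini_text: str) -> ConfigParser:
    cfg = ConfigParser(interpolation=None)
    cfg.optionxform = str          # guard_tap.ini keys are upper case; keep them as written
    cfg.read_string(ini_text)
    return cfg

def apply_update_value(ini_text: str, update_value: str) -> str:
    """Model of what the S-TAP does with updateValue: set (or add) each parameter
    in the named section and return the rewritten guard_tap.ini text."""
    cfg = _load_ini(ini_text)
    for item in update_value.split("&"):
        target, colon, value = item.partition(":")
        section, dot, name = target.partition(".")
        if not (colon and dot and name and SECTION_RE.match(section)):
            raise ValueError(f"malformed updateValue item: {item!r}")
        if not cfg.has_section(section):
            cfg.add_section(section)
        cfg.set(section, name, value)
    out = StringIO()
    cfg.write(out, space_around_delimiters=False)
    return out.getvalue()

def read_param(ini_text: str, section: str, name: str):
    return _load_ini(ini_text).get(section, name, fallback=None)

# Constructed guard_tap.ini fragment (values invented) with the three sections above.
SAMPLE_INI = """[TAP]
TAP_IP=192.168.0.20
SQLGUARD_IP=192.168.0.10
FIREWALL_INSTALLED=0

[DB_0]
DB_TYPE=MSSQL

[SQLGUARD_192.168.0.10]
SQLGUARD_IP=192.168.0.10
"""

# The same three parameters the article sets through WINSTAP_CMD_LINE.
CHANGES = {"TAP": {"FIREWALL_INSTALLED": "1",
                   "FIREWALL_DEFAULT_STATE": "1",
                   "KRB_MSSQL_DRIVER_INSTALLED": "1"}}

if __name__ == "__main__":
    for cmd in build_grdapi_commands("192.168.0.20", CHANGES):
        print(cmd)
    print(apply_update_value(SAMPLE_INI, build_update_value(CHANGES)))
```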

INSPECTION ENGINES

The default installation enables database instance discovery. The current version of S-TAP discovers DB2, Couch DB, Informix, Mongo DB, MSSQL and Oracle instances installed on the monitored system. If you would like to monitor other supported databases, you need to add an inspection engine manually (edit the S-TAP configuration in the portal and use the “Add Inspection Engine” definition). Then press the Add and Apply buttons

Inspection engine definition

It is possible to disable instance discovery during the WINSTAP installation process. The -NOAUTODISCOVERY flag has to be set in the CMD_COMMAND_LINE parameter.

New in G10: Database Instance Discovery no longer uses Java

Instance discovery can be started manually from the portal. In the S-TAP Control view click the “Send Command” icon

S-TAP Control

then select the “Run Database Instance Discovery” command

Send Command window

Be aware that the “Replace Inspection Engines” flag clears all existing IE definitions. Use it if you are running the initial instance scan or intentionally want to replace them. Results of instance discovery are stored in the “Discovered Instances” report

Discovered instances report

To compare the discovered instances with those actually defined in the S-TAP you can use a grdapi call from the report. In the report bar expand the Action menu and select the list_inspection_engines command

API invocation from report

Select one row and enter your S-TAP host IP address

list_inspection_engines call

Now the grdapi output can be compared with the last scan

grdapi output

New in 10: The Action menu in the report allows Guardium API calls to be invoked for all results in the related report. A very useful feature.

The instance discovery process can be executed periodically using the DISCOVERY_INTERVAL=<time_in_hours> parameter. This parameter cannot be modified by grdapi, so remember to set it during installation or change it manually later.
Based on this refreshed information we can create an Audit Process to identify changes to the existing instances or detect new ones available on the host.

Tip: If an S-TAP configuration parameter from the TAP section cannot be changed remotely by the API or has no form field in GIM, you can always modify it using CMD_COMMAND_LINE.

Do not forget to set up the DAM policy on the collector. The default policy installed on the appliance after installation – “Ignore Data Activity for Unknown Connections” – ignores all traffic.

DAM policy creation and installation are available at:
Policy Builder – Protect->Security Policies->Policy Builder for Data & Applications
Policy Installer – Protect->Security Policies->Policy Installation

New in 10: The redefined S-TAP architecture in G10 allows database traffic to be monitored without restarting the machine or the database.

Database activity report

Now you are able to monitor database traffic.

FAM FEATURE

Info: I use the FAM acronym here as a reference to FS-TAP functionality. The FAM ICM features are not a part of this article

File Activity Monitoring is separately licensed. The standard installation of WINSTAP activates this feature by default. To prevent its installation, put the flag “-FAM OFF” in CMD_COMMAND_LINE (the guard_tap.ini syntax reference FSM_DRIVER_INSTALLED=0 does not work)

Important: If you do not possess a FAM license, remember to switch this feature off to avoid a compliance issue

An installed FAM is visible in the “S-TAP Control” list (S-TAP host with the “-FAM” suffix)

FAM in S-TAP Control

Important: The default FAM settings switch off monitoring of the Administrator account. FAM policies can block access to particular files or the whole file system, and to protect against accidental mistakes, file activity monitoring ignores super-users (root, Administrator). You can enable this functionality using the TAP flag FAM_PROTECT_PRIVILEGED=1 in guard_tap.ini. Use it in production only when your policies have been tested; incorrect use can lead to a crash and irreversible damage to the monitored system

FAM does not require any inspection engine definition. File monitoring is defined by a separate FAM policy installed in parallel with DAM.

FAM policy builder

The FAM policy builder (Protect->Security Policies->Policy Builder for Files) is a new application for creating and modifying file monitoring policies. Use the + icon to add a new policy

FAM policy builder

Enter the policy name. The “Show Templates” option allows rules created in other FAM policies to be reused. Add a new rule using the + icon

New FAM policy

The rule definition screen uses the new interface logic introduced in G10 – the “End to End scenario”. In this case we can create a rule in 4 steps with a clear context for the task. Now enter the rule name and go Next

FAM rule – Rule Name

We define the systems where the rule will be evaluated. We can select a particular system with the FAM feature enabled

FAM rule – datasource

or select/create a group of systems

FAM rule – datasource group

The next step defines the action type:

  1. Audit (put the event in the Access audit domain)
  2. Alert and Audit (1 plus an additional Guardium Alert event)
  3. Log As Violation and Audit (1 plus marking the event in Quick Search as a violation)
  4. Block, Log As Violation and Audit (1, 3 and block the I/O operation)
  5. Ignore (do nothing)

FAM rule – action

The last step defines the rule criteria. A maximum of 3 can be used:

  • File path (required; defines a single path or a group of paths, wildcards allowed)
  • User (optional; one user or a group of users)
  • File operation (optional; a single operation or a set of available operations)

Available qualifiers for File path:

  • = this path
  • != everything except this path
  • In Group – all paths in the group
  • Not In Group – everything except paths in this group

FAM rule – criteria – File Path qualifiers

This is an example of a file path group definition

FAM rule – criteria – file path group definition

The User criterion uses the same four qualifiers but related to user names. If the User criterion does not appear in the rule or has no value, every user is monitored.

The Access command criterion can refer to one selected operation (=) or a group of them (In Group). If this criterion has been removed from the rule or has no value, all operations are monitored.

FAM rule – criteria – file operations

Tip: If you want to see all file system operations, including directory structure modifications, leave the Access command criterion empty

Two mutually exclusive options are available in the criteria section:

  • Monitor subdirectories in file path – very useful, but consider its influence on performance
  • Removable media – disables the File path criterion in the rule and refers to all files on the attached media (pen drive, CD/DVD, etc.)

FAM rule – Removable media monitoring

Rule evaluation in a FAM policy is similar to DAM. Rules are evaluated from top to bottom. If a rule matches the analyzed file event, all other rules are ignored (you cannot force the evaluation process to continue to the next rule). Use the arrow icons to reorder the rules in your policy

FAM policy – rule order
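The evaluation rules described above (top-down, first match wins, the four qualifiers, empty User or Access command criteria, Monitor subdirectories and Removable media), as an added example that is not part of the original article: a small evaluator run over a constructed policy and constructed file events. The groups, rule names, paths and the depth-based model of "Monitor subdirectories" are assumptions.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample groups; in Guardium these come from the Group Builder and are
# referenced by the "In Group" / "Not In Group" qualifiers.
PATH_GROUPS = {"Sensitive dirs": [r"C:\Finance\*", r"C:\HR\*"]}
USER_GROUPS = {"DBAs": ["dbadmin", "svc_oracle"]}
OP_GROUPS = {"Write ops": ["Write", "Delete", "Rename"]}

@dataclass
class Criterion:
    qualifier: str     # "=", "!=", "In Group" or "Not In Group"
    value: str         # a path pattern, user or operation, or a group name
    groups: dict       # group table the In Group / Not In Group qualifiers look up

@dataclass
class FamRule:
    name: str
    action: str                             # one of the five actions in the policy builder
    file_path: Optional[Criterion] = None   # required unless removable_media is set
    user: Optional[Criterion] = None        # absent: every user is monitored
    operation: Optional[Criterion] = None   # absent: every operation is monitored
    monitor_subdirs: bool = False
    removable_media: bool = False

@dataclass
class FileEvent:
    path: str
    user: str
    operation: str
    removable: bool = False

def _path_hit(pattern: str, path: str, subdirs: bool) -> bool:
    """Wildcard path match. Assumed model: without 'Monitor subdirectories' the
    event must sit at the same directory depth as the pattern."""
    p, pat = path.lower(), pattern.lower()
    if not fnmatch.fnmatchcase(p, pat):
        return False
    return subdirs or p.count("\\") == pat.count("\\")

def _criterion_hit(crit: Optional[Criterion], hit: Callable[[str], bool]) -> bool:
    """Apply the four qualifiers; a criterion that is absent always matches."""
    if crit is None:
        return True
    if crit.qualifier in ("=", "!="):
        return hit(crit.value) == (crit.qualifier == "=")
    in_group = any(hit(member) for member in crit.groups.get(crit.value, []))
    return in_group == (crit.qualifier == "In Group")

def rule_matches(rule: FamRule, ev: FileEvent) -> bool:
    if rule.removable_media:
        # File path criterion is disabled: the rule covers every file on removable media
        if not ev.removable:
            return False
    elif not _criterion_hit(rule.file_path,
                            lambda pat: _path_hit(pat, ev.path, rule.monitor_subdirs)):
        return False
    return (_criterion_hit(rule.user, lambda u: u.lower() == ev.user.lower())
            and _criterion_hit(rule.operation, lambda o: o.lower() == ev.operation.lower()))

def evaluate(policy: list, ev: FileEvent) -> tuple:
    """Top-down evaluation: the first matching rule decides and later rules are
    never consulted, so rule order is part of the policy's meaning."""
    for rule in policy:
        if rule_matches(rule, ev):
            return rule.name, rule.action
    return None, None

# Constructed policy: narrow Ignore first, then a Block rule, then broad Audit rules.
POLICY = [
    FamRule("DBA reads of sensitive dirs", "Ignore",
            file_path=Criterion("In Group", "Sensitive dirs", PATH_GROUPS),
            user=Criterion("In Group", "DBAs", USER_GROUPS),
            operation=Criterion("=", "Read", OP_GROUPS), monitor_subdirs=True),
    FamRule("Block writes in sensitive dirs", "Block, Log As Violation and Audit",
            file_path=Criterion("In Group", "Sensitive dirs", PATH_GROUPS),
            operation=Criterion("In Group", "Write ops", OP_GROUPS), monitor_subdirs=True),
    FamRule("Audit removable media", "Audit", removable_media=True),
    FamRule("Audit top-level Finance files", "Audit",
            file_path=Criterion("=", r"C:\Finance\*", PATH_GROUPS)),
]
```

Calling evaluate(POLICY, FileEvent(r"C:\Finance\2023\q1.xlsx", "jdoe", "Read")) returns (None, None) because the last rule does not monitor subdirectories, while the same path with monitor_subdirs=True on that rule would be audited.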

FAM policy installation

The FAM policy has to be installed on the collector. It is completely independent of DAM and must be installed in parallel.

In Protect->Security Policies->Policy Installation, select your FAM policy in the Policy Installer section. Then select the action

Policy installation

which is executed immediately

DAM and FAM policy installed together

Tip: When FAM and DAM coexist you need to manage at least 2 policies on your collector. Use policy names that are easy to distinguish (DAM- and FAM- prefixes, for example).

The Install & Override action, used most frequently before G10, is no longer an option in DAM and FAM environments.

Important: A modified policy is not installed automatically on the collector; you need to reinstall it after the change. To avoid policy uninstallation/installation, use the Run Once Now button in the Policy Installer section (refreshes the installed policy)

FAM reporting

All FAM audited events are stored in the Access domain. Here is an example of a query that provides full information about file access events

Query for FAM

and a report based on it

FAM Report

FAM QuickSearch

QuickSearch for FAM is separate from DAM. You need to enable this option using grdapi:

grdapi enable_fam_crawler activity_schedule_units=<MINUTE|HOUR> activity_schedule_interval=<INTERVAL> entitlement_schedule_units=<MINUTE|HOUR> entitlement_schedule_interval=<INTERVAL>

activity_* parameters relate to events audited by the policy
entitlement_* parameters relate to metadata gathered by ICM

The FAM and DAM quicksearch windows can be invoked from the menu bar

QuickSearch type selection

FAM quicksearch

Summary:
Guardium 10 introduced many new features and improvements for monitoring Windows environments:
– simple installation
– wider support for instance discovery
– no reboots or restarts after agent installation
– remote configuration and management
– file activity monitoring and blocking
– file content analysis and classification

It is a significant step towards building an integrated data governance platform