Data classification (Part 2) – Classification policy rules

Continuation of the article Data classification (Part 1) – Overview.

Classification policy builder

A classification policy is the building block of a classification process: a process references one policy, and the same policy can be reused by many different processes.

A classification policy groups rules and manages the relationships between them. To add a new policy go to Discover->Classifications->Classification Policy Builder, which opens the Classification Policy Definition window

Classification process structure

where the policy Name and Description can be specified.

Tip: A policy is not tied to the database where it will be executed. Name it after the analysis logic it implements (for example: Find Sensitive Data in SAP environments), not after a data source.

Tip: The Category and Classification labels become part of the content of the events generated by action rules. Use them to distinguish events at this level without inspecting the rule that fired.

Info: The list of categories is managed by the Categories group (Group Type: Category).

Select a Category, define the Classification literal and push the Apply button.

New Classification Policy

Then push the now active Edit Rules button (Roles defines which group of users may access this policy; Add Comments lets you record remarks whenever the policy changes).

New Rule invocation

New Policy

Classification Policy Rules manages the current list of rules inside a particular policy. We will return to it later in this article.

List of classification rules

Classification policy management

The Classification Policy Finder window lists all existing policies. For each policy we can add a comment or go to rule editing.

Policy list

The four icons above the policy list add a new policy, edit, copy or remove the selected one, respectively. Copying opens the Classification Policy Clone window, where the name of the source policy is prefixed with the literal Copy of. The Save Clone button adds the new policy to the list.

Policy clone

Only a policy that is not attached to any classification process can be removed. An attempt to remove a policy that is still referenced by a process displays a message. In that situation you must first remove the process that references the policy, or point the process at another policy.

Policies whose names end with a time stamp in square brackets were created by the end-to-end discovery scenario.

Classification policy rules in detail

Each rule has identification fields: Name, Category, Classification and Description. A classification rule is an atomic element, so its name should state exactly what it detects (for example: e-mail address, US zip code). Classification Rule Type defines the kind of data the rule analyzes.

Rule description and type selection

In most cases our DAM classification policies will use the Search for Data rule type.

Rule types:

  • Search for Data – analysis of the content of tables, views and synonyms
  • Catalog Search – checks for the existence of a particular table or column name
  • Search for Unstructured Data – CSV, text, HTTP|S and Samba sources outside the DAM audit data (not related to the FAM functionality)

Info: Do not mix rule types inside one classification policy. It is not forbidden, but in most cases it does not make sense.

This simple rule matches AMEX credit card numbers with a regular expression in all tables, views and synonyms, in columns defined as text (any text type supported by the database). The Apply button adds the rule to the policy.

Simple rule definition

Applying the rule activates the New Action button in the Classification Rule Action section. Actions are described in the third part of this article. The Back button returns to the list of rules in the policy.

Rules Action section

Each rule visible in the rule list can be quickly reviewed using the small plus icon (show details).

Classification Policy Finder

Rule review – show details

To modify an existing rule select the pencil icon.

Edit rule icon

The balloon icon adds a comment to the rule (very useful for the change management process).

Add comment icon

The order of rules in the policy can be changed with the move up/move down icons. These icons are active only when the policy contains at least two rules.

Policy list

By default the policy processes rules from top to bottom and reaches a verdict for an object as soon as one rule matches: once a rule matches, the remaining rules are not evaluated for the current object. Additional rule parameters (Continue on Match, One match per column and the Marker) change this behaviour and are described below.

The Unselect All and Select All buttons select or deselect all rules in the view; this is used for bulk removal (Delete Selected button).

Collapse All and Expand All help with a fast review of all rules.

Rule parameters review

Logically the parameters fall into three groups:

  • search scope
  • pattern
  • search behaviour

Search scope parameters

Table Type – defines the types of objects included in the analysis:

  • Tables
  • Views (consider the performance impact on a production environment with a huge number of unused and complex views: sampling a view executes its query)
  • Synonyms (not available for some database types)
  • System Tables (includes system objects)

Table Name Like – limits the search to object names matching the pattern. Two wildcards are allowed: % matches a string of any length (including empty) and _ matches exactly one character. Examples:

  • CARS – only the object named CARS
  • C% – object names starting with C
  • CAR_ – object names starting with CAR followed by exactly one more character (CARS, CARO, CARP), but not CAR itself

If this parameter is empty all tables are analyzed.

Data Type – defines the data type of the columns to analyze. The values map to the data types supported by the particular database engine (binary object types are never analyzed):

  • Date
  • Number
  • Text

Column Name Like – limits the scope to column names matching the pattern. The same two wildcards, % and _, are allowed. An empty field means all columns in the table.

Minimum Length, Maximum Length – refer to the declared size of the column, not to the length of the data stored in a particular row. They are sometimes used together to pin down one particular column size. A good practice is to set the minimum length whenever the minimum length of the searched value is known (for example 16 characters for a credit card number); this reduces the number of analyzed columns.

Exclude Schema – narrows the scan area defined by the data source at the schema level. The parameter points to a group (Application Type – Classifier or Public, Group Type – Schema) containing the list of schemas excluded from the search.

In this example credit cards have been detected in 3 columns in the dbo and glo schemas.

Classification report

A rule modification excludes the glo schema from the search scope

Classification rule and schema exclusion group

and changes the classification results: no objects from the glo schema are reported.

Classification report

Exclude Table – restricts the list of scanned tables defined by the data source. If the Table Name Like parameter is also used in the rule, it is evaluated on the list of tables that remains after the Exclude Table evaluation. The exclusions are defined by a group reference (Application Type – Classifier or Public, Group Type – Object).

The classification returns 3 columns in 2 tables

Classification report

and after a rule modification that excludes the CC_NOK table

Classification rule and table exclusion group

the results report contains only two records from one table.

Classification report

Exclude Table Column – restricts the list of scanned columns defined by the data source. If the Column Name Like parameter is also used in the rule, it is evaluated on the column list that remains after the Exclude Table Column evaluation. The exclusions are defined by a group reference (Application Type – Classifier or Public, Group Type – Object/Field).

The classification returns 3 columns, including column CC of table CC_1

Classification report

and after a rule modification that excludes column CC from table CC_1

Classification rule and table column exclusion group

the excluded column disappears from the results report.

Classification report

Limitation: The wildcards % and _ are not allowed in any of the exclusion groups; group members are matched as exact names.
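To make the scope rules above concrete, here is an added example (not Guardium code) that models how a Search for Data rule narrows the catalog: Table Type and Data Type select objects and columns, the exclusion groups are applied before the Table Name Like and Column Name Like patterns, exclusion groups match exact names only, and Minimum/Maximum Length compare against the declared column size. The catalog rows, the column lengths and the form of the exclusion entries (bare table name, table and column pair) are assumptions made for the example.

```python
"""Search-scope filtering for a Search for Data rule (added example, not Guardium code).
The catalog rows below are constructed; the evaluation order follows the article."""
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Column(NamedTuple):
    schema: str
    table: str
    table_type: str   # "TABLE", "VIEW", "SYNONYM" or "SYSTEM TABLE"
    column: str
    data_type: str    # "Text", "Number" or "Date"
    length: int       # declared column size, not the length of stored data


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a LIKE pattern: % matches any string (even empty), _ matches
    exactly one character, everything else is literal (so '.' stays a dot)."""
    parts = [".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def like_match(pattern: str, name: str) -> bool:
    """An empty pattern means no restriction, as an empty field does in the rule."""
    return pattern == "" or like_to_regex(pattern).match(name) is not None


def in_scope(catalog: Iterable[Column], table_types: Iterable[str], data_type: str,
             table_like: str = "", column_like: str = "",
             min_len: Optional[int] = None, max_len: Optional[int] = None,
             exclude_schemas: Iterable[str] = (), exclude_tables: Iterable[str] = (),
             exclude_columns: Iterable[Tuple[str, str]] = ()) -> List[Tuple[str, str, str]]:
    """Return (schema, table, column) for every column the rule would sample."""
    types = {t.upper() for t in table_types}
    excl_schemas = {s.upper() for s in exclude_schemas}
    excl_tables = {t.upper() for t in exclude_tables}                # exact names, no wildcards
    excl_columns = {(t.upper(), c.upper()) for t, c in exclude_columns}
    selected = []
    for col in catalog:
        if col.table_type.upper() not in types or col.data_type != data_type:
            continue
        if col.schema.upper() in excl_schemas:                       # Exclude Schema
            continue
        if col.table.upper() in excl_tables:                         # Exclude Table first ...
            continue
        if not like_match(table_like, col.table):                    # ... then Table Name Like
            continue
        if (col.table.upper(), col.column.upper()) in excl_columns:  # Exclude Table Column first ...
            continue
        if not like_match(column_like, col.column):                  # ... then Column Name Like
            continue
        if min_len is not None and col.length < min_len:
            continue
        if max_len is not None and col.length > max_len:
            continue
        selected.append((col.schema, col.table, col.column))
    return selected


# Constructed catalog modelled on the tables named in the article.
CATALOG = [
    Column("dbo", "CC_1",     "TABLE",        "CC",   "Text",   20),
    Column("dbo", "CC_NOK",   "TABLE",        "CC",   "Text",   16),
    Column("dbo", "CC_NOK",   "TABLE",        "ID",   "Number", 10),
    Column("glo", "CC_MAIL",  "TABLE",        "CC",   "Text",   32),
    Column("glo", "CC_MAIL",  "TABLE",        "MAIL", "Text",  100),
    Column("dbo", "CARS",     "TABLE",        "NOTE", "Text",   12),
    Column("dbo", "V_CC",     "VIEW",         "CC",   "Text",   20),
    Column("sys", "sysusers", "SYSTEM TABLE", "name", "Text",  128),
]


def demo() -> dict:
    """The three exclusion scenarios from the article, on the constructed catalog."""
    base = dict(table_types=("TABLE",), data_type="Text", min_len=16)
    return {
        "all":            in_scope(CATALOG, **base),
        "exclude_schema": in_scope(CATALOG, exclude_schemas=("glo",), **base),
        "exclude_table":  in_scope(CATALOG, exclude_tables=("CC_NOK",), **base),
        "exclude_column": in_scope(CATALOG, exclude_columns=(("CC_1", "CC"),), **base),
    }
```

Because the exclusion set is checked before the LIKE pattern, a table listed in the exclusion group never reaches the pattern, which is why the article's Table Name Like note matters: the pattern only narrows what the group left behind. The 12-character NOTE column drops out through Minimum Length alone, the cheapest filter to apply before any data is read.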

Pattern parameters

Info: Only one pattern parameter can be used in a rule. The behavioural parameters make it possible to analyze the same column with different patterns in consecutive rules.

Search Like – a simple pattern based on the two wildcards (% and _). Useful for constants, specific values, or as part of a more complex analysis built from a set of rules.

Search Expression – analysis based on a regular expression compliant with the POSIX 1003.2 specification. A description and some examples are available in the internal Guardium Help system – https://<appliance_IP:>8443/guardhelp/topic/com.ibm.guardium.doc/discover/regular_expressions.html

The expression can be typed directly into the field or validated with the Regular Expression builder, invoked by the RE icon.

Regular Expression builder icon

In the Regular Expression field insert the pattern and check its correctness: put a sample value in the Text to match against area and press the Test button.

Regular expression builder

The message Match Found indicates that the evaluated expression matches the string; otherwise No Match Found is displayed. The Accept button copies the expression into the rule.

Regular expression in rule builder

The Regular Expression builder also offers predefined patterns for credit cards and citizen identification numbers (for several countries). Select a category

Predefined expression categories

and then one of the defined expressions.

List of predefined expressions

Selected expression

Guardium also offers special pattern tests for a limited set of data types that carry a parity or checksum control, for example validation of a credit card number with the Luhn algorithm. This functionality is switched on by a special naming convention for the classification rule: the rule name has to start with the string guardium://CREDIT_CARD.

For example, in the two tables CC_OK and CC_NOK

CC_OK               CC_NOK
4556237137622336    4556237137622335
4929697443528339    4929697443528338
3484057858101867    3484057858101866
4824520549635491    4824520549635490
3767010431320650    3767010431320659
4532861697794380    4532861697794389
5352437717676479    5352437717676478
4539522376654625    4539522376654624
5547728204654151    5547728204654150
5292779270461374    5292779270461373

we have strings representing 16-digit numbers. Table CC_OK contains credit card numbers with a correct Luhn checksum; the numbers in CC_NOK differ only in the last (check) digit, so their checksums are wrong.

A policy based on the regular expression only

Find Credit Card (regexp only)

discovers both tables as credit card numbers.

Classification process structure

For a policy with the additional Luhn conformity check

Find Credit Card (with checksum)

only the CC_OK table is recognized as an object with valid credit card numbers.

Classification process structure

Other special patterns in the rule name are described in the Guardium Help system – https://<appliance_IP:>8443/guardhelp/topic/com.ibm.guardium.doc/protect/r_patterns.html
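The difference between the two policies can be reproduced outside Guardium. The following is an added example (not Guardium code, and not the appliance's own checksum implementation): it runs the Part 1 regular expression and a Luhn check over the CC_OK and CC_NOK rows from the table above, so you can see that the regex alone accepts both tables while the checksum separates them. The helper names are my own.

```python
"""Regular expression versus regular expression plus Luhn checksum
(added example, not Guardium code). CC_OK and CC_NOK are the article's tables."""
import re

CC_REGEX = re.compile(r"^[0-9]{16}[ ]{0,20}$")   # 16 digits, up to 20 trailing spaces (Part 1 pattern)

CC_OK = ["4556237137622336", "4929697443528339", "3484057858101867", "4824520549635491",
         "3767010431320650", "4532861697794380", "5352437717676479", "4539522376654625",
         "5547728204654151", "5292779270461374"]
CC_NOK = ["4556237137622335", "4929697443528338", "3484057858101866", "4824520549635490",
          "3767010431320659", "4532861697794389", "5352437717676478", "4539522376654624",
          "5547728204654150", "5292779270461373"]


def luhn_valid(value: str) -> bool:
    """Luhn mod-10 check: walking from the right, double every second digit,
    subtract 9 from doubled values above 9, and the total must be divisible
    by 10. Only the last digit is the check digit, so the CC_NOK rows, which
    differ from CC_OK in that digit alone, all fail."""
    digits = value.strip()
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def matching_values(values, checksum=False):
    """Values a Search for Data rule would report: regex match, and when the
    checksum variant is on (the guardium://CREDIT_CARD rule name), also Luhn."""
    return [v for v in values if CC_REGEX.match(v) and (not checksum or luhn_valid(v))]


def column_is_flagged(values, checksum=False) -> bool:
    """Without a Hit Percentage, a single matching value flags the column."""
    return len(matching_values(values, checksum)) > 0
```

The regex also admits the trailing spaces that fixed-width CHAR columns pad with, which is why the pattern ends in `[ ]{0,20}$`; the Luhn helper strips them before checking. Note that a separator-formatted value such as `4556 2371 3762 2336` matches neither the regex nor the check, so a column stored that way needs its own pattern.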

Evaluation Name – the most powerful option in the classification analysis. It allows you to write your own validation function in Java (1.7 in the initial G10 release) and implement any check that a regular expression cannot express.

For example, we would like to find bank account numbers in IBAN notation (widely used in Europe) and verify their checksum (the rearranged and transliterated number must give remainder 1 modulo 97). A regular expression cannot do this at all.

More about IBAN is available on Wikipedia: IBAN

We need to create and compile a class in the package com.guardium.classifier.custom that implements the Evaluation interface, which has one method, evaluate(), returning true or false for the value passed in.

This is an example of the code for IBAN evaluation:

package com.guardium.classifier.custom;

import java.math.BigInteger;

// Evaluation is the interface Guardium provides for custom classifier checks;
// the classifier calls evaluate() once per sampled value.
public class iban implements Evaluation {
    public static final int IBANNUMBER_MIN_SIZE = 15;
    public static final int IBANNUMBER_MAX_SIZE = 34;
    public static final BigInteger IBANNUMBER_MAGIC_NUMBER = new BigInteger("97");

    public boolean evaluate(String accountNumber) {
        if (accountNumber == null) {
            return false;
        }
        // IBANs are often stored with grouping spaces (PL61 1090 1014 ...); drop them
        String newAccountNumber = accountNumber.replace(" ", "").trim().toUpperCase();
        if (newAccountNumber.length() < IBANNUMBER_MIN_SIZE || newAccountNumber.length() > IBANNUMBER_MAX_SIZE) {
            return false;
        }
        // Move the country code and the two check digits to the end
        newAccountNumber = newAccountNumber.substring(4) + newAccountNumber.substring(0, 4);
        // Replace every letter with two digits (A=10 ... Z=35); any other character means "not an IBAN"
        StringBuilder numericAccountNumber = new StringBuilder();
        for (int i = 0; i < newAccountNumber.length(); i++) {
            char c = newAccountNumber.charAt(i);
            if (!((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z'))) {
                return false;
            }
            numericAccountNumber.append(Character.getNumericValue(c));
        }
        // A valid IBAN leaves remainder 1 when the resulting integer is divided by 97
        BigInteger ibanNumber = new BigInteger(numericAccountNumber.toString());
        return ibanNumber.mod(IBANNUMBER_MAGIC_NUMBER).intValue() == 1;
    }
}

The compiled class must be uploaded to the appliance (Setup->Custom Classes->Evaluations->Upload). Insert a class Description, point to the file with the compiled class and approve the upload with the Apply button.

Custom class upload

A confirmation message about success should be displayed. I have in my database the table glottery.glo.bank_accounts where American (non-IBAN) and Polish (IBAN) bank accounts appear

glottery.glo.bank_accounts table

Now we can create a new rule to find IBANs; the Evaluation Name field takes the fully qualified name of the class

Classification rule

which correctly identifies the bank accounts, including the checksum verification.

Tip: Use self-written evaluations to build the policy that best fits your data when identifying sensitive data.

Compare to Values in SQL – compares the values in the sample with a dictionary defined by an SQL query.

Limitation: The dictionary has to exist on the database where the classification process is executed.

For example, we would like to find columns that contain the short names of US states. The table dbo.CC_MAIL_STATE contains a STATE column

Inside the same database engine there is a table glo.STATES listing all states.

This classification rule uses the list defined by the SQL instruction:

SELECT short_name FROM Glottery.glo.States WHERE country=1

Classification rule

and identifies the STATE column.

Classification results

Please notice that the classification process worked on the CLEXAMPLES database only (the scope is defined by the data source), so the dictionary source table is not in the results because it is located in the GLOTTERY database.

The SQL instruction used here has some limitations:

  • it must start with SELECT (you cannot send DML or DDL)
  • it should not contain a semicolon (you cannot chain instructions)
  • referenced objects must use fully qualified names (for example database.schema.object for MS SQL)

Compare to Values in Group – compares column values with the list stored in a Guardium group. The group must belong to Application Type PUBLIC or CLASSIFIER and Group Type OBJECTS. The small icon at the right side of the group list allows you to create or modify the dictionary.

Create/Modify group

In this example the group GL_US_STATES is a list of all US states

Dictionary group

referenced inside the classification rule

Classification rule

and returns the list of columns where US states appear.

Classification results

Search behaviour parameters

"Fire only with" Marker – identifies tables where two or more columns fulfil certain conditions together.

For example we have two tables: CC_MAIL with credit cards and mail addresses

and the table CC_NAME, where user names exist instead of mail addresses.

If we create two independent rules looking for credit cards and mail addresses

Classification policy

the classification process returns only the CC columns from both tables

Classification results

because the first rule matched the table and the second one was not evaluated.

This time the Continue on Match flag has been switched on

Rules list

and all credit card and mail columns have been identified.

Classification results

In the next policy both rules have been updated with the same Marker – CC_AND_MAIL

Rules list

and the classification policy returns the credit card and mail address columns from the CC_MAIL table only, because only this table contains both patterns together.

Classification process structure

Hit Percentage – determines the percentage of values in the sample that must match the pattern for the rule to be considered satisfied. If this field is empty the column is classified even when only one value in the sample matches the pattern.

Important: This parameter allows you to minimize the number of false positive results in the data classification process.

Using this parameter also adds to the results the number of unique values in the sample that fulfil the requirements of the rule.

Classification results

Show Unique Values, Unique Value Mask – attach the matched values to the classification report. Only unique values are displayed, and at most 2000 of them per column are included in the report.

Classification rule

Classification report

If the attached values are sensitive, the Unique Value Mask field allows you to mask them.

The mask must be a regular expression that covers the expected values and marks the part that should remain visible. The Regular Expression builder is also available to define the mask and check its correctness. The part of the expression inside parentheses () defines the content of the value that will be displayed in the report (for example .*([0-9]{4})[ ]{0,20}$ means that only the last four meaningful digits are displayed).

Classification rule

Classification report

Continue on Match, One match per column – by default the classification process flow focuses on identifying tables with sensitive data, not every sensitive column. Consider the table with credit card, mail address and state

and a Classification Policy with 4 rules (Continue on Match switched off)

Classification policy

Only one column from the CC_MAIL_STATE table has been identified

Classification results

because the first rule satisfied the policy and processing moved on to the next table. To change this, the Continue on Match flag must be switched on in the rules of the sequence

Classification policy

which leads to the expected behaviour: all sensitive columns in the CC_MAIL_STATE table have been discovered.

Classification results

You should also notice that the STATE column has been matched twice because two rules meet the requirements on it (which was expected here). Multiple matches on one column can be suppressed with the One match per column flag. To do that, mark it in the first rule in the sequence that works on that column

Classification policy

This time the Find State PL rule has not matched the STATE column.

Classification report

Tip: In most cases a sensitive data classification procedure should point to all columns where this type of data resides, so the Continue on Match flag should be switched on for all rules in the policy.
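The interaction of the default stop-on-first-match flow with Continue on Match, One match per column and the "Fire only with" marker is easier to reason about with a small simulator. The following is an added example (not Guardium code): it replays the CC_MAIL / CC_NAME and CC_MAIL_STATE scenarios from the sections above. The rule names, the sampled rows, the mail regex and the two state patterns (a short list of US codes, and a two-letter pattern that also matches them, standing in for the article's Find State PL rule) are constructed for the example, and Hit Percentage is left out.

```python
"""Policy flow simulator for the behavioural parameters (added example, not Guardium code).
Rules, patterns and sampled rows below are constructed to mirror the article's scenarios."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    pattern: str                          # Search Expression
    continue_on_match: bool = False
    one_match_per_column: bool = False
    marker: Optional[str] = None          # "Fire only with" marker


def run_policy(rules: List[Rule], table: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return the (rule name, column) pairs reported for one table.
    A column matches a rule when any sampled value matches the pattern. After a
    rule matches at least one column, the remaining rules are skipped unless it
    has Continue on Match; a column matched by a One-match-per-column rule is
    hidden from later rules; matches of rules that share a marker are kept only
    when every rule in that marker group matched somewhere in the table."""
    matches: List[Tuple[str, str]] = []
    consumed = set()
    for rule in rules:
        rx = re.compile(rule.pattern)
        hit = False
        for column, values in table.items():
            if column in consumed:
                continue
            if any(rx.match(v) for v in values):
                matches.append((rule.name, column))
                hit = True
                if rule.one_match_per_column:
                    consumed.add(column)
        if hit and not rule.continue_on_match:
            break
    fired = {name for name, _ in matches}
    group = {r.name: [x.name for x in rules if x.marker == r.marker] for r in rules if r.marker}
    return [(n, c) for n, c in matches if n not in group or all(m in fired for m in group[n])]


CC = r"^[0-9]{16}[ ]{0,20}$"
MAIL = r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"
US_STATE = r"^(AL|CA|NY|TX|WA)$"      # shortened list, constructed
PL_STATE = r"^[A-Z]{2}$"              # constructed stand-in that also matches US codes

CC_MAIL = {"CC": ["4556237137622336"], "MAIL": ["alice@example.com"]}
CC_NAME = {"CC": ["4929697443528339"], "NAME": ["Alice Smith"]}
CC_MAIL_STATE = {"CC": ["3484057858101867"], "MAIL": ["bob@example.org"], "STATE": ["NY", "TX"]}


def demo() -> dict:
    stop_first = [Rule("Find CC", CC), Rule("Find Mail", MAIL)]
    continue_on = [Rule("Find CC", CC, continue_on_match=True), Rule("Find Mail", MAIL)]
    marker = [Rule("Find CC", CC, continue_on_match=True, marker="CC_AND_MAIL"),
              Rule("Find Mail", MAIL, marker="CC_AND_MAIL")]
    four = [Rule("Find CC", CC, continue_on_match=True),
            Rule("Find Mail", MAIL, continue_on_match=True),
            Rule("Find State US", US_STATE, continue_on_match=True),
            Rule("Find State PL", PL_STATE)]
    four_once = [Rule("Find CC", CC, continue_on_match=True),
                 Rule("Find Mail", MAIL, continue_on_match=True),
                 Rule("Find State US", US_STATE, continue_on_match=True, one_match_per_column=True),
                 Rule("Find State PL", PL_STATE)]
    return {
        "stop_first": (run_policy(stop_first, CC_MAIL), run_policy(stop_first, CC_NAME)),
        "continue": (run_policy(continue_on, CC_MAIL), run_policy(continue_on, CC_NAME)),
        "marker": (run_policy(marker, CC_MAIL), run_policy(marker, CC_NAME)),
        "four_no_continue": run_policy([Rule(r.name, r.pattern) for r in four], CC_MAIL_STATE),
        "four": run_policy(four, CC_MAIL_STATE),
        "four_once": run_policy(four_once, CC_MAIL_STATE),
    }
```

Two details worth noticing in the simulator: a marker group can only fire if the earlier rules in the group have Continue on Match set, otherwise the later rule is never reached; and One match per column acts on the rule that consumes the column, which is why the article places it on the first rule that works on STATE.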

Relationship discovery

Using a simple trick we can also identify relationships between the source data and other objects.

I have a source table with users stored in glottery.glo.users

glottery.glo.users table

where the primary key is the id column, and a correct reference to users from other tables should refer to this value. I have created a rule

Rule classification

looking for numeric columns whose values match the list of ids from the source table (SELECT id FROM glottery.glo.users WHERE id<>0 AND id<>1). The WHERE clause omits the values 0 and 1, which can be logical (boolean) values in some referencing tables and would otherwise produce false matches. I have set the Hit Percentage at the very high level of 98% to ensure a real relationship between the analyzed object and the users table.

The results clearly show that the Users table is referenced from 6 other tables.

Classification results
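The same technique, Compare to Values in SQL combined with a Hit Percentage threshold, can be exercised locally. This is an added example (not Guardium code) covering the dictionary query limitations listed under Compare to Values in SQL, the Hit Percentage semantics, and the relationship-discovery rule above. SQLite stands in for the database (it has no schemas, so glottery.glo.users becomes glo_users), the rows are constructed, the sample is a plain LIMIT, and only two of the three query constraints (SELECT only, no semicolon) are checked because fully qualified names cannot be validated generically.

```python
"""Compare to Values in SQL + Hit Percentage, as used for relationship discovery
(added example, not Guardium code; SQLite and constructed rows stand in for the database)."""
import sqlite3
from typing import List, Set, Tuple


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE glo_users(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO glo_users VALUES (0,'system'),(1,'admin'),(2,'alice'),
                                     (3,'bob'),(4,'carol'),(5,'dave');
        CREATE TABLE glo_orders(order_id INTEGER, user_id INTEGER, total NUMERIC);
        INSERT INTO glo_orders VALUES (10,2,9.5),(11,3,12),(12,2,1),(13,5,4),(14,4,7);
        CREATE TABLE glo_settings(setting TEXT, enabled INTEGER);  -- 0/1 flags, unrelated to users
        INSERT INTO glo_settings VALUES ('dark_mode',1),('beta',0),('audit',1),('mfa',1);
        CREATE TABLE glo_products(product_id INTEGER, stock INTEGER);
        INSERT INTO glo_products VALUES (2,100),(3,0),(9,5),(42,1),(77,3);
    """)
    return con


def validate_dictionary_sql(sql: str) -> str:
    """The dictionary query must start with SELECT (no DML/DDL) and must not
    contain ';' (no chained statements). Fully qualified names are not checked."""
    s = sql.strip()
    if not s.upper().startswith("SELECT"):
        raise ValueError("dictionary query must be a SELECT")
    if ";" in s:
        raise ValueError("dictionary query must be a single statement")
    return s


def load_dictionary(con: sqlite3.Connection, sql: str) -> Set[object]:
    return {row[0] for row in con.execute(validate_dictionary_sql(sql))}


def hit_percentage(sample: List[object], dictionary: Set[object]) -> Tuple[float, int]:
    """Share of sampled non-NULL values found in the dictionary, plus the number of
    unique matching values that the report adds when the threshold is in use."""
    values = [v for v in sample if v is not None]
    if not values:
        return 0.0, 0
    hits = [v for v in values if v in dictionary]
    return 100.0 * len(hits) / len(values), len(set(hits))


def find_references(con: sqlite3.Connection, dictionary_sql: str, hit_threshold: float = 0.0,
                    sample_rows: int = 2000) -> List[Tuple[str, str, float, int]]:
    """Emulate a Compare to Values in SQL rule over Number columns. A threshold of 0
    plays the role of an empty Hit Percentage: one matching value flags the column."""
    dictionary = load_dictionary(con, dictionary_sql)
    results = []
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for _cid, col, ctype, *_rest in con.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper() not in ("INTEGER", "NUMERIC", "REAL"):
                continue
            sample = [r[0] for r in con.execute(f'SELECT "{col}" FROM "{table}" LIMIT {sample_rows}')]
            pct, uniq = hit_percentage(sample, dictionary)
            if pct > 0 and pct >= hit_threshold:
                results.append((table, col, round(pct, 1), uniq))
    return results


def demo() -> dict:
    con = build_db()
    careful = "SELECT id FROM glo_users WHERE id<>0 AND id<>1"   # the article's query
    naive = "SELECT id FROM glo_users"                           # without the 0/1 exclusion
    return {
        "careful_98": find_references(con, careful, hit_threshold=98.0),
        "naive_98": find_references(con, naive, hit_threshold=98.0),
        "careful_any": find_references(con, careful),
    }
```

With the 98% threshold and the 0/1 exclusion only glo_orders.user_id is reported. Dropping the WHERE clause makes the boolean column glo_settings.enabled a 100% hit, and dropping the threshold reports every column that happens to share a single small integer with the id list, which is the false positive class the article's Important note is about.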

 

Summary:

Guardium provides many different techniques to identify sensitive data, and a good implementation relies on them. Only if we know where critical data resides will real-time policies, correlation alerts and SIEM events work correctly and point to real threats.

Article continuation:

  • Part 3 – Action rules (soon)
  • Part 4 – Classification process and data sources (tbd)
  • Part 5 – End to End scenarios and Classification Automation (tbd)

Data classification (Part 1) – Overview

Sensitive data discovery is a key element in creating an accurate Data Governance policy. Knowledge about data location (at table and column level), relationships (how the critical data is referenced) and movement (changes in the schema definition) is crucial for monitoring and access protection.

Guardium provides many enhancements to identify and manage information about sensitive data, both within databases and in file analysis. This article focuses on data classification inside databases.

Classification process

Classification process structure

Classification process – a manually or periodically executed search job for specific data (classification policy) within a defined scope (data source)

Data source – defines access to a database and the scope of analyzed schemas

Classification policy – a defined set of classification rules with their order and relations

Classification rule – a data search pattern based on a supported rule type, associated with rule actions

Rule action – an action invoked when a rule has matched

The classification process discovers the sensitive data described by classification policies within the data sources and provides output for:

  • the content of groups of sensitive objects used in monitoring policies
  • monitoring policy modification
  • event notification (policy violation, remote system notification)
  • sensitive data reporting

Classification process flow

Analysis flow

  1. The Guardium appliance connects to the database (data source) using a JDBC driver
  2. Creates the list of tables, views and synonyms
  3. Gets a sample of data from each object
  4. Tries to match each column against the defined pattern (rule)
  5. For a matched rule executes the defined actions
  6. Repeats 4 and 5 for each rule
  7. Closes the connection
  8. Repeats from 1 for each data source
  9. Returns the results

Classification process setup flows

Guardium 10 provides two scenarios for constructing the classification process:

  • from scratch – each element is created separately; the broader elements invoke the more specialized tasks. Useful for people with good Guardium skills, as it exposes all existing classification features (Discover->Classification->Classification Policy Builder, Discover->Classification->Classification Process Builder)
  • end-to-end – a streamlined process that simplifies the creation and automation of a classification process. Some features are not available, but the result can be edited later using the first scenario (Discover->Classification->Classification Sensitive Data)
Classification menu

Simple Classification Process – from scratch

Task description:

Find all tables and column names where credit card numbers are stored inside an MS-SQL engine.

My database Glottery contains the table Credit_Cards in the glo schema with credit card information stored inside

Table with sensitive data

Process creation:

Go to the Classification Process Finder (Discover->Classifications->Classification Process Builder) and add a new process (+ icon)

Add new process

Insert the process name in the Process Description field and push the Modify button

Process definition

which opens the pop-up window Classification Policy Finder. Add a new policy using the + icon

Policy selection

In the Classification Policy Definition view insert the policy Name, Category and Classification type and save the policy using the Apply button

Policy description

which activates the Edit Rules button; select it

Policy description

In the Classification Policy Rules view select the Add Rule button

Rule list

In the rule view insert its name and select Search for Data from the Rule Type list

Rule definition

This refreshes the view; then put the pattern in the Search Expression field:

^[0-9]{16}[ ]{0,20}$

which is a simple representation of a credit card number (16 digits, followed by at most 20 spaces). Then save the rule using the Apply button

Rule definition

and we return to the rule list with the newly created rule. Close the pop-up window. The newly created policy is not refreshed in the process view, so we need to reopen the process creation window. Select Discover->Classifications->Classification Process Builder again, put in the name, select our policy – Find CC in Tables – and press the Add Datasource button

Policy definition

Another pop-up window – Datasource Finder – displays the list of existing database definitions. Use the + icon to add a new one

Data source list

Insert the Name, select the appropriate engine from Database Type, put in the database account credentials and the IP address and port on which the database listens. Save the definition using the Apply button and return to the data source list with Back

Data source definition

Now the newly created data source is on the list. Select it and Add it to the process definition

Data source list

Now the classification process contains a policy and a data source. We can save it with the Apply button

Classification process

This activates the Run Once Now button – manual process execution. Run it

Classification process

We can wait for a while or review the status of the process execution. Go to Discover->Classifications->Guardium Job Queue. Our job will be at the top of the list

Job list

Refresh the report and wait for its completion. Then return to the classification process list, select the Find CC process and push the View Results button

Process list

The pop-up window will contain the classification process execution results

Classification process results

Finally, our process discovered all tables containing strings that matched the simple regular expression. Notice the glottery.glo.passwords table in the results, which probably has nothing to do with credit card data. The continuation of this article describes various techniques for eliminating such false positive results.

Article continuation:

  • Part 2 – Classification rules
  • Part 3 – Action rules (soon)
  • Part 4 – Classification process and data sources (tbd)
  • Part 5 – End to End scenarios and Classification Automation (tbd)

Appliance patch installation

Guardium Patches

DAM must ensure continuity of monitoring of the database environment, which precludes any interruption caused by the need to update the software.

Guardium contains a very well designed update mechanism for the monitored infrastructure, with minimal administrator attendance required.

Infrastructure patches (appliance patches) can be categorized by their function (the categorization is reflected in the patch numbering):

  • px0, px00 – Guardium Patch Update (GPU), a cumulative patch of Ad-Hoc patches; it can contain new features introduced within the current major version. In most cases it has no prerequisites
  • p0x-pxxxx – Ad-Hoc patch, contains updates for a particular functionality with an identified defect, usually related to a PMR (Problem Management Record). Strictly tied to a specific GPU. Very often published as a bundle of Ad-Hoc updates
  • p6xxx – Security Patch, updates vulnerable parts of specific components such as Red Hat, MySQL and others. Can be bundled inside a GPU patch
  • p4xxx – Sniffer Patch, an update for the collector sniffer

Important: Before installing a patch, review the documentation that came with it.

Many patches require an appropriate GPU or specific settings on the appliance. Patch installation can involve an appliance restart or temporary unavailability of services.

The patching process is very simple. After downloading a patch, the Guardium administrator uploads it to the central manager. Then, from the Central Manager console, the administrator can schedule the patch installation on all other appliances inside the management domain. Patching the central manager itself uses the standalone procedure (described later in the article).

Patch process flow

Patch file flow

Patch acquisition

All patches are available on IBM Fix Central – http://www.ibm.com/support/fixcentral/
Access to patches and updates requires registration of an IBM customer account.

IBM Fix Central – account registration

The form is simple. You do not need to enter any Guardium contract information here.

Registration form

To download a patch go to the "Select Product" tab on Fix Central and point to Guardium using the content-related set of fields

Fix Central – Guardium patch selection

and Browse for fixes.

Browse for fixes

The list of available patches is presented in functional categories.
The system allows you to download patches using FTP, HTTP or the IBM Download Director tool (requires Java). The last method allows many files to be downloaded in one session.

Patch upload

Patches are archived in ZIP format (unzip the archive before uploading the patch to the collector or central manager). Here is an example of the content of a Guardium p01 archive

Patch archive content

All appliance patches are encrypted and signed to protect against tampered or substituted patch files. In most cases the archive also includes the documentation in PDF format and a file with MD5 hashes of the archive content.
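The MD5 file mentioned above is worth checking before the .sig file leaves the workstation, so that a corrupted download is caught before it is uploaded rather than at installation time (the signature, not the MD5, is what protects authenticity; MD5 is not collision-resistant and only confirms the download matches what IBM listed). The following is an added example, not Guardium tooling: it assumes the common md5sum layout of one `<32 hex digits>  <file name>` line per file, which the article does not show, and the files it creates are constructed stand-ins, not real patches.

```python
"""Integrity check of an unpacked patch archive against its MD5 list
(added example, not Guardium tooling; md5sum-style layout is assumed)."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):   # stream, patches are large
            h.update(chunk)
    return h.hexdigest()


def parse_md5_list(text: str) -> Dict[str, str]:
    """Return {file name: expected hash}; blank lines and '#' comments are skipped.
    A leading '*' on the name (md5sum binary mode) is dropped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_archive(directory: str, md5_list_name: str) -> Tuple[list, list, list]:
    """Compare every file named in the MD5 list with the file on disk.
    Returns (ok, mismatched, missing); upload only when the last two are empty."""
    with open(os.path.join(directory, md5_list_name), encoding="utf-8") as f:
        expected = parse_md5_list(f.read())
    ok, mismatched, missing = [], [], []
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif md5_of_file(path) != digest:
            mismatched.append(name)
        else:
            ok.append(name)
    return ok, mismatched, missing


def demo() -> Tuple[list, list, list]:
    """Constructed archive: one intact file, one tampered file, one listed but absent."""
    d = tempfile.mkdtemp()
    good = b"intact patch payload (constructed)"
    with open(os.path.join(d, "patch_good.sig"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "patch_tampered.sig"), "wb") as f:
        f.write(b"modified payload")
    listing = (f"{hashlib.md5(good).hexdigest()}  patch_good.sig\n"
               f"{hashlib.md5(b'original payload').hexdigest()}  patch_tampered.sig\n"
               f"{'0' * 32}  patch_missing.sig\n")
    with open(os.path.join(d, "MD5SUMS.txt"), "w", encoding="utf-8") as f:
        f.write(listing)
    return verify_archive(d, "MD5SUMS.txt")
```

Run `verify_archive(<unzipped directory>, <name of the MD5 file in it>)` against a real archive; a non-empty mismatched or missing list means re-download before uploading anything to the appliance.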

Downloaded patch file (*.sig) should be moved on FTP or SCP server, DVD or into the directory available for browser with access to Guardium portal.

In Guardium 10, when browser has access to the internet the notification about new available patches will be displayed under message icon on status bar

New patch notification

New patch notification

Message contains also direct link to patch on Fix Central. Notification contains information about patches which are not installed on the appliance where user is actually logged in.

Info: New patch notification in portal uses browser snippet. It does not require internet access for appliance

Patch backup configuration

Guardium provides self-protect technique in case of patch installation failure. For patches which are changing critical system parts it creates additional backup of crucial appliance resources what can allow to restore system to state before patch applying.

Patch backup is stored remotely and transmitted using SCP connection. Storage for patch backup can be configured under (Setup->Tools and Views->Patch Backup)

Patch backup configuration

Patch backup configuration

Storage configuration is validated and left the temporary file on it

Temporary file on patch backup storage

Temporary file on patch backup storage

Patch installation methods

Guardium provides the patch installation invocation from patch file stored locally on the appliance or downloaded remotely over FTP or SCP.

Each method can be divided into two phases: patch upload with registration in patch pool and patch installation. All patches uploaded to the standalone appliance are stored locally and can be used later in case of reinstallation or scheduled installation.
In case of installation by CM the patch file is transmitted to appliance from CM and removed from it after installation.

FTP or SCP patch upload

Installation can be invoked by CLI:

store system patch install ftp
store system patch install scp

Both commands are interactive and we need to insert the account credentials and the location of the patch. In this case, two patches were uploaded from FTP server

Patch upload over FTP

Patch upload over FTP

and this same for SCP, additionally the patch installation sequence was ordered

Patch upload over SCP

Patch upload over SCP

Installation from CD

Only installation from appliance DVD drive allowed

Patch installation from DVD

Patch installation from DVD

Patch upload using Guardium fileserver

Execute fileserver from CLI using command

fileserver <your_browser_ip> <time>

and then go to http://your_appliance_ip_address. Use Browse button to point the patch file and Upload it on the appliance

Patch upload by fileserver

Patch upload by fileserver

After a while the message similar to below will be displayed

Patch upload message

Patch upload message

When all patches have been uploaded, close the fileserver by pressing ENTER in the CLI session. Another message confirms whether the patches were registered correctly on the appliance

fileserver session

Now we can review the list of patches available on the collector using the CLI

show system patch available

or in the portal under Manage->Reports->Install Management->Available Patches report

Available patches

Now we can start the patch installation. From the CLI execute the interactive command

store system patch install sys

This form starts the installation immediately. To schedule it, use

store system patch install sys <YYYY-mm-dd> <hh:mm:ss>

The status of the patch installation can be monitored with

show system patch installed

Patch installation from CLI

A successful installation shows the status “DONE: Patch installation Succeeded”

Patch installation status

We can also invoke the installation from the Available Patches report. From the Action menu select patch_install

Patch installation from report

In the pop-up window select the patch to install, set the execution time (NOW means immediate start) and press the Invoke now button

Patch installation

The status can be monitored in the report Manage->Reports->Install Management->Installed Patches

Installed patches report

Note that this patch installation also triggered a patch backup: a new file appears in the archive

Patch backup archive

Patch installation in Enterprise environment

Guardium is an enterprise solution and provides central management of all appliances in the environment.

Info: You do not need to upload the patch manually to every appliance in a managed environment.

The patch installation order in a managed environment:

  1. Upload and install the patch on the Central Manager. In an HA configuration, install the patch on the CM backup, promote it to primary, then install the patch on the CM master.
  2. Run remote patch installation on the aggregation layer (if it exists)
  3. Move the S-TAPs from the collector being updated to the backup collector and run remote patch installation
  4. Restore the standard S-TAP connections to the updated collector and remotely update the backup collector

Installing the patch on the CM first is not strictly required before installing it on other appliances, but best practice is to update from the top down.

Patch installation on the CM has to be executed manually (described earlier).
Remote patch installation on an aggregator or collector is managed from the Manage->Central Management->Central Management form. To order a patch installation, select the appliances and press the Patch Distribution button

Central Management

Then select the patch and start the installation using the Install Patch Now button

Remote patch installation

The installation can also be scheduled (Schedule Patch). Task execution is reported in a separate message

Message about remote patch installation

Patch Installation Status displays the current state of the task in a pop-up window

Remote patch installation status

A global review of patch installation across all appliances managed by the CM is available in a separate view. From the Central Manager form select Patch Installation Status

Central Management

Global patch status

Patch failure

Patching may sometimes fail. If the error occurs while the patch is still preparing for the system change, simply removing the patch task is enough. Here is an example where the patch returned status ERROR and the command

delete scheduled-patch

removes it from the list so the patch installation can be repeated

delete scheduled-patch example

This command removes the patch copy from the appliance, so the patch has to be uploaded again.

When the installation fails (status FAIL) during the system modification phase, IBM support should be involved to restore the patch backup copy.

restore pre-patch-backup

This command should be executed in cooperation with IBM support.

Disk clean-up

The space occupied by patches may grow over time, so you may need to remove them from the appliance.

There is no direct command or portal function for removing patch files on a standalone appliance. However, the command

support clean log_files /

lists all large files (over 10 MB) in the log directory, including patch files. We can then enter the path of the patch file and confirm its deletion

Patch file removal

On the Central Manager the patch file can be removed from the portal. In the Patch Distribution form press the red X icon in the patch row

Patch file deletion

and confirm the deletion in the additional pop-up window

Patch file removal confirmation

The patch then disappears from the Available Patches report

Available patches report

Info: Guardium does not provide a patch uninstallation procedure

Summary:

The Guardium appliance patch mechanism speeds up the update process in large monitoring environments. All tasks can be executed from the Central Manager.
The update process can also be managed from the CLI for standalone installations and the CM layer. Patches are encrypted and signed to protect against drive-by download attacks.

WINSTAP (S-TAP, FS-TAP) installation and configuration – Guardium 10

WINSTAP architecture

Guardium 10 introduced a new architecture and new functionality in the agent that monitors data access (databases and files) on Windows platforms, known as WINSTAP. The most interesting changes are:

  • Integrated installer for 32- and 64-bit platforms
  • Redesigned TCP and SharedMemory drivers
  • File Activity Monitoring with blocking capability
  • File Discovery – integrated view of the files stored on a managed system
  • File Classification – sensitive data identification

The simplified view of the WINSTAP architecture

WINSTAP architecture

shows that there are many different elements, each responsible for one aspect of data monitoring:

  • GIM (Guardium Installation Manager) – Perl-based service responsible for the installation, update and configuration of all other elements on the monitored system (separate article here)
  • S-TAP service – communication with the collector and data proxy for the sniffer drivers (WFP, NPM) – DAM functionality
  • WFP – new sniffer driver for the TCP/IP stack
  • NPM – new sniffer driver for shared memory
  • CAS (Change Audit System) – Java-based service responsible for identifying changes in critical elements of the database and operating system
  • FS-TAP (or STAPat) – service responsible for communication with the collector and data proxy for the I/O sniffer driver (FSMonitor) – FAM functionality
  • FSMonitor – I/O sniffer driver responsible for auditing and blocking file operations
  • FAM – feed service to the collector from the ICM (IBM Content Classification) infrastructure
  • file crawler – ICM process responsible for scanning the file system and generating file metadata
  • analysis engine – rule-based classification tool for files
  • ICM server – ICM process responsible for classification task management and the configuration upload interface for the ICM workbench
  • ICM workbench – Windows application for creating your own classification rules (decision plans)

This article focuses on two functions: database and file activity monitoring. The CAS and FAM (ICM) functions will be described in separate articles.

GIM packages import

The GIM packages are located in the Guardium_10.0_GIM_WIndows.zip archive available on the IBM Fix page, the same place where the GIM installer can be found.

New: In G10 the CAS module is separated from WINSTAP and has to be installed separately; it comes as its own archive.

Starting from version 10 there are 3 GIM modules:

  • STAP for Database and File Activity Monitoring (GIM-Kit-Windows archive)
  • FAM ICM analysis and classification tools (GIM-Kit-FAM archive)
  • CAS for Windows (CAS archive)

Extract the GIM modules and import them on the GIM manager appliance (Manage->Module Installation->Upload Modules). Use the Browse button to select the files and upload them:

Module upload

Then import the uploaded modules – click the small “Import this module” icon and confirm the operation. After a while you will be notified that the module has been imported.

Note: In this article I assume that GIM is already installed on the monitored system – GIM installation is described here.

Now we are able to configure the modules (Manage->Module Installation->Setup by Client) on the managed system

GIM agents list

To see all available modules for the managed Windows system you need to uncheck the “Display Only Bundles” flag

Modules list

Now we are ready to install.

S-TAP and FS-TAP installation and configuration

WINSTAP installation

The module configuration screen has not changed in G10. The “Common Module Parameters” section contains the preselected parameters (the ones assumed to be most widely used). Compared to G9 there are 4 new fields for the Query/Rewrite feature (firewall parameters are still unavailable).
However, I prefer having fewer options in this section rather than all of them, which is what we see in the Linux S-TAP configuration.

The “Common Module Parameters” section is used to simplify module configuration. The “Apply to Selected” button copies the data from this form to the marked systems in the “Client Modules Parameters” section. It is useful when you configure 2 or more managed systems together.

WINSTAP module configuration

Minimum information required to install the WINSTAP module:

  • WINSTAP_INSTALL_DIR – installation directory of this module in backslash notation (for example C:/Guardium/WINSTAP)
  • WINSTAP_SQLGUARD_IP – IP of the collector assigned to this WINSTAP as primary
  • WINSTAP_TAP_IP – only if the managed system has several network interfaces (this option has to be set directly for the particular agent)

Note that most parameters have default values and do not need to be set.

Now the parameters from “Client Module Parameters” should be assigned to the monitored system with the Apply to Clients button. Finally the installation can be invoked using Install/Update (define when the process should start, or enter “Now” for immediate execution)

Module installation setup

Check the installation status using the “i” icon

Installation status

Status “INSTALLED” confirms the successful installation of WINSTAP

WHAT IF I NEED TO SET UP MORE ADVANCED FEATURES

This is possible with the WINSTAP_CMD_LINE parameter. You can put any values here in the format <parameter>=<value> that correspond to the TAP section of guard_tap.ini. Below is an example of an installation with 3 additional parameters

Parameters in WINSTAP_CMD_LINE

and the guard_tap.ini content after installation

guard_tap.ini

New: WINSTAP 10 moved guard_tap.ini from c:\Windows\System to <WINSTAP_INSTALL_DIR>\Bin

REMOTE WINSTAP RECONFIGURATION

The standard S-TAP modification form is available under Manage->Activity Monitoring->S-TAP Control and provides limited manageability

STAP configuration

but the Guardium API delivers an interface to manage most existing WINSTAP parameters

grdapi update_stap_config stapHost=<stap_ip> updateValue=SECTION.PARAMETER:VALUE waitForResponse=<0|1>

The updateValue parameter can carry several WINSTAP configuration changes at once

updateValue=SECTION.PARAMETER1:VALUE&SECTION.PARAMETER2:VALUE

This method works with 3 sections of guard_tap.ini

  1. TAP
  2. DB_<inspection_engine_number>
  3. SQLGUARD_<collector_ip>

And here is an example that sets the same three parameters that I used in the WINSTAP_CMD_LINE method

grdapi update_stap_config stapHost=192.168.0.20 updateValue=TAP.FIREWALL_INSTALLED:1&TAP.FIREWALL_DEFAUL_STATE:1&TAP.KRB_MSSQL_DRIVER_INSTALLED:1 waitForResponse=1

Do not forget to restart the S-TAP after the change

grdapi restart_stap stapHost=<stap_ip>

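A small helper, added here as an example and not part of Guardium or of the original article, that builds and checks the updateValue string before the grdapi line is typed into the CLI: it accepts only the three section kinds listed above (TAP, DB_<n>, SQLGUARD_<ip>), refuses values containing the ':' and '&' separators of the syntax, and can parse an existing updateValue back into a dictionary for review. The parameter names FIREWALL_INSTALLED, FIREWALL_DEFAUL_STATE and KRB_MSSQL_DRIVER_INSTALLED are taken from the command above; DB_TYPE and PRIMARY in the parsing example are constructed sample names, and the validation rules (upper-case parameter names, an IP address in the SQLGUARD section name) are my assumptions, not documented Guardium behaviour.

```python
"""Builder/validator for the updateValue argument of grdapi update_stap_config.

Added example, not Guardium code. Assumptions: sections are exactly TAP,
DB_<n> or SQLGUARD_<ip>; parameter names are upper-case identifiers; a value
cannot contain ':' or '&' because those are the separators of the syntax.
"""
import ipaddress
import re
from typing import Dict, Mapping

_DB_SECTION = re.compile(r"^DB_\d+$")
_SQLGUARD_SECTION = re.compile(r"^SQLGUARD_(.+)$")
_PARAM_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")


def validate_section(section: str) -> str:
    """Return the section if update_stap_config can address it, else raise ValueError."""
    if section == "TAP" or _DB_SECTION.match(section):
        return section
    m = _SQLGUARD_SECTION.match(section)
    if m:
        ipaddress.ip_address(m.group(1))   # raises ValueError for a malformed address
        return section
    raise ValueError(f"section not manageable via update_stap_config: {section!r}")


def build_update_value(changes: Mapping[str, Mapping[str, object]]) -> str:
    """Serialize {section: {parameter: value}} into SECTION.PARAM:VALUE items joined by '&'.

    Dictionary order is preserved, so the output is deterministic and easy to review.
    """
    items = []
    for section, params in changes.items():
        validate_section(section)
        for name, raw in params.items():
            if not _PARAM_NAME.match(name):
                raise ValueError(f"bad parameter name: {name!r}")
            value = str(raw)
            if ":" in value or "&" in value or any(c.isspace() for c in value):
                raise ValueError(f"value of {section}.{name} contains a separator: {value!r}")
            items.append(f"{section}.{name}:{value}")
    if not items:
        raise ValueError("no changes given")
    return "&".join(items)


def build_grdapi_command(stap_host: str, changes: Mapping[str, Mapping[str, object]],
                         wait_for_response: bool = True) -> str:
    """Assemble the full CLI line; stapHost is the S-TAP host as the collector knows it."""
    if not stap_host or any(c.isspace() for c in stap_host):
        raise ValueError("stapHost must be a single host name or IP address")
    return (f"grdapi update_stap_config stapHost={stap_host} "
            f"updateValue={build_update_value(changes)} "
            f"waitForResponse={1 if wait_for_response else 0}")


def parse_update_value(update_value: str) -> Dict[str, Dict[str, str]]:
    """Inverse of build_update_value, for reviewing a command before it is executed."""
    result: Dict[str, Dict[str, str]] = {}
    for item in update_value.split("&"):
        left, sep, value = item.partition(":")
        # rpartition: a SQLGUARD_<ip> section name contains dots, a parameter name does not
        section, dot, name = left.rpartition(".")
        if not (sep and dot):
            raise ValueError(f"malformed item: {item!r}")
        validate_section(section)
        result.setdefault(section, {})[name] = value
    return result


if __name__ == "__main__":
    # The three TAP parameters from the article's example command.
    firewall_changes = {"TAP": {"FIREWALL_INSTALLED": 1, "FIREWALL_DEFAUL_STATE": 1,
                                "KRB_MSSQL_DRIVER_INSTALLED": 1}}
    print(build_grdapi_command("192.168.0.20", firewall_changes))
```

Running the module prints the same command line as the article's example; feeding a section such as FIREWALL (no section prefix) or a value with an embedded '&' raises ValueError instead of producing a line that the API would reject or, worse, interpret as a different set of changes.
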
INSPECTION ENGINES

The default installation enables database instance discovery. The current S-TAP version discovers instances of DB2, Couch DB, Informix, Mongo DB, MSSQL and Oracle installed on the monitored system. To monitor other supported databases you need to add the inspection engine manually: edit the S-TAP configuration in the portal and fill in the “Add Inspection Engine” definition, then press the Add and Apply buttons

Inspection engine definition

It is possible to disable instance discovery during the WINSTAP installation. The -NOAUTODISCOVERY flag has to be set in the CMD_COMMAND_LINE parameter.

New in G10: Database Instance Discovery no longer uses Java

Instance discovery can be ordered manually from the portal. In the S-TAP Control view click the “Send Command” icon

S-TAP Control

then select the “Run Database Instance Discovery” command

Send Command window

Be aware that the “Replace Inspection Engines” flag clears all existing IE definitions. Use it only for the initial instance scan or when you intentionally want to replace them. The results of instance discovery are stored in the “Discovered Instances” report

Discovered instances report

To compare the discovered instances with those actually defined in the S-TAP you can use a grdapi call from the report. In the report bar expand the Action menu and select the list_inspection_engines command

API invocation from report

Select one row and enter your S-TAP host IP address

list_inspection_engines call

Now the grdapi output can be compared with the last scan

grdapi output

New in 10: The Action menu in a report allows you to invoke Guardium API calls for all results in the report. A very useful feature.

Instance discovery can be executed periodically using the DISCOVERY_INTERVAL=<time_in_hours> parameter. This parameter cannot be modified by grdapi, so remember to set it during installation or change it manually later.
Based on this refreshed information we can create an Audit Process to identify changes to the existing instances or detect new ones on the host.

Tip: If an S-TAP parameter from the TAP section cannot be changed remotely by the API and has no form field in GIM, you can always set it using CMD_COMMAND_LINE.

Do not forget to set up the DAM policy on the collector. The default policy installed on the appliance – “Ignore Data Activity for Unknown Connections” – ignores all traffic.

DAM policy creation and installation are available at:
Policy Builder – Protect->Security Policies->Policy Builder for Data & Applications
Policy Installer – Protect->Security Policies->Policy Installation

New in 10: The redefined S-TAP architecture in G10 allows monitoring database traffic without restarting the machine or the database.

Database activity report

Now you are able to monitor database traffic.

FAM FEATURE

Info: I use the FAM acronym here as a reference to FS-TAP functionality. The FAM ICM features are not part of this article

File Activity Monitoring is licensed separately. The standard WINSTAP installation activates this feature by default. To prevent its installation put the flag “-FAM OFF” in CMD_COMMAND_LINE (the guard_tap.ini syntax FSM_DRIVER_INSTALLED=0 does not work here)

Important: If you do not possess a FAM license, remember to switch this feature off to avoid a compliance issue

An installed FAM is visible in the “S-TAP Control” list (S-TAP host with the “-FAM” suffix)

FAM in S-TAP Control

Important: The default FAM settings switch off monitoring of the Administrator account. FAM policies can block access to particular files or to the whole file system, and to protect against accidental mistakes file activity monitoring ignores super-users (root, Administrator). You can enable monitoring of them with the TAP flag FAM_PROTECT_PRIVILEGED=1 in guard_tap.ini. Use it in production only when your policies have been tested; incorrect use can lead to a crash and irreversible damage to the monitored system

FAM does not require any inspection engine definition. File monitoring is defined by a separate FAM policy installed in parallel to the DAM policy.

FAM policy builder

The FAM policy builder (Protect->Security Policies->Policy Builder for Files) is a new application for creating and modifying file monitoring policies. Use the + icon to add a new policy

FAM policy builder

Enter the policy name. The “Show Templates” option allows you to reuse rules created in other FAM policies. Add a new rule using the + icon

New FAM policy

The rule definition screen uses a new interface logic introduced in G10 – the “End to End scenario”. Here we create the rule in 4 steps, each with a clear context. First we enter the rule name and go Next

FAM rule – Rule Name

Next we define the systems where the rule will be evaluated. We can select a particular system with the FAM feature enabled

FAM rule – datasource

or select/create a group of systems

FAM rule – datasource group

The next step defines the action type:

  1. Audit (put the event into the Access audit domain)
  2. Alert and Audit (1 plus an additional Guardium Alert event)
  3. Log As Violation and Audit (1 and mark the event in Quick Search as a violation)
  4. Block, Log As Violation and Audit (1, 3 and block the I/O operation)
  5. Ignore (do nothing)

FAM rule – action

The last step defines the rule criteria. We can use at most 3 of them:

  • File path (required; a single path or a group of paths, wildcards allowed)
  • User (optional; one user or a group of users)
  • File operation (optional; a single operation or a set of the available operations)

Available qualifiers for File path:

  • = this path
  • != everything except this path
  • In Group – all paths in the group
  • Not In Group – everything except the paths in this group

FAM rule – criteria – File Path qualifiers

This is an example of a file path group definition

FAM rule – criteria – file path group definition

The User criterion uses the same four qualifiers, applied to user names. If the User criterion does not appear in the rule or has no value, every user is monitored.

The Access command criterion can refer to one selected operation (=) or to a group of them (In Group). If this criterion has been removed from the rule or has no value, all operations are monitored.

FAM rule – criteria – file operations

Tip: To see all file system operations, including directory structure modifications, leave the Access command criterion empty

Two mutually exclusive options are available in the criteria section:

  • Monitor subdirectories in file path – very useful, but consider its influence on performance
  • Removable media – disables the File path criterion in the rule and refers to all files on the attached media (pen drive, CD/DVD, etc.)

FAM rule – Removable media monitoring

Rule evaluation in a FAM policy is similar to DAM. Rules are evaluated from top to bottom. If a rule matches the analyzed file event, all remaining rules are ignored (you cannot force the evaluation to continue to the next rule). Use the arrow icons to reorder the rules in your policy

FAM policy – rule order
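To make the first-match behaviour concrete, here is an added example (my own illustration, not Guardium code) that evaluates a FAM-style rule list over constructed file events, using the criteria and qualifiers from this section. Everything in the sample policy (the C:\Finance and D:\Payroll path group, the svc_backup and jsmith accounts, the operation names) is constructed. How Guardium applies “Monitor subdirectories” internally is not described in the article, so the model treats it as letting the path pattern match any parent directory of the accessed file; an event matched by no rule is reported as not applicable. Wildcards here are * and ?, confined to one path component, and comparisons are case-insensitive as on Windows; these are assumptions of the model.

```python
"""First-match evaluation of FAM rules (added example modelling the article's description, not Guardium code)."""
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Sequence, Tuple

# Action types in the order the article lists them.
ACTIONS = ("Audit", "Alert and Audit", "Log As Violation and Audit",
           "Block, Log As Violation and Audit", "Ignore")

@dataclass
class Criterion:
    qualifier: str          # "=", "!=", "In Group" or "Not In Group"
    values: Sequence[str]   # one value for = / !=, the group members otherwise

@dataclass
class Rule:
    name: str
    action: str
    file_path: Criterion                    # required
    user: Optional[Criterion] = None        # absent or empty: every user
    operation: Optional[Criterion] = None   # absent or empty: every operation
    subdirectories: bool = False            # "Monitor subdirectories in file path"

@dataclass
class FileEvent:
    path: str
    user: str
    operation: str

def _norm(path: str) -> str:
    """Windows paths compare case-insensitively; accept either separator."""
    return path.replace("/", "\\").rstrip("\\").lower()

def _glob(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard path into a regex; * and ? never cross a path separator (assumption)."""
    parts = []
    for ch in _norm(pattern):
        parts.append(r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def _ancestors(path: str) -> Iterator[str]:
    pieces = path.split("\\")
    for i in range(len(pieces) - 1, 0, -1):
        yield "\\".join(pieces[:i])

def path_matches(pattern: str, path: str, subdirectories: bool) -> bool:
    """Match the file itself; with subdirectories enabled, also any parent directory (modelling assumption)."""
    rx, p = _glob(pattern), _norm(path)
    if rx.match(p):
        return True
    return subdirectories and any(rx.match(a) for a in _ancestors(p))

def criterion_matches(crit: Optional[Criterion], value: str,
                      hit: Callable[[str, str], bool]) -> bool:
    if crit is None or not crit.values:
        return True                          # criterion missing or empty: everything is monitored
    hits = any(hit(v, value) for v in crit.values)
    if crit.qualifier in ("=", "In Group"):
        return hits
    if crit.qualifier in ("!=", "Not In Group"):
        return not hits
    raise ValueError(f"unknown qualifier {crit.qualifier!r}")

def rule_matches(rule: Rule, ev: FileEvent) -> bool:
    def same(a: str, b: str) -> bool:
        return a.lower() == b.lower()
    return (criterion_matches(rule.file_path, ev.path,
                              lambda pat, p: path_matches(pat, p, rule.subdirectories))
            and criterion_matches(rule.user, ev.user, same)
            and criterion_matches(rule.operation, ev.operation, same))

def evaluate(policy: List[Rule], ev: FileEvent) -> Tuple[Optional[str], Optional[str]]:
    """Rules are tried top-down; the first match decides and later rules are never consulted."""
    for rule in policy:
        if rule.action not in ACTIONS:
            raise ValueError(f"rule {rule.name!r} has unknown action {rule.action!r}")
        if rule_matches(rule, ev):
            return rule.name, rule.action
    return None, None                        # no rule applied to this event

# Constructed sample policy: a path group, an exempted service account, blocking of changes.
FINANCE_PATHS = [r"C:\Finance", r"D:\Payroll"]
SAMPLE_POLICY = [
    Rule("skip-backup-service", "Ignore", Criterion("In Group", FINANCE_PATHS),
         user=Criterion("=", ["svc_backup"]), subdirectories=True),
    Rule("block-finance-changes", "Block, Log As Violation and Audit",
         Criterion("In Group", FINANCE_PATHS),
         operation=Criterion("In Group", ["Delete", "Rename", "Write"]), subdirectories=True),
    Rule("audit-finance", "Audit", Criterion("In Group", FINANCE_PATHS), subdirectories=True),
]

if __name__ == "__main__":
    for ev in (FileEvent(r"C:\Finance\2016\ledger.xlsx", "svc_backup", "Delete"),
               FileEvent(r"C:\Finance\2016\ledger.xlsx", "jsmith", "Delete"),
               FileEvent(r"D:\Payroll\run.csv", "jsmith", "Read"),
               FileEvent(r"C:\Public\readme.txt", "jsmith", "Delete")):
        print(ev.path, ev.user, ev.operation, "->", evaluate(SAMPLE_POLICY, ev))
```

The order matters exactly as the text says: with the Ignore rule for the backup account on top, its deletions in C:\Finance are dropped; move that rule below the blocking rule (as the arrow icons do in the policy builder) and the same deletion is blocked, because the first matching rule is the only one that counts.
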

FAM policy installation

The FAM policy has to be installed on the collector. It is completely independent of the DAM policy and must be installed in parallel.

In Protect->Security Policies->Policy Installation select your FAM policy in the Policy Installer section. Then select the action

Policy installation

which is executed immediately

DAM and FAM policy installed together

Tip: When FAM and DAM coexist you need to manage at least 2 policies on your collector. Use names that make the policies easy to distinguish (DAM- and FAM- prefixes, for example).

The Install & Override action, the one most frequently used before G10, is no longer an option in DAM and FAM environments.

Important: A modified policy is not installed automatically on the collector; you need to reinstall it after the change. To avoid uninstalling and reinstalling the policy use the Run Once Now button in the Policy Installer section (it refreshes the installed policy)

FAM reporting

All FAM audited events are stored in the Access domain. Here is an example of a query that provides full information about file access events

Query for FAM

and a report based on it

FAM Report

FAM QuickSearch

QuickSearch for FAM is separate from DAM. You need to enable it using grdapi:

grdapi enable_fam_crawler activity_schedule_units=<MINUTE|HOUR> activity_schedule_interval=<INTERVAL> entitlement_schedule_units=<MINUTE|HOUR> entitlement_schedule_interval=<INTERVAL>

The activity_* parameters relate to the events audited by the policy
The entitlement_* parameters relate to the metadata gathered by ICM

The FAM and DAM QuickSearch windows can be invoked from the menu bar

QuickSearch type selection

FAM quicksearch

Summary:
Guardium 10 introduced many new features and improvements for monitoring Windows environments:
– simple installation
– wider support for instance discovery
– no reboots and restarts after agent installation
– remote configuration and management
– file activity monitoring and blocking
– file content analysis and classification

It is a significant step towards an integrated data governance platform

Everything you always wanted to know about DAM but were afraid to ask

#1 – What exactly is DAM?

You can find many DAM definitions and be a little confused by the dozens of different features mentioned in them, but some features are always present and can be considered the key requirements (DAM sensu stricto):

  • 100% visibility of access to data
  • monitoring completely independent of the database administrators
  • analysis at SQL level
  • real-time and correlated incident identification
  • audit of events related to incidents
  • support for forensic analysis

Some other features are not native to DAM, but their popularity means they are now widely regarded as DAM (DAM sensu lato):

  • access blocking (this feature is generally part of DAMP – Database Activity Monitoring & Protection, also known as DBF – Database Firewall)
  • database user authorization reporting
  • sensitive data identification
  • dynamic data masking (at database level)
  • vulnerability management (whatever that means for the requester 😉 )

We can also identify some non-functional requirements that apply to any security solution:

  • minimal influence on the performance of the monitored system
  • support for heterogeneous database environments
  • support for enterprise deployments

It is very difficult to compare solutions. Be sure that you compare “apples” to “apples” rather than “apples” to “pears”. Very often the requested DAM feature works on a different layer and is covered by another solution (WAF, IPS, NG-Firewall, CM management).
Ask for support of your use case and requirements rather than for the list of functions included in the vendor's box.

#2 – Agent-based or agent-less monitoring?

In the case of DAM there is only one answer to this question. 100% data traffic visibility is not possible with a network sniffer (agent-less), because you cannot monitor local sessions.

How your database is accessed:

  • remotely (TCP, network pipes, encrypted connections)
  • locally (TCP, shared memory, network pipes)

Only an agent residing on the managed environment can see local sessions and non-TCP protocols. It is hard to argue with this obvious statement. However, some remarks are important:

  • an agent installed on the monitored system does affect it – but the question is about the acceptable level of this performance influence, not about the choice between agent-based and agent-less architecture
  • an agent requires updates, reconfiguration, database and system restarts – this may be true for a particular solution but is false in the case of Guardium

Only agent-based monitoring ensures coverage of the DAM requirements. Check the platform and protocol support. Check the performance overhead on your database.

Even if you are able to disable all local access to the database, you still assume that your network configuration is stable and all sessions are visible to the sniffer, which is not true at all.

#3 – Does your DAM prevent SQL Injection?

I love this one. The question is completely unrelated to the SQL level; it is a question about the protection of web applications.
If you want to stop SQL Injection attacks the solution is easy – use a WAF or IPS/NG Firewall. These solutions work on the network layer and are able to de-encapsulate HTTP/S data, parse it and identify dangerous content (an injected SQL string or its meta-form).

It is a textbook example of how a single commonly known word in a name leads to misunderstanding the core of the problem and its resolution.

SQL Injection must be analysed on the HTTP/S layer. It is not related to DAM protection.

If your WAF or IPS is not able to block the attack, the DAM will still be able to analyse the SQL syntax, session context and data references. That is a normal DAM task and should not be mistaken for SQL injection protection.

#4 – Can we build the Virtual Patch protection with DAM?

In many respects the answer is similar to the SQL injection case, but I will describe it in more depth.

VP is a security approach that creates protection outside the vulnerable system. Some examples:

  • the system can be exploited but a patch does not exist or cannot be installed
  • a vulnerable function has to remain available to particular subjects only
  • a service has a low reputation and whitelisting of its activity is required

There are many ways in which DAM can provide VP protection:

  • blocking access to a vulnerable stored procedure
  • restricting access to defined clients only
  • accepting only a defined list of SQL statements and operations on an object

but if the vulnerable element resides in the database we have to consider that its exploitation can open another attack vector. That is why VP should primarily be defined on the network layer using IPS and NG-firewall.

DAM can act as an auxiliary in building VP. Network in-line protection should be considered first

#5 – What is your DAM data collection architecture?

Some solutions do not work in real time and use DB logs or an additional event collection mechanism to provide SQL visibility. If blocking is not needed this architecture could be acceptable, but such logging depends on the DB administrators and does not provide any segregation of duties (for example, an insider can modify or switch off the logging mechanism).

How the audit data are stored and managed by the DAM is another architectural question. Would you like to switch from one audit console to another to check the status of your monitored environment? Would you like to remember which DAM box contains the data required for the current analysis? And most importantly, do you know which of the stored audit data will be the key in your forensic searches?
A DAM solution usually monitors heterogeneous environments, covers dozens of databases and gathers terabytes of audit archives over the retention period.
That is why I suggest considering the following:

  • the ability to manage the DAM environment from one console
  • the ability to aggregate data for de-duplication and load distribution
  • central reporting from all DAM boxes
  • cross-reporting based on any parameter of the audit event
  • offline forensics on restored archives

DAM is a key element of your security infrastructure. Be sure that its architectural limitations will not close off the possibility of development and integration

#6 – Why don't I see user names in DAM?

At the SQL session level we see the DB user name only. If you want information about the application user related to a particular SQL statement, you need to understand that this relation is created and managed by the application server (queue manager).

Every DAM faces this challenge and provides different solutions, but it always requires deeper analysis and sometimes application modification.

Guardium delivers many different solutions for Application User Translation in connection pools, which are described here – “Guardium – App User Translation”.

Application User Translation (AUT) is a correlation process between the application user and his SQL statements inside an anonymised connection pool.
Be sure that AUT does not work on a simple correlation between timestamps in the application and the database. This kind of mapping in a multi-session channel is not credible and has no legal value.

#7 – I have a SIEM, why do I need DAM?

Security Information and Event Management (SIEM) systems are responsible for correlating security events in the IT infrastructure to identify incidents. These tools rely on the security logs of the monitored systems, network activity, recognized vulnerabilities and reputation lists.

A SIEM manages the security events delivered to it in a predefined schema; it is not able to understand the HTTP requests of your application, the SQL logic of your database transactions, the commands executed by your administrator and so on. It expects the monitored system to prepare a standardized output containing the relevant information, which can be normalized and analyzed against the incident identification rules in the SIEM correlation engine.

Only DAM has the ability to analyze each SQL statement and identify access to sensitive data, monitor privileged activity, correlate access to tables and predict the effect of DML/DDL/DCL actions.

In most cases SIEM licensing is based on the EPS (Events per Second) metric. Even if the SIEM contained the DAM intelligence and we wanted to analyze all SQL statements inside it, the cost of such a solution would be astronomical.

DAM delivers analyzed security events to the SIEM in a constant data format, which enables their correlation with other monitored sources

#8 – Does your DBF work on the session or SQL level?

DAM blocking capability is often requested but should be considered very carefully. Most application traffic to the database consists of transactional statements, where the set of SQL statements and their order affects the analysis carried out and its result. If we block one of the calls in this sequence we can get an exception or, worse, a loss of data consistency.

The business security principles – confidentiality, integrity and availability (CIA) – lead to one possible conclusion: only a session reset is a safe method of blocking access, because it avoids executing incomplete transactions.
However, this method is useless with a connection pool – resetting the SQL session kills transactions from different application sessions.
That is why blocking was actively used only for non-application access to the database, while application access was monitored with whitelisting.

Guardium 10 with the Query/Rewrite feature redefined this approach. Now we can analyze an SQL statement and replace it, not in order to change the transaction body, but to signal that it is suspicious activity and cancel its execution.

from:

BEGIN TRANSACTION
...
END TRANSACTION

to:

BEGIN TRANSACTION
...
(suspicious SQL) -> (redacted to set @PARAMETER)
...
(@PARAMETER validation to cancel execution)
END TRANSACTION

It requires small changes in the application but provides “blocking” at the transaction level.

Only a connection reset is an acceptable form of blocking in most cases. For application traffic use Query/Rewrite

PICTURES BY ULABUKA

Entitlement Reports

Each security incident analysis must answer the question of who is responsible for it. The question seems simple but the answer is not.
Who they are used to attack the credentials, who have granted them, and most importantly, whether the person who served them their own?

In the case of databases, the problem becomes even more complex due to the multi-dimensional matrix of privileges.
A separate kind of security solution – Privileged Identity Management (PIM) – addresses this problem by providing access accountability and session recording, but even with it in place we are still exposed to account takeover (ATO) and service exploitation.
In these cases we should be able to answer a few important questions:
  1. What privileges did the user have at the particular point in time (of the incident)?
  2. Were the authorizations granted consistently with change management, or did they bypass it?
  3. Were they sufficient for the attack?
  4. Was the use of the account related to the account owner's own activity?

Answering the first question requires implementing a full identity management process, which is not simple at all and usually covers database access management at the role level only.

The Guardium Entitlement Reports (ER) functionality is a simple but very useful feature for quickly determining an account's authorizations at a defined point in time.

New: Guardium 10 ER contains a new set of reports for DB2 on iSeries.

ER Prerequisites

ER works outside the standard activity monitoring and is based on scheduled data uploads into custom audit data domains. Like Data Classification and Vulnerability Assessment, it uses a direct data connection to the monitored database to collect the required information.

We need to create appropriate technical accounts for each database from which ER data will be gathered. Each Guardium appliance ships SQL scripts with a role definition that holds all the privileges required to read the ER content.

You can download them via fileserver; they are located in /log/debug-logs/entitlemnts_monitor_role/

Entitlement scripts

When the role has been created and attached to a technical account, we can create a data source (Setup->Tools and Views->Datasource Definitions) for “Custom Domain”.

Data source definition

Use the plus icon to add a new data source; the example below defines MSSQL access using SSL without authentication.

MSSQL data source

The Test Connection button becomes active once the data source configuration has been saved (Apply).

Tip: The data source creation process can be invoked directly from the ER process, but for clarity it is presented here as a separate task.

Data Upload

Now we can define the data upload process. For each database type there is a set of ER reports, all backed by custom tables. For example, for Oracle there are 14 prepared tables (all names start with ORA) – Reports->Report Configuration Tools->Custom Table Builder

Custom table builder

We need to configure the data upload for each report of interest.
Select the report and push the Upload Data button.

Data upload

The Add Datasource button lets us add the data source for which entitlement snapshots will be created. We can point to multiple previously defined data sources or create a new one.

The Overwrite flags (per upload, per datasource) define how the data will be stored:

  • if both flags are unselected, old data is not removed when a new snapshot arrives (each ER data record carries a time stamp, so snapshots can be told apart in time)
  • per upload means that the old data is erased every time an upload is executed – this makes sense only when the particular report has a single datasource, or when we intentionally want to remove the old data
  • per datasource ensures that only the old data of the datasource currently being updated is erased – it protects the old data of datasources which are not available during the current data upload
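The difference between the three flag settings matters most when a report is fed by several datasources and one of them is unreachable during an upload. The following model of that behaviour is an added example, not Guardium code: the record fields, the constructed sample rows and the rule that "per upload" wins when both flags are set are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed model of one ER row. Guardium stamps every uploaded row with
# SQLGUARD_TIMESTAMP and remembers the originating datasource; the remaining
# field names are assumptions, not Guardium's custom-table schema.
@dataclass(frozen=True)
class ErRecord:
    sqlguard_timestamp: str
    datasource: str
    user: str
    authorization: str

def apply_upload(existing: Iterable[ErRecord], uploaded: Iterable[ErRecord],
                 per_upload: bool = False, per_datasource: bool = False) -> List[ErRecord]:
    """Rows left in the custom table after one upload, following the Overwrite flags.

    Assumption: when both flags are set, per_upload takes precedence.
    """
    existing, uploaded = list(existing), list(uploaded)
    if per_upload:
        kept: List[ErRecord] = []                    # every old row goes, whatever its datasource
    elif per_datasource:
        refreshed = {r.datasource for r in uploaded}
        kept = [r for r in existing if r.datasource not in refreshed]
    else:
        kept = existing                              # append only; time stamps tell snapshots apart
    return kept + uploaded

def datasources_lost(existing: Iterable[ErRecord], uploaded: Iterable[ErRecord], **flags) -> Set[str]:
    """Datasources whose whole history disappears in this upload.

    This is the risk the per-upload flag carries when a report feeds from
    several datasources and one of them is unavailable at upload time.
    """
    existing, uploaded = list(existing), list(uploaded)
    before = {r.datasource for r in existing}
    after = {r.datasource for r in apply_upload(existing, uploaded, **flags)}
    return before - after

# Constructed sample: two datasources snapshotted at 00:00; at 06:00 only ds1 answers.
T0, T1 = "2015-09-12 00:00:00", "2015-09-12 06:00:00"
EXISTING = [ErRecord(T0, "ds1", "badguy", "db_datareader"),
            ErRecord(T0, "ds2", "appuser", "db_owner")]
UPLOADED = [ErRecord(T1, "ds1", "badguy", "db_datareader"),
            ErRecord(T1, "ds1", "badguy", "sysadmin")]

if __name__ == "__main__":
    for flags in ({}, {"per_upload": True}, {"per_datasource": True}):
        rows = apply_upload(EXISTING, UPLOADED, **flags)
        print(flags or "no overwrite", "->", len(rows), "rows; datasources lost:",
              datasources_lost(EXISTING, UPLOADED, **flags) or "none")
```

With the sample above, "per upload" silently drops the only snapshot ds2 ever had, "per datasource" keeps it, and no overwrite keeps everything and relies on the time stamp (and on the purge schedule) to manage growth.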

By default the purge for custom domains runs every day and removes data older than 60 days. This behavior can be changed (described later).

Now we can upload data manually (Run Once Now) and/or define how often the authorization snapshot will be created (Modify Schedule).

Configured data upload

How often snapshots are created is the user's decision. However, some recommendations:

  • if you overwrite data, archive it first (using an audit process)
  • the data upload reads directly from the database; it is not a heavy task, but for large databases with thousands of roles and tables the quantity of data can be huge
  • snapshots provide the authorization state at a particular time; to cover forensics requirements we also need to audit the DCL (grant, revoke) transactions
  • a 6-24 hour snapshot schedule is usually sufficient

Data upload scheduler

The data upload configuration steps described here should be repeated for all the ER custom tables of interest.
Now we can review the uploaded data (add the ER reports to your dashboard).

Predefined ER list for Informix

ER report example – MSSQL objects visible for everyone

Predefined ER reports have a raw format and cannot be modified, so I suggest redefining them to get the expected appearance.

ER report customization

This standard report presents all privileges and roles assigned to users on the MSSQL server. You can notice that 2 snapshots have been created in the last 3 hours, and we cannot filter on them the way we can on the other parameters.

2 snapshots in standard report

Below I placed some report variations:

#1 – Last snapshot with quick data filtering

Query

Report

We see the last snapshot from the defined time frame, and we can filter the data by user, authorization, authorization type and database.

New: Guardium 10 allows hiding particular columns of a query. No more query reconstruction for this purpose 🙂

Column configuration

#2 – List of snapshots

Query and Report

New: The “Runtime Parameter Configuration” window separates user-defined parameters from the others. No more searching the parameter list for our own 🙂

Report runtime parameters

#3 – Number of authorizations per user

Query

Graphical report

#4 – Authorizations from particular snapshot

Unfortunately, a report parameter based on a time stamp can be defined with one-day granularity only. It does not allow us to point to a specific snapshot. Really?

We can use a computed attribute to create a snapshot id based on the snapshot time stamp:

grdapi create_computed_attribute attributeLabel="Snapshot ID" entityLabel="MSSQL2005/2008 Role/Sys Privs Granted To User" expression="MD5(SQLGUARD_TIMESTAMP)"

This command creates a new dynamically computed attribute: an MD5 hash string of the time stamp value.

Now I can modify the snapshot list report to show this unique id

Query and Report

and add the snapshot id to the parameter list of any report to filter the data by time stamp. Easy!

Report with computed attribute

Below is an example of a dashboard for incident analysis built on ER reports

Forensics

In this example we can notice that the authorizations of the badguy user changed between 00:45 and 00:49. Using the snapshot id parameter we can present these two snapshots side by side and quickly identify the change.
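The snapshot id trick and the side-by-side comparison above can be reproduced offline on exported ER rows. The script below is an added example, not Guardium code: it assumes that MD5(SQLGUARD_TIMESTAMP) hashes the time stamp's text form ("YYYY-MM-DD HH:MM:SS", as the MySQL MD5() function would), and the report rows are constructed sample data modelled on the MSSQL "Role/Sys Privs Granted To User" report, not real output.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample rows: (SQLGUARD_TIMESTAMP, user, authorization, authorization type).
# Two snapshots four minutes apart; between them "badguy" gains a server role.
SAMPLE_ROWS: List[Tuple[str, str, str, str]] = [
    ("2015-09-12 00:45:00", "badguy",  "db_datareader", "ROLE"),
    ("2015-09-12 00:45:00", "badguy",  "CONNECT SQL",   "PRIVILEGE"),
    ("2015-09-12 00:45:00", "appuser", "db_datareader", "ROLE"),
    ("2015-09-12 00:49:00", "badguy",  "db_datareader", "ROLE"),
    ("2015-09-12 00:49:00", "badguy",  "CONNECT SQL",   "PRIVILEGE"),
    ("2015-09-12 00:49:00", "badguy",  "sysadmin",      "ROLE"),
    ("2015-09-12 00:49:00", "appuser", "db_datareader", "ROLE"),
]

Grant = Tuple[str, str, str]   # (user, authorization, authorization type)

def snapshot_id(sqlguard_timestamp: str) -> str:
    """Same value the computed attribute MD5(SQLGUARD_TIMESTAMP) yields (assumed text form)."""
    return hashlib.md5(sqlguard_timestamp.encode("utf-8")).hexdigest()

def list_snapshots(rows) -> List[Tuple[str, str]]:
    """The 'List of snapshots' report: distinct (time stamp, snapshot id), oldest first."""
    stamps = sorted({r[0] for r in rows})
    return [(ts, snapshot_id(ts)) for ts in stamps]

def snapshot_grants(rows, sid: str, user: Optional[str] = None) -> Set[Grant]:
    """Grants recorded in one snapshot, optionally narrowed to a single user."""
    grants = {(u, a, t) for ts, u, a, t in rows if snapshot_id(ts) == sid}
    return {g for g in grants if user is None or g[0] == user}

def diff_snapshots(rows, sid_before: str, sid_after: str,
                   user: Optional[str] = None) -> Dict[str, List[Grant]]:
    """What was granted and what was revoked between two snapshot ids."""
    before = snapshot_grants(rows, sid_before, user)
    after = snapshot_grants(rows, sid_after, user)
    return {"granted": sorted(after - before), "revoked": sorted(before - after)}

if __name__ == "__main__":
    snaps = list_snapshots(SAMPLE_ROWS)
    for ts, sid in snaps:
        print(ts, sid)
    (_, first), (_, last) = snaps[0], snaps[-1]
    print(diff_snapshots(SAMPLE_ROWS, first, last, user="badguy"))
```

Because the id is a deterministic hash of the time stamp, the same value appears in every ER report that carries the computed attribute, which is what lets one runtime parameter select the same snapshot across several reports on the dashboard.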

How to create your own ER report?

Guardium delivers many different ER reports for DB2, Informix, MSSQL, MySQL, Netezza, Oracle, PostgreSQL, SAP ASE, SAP IQ and Teradata. The custom domain mechanism allows creating your own reports for other databases, or adding reports to cover information unavailable in the predefined ones.

A good example is MSSQL, where the user login status is not visible in the predefined tables. From an incident management perspective this information is crucial and should be gathered.

I have prepared the SQL to get this information:

select loginname AS 'user',
       CASE denylogin WHEN 0 THEN 'ACTIVE' WHEN 1 THEN 'INACTIVE' END AS status,
       CASE isntuser WHEN 0 THEN 'LOCAL' WHEN 1 THEN 'ACTIVE DIRECTORY' END AS 'user type',
       dbname AS 'default database'
from master..syslogins
order by loginname

Next, we need to create a new custom table (Reports->Report Configuration Tools->Custom Table Builder). We have two possibilities: define the table from scratch or import the structure from SQL. I prefer the second method:

Custom table creation

In “SQL Statement” we insert the SQL which returns a sample of reference data. Add Datasource lets us specify the database where the sample exists. Finally we are ready to Retrieve the table definition

Table structure import

If the import was successful we return to “Custom Tables”. To review the structure push the Modify button

Custom table selection

We can modify fields, define keys and define references to Guardium groups.

Custom table modification

Now we can Apply the changes and set the Upload data configuration

Data upload

Note: A custom table definition can be modified only as long as the table contains no data

We have the data, but it is not available for reporting until we create a new report domain (Report->Report Configuration Tool->Custom Domain Builder). The plus (+) icon allows creating a new domain. Insert the “Domain name” and find the custom table created earlier. Move it from “Available entities” to “Domain entities”. Then select the default time stamp from the “Timestamp Attribute” list and Apply

Custom domain selection

Custom domain creation

Our new domain is now visible in the custom query builder (Report->Report Configuration Tools->Custom Query Builder). Select the domain and create all the queries and reports you need. Below is a report with all MSSQL logins and their status

MSSQL logins

ER data management

If we want the collected data to be usable in forensic analysis, we need to set a proper retention for it (archive and restore). These settings are available in “Custom Table Builder” – Purge/Archive button. The Archive check box ensures that the data from a custom table is attached to the data archived by the standard archive process. We can define how long the data will be available locally (Purge data older than) and schedule the purge process (60 days is the default value)

Custom table archive

Tip: Do not forget to archive the data stored in custom tables

Summary: ER is a useful tool in forensic analysis and significantly shortens the time needed to identify the permissions held by the subject of an incident. The ability to customize the data presentation, the scheduled data load and the ability to expand the area of collected information make this tool an indispensable element of the SO's duties. This data can also be used to identify privileged accounts for the proper definition of audit policies.

K-TAP installation failure on Linux is no longer a problem

One of the most important values of the Guardium system is its enterprise architecture. Whether it is installed to monitor one or one hundred databases, we can manage the environment from one place and reconfigure it with appropriate segregation of duties and role-based access control.

Monitoring a database on a system to meet Database Activity Monitoring (DAM) expectations requires visibility of all sessions (local and remote) and support for all database protocols (TCP, shared memory, pipes, etc.). That is why the Guardium monitoring agent (STAP) is deeply integrated with the operating system kernel (KTAP module). However, the diversity of Linux distributions means that every kernel version present at customer sites has to be supported. Before Guardium version 9.1 this process required time (2-3 weeks) for module development and tests. Now the redeveloped KTAP can be easily recompiled, and support for a particular kernel version is no longer a problem.

When should I worry about KTAP?

KTAP compilation is a task of the installation process, and usually we do not need to pay attention to it. However, sometimes the system environment prevents proper compilation, and it is necessary to analyze the situation and take the appropriate steps.

How to check whether KTAP is switched on?

Review the “STAP Status” report and check the value in the “KTAP Installed” column. The value No means that the kernel driver is not installed and activated.

STAP status

The “GIM Event List” report also provides more detailed information.

GIM Event List

Here we have the information that STAP does not contain a module for the kernel on this machine (3.10.0-229.11.1).
Then comes the explanation of the reason for the failure – the development tools have not been installed.
The last marked message points out that KTAP_ALLOW_MODULE_COMBOS is not set to Y. It means that STAP does not try to load other modules which are close to the target kernel. This is the correct configuration for production environments, where any errors at the kernel level are unacceptable.

KTAP compilation process reinitialization

The KTAP compilation process requires the C compiler (gcc), the make tool and the kernel development files on the Linux box. Check for their presence on your machine – for RedHat use these commands:

yum list installed gcc
yum list installed make
yum list installed kernel-devel

Install the missing packages

Package installation

Now we need to reinitialize the KTAP compilation process. The simplest method uses GIM to reconfigure the KTAP module. Open the module selection screen and unselect the “Display Only Bundles” option. Then select the KTAP module and go forward – Next button

KTAP module selection

Set the KTAP_ENABLED field to 1 and Apply to Client. Execute the update using Install/Update

KTAP update

Review the update status. After a while you should receive the information that KTAP is installed. If you receive the status FAILED, restart the analysis from the “GIM Events List” report or analyse the log files (described later).

Update status

Now we can review the “GIM Events List” report again

GIM events

and “STAP Status”

STAP Status

STAP has been installed and we can start data monitoring. A careful observer will notice the appearance of an additional entry, Guardium-FSM, related to the FAM functionality.

Important: The FAM agent works at the kernel level. This functionality requires the KTAP installation.

More detailed information about the KTAP status can be found in the <GIM_HOME>/modules/KTAP/current/KTAP.log file.
This sequence shows the STAP installation and the lack of development tools

[Fri Sep 11 20:42:21 2015] -I- Installing KTAP 10.0.0_r79963_1
[Fri Sep 11 20:42:22 2015] -I- Starting KTAP 10.0.0_r79963_1
[Fri Sep 11 20:42:23 2015] -I- Informing GIM on an event : *** KTAP MODULE WARNING MESSAGE ***
Searching for modules in /opt/guardium/GIM/modules/KTAP/10.0.0_r79963_1-1441996935/modules-*.tgz
guard_ktap_loader: File /lib/modules/3.10.0-229.11.1.el7.x86_64/build/.config not found.  Local build of KTAP will not
guard_ktap_loader: be attempted.  Please install kernel development packages for 3.10.0-229.11.1.el7.x86_64 if you wish
guard_ktap_loader: to build KTAP locally.
guard_ktap_loader: ===================================================================
guard_ktap_loader: You have elected not to load close fitting module combinations.
guard_ktap_loader: To enable close fitting combinations, reinstall bundle STAP while setting the
guard_ktap_loader: KTAP_ALLOW_MODULE_COMBOS to 'Y'
guard_ktap_loader: The in-kernel functionality will now be disabled.

and here is the fragment after the compilation was reinitialized

[Fri Sep 11 21:49:06 2015] -I- KTAP_ENABLED changed its value to 1 ... updating guard_tap.ini)
[Fri Sep 11 21:49:06 2015] -I- checking is ktap 79963 is loaded as part of update()
[Fri Sep 11 21:49:06 2015] -I- Starting KTAP ... for the first time
[Fri Sep 11 21:49:06 2015] -I- Informing GIM on an event : *** KTAP MODULE INSTALLER PLATFORM CHECKS MESSAGE ***

[Fri Sep 11 21:49:06 2015] -I- SEOS check - ok !
[Fri Sep 11 21:49:06 2015] -I- Trying to load KTAP as part of a start request (invoker=)
[Fri Sep 11 21:49:14 2015] Searching for modules in /opt/guardium/GIM/modules/KTAP/10.0.0_r79963_1-1441996935/modules-*.tgz
Attempting to build KTAP module using dir /lib/modules/3.10.0-229.11.1.el7.x86_64/build
guard_ktap_loader: Custom module ktap-79963-rhel-7-linux-x86_64-xCUSTOMxdblin-3.10.0-229.11.1.el7.x86_64-x86_64-SMP.ko built for kernel 3.10.0-229.11.1.el7.x86_64.

In the same directory, ktap_install.log records additional remarks

=== Fri Sep 11 21:49:07 CEST 2015 ===
Attempting to build KTAP module using dir /lib/modules/3.10.0-229.11.1.el7.x86_64/build
Custom module ktap-79963-rhel-7-linux-x86_64-xCUSTOMxdblin-3.10.0-229.11.1.el7.x86_64-x86_64-SMP.ko built for kernel 3.10.0-229.11.1.el7.x86_64.
/sbin/modprobe  ktap ktap_build_number=79963 sys_call_table_addr=ffffffff8161c3c0 kernel_toc_addr= kernel_gp_addr=   
Install OK
Load OK
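Reading these two logs by hand is fine for one host; across a fleet it helps to extract the verdict automatically. The triage function below is an added example, not Guardium tooling: it recognises the three messages shown above (kernel development files missing, close-fitting combinations disabled, custom module built and loaded) and reports the kernel and module name it found. The two log excerpts are constructed from the lines quoted on this page; the remediation hints in the output are the steps described in this article.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpts built from the KTAP.log / ktap_install.log lines shown above.
KTAP_LOG_NO_DEVEL = """[Fri Sep 11 20:42:21 2015] -I- Installing KTAP 10.0.0_r79963_1
[Fri Sep 11 20:42:22 2015] -I- Starting KTAP 10.0.0_r79963_1
guard_ktap_loader: File /lib/modules/3.10.0-229.11.1.el7.x86_64/build/.config not found.  Local build of KTAP will not
guard_ktap_loader: be attempted.  Please install kernel development packages for 3.10.0-229.11.1.el7.x86_64 if you wish
guard_ktap_loader: You have elected not to load close fitting module combinations.
guard_ktap_loader: The in-kernel functionality will now be disabled.
"""

KTAP_LOG_BUILT = """=== Fri Sep 11 21:49:07 CEST 2015 ===
Attempting to build KTAP module using dir /lib/modules/3.10.0-229.11.1.el7.x86_64/build
Custom module ktap-79963-rhel-7-linux-x86_64-xCUSTOMxdblin-3.10.0-229.11.1.el7.x86_64-x86_64-SMP.ko built for kernel 3.10.0-229.11.1.el7.x86_64.
Install OK
Load OK
"""

# Patterns for the messages quoted on this page (guard_ktap_loader wording).
CONFIG_MISSING = re.compile(r"File /lib/modules/(?P<kernel>[^/]+)/build/\.config not found")
COMBOS_OFF = re.compile(r"elected not to load close fitting module combinations")
DISABLED = re.compile(r"in-kernel functionality will now be disabled")
BUILT = re.compile(r"Custom module (?P<module>\S+\.ko) built for kernel (?P<kernel>\S+)\.")

def triage_ktap_log(text: str) -> Dict[str, object]:
    """Classify a KTAP log excerpt: status is one of unknown/disabled/built/loaded."""
    result: Dict[str, object] = {"status": "unknown", "kernel": None, "module": None}
    findings: List[str] = []
    for line in text.splitlines():
        m = CONFIG_MISSING.search(line)
        if m:
            result["kernel"] = m.group("kernel")
            findings.append("kernel-devel missing for %s: install gcc, make and kernel-devel, "
                            "then set KTAP_ENABLED=1 via GIM and Install/Update" % m.group("kernel"))
        if COMBOS_OFF.search(line):
            findings.append("close-fitting module combinations disabled "
                            "(KTAP_ALLOW_MODULE_COMBOS != Y); expected on production hosts")
        if DISABLED.search(line):
            result["status"] = "disabled"
        m = BUILT.search(line)
        if m:
            result["status"] = "built"
            result["kernel"] = m.group("kernel")
            result["module"] = m.group("module")
    if "Load OK" in text and result["status"] == "built":
        result["status"] = "loaded"
    result["findings"] = findings
    return result

def needs_action(text: str) -> bool:
    """True when the log shows KTAP did not end up loaded."""
    return triage_ktap_log(text)["status"] != "loaded"

if __name__ == "__main__":
    for name, log in (("before", KTAP_LOG_NO_DEVEL), ("after", KTAP_LOG_BUILT)):
        print(name, triage_ktap_log(log))
```

Pointing the function at the real files under the GIM KTAP module directory on each host (or at the text of the GIM Event List export) gives a quick list of machines still running without the kernel driver, which is the state in which the FAM functionality is also unavailable.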

What if I cannot install development packages on system?

This situation is typical for production environments, but we can build the module on another system (a test environment) with the same kernel and later install it on the target.

Method 1 – Manual installation on the target system

The list of KTAP modules embedded in the STAP release can be reviewed in the modules-<STAP-release>.tgz file:

[root@dblin current]# tar tvf modules-10.0.0_r79963_trunk_1.tgz | grep .ko | awk '{print $6}'
dummy.ko
ktap-10.0.0_r79963_trunk_1-rh7x64m-3.10.0-123.9.2.el7.x86_64-x86_64-SMP.ko
ktap-10.0.0_r79963_trunk_1-rh7x64m-3.10.0-123.el7.x86_64-x86_64-SMP.ko

After recompilation the new KTAP module is located in the same KTAP directory:

[root@dblin current]# ls *.ko
ktap-79963-rhel-7-linux-x86_64-xCUSTOMxdblin-3.10.0-229.11.1.el7.x86_64-x86_64-SMP.ko

Now we can create the custom module archive – guard_ktap_append_modules command

[root@dblin current]# ./guard_ktap_append_modules 
Original MD5SUM: c467e40397957a81916e0b4f6bfb2864  ./modules-10.0.0_r79963_trunk_1.tgz

The following modules will be added to ./modules-10.0.0_r79963_trunk_1.tgz
     ./ktap-79963-rhel-7-linux-x86_64-xCUSTOMxdblin-3.10.0-229.11.1.el7.x86_64-x86_64-SMP.ko

New MD5SUM: 3718924d80ee6dbbea81594521f7fc1a  ./modules-10.0.0_r79963_trunk_1.tgz

This command adds the compiled module to the modules archive. Then we can manually upload the modules-<STAP_release>.tgz file to a temporary directory on the target machine and execute

guard_ktap_loader retry <tmp_dir>/modules-<STAP-release>.tgz

Then restart STAP; the new KTAP module should be recognized and installed.

Method 2 – KTAP module transfer over GIM

Important: If the STAP_UPLOAD_FEATURE parameter is set to 1, the module recompilation process creates a custom STAP GIM file and transfers it to the collector which manages this STAP

The KTAP compilation process automatically creates the STAP bundle on the appliance which manages this STAP (not on the GIM server). This module can be downloaded from the appliance with the fileserver command, from the /log/gim-dist-packages directory

Fileserver

Tip: In version 10 the fileserver command has an additional parameter, and the current syntax is:
fileserver ip_address_fileserver_client duration

Then you can upload this module to the GIM server and install it on the target machine.

Summary:
The Guardium KTAP driver can easily be built for the kernel residing on the target system. The module creation process assumes that a Quality Assurance procedure is in place.

Update 25.10.2017

Please remember that KTAP module installation using GIM will be allowed on the system only if you installed the GIM client with the option –install_customed_bundles. You cannot change this parameter later remotely via GIM (I have no idea why).

KTAP modules created on the source system receive an increasing prefix in their name, starting from 800, each time a new kernel module is compiled on it.