Guardium 10 introduced new architecture and functionality into agent used to monitor data access (databases and files) on Windows platforms (well-known as a WINSTAP). The most interesting are:
- Integrated installer for 32- and 64- bit platform
- Redesigned TCP and SharedMemory drivers
- File Activity Monitoring with blocking capability
- File Discovery – integrated view on files stored on managed system
- File Classification – sensitive data identification
The simplified view on WINSTAP architecture
shows that we have many different elements responsible for each data monitoring aspect:
- GIM (Guardium Installation Manager) – service based on Perl responsible for installation, update and configuration all other elements working on monitored system (separate article here)
- S-TAP service – communication with collector and data proxy for sniffer drivers (WFP, NPM) – DAM functionality
- WFP – new sniffer driver for TCP/IP stack
- NPM – new sniffer driver for shared memory
- CAS (Change Audit System) – java based service responsible for identification the changes in the critical elements of database and operating system
- FS-TAP (or STAPat) – service responsible for communication with collector and data proxy for I/O sniffer (FSMonitor) driver – FAM functionality
- FSMonitor – I/O sniffer driver responsible for audit and blocking access to file operations
- FAM – Feed service to collector from ICM (IBM Content Classification) infrastructure
- file crawler – ICM process responsible for scan of file system and file metadata generation
- analysis engine – rule based classification tool for files
- ICM server – ICM process responsible for classification task management and configuration upload interface for ICM workbench
- ICM workbench – Windows application to create own classification rules (decision plans)
This article focus on 2 functionalities – database and file activity monitoring. CAS and FAM (ICM) functions will be described in the separate articles.
GIM packages import
The GIM packages are located in the Guardium_10.0_GIM_WIndows.zip package available on IBM Fix Page, this same where we can find the GIM installer.
New: In G10 the CAS module is separated from WINSTAP and it has to be installed separately. It is separate archive.
Starting from version 10 we have 3 GIM modules:
- STAP for Database and File Activity Monitoring (GIM-Kit-Windows archive)
- FAM ICM analysis and classification tools (GIM-Kit-FAM archive)
- CAS for Windows (CAS archive)
Extract GIM modules and import them on GIM manager appliance (Manage->Module Installation->Upload Modules). Using Browse button to select files and upload them:
Then import the uploaded modules – click on small “Import this module” icon and confirm this operation. After a while you will be notified that module has been imported.
Note: In this article I assume that GIM is installed on monitored system – GIM installation is described here.
Now we are able to configure modules (Manage->Module Installation->Setup by Client) on your managed system
To see all available modules for managed Windows system you need to uncheck “Display Only Bundles” flag
Now we are ready to install.
S-TAP and FS-TAP installation and configuration
Module configuration screen has not been changed in the G10. The “Common Module Parameters” section contains the preselected parameters (the assumption most widely used). In the comparison to G9 we can notice 4 new fields for Query/Rewrite feature (firewall parameters still unavailable).
However I prefer fewer options in this section than putting them all, what we see in Linux S-TAP configuration.
“Common Module Parameters” section is used to simplify module configuration. The “Apply to Selected” button saves data from this form to marked systems inside “Client Modules Parameters” section. It is useful in case when you configure 2 or more managed systems together.
Minimum information required to install WINSTAP module:
- WINSTAP_INSTALL_DIR – installation directory of this module in backslash notation (i.e. C:/Guardium/WINSTAP)
- WINSTAP_SQLGUARD_IP – collector IP assigned to this WINSTAP as a primary
- WINSTAP_TAP_IP – only if your managed system has many network interfaces (option has to be set directly for particular agent)
Please notice that most parameters have default value and you do not need set them.
Now parameters from “Client Module Parameters” should be assigned to monitored system – Apply to Clients button. Finally installation process can be invoked using Install/Update (define when the process will start or order immediate execution – insert “Now”)
Check out installation status using “i” icon
WHAT IF I NEED SET UP MORE ADVANCED FEATURES
It is available by using the WINSTAP_CMD_LINE parameter. You can put here any values in format <parameter>=<value> which are corresponds to TAP section of guard_tap.ini. Below example of installation with 3 additional parameters
and guard_tap.ini content after installation
New: WINSTAP 10 changed the location of guard_tap.ini from c:\Windows\System to <WINSTAP_INSTALL_DIR>\Bin
REMOTE WINSTAP RECONFIGURATION
Standard STAP modification form is available under Manage->Activity Monitoring->S-TAP Control and provides limited manageability
but Guardium API delivers interface to manage most existing WINSTAP parameters
grdapi update_stap_config stapHost= updateValue=SECTION.PARAMETER:VALUE waitForResponse=<0|1>
the updateValue parameter can point many WINSTAP configuration changes
This method can work with 3 sections of guard_tap.ini
And here is an example that sets the same three parameters that I used in WINSTAP_CMD_LINE method
grdapi update_stap_config stapHost=192.168.0.20 updateValue=TAP.FIREWALL_INSTALLED:1&TAP.FIREWALL_DEFAUL_STATE:1&TAP.KRB_MSSQL_DRIVER_INSTALLED:1 waitForResponse=1
Do not forget restart S-TAP after change
grdapi restart_stap stapHost=<stap_ip>
Default installation enables database instance discovery. Current version of S-TAP discoveries installed on monitored system instances of DB2, Couch DB, Informix, Mongo DB, MSSQL and Oracle. If you would like to monitor other supported databases you need add inspection engine manually (edit S-TAP configuration in portal and “Add Inspection Engine” definition. Then push Add and Apply buttons
It is possible to disable instance discovery during WINSTAP installation process. The -NOAUTODISCOVERY flag has to be set in CMD_COMMAND_LINE parameter.
New in G10: Database Instance Discovery does not use Java longer
Instance discovery can be ordered manually from portal. In S-TAP Control view click on “Send Command” icon
then select “Run Database Instance Discovery” command
Be aware that “Replace Inspection Engines” flag clears all existing IE definitions. Use it if you are running the initial instance scan or intentionally you would like to replace them. Results of instance discovery are stored in “Discovered Instances” report
To compare discovered instances to actually defined in S-TAP you can use grdapi call from report. In the report bar expand Action menu and select list_inspection_engines command
Select one row and insert your S-TAP host IP address
Now output from grdapi can be compared with the last scan
New in 10: Action menu in the report allows to invoke Guardium API calls for all results in the related report. Very useful feature.
Instance discovery process can be executed periodically using DISCOVERY_INTERVAL=<time_in_hours> parameter. This parameter cannot be modified by grdapi and you should remember to set it during installation or later change it manually.
Base on this refreshed information we can create Audit Process to identify changes of the existing instances or detect new ones available on the host.
Tip: If S-TAP configuration parameter from TAP section cannot be changed remotely by API or does not exist form field in GIM you always can modify it using CMD_COMMAND_LINE.
Do not forget set up the DAM policy on the collector. Default policy installed on appliance after installation – “Ignore Data Activity for Unknown Connections” – ignores all traffic.
DAM policy creation and installation available at:
Policy Builder – Protect->Security Policies->Policy Builder for Data & Applications
Policy Installer – Protect->Security Policies->Policy Installation
New in 10: Redefined S-TAP architecture in G10 allows monitor database traffic without restart machine or database.
Now you are able to monitor database traffic.
Info: I use here FAM acronym as a reference to FS-TAP functionality. The FAM ICM features are not a part of this article
File Activity Monitoring is separately licensed. Standard installation of WINSTAP activates this feature as default. To prevent its installation put in the CMD_COMMAND_LINE the flag “-FAM OFF” (the guard_tap.ini syntax reference FSM_DRIVER_INSTALLED=0 does not work)
Important: If you do not posses FAM license, please remember switch this feature off to avoid compliance issue
Installed FAM is visible in the “S-TAP Control” list (S-TAP host with “-FAM” suffix)
Important: Default FAM settings switch off the monitoring of Administrator account. FAM policies can block access to particular files or whole file system and to protect against accidentally mistakes the files activity monitoring ignores super-users (root, Administrator). You can enable this functionality using TAP flag in guard_tap.ini – FAM_PROTECT_PRIVILEGED=1. Use it on production only when your policies were tested, incorrect use can lead to crash and irreversible damage of the monitored system
FAM does not require any inspection engine definition. File monitoring is defined by separate FAM policy installed parallel to DAM.
FAM policy builder
FAM policy builder (Protect->Security Policies->Policy Builder for Files) delivers new application to create and modify the file monitoring polices. Use + icon to add new policy
Insert policy name. “Show Templates” option allows use the rules created in the other FAM policies. Add new rule using + icon
The rule definition screen uses a new interface logic incorporated in G10 – “End to End scenario”. In this case we are able create rule in 4 steps with the clear context of this task. Now we need insert rule name and go Next
We define systems where rule will be evaluated. We can select particular system with FAM feature enabled
or select/create group of systems
Next step defines the action type:
- Audit (put event to Access audit domain)
- Alert and Audit (1 and additional Guardium Alert event)
- Log As Violation and Audit (1 and mark event in the Quick Search as a violation)
- Block, Log As Violation and Audit (1, 3 and block I/O operation)
- Ignore (do nothing)
Last step defines rule criteria. We can use maximum 3 of them:
- File path (required, defines single or group of paths, wildcards allowed)
- User (not required, one or group of users)
- File operation (not required, single or set of available operations)
Available qualifiers for File path:
- = this path
- != everything except this path
- In Group – all paths in the group
- Not In Group – everything except paths in this group
This is example a file path group definition
Criterion for User uses this same four qualifiers but related to user names. If User criterion is not appear in the rule or has no value, each user is monitored.
Access command criterion can refer to one selected operation (=) or their group (In Group). If this criterion has been removed from rule or has no value, all operations are monitored.
Tip: If you want to see all file system operations including directory structure modification leave Access command criterion empty
Two exclusive options are available in the criteria section:
- Monitor subdirectories in file path – very useful but consider it influence on performance
- Removable media – disables File path criterion in the rule and refers to all files on the attached media (pen drive, CD/DVD, etc.)
Rules evaluation in FAM policy is similar to DAM. Rules are evaluated from top to down. If rule matches the analyzed file event all the other rules are ignored (you cannot force the evaluation process to next rule). Use arrows icon to reorder rules in your policy
FAM policy installation
FAM policy has to be installed on collector. It is completely independent to DAM and must be installed parallel.
In the Protect->Security Policies->Policy Installation point your FAM policy in the Policy Installer section. Then select action
which is executed immediately
Tip: When FAM and DAM coexist together you need to manage minimum 2 polices on your collector. Use the names of easy to distinguish policies (DAM- and FAM- prefixes, for example).
Install & Override action used before G10 most frequently is not longer an option in DAM and FAM environments.
Important: Modified policy is not installed automatically on collector, you need reinstall it after change. To avoid policy deinstalation/installation use Run Once Now button in Policy Installer section (installed policy refresh)
All FAM audited events are stored in the Access domain. It is example of query to provide full information about file access events
and report based on it
QuickSearch for FAM is separated from DAM. You need enable this option using grdapi:
grdapi enable_fam_crawler activity_schedule_units=<MINUTE|HOUR> activity_schedule_interval=<INTERVAL> entitlement_schedule_units=<MINUTE|HOUR> entitlement_schedule_interval=<INTERVAL>
activity_* parameters are related to events audited by policy
entitlement_* parameters are related to metadata gathered by ICM
The FAM and DAM quicksearch window can be invoked from menu bar
Guardium 10 introduced a lot new features and improvements for monitoring of Windows environment:
– simple installation
– wider support for instance discovery
– no reboots and restarts after agent installation
– remote configuration and management
– file activity monitoring and blocking
– file content analysis and classification
It is significant step to build integrated data governance platform