51 cards in this set

  • Front
  • Back
-Discovery: inventory files and metadata
-Classification: crawl through the files to look for potentially sensitive data
-Monitoring: monitor access to files based on policy rules, audit and alert
Capabilities of file activity monitoring (1.1.1)
-Policies and Rules:A security policy contains an ordered set of rules to be applied to the observed
traffic between database clients and servers
-Workflows:Workflows consolidate several database activity monitoring tasks, including asset
discovery, vulnerability assessment and hardening, database activity monitoring
and audit reporting, report distribution, sign-off by key stakeholders, and
escalations
-Auditing: Change auditing features for tracking changes to values
in database tables
-Classification: Guardium supports the discovery and classification of sensitive data to allow the
creation and enforcement of effective access policies
1.1.3 Explain key security concepts used in Data Activity Monitoring
IBM-O-MS my,pso,te,mc,hp,clou,hw,monachpach,UBU,RH
1.2.1 Supported Data source platforms for IBM Guardium Data Protection
O,MI,IBM,MY,SAP,POS,TERA,ASTER-MON
1.2.2 Supported Data source platforms for IBM Guardium Vulnerability Assessment (VA)
1.3.2 Database Entitlements Reports
are used to verify that users have access only to the
appropriate data.
1.4.1 Database Auto-discovery
Auto-discovery uses scan and probe jobs to ensure that no database goes undetected in
your environment.
2.3.1 The Function of a Collector.
Collector – In Database Activity Monitoring or Vulnerability Assessment, the collectors
monitor and analyze database activity to provide continuous fine-grained auditing and
reporting, real-time policy-based alerting and database access controls.
2.1.1 What are the minimum resources recommended to install IBM Security Guardium v10.1.2
on virtual appliance?
Physical CPUs: Minimum 4 cores x86 (Intel or AMD) processors required
RAM (64-bit): 24 GB (min) to motherboard max
Ports (NICs): 1 Gbit or 10 Gbit per second card recommended;
a 10 Gbit per second card can be used in a 64-bit system with sufficient memory
2.2.2 Redeploying an appliance to be an Aggregator
The Guardium unit type cannot be changed from a Collector
to an Aggregator from a cli command or similar. The Unit must be rebuilt from scratch
and the correct unit type specified.
2.2.3 Using STAP Failover across two Collectors
S-TAP failover
An S-TAP can be configured to fail over to (start communicating with) a
secondary or tertiary collector if the primary collector is unreachable. When
the primary collector becomes reachable again, the S-TAP reverts to it.
The S-TAP also uses a limited memory buffer (spill file on the z/OS) to
temporarily buffer data that is in transit to the collector.
S-TAP Mirroring
If a collector fails, the data since the last daily export or archive is lost. To
avoid any loss, the S-TAP can be configured to mirror its transmission to two
collectors, so each collector receives the same copy of the data.
2.3.3 Guardium appliance Types
Managed Unit
Standalone Unit
Central Manager Aggregator
Backup Central Manager
2.4.1 Which are components of the S-TAP
The S-TAP agent product also contains these subcomponents:
K-TAP
A-TAP
PCAP
TEE
Discovery Agent
3.1.1.2 Port Requirements for Windows servers
9500/9501 TCP Alive messages
9500 TCP Clear S-TAP®
9501 TLS Encrypted S-TAP
3.2.1 Privileged user accounts for gathering Entitlement Report data
The gdent prefix is used for the scripts that are used for entitlement reporting
3.2.2 Database privileges for Guardium Vulnerability Assessment and Entitlement Reports
When looking for scripts to grant privileges for entitlement reporting, use the scripts
in the gdmmonitor_scripts directory.
3.3.1 Initial configuration from CLI
1. Set the primary system IP address
2. Set the Default Router IP Address
3. Set DNS Server IP Address
4. SMTP Server
5. Set Host and Domain Names
6. Set the Time Zone, Date and Time
7. Set the Initial Unit Type
8. Reset Root Password
9. Validate All Settings
10. Reboot the System
store network interface ip <ip_address>
store network interface mask <mask>
store network resolver 1 <dns_server>
store network route default <gateway>
restart network
store system hostname <hostname>
store system domainname <domain>
store system clock timezone <timezone in Continent/Country syntax>
store system ntp server (specify the servers; pressing Enter twice confirms the entered values)
store system ntp state on
store unit type standalone
setup vm install
restart system
3.3.3 Making Guardium appliance as Central Manager
Enter store unit type manager
3.4.2 KTAP loader sequence for Guardium Linux S-TAP installation
1. KTAP Loader finds exact kernel module match for the Operating system level
and loads it.
2. KTAP Loader checks if there is a tested compatible kernel module in the
ktap-combos.txt file list (KTAP_List_of_Modules) and loads it.
3. KTAP Loader compiles KTAP module locally and loads it. KTAP will only be
compiled on the system if the system has required packages installed (gcc
and kernel-devel for booted kernel).
4. If FlexLoad mechanism is ON, KTAP Loader will find the closest matching
kernel module and load it.
5. To turn on the FlexLoad mechanism, use the following flags:
• For Shell installation, use option:
"--ktap_allow_module_combos"
• For GIM installation, use option:
"KTAP_ALLOW_MODULE_COMBOS=Y"
6. Otherwise, KTAP Loader generates a "Failed to load" message and installs the S-TAP
without the KTAP (or fails the S-TAP installation).
3.4.3 Configure S-TAP in Guardium after you upgrade S-TAP
To resolve the problem, follow these steps in the GIM modules installation pane.
• Set KTAP_LIVE_UPDATE to Y
• Set KTAP_ENABLED to Y
and reinstall the new S-TAP.
3.4.4 Command line interactive installation mode
Interactive mode is recommended for individual S-TAPs. The system prompts for the
basic configuration, and verifies your input immediately, so there are no errors.
3.4.5 Troubleshooting of installation of the Guardium GIM client
If the message "GIM Client failed to register (500, read timeout)" appears in the Central
GIM log, any of the following causes are possible:
1. The IP address or host name of the g-machine is invalid in the GIM Client
configuration.
2. The GIM Client is pointing to a Central Manager unit instead of to the Managed Unit.
3. Port 8081 is blocked by the firewall.
4. The GIM servlet is not running on the Managed Unit.
3.4.7 S-TAP Monitoring and Status Checking
1. If an S-TAP is not connected to your Guardium system, check whether the S-TAP process is running on the database server.
2. Verify the connection between the database server and the Guardium system.
• Verify that you can ping the Guardium system at sqlguard_ip from the database
server.
• If the ping is successful, verify that you can telnet to the correct ports on
the Guardium system (based on the monitored platform)
• If there is a firewall between the database server and the Guardium system, verify
that the correct ports are open for traffic between these two systems (based on the
monitored platform)
4.1.1 Understand and use the deployment health views
The deployment health views gather and display information about your entire Guardium
environment in powerful, easily consumed graphical views.
4.1.1.3 The deployment health dashboard
The deployment health dashboard presents data from your entire Guardium deployment.
It formats and presents the data through various tiles, or
small window-like containers.
4.1.1.3.2 Alerts by category, name, severity, or system
The deployment health dashboard supports several tiles based on Guardium
correlation alerts: Alerts by category, Alerts by name, Alerts by severity, and
Alerts by system. Add correlation alert tiles to the dashboard by using the Add
chart menu.
4.1.1.3.3 Resource requirements
A table that displays all met and unmet resource requirements in your Guardium
deployment is also available at Manage > Central Management > System.
4.1.1.3.4 Unit utilization issues
The unit utilization issues tile displays issues based on unit utilization thresholds.
The issues that are displayed on the tile represent individual metrics that exceed
their respective thresholds. The overall severity is assigned based on the highest
severity issue that is found in all available metrics for an individual system in a
specified time period.
4.2.1.2 Default Purge
• The default value for purge is 60 days
• The default purge activity is scheduled every day at 5:00 AM.
• For a new install, a default purge schedule is installed that is based on the default
value and activity.
• When a unit type is changed to a managed unit or back to a standalone unit, the
default purge schedule is applied.
• The purge schedule will not be affected during an upgrade.
• When purging a large number of records (10 million or higher), a large batch size
setting (500k to 1 million) is the most effective way to go. Using a smaller batch size
or NULL causes the purge to take hours longer. Smaller purges finish quickly, so a
large batch size setting is only relevant for large purges.
4.2.1.3 How to determine what days are not archived
Open the Report Builder by clicking Manage > Reports > Report Builder. From the Query
menu, select Location View.
4.2.1.5 Restore Data
If this system is not the system that generated the archive to be restored, you must
create a location entry in the catalog via Catalog Archive, then click Add (reference:
Guardium catalog) or GuardAPI (reference: CLI and API > GuardAPI Reference >
GuardAPI Catalog Entry Functions).
4.2.1.5.1 Before Restoring Data
• Before restoring from TSM, a dsm.sys configuration file must be uploaded to
the Guardium system, via the CLI. Use the import tsm config CLI command.
• Before restoring from EMC Centera, a pea file must be uploaded to the
Guardium system, via the Data Archive panel.
• Before restoring or importing a file that was encrypted by a different
Guardium system, make sure that the system shared secret used by the
Guardium system that encrypted the file is available on this system
(otherwise, it will not be able to decrypt the file).
• Before restoring on a Guardium collector, run the CLI command stop
inspection-core to stop the inspection-core process.
4.2.1.5.2 How to restore data
1. Open Data Restore by clicking Manage > Data Management > Data Restore.
2. Enter a date in From to specify the earliest date for which you want data.
3. Enter a date in To to specify the latest date for which you want data.
4. For Host Name, optionally enter the name of the Guardium system from
which the archive originated.
5. Click Search.
6. In the Search Results panel, check the Select check box for each archive
you want to restore.
7. In the Don't purge restored data for at least field, enter the number of days
that you want to retain the restored data on the system.
8. Click Restore.
9. Click Done when you are finished.
4.5.1.3 Central Manager Redundancy supports (it does not support?)
Data (collected data, audit results and custom table data) is not included.
4.6.4 Associating S-TAPs with managed units for enterprise load balancing
1. On a Central Manager, navigate to Manage > Central Management > Enterprise Load
Balancer > Associate S-TAPs and Managed Units.
2. Associate the S-TAP group with a group of managed units.
a. Select the S-TAP group you want to associate
b. Click Associate Managed Units to open the Associate Managed Unit Group
dialog.
c. If necessary, create a new group of managed units; otherwise, select an existing
Managed Units group to associate with your S-TAP group.
4.3.2.3 Creating customized roles
Creating customized roles involves several processes:
• Creating a new role
• Managing permissions for the role to limit what users can access
• Optionally customizing the navigation menu for the role to further limit what users
can see
• Adding users to the role
4.3.2.4.1 Limit access from the application
Limit access from the application by deselecting the All Roles check box on the
Role Permissions > Edit Application Role Permissions screen. Next, select the
individual roles that should have access to the application.
The process is the same if you find that the All Roles check box is already
deselected: simply select or deselect the individual roles to grant or revoke
access to the application.
5.1.2 IGNORE STAP SESSION
Ignore S-TAP Session causes the collector to send a signal to the S-TAP instructing it
to stop sending all traffic, except for the logout notification, for specific sessions.
5.1.4 When does “Alert Only” send notifications
If an alert action is specified, the Notification pane opens, and at least one notification
type must be defined. “Alert only” and “Alert per match” notify each time the rule is satisfied.
5.1.5 Rule Types to monitor DML commands:
DML (Data Manipulation Language) commands include SQL statements like UPDATE, INSERT,
etc. These are monitored by access rules.
5.1.5 Policy rules basics
There are three types of rules:
o An access rule applies to client requests - for example, it might test for UPDATE
commands issued from a specific group of IP addresses.
o An exception rule evaluates exceptions returned by the server (responses) - for
example, it might test for five login failures within one minute.
o An extrusion rule evaluates data returned by the server (in response to requests)
- for example, it might test the returned data for numeric patterns that could be
social security or credit card numbers.
5.1.6 Alerting every time a Policy rule is met
Alert Per Match sends notifications each time the rule is satisfied. This would be
appropriate for a condition requiring attention each and every time it occurs.
5.2.1 Avoid Logging Full Details for temporary Objects
You can insert the wildcard character (%) anywhere within the value
string. The wildcard character (%) represents a string of zero or more
characters.
5.2.2 Using Groups to hold lists of members
If a group has no members (an empty group), the group condition will always return TRUE
when the rule is evaluated.
5.2.3 Using Query Re-Write to modify returned rows
-Add a rule with a QUERY REWRITE: ATTACH rule action
-Add a rule with one or more QUERY REWRITE: APPLY DEFINITION
-Add a rule with a QUERY REWRITE: DETACH
5.3.5 Ignoring traffic from Development database servers.
IN GROUP - If the value matches any member of the selected group, the condition is
true. IN ALIASES GROUP works on a group of the same type as IN GROUP, but assumes
the members of that group are aliases. Note that the IN GROUP and IN ALIASES GROUP
operators expect the group to contain actual values or aliases, respectively. Query
Builder will look for records whose database values match the alias values in the group.
5.4.3 Using a runtime parameter to filter reports dynamically
A runtime parameter provides a value to be used in a query condition. There is a default
set of runtime parameters for all queries, and any number of runtime parameters can be
defined in the query that is used by the report.
5.4.4 Sending Guardium report data to an external database
An external feed can be mapped to receive data from Guardium reports
• Identify the external database that will receive data from the feed, and gather the
connection information required for that database (ip address, port number,
username, password, etc.). External feeds currently support relational databases and
may not function with other database types.
• External feeds allow you to send Guardium report information directly to an external
database. Anything that can be defined in a report can be sent via an external feed.
These feeds depend on mapping DOMAIN_ID and ATTRIBUTE_ID from Guardium's
reporting mechanism to table fields on the external database. Each mapping consists
of the records in four tables (EF_MAP_TYPE_HDR, EF_MAP_TABLE,
EF_MAP_COLUMN, and EF_MAP_GDM_TYPE). Use the
grdapi_create_ef_mapping function to help create these tables and establish the
mapping.
5.7.2 Configure a VA test to identify the administrative privileges of Oracle users.
The basic steps for creating a security assessment are:
1. Create the assessment
2. Add datasources to the assessment
3. Add tests to the assessment
5.6.3 Signing off an Audit Process Result on behalf of the assigned receiver
As an administrator, you can perform any actions on any to-do list entry. Any actions you
perform are logged, indicating that the action was performed on behalf of the user by the
administrator.
Navigate to Comply > Tools and Views > Audit Process To-Do List.
6.2.1 Describe the different options for self-monitoring, using and integrating the predefined
alerts, or creating new alerts for better monitoring in Guardium
• The Alert Builder allows you to configure new alerts and send them
to different receivers (SIEMs, email, etc.).
• Correlation alerts, system self-monitoring and unit utilization are visualized in the
deployment health dashboard of a Guardium environment.
• To obtain an extensive set of buffer usage statistics, you can use correlation alerts
and queries based on the Sniffer Buffer domain and the Sniffer Buffer entity.
• Queries used in alert definitions must include a timestamp field for a better
definition of the query.
6.3.1 Describe the steps to follow to identify and solve problems with Agents in Guardium
The InfoSphere Guardium Installation Manager (GIM) client reports a registration
timeout failure (500, read timeout), which is written to the GIM log after its installation.
Identifying the symptoms caused by this error allows you to solve the agent's
communication problem.
• A 'slon' capture can be useful for IBM Technical Support to help diagnose
problems with the data packets that come into the Guardium appliance.
• You can use the S-TAP Events panel to view the event messages output by S-TAP
and identify the problems reported.
• The S-TAP Monitor process allows you to monitor the performance and responsiveness
of S-TAP, and to take certain actions based on several thresholds.
• If an S-TAP does not respond to the console's request, you can automatically take
actions that may include: obtaining information, killing the S-TAP process and taking a core dump.
• The S-TAP agents can be configured to support active/passive database clusters
where the databases are not available or not mounted on the passive node until the
failover occurs.