IBM InfoSphere Guardium Version 8.

Guardium Administration
Copyright, IBM Corp. 2011

Table of Contents
Guardium Administration Guide ................................................................................... 1
Guardium Administration Help Book ........................................................................... 1
Guardium Administration .......................................................................................... 1
Administration Overview ........................................................................................ 1
admin Role Privileges ............................................................................................ 1
admin User Privileges ............................................................................................ 2
Access Management and the Administrator .............................................................. 2
Installation ............................................................................................................. 3
Installation Overview ............................................................................................ 3
Step 1. Assemble the following before you begin ..................................................... 3
Step 2. Setup the physical appliance or the virtual appliance..................................... 5
Step 3. Install the IBM InfoSphere Guardium image ................................................. 7
Step 4. Setup Initial and Basic Configuration ........................................................... 8
Step 5. What to do next ..................................................................................... 10
Physical Connectivity........................................................................................... 13
Install a Server Certificate (Optional) .................................................................... 17
Appliance Overview............................................................................................. 20
System Configuration............................................................................................. 24
System Configuration Overview ............................................................................ 24
About the System Shared Secret .......................................................................... 24
Modify the System Configuration .......................................................................... 25
System Configuration Panel Reference .................................................................. 25
Inspection Engine Configuration .............................................................................. 29
Inspection Engine Configuration Overview ............................................................. 29
Configure Settings that Apply to All Inspection Engines ........................................... 30
Settings that Apply to All Inspection Engines .......................................................... 30
Create an Inspection Engine ................................................................................ 32
Start or Stop an Inspection Engine ....................................................................... 34
Remove an Inspection Engine .............................................................................. 34
Portal Configuration ............................................................................................... 34
Configure Authentication ........................................................................................ 35
Authentication Overview ...................................................................................... 35
Configure Guardium Authentication ....................................................................... 35
Configure RADIUS Authentication ......................................................................... 35

Configure LDAP Authentication ............................................................................. 36
Global Profile ........................................................................................................ 37
Global Profile Overview........................................................................................ 37
Override the Default Aliases Setting ...................................................................... 37
Customize the PDF Page Footer ............................................................................ 37
Edit the Alert Message Template ........................................................................... 38
Alert Message Template Variables ......................................................................... 38
Disable accordion menus ..................................................................................... 40
Named Template ................................................................................................ 40
CSV Separator ................................................................................................... 40
Add other HTML content to the Guardium Window .................................................. 40
Add or Disable a Login Message ............................................................................ 40
Enable or Disable Concurrent Same-user Logins ..................................................... 41
Enable Data Level Security at the Observed Data Level ........................................... 41
Default Filtering .................................................................................................. 41
Escalate result to all users ................................................................................... 42
SCP and FTP files via different ports ...................................................................... 42
Add a Logo to the Guardium Window .................................................................... 42
Alerter Configuration.............................................................................................. 42
Alerter Overview................................................................................................. 42
Automatically activate the Alerter on startup .......................................................... 43
Set the frequency that the Alerter checks for and sends messages ........................... 43
Configure the Alerter to send SMTP (email) messages ............................................. 43
Configure the Alerter to send SNMP traps .............................................................. 44
Anomaly Detection ................................................................................................ 44
Anomaly Detection Overview ................................................................................ 44
Automatically activate Anomaly Detection on startup .............................................. 45
Set the frequency that Anomaly Detection checks for appliance issues ...................... 45
Enable or Disable Active Alerts ............................................................................. 45
Stop or Restart Anomaly Detection ....................................................................... 45
Session Inference .................................................................................................. 46
IP-to-Hostname Aliasing ......................................................................................... 46
Upload Key File ..................................................................................................... 47
Query Hint ............................................................................................................ 47
Customer Uploads ................................................................................................. 48
Archive, Purge and Restore ..................................................................................... 49
Archive, Purge and Restore .................................................................................. 49
Configure Data Archive and Purge......................................................................... 51
Configure SCP or FTP Archive or Backup ................................................................ 52
Configure EMC Centera Archive or Backup ............................................................. 53
Configure TSM Archive or Backup ......................................................................... 54
Configure Results Archive .................................................................................... 54
Restore Data ...................................................................................................... 55
Catalog Archive .................................................................................................. 56
Catalog Export ................................................................................................... 57
Catalog Import ................................................................................................... 57
Results Export (CSV, CEF, PDF) ............................................................................... 58
System Backup ..................................................................................................... 59
SCP and FTP files via different ports ...................................................................... 60
Export/Import Definitions ....................................................................................... 60
Export/Import Definitions Overview ...................................................................... 60
Definition Types for Exporting (Table) ................................................................... 63
Export Definitions ............................................................................................... 64
Import Definitions............................................................................................... 64
Distributed Interface .............................................................................................. 65
Configure Distributed Interface ............................................................................. 65
Capture Replay ..................................................................................................... 69
How to use this feature ....................................................................................... 69
Configure Replay ................................................................................................ 70
Stage the data ................................................................................................... 71
Replay the Configuration ..................................................................................... 71
Data Staging ...................................................................................................... 72
Capture/Replay Comparison Listings ..................................................................... 72
Workload Comparison ......................................................................................... 74
Transaction Status .............................................................................................. 76
Compare (invoke APIs to compare jobs) ................................................................ 76
Modify Replay Configuration ................................................................................. 76
Remove Replay Configuration............................................................................... 76
Purge Replay Results........................................................................................... 77
Stop Replay after it starts .................................................................................... 77
S-TAP Certification................................................................................................. 77
Approve STAPs ................................................................................................... 77
Custom Alerting Class Administration ....................................................................... 78
Configure Permission to Socket Connection ............................................................... 78
Manage Custom Classes ......................................................................................... 78
Custom Class Management Overview .................................................................... 78
Upload a Custom Class ........................................................................................ 79
Update a Custom Class........................................................................................ 79
Delete a Custom Class ........................................................................................ 79
SSH Public Keys .................................................................................................... 79
Running Query Monitor .......................................................................................... 80
Legal Notices ........................................................................................................ 81
Trademarks ....................................................................................................... 83

Guardium Administration Guide


Guardium Administration Help Book
This help book describes Administration functions.
Click any topic in the Contents panel to the left to view the topics online, or click the PDF
link below to download a PDF version of the book.

Guardium Administration
Administration Overview
admin Role Privileges
admin User Privileges
Access Management and the Administrator
Administration Overview
Guardium administrators perform various administration and maintenance tasks from the
administrator portal, called Administration Console. Any user assigned the admin role is
referred to as a Guardium administrator. This is distinct from the admin user account,
which is described in detail below.
Refer to the Contents panel to the left for a list of tasks usually performed by Guardium
administrators.
admin Role Privileges
The Guardium admin role (that is, any user account that has been assigned the role admin) has
privileges that are not explicitly assigned to that role. For example, when a user with the
admin role displays a list of privacy set definitions, all privacy sets defined on the Guardium
system are displayed, and the user with the admin role can view, modify, or delete any of those
definitions.
When a user without the admin role accesses the list of privacy sets, that user will see only
those privacy sets that he or she owns (i.e. created), and all privacy sets that have been
assigned a security role that is also assigned to that user.
CLI diag Command Access
Use of the diag cli command requires an additional password, which can be the password of
any user with the admin role.
If automatic account lockout is enabled (a feature that locks a user account after a specified
number of login failures), the admin user account may become locked after a number of
failed login attempts. If that happens, use the unlock admin CLI command to unlock it.
Note: Account lockout can also be cleared by the accessmgr. Go to user browser, choose
Edit under the Actions heading for the locked account and uncheck the box next to Disabled.

admin User Privileges
The admin user has additional privileges that are not granted to the admin role, as follows:
- Access to all users' to-do lists
- Owner of imported definitions
- Access management functions
admin User To-Do List Powers


The To-do List is a workflow automation feature that controls the distribution of audit
process results to users. The admin user has special privileges and responsibilities in this
area. If a user account is disabled, all audit process results for that user will be re-assigned
to the admin user automatically. If a user is unavailable for any other reason, audit process
results may be "stalled" in that user's to-do list, i.e., awaiting sign-off before being released
to the next results receiver. The admin user can open any user's to-do list, and take any
actions available to that user. When the admin user performs any actions on another user's
to-do list, that fact is noted in the audit process activity log (e.g., "User admin signed
results on behalf of user x").
Imported Definition Ownership
When definitions are exported, all roles are removed, and the owner is changed to the
admin user. This is the only way to control how the definition will be used on the importing
system.
Access Management and the Administrator
By default, the Customize Pane for the admin user lists the Access Management tab, but
that tab does not appear in the layout, and no access management functions can be
performed. In smaller installations where access management and system administration
are not separate functions, you can grant access management privileges to the admin user
by logging in as the access manager (accessmgr), and assigning the accessmgr role to the
admin user. The next time the admin user logs in, the Access Manager tab (and all
functionality) will be available. This is possible for the admin user only (and not for other
users having the admin role).
If you have assigned the accessmgr role to the admin user, you are logged in as the admin
user, and you remove accessmgr from your own set of roles, the Access Management tab
disappears, but its menu remains, with the message "You do not have access to these
portlets." Click any other tab, and the menu and message disappear.
Notes
- The admin and accessmgr roles cannot be assigned to the same user. A user may hold both
roles as a result of a legacy configuration or of an upgrade, but current releases do not
allow the two roles to be assigned to the same user.
- In the past, when an appliance was upgraded using the upgrade patch, the accessmgr role
was assigned to the admin user and the accessmgr user was disabled. In that upgrade
situation, to configure the accessmgr and admin users on a new appliance, it was
necessary to first log in as admin and enable the accessmgr user, then log in as
accessmgr (the initial password was guardium; the system prompted the user to change
it), and remove the accessmgr role from the admin user.

Installation
Installation Overview
The appliances are shipped with the Guardium solution software and with an initial factory
configuration (default roles, default passwords, etc.), specific product keys based on the
customer's entitlements, and other unique settings that may be defined in the purchase
process.
This topic is organized as a series of installation steps that allow an administrator to
completely configure the appliance.
The initial configuration steps are performed using a local connection to the unit, via KVM or
direct keyboard and console connection. The remaining configuration steps can be done
over a network connection through the Command Line Interface (CLI) or the web-based
Graphical User Interface (GUI).
To complete the required installation and configuration, the appliance should be connected
to the network through an eth0 network card (or a virtual definition of one) and should have
a valid interface IP Address.
Before installing an appliance, read through this overview and then follow the complete set
of steps:
Step 1. Assemble the following before you begin
Step 2. Setup the physical appliance or the virtual appliance
Step 3. Install the IBM InfoSphere Guardium image
Step 4. Setup Initial and Basic Configuration
Step 5. What to do next
Supplemental information
Physical Connectivity
Install a Server Certificate (Optional)
Appliance Front and Back Views
Step 1. Assemble the following before you begin
This section details the minimum hardware resources required and what configuration
information is necessary to obtain before installation can proceed.
1.1 Hardware Requirements
The following hardware requirements are necessary for the IBM InfoSphere Guardium
solution to work properly. Unless specified otherwise, the requirements are for both the
physical installation and the virtual installation.

1.1.1 Installation on Physical Appliances
The InfoSphere Guardium solution will work only on Intel-based platforms with Xeon
processors. Only platforms and hardware that are officially supported by RedHat Linux 5.5
are expected to work properly. However, not all officially supported platforms are
guaranteed. Platforms that require additional drivers or specialized post-install configuration
are not supported at this time (see note below).
Note: If a customer has an appliance they know will require additional configuration beyond
the standard RedHat 5.5 installation, then that customer should install RedHat 5.5 and
record all the installation time choices and any post-install configuration steps. Send this
information to Guardium Technical Support for analysis and, based on the analysis, they
may be able to provide a software update to support this platform.
Any deviation from the instructions outlined in this document may result in failure to install
the solution, in such cases, the appliance might not be accessible over the network and IBM
InfoSphere Guardium Technical Support engineers will not be able to assist in
troubleshooting and remediation.
See the latest Software Appliance Technical Requirements document (not part of help
information) for specific platforms tested and approved by IBM.
1.1.2 Installation on Virtual Appliances
While IBM InfoSphere Guardium can be installed on any VMware product, the VMware ESX
server is the recommended platform for a virtual solution.
Notes:
1. Hardware requirements for the virtual solution are restricted to the platforms
supported by VMware.
2. When using the virtual solution, Database Activity Monitoring must be done via S-TAP
agents. Over-the-network inspection through a SPAN port or Tap device is not
supported for the virtual offering.
3. Due to VMware's performance limitations, it is not recommended to use the virtual
solution when monitoring high volumes of database activity. The virtual solution is
recommended for smaller environments and for the Privileged Users Monitoring
audit mode.
1.1.3 Recommended Resources
See the latest Software Appliance Technical Requirements document (not part of help
information) for required and recommended resources.
1.2 Sizing Recommendations
See the latest Software Appliance Technical Requirements document (not part of help
information) for sizing metrics.
1.3 Preparations
Preparing for the deployment of the appliance, the network administrator needs to supply:
- IP address for the interface card (eth0), and optionally an IP address for a secondary
management interface connection.
- Default router IP address.
- DNS server IP addresses (up to three addresses); also add the new appliance to the
DNS server.
- Hostname and domain name to assign to the system.
- (optional) NTP server hostname.
- (optional) SMTP configuration information (for email alerts): IP address, port, and, if
authentication is used, an SMTP user name and password.
- (optional) SNMP configuration information (for SNMP alerts): the IP address of the
SNMP server and the trap community name to use.

1.4 SAN Storage Devices
If the installation is to be deployed on a SAN, all configuration information needed by the
SAN, before deployment, must be prepared. Also, there are additional installation steps
required to partition the SAN storage device and install the IBM InfoSphere Guardium OS.
See the latest Software Appliance Installation Guide (not part of help information) for
configuration and installation information.
Step 2. Setup the physical appliance or the virtual appliance
The setup instructions in this section are different when installing to a physical appliance or
a virtual appliance.
2.1 Physical Appliance
Once the appliance has been loaded into the customer's rack, connect the appliance to the
network in the following manner:
1. Find the power connections. Plug the appropriate power cord(s) into these
connections.
2. Connect the network cable to the eth0 network port.
3. Connect a keyboard, video display and mouse directly, or through a KVM connection
(either serial or through the USB port), to the appliance.
4. Power up the system.
Note: How to connect the appliance for network-based database activity monitoring.
For network-based database activity monitoring (as opposed to S-TAP-based), the
appliance captures the database traffic directly through the network. In this mode, the
appliance should be connected through one of the secondary network cards (in
addition to the eth0 connection) to a Switch or network Tap Device through which the
monitored database traffic flows (the nearer that device is to the monitored database
server or to a monitored application the better).
The illustration below is an example of the rear panel from the Dell R610, showing the
location of the power connections and the eth0 network port.

See the next section on how to map the network ports.


2.2 How to identify eth0 and other network ports
Use the following CLI commands to map the network ports.
show network interface inventory
Use this command to display the port names and MAC addresses of all installed network
interfaces.
Example
CLI> show network interface inventory
eth0 00:13:72:50:CF:40
eth1 00:13:72:50:CF:41
eth2 00:04:23:CB:11:84
eth3 00:04:23:CB:11:85
eth4 00:04:23:CB:11:96
eth5 00:04:23:CB:11:97
show network interface port
Use this command to locate a physical connector on the back of the appliance. After using
the show network interface inventory command (above) to display all port names, use this
command to blink the light on the physical port specified by n (the digit following eth in the
inventory output: eth0, eth1, eth2, eth3, etc.) 20 times.
Syntax
show network interface port <n>
Example
CLI> show network interface port 1
The orange light on port eth1 will now blink 20 times.
2.3 Virtual appliance
The IBM InfoSphere Guardium Virtual Machine (VM) is a software-only solution that is licensed
and installed as a guest virtual machine on a hypervisor such as VMware ESX Server.
To install the IBM InfoSphere Guardium VM, follow the steps in Appendix B, How to Create
the Virtual Image. A summary of the steps in the appendix:

- Verify system compatibility
- Install VMware ESX Server
- Connect network cables
- Configure the VM Management Portal
- Create a new Virtual Machine
- Install the IBM InfoSphere Guardium virtual appliance
After installing the VM, go to Step 4, Setup Initial and Basic Configuration, for further
instructions on how to configure the IBM InfoSphere Guardium system.
Step 3. Install the IBM InfoSphere Guardium image
This section details how to install the image and partition the disk.
1. Make sure your BIOS boot sequence settings are set to attempt startup from the
removable media (the DVD drive) before using the hard drive. Note: Installation can
take place from DVD.
2. Load the IBM InfoSphere Guardium image from the installation DVD.
3. The following two options will appear:
Standard Installation - default partitioning. Choose this option if unsure of how to
partition the disk.
Custom Partition Installation - allows more customization of the partitions (locally
or on a SAN disk). There are two custom partitioning options, one of which starts the
installer in a graphical mode that allows for more advanced partitioning options. See
Appendix C for further information on how to implement this option.
Notes
- The Standard Installation wipes the disk, repartitions and reformats it, and
installs a new operating system.
- On the first boot after installation, the user is asked to accept a Licensing
Agreement. Use PgDn to read through the agreement or q to skip to the end. To
accept the terms of the agreement, enter q to exit and then type yes. The user
MUST enter "yes" to the agreement or the machine will not boot up.
4. The system will boot up from DVD. The installation takes about 12 minutes.
The CD image version uses two separate CDs. To insert the second CD, log in as
guardinstall with the password guardium.
(a). The system asks for the CLI Password (will be set to guardium automatically
after 10 seconds if no input is provided).
(b). Choose and enter the password for the GUI Admin user. Repeat this password a
second time to confirm it.
(c). Choose and enter the password for the Access Manager user. Repeat this
password a second time to confirm it.
CLI and GUI passwords will need to be changed again on first login.
Note (for steps a, b, c): There is no visible output when entering the passwords.

(d). The installation process will now ask you to choose a collector or aggregator (will
be set to Collector automatically after 10 seconds if no input is provided).
Pay attention to the wording of the on-screen question:
For Collector answer YES.
For Aggregator answer NO.
5. The system will automatically reboot at this point to complete the installation.
Step 4. Setup Initial and Basic Configuration
The initial step should be the network configuration and must be done locally through the
Command Line Interface (CLI) accessible through the serial port or the system console.
Enter the temporary cli password you supplied previously.
In the following steps, you will supply various network parameters to integrate the IBM
InfoSphere Guardium into your environment, using cli commands.
In the cli syntax, variables are indicated by angled brackets, for example: <ip_address>
Replace each variable with the appropriate value for your network and installation (but do
not include any brackets).
Note: Do not change the hostname and the time zone in the same CLI session.
4.1 Set the primary System IP Address
The primary IP address is for the eth0 connection, and is defined using the following two
commands:
store network interface ip <ip_address>
store network interface mask <subnet_mask>
Optionally, a secondary IP address can be assigned, but this can only be done from the GUI
after the initial configuration has been performed. The remaining network interface cards on
the appliance may be used to monitor database traffic, and do not have an assigned IP
address.
4.2 Set the Default Router IP Address
store network routes def <default_router_ip>
4.3 Set DNS Server IP Addresses
Set the IP address of one or more DNS servers to be used by the appliance to resolve host
names and IP addresses. The first resolver is required, the others are optional.
store network resolver 1 <resolver_1_ip>
store network resolver 2 <resolver_2_ip>
store network resolver 3 <resolver_3_ip>
4.4 SMTP Server

An SMTP server is required to send system alerts. Enter the following commands to set your
SMTP server IP address, set a return address for messages, and enable SMTP alerts on
startup.
store alerter smtp relay <smtp_server_ip>
store alerter smtp returnaddr <first.last@company.com>
store alerter state startup on
4.5 Set Host and Domain Names
Configure the hostname and domain name of the appliance. This name should match the
hostname registered for the appliance in the DNS server.
store system hostname <host_name>
store system domain <domain_name>
Note: During basic configuration of the appliance, do NOT change the hostname and the
time zone in the same CLI session. Change hostname, reboot, login and then change the
time zone.
4.6 Set the Time Zone, Date, and Time
There are two options for setting the date and time for the appliance. Do one of the
following:
Date/Time Option 1: Network Time Protocol
Provide the details of an accessible NTP server and enable its use.
store system ntp server <ntpserver_name>
store system ntp state on
Date/Time Option 2: Set the time zone, date and time
Use the following command to display a list of valid time zones:
store system clock timezone list
Choose the appropriate time zone from the list and use the same command to set it
store system clock timezone <selected time zone>
Store the date and time, in the format: YYYY-mm-dd hh:mm:ss
store system clock datetime <date_time>
Note: Do not change the hostname and the time zone in the same CLI session.
4.7 Set the Initial Unit Type
An appliance can be a standalone unit, a manager or a managed unit. In addition, an
appliance can be set to capture database activity via network inspection, S-TAP, or both.
The standard configuration is a standalone appliance (for all appliances), and the
most common setting uses S-TAP capturing (only for collectors).
store unit type standalone    <-- all appliances
store unit type stap          <-- for collectors
Unit type standalone and unit type stap are set by default. Unit type manager (if needed)
must be specified.
Note: unit type settings can be done at a later stage, when the appliance is fully
operational.
4.8 Reset Root Password
Reset your root password on the appliance using your own private passkey by executing the
following CLI command (requires access key: t0Tach):
support reset-password root <N>|random
Save the passkey used in your documentation to allow future Technical Support root
accessibility. To see the current passkey, use the following CLI command:
support show passkey root
4.9 Validate All Settings
Before logging out of CLI and progressing to the next configuration step, it is recommended
to validate the configured settings using the following commands:
show network interface all
show network routes defaultroute
show network resolver all
show system hostname
show system domain
show system clock timezone
show system clock datetime
show system ntp all
show unit type
4.10 Reboot the System
Reboot the system to complete the basic configuration. If the system is not in its final
location, now is a good time to shut the system down, place it in its final network location,
and start it up again. Remove the installation DVD before rebooting the system.
To reboot the system, enter the following command in CLI:
restart system
The system will shut down and reboot immediately after the command is entered. Upon
startup, the system should be accessible (via CLI and GUI) through the network, using the
provided IP address and hostname.
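To catch mistakes before they are typed into the appliance, the following Python script (an added example; it is not part of the Guardium product or of this guide) validates a planned set of Step 4 values and renders the store commands from 4.1 to 4.7 as two CLI sessions separated by a reboot, so that the hostname and the time zone are never changed in one session. The field names, the sample values and the time zone string are constructed assumptions; take the real zone name from store system clock timezone list.

```python
"""Pre-flight check for the Step 4 basic CLI configuration (added example, not
Guardium code): validates the planned values and renders the store commands as
two CLI sessions so the hostname and time zone are never changed in one."""
import ipaddress
import re
from datetime import datetime

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
UNIT_TYPES = {"standalone", "manager", "stap"}  # unit types named in the guide
DATETIME_FMT = "%Y-%m-%d %H:%M:%S"  # the guide's YYYY-mm-dd hh:mm:ss

def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def validate(cfg):
    """Return the problems found in cfg; an empty list means it is consistent."""
    problems = []
    try:
        net = ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['mask']}").network
    except (KeyError, ValueError) as err:
        return [f"ETH0 ip/mask invalid: {err}"]
    if not _is_ipv4(cfg.get("router", "")):
        problems.append("default router is not an IPv4 address")
    elif ipaddress.IPv4Address(cfg["router"]) not in net:
        problems.append("default router is outside the ETH0 subnet")
    resolvers = cfg.get("resolvers", [])
    if not 1 <= len(resolvers) <= 3:
        problems.append("one to three DNS resolvers are required")
    problems += [f"resolver {r!r} is not an IPv4 address" for r in resolvers if not _is_ipv4(r)]
    if not _is_ipv4(cfg.get("smtp_relay", "")):
        problems.append("SMTP relay is not an IPv4 address")
    if not EMAIL_RE.match(cfg.get("smtp_return", "")):
        problems.append("SMTP return address is not an e-mail address")
    if not LABEL_RE.match(cfg.get("hostname", "")):
        problems.append("hostname is not a valid DNS label")
    if not all(LABEL_RE.match(p) for p in cfg.get("domain", "").split(".")):
        problems.append("domain name is not valid")
    # Time: NTP server by name (the guide says an IP is not accepted) or zone+datetime.
    if cfg.get("ntp_server"):
        if _is_ipv4(cfg["ntp_server"]):
            problems.append("NTP server must be a host name, not an IP address")
    else:
        if not cfg.get("timezone"):
            problems.append("no NTP server and no time zone given")
        try:
            datetime.strptime(cfg.get("datetime", ""), DATETIME_FMT)
        except ValueError:
            problems.append("datetime must be in YYYY-mm-dd hh:mm:ss format")
    unknown = set(cfg.get("unit_types", [])) - UNIT_TYPES
    if unknown:
        problems.append(f"unknown unit type(s): {sorted(unknown)}")
    return problems

def render_sessions(cfg):
    """Return (session1, session2) as lists of CLI commands: session 1 sets network,
    SMTP, hostname, domain, NTP and unit type, then reboots; session 2 (empty when
    NTP is used) sets the time zone and date only after that reboot."""
    s1 = [f"store network interface ip {cfg['ip']}",
          f"store network interface mask {cfg['mask']}",
          f"store network routes def {cfg['router']}"]
    s1 += [f"store network resolver {i} {r}" for i, r in enumerate(cfg["resolvers"], 1)]
    s1 += [f"store alerter smtp relay {cfg['smtp_relay']}",
           f"store alerter smtp returnaddr {cfg['smtp_return']}",
           "store alerter state startup on",
           f"store system hostname {cfg['hostname']}",
           f"store system domain {cfg['domain']}"]
    if cfg.get("ntp_server"):
        s1 += [f"store system ntp server {cfg['ntp_server']}", "store system ntp state on"]
    s1 += [f"store unit type {t}" for t in cfg.get("unit_types", [])]
    s1.append("restart system")
    s2 = []
    if not cfg.get("ntp_server"):
        s2 = [f"store system clock timezone {cfg['timezone']}",
              f"store system clock datetime {cfg['datetime']}", "restart system"]
    return s1, s2

def same_session_conflict(sessions):
    """True if any one session changes both the hostname and the time zone."""
    return any(any(c.startswith("store system hostname") for c in s)
               and any(c.startswith("store system clock timezone") for c in s)
               for s in sessions)

SAMPLE = {  # constructed values: RFC 5737 documentation addresses, assumed zone name
    "ip": "192.0.2.10", "mask": "255.255.255.0", "router": "192.0.2.1",
    "resolvers": ["192.0.2.53", "192.0.2.54"],
    "smtp_relay": "192.0.2.25", "smtp_return": "guardium@example.com",
    "hostname": "g2", "domain": "example.com",
    "timezone": "America/New_York", "datetime": "2011-06-01 09:30:00",
    "unit_types": ["standalone", "stap"],
}

if __name__ == "__main__":
    print("problems:", validate(SAMPLE) or "none")
    for n, session in enumerate(render_sessions(SAMPLE), 1):
        print(f"--- CLI session {n} ---\n" + "\n".join(session or ["(nothing)"]))
```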
Step 5. What to do next
This section details the steps that follow installation: verifying the installation by logging
on to the appliance, setting the unit type, installing license keys and maintenance patches,
and installing S-TAPs, Inspection Engines and CAS.

5.1 Verify Successful installation
1. Login to CLI - ssh cli@<ip of appliance>
2. Login to GUI - https://<ip of appliance>:8443
Login to the IBM InfoSphere Guardium web-based interface and go to the embedded online
help for more information on any of the following tasks:
5.2 Set Unit Type
To set up a federated environment, configure one of the appliances as the Central Manager
and set all the other appliances to be managed by it.
See the store unit type command in the Appendices help book, under the CLI topic.
5.3 Install License Keys
See System Configuration in the Guardium Administration help book. (Note: in federated
environments, license keys are installed only on the Central Manager)
Specific product keys, which are based on the customer's entitlements, must be installed
through the CLI or the GUI as described below.
From the GUI:
1. Log in as admin to the IBM InfoSphere Guardium console.
2. Navigate to Administration Console -> Configuration -> System
3. Enter the License Key(s) in the System Configuration panel
From the CLI:
1. Log in to the CLI
2. Issue the store license console CLI command to store a new license:
store license console
3. Copy and paste the new license at the cursor location. Make sure to type an equal sign
(=) at end of license code. Press Enter and then CTRL-D.
5.4 Install maintenance patches (if available)
Patches can be installed through CLI (see store system patch command) or through the
GUI.
See the Central Patch Management topic in Aggregation and Central Management help
book.
(Note: in federated environments, maintenance patches can be applied to all of the
appliances from the Central Manager)
There may not be any maintenance patches included with the installation materials. If any
are included, apply them as described below.

1. Log in to the IBM InfoSphere Guardium console, as the cli user, using the temporary cli
password you defined in the previous installation procedure. You can do this by using an ssh
client.
2. Do one of the following:
If installing from a patch DVD, insert the DVD into the IBM InfoSphere Guardium DVD drive,
enter the following command, and skip ahead to step 3:
store system patch install cd
If installing from a network location, enter the following command (selecting either ftp or
scp):
store system patch install [ftp | scp]
And respond to the following prompts (be sure to supply the full path name to the patch
file):
Host to import patch from:
User on <hostname>:
Full path to patch, including name:
Password:
3. You will be prompted to select the patch to apply:
Please choose one patch to apply (1-n,q to quit):
Type the number of the patch to apply, and then press Enter.
4. To install additional patches, repeat steps 2 and 3.
5.5 Additional Steps (optional):
CLI command store language
Use the CLI command store language to change from the baseline English and convert the
database to the desired language. Installation of Guardium is always in English. A Guardium
system can only be changed to Japanese or Chinese (Traditional or Simplified) after an
installation. The "store language" command is considered a setup of the appliance and is
intended to be run during the initial setup of the appliance. Running this CLI command after
deployment of the appliance in a specific language can change the information already
captured, stored, customized, archived or exported. For example, the psmls (the panes and
portlets you have created) will be deleted, since they need to be recreated in the new
language.
Note: After converting from English to another language, it is not possible to revert to
English.
Install S-TAP agents on the database servers and define their inspection engines
S-TAP is a lightweight software agent installed on the database server. It monitors local and
network database traffic and sends the relevant information to the IBM InfoSphere
Guardium appliance (the collector) for further analysis, reporting and alerting.
To install an S-TAP, refer to the S-TAP help book included in the product manuals.
To verify that the S-TAPs have been installed and are connected to the IBM InfoSphere
Guardium appliance:

1. Log in to the IBM InfoSphere Guardium administrator portal.
2. Do one of the following:
Navigate to the Tap Monitor --> S-TAP tab, and select S-TAP Status from the menu. All
active S-TAPs should display with a green background. A red background indicates that the
S-TAP is not active.
Navigate to Administration Console --> Local Taps --> S-TAP Control, and confirm that
there is a green status light for this S-TAP.
Define Inspection Engines for network-based activity monitoring
Install Configuration Auditing System (CAS) agents on the database server
5.6 More Information
For more information, go to the following online resources:
IBM InfoSphere Guardium home page:
http://www.ibm.com/software/data/info/guardium/
Technical Support home page: http://www.ibm.com/software/support/
Supplemental Information
Physical Connectivity
For network-based Database Activity Monitoring (as opposed to S-TAP-based), the appliance
captures the database traffic directly through the network. In this mode, the appliance
should be connected through one of the other network cards (not eth0) to a switch, hub, or
network device through which the database traffic flows (the nearer that device is to the
monitored database server or to a monitored application the better).
See Appliance front and back views for power connections and network connections at the
end of this topic.
Network Placement
For the most comprehensive monitoring of database communications, it is recommended
that the appliance be located as close as possible to the protected resource: the database.
If placed near the database client system, the appliance will see all traffic to or from that
client and any of the databases with which it communicates. If placed near the database
server, the appliance will see all traffic to or from any client to the database server.
In order for the appliance to function properly, it must be able to collect the database
communications that pass through the network segment on which it is connected. On a LAN
that is implemented on a network hub, the appliance can view and collect network data
packets. On a LAN that is implemented with network switches, viewing and collection of
these data packets will not occur unless the switch is specifically configured to allow such
actions.
If the appliance is placed on a switched network, that network switch must be configured to
mirror all traffic to and from the databases to be monitored, to a port on which the

appliance will be connected. A network administrator will be able to perform this
configuration. Consult your switch vendor's documentation on the exact method to perform
this configuration. Some vendors call this mirroring feature Port Mirroring or Switched Port
Analyzer (SPAN).
The appliance provides administrative access from its first network interface card, whose
connector is labeled ETH0, and optionally from its last network interface card. The number
of the last interface card varies, depending on what types of cards are installed (one-, two-,
or four-port cards are available).
Database traffic is monitored either:
- using SPAN ports connected in sequence to ETH1, ETH2, ETH3, etc., or
- using consecutive ETH connector pairs (1-2, 3-4, etc.) to monitor traffic via network TAPs.
The network administrator:
- Provides an IP address for the ETH0 connection to the desktop LAN, and optionally an IP address for a secondary management interface connection.
- Provides the default router IP address.
- Provides the IP addresses of one to three DNS servers.
- Adds the new appliance to the company DNS server.
- If an NTP server will be used, provides its host name (you cannot specify an IP address for the NTP server).
- Provides SMTP configuration information (for email alerts): IP address, port, and if authentication is used, an SMTP user name and password.
- If SNMP will be used for alerts, provides SNMP configuration information: the IP address of the SNMP server and the trap community name to use.
The appliance administrator:
- Coordinates with the network administrator to connect the desktop LAN to ETH0, and to the optional secondary interface (if used). Note: If a secondary IP address is used, this must be plugged into the last/highest port, which will be located on the top right. See System IP Address (Secondary) under the System Configuration Panel Reference section of the System Configuration topic.
- With the network administrator, connects the SPAN port(s), or uses one or more ETH pairs (1-2, 3-4, etc.) to monitor traffic from network TAPs.
- When using the high availability feature, which provides fail-over support via IP Teaming for the primary connection, the IP address assigned must be plugged into ETH3. For more information about the high-availability option, see the store network interface high-availability command in the Network Configuration CLI Commands appendix.
- Uses the Administration Console to ensure that the system and network settings are properly configured.

Guidelines for Rack Mounting
Different rails and rack mounting systems are available. See the separate document shipped
with your unit for rack mounting instructions.
Network Interfaces and Connectors
Two PCI slots on the back of the system may contain network cards, and one or two
Integrated NICs may also be present. The use and location of all network cards is highly
variable, depending on the options purchased and the date the unit was built.
The use of network interfaces is described below. To connect the network cables, refer to
the network connection mapping document that shipped with the system or with any
upgrade to the unit that involved changing one or more network cards. If you do not have
this document, contact Technical Support.
ETH0
Always use ETH0 to connect to the LAN over which users will access the appliance. This is
also the connection over which S-TAP and CAS agents will send data. A second network
connection can be used to provide additional bandwidth, or to provide for a fail-over
capability (two separate options). The primary System IP Address is always assigned to
ETH0, and the optional secondary System IP Address (set via the Administration Console) is
always assigned to the highest numbered port. You can assign the primary IP address using
the CLI, as described later in this chapter. To use a fail-over device, you must enable the
high-availability option using the store network interface high-availability on command
(see the CLI appendix).
SPAN Port Connections
Connect ETH1 to the first SPAN port. Optionally connect additional SPAN ports using the
remaining connectors as necessary, in order.
TAP Connections
Beginning with ETH1 & ETH2, use each pair of connectors in sequence, one per TAP.
IP Configuration
To set the initial network configuration for the unit, use the Command Line Interface (CLI),
which is available from the serial port or on the system console.
Using the CLI
The CLI language is not case-sensitive.
All CLI examples are written in courier text. For example: show system clock

Notation for Command Arguments
Some command descriptions use delimiters to indicate which command arguments are
mandatory and in which context. Each syntax description shows the dependencies between
the command arguments by using special characters:

- The < and > symbols denote a required argument.
- The [ and ] symbols denote an optional argument.
- The | (vertical bar) symbol separates alternative choices when only one can be selected. For example: store full-bypass <on | off>
State Arguments
Commands that handle a state setting accept and use the following state arguments:
- on or off
- up or down
- enabled or disabled
- active or inactive
- 1 or 0
CLI Command Abbreviations
You can abbreviate commands and keywords as long as you provide enough characters so
the commands are not ambiguous.
For example: show can be shortened to: sho
Log in to the CLI
Once interactive administrative access is physically connected (via console or serial port),
turn on the appliance.
If a serial terminal is connected, no text will be displayed until the system has completely
finished its boot process. At that point, a login prompt is displayed.
If a PC keyboard and monitor are connected, a splash screen is displayed. The appliance
then loads the operating system and displays various text messages as it progresses
(Setting clock, Loading default keymap, etc.)
Once the system has finished booting, press the Enter key to obtain the login prompt.
The only user account for the CLI is cli, with a password assigned as noted in your
installation package.
Once you have logged in, you can start entering configuration settings.
Note: The installation uses two CDs. To insert the second CD, log in as guardinstall and
use the password "guardium".
Optionally Reset the CLI Password

To simplify the support process, we suggest that you keep the assigned CLI password. To
change the cli password, use the store user password command. You will be prompted to
enter the current password, and then the new password twice. None of the password values
you enter on the keyboard will display on the screen. The cli user password must:

- Be at least six characters in length.
- Contain at least one digit character (0-9).
- Contain at least one lowercase alphabetic character (a-z).
- Contain at least one uppercase alphabetic character (A-Z).
Note that there is no way to retrieve the CLI user password once it is set. If you lose this
password, contact Technical Support to have it reset.
For a complete list of the commands available through the CLI, see the CLI Appendix.
Set the appropriate unit type for this appliance
An appliance can be a standalone unit, a manager or a managed unit. In addition, an
appliance can be set to capture database activity via network inspection, S-TAP, or both. The
standard configuration is a standalone appliance, and the most common setting uses
S-TAP capturing.
store unit type standalone
store unit type stap
Optionally Enable Automatic Decoding of Kerberos-Encrypted Database User Names
Note: This is not the preferred way to decode Kerberos-Encrypted Database User Names.
See the Windows S-TAP help for more information. If you are unsure which approach will be
used for Kerberos, skip this step for now (this can be configured later).
In an MS SQL environment, database user names may be encrypted by Kerberos. These
names will appear as strings of hexadecimal characters in reports. The appliance can decode
these names automatically if it has access to the Kerberos traffic and the feature is enabled,
as described below.
To enable the automatic decoding of Kerberos-encrypted database user names, enter the
following commands:
store local-stap on
store unit type stap
Ignore any messages about restarting the inspection core or inspection engines. The correct
settings will take effect when you restart the server after all initial settings have been
configured (as described below).
Install a Server Certificate (Optional)
After you have configured the network settings and rebooted the system, you can obtain
and store a server certificate following the process outlined below:
1. Use the CLI to create a Certificate Signing Request (CSR).

2. Submit the CSR to your Certificate Authority (CA) and obtain a server certificate in
return.
3. If the server certificate returned by your CA includes the full trust path, skip ahead
to step 4. Otherwise, store the CA certificate (and, if necessary, any intermediate
certificates on the full trust path) on the appliance. This must be done before storing
the new server certificate.
4. Use the CLI to store the returned server certificate on the appliance.
Note: Guardium is NOT a Certificate Authority (CA). Users of Guardium, who wish to use the
Certificate feature, need to acquire/generate their own certificate.
Each step is described in detail, below. Be aware that you perform the second step outside
of the appliance, using whatever CA your company uses.
Create a CSR
Use the CLI to create a CSR (Certificate Signing Request). Be sure to enter all information
correctly and do not enter this command until after your network settings have been
configured. The generated CSR will be a PKCS7 file encoded in PEM (base64 ASCII text)
format, so you can copy and paste it easily.
To create the CSR:
1. Log in to the appliance as the cli user, as described previously
2. Enter the csr command.
3. Reply to all prompts, which will be used in generating the request. Be aware that the
common name (CN) is generated automatically from the host and domain name you
assigned when configuring the unit:

- What is the name of your organizational unit (OU=) ?
- What is the name of your organization (O=) ?
- What is the name of your city or locality (L=) ?
- What is the name of your state or province (ST=) ?
- What is the two-letter country code for this unit (C=) ?
- What encryption algorithm should be used (1=DSA or 2=RSA)?
You can find very detailed information on the DSA and RSA algorithms by searching
the web.
After you respond to the last prompt, the system displays a description of the request,
followed by the request itself, and followed finally by additional instructions. For
example:
This is the generated CSR:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=MA, L=Waltham, O=XYZCorp, OU=Accounting, CN=g2.xyz.com
-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
Please copy and paste this output to a file, starting at the BEGIN and END
lines, and use that file to work with your Certificate Authority in
obtaining a certificate. I will be expecting the incoming certificate to be in
PKCS#7 PEM format. Your CA will help you in receiving that format.
Once you have it, please use the "store certificate" command to
complete this operation.
4. Before continuing, check the Subject line to verify that you have entered your
company information correctly. If you can submit a CSR online and obtain a server
certificate quickly, remain logged in. Otherwise, enter the quit command now to log
out. Then log in again later after you have received the server certificate.
Submit the CSR to Your CA
When copying the CSR, be sure to select the entire request (shown above), including the
BEGIN and END request lines. Most CAs provide online signing services, so you will be able
to simply paste the CSR into a text box. If not, paste the CSR into a text file or into an
email in the appropriate location.
Be sure to have the server certificate generated as a PKCS7 file in PEM (base64 ASCII text)
format, since you will need to copy and paste it into the CLI.
Store the CA Certificate (Optional)
Perform this step only if the server certificate returned from your CA does not include the
full trust path.
Use the CLI to store the CA certificate and, if necessary, to store any intermediate
certificates on the full trust path to the server. Certificates must be stored in hierarchical
order, beginning with the CA certificate.
1. If you are not still logged in to the appliance as the cli user, log in again as described
previously.
2. Enter the store trusted certificate command.

The following prompt is displayed:
What is a one-word alias we can use to uniquely identify this
certificate?
Enter a one-word name for the certificate and press Enter. The following instructions
are displayed:
Please paste your CA certificate, in PEM format.
Include the BEGIN and END lines, then press CTRL-D.
3. Copy the certificate, paste it to the command line, and press CTRL-D. You are
informed of the success or failure of the store operation.
4. If there are intermediate certificates on the full trust path to the appliance, repeat
steps 2 and 3 above for each of those, in hierarchical order.
Store the Server Certificate
Use the CLI to store the server certificate:
1. If you are not still logged in to the appliance as the cli user, log in again as described
previously.
2. Enter the store certificate console command.
The following information and prompt is displayed:
Please paste your new server certificate, in PEM format.
Include the BEGIN and END lines, then press CTRL-D.
3. Copy the server certificate, paste it to the command line, and press CTRL-D. You are
informed of the success or failure of the store operation.
4. Enter the restart gui command to restart the GUI.

Appliance Overview
The appearance of the appliance varies slightly depending on the model number and the
options purchased.
Appliance Front View
Dell Model R610

Appliance Front View - Dell Model R610

Item | Indicator, Button or Connector | Description
1 | Power-on indicator, power button | The power-on indicator lights when the system power is on. The power button controls the DC power supply output to the system. Press to power the unit on or off. The indicator light may be: Off - the system is off and AC power is not connected; Blinking - a blinking green light indicates that the power is connected, but the system is not powered on; On - a solid green light indicates that the system is powered on.
2 | NMI button | Used to troubleshoot software and device driver errors when using certain operating systems. This button can be pressed using the end of a paper clip. Use this only if directed to do so by qualified support personnel.
3 | USB connectors (2) | Connect USB devices to the system. The ports are USB 2.0-compliant.
4 | Video connector | Connect a PC monitor here for initial installation or when using the CLI. You can also connect a PC monitor to the back of the unit, or you can connect a terminal or a PC to the serial port on the back of the unit.
5 | LCD menu buttons | Navigate the control panel LCD menu.
6 | LCD panel | Provides system ID, status information, and system error messages. The LCD lights blue during normal system operation. The LCD lights amber when the system needs attention, and the LCD panel displays an error code followed by descriptive text.
7 | System identification button | Use to locate a particular system in a rack. When pressed, the blue indicator lights on both the front and back of the unit blink. When pressed a second time, the indicators stop blinking. There is also a system identification button on the back of the unit.
8 | Hard drives (6) | Up to six 2.5-inch hard drives.
9 | Optical drive (optional) | Optional.
10 | System identification panel | A slide-out panel for system information including Express Service tag, embedded NIC MAC address, and iDRAC6 Enterprise Card MAC address. Space is provided for an additional label.

Hard-Drive Indicator Codes
The hard drives contain two indicator lights, on the left side: the light labeled "1" is the
drive-activity indicator (green), and the light labeled "2" is the drive-status indicator (green
and amber). The Activity Indicator blinks when the drive is being accessed.
For non-RAID applications, the Condition Indicator is solid green when the unit is powered
on. For RAID applications, see below.
SCSI Hard-Drive RAID Indicator Codes
If RAID is activated, the two indicators on each of the hard-drive carriers provide
information on the status of the SCSI hard drives. The following table lists the drive
indicator patterns. Different patterns are displayed as events occur in the system. For
example, if a drive fails, the drive failed pattern appears. After the drive is selected for
removal, the drive being prepared for removal pattern appears, followed by the drive ready
for insertion or removal pattern, and so forth.
Condition | Indicator Pattern
Identify drive / preparing for removal | The condition indicator blinks green two times per second.
Drive ready for insertion or removal | Both indicators are off.
Drive predicted failure | The condition indicator slowly blinks green, amber, and off.
Drive failed | The condition indicator blinks amber four times per second.
Drive rebuilding | The condition indicator blinks green slowly.
Drive online | The condition indicator is solid green.

Appliance Back View


The appearance of the back of the appliance will vary slightly depending on the model and
options purchased.
Dell Model R610

Appliance Back View - Dell Model R610


Item | Indicator, Button or Connector | Description
1 | iDRAC6 Enterprise port (optional) | Dedicated management port for the optional iDRAC6 Enterprise card.
2 | VFlash media slot (optional) | Connect an external SD memory card for the optional iDRAC6 Enterprise card.
3 | Serial connector | Connects a serial device to the system.
4 | PCIe slot 1 | PCI Express (generation 2) x8-wide expansion slot (full-height, half-length).
5 | Video connector | Connects a VGA display to the system.
6 | USB connectors (2) | Connect USB devices to the system. The ports are USB 2.0-compliant. Connect a USB keyboard to either of the USB connectors for initial installation or when using the CLI. Typically, these are only used during the initial installation or for troubleshooting. A UPS can be connected to either of these USB ports.
7 | PCIe slot 2 | PCI Express (generation 2) x8-wide expansion slot (full-height, half-length).
8 | Ethernet connectors (4) | Embedded 10/100/1000 NIC connectors.
9 | System status indicator connector | Connector for attaching a system indicator extension cable that is used on a cable management arm.
10 | System status indicator | Provides a power-on indicator for the back of the system.
11 | System identification button | Turns the system ID modes on and off. The identification buttons on the front and back panels can be used to locate a particular system within a rack. When one of these buttons is pushed, the LCD panel on the front and the system status indicator on the chassis back panel light blue until one of the buttons is pushed again.
12 | Power supply 1 |
13 | Power supply 2 |

System Configuration
System Configuration Overview
About the System Shared Secret
Modify the System Configuration
System Configuration Panel Reference
System Configuration Overview
Most of the information on the System Configuration panel is set via the CLI at installation
time.
If you are using Central Management and/or Aggregation, you will need to set the System
Shared Secret for all related systems to the same value.
For instructions on how to do this, or to modify any other System Configuration settings,
see Modify the System Configuration, below.
A valid license is required to use various functions of the appliance. When a license is
entered after the system has started, the GUI must be restarted before the new
functionality is recognized.
About the System Shared Secret

The Guardium administrator defines the System Shared Secret on the System Configuration
panel (see System Configuration). The system shared secret is used for two general
purposes:

- To encrypt files that are exported from the appliance by archive/export activities
- To establish secure communications between Central Managers and managed units

The system shared secret value is null at installation time. Depending on a company's
security practices, it may be necessary to change the system shared secret on a periodic
basis. Each appliance maintains a shared secret keys file, containing a historical record of
all shared secrets defined on that appliance, so the same system will have no problem at
a later date decrypting information that was encrypted on that system.
When information is exported or archived from one system, and imported or restored on
another, the latter must have access to the shared secret used by the former. For these
cases, there are CLI commands that can be used to export the system shared secrets from
one system, and import them on another. See the following commands in the CLI appendix:

aggregator backup keys file

aggregator restore keys file
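The following Python script is an added example and is not Guardium's code or its keys-file format. It models the idea described above: an export is protected with the secret that is current at export time, every secret ever defined is retained in a keyring, and a second unit can open the export only after that keyring has been handed over (the role the aggregator backup/restore keys file commands play). The class and function names (SharedSecretKeyring, seal, open_with_keyring, can_open) are this example's own, and the HMAC-SHA256 plus SHA-256 keystream construction is a stand-in chosen so the script runs with the standard library alone.

```python
"""Added example (not Guardium's code or file format): a historical shared-secret keyring.

Exports are sealed under the secret current at export time; because old secrets are kept,
an appliance can still open its own older archives after rotation, and another appliance
can open them only once it has imported the keys file.  The cipher/MAC construction below
is a toy stand-in built from hashlib/hmac, not the appliance's real mechanism.
"""
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 50_000  # illustrative iteration count


class SharedSecretKeyring:
    """Historical record of all shared secrets defined on one appliance (oldest first)."""

    def __init__(self, secrets=None):
        self.secrets = list(secrets or [])

    def set_secret(self, new_secret):
        """Changing the secret appends; older secrets stay so old archives still open."""
        self.secrets.append(new_secret)

    def current(self):
        if not self.secrets:
            raise RuntimeError("system shared secret is null; set it before exporting")
        return self.secrets[-1]

    def export_keys_file(self):
        """Equivalent in spirit to 'aggregator backup keys file' (format is constructed)."""
        return json.dumps(self.secrets)

    @classmethod
    def import_keys_file(cls, blob):
        """Equivalent in spirit to 'aggregator restore keys file'."""
        return cls(json.loads(blob))


def _keys(secret, salt):
    """Derive an encryption key and a MAC key from one shared secret."""
    k = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return k[:32], k[32:]


def _stream(key, nonce, n):
    """Toy counter-mode keystream of n bytes (demonstration only)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(data, secret):
    """Encrypt-then-MAC under the given secret; returns salt|nonce|ciphertext|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _keys(secret, salt)
    ct = bytes(a ^ b for a, b in zip(data, _stream(ek, nonce, len(data))))
    tag = hmac.new(mk, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def open_with_keyring(blob, keyring):
    """Try every historical secret; the one whose MAC verifies is the one used at export."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    for secret in keyring.secrets:
        ek, mk = _keys(secret, salt)
        if hmac.compare_digest(tag, hmac.new(mk, salt + nonce + ct, "sha256").digest()):
            return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))
    raise ValueError("no shared secret in the keys file opens this archive")


def can_open(blob, keyring):
    """True if some secret in the keyring opens the archive."""
    try:
        open_with_keyring(blob, keyring)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    collector = SharedSecretKeyring(["secret-2010"])
    archive = seal(b"exported audit data", collector.current())
    collector.set_secret("secret-2011")                    # periodic rotation
    print(open_with_keyring(archive, collector))           # old secret retained: still opens
    other = SharedSecretKeyring(["secret-2011"])           # a unit that never had the old secret
    print("other unit can open:", can_open(archive, other))
    other = SharedSecretKeyring.import_keys_file(collector.export_keys_file())
    print("after keys file import:", can_open(archive, other))
```

The point the script makes is the one behind the Caution in the panel reference: an archive sealed under a secret that no keyring contains is unrecoverable, which is why the keys file is backed up rather than only the current secret.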


Modify the System Configuration


1. Select Administration Console > System.
2. Referring to the System Configuration Panel Reference topic below, make any
changes desired.
3. Click the Apply button to save the updated system configuration when you are done
making changes.
Note: The applied changes do not take effect until the unit is restarted. After applying configuration
changes, click the Restart button to stop and restart the system (using the new configuration settings).

System Configuration Panel Reference
Field or Control - Description

Unique Global Identifier - This value is used for collation and aggregation of data. The
default value is a unique value derived from the MAC address of the machine. It is strongly
recommended that you do not change this value after the system begins monitoring
operations.

System Shared Secret - Any value you enter here does not display. Each character you type
displays as an asterisk.
The system shared secret is used for archive/restore operations, and for Central Management
and Aggregation operations. When used, its value must be the same for all units that will
communicate. This value is null at installation time, and can change over time.
The system shared secret is used:
- When secure connections are being established between a Central Manager and a managed
unit.
- When an aggregated unit signs and encrypts data for export to the aggregator.
- When any unit signs and encrypts data for archiving.
- When an aggregator imports data from an aggregated unit.
- When any unit restores archived data.
Depending on your company's security practices, you may be required to change the system
shared secret from time to time. Because the shared secret can change, each system maintains
a shared secret keys file, containing an historical record of all shared secrets defined on that
system. This allows an exported (or archived) file from a system with an older shared secret to
be imported (or restored) by a system on which that same shared secret has been replaced
with a newer one.
Caution: When used, be sure to save the shared secret value in a safe location. If you lose the
value, you will not be able to access archived data.

Retype Secret - When entering or changing the system shared secret (see above), retype the
new value a second time. Any value you enter here does not display. Each character you type
displays as an asterisk.

product key - This value is not displayed. It is inserted in the configuration during installation.
Do not modify this field unless you are instructed to do so by Technical Support. You may need
to paste a new product key here if optional components are being added.
If you install a new product key on the central management unit, when you click the Apply
button, you will receive a warning message that reads: "Warning: changing the license on a
Central Management Unit requires refreshing all managed units." After you click OK to close
the message window, you must click Apply a second time to install the new product key. You
will know that the new license has been installed when you receive the message: "Data
successfully saved."
If you install a new product key on a Central Management Unit you may get a warning stating
that the license applied to the CM must be refreshed on the managed unit. This requires a
refresh done from the Central Manager and is done by pressing the refresh icon (the yellow
arrows) from the Central Manager to each of the collectors listed.

Number of Datasources - If a limited license is applied, displays the maximum number of
datasources permitted per datasource license.

Metered Scans Left - If a limited license is applied, displays the number of vulnerability
assessment scans permitted (datasource metering) per metering license. Each time a
vulnerability assessment is triggered, this scan counter decreases by one.

Expiration date - If a limited license is applied, the fixed date on which the license will be
disabled.

System Hostname - The resolvable host name for the Guardium appliance. This name must
match the DNS host name for the primary System IP Address (see below).

Domain - The name of the DNS domain on which the Guardium appliance resides.

System IP Address - The primary IP address that users and S-TAP or CAS agents use to
connect to the Guardium appliance. It is assigned to the network interface labeled ETH0.

SubNet Mask - The subnet mask for the primary System IP Address (above).

Hardware (MAC) Address - The MAC address for the primary network interface (above).

System IP Address (Secondary) - Optional. A secondary IP address that users and S-TAP or
CAS agents use to connect to the Guardium appliance. It is assigned to the highest numbered
network interface on the unit, for example: ETH5. You might use a secondary IP address to
provide access to the appliance from a second network, or to provide additional bandwidth
when many S-TAP agents are reporting to the same Guardium appliance.
To display the network interfaces installed on the unit, use the show network interface
inventory CLI command. For example:
guard14.xyz.com> sho net int inv
eth0 00:04:23:D4:65:7E
eth1 00:04:23:D4:65:7F
eth2 00:04:23:D4:65:A2
eth3 00:04:23:D4:65:A3
eth4 00:18:8B:31:3A:A3
eth5 00:18:8B:31:3A:A4
ok
guard14.xyz.com>
In the example above, the secondary IP address would be assigned to the port labeled ETH5.
To locate the ETH5 connector on your appliance, use the show network interface port CLI
command, which will blink the orange light on that port 20 times. For example:
guard14.xyz.com> sho net int port 5
The orange light on port eth5 will now blink 20 times.
Note: The secondary IP address and its associated port are NOT related to the high availability
feature, which provides fail-over support via IP Teaming for the primary connection. For more
information about the high-availability option, see the store network interface commands in
the CLI Appendix.

SubNet Mask (Secondary) - Optional. The subnet mask for the secondary System IP Address
(above).

Default Route - The IP address of the default router for the system.

Primary Resolver, Secondary Resolver, Tertiary Resolver - The IP address for the Primary
Resolver (DNS) is required. The secondary and tertiary are optional.

Test Connection - Click the Test Connection link to test the connection to the corresponding
DNS server. This only tests that there is access to port 53 (DNS) on the specified host. It does
not verify that this is a working DNS server. You will receive a message box indicating if the
DNS server responded.

Stop - Click the Stop button to shut the system down.

Restart - Click the Restart button to stop and then restart the system. You will be prompted to
confirm the action.

Apply - Click the Apply button to save the changes. The changes will be applied the next time
the system restarts.

Inspection Engine Configuration


Inspection Engine Configuration Overview
Configure Settings that Apply to All Inspection Engines
Create an Inspection Engine
Start or Stop an Inspection Engine
Remove an Inspection Engine
Inspection Engine Configuration Overview
An inspection engine monitors the traffic between a set of one or more servers and a set
of one or more clients using a specific database protocol (Oracle or Sybase, for example).
The inspection engine extracts SQL from network packets; compiles parse trees that identify
sentences, requests, commands, objects, and fields; and logs detailed information about
that traffic to an internal database.
You can configure and start or stop multiple inspection engines on the Guardium appliance.
Inspection engines cannot be defined or run on a Central Manager unit. However, you can
start and stop inspection engines on managed units from the Central Manager control panel.
See Central Management for more information.
Inspection engines are also defined on S-TAPs. If S-TAPs report to this Guardium appliance,
be sure the appliance does not monitor the same traffic as the S-TAP. If that happens, the
analysis engine will receive duplicate packets, will be unable to reconstruct messages, and
will ignore that traffic.
Selecting IP Addresses
Each inspection engine monitors traffic between one or more client and server IP addresses.
In an inspection engine definition these are defined using an IP address and a mask. You
can think of an IP address as a single location and a mask as a wild-card mechanism that
allows you to define a range of IP addresses.
IP addresses have the format: n.n.n.n, where each n is an eight-bit number (called an
octet) in the range 0-255.

For example, an IP address for your PC might be: 192.168.1.3. This address is used in the
examples below. Since these are binary numbers, the last octet (3) can be represented as:
00000011.
The mask is specified in the same format as the IP address: n.n.n.n. A zero in any bit
position of the mask serves as a wildcard. Thus, the mask 255.255.255.240 combined with
the IP address 192.168.1.3 matches all values from 0-15 in the last octet, since the value
240 in binary is 11110000. But it only matches the values 192.168.1 in the first three
octets, since 255 is all 1s in binary (in other words, no wildcards apply for the first three
octets).
Specifying binary masks can be a little confusing. However, for the sake of convenience, IP
addresses are usually grouped in a hierarchical fashion, with all of the addresses in one
category (desktop computers, for example) grouped together in one of the last two octets.
Therefore, in practice, the numbers you see most often in masks are either 255 (no
wildcard) or 0 (all).
Thus a mask 255.255.255.255 (which has no zero bits) identifies only the single address
specified by IP address (192.168.1.3 in the example above).
Alternatively, the mask 255.255.255.0, combined with the same IP address matches all IP
addresses beginning with 192.168.1.
Selecting All Addresses
The IP address 0.0.0.0, which is sometimes used to indicate all IP addresses, is not allowed
by Guardium. To select all IP addresses when using an IP address/mask combination, use
any non-zero IP address followed by a mask containing all zeroes (for example:
1.1.1.1/0.0.0.0).
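The following Python script is an added example, not code from the Guardium guide. It carries the mask arithmetic above through on the same address (192.168.1.3) with the masks 255.255.255.255, 255.255.255.240 and 255.255.255.0, and with the 1.1.1.1/0.0.0.0 select-all form, treating every zero bit of the mask as a wildcard (a bitwise AND, not a CIDR prefix, since the text allows a zero in any bit position). The function names (matches, matched_last_octets, is_valid_selector, binary_octets) are this example's own.

```python
"""Added example (not from the Guardium guide): how an IP address/mask pair selects
addresses.  A zero bit anywhere in the mask is a wildcard, so two addresses match when
they agree in every bit position where the mask has a 1 bit."""
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    """Convert n.n.n.n to a 32-bit integer; raises ValueError on malformed input."""
    return int(IPv4Address(dotted))


def matches(candidate: str, ip: str, mask: str) -> bool:
    """True if candidate agrees with ip wherever the mask has a 1 bit."""
    m = to_int(mask)
    return (to_int(candidate) & m) == (to_int(ip) & m)


def is_valid_selector(ip: str, mask: str) -> bool:
    """The address 0.0.0.0 is not accepted; to select everything use a non-zero address
    with an all-zero mask (for example 1.1.1.1/0.0.0.0)."""
    try:
        to_int(mask)
        return to_int(ip) != 0
    except ValueError:
        return False


def matched_last_octets(ip: str, mask: str) -> list:
    """Values of the last octet that match, with the first three octets held as in ip."""
    prefix = ip.rsplit(".", 1)[0]
    return [n for n in range(256) if matches(f"{prefix}.{n}", ip, mask)]


def binary_octets(dotted: str) -> str:
    """Render each octet as 8 bits, e.g. 255.255.255.240 -> ...11111111.11110000"""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))


if __name__ == "__main__":
    ip = "192.168.1.3"
    print("address", ip, "=", binary_octets(ip))
    for mask in ("255.255.255.255", "255.255.255.240", "255.255.255.0"):
        octets = matched_last_octets(ip, mask)
        print(mask, binary_octets(mask), "matches last octet", octets[0], "-", octets[-1],
              f"({len(octets)} addresses)")
    print("192.168.2.5 under 255.255.255.0:", matches("192.168.2.5", ip, "255.255.255.0"))
    print("anything under 1.1.1.1/0.0.0.0:", matches("10.9.8.7", "1.1.1.1", "0.0.0.0"))
    print("0.0.0.0 accepted as selector:", is_valid_selector("0.0.0.0", "0.0.0.0"))
```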
Configure Settings that Apply to All Inspection Engines
1. Select Administration Console > Inspection Engines.
2. Referring to the table below, make any changes desired.
3. Click the Apply button to save the updated system configuration when you are done
making changes.
4. Optionally add comments to the Inspection Engine Configuration. See Comments.
5. Click the Restart Inspection Engines button.
Note: The applied changes do not take effect until the inspection engines are
restarted. After applying inspection engine configuration changes, click the Restart
button to stop and restart the system (using the new configuration settings).
Settings that Apply to All Inspection Engines
Control - Description

Default Capture Value - Default value is false. Used by the Replay function to distinguish
between transactions and capture values, meaning that if you have a prepared statement,
assigned values will be captured and replayed. If you want to replay your captured prepared
statements as prepared statements, the check box should be checked for the captured data.

Default Mark Auto Commit - Default value is true. Due to various auto-commit models for
different databases, this value is used by the Replay function to explicitly mark up the
transactions and auto commit after each command.
Note: If the checkbox is checked, then commits and rollbacks will be ignored.
Note: Databases currently supported include DB2, Informix, and Oracle.

Log Request Sql String - If marked, each SQL request statement is logged in its sanitized
format. Otherwise, no statements are logged.

Log Sequencing - If marked, a record is made of the immediately previous SQL statement, as
well as the current SQL statement, provided that the previous construct occurs within a short
enough time period.

Log Exception Sql String - If marked, when exceptions are logged, the entire SQL statement
is logged.

Log Records Affected - If marked, the number of records affected is recorded for each SQL
statement (when applicable). The default value for Log Records Affected is FALSE (0).
Note: When using JDBC, this must be marked to properly log Oracle bind variable traffic.
Note: Enabling Log Records Affected is important within Capture/Replay in order to provide
comparison results.

Log timestamp per second - If marked, allows you to display the distribution of requests down
to the second, regardless of the default logging granularity (see below).

Compute Avg Response Time - When marked, for each SQL construct logged, the average
response time will be computed.
Note: Enabling Compute Avg Response Time is important within Capture/Replay to see
response times between statement executions.

Inspect Returned Data - Mark to inspect data returned by SQL requests as well as update the
ingress and egress counts. If extrusion rules will be used in the security policy, this checkbox
must be marked.

Record Empty Sessions - When marked, sessions containing no SQL statements will be logged.
When cleared, these sessions will be ignored.

Parse XML - The Inspection Engine will not normally parse XML traffic. Mark this checkbox to
parse XML traffic.

Logging Granularity - The number of minutes (1, 2, 5, 10, 15, 30, or 60) in a logging unit. If
requested in a report, Guardium summarizes request data at this granularity. For example, if
the logging granularity is 60, a certain request occurred n times in a given hour. If the Log
timestamp per second check box (above) is not marked, exactly when the command occurred
within the hour is not recorded. But, if a rule in a policy is triggered by a request, a real time
alert can indicate the exact time. When you define exception rules for a policy, those rules can
also apply to the logging unit. For example, you might want to ignore 5 login failures per hour,
but send an alert on the sixth login failure.

Max. Hits per Returned Data - When returned data is being inspected, indicate how many hits
(policy rule violations) are to be recorded.

Ignored Ports List - A list of ports to be ignored. Add values to this list if you know your
database servers are processing non-database protocols, and you want Guardium to not waste
cycles analyzing non-database traffic. For example, if you know the host on which your
database resides also runs an HTTP server on port 80, you can add 80 to the ignored ports list,
ensuring that Guardium will not process these streams. Separate multiple values with commas,
and use a hyphen to specify an inclusive range of ports. For example: 101,105,110-223

Buffer Free: n % - Display only. n is the percent of free buffer space available for the
inspection engine process. This value is updated each time the window is refreshed. There is a
single inspection engine process that drives all inspection engines. This is the buffer used by
that process.

Restart Inspection Engines - Click the Restart Inspection Engines button to stop and restart all
inspection engines.

Add Comments - Click the Comment button to add comments to the Inspection Engine
Configuration. See Comments.

Apply - Click the Apply button to save the configuration.

Note: Any global changes made (and saved using the Apply button) do not take effect until you
restart the inspection engines. However, individual inspection engine attributes, such as
exclude, sequence order, etc., take effect immediately.
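The following Python script is an added example, not Guardium code, illustrating the Logging Granularity and Log timestamp per second settings in the table above: requests are counted per fixed-size logging unit, a per-second distribution is only available when per-second timestamps are kept, and an exception-rule threshold ("ignore 5 login failures per hour, alert on the sixth") is evaluated per logging unit, so the same events alert or not depending on the granularity chosen. The log lines are constructed for this demonstration and do not follow any Guardium log format; the function names (parse, logging_unit, summarize, per_second_distribution, exception_alerts) and the threshold semantics are this example's own.

```python
"""Added example (not Guardium code): summary logging per logging unit and a per-unit
exception threshold, run over constructed sample events."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: timestamp, client IP, DB user, construct (not a Guardium format)
SAMPLE_LOG = """\
2011-03-01 09:03:10 10.0.1.7 app LOGIN_FAILED
2011-03-01 09:11:45 10.0.1.7 app LOGIN_FAILED
2011-03-01 09:20:02 10.0.1.7 app LOGIN_FAILED
2011-03-01 09:31:19 10.0.1.7 app LOGIN_FAILED
2011-03-01 09:44:58 10.0.1.7 app LOGIN_FAILED
2011-03-01 09:52:07 10.0.1.7 app LOGIN_FAILED
2011-03-01 09:58:33 10.0.1.7 app LOGIN_FAILED
2011-03-01 10:05:00 10.0.1.7 app LOGIN_FAILED
2011-03-01 10:05:00 10.0.2.9 joe SELECT
2011-03-01 10:05:00 10.0.2.9 joe SELECT
"""


def parse(log_text):
    """Return a list of (timestamp, client, user, construct) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, client, user, construct = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), client, user, construct))
    return events


def logging_unit(ts, granularity_minutes):
    """Start of the logging unit containing ts; the allowed values all divide 60."""
    if 60 % granularity_minutes:
        raise ValueError("granularity must be one of 1, 2, 5, 10, 15, 30, 60")
    minute = ts.minute - ts.minute % granularity_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)


def summarize(events, granularity_minutes):
    """Counter keyed by (unit start, client, user, construct): 'construct X occurred n
    times in this unit', which is all a report sees at the chosen granularity."""
    return Counter((logging_unit(ts, granularity_minutes), client, user, construct)
                   for ts, client, user, construct in events)


def per_second_distribution(events, construct):
    """What Log timestamp per second makes visible: counts per exact second."""
    return Counter(ts for ts, _, _, c in events if c == construct)


def exception_alerts(events, granularity_minutes, construct="LOGIN_FAILED", ignore=5):
    """Per-unit threshold: the first `ignore` occurrences of construct for a given client
    and user in a logging unit are tolerated; each further one is returned as an alert.
    (Threshold keyed on client+user is this example's assumption.)"""
    seen = defaultdict(int)
    alerts = []
    for ts, client, user, c in events:
        if c != construct:
            continue
        key = (logging_unit(ts, granularity_minutes), client, user)
        seen[key] += 1
        if seen[key] > ignore:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for key, n in sorted(summarize(ev, 60).items()):
        print(key, n)
    print("alerts with a 60-minute unit:", exception_alerts(ev, 60))
    print("alerts with a 15-minute unit:", exception_alerts(ev, 15))
    print("SELECT per second:", per_second_distribution(ev, "SELECT"))
```

With a 60-minute unit the seven failures between 09:00 and 10:00 produce alerts for the sixth and seventh; with a 15-minute unit no quarter-hour holds more than two, so nothing alerts. That is the practical effect of the granularity choice on exception rules described above.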
Create an Inspection Engine
1. Select Administration Console > Inspection Engines.

2. Click the Add Inspection Engine link to expand the Add panel.
3. Enter a name in the Name box. It must be unique on the appliance. We recommend
that you use only letters and numbers in the name, as the use of any special
characters prevents working with this inspection engine via the CLI.
4. From the Protocol box, select either the protocol to be monitored (DB2, FTP, IBM
iSeries, Informix, MSSQL, Mysql, Named Pipes, Netezza, Oracle, PostgreSQL,
Sybase, Teradata, or Windows File Share) or the keyword exclude IE. Select
"exclude IE" if you want all traffic between the specified clients and servers to be
ignored.
Note: "exclude IE" only works on ports, IP does not matter. Enter a range of ports to
ignore. To exclude a specific IP for this port, the exclude DB Client IP can be used
within the inspection engine created. If there is a need not to pick up packets on a
certain port range, define a separate inspection engine of the type Exclude IE
(IGNORE). The only values that have to be defined in that engine are
PORT_RANGE_START and PORT_RANGE_END. This kind of exclusion might be needed,
for instance, when an all-inclusive Oracle Inspection Engine is defined with ports
range 1024-65535, but certain ports have to be excluded.
5. In the DB Client IP/Mask boxes, enter a list of clients (a client host from which the
database connection was initiated) to be monitored (or excluded if the Exclude DB
Client IP box is marked, as described above). The clients are identified by IP
addresses and subnet masks. There are detailed instructions on how to use these
fields in the overview, above.
Click the plus sign to add additional IP address and subnet mask. Click the minus
sign to remove the last IP address and subnet mask (at the bottom of the list).
6. In the DB Server IP/Mask boxes, enter a list of database servers (where a
database sits) to be monitored. The servers are identified by IP addresses and
subnet masks. There are detailed instructions on how to use these fields in the
overview, above.
Click the plus sign to add additional IP address and subnet mask. Click the minus
sign to remove the last IP address and subnet mask (at the bottom of the list).
7. In the Port box, enter a single port or a range of ports over which traffic between
the specified clients and database servers will be monitored. Most often, this should
be a single port.
Warning: Do not enter a wide range of ports, just to be certain that you have
included the right one! You may cause the inspection engine to bog down attempting
to analyze traffic on ports that carry no database traffic or traffic that is of no
interest for your environment.
8. Mark the Active on startup box if this inspection engine should be started
automatically on start-up.
9. Mark the Exclude DB Client IP box if you want the inspection engine to monitor
traffic from all clients except for those listed in the DB Client IP/Mask list (see
below). Be sure that you understand the difference between this and the Ignore
protocol selection (above). This includes all traffic except for traffic from the IP
addresses specified below. To ignore a specific set of clients without including all other
clients, define a separate inspection engine for those clients and use the Ignore protocol
(see above).
10. Click the Add button to save the definition.
11. Optionally reposition the inspection engine in the list of inspection engines. Filtering
mechanisms defined in the inspection engines are executed in the order listed. If
necessary, reposition the new inspection engine configuration, or any existing
configurations, using the Up and/or Down buttons in the border of the definition.
12. Optionally click the Start button to start the inspection engine just configured. The
Start button will be replaced by a Stop button, once the engine has been started.
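The following Python script is an added example, not Guardium code. It models how the definitions created by the procedure above combine to decide whether one connection is inspected: the global Ignored Ports List (parsed with the comma and hyphen-range syntax from the settings table), an "exclude IE" engine that acts on ports only, an engine with Exclude DB Client IP marked, and the list order from step 11. It goes slightly beyond the text by showing the same connection decided both ways when the exclude IE engine is moved above or below the Oracle engine. The InspectionEngine class, the classify function, the first-match-wins rule and the sample configuration are this example's own assumptions.

```python
"""Added example (not Guardium code): an ordered list of inspection engine definitions
plus the global Ignored Ports List, applied to sample connections."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Selector = Tuple[str, str]  # (IP address, mask) as entered in the DB Client/Server IP/Mask boxes


def ip_matches(candidate: str, selectors: List[Selector]) -> bool:
    """A zero bit in the mask is a wildcard, so compare under a bitwise AND."""
    c = int(IPv4Address(candidate))
    for ip, mask in selectors:
        m = int(IPv4Address(mask))
        if c & m == int(IPv4Address(ip)) & m:
            return True
    return False


def parse_port_list(text: str) -> set:
    """'101,105,110-223' -> {101, 105, 110, 111, ..., 223}; hyphen ranges are inclusive."""
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 < lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


@dataclass
class InspectionEngine:
    name: str
    protocol: str                       # e.g. "Oracle", "MSSQL", or "exclude IE"
    port_range: Tuple[int, int]         # PORT_RANGE_START, PORT_RANGE_END (inclusive)
    clients: List[Selector] = field(default_factory=list)
    servers: List[Selector] = field(default_factory=list)
    exclude_db_client_ip: bool = False  # monitor all clients EXCEPT those listed


def classify(engines: List[InspectionEngine], ignored_ports: set,
             client_ip: str, server_ip: str, port: int) -> Tuple[str, Optional[str]]:
    """Return ('ignored', reason), ('monitor', engine name) or ('not monitored', None).
    Engines are consulted in list order and the first that applies decides (assumption)."""
    if port in ignored_ports:
        return "ignored", "Ignored Ports List"
    for eng in engines:
        lo, hi = eng.port_range
        if not lo <= port <= hi:
            continue
        if eng.protocol == "exclude IE":  # exclude IE works on ports only; IPs do not matter
            return "ignored", eng.name
        client_ok = ip_matches(client_ip, eng.clients)
        if eng.exclude_db_client_ip:
            client_ok = not client_ok
        if client_ok and ip_matches(server_ip, eng.servers):
            return "monitor", eng.name
    return "not monitored", None


ANY_ADDRESS = [("1.1.1.1", "0.0.0.0")]  # the accepted way to say "all addresses"

# Constructed configuration for the demonstration
IGNORED = parse_port_list("80,101,110-223")
ENGINES = [
    InspectionEngine("ExcludeBackupPorts", "exclude IE", (1525, 1530)),
    InspectionEngine("OracleProd", "Oracle", (1521, 1530), clients=ANY_ADDRESS,
                     servers=[("192.168.1.0", "255.255.255.0")]),
    InspectionEngine("MssqlNoAdminSubnet", "MSSQL", (1433, 1433),
                     clients=[("10.0.5.0", "255.255.255.0")],
                     servers=[("192.168.2.10", "255.255.255.255")],
                     exclude_db_client_ip=True),
]

if __name__ == "__main__":
    for conn in [("10.0.1.7", "192.168.1.20", 1521), ("10.0.1.7", "192.168.1.20", 1527),
                 ("10.0.1.7", "192.168.1.20", 80), ("10.0.5.9", "192.168.2.10", 1433),
                 ("10.0.1.7", "192.168.2.10", 1433)]:
        print(conn, classify(ENGINES, IGNORED, *conn))
    # Moving the exclude IE engine below OracleProd changes the decision for port 1527
    reordered = [ENGINES[1], ENGINES[0], ENGINES[2]]
    print("reordered, port 1527:", classify(reordered, IGNORED, "10.0.1.7", "192.168.1.20", 1527))
```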
Start or Stop an Inspection Engine
1. Select Administration Console > Inspection Engines.
2. To start an inspection engine, click its Start button.
3. To stop an inspection engine, click its Stop button.
Note: If using Central Management, you can also start or stop inspection engines from the Central
Management control panel. See Central Management.

Remove an Inspection Engine
If you are no longer using an inspection engine, we suggest that you remove the definition,
so that it is not restarted accidentally.
1. Select Administration Console > Inspection Engines.
2. If the inspection engine to be removed has not been stopped, click the Stop button.
3. To remove an inspection engine, click its Delete button.

Portal Configuration
You can keep the Guardium appliance Web server on its default port (8443) or reset the
portal as described below. We strongly recommend that you use the default port.
1. Select Administration Console > Portal to open the Guardium Portal panel.
2. If it is not marked, mark the Active on Startup checkbox (this should never be
disabled).
3. Set the HTTPS Port to an integer value between 1025 and 65535.
4. Click the Apply button to save the value. (The Guardium security portal will not start
listening on this port until it is restarted.) Or click the Revert button to restore the
value stored by the last Apply operation.
5. Click the Restart button to restart the Guardium Web server if you have made and
saved any changes. You can now connect to the unit on the newly assigned port.
Note: To re-connect to the unit once it has restarted with the new port number, you must change the URL
used to open the Guardium Login Page on your browser.

For information about configuring authentication at the bottom half of this Portal screen, go
to the help topic Authentication Configuration.

Configure Authentication
Authentication Overview
Configure Guardium Authentication
Configure RADIUS Authentication
Configure LDAP Authentication
Authentication Overview
By default, Guardium user logins are authenticated by Guardium, independent of any other
application. For the Guardium admin user account, login is always authenticated by
Guardium alone. For all other Guardium user accounts, authentication can be configured to
use either RADIUS or LDAP. In the latter cases, additional configuration information for
connecting with the authentication server is required.
Note: FreeRadius client software is supported.
When an alternative authentication method is used, all Guardium users must still be defined
as users on the Guardium appliance. It is only the authentication that is performed by
another application.
Note that while user accounts and roles are managed by the accessmgr user, the
authentication method used is managed by the admin user. This is a standard "separation of
duties" best practice.
To configure authentication, see the appropriate topic, above.
Configure Guardium Authentication
1. Select Administration Console > Portal.
2. Select the Guardium radio button in the Authentication Configuration panel.
3. Click Apply.
Configure RADIUS Authentication
1. Select Administration Console > Portal.
2. Select the RADIUS radio button in the Authentication Configuration panel. Additional
fields will appear in the panel.
3. In the Primary Server box, enter host name or IP address of the primary RADIUS
server.
4. Optionally enter the host name or IP address of the secondary and tertiary RADIUS
servers.
5. Enter the UDP Port used (1812 or 1645) by RADIUS.
6. Enter the RADIUS server Shared Secret, twice.
7. Enter the Timeout Seconds (the default is 120).

8. Select the Authentication Type:
- PAP - password authentication protocol
- CHAP - Challenge-handshake authentication protocol
- MS-CHAPv2 - Microsoft version 2 of the challenge-handshake authentication protocol
9. Optionally click the Test button to verify the configuration. You will be informed of
the results of the test. The configuration will also be tested whenever you click the
Apply button to save changes (see below).
10. Click Apply. Guardium will attempt to authenticate a test user, and inform you of
the results.
Configure LDAP Authentication
1. Select Administration Console > Portal.
2. Select the LDAP radio button in the Authentication Configuration panel.
3. In the Server box, enter the host name or IP address of the LDAP server.
4. Enter the Port number (the default is 636 for LDAP over SSL).
5. Enter the User RDN Type (relative distinguished name type), which is uid by
default.
Note: This attribute identifies a user for LDAP authentication. The
Access Manager should be made aware of what attribute is used here, since
the Access Manager performs the LDAP User Import operation. Click on this
help link LDAP User Import for further information on Importing LDAP Users.
Note: If a user is using SamAccountName as the RDN value, the user must
use either "=search" or "=[domain name]" in the full name.
Examples: SamAccountName=search, SamAccountName=dom
6. Enter the User Base DN (distinguished name).
7. Mark or clear the Use SSL checkbox, as appropriate for your LDAP Server.
8. Optional. To inspect one or more trusted certificates, click Trusted Certificates and
follow the instructions in that panel.
9. Optional. To add a trusted certificate, click Add Trusted Certificates and follow the
instructions in that panel.
10. Optional. Click the Test button to verify the configuration. You will be informed of
the results of the test. The configuration will also be tested whenever you click the
Apply button to save changes (see below).
11. Click Apply. Guardium will attempt to authenticate a test user, and inform you of
the results.
Global Profile
Global Profile Overview
Override the Default Aliases Setting
Customize the PDF Page Footer
Edit the Alert Message Template
Disable accordion menus
Named Template
CSV Separator
Add or Disable a Login Message
Enable or Disable Concurrent Same-user Logins
Enable Data Level Security at the Observed Data Level
Default Filtering
Escalate result to all users
SCP and FTP files via different ports
Global Profile Overview
The Global Profile panel defines defaults that apply to all users.
Override the Default Aliases Setting
By default, for any new report, or for any report contained in a default layout, aliases are
not used.
An alias provides a synonym that substitutes for a stored value of a specific attribute type.
It is commonly used to display a meaningful or user-friendly name for a data value. For
example, Financial Server might be defined as an alias for IP address 192.168.2.18.
To display aliases for an individual report, you can open its Customize Portlet panel and
mark the Show Aliases On button.
If more often than not, you would rather see aliases by default, you can change the default
aliases setting for all reports, as follows:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. Mark the Use Aliases in Reports unless otherwise specified checkbox.
3. Click Apply.
Customize the PDF Page Footer
PDF files created by various Guardium components (audit tasks, for example) have a
standard page footer. To customize that footer:
1. Select Administration Console > Global Profile to open the Global Profile panel.

2. In the PDF Footer Text field, enter the text to be printed at the bottom of each
page.
3. Click Apply.
Edit the Alert Message Template
To customize the message template used to generate alerts:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the Message Template text box, edit the alert template text.
You can mark the no wrap checkbox below the Message Template text box to see
where the line breaks appear in the message.
3. Click Apply when you are done.
4. Changes will not take effect until the inspection engines are restarted. To do that
now, select Administration Console > Inspection Engines > Restart Inspection
Engines.
Alert Message Template Variables
Variable - Description

%%addBaselineConstruct - To add to baseline
%%AppUserName - Application user name
%%AuthorizationCode - Authorization code
%%category - Category from the rule definition
%%classification - Classification from the rule definition
%%clientHostname - Client hostname
%%clientIP - Client IP address
%%clientPort - Client port number
%%DBProtocol - Database protocol
%%DBProtocolVersion - Database protocol version
%%DBUser - Database user name
%%lastError - Last error description; available only when a SQL error request triggering an
exception rule contains a last error description field
%%netProtocol - Network protocol; for K-TAP on Oracle, this may display as either IPC or BEQ
%%OSUser - Session information (OS_USER in GDM_ACCESS)
%%receiptTime - Timestamp representing the time when the alert occurred
%%receiptTimeMills - Numeric representing the time when the alert occurred, in milliseconds
since the fixed date of Jan 1 1900
%%requestType - Request type
%%ruleDescription - The rule description from the policy rule definition
%%ruleID - The rule number from the rule definition
%%serverHostname - Server hostname
%%serverIP - Server IP address
%%serverPort - Server port number
%%serverType - The database server type
%%serviceName - Service name
%%sessionStart - Session start time (login time)
%%sessionStartMills - Numeric representing the start of the session where the alert occurred,
in milliseconds since the fixed date of Jan 1 1900
%%severity - Severity from the rule definition
%%SourceProgram - Source program name
%%SQLNoValue - SQL string with masked values
%%SQLString - SQL string (if any)
%%SQLTimestamp - The time on the packet/request (TIMESTAMP in GDM_CONSTRUCT_TEXT)
%%Subject[ ] - If this variable is used in the message template, all that appears between [ ]
(for example, file name, email sender, description) will be the subject line of the email sent to
the user.
%%violationID - Numeric representing the POLICY_VIOLATION_LOG_ID of this alert in
GDM_POLICY_VIOLATION_LOG (this is the same as the Violation Log ID in the Policy Violations /
Incident Management report)

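The following Python script is an added example, not Guardium code. It renders a message template of the kind edited in the Global Profile, substituting the %%variables from the table above out of a constructed alert record, and treats %%Subject[ ] as the table describes: everything between the brackets (after substitution) becomes the e-mail subject and the directive is dropped from the body. The alert values and the template text are constructed, the function names (substitute, render) are this example's own, and leaving an unknown %%name untouched is an assumption rather than documented behaviour.

```python
"""Added example (not Guardium code): rendering an alert message template."""
import re

# A constructed alert record; the keys are variable names from the table above.
ALERT = {
    "receiptTime": "2011-03-01 09:52:07",
    "severity": "HIGH",
    "ruleID": "41",
    "ruleDescription": "Failed logins over threshold",
    "category": "Authentication",
    "classification": "Login failure",
    "DBUser": "app",
    "clientIP": "10.0.1.7",
    "clientHostname": "ws-0107.example.test",
    "serverIP": "192.168.1.20",
    "serverPort": "1521",
    "serverType": "ORACLE",
    "serviceName": "PRODDB",
    "SQLNoValue": "",
}

# Constructed template in the style of the Global Profile Message Template
DEFAULT_TEMPLATE = """\
%%Subject[Guardium alert: %%ruleDescription on %%serverIP]
Alert at %%receiptTime (severity %%severity, rule %%ruleID)
Category: %%category / %%classification
DB user %%DBUser from %%clientIP (%%clientHostname) to %%serverType %%serverIP:%%serverPort service %%serviceName
SQL: %%SQLNoValue
"""

VAR = re.compile(r"%%([A-Za-z]+)")
SUBJECT = re.compile(r"%%Subject\[(.*?)\]\n?")


def substitute(text, values):
    """Replace every %%name with values[name]; unknown names are left as-is (assumption)."""
    return VAR.sub(lambda m: values.get(m.group(1), m.group(0)), text)


def render(template, values):
    """Return (subject, body).  The subject is what appears between the brackets of
    %%Subject[ ] after substitution; the directive itself is removed from the body.
    A template without %%Subject[ ] yields subject None."""
    subject = None
    m = SUBJECT.search(template)
    if m:
        subject = substitute(m.group(1), values)
        template = template[:m.start()] + template[m.end():]
    return subject, substitute(template, values)


if __name__ == "__main__":
    subject, body = render(DEFAULT_TEMPLATE, ALERT)
    print("Subject:", subject)
    print(body)
```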
Disable accordion menus
Check this box to display the Tools tab with Config and Control and Report Building in one
column and their associated functions in another column.
Named Template
Message templates are used to generate alerts.
The feature defines multiple message templates and facilitates the use of different
templates on different rules. In the past, only a single message template was available for
all rules, all receiver types, etc.
To add, modify and delete named message templates, click on the Edit button. When
creating a new named template, the starting value of the string is a copy of whatever is
currently in the Message template of the Global Profile. "R/T Alert" is the only level of
severity permitted.
Predefined message templates have been created for the SIEM solutions, ArcSight and
EnVision. The Guardium system comes preloaded with two certified (agreed upon)
templates to integrate with these two SIEM solutions.
After editing, the multiple message templates can be selected from within the Policy Builder
menu. See Policies.
CSV Separator
To define a separator to be used in the audit process:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. Choose Comma, Semicolon, or Tab, or define your own in the Other box, to set the
CSV Separator that will be used.
3. Click Apply.
Add other HTML content to the Guardium Window
To add a company logo graphic to the upper right portion of the Guardium window, or to
add other HTML content to the bottom of the Guardium window:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the HTML - Left and HTML - Right text boxes, enter the HTML for the text or
any other items you want to include on the window.
3. Optionally click the preview button to verify that your HTML displays as expected.

4. Click Apply.
Add or Disable a Login Message
To add a message to display in a message box, each time a user logs in:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the Login Message text box, enter the text you want to display when each user
logs in.

3. Mark the show login message box to enable the display of the login message (or
clear the box to disable the display).
4. Click Apply.
Enable or Disable Concurrent Same-user Logins
By default, the same Guardium user can log in to an appliance from multiple IP addresses.
You can disable concurrent logins from the same user, as described below. When disabled,
each Guardium user will be allowed to log in from only one IP address at a time. If a user
closes their browser without logging out, the connection will time out due to inactivity, so
the user account will not be blocked for long.
To change this setting:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. Click the Enable or Disable button (depending on the current status) to perform the
desired action.
Note: When the feature is enabled, an Unlock button appears to the left of the
Enable/Disable button. You can click the Unlock button to allow a second login
with this user account from a different IP address. This is provided for support
purposes.
Enable Data Level Security at the Observed Data Level
Enable data level security filtering by clicking the button.
This feature assumes that specific Guardium users are responsible for certain specific
databases. Therefore a mechanism exists that will filter results, system-wide, in a way that
each user will only be able to see the information from those databases that the user is
responsible for.
To change this setting:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. Click the Enable or Disable button for the Data level security filtering option.
Note: The datasec-exempt role (see Manage Roles) takes effect only when data level
security is enabled and the role has been assigned to a user.
3. Additional choices include:
i. Show-all - Permits the logged-in viewer to see all the rows in the result
regardless of who these rows belong to. When used with the datasec-exempt
role (see Manage Roles) it permits an override of the data level security
filtering.
ii. Include indirect records - Permits the logged-in viewer to see the rows
that belong to the logged-in user, and also all rows that belong to users below
the logged-in user in the user hierarchy. See Access Management, Data User
Security - Hierarchy and Associations.

Note: If data level security at the observed data level has been enabled, then audit process
escalation will only be allowed to users at a higher level in the user hierarchy. See Access
Management, Data User Security - Hierarchy and Associations.
Default Filtering
Default settings for the online viewer and for audit process results distribution.
Show-all - See the explanation in the section above, Enable Data Level Security at the
Observed Data Level, step 3. Disabled by default.
Include indirect records - See the explanation in the section above, Enable Data Level
Security at the Observed Data Level, step 3. Disabled by default.
Escalate result to all users
Escalate result to all users - A check mark in this check box escalates audit process
results (and PDF versions) to all users, even if data level security at the observed data level
is enabled. This box is checked by default. If the check box is cleared (no check mark),
then audit process escalation will only be allowed to users at a higher level in
the user hierarchy and to users with the datasec-exempt role. If the check box is cleared
and there is no user hierarchy, then no escalation is permitted. See Access Management,
Data User Security - Hierarchy and Associations.
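The filtering and escalation rules above, worked through as an added example (not Guardium code). The row format, the user hierarchy and the role names are constructed for illustration, and Show-all is modelled as taking effect for a viewer who holds the datasec-exempt role, which is this example's reading of the text.

```python
"""Data level security filtering and escalation, as an added illustration.

Not Guardium code. Assumptions: each result row carries an "owner" field naming
the Guardium user responsible for the database it came from, and the user
hierarchy is a dict mapping each user to the user directly above it. Show-all
is modelled as taking effect for a viewer who holds the datasec-exempt role.
"""
from dataclasses import dataclass


@dataclass
class DataSecConfig:
    enabled: bool = True            # data level security filtering on/off
    show_all: bool = False          # Show-all default filtering option
    include_indirect: bool = False  # Include indirect records option
    escalate_to_all: bool = True    # "Escalate result to all users" check box


# Constructed user hierarchy: user -> user directly above it (None = top).
HIERARCHY = {
    "cio": None,
    "dba_lead": "cio",
    "dba_ora": "dba_lead",
    "dba_db2": "dba_lead",
    "auditor": "cio",
}

# Constructed result rows; "owner" is the user responsible for that database.
ROWS = [
    {"db": "ORA_PROD", "owner": "dba_ora", "sql": "select * from payroll"},
    {"db": "DB2_PROD", "owner": "dba_db2", "sql": "update accounts set ..."},
    {"db": "HR_DB", "owner": "auditor", "sql": "select ssn from employees"},
]


def ancestors(user, hierarchy):
    """Users above `user` in the hierarchy, nearest first (cycle-safe)."""
    chain, seen = [], set()
    parent = hierarchy.get(user)
    while parent is not None and parent not in seen:
        seen.add(parent)
        chain.append(parent)
        parent = hierarchy.get(parent)
    return chain


def visible_rows(rows, viewer, roles, cfg, hierarchy=HIERARCHY):
    """Rows the viewer may see when data level security is enabled."""
    if not cfg.enabled:
        return list(rows)
    if cfg.show_all and "datasec-exempt" in roles:
        return list(rows)          # exempt viewer overrides the filtering
    kept = []
    for row in rows:
        owner = row["owner"]
        if owner == viewer:
            kept.append(row)       # the viewer's own databases
        elif cfg.include_indirect and viewer in ancestors(owner, hierarchy):
            kept.append(row)       # databases of users below the viewer
    return kept


def may_escalate(sender, recipient, recipient_roles, cfg, hierarchy=HIERARCHY):
    """Whether audit process results may be escalated from sender to recipient."""
    if not cfg.enabled or cfg.escalate_to_all:
        return True
    if "datasec-exempt" in recipient_roles:
        return True
    # Otherwise only to users higher in the hierarchy; none if there is no hierarchy.
    return recipient in ancestors(sender, hierarchy)
```

With the default configuration dba_lead, who owns no database directly, sees nothing; with Include indirect records the same user sees the rows of dba_ora and dba_db2 but not those of auditor, who sits in a different branch.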
SCP and FTP files via different ports
Change the ports used to send files over SCP and FTP.
For the Global Profile, the ports for CSV, Export and Patch Backup transfers can be
changed. The default port for ssh/scp/sftp is 22. The default port for FTP is 21 (the
FTP control connection; port 20 is the FTP data channel).
Note: A port value of zero "0" means the default port is in use and nothing needs to be
changed.
Add a Logo to the Guardium Window
To add a company logo graphic to the upper right portion of the Guardium window:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the Upload Logo Image pane (located at the bottom of the menu screen), if you
want to include a logo image in the upper-right portion of the portal window, enter
an image file name or click the Browse button to select a file to upload to the
Guardium appliance, and then click the Upload button. The image will display the
next time the window is refreshed.
Note: The uploaded logo file name can not contain these special characters, single quote ',
double quote ", less than sign <, greater than sign >.

Alerter Configuration
Alerter Overview
Set the frequency that the Alerter checks for and sends messages
Configure the Alerter to send SMTP (e-mail) messages
Configure the Alerter to send SNMP traps
Automatically activate the Alerter on startup
Alerter Overview



No e-mail messages, SNMP traps, or alert related Syslog messages will be sent until the
Alerter is configured and activated. Other components create and queue messages for the
Alerter. The Alerter checks for and sends messages based on the polling interval that has
been configured for it.
To configure, enable or disable individual correlation alerts, see the Correlation Alerts topic.
Note that for correlation alerts and appliance alerts to be produced, Anomaly Detection
must also be started. For real-time alerts to be produced, a security policy must be
installed.
Mail/SNMP/SYSLOG messages are sent out according to their priority.
Automatically activate the Alerter on startup
1. Select Administration Console > Alerter to open the Alerter Configuration panel.
2. Mark the Active on Startup checkbox. Each time the appliance restarts, the Alerter
will be activated automatically.
3. Click Apply.
4. If the Alerter is not running, and you want to start it, click Restart.
Set the frequency that the Alerter checks for and sends messages
1. Select Administration Console > Alerter to open the Alerter Configuration panel.
2. Enter the Polling Interval, in minutes.
3. Click Apply.
Configure the Alerter to send SMTP (email) messages
1. Select Administration Console > Alerter to open the Alerter Configuration panel.
Note: All remaining items in this topic are in the SMTP section of the Alerter panel.
2. Enter the IP address for the SMTP gateway, in the IP Address box.
3. Enter the SMTP port number in the Port box (usually 25; check with your mail
administrator if the gateway listens on a different port, such as the submission port 587).
4. Optional: Click the Test Connection hypertext link to verify the SMTP address and
port. This only tests that there is access to specified host and port. It does not verify
that this is a working SMTP server. A dialog box is displayed, informing you of the
success or failure of the operation.
Note: If this SMTP server uses authentication, you must supply a valid User Name
and Password for that mail server in the following two fields. Otherwise, those fields
can be left blank.
5. Enter a valid user name for your mail server in the User Name box if your SMTP
server uses authentication.
6. Enter the password for the above user in the Password box if your SMTP server
uses authentication. Re-enter it in the Re-enter Password box.

7. In the Return E-mail Address box, enter the return address for e-mail sent by the
system. This address is usually an administrative account that is checked often.
8. Select Auth in the Authentication Method if your SMTP server uses authentication.
Otherwise, select None. When Auth is selected, you must specify the user name and
password to be used for authentication.
9. Click the Apply button to save the configuration.
Note: The Alerter will not begin using a new configuration until it is restarted.
10. Click Restart to restart the Alerter with the new configuration.
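The Test Connection link only proves that the host and port are reachable. The following added example (not Guardium code) goes one step further and performs the SMTP greeting and EHLO exchange, so you can see whether the gateway really speaks SMTP and whether it advertises STARTTLS and the AUTH mechanisms the Auth setting depends on. The server replies are a constructed transcript and the EHLO client name is an assumption.

```python
"""SMTP gateway check beyond the Alerter's Test Connection (added example).

Not Guardium code. Test Connection only shows the host and port are reachable;
this check reads the 220 greeting, sends EHLO and reports whether the server
advertises STARTTLS and which AUTH mechanisms it offers, so you know whether
the Auth setting and credentials can work. The server replies below are a
constructed transcript; the EHLO client name is an assumption.
"""

CLIENT_NAME = b"guardium.example.com"   # assumed EHLO name for the appliance


def parse_reply(lines):
    """One SMTP reply (one or more lines) -> (code, [text of each line])."""
    code_text = lines[0][:3]
    if not code_text.isdigit():
        raise ValueError("not an SMTP reply: %r" % lines[0])
    texts = []
    for line in lines:
        if line[:3] != code_text:
            raise ValueError("inconsistent reply code: %r" % line)
        texts.append(line[4:].strip())
    return int(code_text), texts


def read_reply(conn):
    """Read a complete reply; a '-' after the code means more lines follow."""
    lines = []
    while True:
        raw = conn.readline()
        if not raw:
            raise ConnectionError("connection closed before a reply completed")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            return parse_reply(lines)


def smtp_check(conn, client_name=CLIENT_NAME):
    """Greeting and EHLO exchange; returns what the server offers."""
    try:
        code, banner = read_reply(conn)
        if code != 220:
            return {"ok": False, "reason": "no 220 greeting (got %d)" % code}
        conn.write(b"EHLO " + client_name + b"\r\n")
        code, texts = read_reply(conn)
        if code != 250:
            return {"ok": False, "reason": "EHLO rejected (got %d)" % code}
    except (ValueError, ConnectionError) as exc:
        return {"ok": False, "reason": str(exc)}
    extensions = [t.upper() for t in texts[1:]]   # first line is the server name
    mechanisms = sorted({m for e in extensions if e.startswith("AUTH ")
                         for m in e.split()[1:]})
    conn.write(b"QUIT\r\n")
    return {"ok": True, "banner": banner[0], "starttls": "STARTTLS" in extensions,
            "auth_mechanisms": mechanisms}


class ScriptedConn:
    """Constructed stand-in for a socket file: canned replies, recorded sends."""

    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []

    def readline(self):
        return self._replies.pop(0) if self._replies else b""

    def write(self, data):
        self.sent.append(data)


def demo():
    """Run the check against a constructed, well-behaved gateway transcript."""
    transcript = [
        b"220 mail.example.com ESMTP ready\r\n",
        b"250-mail.example.com\r\n",
        b"250-STARTTLS\r\n",
        b"250-AUTH PLAIN LOGIN\r\n",
        b"250 SIZE 10485760\r\n",
    ]
    return smtp_check(ScriptedConn(transcript))
```

Against a real gateway, pass socket.create_connection((host, port), timeout=10).makefile("rwb", buffering=0) as conn. A gateway that answers with an HTTP banner, closes the connection, or refuses EHLO is reported as not ok, which is exactly the case Test Connection cannot tell you about.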
Configure the Alerter to send SNMP traps
1. Select Administration Console > Alerter to open the Alerter Configuration panel.
Note: All remaining items in this topic are in the SNMP section of the Alerter panel.
2. In the IP Address box, enter the IP address to which the SNMP trap will be sent.
3. Optional: Click the Test Connection hypertext link to verify the SNMP address and
port. This only tests that the specified host and port are reachable. It does not
verify that a working SNMP trap receiver is listening: traps are normally delivered
to UDP port 162, and a connection test cannot confirm that a UDP listener is present,
so confirm receipt on the trap receiver itself. A dialog box is displayed, informing you of
the success or failure of the operation.
4. In the Trap Community box, enter the community name for the trap. Retype the
community in the Retype Community box. The community string is sent in clear text
with every trap, so use a community dedicated to the trap receiver rather than a
read/write community from your network management system.
5. Click the Apply button to save the configuration.
Note: The Alerter will not begin using a new configuration until it is restarted.
6. Click Restart to restart the Alerter with the new configuration.

Anomaly Detection
Anomaly Detection Overview
Automatically activate Anomaly Detection on startup
Set the frequency that Anomaly Detection checks for appliance issues
Enable or Disable Active Alerts
Stop or Restart Anomaly Detection
Anomaly Detection Overview
The Anomaly Detection process executes correlation alerts according to the schedule
defined for each alert. A correlation alert looks back over a specified period of time to
determine if a condition has been satisfied (an excessive number of failed logins, for
example) See Correlation Alerts for more information.
In a Central Manager environment, the Anomaly Detection panel is used to turn off
correlation alerts that are not appropriate for a particular appliance. Under Central



Management, all correlation alerts are defined on the Central Manager, and when activated,
will be activated on all appliances by default.
Notes:
If an alert creates an email message or SNMP trap, the Alerter component must be
configured and started.
Anomaly Detection does not play a role in the production of real time alerts, which
are produced by security policies.
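The look-back evaluation a correlation alert performs, as an added example that is not Guardium code and does not use Guardium's query language. Constructed login events in an invented line format are scanned at each scheduled run for failed logins inside the look-back window; the same events fire or stay quiet depending on how long that window is, which is the parameter a correlation alert definition sets.

```python
"""Correlation-alert logic run over constructed sample events (added example).

A correlation alert looks back over a period and fires when a condition holds,
such as too many failed logins. The event format below is invented for the
example; it is not Guardium's log or query format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp client_ip db_user outcome".
SAMPLE_EVENTS = """\
2011-03-01T09:00:05 10.1.1.7 appuser LOGIN_FAILED
2011-03-01T09:00:09 10.1.1.7 appuser LOGIN_FAILED
2011-03-01T09:00:14 10.1.1.7 appuser LOGIN_FAILED
2011-03-01T09:00:21 10.1.1.7 appuser LOGIN_FAILED
2011-03-01T09:00:30 10.1.1.7 appuser LOGIN_FAILED
2011-03-01T09:00:31 10.1.1.7 appuser LOGIN_OK
2011-03-01T09:03:00 10.1.1.9 dba LOGIN_FAILED
2011-03-01T08:20:00 10.1.1.9 dba LOGIN_FAILED
2011-03-01T08:21:00 10.1.1.9 dba LOGIN_FAILED
2011-03-01T08:22:00 10.1.1.9 dba LOGIN_FAILED
2011-03-01T08:23:00 10.1.1.9 dba LOGIN_FAILED
"""


def _t(value):
    """Accept a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_events(text):
    """Parse the constructed event lines into (time, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((_t(ts), ip, user, outcome))
    return events


def failed_login_alert(events, now, lookback_minutes, threshold):
    """{(ip, user): count} for pairs with at least `threshold` failed logins
    in the look-back window ending at `now`, the scheduled evaluation time."""
    now = _t(now)
    start = now - timedelta(minutes=lookback_minutes)
    counts = defaultdict(int)
    for ts, ip, user, outcome in events:
        # Half-open window: older than the look-back is ignored, `now` included.
        if outcome == "LOGIN_FAILED" and start < ts <= now:
            counts[(ip, user)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def scheduled_runs(events, first_run, polling_minutes, runs, lookback_minutes, threshold):
    """Evaluate the alert at each scheduled run; return [(run time, hits)]
    for the runs on which it fired."""
    fired = []
    first = _t(first_run)
    for i in range(runs):
        now = first + timedelta(minutes=i * polling_minutes)
        hits = failed_login_alert(events, now, lookback_minutes, threshold)
        if hits:
            fired.append((now.isoformat(), hits))
    return fired
```

With a five-minute look-back only the burst from 10.1.1.7 reaches the threshold of five; with a sixty-minute look-back the slower sequence from 10.1.1.9, spread over forty minutes, also fires. Widening the window trades detection of slow attempts against more false positives, which is the tuning decision each correlation alert encodes.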

Automatically activate Anomaly Detection on startup


1. Click Administration Console > Anomaly Detection to open the Anomaly Detection
panel.
2. Mark the Active on Startup checkbox. Each time the appliance restarts, Anomaly
Detection will be activated automatically.
3. Click Apply.
Set the frequency that Anomaly Detection checks for appliance issues
1. Click Administration Console > Anomaly Detection to open the Anomaly Detection
panel.
2. Enter the Polling Interval, in minutes.
3. Click Apply.
Enable or Disable Active Alerts
To disable an alert globally in a Central Manager environment, it will be easier to clear the
Active checkbox in the Modify Alert panel (see Correlation Alerts).
To enable or disable an alert on a single appliance in a Central Management environment,
follow the procedure outlined below:
1. Log in to the administrator portal of the appliance on which you want to disable one
or more alerts.
2. Click Administration Console > Anomaly Detection to open the Anomaly Detection
panel.
3. To disable an alert, select it from the Active Alerts box, and click Disable.
4. To enable an alert, select it from the Locally Disabled Alerts box, and click
Enable.
Stop or Restart Anomaly Detection
1. Click Administration Console > Anomaly Detection to open the Anomaly Detection
panel.
2. Click Stop to stop Anomaly Detection, or click Restart to restart it.

Session Inference
Session Inference checks for open sessions that have not been active for a specified period
of time, and marks them as closed.
To configure the Session Inference options:
1. Select Administration Console > Session Inference.
2. Mark the Active On Startup box to start Session Inference on startup of the
Guardium appliance.
3. In the Polling Interval box, enter the frequency (in minutes) with which Session
Inference will check for open sessions. The default is 120 (minutes).
4. In the Max Inactive Period box, enter the number of minutes of inactivity, after
which a session should be marked closed. The default is 720 (minutes).
5. Click the Apply button to store the values in the configuration database. Session
Inference will not begin using a new configuration until it is restarted.
6. Click Restart to restart Session Inference with the new configuration.
Stopping Session Inference
To stop Session Inference, open the Session Inference panel as described above, and click
the Stop button.
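The marking rule Session Inference applies, as an added example (not Guardium code). Constructed sessions are checked at each polling interval against Max Inactive Period using the documented defaults; recording the inferred close time as last activity plus the inactive period, rather than the time of the poll, is this example's own choice.

```python
"""Session Inference, as an added illustration (not Guardium code).

An open session whose last activity is older than Max Inactive Period is marked
closed; the check runs every Polling Interval. The sessions below are
constructed; the choice to record the close time as last activity plus the
inactive period (rather than the time of the poll) is this example's own.
"""
from datetime import datetime, timedelta

POLLING_INTERVAL = timedelta(minutes=120)   # the documented default
MAX_INACTIVE = timedelta(minutes=720)       # the documented default


def _t(value):
    """Accept a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def make_sessions():
    """Constructed session table: id, last activity, close time (None = open)."""
    return [
        {"id": 1, "last_activity": datetime(2011, 3, 1, 1, 0), "closed": None},
        {"id": 2, "last_activity": datetime(2011, 3, 1, 14, 30), "closed": None},
        {"id": 3, "last_activity": datetime(2011, 2, 28, 9, 0),
         "closed": datetime(2011, 2, 28, 9, 5)},
    ]


def infer_closed(sessions, now, max_inactive=MAX_INACTIVE):
    """Mark open sessions inactive for longer than max_inactive as closed.

    Returns the ids closed in this pass; already-closed sessions are skipped.
    """
    now = _t(now)
    closed = []
    for s in sessions:
        if s["closed"] is not None:
            continue
        if now - s["last_activity"] > max_inactive:
            s["closed"] = s["last_activity"] + max_inactive
            closed.append(s["id"])
    return closed


def poll(sessions, first_run, polls, interval=POLLING_INTERVAL,
         max_inactive=MAX_INACTIVE):
    """Run Session Inference at each scheduled poll; return {poll time: ids}.

    Shows the worst-case lag: a session can stay open for up to one polling
    interval beyond the inactive period before it is marked closed.
    """
    result = {}
    first = _t(first_run)
    for i in range(polls):
        now = first + i * interval
        ids = infer_closed(sessions, now, max_inactive)
        if ids:
            result[now.isoformat()] = ids
    return result
```

Session 2 last spoke at 14:30 and so becomes eligible at 02:30, but with a two-hour polling interval it is only marked closed at the 03:00 poll; shorten the interval if that lag matters for your reports.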

IP-to-Hostname Aliasing
The IP-to-Hostname Aliasing function accesses the Domain Name System (DNS) server
to define hostname aliases for client and server IP addresses. Note that there are two
separate sets of IP addresses - one for clients, and one for servers. When IP-to-Hostname
Aliasing is enabled, alias names will replace IPs within Guardium where appropriate.
1. Select Administration Console > IP-to-Hostname Aliasing.
2. Mark the Generate Hostname Aliases for Client and Server IPs (when
available) checkbox to enable hostname aliasing.
A second checkbox displays when the first is marked: Update existing Hostname
Aliases if rediscovered
3. Mark the "Update existing..." checkbox to update a previously defined alias that does
not match the current DNS hostname (usually indicating that the hostname for that
IP address has changed). You may not want to do this if you have assigned some
aliases manually. For example, assume that the DNS hostname for a given IP
address is dbserver204.guardium.com, but that server is commonly known as the
QA Sybase Server. If QA Sybase Server has been defined manually as an alias for
that IP address, and the "Update" checkbox is marked, that alias will be overwritten
by the DNS hostname.
4. Click the Apply button to save the IP-to-Hostname Aliasing configuration.
5. Do one of the following:
Click the Run Once Now button to generate the aliases immediately.
Click the Define Schedule button to define a schedule for running this task.
For instructions on how to use the general-purpose task scheduler, see
Scheduling.

To view the aliases defined, see View the Aliases Defined, in the Common Tools book.
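The alias update rule, as an added example (not Guardium code). It goes one step beyond the page by recording whether each alias was set manually or generated from DNS, so that a run with "Update existing" enabled can refresh stale DNS aliases without losing the manual ones; protect_manual=False reproduces the overwriting behaviour the step above warns about. The reverse DNS table and the alias table are constructed.

```python
"""IP-to-Hostname Aliasing with the "update if rediscovered" choice (added example).

Not Guardium code. It goes one step beyond the page: every alias records whether
it was assigned manually or generated from DNS, so a run with "Update existing"
enabled can refresh stale DNS aliases without overwriting manual ones
(protect_manual=True); protect_manual=False reproduces the behaviour the page
warns about. Lookups go through a resolver callable so the example runs offline
against a constructed table.
"""
import socket

# Constructed reverse DNS: IP -> hostname (None = no PTR record).
FAKE_DNS = {
    "10.0.0.10": "dbserver204.guardium.com",
    "10.0.0.11": "dbserver205.guardium.com",
    "10.0.0.12": None,
    "10.0.0.13": "dbserver206.guardium.com",
}


def fake_resolver(ip):
    return FAKE_DNS.get(ip)


def real_resolver(ip):
    """Reverse lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def example_table():
    """Constructed alias table: one manual alias, one stale DNS alias."""
    return {
        "10.0.0.10": {"name": "QA Sybase Server", "source": "manual"},
        "10.0.0.11": {"name": "olddb.guardium.com", "source": "dns"},
    }


def generate_aliases(ips, aliases, resolver, update_existing, protect_manual=True):
    """Add or refresh aliases in place; return a list of (ip, old, new)."""
    changes = []
    for ip in ips:
        host = resolver(ip)
        if host is None:
            continue                          # nothing available for this IP
        current = aliases.get(ip)
        if current is None:
            aliases[ip] = {"name": host, "source": "dns"}
            changes.append((ip, None, host))
        elif update_existing and current["name"] != host:
            if protect_manual and current["source"] == "manual":
                continue                      # keep the hand-assigned alias
            changes.append((ip, current["name"], host))
            aliases[ip] = {"name": host, "source": "dns"}
    return changes
```

Reverse DNS is attacker-influenced data when the PTR zone is not under your control; treat generated aliases as labels for readability, not as an identity check in reports or policies.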

Upload Key File


Under rare conditions, a Microsoft SQL Server key file must be uploaded to the Guardium
appliance, in order for the appliance to monitor encrypted SQL Server traffic. No key file is
needed if an S-TAP has been installed on the SQL Server and configured to handle
encryption. This is the recommended and most common way of configuring an S-TAP agent
for MS SQL Server. To determine if an S-TAP is configured to handle encrypted MS SQL
Server traffic:
1. Select Administration Console > Local Taps > S-TAP Control.
2. Expand the Details pane for the S-TAP agent on the desired (MS SQL Server) host.
3. Verify that the SQL Server TAP Decrypted property has been set to either SSL Only
or Kerberos and SSL.
4. If the SQL Server TAP Decrypted property has been set to None, we recommend
changing that setting to either SSL Only or Kerberos and SSL. See the Windows
S-TAP topic in the S-TAP help book for detailed information about configuring
Windows S-TAPs.
Note: After changing the SQL Server TAP Decrypted property, you must restart the
S-TAP service for the change to take effect, and you must restart the MSSQL Monitor
service.

If for some reason you are not permitted to change the SQL Server TAP Decrypted
setting, use the procedure below to upload a key file from the server.
If no S-TAP has been installed, or if it has been installed but is not configured to handle
encrypted SQL Server traffic, a key file will be required to monitor SQL Server traffic under
the following conditions:

If the server is configured using the force protocol encryption option.

If the server in a SQL Server 2005 environment uses encrypted login sessions with
SQL Server mixed authentication.

Since a single Guardium appliance may be monitoring multiple SQL Server instances, you
may need to upload multiple key files. To upload a key file to the Guardium appliance:
1. Select Administration Console > Upload Key File.
2. Click the Browse button to locate the key file you want to upload. The key file name
must be the fully qualified domain name of the SQL Server. The key file cannot be
renamed; it must be created with that name. Because this file lets the appliance
decrypt that server's traffic, handle it as you would any private key: transfer it over
a protected channel and remove working copies once the upload succeeds.
3. Enter the pass phrase in both Pass Phrase boxes.
4. Click the Upload Key File button. You will be informed of the results of the
operation.

Query Hint
This feature is password protected and can be used only as directed by Technical Support.
Contact Technical Support if you require more information.

The Query Hint screen is also used to activate two policy log actions, "Log full details with
values" and "Log full details with values per session". After filling in the Query Hint
password, an additional button will appear, "Add value logging option to policies". See Log
Actions in Policies for further information. Again, contact Technical Support for instructions
on how to use this feature.

Customer Uploads
Database Activity Monitor Content Subscription (previously known as Database Protection
Subscription Service, DPS) supports the maintenance of predefined assessment tests, SQL based
tests, CVEs, APARs, and groups such as database versions and patches. DPS is provided as
a service to keep information current and within industry best practices to protect against
newly discovered vulnerabilities. Updates are distributed quarterly.
Uploading Jar files is also done from this menu screen.
Note: If a custom group exists with the same name as a predefined Guardium group, the
upload process will add "Guardium - " in front of the name of the predefined group.
1. Select Administration Console > Customer Uploads
2. For DPS Upload - Enter the name of the file to be uploaded or click the Browse
button to locate and select that file.
3. Import DPS identifies what files have been uploaded.
4. For Upload DB2 z/OS License jar - Enter the name of the file to be uploaded or
click the Browse button to locate and select that file.
5. For Upload Oracle JDBC driver or Upload MS SQL Server JDBC driver - Use
this function to upload open source JDBC drivers for Oracle and MS SQL Server. Oracle
Data Direct and MS SQL Data Direct drivers are pre-loaded on the Guardium appliance.
After upload, the drivers appear in the Database Type drop-down menu of the Datasource
Definition menu. Upload one driver at a time. Because uploaded Jar files are loaded and
executed by the appliance, obtain drivers only from the vendor's official distribution
and verify their checksums before uploading.
6. Click the Upload button. You are notified when the operation completes, and the file
uploaded will be displayed. This action brings the uploaded file to Central Manager.
For the Oracle JDBC and SQL Server JDBC driver files, go to Central Management
choice within Admin Console to manage distribution of these Jar file to the managed
units.
Note: After the file is successfully uploaded, the GUI needs to be restarted on the
Central Manager and the managed units.
Select Administration Console > Configuration > Portal > press Restart.
Select Administration Console > Central Management > Central Management and
press Distribute Uploaded Jar Files.
7. Use the import control to import the uploaded file, or the remove control to discard
it without importing.
8. You will be prompted to confirm either action.
9. Click the Done button when finished.
Note: If you will be exporting and importing definitions from one appliance to
another, be aware that subscribed groups are not exported. When exporting
definitions that reference subscribed groups, you must ensure that all referenced

subscribed groups are installed on the importing appliance (or central manager in a
federated environment).
Note: When uploading DB2 z/OS License jar files, the license will take effect after restart of
the GUI.

Archive, Purge and Restore


Archive, Purge and Restore
Configure Data Archive and Purge
Configure Results Archive
Restore Data
Catalog Archive
Catalog Export
Catalog Import
Archive, Purge and Restore
Archive and purge operations should be run on a scheduled basis. There are two archive
operations available on the Administration Console, in the Data Management section of the
menu:

Data Archive backs up the data that has been captured by the appliance, for a
given time period. When configuring Data Archive, a purge operation can also be
configured. Typically, data is archived at the end of the day on which it is captured,
which ensures that in the event of a catastrophe, only the data of that day is lost.
The purging of data depends on the application and is highly variable, depending on
business and auditing requirements. In most cases data can be kept on the machines
for more than six months.

Results Archive backs up audit tasks results (reports, assessment tests, entity
audit trail, privacy sets and classification processes) as well as the view and sign-off
trails and the accommodated comments from workflow processes. Results sets are
purged from the system according to the workflow process definition.

In an aggregation environment, data can be archived from the collector, from the
aggregator, or from both locations. Most commonly, the data is archived only once, and the
location from where it is archived varies depending on the customer's requirements.
Scheduled export operations send data from Guardium collector units to a Guardium
aggregation server. On its own schedule, the aggregation server executes an import
operation to complete the aggregation process. On either or both units, archive and purge
operations are scheduled to back up and purge data on a regular basis (both to free up
space and to speed up access operations on the internal database).
Archive files can be sent using SCP or FTP protocol, or to an EMC Centera or TSM storage
system (if configured). You can define a single archiving configuration for each Guardium
appliance.
Guardium's archive function creates signed, encrypted files, so tampering is detected and the
contents are not readable without the shared secret.
DO NOT change the names of the generated archive files. The archive and restore
operations depend on the file names created during the archiving process.
Archive and export activities use the system shared secret to create encrypted data files.
Before information encrypted on one system can be restored on another, the restoring

system must have the shared secret that was used on the archiving system when the file
was created.
Note: For more information about the system shared secret, see About the System Shared
Secret in the Guardium Administration Guide; for information on how to back up and restore
shared secret files from one system to another, see the description of the aggregator backup
keys file and aggregator restore keys file commands in the CLI Reference.

Whenever archiving data, be sure to verify that the operation completes successfully. To do
this, log in as admin user, click the Guardium Monitor tab, and select the
Aggregation/Archive Log report. There should be multiple activities listed for each Archive
operation, and the status of each activity should be "Succeeded".
Backup and Restore tasks can be performed from the CLI as well as from the Guardium GUI
at the Admin Console tab. See File Handling CLI Commands for further information.
Default Purging
The default value for purge is 60 days.
The default purge activity is scheduled every day at 5:00 AM.
For a new install, a default purge schedule is installed based on the default value and
activity.
When a unit type is changed between manager and managed, or back to standalone, the
default purge schedule is applied.
The purge schedule is not affected by an upgrade.
When purging a large number of records (10 million or more), a large batch size
setting (500k to 1 million) is the most effective choice. A smaller batch size or NULL
makes the purge take hours longer. Smaller purges finish quickly, so a large batch size
setting is only relevant for large purges.

About the Catalog


Regardless of the destination for the archived data, the Guardium catalog tracks where
every archive file is sent, so that it can be retrieved and restored on the system with
minimal effort, at any point in the future.
A separate catalog is maintained on each appliance, and a new record is added to the
catalog whenever the appliance archives data or results. Catalog entries can be transferred
between appliances by one of the following methods:

Aggregation - Catalog tables are aggregated, which means that the aggregator will
have the merged catalog of all of its collectors.
Export/Import Catalog (described below) - These functions can be used to transfer
catalog entries between collectors, or to back up a catalog for later restoration.
Data Restore - Each data restore operation contains the data of the archived day,
including the catalog of that day. So, when restoring data, the catalog is also being
updated.

When catalog entries are imported from another system, those entries will point to files that
have been encrypted by that system. Before restoring or importing any such file, the
system shared secret of the system that encrypted the file must be available on the
importing system. See the description of the aggregator backup keys file and aggregator
restore keys file commands in the CLI Reference, for instructions on how to get the shared
secrets from one appliance to another.
Several commands are provided on the Administration Console for catalog maintenance:
Catalog Archive - If archive files are moved to another location after the Guardium
archive operation, Guardium has no way of knowing what happened to those files.
For these situations, the archive catalog can be maintained manually, using the
Archive Catalog command on the Administration Console, to add or remove archive
entries.
Catalog Export - Export either the data or results catalog.
Catalog Import - Import a previously exported data or results catalog.
How to determine what days are not archived
Use a query (Tools tab > Report Building > Report Builder > query "Location View") that
can be modified to create a report showing the files that are archived. This report lists all
the files with archive dates. Dates not on this report indicate that those dates have not been
archived. Run archive for the dates not on the list, if required.
Configure Data Archive and Purge
1. Select Administration Console > Data Archive.
2. If it is not already checked, mark the Archive checkbox. Additional fields will appear
in the Configuration panel.
3. In the boxes following Archive data older than, specify a starting day for the archive
operation as a number of days, weeks, or months prior to the current day, which is
day zero. These are calendar measurements, so if today is April 24, all data captured
on April 23 is one day old, regardless of the time when the operation is performed.
To archive data starting with yesterday's data, enter the value 1, and select Day(s)
from the list.
4. Optionally, use the boxes following Ignore data older than to control how many days
of data will be archived. Any value specified here must be greater than the Archive
data older than value.

Note: If you leave the Ignore data older than row blank, you will archive data for all days older
than the value specified in the Archive data older than row. This means that if you archive daily
and purge data older than 30 days, you will archive each day of data 30 times (before it is
purged on the 31st day).

5. Mark the Archive Values box to include values (from SQL strings) in the archived
data. If this box is cleared, values will be replaced with question mark characters on
the archive (and hence the values will not be available following a restore operation).
6. Select a storage method radio button from the list below. Depending on how the
appliance has been configured, one or more of these buttons may not be available.
For a description of how to configure the archive and backup storage methods, see
the description of the show and store storage-system commands in the CLI
Appendix.
EMC CENTERA
TSM
SCP
FTP
7. Perform the appropriate procedure (below), depending on the storage method
selected:

Configure SCP or FTP Archive or Backup

Configure EMC Centera Archive or Backup

Configure TSM Archive or Backup

8. Optionally mark the Purge box to define a purge operation. When this box is
marked, additional fields display.

IMPORTANT: The Purge configuration is used by both Data Archive and Data
Export. Changes made here will apply to any executions of Data Export and
vice-versa. In the event that purging is activated and both Data Export and
Data Archive run on the same day, the first operation that runs will likely
purge any old data before the second operation's execution. For this reason,
any time that Data Export and Data Archive are both configured, the purge
age must be greater than both the age at which to export and the age at
which to archive.

9. If purging data, use the Purge data older than fields to specify a starting day for the
purge operation as a number of days, weeks, or months prior to the current day,
which is day zero. All data from the specified day and all older days will be purged,
except as noted below. Any value specified for the starting purge date must be
greater than the value specified for the Archive data older than value. In addition, if
data exporting is active, the starting purge date specified here must be greater than
the Export data older than value. See the IMPORTANT note above.

Notes: There is no warning when you purge data that has not been archived
or exported by a previous operation.

The purge operation does not purge restored data whose age is within the do not purge restored
data timeframe specified on a restore operation.

10. Click Apply to verify and save the configuration changes. The system will attempt to
verify the configuration by sending a test data file to that location.

If the operation fails, an error message will be displayed and the configuration
will not be saved.

If the operation succeeds, the configuration will be saved.

11. To run or schedule the archive and purge operation, do one of the following:
Click the Run Once Now button to run the operation once.
Click the Modify Schedule button to schedule the operation to run on a
regular basis. See Scheduling in the Common Tools book for instructions on
using the general purpose scheduler.
12. Click Done when you are finished.
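The archive, ignore and purge arithmetic from steps 3, 4, 8 and 9, together with the unarchived-days check described under About the Catalog, as an added example (not Guardium code). The day boundaries follow the page's "30 times before it is purged on the 31st day" note and a month is taken as 30 days; both are assumptions of this example, and the catalog dates are constructed.

```python
"""Data Archive, Ignore and Purge windows, as an added illustration (not Guardium code).

It enumerates the calendar days one archive run covers for given "Archive data
older than" / "Ignore data older than" settings, checks the purge-age rule from
the IMPORTANT note above, and lists days missing from a constructed archive
catalog (the "Location View" check). Boundary assumption: a day of age N is
archived when N is at least the archive age and at most the ignore age, and is
purged once N exceeds the purge age, which matches the page's "30 times before
it is purged on the 31st day" arithmetic. A month is taken as 30 days here.
"""
from datetime import date, timedelta

UNITS = {"day": 1, "week": 7, "month": 30}   # assumed month length


def _d(value):
    """Accept a date or an ISO 8601 date string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def to_days(setting):
    """(value, unit) -> number of days; unit is day, week or month."""
    value, unit = setting
    return value * UNITS[unit]


def check_settings(archive_older, purge_older, export_older=None, ignore_older=None):
    """Raise ValueError for combinations the Data Archive panel does not allow."""
    a, p = to_days(archive_older), to_days(purge_older)
    if ignore_older is not None and to_days(ignore_older) <= a:
        raise ValueError("Ignore data older than must exceed Archive data older than")
    if p <= a:
        raise ValueError("Purge data older than must exceed Archive data older than")
    if export_older is not None and p <= to_days(export_older):
        raise ValueError("Purge data older than must exceed Export data older than")


def settings_ok(*args, **kwargs):
    """True when check_settings accepts the combination."""
    try:
        check_settings(*args, **kwargs)
        return True
    except ValueError:
        return False


def archive_days(today, archive_older, ignore_older, purge_older):
    """Calendar days one run archives (today is day zero, newest first).

    With Ignore blank the window runs back to the purge age, so every day is
    archived again on each daily run until it is purged.
    """
    today = _d(today)
    first = to_days(archive_older)
    last = to_days(ignore_older) if ignore_older is not None else to_days(purge_older)
    return [today - timedelta(days=age) for age in range(first, last + 1)]


def unarchived_days(catalog_dates, oldest, newest):
    """Days in [oldest, newest] with no catalog entry, i.e. never archived."""
    have = {_d(d) for d in catalog_dates}
    day, newest = _d(oldest), _d(newest)
    missing = []
    while day <= newest:
        if day not in have:
            missing.append(day)
        day += timedelta(days=1)
    return missing


# Constructed catalog: daily archives with a two-day gap.
CATALOG = ["2011-04-17", "2011-04-18", "2011-04-19", "2011-04-22", "2011-04-23"]
```

With Archive data older than 1 day, Ignore blank and Purge data older than 30 days, a daily run covers thirty days each time, which is the repeated archiving the note under step 4 warns about; setting Ignore data older than 3 days shrinks each run to three days.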


Configure SCP or FTP Archive or Backup
After selecting SCP or FTP in an archive or backup configuration panel, the following
information must be provided:
1. In the Host box, enter the IP address or host name of the host to receive the
archived data.

2. In the Directory box, identify the directory in which the data is to be stored. How
you specify this depends on whether the file transfer method used is FTP or SCP.

For FTP: Specify the directory relative to the FTP account home directory.

For SCP: Specify the directory as an absolute path.

3. In the Port box, optionally change the port used to send files over SCP or FTP. The
default port for ssh/scp/sftp is 22. The default port for the FTP control connection
is 21 (port 20 is the FTP data connection).
Note: A port value of zero '0' means the default port for the selected protocol is in
use; it does not need to be changed.
4. In the Username box, enter the user name for logging onto the SCP or FTP server.
This user must have write/execute permissions for the directory specified in the
Directory box (above). Use a dedicated account whose access is limited to that
directory; it will own every archive and backup file sent there.

For Windows, a domain user is accepted with the format domain\user.

5. In the Password box, enter the password for the above user, then enter it again in
the Re-enter Password box.
Note: FTP transmits this password in cleartext. The archive and backup files themselves
are encrypted by the appliance before transfer, but the credential is not; prefer SCP
wherever the receiving host supports it.
6. Return to the archiving or backup procedure to complete the configuration.
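A pre-flight check for the receiving host, added here as an illustration; it is not part of Guardium and is not the test that the Apply button runs. Run it on the destination host as the account entered in the Username box (the same checks apply to the Results Export destination). It resolves the port the panel will use (0 meaning the protocol default), verifies that the directory exists and that the account can write to and traverse it, creates and removes a probe file, and flags a directory that is world-writable, since any local user on that host could then replace archive files. The directory in the usage section is a constructed temporary directory.

```python
import os
import stat
import tempfile
import uuid

# Defaults stated on the panel: ssh/scp/sftp on 22; the FTP control connection on 21.
DEFAULT_PORTS = {"scp": 22, "sftp": 22, "ftp": 21}


def effective_port(method: str, port: int) -> int:
    """Return the port a transfer will use: 0 in the panel means the protocol default."""
    method = method.lower()
    if method not in DEFAULT_PORTS:
        raise ValueError(f"unsupported transfer method {method!r}")
    if port == 0:
        return DEFAULT_PORTS[method]
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    return port


def check_receive_dir(path: str) -> list:
    """Check a destination directory from the receiving account's point of view.

    Returns a list of findings; an empty list means the directory is usable and is
    not exposed to other local users. Covers what the appliance's Apply step needs
    (write + execute/traverse, a successful test file) plus a permissions check.
    """
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: directory does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    if not os.access(path, os.W_OK | os.X_OK):
        findings.append(f"{path}: account lacks write/execute permission")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable; any local user could replace archive files")
    # Same idea as the appliance's test upload: create, then remove, a probe file.
    probe = os.path.join(path, f".guardium-probe-{uuid.uuid4().hex}")
    try:
        with open(probe, "x", encoding="ascii") as fh:
            fh.write("probe\n")
        os.unlink(probe)
    except OSError as exc:
        findings.append(f"{path}: probe write failed: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed usage: a throwaway directory stands in for the archive target.
    target = tempfile.mkdtemp(prefix="guardium-archive-")
    print("scp port:", effective_port("scp", 0), "ftp port:", effective_port("ftp", 0))
    print("findings:", check_receive_dir(target) or "none")
    os.chmod(target, 0o777)  # deliberately weaken it to show the warning
    print("findings:", check_receive_dir(target))
```

The world-writable test is the one the appliance does not make for you: the test upload succeeds on such a directory, so the only hint that archives can be tampered with on the receiving host is this check or a manual look at the mode bits.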
Configure EMC Centera Archive or Backup
This backup or archiving task copies files to an EMC Centera storage system off-site. A
license is needed with user name and password from EMC. Four main actions are needed for
this task:

establish account with an EMC Centera on the network (IP addresses and a ClipID
are needed);

configure the data and/or configuration files from a Guardium system;

define and export a library; and,

confirm that your files are indeed stored on the EMC Centera storage system.

CLI action
From the CLI, enable Centera as a storage system and confirm the setting:
store storage-system centera backup ON
show storage-system
GUI action
Log in as admin and select Administration Console > System Backup. After selecting
EMC Centera in an archive or backup configuration panel, the following information
must be provided:
1. In the Retention box, enter the number of days to retain the data. The maximum is
24855 (68 years). If you want to save it for longer, you can restore the data later
and save it again.
2. In the Centera Pool Address box, enter the Centera Pool Connection String; for
example:


10.2.3.4,10.6.7.8?/var/centera/us1_profile1_rwe.pea
Note: The IP addresses and the .PEA file come from EMC Centera. The question mark between
the address list and the path is required. The /var/centera/ path name is important, as the
backup may fail if that path is not used. The .PEA file supplies the permissions, user name
and password used to authenticate each Centera backup request.

3. Click the Upload PEA File button to upload a Centera PEA file to be used for the
connection string. The Centera Pool Address is still needed.
Note: If the message "Cannot open the pool at this address.." appears, check the length
of the Guardium appliance host name. A timeout issue has been reported with Centera when
the host name is shorter than four characters.

4. Click the Apply button to save the configuration. The system will attempt to verify
the Centera address by opening a pool using the connection string specified. If the
operation fails, you will be informed and the configuration will not be saved.
5. Click Run Once Now to perform the backup using the uploaded .PEA file.
Define and export the library (this is performed with root access):
# export LD_LIBRARY_PATH=/usr/local/Centera/lib/
Confirm that your files have been copied to the EMC Centera. The file names and a
ClipID are required for this check.
Configure TSM Archive or Backup
Before archiving to a TSM server, a dsm.sys configuration file must be uploaded to the
Guardium appliance, via the CLI. See import tsm config in the CLI Reference Appendix.
After selecting TSM in an archive or backup configuration panel, the following information
must be provided:
1. In the Password box, enter the TSM password that this Guardium appliance will use
to request TSM services, and re-enter it in the Re-enter Password box.
2. Optionally enter a Server name matching a servername entry in your dsm.sys file.
3. Optionally enter an As Host name.
4. Click the Apply button to save the configuration. When you click the Apply button,
the system attempts to verify the TSM destination by sending a test file to the server
using the dsmc archive command. If the operation fails, you will be informed and the
configuration will not be saved.
5. Return to the archiving or backup procedure to complete the configuration.
Configure Results Archive
1. Select Administration Console > Results Archive.
2. In the boxes following Archive results older than, specify a starting day for the
archive operation as a number of days, weeks, or months prior to the current day,
which is day zero. These are calendar measurements, so if today is April 24, all
results created on April 23 are one day old, regardless of the time when the
operation is performed. To archive results starting with yesterday's data, enter the
value 1, and select Day(s) from the list.
3. Optionally, use the boxes following Ignore results older than to control how many
days of results will be archived. Any value specified here must be greater than the
Archive results older than value.
4. Select storage method radio button from the list below. Depending on how the
appliance has been configured, one or more of these buttons may not be available.
For a description of how to configure the archive and backup storage methods, see
the description of the show and store storage-system commands in the CLI
Appendix.

EMC CENTERA

TSM

SCP

FTP

5. Perform the appropriate procedure (below), depending on the storage method
selected:

Configure SCP or FTP Archive or Backup

Configure EMC Centera Archive or Backup

Configure TSM Archive or Backup

6. In the Comment box, optionally enter comments to be stored with the configuration.
7. Click Apply to verify and save the configuration changes. The system will attempt to
verify the configuration by sending a test data file to that location.

If the operation fails, an error message will be displayed and the configuration
will not be saved.

If the operation succeeds, the configuration will be saved.

8. To run or schedule the archive and purge operation, do one of the following:

Click the Run Once Now button to run the operation once.

Click the Modify Schedule button to schedule the operation to run on a
regular basis. See Scheduling in the Common Tools book for instructions on
using the general purpose scheduler.

9. Click Done when you are finished.
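The age values on the Data Archive and Results Archive panels are calendar measurements with today as day zero, and the Data Archive panel additionally requires the purge age to exceed the archive age (and the export age while data export is active). The functions below, added here as an illustration and not Guardium code, compute the cutoff date for a day, week or month age the way the text describes, validate that ordering, and select the rows a purge run would remove while honouring the "don't purge restored data" window set at restore time. The row layout and the dates are constructed for the example.

```python
import calendar
from datetime import date, timedelta
from typing import List, Optional


def cutoff_date(today: date, amount: int, unit: str) -> date:
    """Latest calendar date that is at least `amount` unit(s) old, today being day 0.

    Ages are whole calendar units, not elapsed hours: with today = April 24, an age
    of 1 day selects everything dated April 23 or earlier, whatever the time of day
    the operation runs.
    """
    if amount < 0:
        raise ValueError("age must be zero or positive")
    unit = unit.lower().replace("(s)", "").rstrip("s")  # Day(s)/Days/day all accepted
    if unit == "day":
        return today - timedelta(days=amount)
    if unit == "week":
        return today - timedelta(weeks=amount)
    if unit == "month":
        # Step back whole months, clamping the day to the target month's length.
        years_back, month_index = divmod(today.month - 1 - amount, 12)
        year, month = today.year + years_back, month_index + 1
        day = min(today.day, calendar.monthrange(year, month)[1])
        return date(year, month, day)
    raise ValueError(f"unknown unit {unit!r}")


def check_purge_ordering(archive_older_days: int, purge_older_days: int,
                         export_older_days: Optional[int] = None) -> List[str]:
    """Data Archive panel rule: purge must start later (a larger age) than archive,
    and later than export while data export is active. Returns the violations."""
    problems = []
    if purge_older_days <= archive_older_days:
        problems.append("purge age must be greater than the archive age")
    if export_older_days is not None and purge_older_days <= export_older_days:
        problems.append("purge age must be greater than the export age while export is active")
    return problems


def select_for_purge(rows: list, today: date, purge_older_days: int) -> list:
    """Return the ids of rows a purge run would delete.

    Each row is {"id": ..., "day": date, "keep_until": date or None}; keep_until is
    the end of the 'don't purge restored data for at least N days' window recorded
    when the row was restored. Rows newer than the cutoff, and restored rows still
    inside their window, are kept.
    """
    cutoff = cutoff_date(today, purge_older_days, "day")
    purge = []
    for row in rows:
        if row["day"] > cutoff:
            continue                     # not old enough yet
        keep_until = row.get("keep_until")
        if keep_until is not None and keep_until >= today:
            continue                     # restored data, still protected
        purge.append(row["id"])
    return purge


# Constructed sample: three rows as of April 24, 2011, with a 30-day purge age.
SAMPLE_TODAY = date(2011, 4, 24)
SAMPLE_ROWS = [
    {"id": "old",      "day": date(2011, 3, 1),  "keep_until": None},
    {"id": "restored", "day": date(2011, 3, 1),  "keep_until": date(2011, 5, 15)},
    {"id": "fresh",    "day": date(2011, 4, 23), "keep_until": None},
]

if __name__ == "__main__":
    print("1 day old as of", SAMPLE_TODAY, "=>", cutoff_date(SAMPLE_TODAY, 1, "Day(s)"))
    print("ordering problems:", check_purge_ordering(30, 60, export_older_days=45) or "none")
    print("rows to purge:", select_for_purge(SAMPLE_ROWS, SAMPLE_TODAY, 30))
```

Note what the purge check does not do: nothing in the panel warns when rows selected for purge were never archived or exported, so `check_purge_ordering` is the only guard, and it only enforces the ordering of ages, not that an archive run actually succeeded first.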


Restore Data
Before Restoring Data:

Before restoring from TSM, a dsm.sys configuration file must be uploaded to the
Guardium appliance, via the CLI. See import tsm config in the CLI Reference
Appendix.

Before restoring from EMC Centera, a pea file must be uploaded to the Guardium
appliance, via the Data Archive panel.

Before restoring or importing a file that was encrypted by a different Guardium
appliance, make sure that the system shared secret used by the appliance that
encrypted the file is available on this appliance (otherwise, it will not be able to
decrypt the file). See About the System Shared Secret in the Guardium
Administration Guide for more information.

Before restoring on a Guardium collector, run the CLI command "stop inspection-core"
to stop the inspection-core process. Note that data cannot be captured during the
restore process.

To restore data:
1. Select Administration Console > Data Restore.
2. Enter a date in the From box, to specify the earliest date for which you want data.
3. Enter a date in the To box, to specify the latest date for which you want data.
4. In the Host Name box, optionally enter the name of the Guardium appliance from
which the archive originated.
5. Click the Search button.
6. In the Search Results panel, mark the Select box for each archive you want to
restore.
7. In the Don't purge restored data for at least box, enter the number of days that
you want to retain the restored data on the appliance.
8. Click the Restore button.
9. Click Done when you are finished.
Catalog Archive
1. Select Administration Console >Data Management > Catalog Archive
2. Do one of the following:

To display catalog entries:


1. Enter a date in the From box, to specify the earliest date for which
you want to display catalog entries.
2. Enter a date in the To box, to specify the latest date for which you
want to display catalog entries.
3. Optionally enter a Host Name to identify the host on which the
archive is stored.
4. Click the Search button.

To add a catalog entry:


1. Click the Add button.
2. Enter a File Name.
3. Enter a Host Name.
4. Enter the Path for the file. For FTP: specify the directory relative to
the FTP account home directory; for SCP: specify the directory as an
absolute path; for TSM: specify the directory as the absolute path of
the original location.
5. Enter a User Name for access to this location.
6. Enter a Password for the above.
7. In the Retention box, enter the number of days this entry is to be
kept in the catalog (the default is 365).
8. Select the Storage System on which the file is contained.
9. Click Accept.

To remove a catalog entry:


1. Open the catalog (see To display catalog entries, above).
2. Mark the Select box.
3. Click the Remove Selected button.

3. Click Done when you are finished.


Catalog Export
1. Select Administration Console > Data Management >Catalog Export
2. From the Type list, select the type of catalog to export: Data Catalog or Results
Catalog.
3. Select all of the definitions of this type to be exported.

To select multiple contiguous definitions: Click the mouse on the first


definition to export, hold down the Shift key, and click the mouse on the last
definition to export.

To select multiple non-contiguous definitions: Hold down the Ctrl key and
click the mouse on each definition to be exported.

4. Click the Export button. Depending on your browser security settings, you may
receive a warning message asking if you want to save the file or to open it using an
editor.
5. Save the exported file in an appropriate location.
6. Click the Done button when you are finished.
Catalog Import
1. Select Administration Console > Data Management > Catalog Import
2. Enter the name of the file containing the exported catalog entries, or click the
Browse button to locate and select that file.
3. Click the Upload button. You are notified when the operation completes and the
definitions contained in the file will be displayed.
4. Optionally repeat the previous two steps to upload additional files.

5. Click the Import this set of Definitions icon to import a set of definitions, or click
the Remove this set of Definitions without Importing icon to remove the uploaded file
without importing the definitions.
6. You will be prompted to confirm either action.
7. Click the Done button when you have finished importing or removing all uploaded
files.

Results Export (CSV, CEF, PDF)


CSV, CEF and PDF files can be created by workflow processes. This function exports all such
files that are on the appliance.
Note: CEF/CSV files created by workflow processes can also be written to syslog. When that happens,
those files are not available to be exported by the means described here. Those files should be accessed
from syslog via other means.

To Export CSV, CEF, and PDF files:


1. Select Administration Console > Data Management > Results Export.
2. In the Host box, enter the IP address or DNS host name of the host to receive the
files.
3. In the Directory box, identify the directory in which the data is to be stored. How you
specify this depends on whether the file transfer method used is FTP or SCP. If you
are unsure which file transfer method has been configured, use the show transfer-method
CLI command (described in the CLI Appendix).

For FTP: Specify the directory relative to the FTP account home directory.

For SCP: Specify the directory as an absolute path.

4. Optionally change the port used to send files over SCP or FTP. The default port for
ssh/scp/sftp is 22. The default port for the FTP control connection is 21 (port 20 is
the FTP data connection).
5. In the Username box, enter the user name to use for logging in to the host
machine. This user must have write/execute permissions for the directory specified
in the Directory box (above).
6. In the Password box, enter the password for the above user, and enter it again in
the Re-enter Password box.
7. Click the Apply button to save the configuration. The system will attempt to verify
the configuration by sending a test data file to that location. If the operation fails, it
displays an error message. If the test file is transmitted successfully, the buttons in
the Scheduling panel will become active.
8. Do one of the following:

To export the files right now, click the Run Once Now button.

To schedule the export operation, click the Modify Schedule button. See
Scheduling in the Common Tools book if you need help using the generic task
scheduler.

9. To verify that files have been exported, check the Aggregation/Archive Log report on
the Guardium Monitor tab. There should be a Send activity for each CSV or CEF file
exported.
To define default separator (comma, semicolon, tab, or define your own), go to
Administration Console > Global Profile.
To enter a label to be included in all file names, go to Tools > Audit Process Builder.
Note: The syslog maximum message size is 4000. CSV results over this limit will be
truncated.
Note: Set the encoding to UTF-8 in whatever application is used to read .CSV files. Excel
defaults to a different character set and will corrupt the .CSV files. When using Excel,
import the .CSV file and select UTF-8 encoding instead of opening the file directly and
letting Excel launch it through the file association.

System Backup
Use the System Backup function to define a backup operation that can be run on demand or
on a scheduled basis. All configuration information and data is written to a single encrypted
file and sent to the specified destination, using the transfer method configured for backups
on this appliance (see the transfer-method CLI command description in the CLI
Appendix).
To restore backed up system information, use the restore system CLI command (see the
description of that command in the CLI Appendix).
Note: System restore must be done to the same patch level of the system backup. For example,
if a customer backed up the appliance when it was on Version 7.0, Patch 7 and then wishes to
restore this backup into a newly-built appliance, then there is a need to first install Version 7.0,
Patches 1 to 7 on the appliance and only then to restore the file.

To back up system information:


1. Select Administration Console > System Backup.
2. Mark one or both of the Backup checkboxes (near the bottom of the panel):

Mark the Configuration checkbox to back up all definitions.

Mark the Data checkbox to back up all data. (If you are archiving data on a
regular basis, this is unnecessary.)

3. Select storage method radio button from the list below. Depending on how the
appliance has been configured, one or more of these buttons may not be available.
For a description of how to configure the archive and backup storage methods, see
the description of the show and store storage-system commands in the CLI
Appendix.

EMC CENTERA

TSM

SCP

FTP

4. Perform the appropriate procedure (below), depending on the storage method
selected:

Configure SCP or FTP Archive or Backup

Configure EMC Centera Archive or Backup

Configure TSM Archive or Backup

5. Click Apply to verify and save the configuration changes. The system will attempt to
verify the configuration by sending a test data file to that location.

If the operation fails, an error message will be displayed and the configuration
will not be saved.

If the operation succeeds, the configuration will be saved.

6. To run or schedule the system backup operation, do one of the following:

Click the Run Once Now button to run the operation once.

Click the Modify Schedule button to schedule the operation to run on a
regular basis. See Scheduling in the Common Tools book for instructions on
using the general purpose scheduler.

7. Click Done when you are finished.


Note: During a SCP/FTP/TSM/Centera file transfer, if the backup file transfer fails,
the last file of each set of backup/archive files (system backup, configuration backup,
archive, CSV archive, etc.) will be saved in the "diag/current" folder. Then when the
backup file destination is again online, a manual transfer of the backup files can be
made from the "diag/current"folder to the destination. The set of backup/archive files
will only be saved in the "diag/current" folder if the file transfer is unsuccessful. If
during another backup file transfer there is a file transfer failure, the set of
backup/archive files will again be saved in the "diag/current" folder. However, in
order to avoid saving too many files and running out of disk space, ONLY the latest
file of each type will be saved. The earlier backup files will be overwritten.
SCP and FTP files via different ports
The ports used to send files over SCP and FTP can be changed.
For System Backup: set the protocol (SCP or FTP) and specify Host, Directory and Port.
The default port for ssh/scp/sftp is 22. The default port for the FTP control connection
is 21.

Export/Import Definitions
Export/Import Definitions Overview
Export Definitions
Import Definitions
Investigation Center
Export/Import Definitions Overview
If you have multiple systems with identical or similar requirements, and are not using
Central Management, you can define the components you need on one system and export

those definitions to other systems, provided those systems are on the same software
release level.
You can export one type of definition (reports, for example) at a time. Each element
exported can cause other referenced definitions to be exported as well. For example, a
report is always based on a query, and it can also reference other items, such as IP address
groups or time periods. All referenced definitions (except for security roles) are exported
along with the report definition. However, only one copy of a definition is exported if that
definition is referenced in multiple exported items.
An export of policies or queries exports only the groups referenced by the exported policies
or queries. Previously an export of policies or queries would export all groups.
Notes

When exporting graphical reports, the presentation parameter settings (colors, fonts,
titles, etc.) are not exported. When imported, these reports will use the default
presentation parameter settings for the importing system.

Subscribed groups are not exported. When exporting definitions that reference
subscribed groups, the user must ensure that all referenced subscribed groups are
installed on the importing appliance (or Central Manager in a federated
environment).

The logs of Export/Import Definitions have the same retention period as the
monitored database activity logs.

Files exported from Guardium 7 cannot be imported into Guardium 8. For
example, policies exported from Guardium 7 cannot be imported into Guardium 8,
due to the enhanced capability of multi-action rules. Re-export the definitions after
upgrading, or contact Guardium technical support for data migration services.

Comments are not included in export.

When audit process definitions of scheduled runs (including schedule time) are
exported to another system, the ACTIVE check box in Audit Process Builder is not
checked (INACTIVE).

Schedule Start Time of an audit process defined on one appliance and exported to
another (unrelated) appliance - In the case that the original schedule start time is
defined, it is retained. In the case that the original schedule start time is not defined
(empty), then the imported schedule start time is set to the time it was imported.

When exporting a datasource with an open source driver, the open source driver will
not be included in the export. The user needs to first upload the open source driver
into the new system before importing the datasource definition that was created
using it, otherwise the data direct driver will be substituted for the open source
driver when it is imported.

Large complex imports can take a very long time and can exceed the length of the
user's session. If this happens and the session times out the import will continue to
run in the background until it completes.

When exporting the definition of classifier policies - any custom evaluation classes
associated with the policies are not exported with the definition. For the imported
policies to work custom evaluation classes must be uploaded separately.

Exporting/Importing definitions between different languages does not work. For
example, trying to export a file from a Guardium system with a language of
Simplified Chinese and import that file to a Guardium system of English will not be
successful.
Importing Groups
When importing a group that already exists, members may be added, but no members will
be deleted.
Importing Aliases
When importing aliases, new aliases may be added, but no aliases will be deleted.
Ownership of Imported Definitions
When a definition is created, the user who creates it is saved as the owner of that definition.
The significance of this is that if no security roles are assigned to that definition, only the
owner and the admin user have access to it.
When a definition is imported, the owner is always changed to admin.
Roles for Imported Definitions
References to security roles are removed from exported definitions. So any imported
definitions will have no roles assigned.
Users for Imported Definitions
A reference to a user in an exported definition causes the user definition to be exported.
When definitions are imported, the referenced user definitions are imported only if they do
not already exist on the importing system. In other words, existing user definitions are
never overwritten. This has several implications, as described in the Duplicate Role and User
Implications topic, below.
In addition, imported user definitions are disabled. This means that imported users can
receive email notifications sent from the importing system, but they are not able to log into
that system, unless and until the administrator enables that account.
Duplicate Group and User Implications
As mentioned above, if a group referenced by an exported definition already exists on the
importing system, the definition of that group from the exporting system will not be
imported. This may create some confusion if the group is not used for the same purposes on
both systems.
If a user definition already exists on the importing system, it may not be for the same
person defined on the exporting system. For example, assume that on the exporting system
the user jdoe with the email address john_doe@aaa.com is a recipient of output from an
exported alert. Assume also that on the importing system, the jdoe user already exists for a
person with the email address jane_doe@zzz.com. The exported user definition is not
imported, and when the imported alert is triggered, email is sent to the jane_doe@zzz.com
address. In either case, when security roles or user definitions are not imported, check the
definitions on both systems to see if there are differences. If so, make the appropriate
adjustments to those definitions.
Definition Types for Exporting (Table)
The following lists identify the elements that can be exported and the elements that
cannot be exported.

Can Be Exported:
Access Map
Alert
Alias
Audit Process
Auto-discovery Process
CAS Hosts
CAS Template Sets
Classification Process
Classifier Policy
Custom Class Connection Permission
Custom Domain
Custom Table
Datasource
Event Type
Group
Named Template
Period (time period)
Policy (but not an included Baseline)
Privacy Set
Query
Replay
Report
Role
Security Assessment
User
Users database mapping
Users database permission
Users Hierarchy

Can NOT Be Exported:
Baseline or Baseline included in a Policy
Custom Alerting Class
Custom Assessment Test
Custom Identification Procedure
Access Rule
Export Definitions
1. Select Administration Console > Guardium Definitions > Export.
2. From the Type list, select the single type of definition to export. The Definitions to
Export box will be populated with definitions of the selected type.
3. Select all of the definitions of this type to be exported.

To select multiple contiguous definitions: Click the mouse on the first
definition to export, hold down the Shift key, and click the mouse on the last
definition to export.

To select multiple non-contiguous definitions: Hold down the Ctrl key and
click the mouse on each definition to be exported.

Note: Do not export a Policy definition whose name contains one or more quote characters. That definition
can be exported, but it cannot be imported. To export such a definition, make a clone of it, naming the
clone without using any quote characters, and export the clone.

4. Click the Export button. Depending on your browser security settings, you may
receive a warning message asking if you want to save the file or to open it using an
editor.
5. Save the exported file in an appropriate location.
6. Click the Done button when you are finished.
Import Definitions
1. Select Administration Console > Guardium Definitions > Import.
2. Enter the name of the file containing the exported definitions, or click the Browse
button to locate and select that file.
3. Click the Upload button. You are notified when the operation completes and the
definitions contained in the file will be displayed.
4. Optionally repeat the previous two steps to upload additional files.

5. There is a checkbox, "Fully synchronize group members", to set the behavior of how
to add new group members imported directly or via other datasets such as queries or
policies. If not checked, new members that are in the import are added, but
members not in the import are not removed. If checked, then group members not in
the import are removed. There is a "Set as default" button next to the checkbox to
enable saving the checkbox setting.
6. Click the Import this set of Definitions icon to import a set of definitions, or click
the Remove this set of Definitions without Importing icon to remove the uploaded file
without importing the definitions.
7. You will be prompted to confirm either action.

Note: An import operation does not overwrite an existing definition. If you attempt to import a
definition with the same name as an existing definition, you are notified that the item was not
replaced. If you want to overwrite an existing definition with an imported one, you must delete
the existing definition before performing the import operation.

8. Click the Done button when you have finished importing or removing all uploaded
files.
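The group rule (members are added, and removed only when Fully synchronize group members is checked), the user rule (an existing user is never overwritten, and a user new to this system arrives disabled) and the Duplicate Group and User Implications topic above describe what an import does with definitions that already exist. The code below, added as an illustration and not Guardium's import code, applies those rules to an exported definition set and reports the cases the text says to check by hand: a same-named user whose e-mail differs from the exported one, and group members that a plain import would leave in place. The definition layout and the jdoe sample data are constructed.

```python
from typing import Dict, List, Set


def merge_group(existing: Set[str], imported: Set[str], fully_synchronize: bool) -> Set[str]:
    """Group import rule: new members are added; members absent from the export are
    removed only when 'Fully synchronize group members' is checked."""
    return set(imported) if fully_synchronize else set(existing) | set(imported)


def stale_members(existing: Set[str], imported: Set[str]) -> Set[str]:
    """Members present here but absent from the export: a plain import keeps them,
    a fully synchronized import removes them."""
    return set(existing) - set(imported)


def import_users(existing: Dict[str, dict], imported: Dict[str, dict]) -> Dict[str, dict]:
    """User import rule: an existing user definition is never overwritten; a user new
    to this system is created disabled until an administrator enables the account."""
    result = {name: dict(user) for name, user in existing.items()}
    for name, user in imported.items():
        if name in result:
            continue                               # the existing definition wins
        result[name] = {**user, "enabled": False}  # can receive e-mail, cannot log in
    return result


def user_conflicts(existing: Dict[str, dict], imported: Dict[str, dict]) -> List[str]:
    """Flag same-named users whose e-mail differs: an imported alert that names the
    user will notify the address already on this system, not the exported one."""
    conflicts = []
    for name, user in imported.items():
        local = existing.get(name)
        if local is not None and local.get("email") != user.get("email"):
            conflicts.append(f"user {name!r}: export has {user.get('email')}, "
                             f"this system keeps {local.get('email')}")
    return conflicts


# Constructed sample mirroring the jdoe example on this page.
LOCAL_USERS = {"jdoe": {"email": "jane_doe@zzz.com", "enabled": True}}
EXPORTED_USERS = {"jdoe": {"email": "john_doe@aaa.com", "enabled": True},
                  "asmith": {"email": "a_smith@aaa.com", "enabled": True}}
LOCAL_GROUP = {"10.0.0.5", "10.0.0.6"}       # e.g. an IP address group (constructed)
EXPORTED_GROUP = {"10.0.0.6", "10.0.0.7"}

if __name__ == "__main__":
    for line in user_conflicts(LOCAL_USERS, EXPORTED_USERS):
        print("CHECK:", line)
    print("users after import:", import_users(LOCAL_USERS, EXPORTED_USERS))
    print("plain import:", sorted(merge_group(LOCAL_GROUP, EXPORTED_GROUP, False)))
    print("fully synchronized:", sorted(merge_group(LOCAL_GROUP, EXPORTED_GROUP, True)))
    print("kept by a plain import:", sorted(stale_members(LOCAL_GROUP, EXPORTED_GROUP)))
```

Run the conflict report against the target system before importing: once the import has happened, the exported user definition is gone and the only remaining sign of the mismatch is an alert reaching the wrong mailbox.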

Distributed Interface
Overview
Use this configuration screen to define the Distributed Interface and upload the Protocol
Buffer (.proto) file to the DIST_INT database. From this database, Query Domain metadata
is built automatically. After the metadata is built, the user can go to Custom Domain Builder
to modify or clone the data and build custom reports. The distributed interface data uses
protocol buffers. Protocol buffers are a flexible, efficient, and automated mechanism for
serializing structured data.
Configure Distributed Interface
1. Select Distributed Interface from Admin Console > Guardium Definitions.
2. Select an already created Distributed Interface from the Distributed Interface Finder.
Click on Modify or Delete for desired action.
3. Or click on the New button to create a new Distributed Interface.
4. In the Vendor ID box, enter the ID of the vendor (for example, 20000).
5. In the Domain Name box, enter the name of the domain that will be selectable from
Custom Domain Builder.
6. In the Include in aggregation box, a checkmark appears by default.
7. In the File Name box, enter or select via browsing a file name.
8. Click on Apply button to save this configuration.
9. Go to Custom Domain Builder (Tools > Report Building > Custom Domain Builder) to
build custom reports.

Example of a .proto file

package bim;
option java_package = "com.ibm.infosphere.bim.proto";
option java_outer_classname = "BimEvent";

// NOTE: AssetID and Property_type (== Property name!) are strings.
// For AssetID, it is safest to use a UUID since it provides a world-wide unique ID.
// This will be the key to the table of current metrics and property values.
// Per each asset, per each property, there will be one value (recent, or min, or max, etc.)

message EventTypeID {
  required string eventType = 1; // e.g. Schema change
}

message AssetID {
  required string assetId = 1;
}

message InfoPropertyID {
  required string assetId = 1;
  required string propertyName = 2;
}

message MetricPropertyID {
  required string assetId = 1;
  required string propertyName = 2;
}

message AssetRelationID {
  // These are asset "native" ids
  required string sourceAssetId = 1;
  required string targetAssetId = 2;
}

message RelationPropertyID {
  required string assetRelationId = 1;
  required string propertyName = 2;
}

message Event {
  optional InnerEvent innerEvent = 1;
}

message InnerEvent {
  // Common for all events
  optional EventTypeID eventTypeId = 1;
  optional string description = 2;
  optional string time = 3;
  optional string agentId = 4;
  // Event can be for asset info, or metric property
  optional AssetInfoEvent assetInfoEvent = 5;
  optional MetricPropertyEvent metricPropertyEvent = 6;
  optional AssetRelationEvent relationEvent = 7;
  optional RuleEvent ruleEvent = 8;
}

message AssetInfoEvent {
  optional AssetID unique_key__ = 1;
  optional string assetType = 2;
  optional string assetName = 3;
  optional string gdm_server_ip = 4;
  optional string gdm_service_name = 5;
  repeated InfoProperty property = 6;
}

message InfoProperty {
  optional InfoPropertyID unique_key__ = 1;
  optional string value = 2;
}

message MetricPropertyEvent {
  optional AssetID assetId = 1;
  repeated MetricProperty property = 2;
}

message MetricProperty {
  optional MetricPropertyID unique_key__ = 1;
  optional AssetID assetId = 2;
  optional string stringValue = 3;
  optional double doubleValue = 4;
  enum Data_type {
    DOUBLE = 1;
    LONG = 2;
    INT = 3;
    FLOAT = 4;
    DATE = 5;
    BOOLEAN = 6; // convention is to store it as 0 and 1 in the double_value
    STRING = 7;  // stored in string_value
  }
  optional Data_type dataType = 5;
  optional string unit = 6; // unit for the value
}

message AssetRelationEvent {
  optional AssetRelationID unique_key__ = 1;
  required string relationshipType = 2;
  repeated RelationshipProperty property = 3;
  optional bool deleted = 4;
}

message RelationshipProperty {
  optional RelationPropertyID unique_key__ = 1;
  optional string value = 2;
}

message RuleEvent {
  optional string ruleName = 1;
  optional bool enabled = 2;
}

// --- Metadata --- All unique identifiers must be defined here
message Identifier {
  optional InfoPropertyID infoPropertyId = 1;
  optional MetricPropertyID metricPropertyId = 2;
  optional AssetID assetId = 3;
  optional AssetRelationID assetRelationId = 4;
  optional RelationPropertyID relationshipPropertyId = 5;
}
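To see what the DIST_INT database actually receives for this schema, the code below, added here as an illustration and not Guardium's or the protobuf library's code, hand-encodes an Event from the .proto above in the protocol buffer wire format (varint tags, length-delimited strings and nested messages) and parses it back with the bounds checks a decoder of externally supplied data needs. Field numbers are those of the schema above; the asset values, timestamp and agent ID are constructed.

```python
import struct
from typing import Dict, List


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 bits per byte, least significant group first."""
    if value < 0:
        raise ValueError("only non-negative values are encoded here")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if not value:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def tag(field: int, wire_type: int) -> bytes:
    return encode_varint((field << 3) | wire_type)


def f_string(field: int, text: str) -> bytes:     # wire type 2: length-delimited
    data = text.encode("utf-8")
    return tag(field, 2) + encode_varint(len(data)) + data


def f_message(field: int, body: bytes) -> bytes:  # nested message, also wire type 2
    return tag(field, 2) + encode_varint(len(body)) + body


def build_asset_info_event(asset_id: str, asset_type: str, asset_name: str, props: dict) -> bytes:
    """Event { innerEvent { eventTypeId, description, time, agentId, assetInfoEvent } }
    with the field numbers of the .proto above; time and agentId are constructed."""
    properties = b"".join(
        f_message(6, f_message(1, f_string(1, asset_id) + f_string(2, name))  # InfoPropertyID
                  + f_string(2, value))                                      # InfoProperty.value
        for name, value in props.items())
    asset_info = (f_message(1, f_string(1, asset_id))   # unique_key__ (AssetID.assetId)
                  + f_string(2, asset_type) + f_string(3, asset_name) + properties)
    inner = (f_message(1, f_string(1, "Schema change"))  # eventTypeId.eventType
             + f_string(2, "constructed sample event")
             + f_string(3, "2011-04-24T10:00:00Z")
             + f_string(4, "agent-01")
             + f_message(5, asset_info))
    return f_message(1, inner)                           # Event.innerEvent


def decode_varint(buf: bytes, pos: int):
    shift = result = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_fields(buf: bytes) -> Dict[int, List]:
    """Split one message into {field number: [raw values]}. Strings and nested
    messages stay as bytes for the caller to interpret against the schema. Each
    length prefix is checked against the buffer before use; skipping that check
    is the classic way a decoder of untrusted input over-reads."""
    fields: Dict[int, List] = {}
    pos = 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:                     # varint (bool, enum, integers)
            value, pos = decode_varint(buf, pos)
        elif wire_type == 1:                   # fixed64 (double)
            if len(buf) - pos < 8:
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<d", buf, pos)[0]
            pos += 8
        elif wire_type == 2:                   # length-delimited
            length, pos = decode_varint(buf, pos)
            if length > len(buf) - pos:
                raise ValueError("length prefix runs past end of buffer")
            value = bytes(buf[pos:pos + length])
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.setdefault(field, []).append(value)
    return fields


def asset_name_from_event(buf: bytes) -> str:
    """Walk Event.innerEvent (1) -> InnerEvent.assetInfoEvent (5) -> assetName (3)."""
    inner = decode_fields(decode_fields(buf)[1][0])
    return decode_fields(inner[5][0])[3][0].decode("utf-8")


if __name__ == "__main__":
    wire = build_asset_info_event("2f1c0d0e-6b9a-4c1e-9c2a-000000000001", "DATABASE",
                                  "ORCL1", {"version": "11.2", "owner": "dba"})
    print(len(wire), "bytes, starting", wire[:4].hex())
    print("asset name:", asset_name_from_event(wire))
```

The decoder is deliberately schema-free: it knows nothing about which field is a string and which is a nested message, only the wire types, which is exactly what a generic parser sees before it consults the uploaded .proto. The `length > len(buf) - pos` test is the one to keep when adapting it; a truncated or crafted upload is rejected there rather than read past the buffer.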

Capture Replay
Use this feature for performance and capacity testing.
For performance testing, for example, take the data stream collected on one system with an
Oracle database and replay the data stream on a different system with an Oracle database.
Do this to see if one system is faster or slower in handling the data stream.
For capacity testing, take a data stream collected from one datasource and replay this data
stream on a different datasource. For example, take the data stream collected from a
system running an Oracle database and replay this data stream on a system using a DB2
database. Use this task to test the capacity of the second datasource to handle the amount
of data processed by the first datasource.
Notes:

The Replay feature will work only on data captured with a Log Full Details policy.

Make sure that there are no Ignore actions in the policy. Ignore actions direct the collector to leave out specific SQL transactions. If the SQL is not captured, then it cannot be replayed.

The source database must have active S-TAP and Inspection Engines.

Replay works on a standalone or managed unit collector.

S-TAP must be installed on any database used for Replay and must report back to the same Guardium appliance that the captured database reported to, for proper analysis of capture and replay.

The progress of Capture/Replay jobs may be seen in the Guardium Job Queue report from the Guardium Monitor tab or within the Capture/Replay tab.

If the captured data is not supported on the replay database, the query will fail. For example, capturing an Oracle SELECT statement such as "select * from test.obj1" will fail on Informix, since the '.' is not valid within Informix and Replay does not transform the SELECT statement to "select * from test:obj1".

Bind variable capture is supported for DB2, Informix, and Oracle and will be replayed the same as it was captured.

How to use this feature


1. Configure replay
2. Stage the data
3. Replay the Configuration
4. Data Staging
5. Capture/Replay Comparison Listings
6. Workload Comparison
7. Transaction Status
8. Compare (invoke APIs to compare jobs)
9. Modify Replay Configuration
10. Remove Replay Configuration
11. Purge Replay Results
12. Stop Replay After it Starts

Configure Replay
Configuration of replay is the process of identifying which SQL stream, from a capture
policy, you are interested in. In order to configure capture replay, it is assumed that you
have already captured data on the Guardium appliance and the capture data has been done
with a log full detail policy.
1. Within the User view, click on the Capture/Replay tab; users with the admin role select Tools > Config and Control > Replay Builder
2. Click on the Configuration tab
3. To define a new replay, click on the New button, to clear any pre-populated fields,
and then populate the following fields:
Parameter: Description

Name: required - name for the replay configuration

Period Start: required - the start time of the captured data at which replay should begin

Period End: required - the end time of the captured data at which replay should end

DB Type: required - DB2, IBM Informix (DRDA), IBM iSeries, Informix, MS SQL Server, MYSQL, Netezza, Oracle, Sybase, Teradata (The choices shown are the ones set in the Access Rule of the policy that managed the sniffed data)

Server IP: optional

Client IP: optional

DB User: optional

DB Name: optional

Service Name: optional

Net protocol: optional

Source program: optional

4. When done configuring these values, click on the Apply button. By default the status
of this replay configuration will be 'Not Staged'; meaning that while it has been
configured there is no capture data associated with it yet. The replay configuration
can only be replayed after it has been staged.



Stage the data
In order to replay captured data, the replay configuration must be staged; meaning that, for
the replay configuration defined, captured data will be filtered and associated with this
replay configuration for subsequent replaying of SQL traffic. The staging of a replay
configuration will cause the selected replay configuration to be added to the process queue
which can be viewed through the Guardium Job Queue under the Guardium monitor tab or
Capture/Replay tab. The status will then turn to 'Staged' when staging has been completed,
allowing the user to now replay the configuration.
1. Within the User view, click on the Capture/Replay tab; users with the admin role select Tools > Config and Control > Replay Builder
2. Click on the Configuration tab
3. Select the Replay Configuration you want to stage
4. Click on the Stage button
5. Choose Start from the drop-down list

Replay the Configuration


Here is where we configure where we would like to replay the data.
1. Within the User view, click on the Capture/Replay tab; users with the admin role select Tools > Config and Control > Replay Builder
2. Click on the Configuration tab
3. Select the Replay Configuration (that is staged)
4. Next click on the Replay button and the Replay Schedule Setups menu screen
appears. If there are no previous choices for Scheduling, click on the New button.
5. Another Replay Schedule Setups menu screen appears. The configuration choices
are as follows:
Parameter: Description

Name: Name of the schedule

Datasource Name: A defined datasource where replay will be performed.

Speed Rate: The speed at which to run the replay, for example: 0 = no delay (as fast as it can run on the second datasource), 0.1 = 10x slower, 1 = same speed, 10 = 10x faster.
Note: The speed setting is approximate. There are many normal system and data handling processes and acknowledgements that will slow the speed down.

Repeat times: The number of times this replay is to be performed.
Note: This does not open new sessions for each repeat time but runs the same SQL within the opened sessions.

Commit Methods: Defines the method of committing, where:
Don't force: means you will not be setting the commit through the replay, and the commit method will take on the property of the captured session through the inspection engine settings.
Force auto commit: means commits will occur after every SQL regardless of how it was captured.
Force no auto commit: means there will be no commits until an explicit commit is seen in the capture.
Note: Overriding the commit method set through the inspection engine with Force auto commit or Force no auto commit is preferred.

Log box: Check to log whether the Query failed or the Query was successful.


6. When done with configuring the Replay Schedule Setups, click the Apply button to
save the replay schedule
7. If you'd like to run the replay schedule setup once, click the Run Once Now button
to replay a data stream
8. If you'd like to assign a schedule to the selected replay schedule setup, click on the
Modify Schedule button
9. If a schedule has been defined, you may click on the Pause button to deactivate the
schedule
10. If a schedule has been defined but is paused, click on the Resume button to
reactivate the schedule
Note: Any comments in original statements that were captured are removed during replay

Data Staging
Staged Data - Shows, for a selected replay configuration, the staged SQL. By default the
value of the config ID is empty and the user must modify the runtime parameter through
the customize option and enter the config ID that you would like to see.
Replay Statistics - Shows some high-level replay execution statistics

Capture/Replay Comparison Listings


After capture(s) and replay(s) have been performed, three different reporting views can be utilized to view and serve as a resource to drill down into capture and replay detail as well as execute GuardAPI calls to aggregate selected information. These three listings consist of:

Capture-Capture List

Capture-Replay List

Replay-Replay List


Capture/Capture List
Is a listing of all possible combinations of all captures that have been done for the purpose
of examining two different captures side by side.
The Capture-Capture List may be used to examine problems in database workload, by
comparing two captures side by side for workload patterns/usages such as differences in
SQL executed, runtime differences, execution failures, etc. Additional reports available by
double-clicking on a Capture-Capture List row include:

View Workload Comparison - see Workload Comparison below

SQL Workload Summary Drill Down - after invoking one of the aggregation APIs
(from the invoke icon), allows the user to compare the differences between the two
captured workloads; providing insight into how SQL ran between the two.

Capture/Replay List
Is a listing of all the Captures that have been configured and have a Replay associated with
them and is used for the purpose of examining the differences in captured SQL to the
replaying of that SQL to a target database system. If a capture configuration has not been
replayed then it will not appear in the list.
The Capture-Replay List may be used to examine problems/differences in database workloads on the same, similar, or different database systems. Additional reports available by double-clicking on a Capture-Replay List row include:

View Workload Comparison - see Workload Comparison below

Compare Avg Execution Time - lists the average execution time between capture and replay

Compare Rows Retrieved - lists the number of rows retrieved between capture and replay

Compare SQL Execution - lists the execution counts between capture and replay

Compare SQL Failures - lists the failure count between capture and replay

Replay Exception From Drill Down - lists the exceptions encountered from the capture

Replay Exception To Drill Down - lists the exceptions encountered during replay

SQL Workload Match Drill Down - after invoking queue_replay_match_by_id, lists a side-by-side comparison of various SQL statistics between capture and replay

SQL Workload Summary Drill Down - after invoking one of the aggregation APIs (from the invoke icon), allows the user to compare the differences between the capture and replay workloads, providing insight into how SQL ran between the two.

Replay/Replay List
Is a listing of all the Replays that have been performed against the same capture
configuration.
The Replay-Replay List may be used to examine problems/differences in database workloads on the same, similar, or different database systems with the same capture configuration. Additional reports available by double-clicking on a Replay-Replay List row include:

View Workload Comparison - see Workload Comparison below

Compare Avg Execution Time - lists the average execution time between the two replays

Compare Rows Retrieved - lists the number of rows retrieved between the two replays

Compare SQL Execution - lists the execution counts between the two replays

Compare SQL Failures - lists the failure count between the two replays

Replay Exception From Drill Down - lists the exceptions encountered from the capture

Replay Exception To Drill Down - lists the exceptions encountered during replay

SQL Workload Match Drill Down - after invoking queue_replay_match_by_id, lists a side-by-side comparison of various SQL statistics between the two replays

SQL Workload Summary Drill Down - after invoking one of the aggregation APIs (from the invoke icon), allows the user to compare the differences between the two replay workloads, providing insight into how SQL ran between the two.

Workload Comparison
The workload comparison tab does not exist the first time a user goes to the capture/replay
tab. It only shows up after the first workload comparison has been done. Workload comparisons
are done by double-clicking on either a Capture-Capture List, Capture-Replay List, or
Replay-Replay List row detail and selecting View Workload Comparison.
The following table shows the reports available after selecting View Workload
Comparison from the designated Capture Replay Lists:
Reports available from the Capture-Capture List, the Capture-Replay List, and the Replay-Replay List:

Data Staging

Summary Comparison: Compare Avg Execution Time, Compare SQL Exceptions, Compare Rows Retrieved, Compare SQL Failures

Workload Aggregate Match

Workload Exceptions

Workload Match

Available Reports

Data Staging - Shows the Full SQL, the staging data that was used and that was executed during replay.

Summary Comparison - provides a high-level look into the differences in the capture and replay, consisting of:
Compare Avg Execution Time - how the execution time differed between capture and replay
Compare SQL Exceptions - how the number of SQL exceptions differed between capture and replay
Compare Rows Retrieved - how the number of rows returned differed between capture and replay
Compare SQL Failures - how many SQL failures there were between capture and replay

Workload Aggregate Match - after invoking queue_replay_agg_match_by_id or queue_replay_object_agg_match_by_id from the Capture-Capture List, Capture-Replay List, or Replay-Replay List, aggregates by SQL the statistics that allow the user to compare the differences between the selected workloads. Which API to use depends on whether the two selected workloads are of the same type: for databases of the same type use queue_replay_agg_match_by_id; for databases of differing types use queue_replay_object_agg_match_by_id.
Note: For Workload Aggregate Match, switching between running queue_replay_agg_match_by_id and queue_replay_object_agg_match_by_id will delete the previous report results for the selected workloads, since both use the same report (Workload Aggregate Match).
Note: The Workload Aggregate Match will include all the data that appears during the periods selected (full hours). If you look at the SQLs that appear on the report you might see SQLs that were not really replayed. So if you want to see only the specific SQLs, the Workload Match report should be utilized.

Workload Exceptions - shows the SQL that generated exceptions during replay.

Workload Match - after invoking queue_replay_match_by_id, provides a side by side comparison of each SQL statement and a statistical comparison between the two selected workloads. The queue_replay_match_by_id also provides the ability to use defined groups that can aid in the inclusion or exclusion of database objects. Two predefined groups are supplied, Replay-Exclude from Compare and Replay-Include in Compare; you can go to Group Builder to see which objects have been defined or to modify these groups.
Note: For Workload Match, by default the reports show the SQLs that appear in both the capture and the replay. In order to see unmatched SQLs you will need to customize the report by changing the runtime parameters: 1. to see the SQLs that are in the replay but not in the capture, set capturedFullSQLLike to "" and replayFullSQLLike to %; 2. to see the SQLs that are in the capture but not in the replay, set capturedFullSQLLike to % and replayFullSQLLike to "".

Transaction Status
When viewing the SQL for capture or replay, there exists a status column in various reports.
This status column indicates, for each transaction, the replay status that was observed, using
the following values:

0 - ROLLBACK
1 - COMMIT
2 - NO_STATUS (this is the default)
4 - AUTOCOMMIT_ON
8 - AUTOCOMMIT_OFF
5 - AUTOCOMMIT_ON + COMMIT
6 - AUTOCOMMIT_ON + NO_STATUS
9 - AUTOCOMMIT_OFF + COMMIT
10 - AUTOCOMMIT_OFF + NO_STATUS
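The status values above decoded as the bit flags the table implies (every composite code is an autocommit flag plus an outcome flag), as an added example that is not code from the Guardium documentation; the report rows it processes are constructed sample data.

```python
from collections import Counter

# Base status codes from the Transaction Status table in the guide.
ROLLBACK = 0        # no flag bits set
COMMIT = 1
NO_STATUS = 2       # the default
AUTOCOMMIT_ON = 4
AUTOCOMMIT_OFF = 8

# Flag bits in the order the table writes composite labels
# ("AUTOCOMMIT_ON + COMMIT", never "COMMIT + AUTOCOMMIT_ON").
FLAG_NAMES = (
    (AUTOCOMMIT_ON, "AUTOCOMMIT_ON"),
    (AUTOCOMMIT_OFF, "AUTOCOMMIT_OFF"),
    (COMMIT, "COMMIT"),
    (NO_STATUS, "NO_STATUS"),
)

# The nine codes the guide documents, code -> label.
DOCUMENTED_STATUSES = {
    0: "ROLLBACK",
    1: "COMMIT",
    2: "NO_STATUS",
    4: "AUTOCOMMIT_ON",
    8: "AUTOCOMMIT_OFF",
    5: "AUTOCOMMIT_ON + COMMIT",
    6: "AUTOCOMMIT_ON + NO_STATUS",
    9: "AUTOCOMMIT_OFF + COMMIT",
    10: "AUTOCOMMIT_OFF + NO_STATUS",
}


def status_label(code):
    """Compose the table's label from the flag bits of a status code.

    Observation about the table: each composite code is the sum of an
    autocommit flag (4 or 8) and an outcome flag (1 or 2), e.g. 4 + 1 = 5.
    Code 0 (no bits set) is the ROLLBACK row.
    """
    if code == ROLLBACK:
        return "ROLLBACK"
    return " + ".join(name for bit, name in FLAG_NAMES if code & bit)


def is_documented(code):
    """True only for codes present in the guide's table.

    Values such as 3 (COMMIT and NO_STATUS together) or 12 (AUTOCOMMIT_ON
    and AUTOCOMMIT_OFF together) still decode to a label but are not
    meaningful, so treat them as a parsing or export problem, not a status.
    """
    return code in DOCUMENTED_STATUSES


def summarize_statuses(rows):
    """Count transactions per documented status and collect undocumented codes.

    rows: iterable of (transaction_id, status_code) pairs read from the
    status column of a capture or replay report.
    Returns (Counter of label -> count, list of (transaction_id, code)).
    """
    counts = Counter()
    undocumented = []
    for txn_id, code in rows:
        if is_documented(code):
            counts[status_label(code)] += 1
        else:
            undocumented.append((txn_id, code))
    return counts, undocumented


# Constructed sample rows standing in for a report's status column.
SAMPLE_ROWS = [
    ("txn-1", 5), ("txn-2", 5), ("txn-3", 2), ("txn-4", 0),
    ("txn-5", 9), ("txn-6", 3), ("txn-7", 12),
]

if __name__ == "__main__":
    # Self-check: the composed labels must reproduce the documented table.
    assert all(status_label(c) == l for c, l in DOCUMENTED_STATUSES.items())
    counts, bad = summarize_statuses(SAMPLE_ROWS)
    for label, n in sorted(counts.items()):
        print("%-28s %d" % (label, n))
    for txn_id, code in bad:
        print("undocumented status %d for %s" % (code, txn_id))
```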

Compare (invoke APIs to compare jobs)


Results may be aggregated, compared, or controlled by invoking a variety of APIs through
the various Capture/Replay Lists (Capture-Capture List, Capture-Replay List, or Replay-Replay List). See GuardAPI functions for Capture/Replay for information on the
Capture/Replay GuardAPI functions.

Modify Replay Configuration


1. Within the User view, click on the Capture/Replay tab; users with the admin role select Tools > Config and Control > Replay Builder
2. Click on the Configuration tab
3. Select the Replay Configuration that you'd like to modify
4. Edit directly the configuration (see Configure replay for details on configurations)
5. Click on the Apply button to save
Note: A replay configuration that is staged can't be modified until the stage is dropped.

Remove Replay Configuration


A user may either delete a replay configuration (complete removal) or modify the
configuration from the staged status to the not staged status (no SQL traffic is then
associated with the configuration).
Staged configurations may be dropped from the queue by selecting Drop from the drop-down list as described below, causing the configuration to be not staged again.
1. Within the User view, click on the Capture/Replay tab; users with the admin role select Tools > Config and Control > Replay Builder
2. Click on the Configuration tab
3. Select the Replay Configuration you want to delete or drop
4. If deleting the replay configuration, click the Delete button
5. If dropping the staged replay configuration, click on the Stage button and choose
Drop from the drop-down list

Purge Replay Results


Replay results, including the replay result header and the actual results and results statistics
older than 14 days on statuses DONE or TERMINATED, are purged on a daily basis.

Stop Replay after it starts


As an admin user, click on the Guardium Monitor tab. Select the Replay process from the
Job Queue under the Capture/Replay tab. Right-click the mouse to bring up a menu. Select
Stop job.
The default time period a replay process will run is 1440 seconds (24 hours).
The CLI command for Replay configuration is "store replay". The time period, that a replay
process runs, can also be changed from the CLI.

S-TAP Certification
Use this function to block unauthorized STAPs from connecting to the Guardium appliance.
If there is a checkmark in the S-TAP Approval Needed box, then STAPs cannot connect until
they are specifically approved.
If an unapproved STAP connects, it is immediately disconnected until someone goes to this
GUI screen and specifically authorizes the IP Address of that STAP.
There is a pre-defined report for approved clients, "Approved TAP clients", it is available on
the "Daily Monitor" tab.
This function can also be controlled via the CLI command, stap approval ON | OFF ( store
stap certification ON | OFF, show stap certification ON | OFF) and via a GuardAPI command,
grdapi store_stap_approval.
The new configuration will be effective after running the "restart inspection-core" command.
Approve STAPs
1. Place a checkmark in the box for S-TAP Approval Needed.
2. Then specify the Approved S-TAP clients.
Note: Use the valid IP address, not the host name.
Note: Within a Central Managed environment, after adding the IPs to approved STAPs,
there is a wait time associated with synchronization that might take up to an hour. After
synchronization is complete the approved STAPs status will appear green in GUI.


Custom Alerting Class Administration


Custom alerting classes can be developed by any user, but the class must be uploaded to
the Guardium Appliance from the Administration Console. See the following topics:

Custom Alerting in the Monitor & Enforce help book describes how to implement and
test a custom alerting class.

Manage Custom Classes in the Administration Guide describes how to upload, update
or remove custom classes

Configure Permission to Socket Connection, also in the Administration Guide, describes how to configure permissions for any socket connections required by the custom class.

Configure Permission to Socket Connection


This topic applies to Custom Alerting Classes. Follow this procedure to configure permissions
for all socket connections that are used by custom classes.
1. Select Administration Console > Custom Alerting > Communication Permissions
2. Click Add permission To Socket Connection to expand that pane

3. Enter the IP address or Host name for the host


4. Enter a Port number for the socket connection
5. Enter a description
6. Click Save

Manage Custom Classes


Custom Class Management Overview
Upload a Custom Class
Update a Custom Class
Delete a Custom Class
See also: Configure Permission to Socket Connection
Custom Class Management Overview
Users can develop custom classes by implementing Java interfaces supplied by Guardium
Support. Once a class has been compiled, it must be uploaded to the Guardium appliance
from the Administration Console. Select one of the topics above to upload, update, or delete
a custom class.
For more information about custom alerting or custom assessment classes, see:

Custom Alerting in the Monitor & Enforce help book

For more information about custom evaluations, see:

Custom Evaluation in the Discover help book




Upload a Custom Class
1. Select Administration Console > Custom Classes > Upload (under the Custom
Alerts or Custom Evaluations section)
2. Enter a Description
3. Click the Browse button to locate and select the desired Class File. Selecting a file
this way will insert the full path name for the class in the Full Class Name box. (You
can enter this manually, but having the system insert the full name will be more
reliable.)
4. Click the Apply button
Update a Custom Class
1. Select Administration Console > Custom Classes> Update (under the Custom Alerts
or Custom Evaluations section)
2. From the drop-down, select the Description of the class to be updated
3. Click the Browse button to locate and select the Class File that will be used for the
update. Selecting a file this way will insert the full path name for the class in the Full
Class Name box. (You can enter this manually, but having the system insert the full
name will be more reliable.)
4. Click the Apply button.
Delete a Custom Class
1. Select Administration Console > Custom Classes > Delete (under the Custom Alerts
or Custom Evaluations section)
2. From the drop-down, select the Description of the class to be deleted
Note: You cannot remove a class that is in use by some other component (the installed policy, for
example).

3. Click the Delete button



SSH Public Keys


1. Do one of the following:

To create a key, click the New button.

To modify a key, select it from the list and click the Modify button.

To remove a key, select it from the list, click the Remove button, and confirm
the action. This completes the Remove procedure.

2. In the SSH Public Key Edit panel, for a new key, enter a Host name or IP address
(this field is required).
3. Paste the public key in the Public Key box.
4. Click the Apply button to save any changes.

5. Click the Back button to return to the SSH Public Key Management panel.
6. Click the Generate button to generate a new public key for this host.
7. Click the Cancel button to close this panel.

Running Query Monitor


The Running Query Monitor displays the status of active user queries, and allows you to set
a timeout value for all Report/Monitor queries.
To open the Running Query Monitor panel, select Guardium Monitor > Running Query
Monitor
From the Running Query Monitor, you can:

Set the query timeout for all reports and monitors running in a portlet. Other query
processes, such as policy simulations, audit processes, baseline generations and
internal processes are not affected by this timeout value. The default is 60 seconds.

Kill any currently running user query. Some queries listed in this panel (audit
processes, for example) may exceed the query timeout specified. That is
expected, because the Report/Monitor query timeout applies to reports and monitors
running in a portlet only.

We do not recommend setting the Query Timeout above the default setting (60 seconds) for
an extended period of time. If you set this limit upwards, it will increase the chances of
overloading the system with ad hoc reporting activity.
To change the timeout setting, type a number of seconds in the Report/Monitor Query
Timeout box, and click the Update button. You will be informed when the update has been
completed.
To kill a running query, mark it in the list and click the Kill button.
The query type will be one of the following: Report/Monitor, Audit Process, Policy
Simulation, Configuration, or Definitions.


Legal Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other
countries. Consult your local IBM representative for information on the products and
services currently available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product, program, or service
may be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or
service.
IBM may have patents or pending patent applications covering subject matter described in
this document. The furnishing of this document does not grant you any license to these
patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where
such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES
CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain
transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only
and do not in any manner serve as an endorsement of those Web sites. The materials at

those Web sites are not part of the materials for this IBM product and use of those Web
sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of
enabling: (i) the exchange of information between independently created programs and
other programs (including this one) and (ii) the mutual use of the information which has
been exchanged, should contact:
IBM Corporation
J46A/G4
555 Bailey Avenue
San Jose, CA 95141-1003 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in
some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it
are provided by IBM under terms of the IBM Customer Agreement, IBM International
Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment.
Therefore, the results obtained in other operating environments may vary significantly.
Some measurements may have been made on development-level systems and there is no
guarantee that these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through extrapolation. Actual
results may vary. Users of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM has not
tested those products and cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products
should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal
without notice, and represent goals and objectives only.
This information is for planning purposes only. The information herein is subject to change
before the products described become available.
This information contains examples of data and reports used in daily business operations.
To illustrate them as completely as possible, the examples include the names of individuals,
companies, brands, and products. All of these names are fictitious and any similarity to the
names and addresses used by an actual business enterprise is entirely coincidental.
This information contains sample application programs in source language, which illustrate
programming techniques on various operating platforms. You may copy, modify, and
distribute these sample programs in any form without payment to IBM, for the purposes of
developing, using, marketing or distributing application programs conforming to the
application programming interface for the operating platform for which the sample programs
are written. These examples have not been thoroughly tested under all conditions. IBM,



therefore, cannot guarantee or imply reliability, serviceability, or function of these
programs. The sample programs are provided "AS IS", without warranty of any kind. IBM
shall not be liable for any damages arising out of your use of the sample programs.
Each copy or any portion of these sample programs or any derivative work, must include a
copyright notice as follows:
(your company name) (year). Portions of this code are derived from IBM Corp. Sample
Programs. Copyright IBM Corp. _enter the year or years_. All rights reserved.
If you are viewing this information softcopy, the photographs and color illustrations may not
appear.

Trademarks
IBM, the IBM logo, ibm.com and Guardium are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM trademarks is
available on the Web at www.ibm.com/legal/copytrade.shtml.
The following terms are trademarks or registered trademarks of other companies:
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United
States, other countries, or both.
